
Don’t hire a hacker, they might scam you! What works and what doesn’t when it comes to protecting your email account? And China’s controversial social credit system comes under the microscope.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Now, on with the show. Smashing Security, episode 129. Too long, didn't listen, with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, episode 129. My name is Graham Cluley. I'm Carole Theriault. And, hello, Carole. We are joined this week by a special returning guest. It's fun time family favourite. It's Maria Varmazis. Back again. Hello, Maria.
Hi. That's a great intro. Fun time family favourite.
It could have been worse, couldn't it?
Different. It's Maria. Hi.
Carole, what have we got coming up on the show this week?
Coming up on this week's show, thanks to this week's sponsors, Meta Compliance and LastPass. Their support helps us give you this show for free. This week Graham investigates hackers for hire, Maria digs into whether account hygiene is actually effective or not, and I will take you into the future of Zoldan to uncover just what kind of leaders Maria and Graham would be. All this and loads more coming up on this episode of Smashing Security. What? What podcast am I on?
Now, now, chaps, chaps. Have either of you run your own blogs or anything like that? Oh, yeah. Yeah? Oh, yeah, definitely. Okay, in which case you'll probably be familiar with the concept of comment spam being posted up onto your blog, where people try and post messages which you don't want to appear. Sometimes they'll be selling pharmaceuticals or fake degrees or something like that. And other times, in my experience, messages will appear saying, oh, I had such a big problem with an account, but then I was able to contact ABCZY. He's a great hacker who was able to hack into my Instagram account and allow me to get access back to it. He's an elite man.
I've never ever had one of those. You've never had one of those. Maybe
you aren't running a security blog like that.
I was I'm not familiar with that one specifically. Okay.
But I've seen plenty of people posting up hacker for hire services and trying to promote them. And obviously the idea is that people want to break into accounts. Maybe it might be for a legitimate reason, they can't remember their password and it is really their account. Quite often, I imagine it's a girlfriend or boyfriend or spouse whose account they want to break into to find out what they've been up to.
Okay, so we're not talking legit hackers. We're talking account level stuff. Yes. Invading privacy, spouse on spouse. Not I'm going to deploy a botnet or something.
No, I think these are people who are principally selling their ability or their claimed ability to break into accounts and get reliable and password or maybe even two-factor authentication in some cases as well. Yeah, and sometimes these things have even crossed over from the sort of digital world into the physical world.
Hi, Graham Cluley. This is . I was trying to figure out how to hack a Facebook account. I've been trying so many ways to do it, and it's just not working. Oh, I remember this. You played this before. You know, do you do these kinds of things? Can you just kind of help me out here? Is this just when an aunt goes, hey, I can't get into my email? It's not my aunt. It's not my aunt. Call him out. But it's kind of a different sort of thing, isn't it? This person seems to be legitimately calling you up to try and get your help, not really understanding that's not something you do.
Well, I remember a while back, I actually received some voicemails, people calling me up, asking me if I could help them hack into a Facebook account, which they claim to belong to a loved one of theirs. And I've actually got a recording of that voicemail right here, if we want to listen to it. Obviously it's not something I do. But how do you know they're legitimate? Maybe they're just really good at social engineering. Maybe they sound so helpless and pathetic that you think, oh, maybe they have locked themselves out of an account. I'm your biggest fan. Yeah. Good, good. Actually, that bit does sound legitimate, Maria. I don't know why you're mocking that bit. Oh, yeah.
I'm sure a social engineer would not try to butter you up at all.
So the point is there are people out there who are offering their services because there is a strong demand to crack into accounts. Okay. And a lot of people, for instance, will have a Google account, right? And so Google, they have recently teamed up with boffins at the University of California in San Diego. And in this latest report, they're actually examining what do the hackers do? How do they get in? So what Google decided to do with these researchers is they approached hackers. They found Hackers for Hire online and they said to them, can you hack our accounts, please? They posed as members of the public and contacted around about 27 hackers and black market services in English, Russian, Chinese. They got local speakers to do it. And they said, can you break into accounts? And these were all websites which were offering this particular service. In some cases, they were saying that they could even bypass SMS two-factor authentication and other methods as well. Question. Did they pay for these services? Well, I wondered that as well, because I thought, would it really be right for Google to pay criminals to hack accounts?
I see great minds, Graham.
And the answer is yes, they paid them. Ooh, controversial. Now, they say that they immediately stopped paying as soon as the minimal amount was done. But they did actually give some money. And sometimes the prices range from $100 to up to $500 per account. But what they did, because they were obviously concerned about the legal consequences of this. So normally you can't go around hiring hackers to break into accounts. But this is Google. And Google owns Gmail. And so what they did was they created some synthetic accounts on Gmail.
Synthetic accounts? This is what they called them. So they fabricated online personas.
Okay, they've got enough data to be able to do that convincingly.
So they created fake... Probably create an entire universe. A few billion. Exactly. So they created fake Gmail accounts and populated them with information so they looked legitimate. And then they pointed the hackers at these particular accounts and said, can you try and break into this account?
Yeah, but it's kind of a shame, though. If they had, it would have been, okay, bring your A game. We really want to see if you can do it. Why operate in full transparency? Well, I suppose they do that a lot of the time with the sort of bug bounty programs, don't they? Where they invite people to find vulnerabilities and they will then reward people who find those vulnerabilities. But here they really went to the dark side and they ended up with some attackers launching tailored phishing messages, some, as I said, with the ability to capture two-factor authentication information as well, in order to see how many were actually capable of getting in. What do you mean? Surprise! What I mean is
And so then the hackers sent phishing emails and whatever else to those Gmail addresses which Google had specified. By the way, obviously Google didn't announce they were Google when they were doing this. That would not have worked terribly well.
The hackers, when you pay them, most of them didn't actually go through with it. Imagine. They took your money. Imagine that. Criminals actually not holding up their side of the bargain. No honour amongst thieves.
So what you're saying is Google under a pseudonym said, hey, hack me, hack me, please. Hackers said, OK, that'll cost 400 bucks. Google under a pseudonym says, no problem. Where shall I pay you, sir, madame? And they received the payment and then out of here. That was another thing, by the way. Only a handful of the hackers advertised that they accepted Bitcoin as a payment. Google, on each occasion, was actually forced to say, well, actually, rather than just, could we pay you in Bitcoin, please? And then most of them were receptive to that. But a lot of these hackers were quite happy to accept payment. Google contacted only 27 of these dudes. So this is not very... So they had a less than 20% success rate. It's a pretty small sample size, though, for Google. I mean, really.
And what they said was that roundabout a third never responded, despite repeated requests to buy their services. And some, they say, were outright fraudulent. No surprise. No surprise. And they said that these services had inconsistent and poor customer service.
Oh, yeah. Yeah, you expect concierge-level service with your hacker for hire.
For example, said Google, three of the services charge significantly higher prices than their advertised price.
How dare you, sir? How dare you? No order amongst thieves these days.
And some, when they were actually executing the hack, said, well, actually, the price has gone up. And they also complained that they were slow at getting back to them.
You know, Graham, you have a very excellent takeaway here. Stop looking to hire these idiots, people. Exactly. Don't make your hacker your front desk guy if you're expecting customer service.
So here are the takeaways, right? Hackers for hire may not even hack. They may be hard to hire, but even when you do hire them, they may not actually hack. They might actually... Now, think about this, right? If someone gave you money and said, can you hack an account? You thought, oh, that'd be a bit naughty and I could get in trouble with the law and things. Well, what some of these hackers might actually do is they might look up your credentials and details in a previously leaked database to see if passwords are listed there. And then they could say, here is password one or let me in. That will get you in or you go.
Seriously, if that's the bar, I'm a hacker. I mean, honestly, I've done that. Come on. But there are other dangers in hiring a hacker, which is one of the things that you need to watch out for, because you might end up being blackmailed by the very hackers that you've hired and given your $500 to.
accounts. It's insane. And furthermore, imagine your disappointment if you try to hire a hacker and you actually end up not on a real hire the hacker website, but on a honeypot set up by some rival cybersecurity firm called Moogle or a law enforcement agency trying to catch people who are in the habit of hiring hackers. Don't give it away guys. Come on, don't hire a hacker who's advertising their services in the comments spam on a blog.
Well, it's not just that. I mean, that isn't how Google found these hackers. Google had access to a high-quality search engine called AltaVista, which they used to scour the internet.
You all sort it out. Yeah.
Maybe they asked Jeeves to see if they could... Ask Jeeves. Does that even still exist?
Ask.com. Yes, it's a toolbar, isn't it? It's an odious thing. Lycos. Lycos. HotBot. Was it dogpile, or is that something else? That's something else. Sorry. Don't go there, folks. I do. And it's interesting that you talked about that Google was doing some studies with New York University and University of California, San Diego, because my story is additional research that they did. Imagine that. It's like we planned it, except we didn't.
So you're saying Google and the University of San Diego again?
University of California at San Diego and New York University. There's some other data that they were pouring through to find out some answers to questions about security hygiene, which is unsexy, but very, very necessary. I gave my keyboard a wipe down the other day, actually, and I completely bust my keyboard. It's been a nightmare. I've got this one of these lemon wipes. Don't do that, folks. Pro tips from the pros.
Yeah. So security hygiene, that could mean that. But what we usually mean is stuff use a password manager, make sure you get the basics nailed. And we talk about that stuff here all the time. 2FA. All that good stuff. So the question that Google and the universities also wanted to answer were how effective are all these, quote, security basics at actually securing user accounts? So in Google's case, they figured it probably helps that they have a ginormous sample size to look at. So they looked at over 1.2 million of their own users. Oh, a tiny drop. Just a wee bit, yeah. And of those 1.2 million users, they looked at over 350,000 real-life hacking attempts on those users. And they wanted to get some answers about what kind of security methods were effective at keeping attackers out of those accounts. Okay, whoa. Yes. They poured through those logins and those attacks types for about a year. And what they did is they divided the users into users who had one of two types of security challenge. So one category. Are you guys following me here? Yeah, totally. One category is for people who use some kind of 2FA. So device-based category. So it's a thing that you had. So this means these were people who had an on-device prompt. So tapping a confirmation button on a Google app that asks you to confirm you are who you say you are. Or an SMS code or a physical security key, e.g. YubiKey. So that's one category of people. The other category of people were folks who were in the knowledge-based category. So folks who relied on Google to say, hey, can you verify via a secondary email address or a phone number or your last sign in location? So that's
when if, for instance, you're on holiday and you sign into your Google account, Google might recognize, oh, suddenly you're logging in from Paris. And therefore, we're doing an additional security check to make sure you are who you claim to be, right?
Right. That's something that. So, again, we've got the device-based folks and we've got the knowledge-based folks. So, those are the two categories of users. Well, I've written an article about this research. So pretend that you haven't written. Okay, forget that. Right? And you have to go, I know everything.
Maria is trying to make this interactive, Graham. I'm trying hard.
250,000 real-life hacking attempts, yeah.
So I'm really encouraged that there are some people out there who've got any kind of additional security beyond just their password in place, because I think the vast majority of Google customers probably don't, right? Most people are just using a password. The research, Graham. Why, yes, indeed. So users with a phone number attached to their account. So folks that went beyond merely using a password were able to thwart account takeover attempts by automated bots 100% of the time. And yes, Carole, people who used any kind of 2FA, device-based basically, did a whole lot better than people who did not. So overall, there's a number of data sets, and you can drill down into the different numbers here. But overall, you're looking at more than 90% of the time, regardless of the 2FA method that you use, you're able to thwart an attack attempt with one tiny important exception being SMS-based 2FA.
So everything has a 90% success rate, a block in the attack, or better.
If you're using 2FA, yes.
And the only one who's sort of lagging behind in the race is SMS-based.
Correct. So it's easier to hack, right? Right. And in this particular research, they were looking at these automated attacks, these sort of bulk attacks, as it were.
Too much effort.
It's too much effort. But if someone was determined to break into Maria's Gmail account and she had SMS-based two-factor in place, you may well go to the effort of ringing up her mobile phone provider and trying to get her number switched over to you or something.
Oh, it could be even easier than that. You just text the target and say, hey, I'm from blah, blah, blah, customer service. We just sent you a code. Can you send it to me? Get a hardware key or something like that, Carole. Maybe you'd go, you know, a step further.
Yeah. And that was one of their other takeaways is that why don't we just implement it for everyone? There's another slight fly in the ointment as well, which is didn't Google just announce there was a vulnerability in their physical security keys?
Yes. And they're having to push out an update or something. And I don't think that's a reason necessarily to throw them all in the bin. It has. But yes, the TLDR is 2FA still beats no 2FA. I'm going to have to write down these acronyms. TLDR, no 2FA. Too long, didn't read. SMH, Sydney, what's that one? Shaking my head. TLDR: Graham didn't even pay attention, he just demonstrated too long, didn't listen. Carole, what have you got for us?
Okay. Oh, Star Wars. I couldn't work out what Warsies was. Okay, right. Yeah, I was like, what is it? I had to look it up. I don't know if it's right. That doesn't sound right. Is pretty accurate. This is real life, I think.
This is real life, yeah. It's like, welcome to the internet, Carole. This is every day.
So where's the fiction in any of this? Doctor Who fans and Trekkies, they find it difficult. I must say, there is a... And yet you and I get along. So, you know, peace can happen. I know, it's so weird.
Definitely not Star Wars. It's Doctor Who. Yeah. Okay. And there's even in team fighting, like the Trekkies are split between the Jean-Luc Picard group and the James T. Kirk group and the Doctor Who guys. Accurate. Do? Yeah, we need to identify them. We need to round them up, send them to labor camps in the north.
Is that what you want to do? No, no, no. That's very who. Oh, thank goodness, because this might happen. Well, look, I have a solution for you. And it's based on something that us humans tried a long time ago on Earth in a land called China. It's a bit like that website Klout, isn't it? Do you remember Klout with a K?
Oh, it was the worst. It's gone. I think they tried to give everybody a score, didn't they? Yes. Based on their social media activity and things. Yeah. It shut down just before GDPR became a thing. Right? So you've kind of gamified it really, haven't you? You've gamified being a good member of society and doing what the joint rulers, currently we're joint rulers, Maria and Graham. That won't last.
Yeah, okay. You know, because all your guys, they have online accounts and you've got facial recognition systems in some places and people are using their smartphones and they're on the network all the time and on Wi-Fi. So all that gives us all the information behavior and location and who their friends are and what their health records are and what their employment history is and their academic results and their insurance and blah, blah, blah, blah, blah.
Now, as leader, as co-leader currently of Zoldan.
Co, yes. Yeah, he has trouble with that word. Trust me, I know. I know. Yeah.
I quite approve of this idea, provided we've got enough IT security data secure so it doesn't fall into the hands of the Mingmongs or some other country where they may try and exploit it.
Right. OK. Mingmongs is an interesting term. They're an alien race.
They're on the twin planet on the other side of the sun.
OK. Near the binary star system. OK, so I didn't do my research very well, did I? Listen, you're going to create a fictional universe keep up. OK, so that all sounds quite good. But is this also good for the people or should I not worry about that? Because I'm all right.
You tell me. Right. So let me tell you what happened, what the plan was in China. Yeah. So the idea was to reward good law-abiding people. So people that follow your rules and act with integrity and morality, they get a high trust score. And that can really help them move ahead in the world in terms of who they get to hang out with, where they work, where they live, how they travel. A social meritocracy. It's what everyone really wants. And those that don't step into line, all without incarceration or legal entanglements, the system will just basically limit their freedoms and negatively impact their social life to kind of, you know, push them into the right direction. One of the aims in one of the guides in China when they were developing this was allow the trustworthy to roam everywhere under heaven while making it hard for the discredited to take a single step. That's not terrifying at all. Yeah. So, so for example, in China, caught jaywalking or you don't pay a court bill, play your music too loud on the train, you can lose certain rights, such as booking a flight or a train ticket. And in fact, by March 2019, China had blocked millions of discredited quote unquote travellers from buying plane or train tickets.
So if I was there and I was caught, I don't know, wearing a loud shirt in a public place or...
What about your shorts were too short?
My shorts were too short. They'd have to be very short, Carole, very short short for those to cause offence. Who wears short shorts? So then it would be a little black mark on my social media score or something, but on my credit system. That's right. But that social credit score might be shared with me when I try to friend you on a social network system. And I might say, oh, do you really want to friend this guy? Oh, because I could drag you down. Yes. Oh, I see. Because then I'm your friend.
Oh, okay. Right? That's terrible. It's you've got social herpes. This is good. All right. Yeah. But if your shorts were a correct length and you donated to a respected charity, up goes your score. And bingo, it might be. So have the opportunity to fix a bad score by doing things which our beloved leaders would applaud.
And paying what sounds an indulgence fee. This sounds all very medieval Catholicism a little bit. Well, it's happening right now, Maria. Yeah. It's scary. It's very scary, isn't it? It's anyway, so there you go. So you guys are the leaders. And from your point of view, you know, from people who want to secure, you know, you want to secure your position, your rulership, your society and the social fabric that you help construct and the laws you have. This is a pretty sexy tool, don't you think?
Couldn't. I mean, I'm just wondering how we're going to overthrow this because obviously this isn't a very cool thing that's going on. Now, I remember Ferris Bueller. He managed to hack in and change his attendance records at school or something, didn't he? Yes. So he could have his day off.
Not so successful with the car odometer, though. Just remember that. People forget that part.
So, I mean, they must be storing all this data somewhere, hopefully not in an unsecured Amazon, or maybe it should be. A little bucket. Where it isn't properly secured. But there's a risk someone could come in and sort of fiddle the scores, isn't there?
Yeah. I mean, there's a lot of risks, because it is. Well, it's also who determines what's good, what's bad or what the weights are of. I mean, imagine for artists, for example, right? You know, you're either on trend and you're fitting the moral fiber of the day or you're a little bit out there. And that might play against you. Well, I'm also just thinking, as I am the leader of Zoldan.
Co-leader. Co, co, co-leader. Listen. I'm going to have a lot on my plate deciding what's in and what's not, what's hot and what's, you know. Yeah, you've got a whole job ahead of you. It's going to be exhausting working out what's a good thing to do and what's not. I just hope your algorithm doesn't ever go wrong, right? Because what's weird about this is it seems as though the burden of proof shifts from the accuser to the accusee. Because, for example, if the machine said, yes, your score should be 50 instead of 500, and you go and argue that, surely you have to prove the machine made a mistake in order for anyone to listen. Well, thank you very much for cheering us up, Carole. What? It's true. Yeah, well, maybe one silver lining for you maybe is there are a few academics that say, look, we've looked at actually the data they're collecting and it isn't that amazing yet. Like it's not enough information that you would require to get a bank loan, for instance. Things to look forward to in 2020, as if you weren't worried about anything else happening in 2020. Now you've got this. No, yeah. No. Well, there you go. So, but what Trekkies, what I just... Well, coming back to you guys. I mean, if you want to secure your reign, obviously this is the best way forward for you because you'll know all and be able to, you know, reward the good and punish the bad. And you'll have all the information. It's not the same. It's not the same. It's definitely not the same, damn it, girl.
It's not the same, you know. Sorry, dude. Yeah, it's not the same. And we are sponsored by Meta Compliance. Now, Meta Compliance make this platform to help you train up all your employees in all things cybersecurity related. That's right, you can simulate phishing attacks, you can teach them about password safety, all aspects of data security. Go and sign up right now at smashingsecurity.com slash metacompliance and you can save because... Because you listen to this podcast. Boom. We are also sponsored this week by our friends at LastPass. Now, Graham, isn't it something like 90% of security breaches involve a stolen password or a poor password?
Yeah, stolen passwords, poorly chosen passwords, reused passwords. Passwords are really sort of the hinge pin of so many security attacks which happen, which means that you probably want an Enterprise Password Manager like the one offered by LastPass.
Listeners can learn all about LastPass Enterprise at lastpass.com slash smashing.
You don't have to say forward slash by the way, you can just say slash, just so you know. And welcome back. And you join us on our favourite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever they wish. It doesn't have to be security related necessarily. Fell over in my chair.
I have stumbled across in the last week a YouTube channel by a bunch of crazy Danish guys who call themselves OutRayChess and they are working with the Danish Chess Federation in helping them promote the game in their country.
Is that a recognised federation? Yes. The Danish chess. Oh, yes. Every country has a chess federation crew. OK. But they are struggling somewhat. TIL. They are struggling somewhat chess federations around the world because the problem is that a lot of chess players are sort of middle aged, slightly podgy, anti-social men.
That's loud. Did I not see quite a strong swear word at the beginning of this video? Smithloff... Did you feel... Oh, I'm solving all my problems now. Elegantly.
He plays knight to f6, attacking the queen with a tempo, saying, Oh, Tal, but now we see a hammer blow from the magician from Riga. He plays queen takes f7. What? Anyway, if you've ever wondered how the grandmasters decide to make a particular move or whether chess is exciting or not, you may want to check out Outray Chess because I think he does quite a good job and he's made some other videos as well, this chap, with a cast of hundreds in some cases.
Get the budget for this? Seriously? He just aligned himself. Do Danes not have jobs?
I think the Danish military basically haven't got very much to do. There haven't been any...
I mean, they're just sitting around with all these freaking weapons, just talking about chess.
Well, chess is quite a big deal in Denmark. A lot of people do like chess in Denmark. And so...
I'm planning to be in Denmark later this week. Oh, you're lucky to get up. So I'll go check him out. I'll see if I can find him. I'm sure everyone knows him. I'll be...
Anyway. Where can I find him? I've included a link in the show notes, which you can go and check out at smashingsecurity.com if you want to check out the video. And I thought it was quite an inventive, imaginative way to talk about a particular game of chess complete with...
Not the Game of Thrones but the game of chess.
And that's why it's my pick of the week. Nice. Maria, what have you got for us as your pick of the week?
My pick of the week is not Game of Thrones because I've never seen it. She's never seen Game of Thrones. I've never seen Game of Thrones. I know, I know. All right, so my pick of the week is again shock and surprise, it's about something that I'm very interested in and it happens to be Star Trek. So there are many iterations of Star Trek, one of the best if not the best is called Deep Space Nine. It came out in the '90s, it was great, it's 25 years old now and the producer showrunner of the show, he made a documentary about why this show was so groundbreaking and a lot of behind the scenes stuff about what went into making it, things they wish they had done better.
Odo in it the shapeshifter, is that his name?
Yes, Odo's in it, yes he's in it. They get into a lot of stuff about social issues in the '90s that prevented them from doing certain story types and what they wish they could have done. I thought it was a fascinating look and it's very well done. This is slightly tangential, but do you want me to tell you my favorite line from Star Trek, the only one I would say is most powerful and I bet you could totally identify it's probably up there, is it when William Shatner says come on? No, I'm not even going to say who it is. I bet she'll identify right away. I might not. I'm not that great at this kind of stuff, actually. There are four lights! Oh, come on! Don't even... Of course. That's not even... Come on. Sorry,
I have no idea what just happened.
There are four lights when Picard sees... anyway. Totally. Do you want to know the story behind that whole thing? I do. He was doing an episode against torture. He talked to Amnesty International, and they collaborate. I think they worked with the writers on writing series episodes against use of torture. Oh, because
The Cardassians, they're into torturing people, aren't they?
Cardassians! Cardassians! Same diff, really. I'm using that word a lot this week. Cardassians. Keeping up with the Kardashians, yes. Anyway, folks in the UK and Ireland, if you're into Star Trek, especially Deep Space Nine, go see the documentary in theaters. It's worth it.
I've never really seen an episode of Deep Space Nine, but I have heard it's quite good. And if I had time, I probably would. I just didn't like the Ferengi. The Ferengi.
Well, the Ferengi are their capitalism gone crazy. It's a great little, it's very timely now. And if you've ever seen Battlestar Galactica, the new one that Ron Moore wrote, he wrote for Deep Space Nine before he wrote Battlestar Galactica. I love Battlestar Galactica. So if you enjoyed Battlestar Galactica I think Deep Space Nine is an easy segue.
I would be tempted to watch this documentary even though I've never seen Deep Space Nine because I quite like documentaries and I think I would find it interesting. It may be a way for me to get into the show. It's a bit like if there was a... steal some ideas for the Whovians, maybe. Oh there are some very good Doctor Who documentaries like that too. But anyway, if there was a documentary about the Golden Girls for instance I'd probably watch that because I think I'd find that quite interesting as well and Murder, She Wrote. There probably is one called On the Lanai or something. Let's have some cheesecake. I'm sure there is. There's got to be one. That's a missed opportunity if there isn't. Thank you for being a friend.
Carole, what's your pick of the week?
Mine is Quick and Dirty. So this is for those that, you know, if you live underground and have no access to anything Wi-Fi or mobile data. Can't even talk. If you don't know who Joe Rogan is, you can't be listening to podcasts. Because everyone knows who he is. You may not like him, but you know who he is.
So he's known for being a comedian. He's big into MMA or mixed martial arts. And he does this whole video podcast, which I personally need to argue, is a video podcast a podcast?
No, it's a video podcast.
Right? It's a video. I think podcast is just audio. I certainly feel that way. Strong feelings. Yeah, I guess. So
I've never heard Joe Rogan's podcast. I know he's a very popular podcaster.
Yeah, it's long form. They tend to have chit chats, unedited. He's very open about what he knows, what he doesn't know, his views, his thoughts. He's built a huge following. He also did a lot of, I think he did TV before too. So I don't know if he came to the podcast world with a huge following.
He did the podcast that Elon Musk went on and lit up a great big doobie, right? I have no idea. I don't know enough about him. I think so. Sounds about right. Oh, I wouldn't know what he sounds like, to be honest. Well, no, but yeah. But I've only listened to maybe one or two shows in my life, right? He's not a big... I only know him from TV, really. I've never listened to his podcast.
fakejoerogan.com. And here we've got a whole bunch. We've got a grid of things we can play. And I imagine we then listen and then we have to decide if they're real or fake.
Yeah, yeah. It takes about a minute of your time. So listen to one and then just decide if you think it's real or fake.
OK, let's do the first one.
What was the person thinking when they discovered cow's milk was fine for human consumption? And why did they do it in the first place? You are much less likely to injure yourself if you do it correctly. So I did them all. Right. And I got one wrong, the first one wrong, and then the rest I got right because suddenly my brain adapted very quickly as to what to listen for, weird hesitations. Yes, the speed. Longer and shorter hesitations, yes. Yes. So I've just done a few of these. Sorry, I don't know what you've been talking about. I've just done a few of these. And I've got 100% you, Maria, at the moment, of the ones I've done.
No, but you have to really listen, though. If they were talking and, you know, you, well, maybe in this, yeah, we were talking.
The other thing is that you alerted me. You told me, listen out as to whether this is a real or a fake. If I'd just heard it, I wonder if I would have spotted it or not. I suspect I probably wouldn't.
As Dessa say in their announcement, it's pretty fucking scary. So there you go. You want to play?
Is that an actual quote in their press release? Yeah. Well, the F star king, but I think we all know what that means. Yeah, there was one I swore. I was oh, that's so easy. That one's definitely real. And it was fake. Yeah. We don't edit this podcast, Maria.
Hardly at all. You're right. What was I? What am I thinking? We just add some music at the start and the end. Some plinks and some plops.
Maria, I think you're really great. You know that? That was definitely fake. You're the favorite podcast co-host. Can't imagine.
And on that bombshell, we've just about wrapped it up for this week. Maria! I'm sure lots of our listeners would love to stalk you online. What's the best way for folks to do that?
Please don't stalk me. You can find me on Twitter at mvarmazis, that's me, or on Mastodon if you're on infosec.exchange I'm at Maria.
And you can follow us on Twitter at smashinsecurity, no G. Twitter wouldn't allow us to have a G and you can also join our discussion on Reddit. The quickest way to find our Reddit subreddit is smashinsecurity.com/reddit and it will take you right there.
Hugs to this week's Smashing Security sponsors LastPass and Meta Compliance. Their support helps us give you this show for free so be sure to check out their offers and kisses to you our lovely listeners. I dread to think where we'd be without you so thank you. Check out smashingsecurity.com for past episodes, sponsorship details and info on how to get in touch with us.
Until next time, cheerio! Bye bye bye. I just paused because you're talking about kissing our listeners after I got in trouble.
I know, I know. I didn't say with tongues. I don't do that. I haven't done that since 18.
Too much information. Maybe not.
Yeah, it's a podcast. Surely that's another stipulation of a podcast. And what? Kissing? It's cold outside.
I'm going to hit the stop button.
Hosts: Graham Cluley, Carole Theriault
Guest: Maria Varmazis
Show notes:
- Vote for Smashing Security in the EU Security Blogger Awards
- "How to hack a Facebook account…" – how on earth to answer? — Graham Cluley.
- Hack for Hire: Exploring the Emerging Market for Account Hijacking — Report from University of California, San Diego and Google.
- Google research: Most hacker-for-hire services are frauds — ZDNet.
- New research: How effective is basic account hygiene at preventing hijacking — Google Online Security Blog.
- The complicated truth about China's social credit system — Wired.
- China bans 23m from buying travel tickets as part of 'social credit' system — The Guardian.
- Is China’s social credit system as Orwellian as it sounds? — MIT Technology Review.
- Opinion: Why India needs to be wary of China-style social credit ratings — LiveMint.
- Mihail Tal vs. Vassily Smyslov // Sacrificial Maniac vs. Positional Maestro — YouTube.
- Outray Chess — YouTube.
- What We Left Behind: Looking Back at Star Trek: Deep Space Nine — A documentary film produced by 455 Films.
- DS9 Doc Heads To UK & Ireland – List of Locations — TrekSphere.
- Joe Rogan — Wikipedia.
- Tesla’s Elon Musk smokes weed on Joe Rogan podcast, havoc ensues — Vox.
- Faux Rogan — Can you tell which are real or fake (Faux Rogan)?
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
People are the key to minimizing your Cyber Security risk posture. MetaCompliance makes this easier by providing a single platform for Phishing, Cybersecurity training, Policy, Privacy and Incident management.
Listeners can get a 10% discount off the high-quality CyberSecurity eLearning catalog by quoting the code SMASHING. Visit smashingsecurity.com/metacompliance now.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
