Smashing Security podcast #129: Too Long; Didn’t Listen

Industry veterans, chatting about computer security and online privacy.

Don’t hire a hacker, they might scam you! What works and what doesn’t when it comes to protecting your email account? And China’s controversial social credit system comes under the microscope.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Unknown
Newsflash! Newsflash! Smashing Security has made it to the finals of the European Security Blogger Awards!

If you can be arsed, please go to smashingsecurity.com/vote and vote for your favorite security podcast.

Voting closes on the 31st of May, so don't delay or I'll electrocute your eardrums. That's smashingsecurity.com/vote. Now, on with the show.

Smashing Security, Episode 129: Too Long, Didn't Listen, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 129.

My name is Graham Cluley.
CAROLE THERIAULT
I'm Carole Theriault.
GRAHAM CLULEY
And hello, Carole. We are joined this week by a special returning guest. It's fun time family favorite. It's Maria Varmazis back again. Hello, Maria.
CAROLE THERIAULT
Hi.
MARIA VARMAZIS
That's a great intro. Fun time family favorite.
GRAHAM CLULEY
It could have been worse, couldn't it?
MARIA VARMAZIS
No, different accent.
GRAHAM CLULEY
It's Maria.
MARIA VARMAZIS
It's Maria.
GRAHAM CLULEY
Carole, what have we got coming up on the show this week?
CAROLE THERIAULT
Coming up on this week's show, thanks to this week's sponsors MetaCompliance and LastPass. Their support helps us give you this show for free.

This week, Graham investigates hackers for hire. Maria digs into whether account hygiene is actually effective or not.

And I will take you into the future of Zoldan to uncover just what kind of leaders Maria and Graham would be.

All this and loads more coming up on this episode of Smashing Security.
MARIA VARMAZIS
What? What podcast am I on?
GRAHAM CLULEY
Now, now, chaps, chaps. Have either of you run your own blogs or anything like that? Oh yeah. Yeah?
MARIA VARMAZIS
Oh yeah, definitely.
GRAHAM CLULEY
Okay. In which case, you'll probably be familiar with the concept of comment spam being posted up onto your blog where people try and post messages which you don't want to appear.

Sometimes they'll be selling pharmaceuticals or fake degrees or something like that.

And other times, in my experience, messages will appear saying, oh, I had such a big problem with an account, but then I was able to contact ABCZY.

He's a great hacker who was able to hack into my Instagram account and allow me to get access back to it. He's elite, man.
CAROLE THERIAULT
I've never ever had one of those.
GRAHAM CLULEY
You've never had one of those? Maybe you aren't running a security blog like I am.
MARIA VARMAZIS
Yeah, I was— I'm not familiar with that one specifically. Okay.
GRAHAM CLULEY
But I've seen plenty of people posting up hacker-for-hire services and trying to promote them. And obviously the idea is that people want to break into accounts.

Maybe it might be for a legitimate reason, they can't remember their password and it is really their account.

Quite often I imagine it's a girlfriend or boyfriend or spouse whose account they want to break into to find out what they've been up to.
MARIA VARMAZIS
Okay, so we're not talking legit hackers, we're talking account-level stuff.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Invading privacy, spouse and spouse.
MARIA VARMAZIS
Not "I'm going to deploy a botnet" or something.
GRAHAM CLULEY
No, I think these are people who are principally selling their ability or their claimed ability to break into accounts and get around password or maybe even two-factor authentication in some cases as well.
MARIA VARMAZIS
Hmm.
GRAHAM CLULEY
Yeah. And sometimes these things have even crossed over from the sort of digital world into the physical world.

I remember a while back, I actually received some voicemails, people calling me up asking me if I could help them hack into a Facebook account, which they claim to belong to a loved one of theirs.

And I've actually got a recording of that voicemail right here if we want to listen to it.
CAROLE THERIAULT
Hi, Graham Cluley, this is— I was trying to figure out how to hack a Facebook account. I've been trying so many ways to do it and it's just not working. Oh, I remember this.

I played this before. Do these kind of things and just kind of help me out here.
MARIA VARMAZIS
Is this just when an aunt goes, hey, I can't get into my email, can you help me?
GRAHAM CLULEY
It's not my aunt. It's not my aunt. Call him out.
CAROLE THERIAULT
And I emailed you, I called you, but it's kind of a different sort of thing, isn't it?

This person seems to be legitimately calling you up to try and get your help, not really understanding that that's not something you do.
GRAHAM CLULEY
Well, obviously it's not something I do, but how do you know they're legitimate? Maybe they're just really good at social engineering.

Maybe they sound so helpless and pathetic that you think, oh, maybe they have locked themselves.
MARIA VARMAZIS
I'm your biggest fan. Yeah.
CAROLE THERIAULT
Good, good.
GRAHAM CLULEY
Be suspicious. Actually, that bit does sound legitimate, Maria. I don't know why you're mocking that bit.
MARIA VARMAZIS
Oh yeah, I'm sure a social engineer would not try to butter you up at all.
GRAHAM CLULEY
So the point is there are people out there who are offering their services because there is a strong demand to crack into accounts.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
And a lot of people, for instance, will have a Google account, right? And so Google, they have recently teamed up with boffins at the University of California in San Diego.

And in this latest report, they're actually examining what do the hackers do? How do they get in? So what Google decided to do with these researchers is they approached hackers.

They found hackers for hire online, and they said to them, can you hack our accounts, please?

They posed as members of the public and contacted around about 27 hackers and black market services in English, Russian, Chinese.

They got local speakers to do it and they said, can you break into accounts? And these were all websites which were offering this particular service.

In some cases, they were saying that they could even bypass SMS two-factor authentication and other methods as well.
CAROLE THERIAULT
Question: did they pay for these services?
GRAHAM CLULEY
Well, I wondered that as well. Because I thought, would it really be right for Google to pay criminals to hack accounts?
CAROLE THERIAULT
I see great minds, Graham.
GRAHAM CLULEY
And the answer is yes, they paid them. Ooh, controversial.

Now they say that they immediately stopped paying as soon as the minimal amount was done, but they did actually give some money.

And sometimes the prices range from $100 up to $500 per account. But what they did, because they were obviously concerned about the legal consequences of this.

So normally you can't go around hiring hackers to break into accounts, but this is Google and Google owns Gmail.

And so what they did was they created some synthetic accounts on Gmail.
CAROLE THERIAULT
Synthetic accounts?
GRAHAM CLULEY
This is what they called them. So they fabricated online personas.
MARIA VARMAZIS
Okay. They've got enough data to be able to do that convincingly. Exactly. Yeah.
GRAHAM CLULEY
So they created—
CAROLE THERIAULT
They could probably create entire universes. They have enough data. A billion. Yeah, exactly.
GRAHAM CLULEY
So they created fake Gmail accounts and populated them with information so they looked legitimate.

And then they pointed the hackers at these particular accounts and said, can you try and break into this account?

And so then the hackers sent phishing emails and whatever else to those Gmail addresses, which Google had specified.

By the way, obviously Google didn't announce they were Google when they were doing this. That would not have worked terribly well.
MARIA VARMAZIS
Yeah, but this is kind of a shame though. If they had, it would have been like, okay, bring your A game. We really want to see if you could do it.
CAROLE THERIAULT
Why operate in full transparency? Gross.
GRAHAM CLULEY
Well, I suppose they do that a lot of the time with the sort of bug bounty programs, don't they?

Where they invite people to find vulnerabilities and they will then reward people who find those vulnerabilities.

But here they really went to the dark side and they ended up with some attackers launching tailored phishing messages, some, as I said, with the ability to capture two-factor authentication information as well in order to see how many were actually capable of getting in.
CAROLE THERIAULT
And yeah, I'm interested in the results now.
GRAHAM CLULEY
The findings were rather interesting, which was that in the majority of cases, it turned out that they didn't actually hack anybody.
CAROLE THERIAULT
Ha! What do you mean?
GRAHAM CLULEY
What I mean is the hackers, when you pay them, most of them didn't actually go through with it. They took your money.

Imagine that, criminals actually not holding up their side of the bargain. No honor amongst thieves.
CAROLE THERIAULT
So what you're saying is, Google under a pseudonym said, hey, hack me, hack me please. Hacker said, okay, that'll cost $400. Google under pseudonym says, no problem.

Where shall I pay you, sir, madam? And they received the payment and then I'm here.
GRAHAM CLULEY
Peace out. That was another thing, by the way. Only a handful of the hackers advertised that they accepted bitcoin as a payment.

Google on each occasion was actually forced to say, well, actually, rather than just 'Could we pay you in bitcoin, please?' And then most of them were receptive to that.

But a lot of these hackers were quite happy to accept payment.
CAROLE THERIAULT
No one had a Google Wallet?
GRAHAM CLULEY
Through some sort of traditional form instead. So there were some accounts which were actually prepared to go through with it.

According to Google, they said only 5 of the 27 different websites which they contacted were willing to take their business.

I mean, maybe some of them worked out that they were being set up. I don't know.
CAROLE THERIAULT
Google contacted only 27 of these dudes. So this is not very—
MARIA VARMAZIS
So they had a 20%, less than 20% success rate.
CAROLE THERIAULT
It's a pretty small sample size, though, for Google. I mean, really.
GRAHAM CLULEY
And what they said was that around about a third never responded, despite repeated requests to buy their services. And some, they say, were outright fraudulent.
MARIA VARMAZIS
Mm-hmm.
CAROLE THERIAULT
Quelle surprise.
GRAHAM CLULEY
Quelle surprise. And they said that these services had inconsistent and poor customer service.
MARIA VARMAZIS
Oh yeah. That's, yeah, you expect—
CAROLE THERIAULT
No call center in India?
MARIA VARMAZIS
Concierge-level service with your hacker for hire.
GRAHAM CLULEY
For example, said Google, 3 of the services charged significantly higher prices than their advertised price.
MARIA VARMAZIS
How dare you, sir? How dare you?
CAROLE THERIAULT
No honor amongst thieves these days.
GRAHAM CLULEY
And some, when they were actually executing the hack, said, well, actually the price has gone up. And they also complained that they were slow at getting back to them.

Well, there's—
CAROLE THERIAULT
You know, Graham, you have a very excellent takeaway here. Stop looking to hire these idiots, people.
GRAHAM CLULEY
Well, exactly.
MARIA VARMAZIS
Don't make your hacker your front desk guy if you're expecting customer service.
GRAHAM CLULEY
So here are the takeaways, right? Hackers for hire may not even hack. They may be hard to hire, but even when you do hire them, they may not actually hack. They might...

Actually, now think about this, right? If someone gave you money and said, can you hack an account?

You thought, oh, that'd be a bit naughty and I could get in trouble with the law and things like that.

Well, what some of these hackers might actually do is they might look up your credentials and details in a previously leaked database to see if passwords are listed there.

And then they could say, here is password one, or let me in, that will get you in.
MARIA VARMAZIS
Seriously, if that's the bar, I'm a hacker. I mean, honestly, I've done that. Come on.
GRAHAM CLULEY
But there are other dangers in hiring a hacker, which is one of the things that you need to watch out for, because you might end up being blackmailed by the very hackers that you've hired and given your $500 to.
CAROLE THERIAULT
Wait.
GRAHAM CLULEY
They may either threaten to tell your victim or even report you to the police if you don't cough up.

And imagine how annoyed the police are gonna be when eventually they get these reports to them of someone trying to hire a hacker and they ultimately find out it was actually Google who were doing it in the first place against their own accounts.
CAROLE THERIAULT
It's insane.
MARIA VARMAZIS
You all sort it out. Yeah.
GRAHAM CLULEY
And furthermore, imagine your disappointment if you try to hire a hacker and you actually end up not on a real hire the hacker website, but on a honeypot set up by some rival cybersecurity firm.
CAROLE THERIAULT
Cosmoogle?
GRAHAM CLULEY
Or a law enforcement agency trying to catch people who are in the habit of hiring hackers.
MARIA VARMAZIS
No such agency.
GRAHAM CLULEY
So I think we can summarize my story this week has been, don't hire hackers to break into accounts.

Try and remember your password or hit the "I've forgotten it" button, or just ask someone, "Hey, can you tell me what your password is? I'd like to break into it, please." You know, maybe that'd be a better approach.
CAROLE THERIAULT
Just don't give it away, guys. Come on.
MARIA VARMAZIS
Don't hire a hacker who's advertising their services in the comment spam on a blog. I mean—
GRAHAM CLULEY
Well, it's not just that. I mean, that isn't how Google found these hackers.
MARIA VARMAZIS
Oh, okay, well—
GRAHAM CLULEY
Google had access to a high-quality search engine called AltaVista. Which they used to scour the internet.
MARIA VARMAZIS
Maybe they asked Jeeves to see if they could—
CAROLE THERIAULT
Ask Jeeves? Does that even still exist?
GRAHAM CLULEY
Ask.com? Yes, it's a toolbar, isn't it? It's an odious thing.
MARIA VARMAZIS
Lycos.
CAROLE THERIAULT
Lycos.
GRAHAM CLULEY
Hotbot. Was it Dogpile?
MARIA VARMAZIS
Or is that something else?
GRAHAM CLULEY
Something else. Sorry. Don't go there, folks. Maria, I'm sure you've got a story for us this week.
MARIA VARMAZIS
I do.

And it's interesting that you talked about that, that Google is doing some studies with New York University and University of California, San Diego, because my story is additional research that they did.

Imagine that. It's like we planned it, except we didn't.
GRAHAM CLULEY
So you're saying Google and the University of San Diego again?
MARIA VARMAZIS
University of California at San Diego and New York University.

There's some other data that they were poring through to find out some answers to questions about security hygiene, which is unsexy but very, very necessary.

So what do we mean by security hygiene? Do we know? Does everybody know what we mean by security hygiene?
CAROLE THERIAULT
Antiseptic on your keyboard?
MARIA VARMAZIS
When you're at a conference, make sure to take a shower every day. Use deodorant. That's what we mean about security hygiene.
GRAHAM CLULEY
I gave my keyboard a wipe down the other day, actually, and I completely bust my keyboard. It's been a nightmare. I got this one of these lemon wipes. Don't do that, folks.
MARIA VARMAZIS
Pro tips from the pros. Yeah. So security hygiene.

That could mean that, but what we usually mean is stuff like use a password manager, make sure you get the basics nailed, and we talk about this stuff here all the time.
CAROLE THERIAULT
Two-factor.
MARIA VARMAZIS
All that good stuff.

So the question that Google and the universities also wanted to answer were, how effective are all these quote security basics at actually securing user accounts?

So in Google's case, they figured it probably helps that they have a ginormous sample size to look at. So they looked at over 1.2 million of their own users. Right.
CAROLE THERIAULT
Oh, a tiny drop.
MARIA VARMAZIS
Just a wee bit, yeah.

And of those 1.2 million users, they looked at over 350,000 real-life hacking attempts on those users, and they wanted to get some answers about what kind of security methods were effective at keeping attackers out of those accounts.

So, whoa. Yeah. So they pored through those logins and those attack types for about a year.

And what they did is they divided the users into users who had one of two types of security challenge. So one category, are you guys following me here?
CAROLE THERIAULT
Yeah, totally.
MARIA VARMAZIS
One category is for people who use some kind of two-factor authentication. So a device, they call it device-based category. So it's a thing that you had. Okay.

So this means these were people who had an on-device prompt.

So tapping a confirmation button on a Google app that asks you to confirm you are who you say you are, or an SMS code or a physical security key, e.g.
CAROLE THERIAULT
YubiKey.
MARIA VARMAZIS
So that's one category of people.
GRAHAM CLULEY
Mm-hmm.
MARIA VARMAZIS
The other category of people were folks who were in the knowledge-based category.

So folks who relied on Google to say, hey, can you verify via a secondary email address or a phone number or your last sign-in location?
GRAHAM CLULEY
So that's when, if for instance you're on holiday and you sign into your Google account, Google might recognize, oh, suddenly you are logging in from Paris and therefore, we're doing an additional security check to make sure you are who you claim to be, right?
MARIA VARMAZIS
Right, that's something like that. So we've got, again, we've got the device-based folks and we've got the knowledge-based folks. So those are the two categories of users.

So Google and the researchers wanted to see which set of users were better at thwarting attacks from automated bots, bulk phishing attacks, or targeted phishing attacks, the kinds you just talked about, Graham, in your story.
GRAHAM CLULEY
Hey!
MARIA VARMAZIS
And what kind of trends might emerge from that data? So any guesses on what they found? Out of curiosity, you guys have any guesses?
GRAHAM CLULEY
Well, I—
CAROLE THERIAULT
And I think, Graham, you've seen the data, so knowledge-based would not be nearly as good as device-based. Right.
MARIA VARMAZIS
That's a great guess.
CAROLE THERIAULT
Okay. That's my guess.
MARIA VARMAZIS
That's your guess. Graham, any guesses from you?
GRAHAM CLULEY
Well, I've written an article about this research.
MARIA VARMAZIS
So pretend that you haven't written. Okay. Forget that.
CAROLE THERIAULT
Maria is trying to make this interactive, Graham.
MARIA VARMAZIS
I'm trying really hard.
CAROLE THERIAULT
Right? And you have to go, I know everything.
GRAHAM CLULEY
First of all, I'm encouraged that they managed to find 300 and— what was it?
MARIA VARMAZIS
350,000 real-life hacking attempts.
GRAHAM CLULEY
Yeah.

So I'm really encouraged that there are some people out there who've got any kind of additional security beyond just their password in place, because I think the vast majority of Google customers probably don't, right?

Most people are just using a password. So having anything at all has got to be better than nothing.
MARIA VARMAZIS
Yes.
GRAHAM CLULEY
So that's terrific.
MARIA VARMAZIS
Yes.
GRAHAM CLULEY
But I would think anything which doesn't put a reliance on the human brain is going to work better. And so therefore, maybe the authentication will work better.
MARIA VARMAZIS
It's almost like you've seen the research, Graham. Why, yes indeed.

So users with a phone number attached to their account, so folks that went beyond merely using a password, were able to thwart account takeover attempts by automated bots 100% of the time.

And yes, Carole, people who used any kind of two-factor authentication, device-based, basically, did a whole lot better than people who did not.

So overall, yeah, there's a number of datasets and you can drill down into the different numbers here, but overall, you're looking at more than 90% of the time, regardless of the two-factor authentication method that you use, you're able to thwart an attack attempt with one tiny important exception being SMS-based two-factor authentication.
GRAHAM CLULEY
So everything has a 90% success rate at blocking the attack or better.
MARIA VARMAZIS
If you're using two-factor, yes.
GRAHAM CLULEY
And the only one who's sort of lagging behind in the race is SMS.
CAROLE THERIAULT
Correct.
MARIA VARMAZIS
So SMS.
CAROLE THERIAULT
'Cause it's easier to hack, right?
MARIA VARMAZIS
Right. I mean, we've talked about it before. You guys have talked about it before with other folks. You know, it's a much maligned two-factor method for good reason.

It's certainly better than nothing. And the takeaway from Google's study is that yes, it is better than nothing.

But it only prevents account takeovers about 76% of the time in a targeted phishing attack.

So going back to your story, Graham, those hackers that are going after people in a targeted manner, they have better success than folks who use a physical key or have an on-device prompt.
GRAHAM CLULEY
Right. And in this particular research, they were looking at these automated attacks, these sort of bulk attacks, as it were. Bot-based attacks where there isn't a human element.

And they wouldn't even bother really, I think, trying to get past an SMS-based... It's too much effort.
MARIA VARMAZIS
Yes.
GRAHAM CLULEY
But if someone was determined to break into Maria's Gmail account and she had SMS-based two-factor in place, you may well go to the effort of ringing up her mobile phone provider and trying to get her number switched over to you or something similar.
MARIA VARMAZIS
Oh, it could be even easier than that. You just text the target and say, "Hey, I'm from blah, blah, blah customer service. We just sent you a code. Can you send it to me?" And that works an alarming amount of time.

So yes, the overall takeaway from Google's research was that people who have device-based security challenges fare a lot better than those who rely on knowledge-based challenges.

So feather in the cap yet again for please use two-factor authentication. It really, really helps. Even though SMS is not great, it does better than not using it at all.
CAROLE THERIAULT
Do you know what, though? Do you know what the irony of this situation is?

The more and more people that start using two-factor authentication, so let's say we get to a world where 90% of people are using two-factor authentication.

Then what happens to us people who are in the gold bit at the moment, right? Right now we have additional security to most people, so we're kind of safer just—
MARIA VARMAZIS
You've outrun that bear slightly. Exactly, it's the arms race, isn't it?
CAROLE THERIAULT
Yeah. So that just shows how giving we are as a group.
GRAHAM CLULEY
But maybe you'd get a hardware key or something like that, Carole. Maybe you'd go one step further.

I'm not suggesting any of this is fun, and I think that is a problem with all of these things, isn't it? It's dreadful.
MARIA VARMAZIS
Yeah. And that was one of their other takeaways is that why don't we just implement it for everyone?

It's because I think they said over 30% of the time users don't have a phone with them when they're logging in, so they can't do device-based stuff because they don't have a device.

So that's an issue.

And it's funny that you mentioned the keys because the only group that was able to beat account takeover attempts 100% of the time literally every single method were folks that use a physical security key.

Yeah, that's the trick. But then it becomes, is it that the key is that much better?

I mean, I'm sure that is part of it, or are the folks that use the key people who are more security-minded or they have a threat model that requires them to use it?
CAROLE THERIAULT
Good point. Good point, Maria.
GRAHAM CLULEY
There's another slight fly in the ointment as well, which is, didn't Google just announce there was a vulnerability in their physical security keys? The Titan.

And they're having to push out an update or something, and I don't think that's a reason necessarily to throw them in the bin.

No, I'm sure there's still better security there than not having one at all. But you know, it's confused things rather, hasn't it?
MARIA VARMAZIS
It has. But yes, the TL;DR is two-factor authentication still beats no two-factor authentication, and now we have a lot of data to prove it.
CAROLE THERIAULT
Hey, yeah, it turns out we've been right all along.
GRAHAM CLULEY
Hooray! I'm going to write down these acronyms. TL;DR, no two-factor authentication.
MARIA VARMAZIS
Too long, didn't read.
GRAHAM CLULEY
SMH. What's that one?
MARIA VARMAZIS
Shaking my head.
GRAHAM CLULEY
Oh, is it? I always thought it was the Sydney Morning Herald. I'm always seeing that online, I find that one very difficult. Ah, good, excellent. Well, thank you very much, Maria.

So yes, protect yourself, people, I think was what Maria was saying. And Google's—
CAROLE THERIAULT
It was a bit more in-depth. Too long, didn't listen.
MARIA VARMAZIS
TL;DR.
CAROLE THERIAULT
TL;DR. Graham didn't even pay attention, he just demonstrated.
MARIA VARMAZIS
Too long, didn't listen.
GRAHAM CLULEY
Carole, what have you got for us?
CAROLE THERIAULT
It's the distant future, okay? And you two, Maria and Graham, are the co-leaders of Zoldan, a world very similar to our own.
MARIA VARMAZIS
I've seen that episode of Doctor Who. I know where this is going.
CAROLE THERIAULT
Except that in Zoldan, people break into three basic parties: the Trekkies, the Warsies, and the Whovians.
GRAHAM CLULEY
Okay. Oh, Star Wars. I couldn't work out what Warsies was.
MARIA VARMAZIS
Okay, right. Yeah, I was like, what is it? I had to look it up.
CAROLE THERIAULT
I don't know if it's right.
MARIA VARMAZIS
That doesn't sound right.
CAROLE THERIAULT
Okay, well, you guys can, if you get bored during my story, you can look it up and we could correct it by the end. Jedi?

Okay, so for reasons we're not going to go into here now, the social construct in your world of Zoldan feels like it's going to utter pot. Yeah.

And despite the two of you being so woke, there seems to be just less respect for your authority these days, and more and more people are breaking the laws and acting, well, immorally.

Acting a fool?

Yeah, there's accusations from the Trekkies saying that they're spying on the Warsies, and the Whovians are mocking the Trekkies saying they don't know what sci-fi is.
GRAHAM CLULEY
That is pretty accurate. This is real life, I think.
MARIA VARMAZIS
This is real life, yeah. It's like, welcome to the internet, Carole, this is every day. So where's the fiction in any of this?
GRAHAM CLULEY
Doctor Who fans. And Trekkies, they find it difficult. I must say, there is a—
MARIA VARMAZIS
And yet you and I get along. It's so, you know, peace can happen.
CAROLE THERIAULT
Now what's going on is there's all kinds of infiltration and secret stealing and little cyber attacks and law breaking. Leaks, spoilers. Yeah.

And people, your people seem to always be complaining about you two because you guys can never agree which Zoldan party is best, right? Is it the Trekkies, the Whovians?
MARIA VARMAZIS
It's definitely not The Warsies. I think Graham and I are agreed on that.
GRAHAM CLULEY
It's definitely not Star Wars. It's Doctor Who.
CAROLE THERIAULT
Yeah. Okay. And there's even in-team fighting, the Trekkies are split between the Jean-Luc Picard group and the, you know, James T. Kirk group and the Doctor Who guys. Accurate.

Don't even want to talk about that. Okay. Don't—
GRAHAM CLULEY
It's a total mess.
MARIA VARMAZIS
It's the Conservative Party in the UK. Yep. Yep.
CAROLE THERIAULT
But there is one thing you both share. Okay.

You can both smell the stink of revolution in the air and you agree that this is bad news for the two of you who are the most powerful leaders on Zoldan.
GRAHAM CLULEY
We need to get this fixed, right?
CAROLE THERIAULT
And you your power. You need a game plan to regain control. Where are we going?

And you decide together that you want to identify these bad apples, and you know, the ones that are acting in bad faith and causing the Red Dwarf fans—
MARIA VARMAZIS
Yeah, those Smegheads, we cannot stand them with their holographic H's on their foreheads and everything.
CAROLE THERIAULT
Okay, so we need to spitball some ideas here. How are you guys gonna efficiently and effectively identify these guys and strip them from their powers, right? What can we do?
GRAHAM CLULEY
Yeah, we need to identify them. We need to round them up, send them to labor camps in the north.
CAROLE THERIAULT
Is that what you wanna do?
MARIA VARMAZIS
No, no, no. That's very dark. That's very Who. No, yeah, in Trek, we send them to a distant colony and we're just "good luck."
GRAHAM CLULEY
It's sending people to Australia.
CAROLE THERIAULT
Do you give them a trial or anything?
MARIA VARMAZIS
Or— yeah, no, no, we're just "yeah, just go colonize." I'm sure there's no problems with the indigenous species that live there. I'm sure there won't be an issue.
GRAHAM CLULEY
Oh, thank goodness, because this might happen.
CAROLE THERIAULT
Well, look, I have a solution for you, right?

And it's based on something that us humans tried a long time ago on Earth in a land called China, and it's called the social credit system.

And this is where bad behavior was tied to a low score, and a low score could ruin your life in more ways than one. Now, let me— hear me out, hear me out.

So in the first decades of the noughties, China mashed together economic and social reputations of every person, every business, and they called this social credit.

And the system was marketed as a way to rebuild trust. So China felt that there was distrust and people didn't know who to trust and why they should trust.

And the whole idea was trying— well, this will help you trust people again.
GRAHAM CLULEY
It's a bit like that website Klout, isn't it? Do you remember Klout?
MARIA VARMAZIS
Yes. Oh, it was the worst. It's gone.
GRAHAM CLULEY
I think they tried to give everybody a score, didn't they, based on their social media activity and things? Yeah.
MARIA VARMAZIS
Shut down just before GDPR became a thing. I wonder why. Oh, fancy that.
CAROLE THERIAULT
So the Chinese government was really clever way back then because it was the job of the credit score system was basically to parse all the data it could collect and identify it to a single individual and then give an overall score that assessed the trustworthiness and the compliance of each person.

And a low score would mean your life would suck, but a high score could open lots of doors. And this is where it gets clever, right? This is how you sell it to somebody else.
MARIA VARMAZIS
What does that have to do with Star Trek?
CAROLE THERIAULT
Well, you guys, I'm offering you the solution. I can put this service into Zoldan for you without a problem, right?
GRAHAM CLULEY
So you've gamified it really, haven't you? You've gamified being a good member of society and doing what the joint rulers— well, currently we're joint rulers, Maria and Graham.

That won't last.
CAROLE THERIAULT
Okay.

You know, because all your guys, they have online accounts and you've got facial recognition systems in some places and people are using their smartphones and they're on the network all the time and on Wi-Fi.

All that gives us all the information— behavior and location and who their friends are and what their health records are and what their employment history is and their academic results and their insurance and blah, blah, blah, blah, blah.
GRAHAM CLULEY
Now, as leader, as co-leader currently of Zoldon.
MARIA VARMAZIS
Co, co, yes. Yeah, he has trouble with that word.
CAROLE THERIAULT
Trust me, I know. I know. Yeah.
GRAHAM CLULEY
I quite approve of this idea, provided we've got enough IT security to keep the data secure so it doesn't fall into the hands of the Ming-Mongs or some other country where they may try and exploit it.

Right.
CAROLE THERIAULT
Okay. Ming-Mongs, interesting term. They're an alien race.
GRAHAM CLULEY
They're on the twin planet on the other side of the sun.
MARIA VARMAZIS
Right. Okay. Near the binary star system.
CAROLE THERIAULT
It's true. Okay, so I didn't do my research very well, did I?
MARIA VARMAZIS
Listen, if you're going to create a fictional universe, keep up, okay?
GRAHAM CLULEY
So that all sounds quite good. But is this also good for the people, or should I not worry about that because I'm all right, Jack?
CAROLE THERIAULT
You tell me, right? So let me tell you what happened, what the plan was in China. So the idea was to reward good law-abiding people.

So people that follow your rules and act with integrity and morality, they get a high trust score, and that can really help them move ahead in the world in terms of who they get to hang out with, where they work, where they live, how they travel.

A social meritocracy.
MARIA VARMAZIS
It's what everyone really wants.
CAROLE THERIAULT
And those that don't step into line, all without incarceration or legal entanglements, the system will just basically limit their freedoms and negatively impact their social life to kind of push them into the right direction.

One of the aims in one of the guides in China when they were developing this was "allow the trustworthy to roam everywhere under heaven while making it hard for the discredited to take a single step." That's not terrifying at all.

So for example, in China, caught jaywalking or you don't pay a court bill, play your music too loud on the train, you can lose certain rights, such as booking a flight or a train ticket.

And in fact, by March 2019, China had blocked millions of discredited travelers from buying plane or train tickets.
GRAHAM CLULEY
So if I was there and I was caught, I don't know, wearing a loud shirt in a public place or— What about your shorts were too short? My shorts were too short?

They'd have to be very short, Carole, very short for those to cause offence.
MARIA VARMAZIS
Who wears short shorts?
GRAHAM CLULEY
So then it would be a little black mark on my social media score or something, would it? On my credit. That's right.
CAROLE THERIAULT
But that social credit score might be shared with me when I try to friend you on a social network system, and I might say, oh Carole, do you really want to friend this?
GRAHAM CLULEY
Oh, because I could drag you down.
CAROLE THERIAULT
Yes, because then I'm your friend.
MARIA VARMAZIS
Oh, okay, right. That's terrible. It's like you've got social herpes.
CAROLE THERIAULT
All right, yeah, but if your shorts were a correct length and you donated to a respected charity, up goes your score.
GRAHAM CLULEY
And bingo, it might be— So I have the opportunity to fix a bad score by doing things which our beloved leaders would applaud and—
MARIA VARMAZIS
And paying what sounds like an indulgence fee. This sounds all very medieval Catholicism a little bit.
CAROLE THERIAULT
Well, it's happening right now, Maria. Yeah, it's scary, it's very scary, isn't it? Anyway, so there you go.

So you guys are the leaders, and from your point of view, from people who want to secure, you want to secure your position, your rulership, your society, and the social fabric that you help construct and the laws you have, this is a pretty sexy tool, don't you think?
GRAHAM CLULEY
I mean, I'm just wondering how we're going to overthrow this, because obviously this isn't a very cool thing that's going on.

Now, I remember Ferris Bueller, he managed to hack in and change his attendance records at school or something, didn't he? So he could have his day off.
MARIA VARMAZIS
Not so successful with the car odometer though. Just remember that people forget that part.
GRAHAM CLULEY
So I mean, they must be storing all this data somewhere, hopefully not in an unsecured Amazon, or maybe it should be a little bucket.

But where it isn't properly secured, but there's a risk someone could come in and sort of fiddle the scores, isn't there?
CAROLE THERIAULT
Yeah, I mean, there's a lot of risks.
MARIA VARMAZIS
Well, it's also who determines what's good, what's bad, or what the weights are of—
CAROLE THERIAULT
I mean, imagine for artists, for example, right?

If you're either on trend and you're fitting the moral fiber of the day, or you're a little bit out there, and that might be— that might play again.
GRAHAM CLULEY
Well, I'm also just thinking, as I am the leader of Zordon— co-leader, co, co, co-leader— listen, I'm going to have a lot on my plate deciding what's in and what's not, what's hot and what's— Yeah, you've got a whole job ahead of you.

It's going to be exhausting working out what's a good thing to do.
CAROLE THERIAULT
I just hope your algorithm doesn't ever go wrong, right? Because what's weird about this is it seems as though the burden of proof shifts from the accuser to the accused.

Because, for example, if the machine said, yes, your score should be 50 instead of 500, and you go and argue that, surely you have to prove the machine made a mistake in order for anyone to listen.

So it's a really weird legal change that happens under this, which obviously works for legislation way more than it does for the individual.

So watch out, this is sexy for some governments.
GRAHAM CLULEY
Well, thank you very much for cheering us up, Carole.
MARIA VARMAZIS
What? It's true.
CAROLE THERIAULT
Yeah, well, maybe one silver lining for you maybe is there are a few academics that say, look, we've looked at actually the data they're collecting and it isn't that amazing yet.

It's not enough information that you would require to get a bank loan, for instance. But I keep thinking the word yet, right?

I mean, there's certainly going to be a lot of people going to be working on this to try and make it work as soon as possible. I think their deadline's 2020.
MARIA VARMAZIS
Yeah. And I don't think it's going to be just China. I really don't think it's going to be just China either.
GRAHAM CLULEY
Yeah. So things to look forward to in 2020, as if you weren't worried about anything else happening in 2020. Now you've got this.
MARIA VARMAZIS
No. Yeah. No. Well, you know, there you go. So, but what— Trekkies, what— I just—
CAROLE THERIAULT
Well, coming back— yeah, coming back to you guys.

I mean, if you want to secure your reign, obviously this is the best way forward for you because you'll know all and be able to reward the good and punish the bad, and you'll have all the information.

Or you can relinquish control and realize that no one cares. Trekkies versus Whovians— no one cares. Same diff. It's not the same. It's not the same.
MARIA VARMAZIS
Damn it, Carole, it's not the same. You know, sorry, dudes. Yeah, it's not the same.
CAROLE THERIAULT
And we are sponsored by MetaCompliance. Now, MetaCompliance make this platform to help you train up all your employees in all things cybersecurity related.
GRAHAM CLULEY
That's right. You can simulate phishing attacks. You can teach them about password safety, all aspects of data security.

Go and sign up right now at smashingsecurity.com/metacompliance and you can save because you listen to this podcast. You're a listener to this podcast. Boom.
CAROLE THERIAULT
We are also sponsored this week by our friends at LastPass. Now, Graham, isn't it something like 90% of security breaches involve a stolen password or a poor password?
GRAHAM CLULEY
Yeah, stolen passwords, poorly chosen passwords, reused passwords.

Passwords are really sort of the hinge pin of so many security attacks which happen, which means that you probably want an enterprise password manager like the one offered by LastPass.
CAROLE THERIAULT
Listeners can learn all about LastPass Enterprise at lastpass.com/smashing.
GRAHAM CLULEY
You don't have to say forward slash, by the way, you can just say slash. Just so you know. And welcome back.

And you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week.
MARIA VARMAZIS
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.

It doesn't have to be security related necessarily.
CAROLE THERIAULT
Should definitely not be. Hmm.
GRAHAM CLULEY
Now my Pick of the Week this week is— okay, look, sometimes I have mentioned this subject in the past. But I think this is quite a good one. It's Doctor Who again.

It's not Doctor Who, it's chess related.
CAROLE THERIAULT
Shock! And— I fell over in my chair.
GRAHAM CLULEY
I have stumbled across in the last week a YouTube channel by a bunch of crazy Danish guys who call themselves OutRay Chess.

And they are working with the Danish Chess Federation in helping them promote the game in their country.
CAROLE THERIAULT
Is that a recognized federation?
GRAHAM CLULEY
Yes. The Danish Chess— oh yes, every country has a chess federation, Carole. But they are struggling somewhat.

They are struggling somewhat, chess federations around the world, because the problem is that a lot of chess players are sort of middle-aged, slightly podgy, antisocial men.

And we really need a few more of the lady folks.

Some youngsters get into chess as well, but then they sort of grow out of it until they become middle-aged men and then get back into it.

And so we're not doing a great job at encouraging people to join chess federations, and people are playing online rather than in real life.

Now, the guys at OutRay Chess, they have made some amazing videos.

For instance, let me point you towards the one about Tal versus Smyslov and the sacrificial maniac versus the positional maestro.

They have made a commentary of a chess game but what they've done is they've brought in a real tank, a T-34 tank.
CAROLE THERIAULT
That's loud. Yeah, did I not see quite a strong swear word at the beginning of this video? Smyslov feels, oh, I'm solving all my problems now elegantly.
GRAHAM CLULEY
He plays knight to f6, attacking the queen with a tempo, saying, "Oh, Tal, am I repelling your precious attack?" But now we see a hammer blow from the magician from Riga.

He plays queen takes f7. What?

Anyway, if you've ever wondered how the grandmasters decide to make a particular move, or whether chess is exciting or not, you may want to check out OutRay Chess, because I think he does quite a good job, and he's made some other videos as well, this chap, with a cast of hundreds in some cases.

He has planes in this.
CAROLE THERIAULT
Did he just go underneath the flight path?
MARIA VARMAZIS
Where did he get the budget for this?
CAROLE THERIAULT
I think he's just lying to himself. Do Danes not have jobs?
GRAHAM CLULEY
I think the Danish military basically haven't got very much to do.

There haven't been any Well, I mean, they're just sitting around with all these freaking weapons, just talking about chess. Well, chess is quite a big deal in Denmark.

A lot of people do like chess in Denmark.
CAROLE THERIAULT
And so— I'm planning to be in Denmark. Oh, you lucky girl. I'll go check him out. I'll see if I can find him. I'm sure everyone knows him.
GRAHAM CLULEY
I'll be where can I find him? I've included the link in the show notes, which you can go and check out at smashingsecurity.com if you want to check out the video.

And I thought it was quite an inventive, imaginative way to talk about a game of— a particular game of chess, complete with— Not the Game of Thrones.
MARIA VARMAZIS
Game of chess.
GRAHAM CLULEY
And that's why it's my Pick of the Week. Maria, what have you got for us as your Pick of the Week?
MARIA VARMAZIS
My Pick of the Week is not Game of Thrones. 'Cause I've never seen it.
GRAHAM CLULEY
She's never seen Game of Thrones.
MARIA VARMAZIS
I have never seen Game of Thrones. I know, I know.

All right, so my Pick of the Week is, again, shock and surprise, it's about something that I'm very interested in, and it happens to be Star Trek.

So there are many iterations of Star Trek. One of the best, if not the best, is called Deep Space Nine. It came out in the '90s, it was great, it's 25 years old now.

And the producer/showrunner of the show, he made a documentary about why this show was so groundbreaking and a lot of behind-the-scenes stuff about what went into making it, things they wish they had done better.

Fascinating retrospective on this great series. And it's called What We Left Behind. And this documentary came out in the States, it aired in May.

And it is available to watch, I believe, in June in the UK and Ireland. It's gonna be one night only in theaters in the UK and Ireland.

So unfortunately for our US and Canada listeners, you can't see it in theaters again, sorry, but it's going to be out on Blu-ray in August, so you'll be able to see it very soon.

But if you're in the UK and Ireland, you can go see it. Please go see it if you're into Star Trek, especially Deep Space Nine, because they have HD clips.

They actually remastered a lot of great clips from the show. The behind-the-scenes stuff is fascinating. I cried many times while watching this, it was very affecting.

They get into a lot of great stuff.
GRAHAM CLULEY
About Odo? Is Odo in it? The shapeshifter? Is that his name?
MARIA VARMAZIS
Yes, Odo's in it. Yes, he's in it.

They get into a lot of stuff about social issues in the '90s that prevented them from doing certain story types and what they wish they could have done.

I thought it was a fascinating look, and it's very, very—
CAROLE THERIAULT
This is slightly tangential, but do you want me to tell you my favorite line from Star Trek? The only one, you know, the one I would say is most powerful?

And I bet you could totally identify it, it's probably up there.
GRAHAM CLULEY
Is it when William Shatner says, come on?
CAROLE THERIAULT
No, I'm not even going to say who it is, and I bet she'll identify right away.
MARIA VARMAZIS
I might not, I'm not that great at this kind of stuff, actually. There are four lights. Oh, come on, don't even— of course, that's not even—
GRAHAM CLULEY
Come on, sorry, I have no idea what just happened.
MARIA VARMAZIS
There are four lights when Picard sees— anyway, never mind. Totally. Do you want to know the story behind that whole thing? It was an episode about against torture.

He talked to Amnesty International and they collaborate, I think they worked with the writers on writing a series of episodes against use of torture.
GRAHAM CLULEY
Oh, because the Cardassians, they're into torturing people, aren't they?
MARIA VARMAZIS
Cardassians. Cardassians.
CAROLE THERIAULT
Same diff, really. I'm using that word a lot this week.
MARIA VARMAZIS
Cardassians. Yes, Keeping Up with the Cardassians. Yes.

Anyway, folks in the UK and Ireland, if you're into Star Trek, especially Deep Space Nine, go see the documentary in theaters, it's worth it.
GRAHAM CLULEY
I've never really seen an episode of Deep Space Nine, but I have heard it's quite good, and if I had time, I probably would. I like the Ferengi.
MARIA VARMAZIS
Oh, the Ferengi are— they're capitalism gone crazy. It's a great little— it's very timely now. And if you've ever seen Battlestar Galactica, the new one that Ron D. Moore wrote, he wrote for Deep Space Nine before he wrote Battlestar Galactica. I love Battlestar Galactica, it's that I love.

Yeah, so if you enjoyed Battlestar Galactica, I think Deep Space Nine is an easy segue.
GRAHAM CLULEY
You see, I would be tempted to watch this documentary even though I've never seen Deep Space Nine, 'cause I quite like documentaries, and I think I would find it interesting.

It may be a way for me to get into the show. It's a bit like if there was a—
CAROLE THERIAULT
Steal some ideas for the Whovians.
GRAHAM CLULEY
Well, maybe if there were, there are some very good Doctor Who documentaries on it too, but anyway, if there was a documentary about the Golden Girls, for instance, I'd probably watch that because I think I'd find that quite interesting as well.

And murder shows.
MARIA VARMAZIS
There probably is one called On the Lanai or something. Let's have some cheesecake. I'm sure there is. There's got to be one. That's a missed opportunity if there isn't.
GRAHAM CLULEY
Thank you for being a friend.
CAROLE THERIAULT
Carole, what's your pick of the week? Mine is quick and dirty.

So this is for those that, you know, if you live underground and have no access to anything, Wi-Fi or mobile data— mobile data, can't even talk.

If you don't know who Joe Rogan is, I— you can't be listening to podcasts. Yeah, you can't be listening to podcasts because everyone knows who he is.

You may not like him, but you know who he is.

So he's known for being a comedian, he's big into MMA or mixed martial arts, and he does this whole video podcast, which I personally need to argue, is a video podcast a podcast?
GRAHAM CLULEY
No, it's a video podcast, right?
CAROLE THERIAULT
It's a video podcast. I don't— I think podcast is just audio. I just certainly feel that way. Anyway, strong feelings.
GRAHAM CLULEY
Yeah, I guess so. I've never heard Joe Rogan's podcast. I know he's a very popular podcaster.
CAROLE THERIAULT
Yeah, it's long form. They tend to have chit-chats, unedited. He's very open about what he knows, what he doesn't know, his views, his thoughts. He's built huge, huge following.

He also did a lot of, I think he did TV before too. So I don't know if he came to the podcast world with a huge following.
GRAHAM CLULEY
He did the podcast that Elon Musk went on and lit up a great big doobie, right?
CAROLE THERIAULT
I have no idea. I don't know enough about him.
MARIA VARMAZIS
I think so. I think so. All right.
CAROLE THERIAULT
Sounds about right. Anyway, so I saw on Reddit on the podcast feed that Dessa have pulled together a model that replicates Joe Rogan's voice to showcase the current artificial intelligence techniques. And they've created a little game where you can decide if it's the real Joe Rogan speaking or a fake.

Do you guys want to play?
GRAHAM CLULEY
Oh, I wouldn't know what he sounds like, to be honest.
CAROLE THERIAULT
But well, no, no, but yeah, but I've only listened to maybe one or two shows in my life, right? He's not a big—
MARIA VARMAZIS
I only know him from TV, really. I've never listened to his podcast.
CAROLE THERIAULT
If you listen to one or two of these, there's a link in the show notes.
GRAHAM CLULEY
So I've gone to fakejoerogan.com and here we've got a whole bunch. We've got a grid of things we can play.

And I imagine we then, we listen and then we have to decide if they're real or fake.
CAROLE THERIAULT
Yeah, yeah, yeah. It takes about a minute of your time. So listen to one and then just decide if you think it's real or fake.
GRAHAM CLULEY
Okay, let's do the first one. What was the person thinking when they discovered cow's milk was fine for human consumption? And why did they do it in the first place?
MARIA VARMAZIS
No, I got one saying you are much less likely to injure yourself if you do it correctly.
GRAHAM CLULEY
That was what it said. Much less likely to injure yourself if you do it correctly. So I think mine was fake. So I'm going to hit the fake button. Correct. I got it right.
CAROLE THERIAULT
Hey, why do you think yours was fake?
GRAHAM CLULEY
It just sounded a little bit— well, first of all, it's just stupid content, but it just sounded a little bit clipped to me.
CAROLE THERIAULT
So I did them all. Right. And I got one wrong, the first one wrong. And then the rest I got right because suddenly my brain adapted very quickly as to what to listen for.

Weird hesitations, longer and shorter hesitations. Yes. So there was just a few weird giveaways. I probably didn't even notice most of them because they unconsciously hit my brain.
MARIA VARMAZIS
But so there are tells in there that you're able to detect. That's interesting, though.
CAROLE THERIAULT
It's pretty scary how accurate it is. They've put together a video of him saying lots of different things, and you kind of watch it and you think, oh my.

So it's not long before we won't be able to trust anything that you hear, including someone who claims to be from Smashing Security.
MARIA VARMAZIS
I've been generated fakely this whole time.
CAROLE THERIAULT
Well, hey, you're welcome anytime. Hooray!
GRAHAM CLULEY
So I've just done a few of these. Sorry, I don't know what you've been talking about. I've just done a few of these. And I've got 100% you, Carole, at the moment.

So of the ones I've done. It is quite good, but it's not quite perfect.
CAROLE THERIAULT
No, but you have to really listen though. If they were talking and, you know, you— well, maybe in this— yeah, we were talking.
GRAHAM CLULEY
The other thing is that you alerted me. You told me, listen out as to whether this is a real or a fake. If I'd just heard it, I wonder if I would have spotted it or not.

I suspect I probably wouldn't.
CAROLE THERIAULT
So, as Dessa say in their announcement, it's pretty fucking scary. So there you go. You want to play?
GRAHAM CLULEY
Is that a natural quote? In that press release?
CAROLE THERIAULT
Yeah. Well, the F-star-king, but I think we all know what that means.
MARIA VARMAZIS
Yeah, there was one I swore, I was oh, that's so easy. That one's definitely real. And it was fake. Yeah.
CAROLE THERIAULT
So check it out. Fakejoerogan.com. See what you make of it.

I'd be really interested in hearing from people that are actually big Joe Rogan fans to see if they found it easy or difficult.

I mean, I don't know, Graham, we spend a lot of time editing this podcast, right? So we maybe have an editor's ear now. Maybe a listener's ear would find it more difficult. Who knows?

We don't edit.
GRAHAM CLULEY
This podcast, Carole? Hardly at all. You're right.
CAROLE THERIAULT
What was I— What am I thinking?
GRAHAM CLULEY
We just add some music at the start and the end. Some plinks and some plops and— Carole, I think you're really great. You know that? That was definitely fake.

You're the favourite podcast co-host. Can't imagine. Oh, you get co now. Yeah, now it's co-host.
CAROLE THERIAULT
If he talks about me, it's always co.
MARIA VARMAZIS
Yeah, he doesn't practice that.
GRAHAM CLULEY
And on that bombshell, we've just about wrapped it up for this week. Maria, I'm sure lots of our listeners would love to stalk you online. What's the best way for folks to do that?
MARIA VARMAZIS
Please don't stalk me. You can find me on Twitter @mvarmazis, @mvarmazis, that's me, or on Mastodon if you're on infosec.exchange, I'm @maria. Either one's great.
GRAHAM CLULEY
Yeah. And you can follow us on Twitter @SmashInSecurity, no G, Twitter wouldn't allow us to have a G, and you can also join our discussion on Reddit.

The quickest way to find our Reddit subreddit is smashingsecurity.com/reddit and it will take you right there.
CAROLE THERIAULT
Hugs to this week's Smashing Security sponsors, LastPass and MetaCompliance. Their support helps us give you this show for free, so be sure to check out their offers.

And kisses to you, our lovely listeners. I dread to think where we'd be without you, so thank you.

Check out smashingsecurity.com for past episodes, sponsorship details, and info on how to get in touch with us.
GRAHAM CLULEY
Until next time, cheerio, bye-bye.
CAROLE THERIAULT
Bye.
GRAHAM CLULEY
I just paused, Carole, because you were talking about kissing our listeners after I got in trouble.
MARIA VARMAZIS
I know.
CAROLE THERIAULT
I didn't say with tongue.
MARIA VARMAZIS
This— I don't do that.
CAROLE THERIAULT
I haven't done that since I was 18. Who do that? Too much information. Yeah, yeah, it's a podcast. Surely that's another stipulation of a podcast.
GRAHAM CLULEY
And what, kissing?
CAROLE THERIAULT
It's cold outside, cold outside.
GRAHAM CLULEY
I'm going to hit the stop button.

Hosts: Graham Cluley, Carole Theriault

Guest: Maria Varmazis

Sponsor: LastPass

LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.

But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.

Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.

Sponsor: MetaCompliance

People are the key to minimizing your Cyber Security risk posture. MetaCompliance makes this easier by providing a single platform for Phishing, Cybersecurity training, Policy, Privacy and Incident management.

Listeners can get a 10% discount off the high-quality CyberSecurity eLearning catalog by quoting the code SMASHING. Visit smashingsecurity.com/metacompliance now.

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
