
You won’t believe who had to report themselves to the data protection agency for a breach, or who has been sharing doctored videos of political rivals, or how much money you can make selling a laptop infected with malware… and how Carole gets her diva on.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, who aren’t joined by a guest this week.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Newsflash! Newsflash! Smashing Security has made it to the finals of the European Security Blogger Awards. If you can be arsed, please go to smashingsecurity.com/vote and vote for your favorite security podcast. Voting closes on the 31st of May, so don't delay or I'll electrocute your eardrums. That's smashingsecurity.com/vote. Now, on with the show. Smashing Security, Episode 130: Doctored Videos, BCC Blunders, and a Diva, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 130. My name is Graham Cluley.
God, 130 sounds amazing. I'm Carole Theriault.
Half past one. And we are joined by the illustrious, the amazing, the incredible, the extraordinary, no one. Absolutely no one. It's just you and me this week, Ro. Why is that?
Well, we've been travelling different places, different times. It's been a bit insane.
You've been to beautiful Denmark.
Yes, I'm talking about that later in my pick of the week.
Oh, are you? Okay, no spoilers now. Yep. I don't know if they say that, but yes, I've been down there. I gave a little talk, which went wonderfully. I've been all the way down to Johannesburg in South Africa.
Diplomatic immunity.
I met some Smashing Security listeners down there.
Jo'burg. Did you? Why are you surprised?
It was always a pleasure. They came up, shook my hand. I gave them some stickers and bid them on their way.
Were you wearing a Smashing Security t-shirt with you?
I was not. No, no. They knew who I was because I was standing on a stage giving a talk and they came up afterwards. Obviously during the talk, I plug the podcast. You know, I drop it into the conversation subtly, subliminally.
Any podcasters listening, this is what you need to do.
Well, I'll tell you something else you need to do. Word on the street has it that Apple has changed the way that Apple Podcasts and iTunes works.
In a better way?
Well, possibly better for us as podcast producers and indeed listeners as well, because for a couple of years, Apple's new and noteworthy section and what's hot, it's been horrific. They haven't been updating. Their new and noteworthy was full of podcasts which haven't released a new episode for about 3 years.
It's driven me mad because I often use the native podcast app and I find it revolting. You know, you go in and finally, there's podcasts from 2016.
Well, I'll put a link in the show notes, but there's a bunch of dudes who reckon that Apple has now updated this and it appears they have because I went on to iTunes in the UK. I went into the technology and tech news section and went to what's hot, and we're in there.
Of course we are.
Which we haven't been before. Well, we haven't been there before because they never updated it.
We have been there before. Haven't we been there? We've been in their top 100 list a number of times.
Oh, piff-paff-poof. Carole, we've been in the top 10 of technology before, but this is in the what's hot section, so it's more exposure. Now, I've heard, and again, don't know if it's true because there's a lot of different people saying this, but according to this research, Apple have updated it. So they are finally, those two sections at least, basing it upon reviews and ratings which loyal listeners give to podcasts.
Ah, so now they're finally realizing that the work that people do by filling in reviews should mean something.
So this is our shout out to our faithful fan base that if you've ever thought about leaving us a review, on Apple Podcasts/iTunes.
Now's the time.
Now's a perfect time, isn't it? Because it might actually mean something.
Look, you know what? Why don't you just put it on pause? You go do that and we'll wait for you.
Oh yeah, okay. We'll play some hold music.
Yes.
Okay, everyone's back now, Carole. I'm sure they've done that, right? So what's coming up on this week's show?
Coming up on this episode of Smashing Security, first off, we need to thank our sponsors, Recorded Future and LastPass. Their support helps us give you this show for free. Now, Graham, you were talking about a data breach. Let's see if you can make that interesting as well as informative.
I'll try.
And I'm gonna dive into the world of digital propaganda, AKA fake news, AKA—
Oh, get on with it for goodness' sake. Phishing.
Can we get on with the show? All this and a teeny weeny little bit more coming up on this episode of Smashing Security.
Now, Carole, have you ever been responsible for a data breach?
Well, I once almost replied all on a pretty unfortunate email, which I ended up unplugging the cable because it was pre-Wi-Fi days.
So as I remember, you were replying to an internal email, weren't you?
Yes, to a dickhead.
It wasn't so much a data breach because all of those people knew each other's email addresses already. Because you said someone's a bit of a knob.
So that's another way of putting the word. Yes.
It was more of a career-limiting move which you made. The point is that a data breach doesn't have to involve a hack or an unsecured Amazon web bucket or anything like that. Any of us can accidentally cause a data breach with email if we're careless with our email.
Yes.
It's easy to do. And it seems many companies keep on suffering from this kind of data breach. The most simple form might be something like sending an email to a large number of recipients and putting their email addresses in the CC field rather than the blind carbon copy field.
Yes, that happens a lot. I've seen that happen to basically even heads of IT.
Oh yeah, it can happen to anybody. It's very easy to do if you're not in the habit of—and who is, quite frankly, who is properly in the habit of checking themselves when they send an email? 'Cause you send thousands of emails every day and you know, you're busy and you're not thinking about what field you're putting something into. And it's not just potentially a data privacy issue if lots of email addresses get leaked because they've been put in the CC field. It also could be a big problem if someone does a reply all to one of those monster threads. You know, the problem just gets bigger and bigger. It becomes an email bomb effectively. 'Cause people said, "Hey, you left out all our email addresses in the CC field," hit send, and that goes to everybody on the list again.
Mm-hmm.
And this has happened to some big companies, including organizations you hope it wouldn't happen. Security training firm KnowBe4, for instance, they had one of these gaffes where they put people's email addresses in the CC field rather than the blind carbon copy.
There was information inside the contents of the email. Sorry, I won't say it. KnowBe4? Don't know.
Ad blocker Ghostery, they had a similar goof as well. One of the real monsters was in November 2018 at the National Health Service, a test email was sent by accident to 850,000 NHS workers.
That would have been shared with the entire company?
That's all the ones who have an email account. And by the way, that's about 1% of the entire UK population.
That would have been quite embarrassing to the dickhead.
And of course, people started replying saying, hey, how can you do this?
Oh, dear Lord.
Now the newspapers got hold of this, of course, and they were reporting on it. And the NHS weren't able to email an official statement because their email had clogged up and turned to porridge. And so they were phoning people instead.
That's the problem when you're in a disaster, then the media come hounding you because they want a comment and you're in the muck, aren't you? You're in the soup.
Absolutely. We've been there before in the old days. We were often in the soup, weren't we? But so a subsequent investigation revealed that between 8:29 in the morning when the email was first sent and 9:45 later that morning, so just an hour and a quarter later, half a billion emails crossed the NHS network. Normally, their normal traffic volume was around about 3 to 5 million emails per day. So it was a ginormous amount of email. The problem got so—
They had a nice spike.
Well, they weren't the only ones who noticed there could be a problem. The problem got so bad that Google actually blocked access to the entire NHS network, thinking that a botnet was at work because of this huge amount of traffic which was occurring.
It's very dangerous, isn't it? I mean, it's the NHS. So they're blocking all traffic coming in. Like, hi, I'm having a heart attack. What do I do?
I don't know if people email in their heart attack problem. Maybe if 999's not working properly. Oh, you know, it doesn't matter. I'll send an email. You know, they're not answering at the moment. You know, they don't tend to do— I mean, interesting approach you have there. I need some advice. There's a man collapsed on the ground. I'm not sure if he's breathing or not. How do I use the defibrillator? Could you send me a link to the FAQ, please?
Sincerely, best Carole Theriault. Okay.
So there's this problem of email bombs, but there's also this problem of innocent people's email addresses leaking out because they've been put in the CC field. So it's all sort of— now, I was wondering, how on earth can we prevent this? And I think there's a number of possible solutions which I'd like us to talk through.
Did you put your thinking cap on, Mr. Cluley?
Well, my thinking cap sadly didn't fit very well. So I also asked on Twitter if anyone had any ideas as well. So we've got a combination of—
Crowdsourced again. Story.
So here's one of the ideas. One is that maybe you should always use the BCC field rather than the To field. So maybe every email should be a BCC.
I don't like that.
Well, yeah, I think it's flawed as well.
Okay. Do you want to go first? You can look smart.
No, you tell me what you think is wrong with it.
I just think, I think if someone's sending me an email and they have BCC'd someone, if I find out about that, I don't like it. I really hate it. I think it's tantamount to filming someone without their permission.
In 2018, a study was conducted. See, I did my research. It revealed that people considered BCCing a supervisor or a boss, it basically eroded trust.
Yeah.
It was seen as less moral, more secretive, and more intimidating than CCing the boss. So if you did it sneakily, and I know as you know, on occasions I have been a boss, that if someone BCCs—
A very, very good one, may I tell all the listeners. I remember hearing from your wonderful lucky employees.
But if someone were to BCC me, I would think, oh, I know, that's interesting that they've copied me on this. I might actually have a dim view of the person who BCC'd me as well.
But after you've read it and figured out there's nothing juicy.
Yeah, yeah, exactly. And also, there might be times when you do need to include others in the conversation, right? When it's a group discussion, you don't want everyone to be BCC'd because sometimes you do want people to reply to the group.
Yeah, I would say most company or corporate emails that certainly in my day, I would say at least 60, 70% involved more than two people. That wasn't always necessary.
No.
But they did. I was often CC'd in.
So always using BCC rather than to sounds like it might work until you think about it for 10 seconds and then you realise not really great answer.
It took me 2 seconds, but yeah.
So another possible solution. Some email clients hide the BCC option. Right? You have to press a button to display it.
Yeah.
Maybe BCC should be visible by default and you have to press a button to access the CC one. So it's more sort of conscious, oh, I need to CC these people. Would that make it less likely that you would accidentally leak people's email addresses?
Nah.
You don't think?
It just brings it back in the same problem, right? Because you have to kind of go CC. I mean, you're saying people have to think about clicking CC. Who doesn't know that CC copies everybody? Well. Who, who? It's 20, it's almost 2020. Come on.
Well, people are just on autopilot. Yeah, the thing is that it's the exception. It's not the norm to BCC, is it? But on particular occasions, it's really, really important that you do BCC rather than the thing you do 95% of the time.
To BCC or CC?
Is that Shakespeare?
Yeah, Shakespeare. Shakespeare.
Shakespeare. So, all right, another solution. Why doesn't your email client or something on the email server spot that an unusually high number of people have been CC'd, maybe, I don't know, 50 or something, anything more than 50, and prevent the email from being sent until—
There are systems that do that because I know, because I have tried to spam journalists before in my PR days.
Oh, okay.
And it can stop it. So yeah, there's a block saying, oh, there's more than 50 people here. Are you out of your mind?
Now, do you remember what email system that was? Because I was asking on Twitter and no one could come up with one.
I actually, I don't even remember exactly when it was, but I have a feeling I was still working for a corporation at the time. So I think the company, the IT admin probably put a limit into the number of recipients that could receive the email.
Well, I want to know if anyone has managed other than Carole's IT department to successfully set this up. Because most of the people I was asking on Twitter said, you know, this is really how we should do it.
Doesn't Google do it? Google Mail does it.
Yeah, but that's not— Yeah, but don't you want a solution which works with the most popular email clients rather than—
Oh yeah, Gmail. You're right. No one knows about that one.
No, no, no. But in the business situation.
Yeah, of course. You're right. No, no, no one uses Gmail in the business situation, right guys? Nobody.
Oh, for goodness sake. Some people do, but they're also using an actual piece of software on the computer and Gmail isn't a piece of software on your computer. You've got a different client there, haven't you?
Yeah, it's 2003 everyone. We've warped back.
Anyway, I think you're probably right, right? So probably Google Apps for Business, right? The business version of Gmail. Google Gmail probably has administrator options, I would imagine, to bounce back and put rules in place to look for too many safe sends.
It also doesn't love spammers using it as a platform, right? So they have an interest in that.
Yeah.
I was also contacted by a fellow called Extra Coconut.
I would trust him now. I trust him 100%.
It's a bit of a novelty, isn't it, having an extra coconut? He was on Twitter. He pointed me to a Norwegian company called SafeSend who seemed to have some kind of plugin or something which works with Office 365 and Outlook, which again warns you if you're CCing too many people.
Allegedly.
Yes.
I have not done any research yet.
He says he doesn't work for them either, but it's maybe one to check out. I'll put a link in the show notes. Now there's another issue as well, which was with this whole CC and BCC thing, which is if there's a message sent to people and CC to others, and then you are secretly BCCed, there's a danger that if you hit reply all, if you are the person BCC'd, that lets everyone else in on the fact that you were BCC'd, doesn't it?
Oh, totally.
Totally.
That's happened to me many times that I've been BCC'd on an email because you know how—
How come you get BCC'd on all these juicy emails all the time?
Because I was a boss for a long time and that's the way you communicate boss to boss.
Oh, I see. Very important person.
This is the old days. I'll write a book one day.
So there's obviously issues. It's a flipping minefield is my TL;DR on all of this.
Oh, look at you using the acronyms. Thank you.
Well, I learned it last week. Yes, that's right. Shaking my head, Sydney Morning Herald. So, I mean, another solution might be for those sort of communications where you're communicating externally and it's really important you don't leak those email addresses, you could use mailing list software. That could be a way to do it. And then everyone gets an individual email. There's no, rather than pasting in people's addresses, just prone to disaster. Now then, all of this was brought to my mind because last Friday, the Dutch Data Protection Authority—
The Dutch again?
Yes. Let's not, don't worry about that. I know it's the Dutch again. They sent out an email campaign to raise awareness of the importance of GDPR.
You see, I love the Dutch.
The email subject line was, 'What does the Privacy Act mean to you?' Okay. Now you can probably guess what happened.
A big hitter. Big hitter. Went viral.
No. Well, they didn't attach anything. There wasn't a malicious link. A spokesperson at the Data Protection Authority, he of course put 38 addresses of journalists, editors, and such in the CC field rather than the BCC. So easy. So easy. Any of us can do it. Even the Data Protection Authority.
Literally the worst people you could CC in the entire world.
Entire world. So the Data Protection Authority basically told journalists, we've been careless with your data. And these smart aleck journalists had a great response, which was, any other company which had done this would have to report itself to you.
So they reported themselves.
And so the Data Protection Authority said, well, you know, we have a very strict procedure for security incidents and it's gone up through the process.
Exactly.
You know, it goes to the department head and security officer, data protection officer. We're going to assess whether a data breach has occurred and whether it needs to be reported. And so on Monday at noon, the Dutch Data Protection Authority reported its own privacy snafu to itself.
Beautiful.
Isn't that wonderful?
It's beautiful. And you know what?
Good for them for doing it, not burying it, because that has to be embarrassing, right?
Well, a little bit. At least they did it.
You know, at least they braved the consequences.
You're praising their transparency, are you? Yeah. They've been a little bit too transparent with those email addresses, haven't they? But there is another slight niggle, slight wrinkle, which is that under the data protection laws, you have to notify the data protection authority within 72 hours. I say, how do I remember that? They took about 75 hours.
And of course, every single journalist who was CC'd on the list plus their names. They've got the signs to point it out. Yeah. Okay, I don't know. I think this is a bit of a storm in a teacup. I mean, they've done the right thing. Well done. But anyway, just listen to my story and then we can talk.
What they've done is wonderful because they've raised awareness of the issue. And what a creative, wonderful way to do it.
Exactly. You couldn't pay for that kind of advertising. All those journos talking about GDPR.
Well, Graham, I gotta tell you, I'm a little depressed.
What are you depressed about? Europe?
EU politics, anyone? Yeah, so the populist, the right-wing nationalist, it seems topped the polls not only in France and Italy but also in the UK. So what a team: Le Pen, Salvini, and Farage. Did you know a fifth of the UK vote went to that turkey Farage? While the other candidates like Lib Dems, the Greens, Labour, Conservatives all fought between themselves. It's the old war adage of divide and conquer still works a treat.
Yeah.
And let's face it, this divide and conquer rule could be a concern in the US 2020 elections too.
Oh, I think you'll find the States is very united. They're not split at all.
I would say that fake news played quite a shitty role in the Brexit and in the previous US election cycle. And it seems it reared its head up during the EU election campaign too. Quelle surprise. According to an analysis reviewed by Politico, more than half of Europeans may have seen some form of disinformation promoted by Russian actors on social networks, all ahead of the EU parliamentary election.
Oh, so this isn't the American 2016 election. This is the elections that we've just had in the last few weeks.
Yeah. More than half. So if you think 170 million voters, plus their kids who live in Europe, right?
Yeah.
That's significant. Now, don't worry though, 'cause Facebook, who have learned their lesson through the last year, the quagmire of crap they've been swimming through.
There was no fake news there at all, right?
No, they were totally at the ready. So the social media giant had about 40 people that they hired hunched over their screens around the clock monitoring the shifting pace of online conversation, looking for signs of things like manipulation or fake news or hate speech. This is all reported by The Guardian. Well, I say, Facebook, 40 people around the clock, are you pushing the boat out? I mean, this is a generous effort and it will certainly tackle disinformation in the important EU elections, don't you think? It only impacted 170 million voters.
It probably cost them quite a lot of money because they wouldn't have wanted to outsource it to Ukraine or somewhere.
Well, they had to cover all the languages, of course. Right, so that would have added to their big ticket. I mean, and you know, they're not as loaded as they were. This is from a company whose quarterly revenue from January to March this year was only $15 billion. And Zuck himself said in the report, "We had a good quarter and our business and community continues to grow."
You sound a little bit bitter, Carole, about Facebook.
I'm just a bit depressed. And this is all not to mention Zuck then pulling the "feeling cute, may not attend" the international hearing in Canada's House of Commons. I don't know, so yeah, there's that.
Oh yes, because the Canadian politicians, rather like the British ones, they asked him to show up, didn't they, and answer a few questions, and he won't do it.
Not just them. They had a few other countries represented as well. It was an international consortium that wanted to chat with them. It just happened to be in Canada, which is quite close for Mr. Zuckerberg to fly over. Not a big deal. Anywho, there's all this, so I thought, let's talk fake news, right?
Okay, go on then. Carole, what's your story for us this week?
As we're talking about all things political and what with the EU elections, why don't we focus on the Nancy Pelosi video scandal? Have you been following that?
So she is, she's the head of— she's the U.S.—
Speaker of the House. Right, Nancy Pelosi.
Yes, she's quite high up, isn't she? She's quite high up. I mean, she's very high up.
She's a thorn in the side of Mr. Orange.
Or sorry, Mr. Trump. Who would want to be a thorn stuck into his brain?
Every rose has—
Yeah. And there's been a bit of a digital blame game going on with regards to this video. And I thought we could look at the responses from the three big boys: YouTube, Twitter, and Facebook and chat about them. You know, it's just the two of us.
So what video is this? What happened with the video?
Okay, so on May 23rd, Trump lawyer Rudy Giuliani tweeted a video of Pelosi. Yes, that was slowed down to 75% of the original speed, and this made her speech sound slurred. And his tweet was, "What's wrong with Nancy Pelosi? Her speech is bizarre." I've taken our podcast before— I can't remember why, I think I was quite— but if you listen to a podcast at about 75% of normal speed, the people do kind of—
I mean, I sound like that normally. But people do sound rather wasted. Yeah. Okay, so he assumed it was genuine. He hadn't created the video.
Okay, I want to stop here. Do you think he knew the video was doctored or not? You think he just saw it quickly or he thought some, one of his aides said retweet this or they did it on his behalf?
He just probably thought it was juicy. I mean, it's not like he's a cybersecurity expert. Oh yes, he is supposedly. But you know, it's not like, you know, he might assume it was genuine. I don't know. I smell a fish. Okay.
I smell a fish. I just think maybe, you know, they're viral experts, these dudes, right? So they put it out there. They waited until it got, you know, people realized how juicy it was and the fact that he'd shared it. Obviously copied the video.
And then he took it off going, 'Oh, sorry, sorry, sorry.' And it's very damaging. I mean, even if it was later withdrawn, because once people have seen it, and it makes it juicy.
We know this from our, you know, from our PR days of yore, right?
Wasn't there this thing during the election where Hillary was meant to have some kind of health problem, or she was caught on video doing some kind of weird kind of—
Yeah, she had a cold or something. And they totally exaggerated like she was. Yeah, right. Right. Anyway, back to the video scandal. Okay, so the story gets better. The story gets better. A few hours later, Fox Business plays a doctored video. Okay, now I don't know if Fox Business knew it was doctored, but doctored video of Nancy Pelosi exaggerating a minor stammer to a major stumble, and it was edited in a way that muddled and repeated her words, making her appear confused, and some people even say ill. What happens? Only the press. Mr. Trump himself retweets it with the heading, Pelosi stammers through the conference. Oh boy. So we have two videos that have been seen by millions that show doctored, unflattering footage of the US Speaker of the House, Nancy Pelosi, in an effort to make her look— some people said drunk, some people said dumb, unfit for the job. This basically seems to be the conclusion. And they were retweeted by the president and his own lawyer. Now, just a quick aside, and you know this, but just for those that don't know, because we have an international audience, Pelosi and Trump are not mega friends, right? They're not hanging out on Friday and having smoothies or milkshakes together. Are you sure about that? Currently, currently, right now at the time of recording, they're both swiping at each other's mental fitness. She's a mess, says Trump recently. And she's like, I pray for the president of the United States after a Trumpian temper tantrum.
So it's not Donald and Nancy sitting in a tree, kissing. Yeah. Trump-Pelosi forever.
No, I don't think that's happening. OK. OK. But the whole point here is the videos are doctored, they're getting millions of views. Everyone seems to know they're doctored. And we all know they're doctored with Pelosi as the main star of the shows. We don't have her thumbs up. We all seem to know that. And so my question is, what do the three giants do, right? There's YouTube, Facebook, and Twitter. Okay. So Google, who owns YouTube, removed the video from its platform pretty darn quickly, determining that the alteration went too far, that, you know, the massaging of the truth was too far. Facebook reluctantly started limiting the video's distribution, but declined to remove it.
So what do you mean limiting its distribution?
Well, let me just do this quote and then we'll talk about that. So we want to help people stay informed without stifling productive public discourse. There is also a fine line between false news and satire or opinion. And for these reasons, we don't remove false news from Facebook, but instead significantly reduce its distribution by showing it lower in the news feed. So nice, interesting way around this, because obviously they want to avoid the quagmire that is free speech. Anyone can put out what they want.
And if I was to be devil's advocate—
Oh, you've never played that role before. Good luck.
You could argue, right? I imagine people could argue. You could say, well, it's good for people to see this video because then you see the dirty tricks which are being played and you might want to investigate who made that video and why. Whereas if it's not distributed and no one else sees it other than the people who initially fell for it, but Facebook, what are you playing at? Hasn't Facebook been in enough of a mess regarding this kind of stuff?
We haven't talked about Twitter yet. Okay.
Oh, go on. Oh, well, Twitter are always great about Trumpy, aren't they? On Twitter.
The hashtag #deletefacebook was the top trending topic nationwide, so US-wide on Saturday. Really? Yeah. And weird, because you can still see the video on Twitter on the president's feed. And what's Twitter to do? Right? So they can't delete it from his feed. They've never done that before.
Well, they don't like to reprimand him on his Twitter feed.
Well, have they ever?
No, exactly. Because he is basically, they're different. Other than that time they accidentally turned off his account.
Yeah, exactly. And they're not going to convince him to delete it. What, he's going to admit to screwing up? Give me a break.
But even if he has chosen to now delete it because it's, you know, basically— But he hasn't deleted it. Is it still there?
Yeah, go look.
Here we are. Stammers. Is it the stammering one?
Yeah, it's the one he did. Oh, yes. There. See? Still there. Because he's not going to delete it. So it's just the irony of there being this huge backlash on Twitter for telling people to delete Facebook because Facebook wasn't doing enough about this video. Meanwhile, you can find it easy peasy lemon squeezy on Twitter. So interesting. Now, how do we combat fake news? This is the important thing, right?
Oh, okay, yeah, let's do it. You got the answer.
Let's go to the government. Government. So I thought, what is the UK government talking about? Do they have anything on this? And they do. They even have an acronym, the S-H-A-R-E checklist.
Can you say that again?
Yeah, share. Do you know this?
The Share Initiative.
Okay, so before—
Are they planning to turn back time?
If I could find a way—
I could totally do Cher.
Right, okay, so let's go through this. I want you to be devil's advocate here, okay? The devil's advocate. Okay, before you like, comment, or share online, says the page, use the share checklist to make sure you're not contributing to the spread of harmful content. Number 1, S stands for source. Make sure the story is written by a source you trust with a reputation for accuracy.
Okay, that's fair. Donald Trump has tweeted it. I trust it. Yeah, I'm gonna— United States, why wouldn't I trust him?
Why would I trust him? Okay. Carry on. H for headline. Always read beyond the headline. If it sounds unbelievable, it very well might be. Okay, well, thanks, thanks guys. Yeah, okay. But yeah, basically don't just read the headline, don't just read the blurb, read that, read the content, because, you know, we all know about clickjacking on this show.
Yeah, people retweet stuff without actually reading it. They might just like the tweet and not look at what that says on the link.
Okay, you know what, that would be a good feature from Facebook and all these others, that they'd say the person never actually looked at the link. So it's being sent to you, but they never read it, just FYI.
Yeah, wouldn't that be good? Yeah, they'd never do it. I know, but that'd be good.
Me too. Okay, A for analyze. Make sure you check the facts. Okay, so you're— you're— how many— how many links do you look at a day? I don't know, I probably look about 500, 1,000. I do check the facts actually, because I have to when I do my work. But professional. Yeah, but if I'm just scooching it for my own sake and sending you a link to say, hey, here's this cool chess story because I think you like chess and I don't really want to actually say, hi, how are you? So I just forward you that and then you think, oh, she's thinking of me. That's nice. Right? Right. Right. So that's the problem. Okay. Now, R for retouched. Check whether the image looked like it has been or could have been manipulated.
How are we going to do that? Exactly.
I don't know. Sometimes they are authentic, but they have been taken out of context. Well, that puts a lot of responsibility on me, I think. I'm not a Photoshop expert.
I can't tell. Exactly.
And E for error. Many false news stories have phony or lookalike URLs. Look for misspellings, bad grammar, and awkward layouts. Okay, we say that too.
I think some of the letters of that acronym were rather crowbarred in, to be honest.
Right? And you know what? I hate to end on a big FUD, you know, fear and doubt and all this, but just wait for the deepfakes, kids. Just wait for them. That's going to be great fun. Then we'll be able to trust everything.
And that's just a joke. Did you see the thing the other day where they took the picture of the Mona Lisa and they were able to get it to sort of talk and move and things like that?
No. Is that your pick of the week? It should be your pick of the week. Okay, well, too bad, because it sounds good. Do you want a handbook full of practical steps for applying threat intelligence in any organization? Of course you do. Of course you do. Well, have I got a giveaway for you. It's a handbook full of practical steps about how you should apply threat intelligence in your organization. It is called the Threat Intelligence Handbook. Handy, right? And it's available from Recorded Future. Do you want a copy? You can have one for free. Go to smashingsecurity.com/intelligence to get your own free copy.
It's good stuff. You know, it's like 100 pages. It's a good little handbook. Go and grab it.
We don't even need you.
Don't need me. Oh, I just want to ensure if you want me or not. Okay, fine.
No.
So security breaches are happening all the time and there's often a common denominator, sloppy password practices. Enterprises which want to be effective about securing themselves need password management in place that can help them ensure that passwords are properly protecting their accounts. What better product can you grab than LastPass, the Enterprise Edition. Go to lastpass.com/smashing, and thanks very much to LastPass for sponsoring the show.
Yeah, you might want to do yours one more time. You sound a bit drunk.
And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like. Doesn't have to be security related necessarily.
Just felt alone there. It just shouldn't be. Talk security the whole time.
Well, we've always said it doesn't have to be. And mine this week is slightly security related. And so I want to talk to you about modern art and a piece of work put together by an internet artist called Guo O'Dong, who has—
Okay, you're going to have to spell that out for me.
G-U-O and then the letter O, Dong. I think O'Dong doesn't mean he's Irish. I think it's just his middle initial is O. Anyway, I'll put the links in the show notes for you, Carole Theriault, so you can check him out.
The persistence of chaos. This sounds a bit deep for you.
Oh, you'd be surprised how deep I am because he has been auctioning off his latest piece of art, which is a collaboration between himself and a cybersecurity company called Deep Instinct. And it is a laptop computer. And the laptop computer has on it half a dozen pieces of malware, and he's been selling this as art, right?
Okay, which pieces of malware? So he has 6 pieces of malware on the system. Okay, what are they?
Would you like to know what they are? ILOVEYOU, also known as the Love Bug.
Ah, we know about that one. Yeah. MyDoom, which spread— yeah. They're all from the same— okay, so he's old like us. Oh, hang on.
WannaCry, which hit the NHS a couple of years ago. Dark Tequila, which hit Latin America and was stealing bank credentials and things like that. And BlackEnergy, which hit Ukraine and caused a big cyberattack over there and caused some problems.
I don't know that one. Is this legal?
Well, it is legal because selling malware isn't a crime.
You think that's cool? This is your pick. No, no, no, no. Selling malware is not cool. He's a gun for hire, people.
But there's no law being broken.
Computer crimes committed if you make— He's spreading malware. Well, is he? Not really. It's even worse.
No, no, no, no, no. You're wrong. You're wrong. Computer crimes committed when there's unauthorized access to a computer or an unauthorized change. Anyone buying this computer knows what they're getting and they've chosen to get it. And this computer is air-gapped, so they're not suggesting plug it into your network or shove a floppy disk in or a USB stick or anything like that.
Every computer is air-gapped until you connect it. Yes, I know, but this particular one, right? So it's your choice. If you want malware on your network, Carole, you are allowed to put malware on your network. Sorry, controversial on two counts. One, you have a security pick of the week during a very clearly defined non-security pick of the week. That I've mentioned 430 times, or as long as we've done Pick of the Week. And two, I don't think this is very cool.
Well, I don't think it's very cool either, because— and I said that to a journalist who got in touch with me. A journalist contacted me, sent me an email, said, you know, I was wondering if there's any need to quarantine the laptop. And I said, well, you know, probably yes, you shouldn't connect it to anything. But he said—
But WannaCry did a fuckload of damage.
Yes, he said to me— I'm gonna quote the journalist, right? He said, could the new owner of this laptop start a series of events that leads to the new "Is there a risk of nuclear destruction of the planet?" is basically what I'm asking. Then he put in brackets. Theoretically. Then he put in brackets, "Hopefully not." So I said, "Well, no, not really." I said, "I think—" You can say, "Were I asked to speculate on this issue?" Well, I said, "Look, all of these pieces of malware, they've been detected by antivirus programs for years." And all of them already readily available on the internet if you know where to look. And he said to me, "Does this seem legit to you?" Because, oh, I haven't told you how much this is sold for, Carole. How much money have I? $1.3 million. Oh, fuck off. Fuck off.
Stupid, stupid, stupid. And I'm an artist saying that. I agree with you. I think it's absurd. I think it's nonsensical.
Someone could get a sample of those fricking viruses for Fiverr.
We could go to our mate Vanja, couldn't we? If we wanted, we'd say, here. We should start selling them. We could. So I find it hard to believe anyone would pay so much money for something that could so easily be created by someone who isn't an internet artist. Can I just say, my pick of the week is something you should pay for. Well, all right. Tell you what. So I think actually I'm gonna make this my unpick of the week. Good. I agree. I was a little nervous that you thought this was cool at the beginning. I was like, seriously?
Let's hear a proper pick of the week.
Right, so last week, the hubs and I, we went off to Copenhagen in Denmark for a little R&R&R. What are all of those Rs?
That's 3 Rs. What are those Rs? Rest, recreation, and bromance. And as a little coincidence, we met up with a friend of the Smashing Security show you know very well, Mr. Vanja Svajcer. Van the man. Yeah, well, we met up and the three of us had a blast, and we were deciding what to do because we weren't ready to close off the evening, and we decided to go to a smoky blues club in the middle of Copenhagen because why not? And it was totally my idea, but they were all in. I mean, Van's a mean guitar player, right? And my other half loves Tom Waits, so an easy out. So we get to this club and it's totally packed. My husband's like, is it worth it when we have to pay the price to get in? He's like, you tell me. But whatever, throw the cash down and the band's tuning up and they sound good, you know, and they look fun and I'm excited. And out comes who I then learned, because we didn't plan it, I didn't know who was singing—Samantha Antoinette Smith. And she's from London and she totally owned that stage from the first second. Samantha Antoinette Smith. Yes, I will have links in the show notes. You guys can check her out. But she belted out a few songs, and I was like, wow. And I thought, she has to be my pick. Okay, but Clint, yeah, we didn't have a guest this week.
No, sadly we weren't able to arrange one.
So I thought, you know, why don't I just ask her and see if she wants to be interviewed for the show? Because that'd be cool. So I went up and I asked her, and she said something like, of course, darling. So I called her up and we had a little interview, and she even sings for us. Yes, she does. So you want to hear?
Oh yeah, go on then.
Yeah, check it out. Sam, it's amazing of you to join me today. So tell me, how does a blues singer from London end up in a cool, smoky club in Copenhagen? Hey, Carole.
So I ended up being in Copenhagen in 2014. I was doing an opera show at the Royal Danish Opera House called Porgy and Bess, and then I went to a jazz bar to watch a jazz band. When I got to the jazz club, they were playing, they're like New Orleans kind of jazz and stuff, and I just absolutely loved it. I just kind of joined in, and then during the interval the band leader said to me, "Would you like to come up on stage and sing?" Great harmonica player Peter Nand, he saw, or he heard me singing, and just out of the blue, I just received an email saying, "Hey, I saw you a few months ago. You were brilliant. Would you be interested in coming over to do some blues gigs with me? I can get you a band."
Now, I'm a big blues fan, and I want to know, who are your two top influences or favorites?
Do you know who I love listening to? Oh my goodness me, I love listening to Koko Taylor.
I immediately started to listen to her song.
So yeah, I really like Koko Taylor. And then there's a couple of songs that I do, Etta James. There's a couple of songs that I do by Etta James, so I like her.
Very cool. Now, the one thing, you have an incredibly amazing stage presence, it was just formidable and fantastic. Everybody has those moments in life when you're caught in the spotlight, right? From doing a wedding speech or presentation or performance or whatever. What would be your one tip for owning the stage as you do?
Okay, well, firstly, thank you very much. I have heard that before, actually, so I'm quite chuffed a bit.
Firstly, I try to be engaging.
I try to be friendly. I am friendly and I am engaging anyway, naturally, so I think that helps if you can be your natural self on stage without feeling you've got to put on something else. What really helps as well, of course, is when you're prepared. I've chatted with the band beforehand, I've prepared myself, so I'm confident. I've had a good rehearsal and I'm ready. So definitely get yourself prepared, get yourself organized, be engaging, be friendly, be well presented. It helps when you're a good-looking girl.
Now, Sam, how do you fancy singing us out? Let me try something for you.
Okay, so this little song that I sing is called Bluesiana Mama. Mama, okay?
I'm a bluesiana mama, I'm coming to your town. I'll be belting out the blues until the sun goes down. Hey!
Oh, I feel serenaded. Thank you so much, Sam.
You're welcome, Carole, man.
Brilliant. Oh, she sounds very nice.
She's more than nice. She's cool, cool, cool. So there are more links in the show notes if you want to see some of her vids or see her in action. Samantha Antoinette Smith is the real thing. I love her, I love her, I love her.
You're not her agent or anything?
No, but hey, if I can bring her to Oxford so I can just go watch her, I'm up for that.
Who needs the SHARE initiative when you have Samantha Antoinette Smith? Formidable.
Is she? Definitely. 100%. I loved her.
Oh, fantastic. Well, that sounds terrific. Well, thank you very much, Carole. That is a much better and more artistic, may I put it, pick of the week. Artistic? No, artistic than the terrible computer malware auction thing. Agreed.
You see, just don't do security pick of the week. Jeez Louise.
Okay, and on that bombshell, we've just about wrapped it up for this week. If you want to follow us on Twitter, you can do so at Smashing Security, no G, Twitter wouldn't allow us to have a G. And we also have a subreddit on Reddit, just search for Smashing Security there.
Spread your arms for Smashing Security sponsors, LastPass and Recorded Future. Their support helps us give you this show for free, so be sure to check out their offers. And hugs to you, lovely listeners. We love you.
Can they still vote for us? They can still vote for us until the 31st.
Vote for us, guys. Come on. Very little time. We have some stiff competition. Stiff this year. We won last year. I don't know if we can hold on to the crown.
Not without you. Until next time. Cheerio.
Bye-bye. Guys, please. Vote for us. Do I sound as good as Samantha Antoinette Smith? No. Okay, bye.
Hosts: Graham Cluley, Carole Theriault.
Show notes:
- Final chance to vote for Smashing Security!
- Apple Podcasts New & Noteworthy, What’s Hot Sections Are Back — Kate Erickson.
- When selling security awareness training by email, probably a good shout not to hit 'reply all' — The Register.
- Ghostery Email Incident Update — Ghostery.
- NHS IT bod sends test email to 850k users – and then responses are sent 'reply all' — The Register.
- Google mistakes the entire NHS for massive cyber-attacking botnet — The Register.
- UK NHS 850k Reply-all email fail: State health service blames Accenture — The Register.
- BCC warning when emailing to many TO/CC recipients — SafeSend.
- SendGuard for Outlook.
- Privacywaakhond AP blundert met cc-knop — Computable.
- Tweet by Jeroen Terstegge.
- Canada Plans Fines for Tech Companies That Spread Disinformation — Motherboard.
- #DeleteFacebook: Twitter Users Urge People To Deactivate Accounts After Fake Nancy Pelosi Video Goes Viral — Newsweek.
- Half of European voters may have viewed Russian-backed ‘fake news’ — Politico.
- Inside Facebook's war room: the battle to protect EU elections — The Guardian.
- The Nancy Pelosi Videos Are Part of a Long GOP Campaign — The Atlantic.
- Mona Lisa 'brought to life' with deepfake AI — BBC News.
- The Persistence Of Chaos — Guo O Dong.
- Samantha-Antoinette Smith.
- Samantha Antoinette – Don't You Know Baby – Copenhagen Blues Festival 2016 — YouTube.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
For anyone who is baffled by threat intelligence, and the benefits that it can bring to your company, this is the book for you.
“The Threat Intelligence Handbook” is an easy-to-read guide that will help you understand why threat intelligence is an essential part of every organisation’s defence against the latest cyber attacks.
Download it for free at www.smashingsecurity.com/intelligence now.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.