We head to Hong Kong to look at how technology has helped anti-government protesters (and how China has tried to disrupt it), Samsung is skittish over whether to tell TV owners to virus-scan their devices, and you won’t believe whose website is not GDPR-compliant.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by James Thomson.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Say, for example, you decide to buy a smart fridge. You might find out after a while that you can't update it anymore.
Why would anyone buy a smart fridge?
Thank you, Jack. Thank you. I'm so pleased you're on the show. I was holding back. I thought, no, I can't say it. What's she talking about? Why would anyone want a bloody smart fridge?
What is the point? Smashing Security, episode 133: Cookie Ransomware mockups, Hong Kong protests, and smart TV virus scans with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 133. My name is Graham Cluley.
What is the point? Smashing Security, episode 133: Cookie Ransomware mockups, Hong Kong protests, and smart TV virus scans with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 133. My name is Graham Cluley.
You sound bored, Graham. My name is Carole Theriault.
Bored? Yeah. This early on?
It's 133 and now you've hit your limit. This is it. I'm just, I don't know.
And we're joined by a very special guest this week, aren't we, Carole?
Yes, my very good friend, James Thomson.
Greetings.
Greetings. You're not feeling too hot, are you?
I'm feeling wonderful.
Are you?
Yeah, I mean, mainly because I'm currently in rehab.
I heard the rumors.
For an addiction? No, not that one. Something else.
What happened?
Me and a psychopath had a rather violent coming together recently. Tell me, there couldn't have been a pothole in the road or anything?
No, it was more of a kind of BMX track style bunny hop, which they helpfully inserted on what was otherwise a flat cycle track in some woodland.
So I couldn't see it very clearly and I hit it at quite a high speed and my bike kangarooed off the road and I bounced off in the other direction.
No, it was more of a kind of BMX track style bunny hop, which they helpfully inserted on what was otherwise a flat cycle track in some woodland.
So I couldn't see it very clearly and I hit it at quite a high speed and my bike kangarooed off the road and I bounced off in the other direction.
Are you likely to start seeping blood or anything during this?
No, I've already seeping blood. That's not going to start.
No more than a typical guest on this show, I suspect. That's right. Carole Theriault, what's coming up on this week's episode?
Thanks to this week's sponsors, MetaCompliance and Edgewise. Their support helps us give you this show for free.
Now, this week, Graham goes after a cookie cock-up whilst James heads to Hong Kong. And I ask a very important question: are IoT TVs all that smart?
All this and noodles more coming up on this episode of Smashing Security.
Now, this week, Graham goes after a cookie cock-up whilst James heads to Hong Kong. And I ask a very important question: are IoT TVs all that smart?
All this and noodles more coming up on this episode of Smashing Security.
Cookies, cookie, cookie, yum, yum. Hi guys. Yeah, well, what's wrong with that? Everybody loves cookies, don't they? They're fantastic.
I do like a cookie.
But in the world of security, there's something a little less nibble-worthy.
A cookie is a small text file downloaded onto your computer or smartphone when you access a website, and it lets the website recognize your device and store information about your preferences or past activity on the site.
And to be honest, they're pretty darn useful. It's hard to build a website which is flexible and able to do the cool things it needs to do without sometimes using some cookies.
But as I think you've probably heard, they're not always a good thing because they can be abused and they can be used to track people's behavior online and where they may have gone to and maybe provide adverts which may be customized depending on your past website viewing.
A cookie is a small text file downloaded onto your computer or smartphone when you access a website, and it lets the website recognize your device and store information about your preferences or past activity on the site.
And to be honest, they're pretty darn useful. It's hard to build a website which is flexible and able to do the cool things it needs to do without sometimes using some cookies.
But as I think you've probably heard, they're not always a good thing because they can be abused and they can be used to track people's behavior online and where they may have gone to and maybe provide adverts which may be customized depending on your past website viewing.
Right, and kind of take advantage of your interests without you being in the know that that's what's happening.
Although most people now seem to be aware that cookies do that, don't you think?
Although most people now seem to be aware that cookies do that, don't you think?
I don't know if the typical user— I mean, I think maybe you're inside your own little bubble there, Carole, imagining that everyone's as good.
You know what girls are like.
James, you're not particularly security— you're not working in the world of, well, at least not computer security. I don't know what you get up to.
Not I seem to remember there's some— No, no, no.
Not I seem to remember there's some— No, no, no.
Not directly. No, my technical knowledge is limited. I mean, I suffer from extreme paranoia, but I can't mate that with sort of extreme knowledge.
But I have heard of cookies, but if you ask me to explain exactly what they do, I'd be a bit hazy. Right.
But I have heard of cookies, but if you ask me to explain exactly what they do, I'd be a bit hazy. Right.
Well, not all cookies are used in a way that could identify you, but many are, and that's why they fall under the European Union's General Data Protection Regulation, GDPR.
Oh my God.
Whoa, hold the front page. Are you actually talking about GDPR?
Well, I'm really trying not to, if at all possible.
Oh, so third paragraph. One minute in, you decide, I can't hold back anymore.
Well, under GDPR and the ePrivacy Directive, which sort of runs alongside it, there are strict rules on how website owners can use cookies and track online visitors from the European Union.
For instance, and this is something which I'm sure most people have seen, they go to a website and a little banner pops up, doesn't it?
And it says, "Oh, you know, this website uses cookies and you have to agree to this." And you go, "Yeah, yeah, whatever, whatever, agree, agree." Sometimes you might have an option to customize how it's using cookies, but many people will just simply hit that button.
For instance, and this is something which I'm sure most people have seen, they go to a website and a little banner pops up, doesn't it?
And it says, "Oh, you know, this website uses cookies and you have to agree to this." And you go, "Yeah, yeah, whatever, whatever, agree, agree." Sometimes you might have an option to customize how it's using cookies, but many people will just simply hit that button.
Do you know, I don't.
Well, you're a very strange person. You're a very deviant sort of person. You're not conforming to the norm.
Deviant?
Well, you know, from what I've heard. It's just, you're not someone who necessarily conforms, are you?
I just, I guess I get a kick out of seeing how everyone tries to apply the GDPR rule to their website, and of course every single site, they're not all completely individually different, but there is a lot of different approaches, which has made the whole environment of consenting or not consenting super hard for average users.
So you're right, it is a bit of a minefield.
So you're right, it is a bit of a minefield.
All I can say, Carole, is you must be a lot of fun at parties. You know what?
I'm excellent at parties, aren't I, James?
Yeah, very good at pouring drinks.
Anyway, so these cookie popups, they're used by websites and they give visitors the opportunity to give their informed consent.
The problem is often they won't actually read the small print, they just click through it.
And according to the ICO, which is the UK's data regulation body, the Information Commissioner's Office, you must tell people if you set cookies and clearly explain what the cookies do and why, and you must get consent and consent must be actively and clearly given, right?
That's one of the things, I've got that straight from their website.
And they also say you need to be confident that your users have taken a clear and deliberate action to give consent.
This must be more than simply continuing to use the website, and the consent has to be freely given.
Okay, so it's all fairly straightforward, but there's a problem with these pop-up cookie banners, as I've already described.
They're really, really fracking irritating, and often users will feel that they've got no choice but just to click past them in order to access the website.
It's, whatever, I've got stuff to do, I'm just going to click, click, click, go past.
The problem is often they won't actually read the small print, they just click through it.
And according to the ICO, which is the UK's data regulation body, the Information Commissioner's Office, you must tell people if you set cookies and clearly explain what the cookies do and why, and you must get consent and consent must be actively and clearly given, right?
That's one of the things, I've got that straight from their website.
And they also say you need to be confident that your users have taken a clear and deliberate action to give consent.
This must be more than simply continuing to use the website, and the consent has to be freely given.
Okay, so it's all fairly straightforward, but there's a problem with these pop-up cookie banners, as I've already described.
They're really, really fracking irritating, and often users will feel that they've got no choice but just to click past them in order to access the website.
It's, whatever, I've got stuff to do, I'm just going to click, click, click, go past.
I'm a busy man, I don't drink coffee, click, click, click.
Exactly. That's what happens to me.
Mind you, anyone listeners.
That's what happens to me. All of the time. And I suspect many people, I expect few people—
Oh yeah, they're all like you.
Everyone's like you.
Only weirdos are likely to read the information behind about what the cookies are actually going to be set and what purpose, et cetera.
'Cause we've all got better things to do, haven't we, Carole? So what are the ways in which you can stop these cookies actually tracking you and your online behavior?
Well, there is a setting in some of the browsers out there called Do Not Track. And that sends a request to websites asking them very politely to not track you.
'Cause we've all got better things to do, haven't we, Carole? So what are the ways in which you can stop these cookies actually tracking you and your online behavior?
Well, there is a setting in some of the browsers out there called Do Not Track. And that sends a request to websites asking them very politely to not track you.
Yeah, there's a number of plugins that do that for a variety of different browsers as well.
There are plugins which do it, and there are also browsers which do it as well.
Right.
And the outcome of that is if you have Do Not Track enabled, some websites won't respond by showing you ads which are related to you and the other websites you've visited.
But most websites don't change their behavior whatsoever, even if you've enabled that. It's purely up to them whether they actually honor do not track. In short—
But most websites don't change their behavior whatsoever, even if you've enabled that. It's purely up to them whether they actually honor do not track. In short—
Oh, is that true?
Yes.
I didn't know that.
Yeah, yeah. So they can carry on collecting and using your data regardless.
So it's like a request saying do not track. It sounds like it's an imperative, but it's actually a please, would you mind leaving me off the list?
And they go, yeah, no, we'll just put you on.
And they go, yeah, no, we'll just put you on.
Would you mind awfully, awfully, you know, just ignoring me on this occasion and not collecting my data?
They're like, yeah, no.
Do not track, pretty toothless.
May I ask a question? Graham, why would anyone want to be tracked?
Well, there might be— I remember actually meeting someone who was, I think she was buying shoes or something like that.
And she'd been to a website where she'd looked at these shoes. And then weeks later, she was on other websites and these ads kept on popping up.
And her argument was that she quite liked this because it reminded her of the shoes that she'd previously shown an interest in.
And she'd been to a website where she'd looked at these shoes. And then weeks later, she was on other websites and these ads kept on popping up.
And her argument was that she quite liked this because it reminded her of the shoes that she'd previously shown an interest in.
So she wants to use the entire Google Display Network to give her random reminders to buy shoes. I have to say, that seems like a pretty narrow reason to have tracking.
I mean, I can see what the benefit is from the company's point of view. They want to be able to see what you're doing on the internet to decide whether you might buy stuff.
I mean, I can see what the benefit is from the company's point of view. They want to be able to see what you're doing on the internet to decide whether you might buy stuff.
But well, if you had the choice, I said, this is their argument.
If you had the choice between getting a completely random advert or one which is actually designed for you and is about things which you might be interested in, many people would—
If you had the choice between getting a completely random advert or one which is actually designed for you and is about things which you might be interested in, many people would—
Like some Band-Aids.
Many people—
Savon.
Gonna need more than that.
A bike helmet.
Some proper drugs.
That's kind of cool in a way, isn't it?
Well, I don't know. I mean, maybe I'm the only person on the internet who just doesn't look at adverts, but—
I'm with you 100%.
Yeah.
Yeah.
Yeah. So this fact that Do Not Track is pretty toothless has not gone unnoticed by browser manufacturers.
For instance, Apple has now removed the Do Not Track option from the Safari browser, as it didn't actually really do anything.
And they said that it was in order to prevent potential use as a fingerprinting variable.
In other words, actually having Do Not Track enabled might make it easier for you to be tracked and for it to identify your computer rather than somebody else's.
And in its place, Apple are introducing some new technology called Intelligent Tracking Prevention, which they believe will be better.
And Firefox— yeah, yeah, Firefox is similarly keen to adopt a similar smarter way to reduce this sort of cross-site tracking. So that's all, that's all good news.
Google, meanwhile, they're not really emphasizing all this anti-tracking quite as much. Now, why would that be, Graham? I don't know.
It's a mystery to me why the world's biggest advertising company—
For instance, Apple has now removed the Do Not Track option from the Safari browser, as it didn't actually really do anything.
And they said that it was in order to prevent potential use as a fingerprinting variable.
In other words, actually having Do Not Track enabled might make it easier for you to be tracked and for it to identify your computer rather than somebody else's.
And in its place, Apple are introducing some new technology called Intelligent Tracking Prevention, which they believe will be better.
And Firefox— yeah, yeah, Firefox is similarly keen to adopt a similar smarter way to reduce this sort of cross-site tracking. So that's all, that's all good news.
Google, meanwhile, they're not really emphasizing all this anti-tracking quite as much. Now, why would that be, Graham? I don't know.
It's a mystery to me why the world's biggest advertising company—
Don't they have enough money? I mean, just, gosh!
Anyway, listen, back to these cookie opt-in pop-ups, which I started with.
Websites around the world have been petrified and scared into implementing them by the introduction of GDPR and dire warnings from the likes of the Information Commissioner's Office.
Just last year, the Washington Post, they were told off by the ICO because they failed to meet the required standards when it came to their cookie pop-up.
A recent inspection of 10 major EU institutions and public bodies found that 7 had data protection issues and were either non-compliant with the ePrivacy Directive or failed to follow guidelines.
So many firms have been uncertain about the proper way to implement these cookie pop-ups without breaking the rules.
And many consultants, as a result, have said to firms, well, why don't you do what the ICO does on its own website and copy them? Right?
Because if you copy the guys who are laying down the law, then you're going to be compliant, right? What could possibly go wrong with that?
Websites around the world have been petrified and scared into implementing them by the introduction of GDPR and dire warnings from the likes of the Information Commissioner's Office.
Just last year, the Washington Post, they were told off by the ICO because they failed to meet the required standards when it came to their cookie pop-up.
A recent inspection of 10 major EU institutions and public bodies found that 7 had data protection issues and were either non-compliant with the ePrivacy Directive or failed to follow guidelines.
So many firms have been uncertain about the proper way to implement these cookie pop-ups without breaking the rules.
And many consultants, as a result, have said to firms, well, why don't you do what the ICO does on its own website and copy them? Right?
Because if you copy the guys who are laying down the law, then you're going to be compliant, right? What could possibly go wrong with that?
I think I know where we're going. Okay, carry on, maybe I'm wrong, maybe I'm wrong, maybe I'm wrong, probably wrong. Of course I'm wrong. What would I know?
This week, Krow, brace yourselves, put your seatbelt on, particularly you. James, you actually don't have a seatbelt on a bike, do you? But anyway, I need one.
But yeah, helmet, knee pads, because it has been revealed that the ICO itself has been in breach of its very own cookie privacy guidelines.
But yeah, helmet, knee pads, because it has been revealed that the ICO itself has been in breach of its very own cookie privacy guidelines.
Oh my goodness. Goodness.
So didn't the Dutch have to report themselves to themselves for not handling data properly?
Yes. So the Dutch Data Protection Regulation, the UK has joined forces. They suffered a data breach. It appears to be spreading like a virus across Europe.
Data protection organizations basically cocking up on a massive scale.
A chap called Adam Rose, he is a lawyer at Mishcon de Reya law firm, and he discovered that users of mobile phones visiting the ICO's website did not give explicit informed consent for cookies to be planted on their mobile devices.
Instead, the ICO website used implied consent. It just assumed you were happy with it.
And according to Rose, the ICO website has probably been failing to reach the required standards since 2011.
Data protection organizations basically cocking up on a massive scale.
A chap called Adam Rose, he is a lawyer at Mishcon de Reya law firm, and he discovered that users of mobile phones visiting the ICO's website did not give explicit informed consent for cookies to be planted on their mobile devices.
Instead, the ICO website used implied consent. It just assumed you were happy with it.
And according to Rose, the ICO website has probably been failing to reach the required standards since 2011.
Avril Lavigne, anyone?
Avril Lavigne?
What? I think Avril Lavigne was probably longer ago than 2011.
I was just saying, isn't it ironic?
No. Oh dear, not this again. Cruel, cruel.
It's not her.
It's not her. How many times?
Seriously. They're all the same to me. What does it remind you of, James?
I'm trusting you to actually—
Someone was talking to me about TikTok, you know, the Chinese short video app. I don't even know what it does, but kids apparently are into it.
Right.
If you go to the Wikipedia page, somebody is regularly changing it to say that the entire app was designed and created by Kesha, who is an American pop singer who had a hit called "TikTok," but is otherwise completely unrelated to the Chinese video app.
But I imagine it's created quite a lot of confusion for people who check on these facts on Wikipedia.
It's one of those — somebody's obviously decided to take the piss and it's got into people's heads in the same way that Avril Lavigne and Alanis Morissette have somehow become confused in Carole's mind.
But I imagine it's created quite a lot of confusion for people who check on these facts on Wikipedia.
It's one of those — somebody's obviously decided to take the piss and it's got into people's heads in the same way that Avril Lavigne and Alanis Morissette have somehow become confused in Carole's mind.
They're not the only two. Oh, the stories Graham could tell you.
It's certainly ironic, isn't it? Is it like rain on your wedding day? So James, what's your story for us this week?
As Carole says, we're going to Hong Kong and in particular to ask what all those people there are getting so upset about.
Now I know China a little bit, but not very well, but I know Hong Kong a little bit better.
I've been there a lot of times and more particularly this last semester, this term just finished, I was teaching an undergraduate exchange student from Hong Kong.
And I was interested that she wasn't very politically engaged, at least compared to some of the other students.
But the one thing she did know was that she did not want to live under Chinese rules. Now Hong Kong is part of China. I'll go on and explain this a bit later.
But on June 4th, a couple of weeks ago, she actually came up to me and reminded me that it was the 30th anniversary of the Tiananmen Square massacre, even though that was an event that occurred before she was born.
She's a 21-year-old, I guess, undergraduate. And Hong Kong is the only place in China where events of '89 in Tiananmen Square can even be mentioned, let alone commemorated.
And my student knows this because she lives just a few minutes from the border with so-called mainland China.
In fact, a lot of Hong Kong is part of the mainland, but there's a border between the two with a passport check. So you need a visa to cross if you're not from Hong Kong or China.
Now, over the border, most people her age are barely aware that hundreds or possibly thousands— there's never been a proper investigation of these Chinese pro-democracy campaigners in '89 were killed by their own government.
And the Chinese Communist Party has since suppressed all mention of the '89 massacre.
Now the interesting thing is that technology, and China is now, as you might know, a very wired place, allows them to do that even more effectively than they could under the old school censorship that was employed before the internet and apps and smartphones came along.
And it's at a terrific cost.
I mean, the communist system is believed to employ tens, possibly hundreds of thousands of internet censors, but it's achieved near total control over what can be written and posted online, at least within China.
And the recent experience of a BBC employee gives a glimpse of how it works from the tech point of view.
It's a blog I saw read by Stephen McDonnell, who works for the BBC in China, and he uses an app called WeChat, which I'm sure you've heard of.
It's the kind of Chinese version of Facebook. I mean, as with Google, Facebook, Twitter, most of these things aren't allowed in China.
We can talk about that a little bit later, about how people get around that or try to in China, but in general they're not allowed you can't use them in China.
And so there are equivalents. And in fact, WeChat in many respects is superior to Facebook, at least from the way it's described in this post.
I've never used it myself, but I know people who have and they say it's kind of, it's all-embracing.
He describes it as Twitter, Facebook, Google Maps, Tinder, and Apple Pay all rolled into one.
Now I know China a little bit, but not very well, but I know Hong Kong a little bit better.
I've been there a lot of times and more particularly this last semester, this term just finished, I was teaching an undergraduate exchange student from Hong Kong.
And I was interested that she wasn't very politically engaged, at least compared to some of the other students.
But the one thing she did know was that she did not want to live under Chinese rules. Now Hong Kong is part of China. I'll go on and explain this a bit later.
But on June 4th, a couple of weeks ago, she actually came up to me and reminded me that it was the 30th anniversary of the Tiananmen Square massacre, even though that was an event that occurred before she was born.
She's a 21-year-old, I guess, undergraduate. And Hong Kong is the only place in China where events of '89 in Tiananmen Square can even be mentioned, let alone commemorated.
And my student knows this because she lives just a few minutes from the border with so-called mainland China.
In fact, a lot of Hong Kong is part of the mainland, but there's a border between the two with a passport check. So you need a visa to cross if you're not from Hong Kong or China.
Now, over the border, most people her age are barely aware that hundreds or possibly thousands— there's never been a proper investigation of these Chinese pro-democracy campaigners in '89 were killed by their own government.
And the Chinese Communist Party has since suppressed all mention of the '89 massacre.
Now the interesting thing is that technology, and China is now, as you might know, a very wired place, allows them to do that even more effectively than they could under the old school censorship that was employed before the internet and apps and smartphones came along.
And it's at a terrific cost.
I mean, the communist system is believed to employ tens, possibly hundreds of thousands of internet censors, but it's achieved near total control over what can be written and posted online, at least within China.
And the recent experience of a BBC employee gives a glimpse of how it works from the tech point of view.
It's a blog I saw read by Stephen McDonnell, who works for the BBC in China, and he uses an app called WeChat, which I'm sure you've heard of.
It's the kind of Chinese version of Facebook. I mean, as with Google, Facebook, Twitter, most of these things aren't allowed in China.
We can talk about that a little bit later, about how people get around that or try to in China, but in general they're not allowed you can't use them in China.
And so there are equivalents. And in fact, WeChat in many respects is superior to Facebook, at least from the way it's described in this post.
I've never used it myself, but I know people who have and they say it's kind of, it's all-embracing.
He describes it as Twitter, Facebook, Google Maps, Tinder, and Apple Pay all rolled into one.
Right?
Sounds hideous.
Yes.
I mean, it doesn't to me, it sounds appalling.
You know what? I think Graham so far would love this because I'm sure there's no consent forms or anything. So it hasn't been great.
Well, we're about to learn about that because it's more that they have to consent to you using it rather than the other way around.
So this guy Stephen McDonald went down to Hong Kong for the 30th anniversary commemoration in the beginning of June, and he posted some photos from the ceremonies that were held there.
There were about 180,000 people took part in a kind of candlelit ceremony in Hong Kong, and he posted them on WeChat back in China, but he didn't caption them.
He didn't describe where they were. He just put pictures up. And he says that several people in China messaged him to say, "Oh, where were you?
What was this?" Because you could see clearly the scale of the commemoration and also roughly where it was.
And he says that kind of illustrates to him how few people in China know what June 4th represents. But very quickly, his WeChat account got shut down.
And at this point, he entered this kind of Orwellian wormhole, if I can mix my metaphors, in his attempts to get back onto WeChat.
And the first message that he got said, "Your login has been declined due to account exceptions.
Try to log in again and proceed as instructed," which sounds very much like the kind of chatbot language that you get.
So this guy Stephen McDonald went down to Hong Kong for the 30th anniversary commemoration in the beginning of June, and he posted some photos from the ceremonies that were held there.
There were about 180,000 people took part in a kind of candlelit ceremony in Hong Kong, and he posted them on WeChat back in China, but he didn't caption them.
He didn't describe where they were. He just put pictures up. And he says that several people in China messaged him to say, "Oh, where were you?
What was this?" Because you could see clearly the scale of the commemoration and also roughly where it was.
And he says that kind of illustrates to him how few people in China know what June 4th represents. But very quickly, his WeChat account got shut down.
And at this point, he entered this kind of Orwellian wormhole, if I can mix my metaphors, in his attempts to get back onto WeChat.
And the first message that he got said, "Your login has been declined due to account exceptions.
Try to log in again and proceed as instructed," which sounds very much like the kind of chatbot language that you get.
"Your social credit score is down -20." That's right, yeah, yeah.
"Prepare to be liquidated." But then after that, he says that he got a new message saying, "This WeChat account has been suspected of spreading malicious rumors and has been temporarily blocked." Oh boy.
As he said, it seems posting photos of an actual event taking place without commentary amounts to, quote, "spreading malicious rumors" in China.
So he says that he was given time to try and log in again the next day, and he said that he was told that he had to agree and unblock under the stated reason of spread malicious rumors.
So he basically had to admit that he'd spread malicious rumors in order to get his account unblocked.
And then came a stage he wasn't prepared for, and it said, "Face print is required for security purposes." Oh boy.
And at that point, he had to hold his phone up, face directly in front of it, so that it could—
As he said, it seems posting photos of an actual event taking place without commentary amounts to, quote, "spreading malicious rumors" in China.
So he says that he was given time to try and log in again the next day, and he said that he was told that he had to agree and unblock under the stated reason of spread malicious rumors.
So he basically had to admit that he'd spread malicious rumors in order to get his account unblocked.
And then came a stage he wasn't prepared for, and it said, "Face print is required for security purposes." Oh boy.
And at that point, he had to hold his phone up, face directly in front of it, so that it could—
Map his face.
Do a face scan. And then read numbers aloud in Mandarin Chinese, which I guess he can working in China.
And that presumably is to avoid you using a photograph of someone rather than yourself.
So it's actually capturing— So you can't just— I mean, what I would have thought instantly was print out a picture of Piers Morgan and hold it in front of the camera.
But having to actually do that—
So it's actually capturing— So you can't just— I mean, what I would have thought instantly was print out a picture of Piers Morgan and hold it in front of the camera.
But having to actually do that—
Yeah, unless you've got very sophisticated deepfake technology, yeah, you're going to struggle to spoof it.
And the Mandarin might be tough.
Well, except that he then publishes in his blog an image of the screenshot that he got, which is in perfect English.
So even though WeChat caters mainly for the Chinese market, they are pushing this abroad a bit.
And so all of these warnings are written in English saying tapping the button means you authorize Tencent, which is the company that owns WeChat, to collect, store, use, and transfer the information you've submitted.
So that's your face scan, your voice recording, presumably.
So even though WeChat caters mainly for the Chinese market, they are pushing this abroad a bit.
And so all of these warnings are written in English saying tapping the button means you authorize Tencent, which is the company that owns WeChat, to collect, store, use, and transfer the information you've submitted.
So that's your face scan, your voice recording, presumably.
Your messages.
Well, yeah, I mean all of that's going to God knows who already.
And McDonald says, "No doubt I've now joined some list of suspicious individuals in the hands of goodness knows which Chinese government agencies." But then he says, a lot of people said to him, "Why do you go through this?
Why did you agree to do all this?" And he says, "Well, everyone has WeChat in China." He says, "I don't know a single person without it.
When you meet somebody in a work context, they don't give you a name card anymore. They share their WeChat. If you play for a football team, training details are on WeChat.
Children's school arrangements, WeChat. Tinder-style dates, WeChat. Movie tickets, WeChat. News stream, WeChat."
And McDonald says, "No doubt I've now joined some list of suspicious individuals in the hands of goodness knows which Chinese government agencies." But then he says, a lot of people said to him, "Why do you go through this?
Why did you agree to do all this?" And he says, "Well, everyone has WeChat in China." He says, "I don't know a single person without it.
When you meet somebody in a work context, they don't give you a name card anymore. They share their WeChat. If you play for a football team, training details are on WeChat.
Children's school arrangements, WeChat. Tinder-style dates, WeChat. Movie tickets, WeChat. News stream, WeChat."
Everything. Banks, getting your bank numbers.
You pay for everything on this app too.
And even though it's regarded as being pretty insecure from a technical point of view, at least he says so, because all of the data under Chinese law can be sent directly to the Chinese government, everybody uses it.
And if you want to have a normal life in China, then you have to use it too.
And even though it's regarded as being pretty insecure from a technical point of view, at least he says so, because all of the data under Chinese law can be sent directly to the Chinese government, everybody uses it.
And if you want to have a normal life in China, then you have to use it too.
Yeah, I've heard the same thing. It's absolutely ubiquitous. It's kind of, if you want to be a functioning part of society, you need to have access to WeChat.
That's what I've been doing wrong.
Now, going back to Hong Kong, where quite a lot of people have WeChat too, especially if they cross the border regularly.
Hong Kong's still got the same legal, financial, and political protections or political freedoms from the days when it was a British colony before '97.
And this is the sort of so-called one country, two systems arrangement that was part of the handover agreement.
But a lot of people in Hong Kong, and we saw at the weekend around 2 million people came out to demonstrate against a new law on extradition to China, which the government there were trying to introduce, they really worry that they are in danger of losing these freedoms.
And that wasn't helped by the fact that during the protests last week, there were violent protests after the police started tear gassing people.
The Chinese government appeared to have attempted to take down Telegram, which is a messaging app that the organizers were using to coordinate movement.
I mean, it was a pretty impressive achievement to coordinate the movement of half a million people in a fast-moving demonstration.
But afterwards Telegram came out and said, "We had a huge denial of service attack on our servers and most of the IP addresses for that attack were Chinese." I don't know if you saw, I actually loved how they described how the attack happened.
Hong Kong's still got the same legal, financial, and political protections or political freedoms from the days when it was a British colony before '97.
And this is the sort of so-called one country, two systems arrangement that was part of the handover agreement.
But a lot of people in Hong Kong, and we saw at the weekend around 2 million people came out to demonstrate against a new law on extradition to China, which the government there were trying to introduce, they really worry that they are in danger of losing these freedoms.
And that wasn't helped by the fact that during the protests last week, there were violent protests after the police started tear gassing people.
The Chinese government appeared to have attempted to take down Telegram, which is a messaging app that the organizers were using to coordinate movement.
I mean, it was a pretty impressive achievement to coordinate the movement of half a million people in a fast-moving demonstration.
But afterwards Telegram came out and said, "We had a huge denial of service attack on our servers and most of the IP addresses for that attack were Chinese." I don't know if you saw, I actually loved how they described how the attack happened.
They compared it to an army of lemmings jumping in front of you in the queue at McDonald's, and each of them is ordering a Whopper.
And they said the server is busy telling the Whopper lemmings that they've come to the wrong place, but there are so many of them that the server can't see you to try and take your order.
And that's how they described a denial of service attack.
And they said the server is busy telling the Whopper lemmings that they've come to the wrong place, but there are so many of them that the server can't see you to try and take your order.
And that's how they described a denial of service attack.
Okay, well, that's a pretty good metaphor, I guess. I've never been attacked by lemmings in a McDonald's, but if that happens, I'll bear it in mind.
How do you launch anyway a denial of service attack on a messaging app?
And wouldn't Telegram have recognized that if they had a huge number of requests from China, they would be bogus because there can't be that many people in China who have access to Telegram?
How do you launch anyway a denial of service attack on a messaging app?
And wouldn't Telegram have recognized that if they had a huge number of requests from China, they would be bogus because there can't be that many people in China who have access to Telegram?
Well, it may be. I mean, what happened was Telegram was able to actually prevent the denial of service attack after a relatively short amount of time. It's just a couple of hours.
So I'm sure they did respond to it and managed to divert it.
Telegram, like any of these online services, will have infrastructure online which has been bombarded with requests, or maybe requests which it's trying to process and which clog it up and thus make the service difficult.
And this denial of service, it affected users around the world, didn't it? There were many people who couldn't access Telegram systems while it was going on.
I was also very interested to see that the protesters in Hong Kong weren't just using Telegram, they were using another app called FireChat.
And FireChat's very interesting because you can use it even if you don't have internet access or even a cell phone connection. Because—
So I'm sure they did respond to it and managed to divert it.
Telegram, like any of these online services, will have infrastructure online which has been bombarded with requests, or maybe requests which it's trying to process and which clog it up and thus make the service difficult.
And this denial of service, it affected users around the world, didn't it? There were many people who couldn't access Telegram systems while it was going on.
I was also very interested to see that the protesters in Hong Kong weren't just using Telegram, they were using another app called FireChat.
And FireChat's very interesting because you can use it even if you don't have internet access or even a cell phone connection. Because—
What?
Yeah, I know. It uses magic. Yeah, well, it uses—
That's the whole internet, Carole.
So if you are organizing a demonstration and you don't want any risk of people spotting what you're up to and maybe intercepting your communications because they're going sent off to some internet server via chat, FireChat is a system which will communicate with nearby devices also running FireChat using Bluetooth and also will create a peer-to-peer Wi-Fi network.
So it's helpful if you've got a lot of people in the same kind of place to communicate with each other.
So it's helpful if you've got a lot of people in the same kind of place to communicate with each other.
Which tends to overwhelm the data through the cell towers as well. So if they can reduce dependency on that.
That sounds very cool.
The other thing which I heard the Chinese authorities were doing to try and spot people who were up to no good was that they were actually going to hospitals.
Hospitals in Hong Kong and accessing the database of people who had entered with the feeling that if people had been hurt in the trouble, then that is how they would be able to identify people who were in the protest area.
Awful. And they had apparently a backdoor into this database, which the hospitals only found out about when the police were using it.
Hospitals in Hong Kong and accessing the database of people who had entered with the feeling that if people had been hurt in the trouble, then that is how they would be able to identify people who were in the protest area.
Awful. And they had apparently a backdoor into this database, which the hospitals only found out about when the police were using it.
Well, I also heard that they targeted some of the— I don't know how they know this, but obviously China's got some pretty advanced hacking abilities.
They identified some of the people involved in organizing the protest. And picked one or two of those guys up.
And basically, once you're inside someone's phone, if you can get into their phone, then you can access the groups that they're messaging to.
They identified some of the people involved in organizing the protest. And picked one or two of those guys up.
And basically, once you're inside someone's phone, if you can get into their phone, then you can access the groups that they're messaging to.
Yes, that's right.
And that's effectively like rounding up a cell or a gang. But apparently on Telegram, you can have groups with hundreds of thousands of people in them.
It's not like WhatsApp, which has been limited after it was misused.
Just finally, if you want a real life Orwellian fright about where this absurd conclusion reaches, there was a report that's also on the BBC website by John Sudworth there, one of their China correspondents, about Xinjiang province in western China where he managed to get into one of these— well, the Chinese call them reeducation centers.
Everyone else calls them concentration camps, which they think might hold a million people in this region in western China at the moment.
And he gets to talk to some of the people there, but obviously surrounded by minders the whole time.
But the quotes from that report, which you can find on the BBC website, are kind of mind-blowing.
Chinese officials saying, "Well, we can now tell whether someone's going to commit a crime in advance and so we put them in a reeducation center in order to deter this from happening." It's basically, it is literally 1984.
It's basically, yeah, they've worked out that people commit thought crimes and if they can intercept them first, then that's a good reason to lock them up.
And that's precisely what people in Hong Kong in the long run are afraid about.
It's not like WhatsApp, which has been limited after it was misused.
Just finally, if you want a real life Orwellian fright about where this absurd conclusion reaches, there was a report that's also on the BBC website by John Sudworth there, one of their China correspondents, about Xinjiang province in western China where he managed to get into one of these— well, the Chinese call them reeducation centers.
Everyone else calls them concentration camps, which they think might hold a million people in this region in western China at the moment.
And he gets to talk to some of the people there, but obviously surrounded by minders the whole time.
But the quotes from that report, which you can find on the BBC website, are kind of mind-blowing.
Chinese officials saying, "Well, we can now tell whether someone's going to commit a crime in advance and so we put them in a reeducation center in order to deter this from happening." It's basically, it is literally 1984.
It's basically, yeah, they've worked out that people commit thought crimes and if they can intercept them first, then that's a good reason to lock them up.
And that's precisely what people in Hong Kong in the long run are afraid about.
I have to say, James, this is all rather chilling, but I wonder, have you actually thought of the consequences of what you're discussing here because you could— I mean, bad as this is, is it not worse that you may have just got our podcast banned in mainland China?
Have you thought about that?
Have you thought about that?
My God.
Have you thought about that?
I'm sorry.
Should he be censored too? Is that what you're advocating, that you're worried about your numbers?
Is that going to put your sponsorship by the People's Liberation Army at risk?
Ignore him. I don't know what he's smoking.
Oh gosh. Carole, cheer us up. It's all been too serious so far. What have you got for us?
I will. I think I will. Okay, so IoT disasters.
Marvelous.
I've got rogue fridges.
Now, we've gassed about this baby a lot. We've talked about IoT hoovers that break privacy expectations. This was episode 35 and 127.
We've talked about smart alarms that fell over due to server issues, episode 100. And we've even mentioned smart baby monitors and smart thermostats.
We've talked about smart alarms that fell over due to server issues, episode 100. And we've even mentioned smart baby monitors and smart thermostats.
But who wants smart babies, honestly?
And even privacy-blundering sex toys has been talked about, episode 52.
I think just about every episode actually, sex toys got a mention, but yes.
Episode 69, I think was it.
Now the typical sting in the tail when it comes to IoT devices is pretty straightforward. It's crappy security on the device, right?
Often there's no way even to update the firmware or even the software on these IoT gizmos.
Say, for example, after reading all the research that says it's perhaps not the cleverest idea, you decide to buy a smart fridge.
You might find out after a while that you can't update it anymore. Maybe it's not, you know, maybe it's out of date, or maybe they want you to buy a new one.
Often there's no way even to update the firmware or even the software on these IoT gizmos.
Say, for example, after reading all the research that says it's perhaps not the cleverest idea, you decide to buy a smart fridge.
You might find out after a while that you can't update it anymore. Maybe it's not, you know, maybe it's out of date, or maybe they want you to buy a new one.
Why would anyone buy a smart fridge?
Thank you, James. Thank you. I'm so pleased you're on the show. I was holding back. I thought, no, I can't say it. What's she talking about?
Why would anyone buy a smart fridge?
What a bloody smart fridge. What is the point?
I couldn't agree more, but you know what? Sales are rocketing.
So you either, you either try and sell the fridge just to pass on the future vulnerabilities to someone else, neighborly style.
So you either, you either try and sell the fridge just to pass on the future vulnerabilities to someone else, neighborly style.
Like Listeria.
Or maybe you try and disconnect the smart features from the fridge and then you find out you've actually bricked the fridge and it doesn't work at all.
Or you decide to keep the fridge, which is connected to your Amazon Pantry or whatever, and then it gets hacked and you only find out when the Amazon delivery guy hands you 100 pounds of bleeding tofu burgers.
Or you decide to keep the fridge, which is connected to your Amazon Pantry or whatever, and then it gets hacked and you only find out when the Amazon delivery guy hands you 100 pounds of bleeding tofu burgers.
I hear all these words and I'm just bamboozled. Where are they all coming from? What does all this mean? Why has the world got so confusing? It's just insane.
I think we can all agree that it's smarter to buy a dumb fridge, right? And I want to look into whether that would be true for TVs as well.
And we're going to talk about smart TVs, specifically Samsung smart TVs, because something a little weird happened on Monday this week. And I thought we could noodle on it.
And we're going to talk about smart TVs, specifically Samsung smart TVs, because something a little weird happened on Monday this week. And I thought we could noodle on it.
I beg your pardon.
And speculate to what actually happened.
Keep my noodle out of this, please.
But first, gentlemen, climb into my time machine. We're heading back to 2015. This is when Samsung got into hot water.
I've got news for you. It's not even 2010 here yet.
This is when Samsung got into hot water because a Reddit spotted a rather concerning set of words in the then-privacy statement for the Samsung Smart TV.
And according to a Gizmodo article, it said, quote, please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of voice recognition.
So let me translate: Basically, whatever you say, we can record and we'll share with any other company or entity we like.
And according to a Gizmodo article, it said, quote, please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of voice recognition.
So let me translate: Basically, whatever you say, we can record and we'll share with any other company or entity we like.
Yep.
Then two years later in 2017, there was a big Samsung scandal where WikiLeaks released documents on CIA malware and hacking tools.
And the documents included a scary Samsung TV attack called Weeping Angel.
And the documents included a scary Samsung TV attack called Weeping Angel.
Yes.
Yeah.
Weeping Angel was purportedly, well, was created by the CIA, and its job was to infest smart Samsung TVs and basically transform them into covert microphones.
Now, I'm guessing the CIA had to create this smart TV spyware because Samsung two years ago was probably forced to take the wording out of their privacy agreement that anyone could get any recording they wanted.
They were basically already microphones back then. You're not with me. Have I lost everyone? Is James there?
Now, I'm guessing the CIA had to create this smart TV spyware because Samsung two years ago was probably forced to take the wording out of their privacy agreement that anyone could get any recording they wanted.
They were basically already microphones back then. You're not with me. Have I lost everyone? Is James there?
No, no, I'm here. Hello? Hello?
Hello? Hello?
I didn't want to say anything because there's a TV in the corner of the room.
Yeah, very wise.
So if things are not bad enough for Samsung, a month after the WikiLeaks scandal in 2017, an Israeli researcher uncovered 40, that's 4-0, zero-day vulnerabilities, each of which would allow a hacker to take control of a Samsung device remotely.
Totally. So yeesh, that is what I call being in the soup, right?
Totally. So yeesh, that is what I call being in the soup, right?
For the purpose, for the, why would they take, they'd take this over in order to monitor what you're saying in front of the TV, I imagine, rather than to change channels to watch Bargains in the Attic or something.
Sorry? The CIA, what?
I'm with you, Graham. You said that some Israeli guy found a whole load of vulnerabilities in Samsung TVs.
Yeah, well, because they're built on this, this kind of their own open source. I can't remember what it's called now. Tizen?
Yes.
Is it Tizen? Yes.
And at the time, especially in 2017, basically this was like the nail in the coffin, many people thought, for Samsung from a security standpoint, because there had been all these snafus in the press.
And no surprise, after a shitstorm like this, Samsung needed to pull its finger out if it didn't want to hemorrhage customer loyalty or lose business and all that.
So it started— this is back in 2017— running social and marketing campaigns to design, basically to reassure the customer that the company Samsung was taking security very, very seriously.
For example, in one of the articles from 2017, it said Samsung is now offering smart TVs not one but two antivirus engines to detect and contain malware for its platform.
So Samsung has what is called the anti-malware vaccine engine, basically a McAfee product that they worked with. So they've been dealing with security for quite a long time.
Now fast forward to this past Monday, Samsung Support tweets out this tweet, right? Right.
And at the time, especially in 2017, basically this was like the nail in the coffin, many people thought, for Samsung from a security standpoint, because there had been all these snafus in the press.
And no surprise, after a shitstorm like this, Samsung needed to pull its finger out if it didn't want to hemorrhage customer loyalty or lose business and all that.
So it started— this is back in 2017— running social and marketing campaigns to design, basically to reassure the customer that the company Samsung was taking security very, very seriously.
For example, in one of the articles from 2017, it said Samsung is now offering smart TVs not one but two antivirus engines to detect and contain malware for its platform.
So Samsung has what is called the anti-malware vaccine engine, basically a McAfee product that they worked with. So they've been dealing with security for quite a long time.
Now fast forward to this past Monday, Samsung Support tweets out this tweet, right? Right.
Yeah.
Now I'll read it to you. Scanning your computer for malware viruses is important to keep it running smoothly. This is also true for your QLED TV if it's connected to Wi-Fi.
Prevent malicious software attacks on your TV by scanning for viruses on your TV every few weeks. Here's how. And there's a link to a video, right, on the issue.
Right now the press are going a little bit nuts over this tweet, and the reason is because the tweet was deleted. Dum dum dum. So my issue with it is a little bit different.
Okay, like, is this 1994? What is with the weekly manual scans of a TV system?
Prevent malicious software attacks on your TV by scanning for viruses on your TV every few weeks. Here's how. And there's a link to a video, right, on the issue.
Right now the press are going a little bit nuts over this tweet, and the reason is because the tweet was deleted. Dum dum dum. So my issue with it is a little bit different.
Okay, like, is this 1994? What is with the weekly manual scans of a TV system?
Why couldn't this be automated? If—
Why can't it be automated?
Why can't it automatically occasionally say, I'm now going to scan?
Or it could choose to do it at 3 o'clock in the morning when you're not. Or maybe if it's on standby, but while you're making dinner, you could silently update then.
I mean, for the love of everything, I didn't understand.
I mean, for the love of everything, I didn't understand.
Yeah, but they get the best conversations when you're having dinner, you see. That's what they want to listen to.
If they listen to it while you're using the TV, all they get is some sort of bad version of Gogglebox, some unedited version of Gogglebox. I mean, how boring would that be?
If they listen to it while you're using the TV, all they get is some sort of bad version of Gogglebox, some unedited version of Gogglebox. I mean, how boring would that be?
I don't see why anyone needs a smart— First of all, I don't— This whole voice activation thing where you have to shout at them and go, turn up the volume, turn up the volume, you know, turn it down, turn it down.
It's so funny. It's so funny. People with home assistants do that a lot.
Yeah. Yeah. So why, why would you do that?
But also you've got to wait for that instruction to get all the way to, you know, kind of Heilongjiang province for the guy to turn the knob, haven't you? Isn't that how it works?
But why, why, why, why even would you want this integrated into it?
It feels like the TV manufacturers and the boy, oh boy, they've made some huge goofs in the past, not just Samsung, but LG, for instance, and others.
Others have spied upon what people are watching and doing things like that.
It feels like they're making their TVs smart in order to sell them more easily, but I'm not certain that needs to be integrated into the TV because you can get these little sticks, can't you?
Which plug into the back, which give you Netflix and Amazon Prime and, you know, look—
It feels like the TV manufacturers and the boy, oh boy, they've made some huge goofs in the past, not just Samsung, but LG, for instance, and others.
Others have spied upon what people are watching and doing things like that.
It feels like they're making their TVs smart in order to sell them more easily, but I'm not certain that needs to be integrated into the TV because you can get these little sticks, can't you?
Which plug into the back, which give you Netflix and Amazon Prime and, you know, look—
Graham, I hate to break it to you, but you know what?
What?
Apparently, particularly, well, I haven't bought a TV in a decade, obviously not having a— apparently it's really hard to buy dumb TVs now.
And one guy I saw on Reddit was suggesting that if people wanted to try and get a dumb TV and were having trouble getting one, one of the ways to do it is to look for hospitality TVs, TVs that are in hospitals or in waiting rooms.
And one guy I saw on Reddit was suggesting that if people wanted to try and get a dumb TV and were having trouble getting one, one of the ways to do it is to look for hospitality TVs, TVs that are in hospitals or in waiting rooms.
Break into old people's homes, steal their televisions.
You can still buy them new from manufacturers because it's big business, right? It's a B2B business.
But they tend to be a little bit more expensive than the smart TV, if you can imagine it. Now, why did Samsung delete the tweet?
So that tweet went out and then suddenly it disappeared and the media went a bit nuts going, isn't this outrageous?
And so when I dug into it, I'm thinking, they've been talking about this pretty openly since 2017 when shit hit the proverbial fan. So why the big deal?
And I wanted to see if you had any ideas.
But they tend to be a little bit more expensive than the smart TV, if you can imagine it. Now, why did Samsung delete the tweet?
So that tweet went out and then suddenly it disappeared and the media went a bit nuts going, isn't this outrageous?
And so when I dug into it, I'm thinking, they've been talking about this pretty openly since 2017 when shit hit the proverbial fan. So why the big deal?
And I wanted to see if you had any ideas.
Do you have the answer or are we just guessing?
No, no, it's all speculation.
I'm guessing it got lots of attention and many people saw it during the time when it was online and they suddenly thought, shit, everyone's going to think that Samsung has a malware problem on its TVs and all the other TVs don't have this problem.
And it's we didn't really need to do this. We could have just left it as a knowledge base article.
And it's we didn't really need to do this. We could have just left it as a knowledge base article.
What, instead of issuing a tweet, which according to this image got 203,000 views, which isn't bad.
Bad.
No, they've done great.
I thought all publicity was good publicity.
Truly a viral tweet. Yeah.
Okay.
Do you want to hear it with my conspiracy hat on what I think happened?
Okay, go on. Put the tinfoil on.
I think they have a very expensive PR agency who came up with the tactic with the intention to pique the interest of press into covering the need for people to actually manually update and scan their TVs like it's the early 1990s.
Oh, you think that they wanted this attention?
I think they want people to scan their TVs.
So why didn't they leave the tweet up?
So hang on, I just want to understand the full scale of your conspiracy theory here. Okay, over to Oliver Stone.
So you're thinking that there's a problem with Samsung TVs and they are desperate for people to scan them, and so they tweeted about how to scan them, and then they decided, well, to get even more attention about the need to scan them, we will remove the message telling people to scan them.
Is that what you're saying? I just want to be absolutely clear about this.
So you're thinking that there's a problem with Samsung TVs and they are desperate for people to scan them, and so they tweeted about how to scan them, and then they decided, well, to get even more attention about the need to scan them, we will remove the message telling people to scan them.
Is that what you're saying? I just want to be absolutely clear about this.
Okay, before you with your mocking tone, Mr.
Cluley, I think we used that exact tactic a number of times in our PR days where you dribble a little thing out to the press and make it look like a mistake and pull it back so that they get all their attention.
They think they're on to a big winner.
Cluley, I think we used that exact tactic a number of times in our PR days where you dribble a little thing out to the press and make it look like a mistake and pull it back so that they get all their attention.
They think they're on to a big winner.
There you are, listeners. Carole reveals the dark arts of the PR. That was decades ago.
But yeah, I'm just saying.
Yeah.
Okay. Well, interesting.
I will maintain that I much prefer the idea of adding internet connectivity by plugging something into the back because you can just unplug it if it's got a problem, whereas it's much harder to disable if it's built into the TV.
I will maintain that I much prefer the idea of adding internet connectivity by plugging something into the back because you can just unplug it if it's got a problem, whereas it's much harder to disable if it's built into the TV.
Yeah. So yes, if you have a smart Samsung Smart TV, you might want to put a little pressure on Samsung to pull its finger out. But until then, I think you need to do what they say.
I think you need to manually scan for viruses every few weeks. Maybe my recommendation is to stick to dumb TVs.
I think you need to manually scan for viruses every few weeks. Maybe my recommendation is to stick to dumb TVs.
Is that really that big a problem about TVs getting infected? I mean, I know it's happened from time to time, but it's very, very isolated instances, isn't it?
Well, I wonder— okay, speculation hat or whatever, conspiracy hat on once again— maybe they have been communicated, contacted by a responsible researcher who has found vulnerabilities inside this and they are actively working on them, but we're not going to know until it's actually fixed in the source code.
And until then, they're telling us to—
And until then, they're telling us to—
Or so they should just roll out a firmware update to the affected TVs, because I imagine they are downloading updates from the internet occasionally, one which periodically scans for malware using the engines which it's built in, I'd think.
Crazy. Anyway, crazy.
Crazy. Anyway, crazy.
Just be aware that, I guess, the takeaway, you've got IoT devices in your house, make sure you keep them up to date. If you can't, get rid of them. That's basically it. Thank you.
Do you remember when there were only 4 channels on TV?
Yeah, I remember fewer.
Well. Fewer even. Boom!
So Kroll, imagine a hacker has gained access to one of the computers inside your organization.
Dun dun dun.
And of course they're going to take advantage of any flat networks and ineffective security controls to try and move laterally towards their intended targets, which is going to be all that juicy data your company collects.
Gotcha. Yep.
Right. Now, traditional solutions, they often find it difficult to reliably distinguish between legitimate software accessing that data and unapproved applications. Yeah.
Okay.
Yeah, yeah, yeah. Right. And that's where our sponsor comes in this week. Edgewise is the industry's first zero-trust segmentation platform.
Okay.
It has a simple-to-use interface which lets you stop data breaches by allowing only verified software to communicate within your cloud or data center.
Clever.
Yeah, really smart. In a nutshell, Edgewise's data-centric approach makes microsegmentation simpler and more secure.
Okay, I want to learn more.
Well, that's easy. All you have to do is go to edgewise.net and request a trial of their one-click microsegmentation.
Oh, awesome.
Boom.
We also are sponsored by MetaCompliance. Now, MetaCompliance reduce cybersecurity risk by providing a platform for training.
Yeah, they do online training. They've gamified it. It's animated e-learning.
Teaches you and your staff all about the risks of phishing and other threats which may impact them inside business.
Teaches you and your staff all about the risks of phishing and other threats which may impact them inside business.
And best thing, it's not boring.
No, not boring at all. You learn everything. GDPR, malware, data security, password safety.
You can grab it all and save yourself a ton of cash because you're a Smashing Security listener. Go to smashingsecurity.com/metacompliance.
You can grab it all and save yourself a ton of cash because you're a Smashing Security listener. Go to smashingsecurity.com/metacompliance.
On with the show.
And welcome back. Can you join us on our favorite part of the show? The part of the show that we like to call Pick of the Week.
Pick of the Week? James.
Oh, am I supposed to say that? Pick of the Week.
Such a professional.
Every week we have to wrap it. Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security related necessarily.
Better not be.
And my Pick of the Week this week, well, it is a little bit secure. It kind of is because it's about GDPR. No, it's about hacking and things. So, but it's also more than that.
It's political because you may remember a couple of months ago that our good friend, Mr. Mueller, released his report into the meddling by Russian hackers into the US elections.
And have you read the report, Carole?
It's political because you may remember a couple of months ago that our good friend, Mr. Mueller, released his report into the meddling by Russian hackers into the US elections.
And have you read the report, Carole?
No, I have not. Have you?
I have.
Oh, James. Excellent.
Not all 448 pages, but I've... Well, you can listen to it, can't you now?
You can download— I think you can download it as an—
I think a bunch of Democrats actually read it, and now you can actually go listen to it being read.
Get it as an audiobook. I do. I have downloaded it into my Kindle, but I haven't read it all.
But I discovered today a video which is about 28 minutes long by the wonderful people at PBS, the American Public Broadcasting System.
And they have basically condensed the report down to its key findings. It's less than half an hour, as I say.
But I discovered today a video which is about 28 minutes long by the wonderful people at PBS, the American Public Broadcasting System.
And they have basically condensed the report down to its key findings. It's less than half an hour, as I say.
We trust them.
Well, I do, because they're PBS. They're like—
I know, they're pretty good.
And it's done in a very straight, non-sensational way, and they get to the skinny of what the report did and did not say.
So if you've been— if you're fed up with all the grandstanding by the left and by the right as to what it said and what it didn't say and blah, blah, blah, blah, blah, blah, blah, blah, I'd recommend going and watching this video.
I thought it was a good way to spend half an hour, and you can be clued up as to what the main points are and the truth as to what was said and what was not said in that report.
So if you've been— if you're fed up with all the grandstanding by the left and by the right as to what it said and what it didn't say and blah, blah, blah, blah, blah, blah, blah, blah, I'd recommend going and watching this video.
I thought it was a good way to spend half an hour, and you can be clued up as to what the main points are and the truth as to what was said and what was not said in that report.
I have a question.
Yes.
In the PDF of that report, the 448-page PDF, which is a searchable PDF, you cannot search for about President Trump's profanities.
Is it possible to kind of selectively reference the text in a PDF? I guess it must be, because there's one bit where he famously says—
Is it possible to kind of selectively reference the text in a PDF? I guess it must be, because there's one bit where he famously says—
I'm fucked.
Exactly. I wasn't going to say that, but yes, he did. And of course, that was the first thing that I looked for, and it doesn't find it.
You have to know where it is and find it on the page. But other text is searchable. So I don't know whether those guys at the FBI are extremely careful.
You have to know where it is and find it on the page. But other text is searchable. So I don't know whether those guys at the FBI are extremely careful.
Well, I heard the initial release of the report wasn't searchable.
It was something that had to be sort of rescanned in and the Washington Post and whoever else had to use OCR technology to try and make it searchable.
It was something that had to be sort of rescanned in and the Washington Post and whoever else had to use OCR technology to try and make it searchable.
Because it was just a hard copy.
Something like that, wasn't it?
But it could have been. Yeah.
At least they've redacted it properly. There've been plenty of occasions where PDF documents haven't been properly redacted.
They used an old felt tip pen and you could read through it. Something like that.
Anyway, so that is my pick of the week. Good way to spend 20 minutes, and then he can appear terribly clued up without having to read all 448 pages.
James, what's your pick of the week?
James, what's your pick of the week?
My pick is a YouTube rabbit hole, which is not your PBS video. I'm sure that's very good, but this is, you know, those videos of insane driving in Russia.
I don't know if you've ever seen those on YouTube. I mean, it's an acquired taste, but it is truly—
I don't know if you've ever seen those on YouTube. I mean, it's an acquired taste, but it is truly—
So what are these? What do you mean insane driving? What's—
These are just video dashcam videos and, and kind of traffic camera videos of people driving in—
Car crash TV, literally?
It is basically car crash TV. The Russian version of car crash TV is 1,000 times more baroque than anything you've seen on Lights, Camera, Action. So that's the insane driving.
Well, check out the action, I was going to say, on the pavements or sidewalks, because I know some of your listeners are in America, because that is equally hair-raising.
For about 10 years now, there's a group of young people calling themselves Stop Ham, and ham means something like asshole in Russian. And they've been literally—
Well, check out the action, I was going to say, on the pavements or sidewalks, because I know some of your listeners are in America, because that is equally hair-raising.
For about 10 years now, there's a group of young people calling themselves Stop Ham, and ham means something like asshole in Russian. And they've been literally—
Hang on, you're saying Graham means grey asshole? Is that what you're saying in Russian? My name?
Stop Ham, not Graham.
No, but half of my name is ham.
You're right. Yes, I'm afraid so.
Yeah.
So grey asshole.
But as long as you don't aspirate the H, I think you're okay. No, no, you're not.
I would never have tied those together either.
You did that all by yourself.
Yeah, no, I didn't even think of it. I may have thrown that in otherwise.
Yeah, no thanks, Ben.
So for almost 10 years, a group of young people calling themselves Stop Ham and ham means something like asshole in Russian.
Have been literally laying themselves on the line to combat arrogant drivers and inconsiderate parking on public pavements.
Now, in most places around the world, this wouldn't be considered massively controversial, but in Russia, this is enough to start a small war.
I mean, and really, these guys— I won't go into the politics of this. I mean, the politics of cars in Russia is very complicated.
And these guys apparently started off from a pro-Kremlin youth movement called Nashi, which have got a very bad reputation.
But that aside, the stuff they do in these videos, which is basically trying to get people not to use pavements as motorways, is— well, you wouldn't think that that was controversial, but in Russia it is, it turns out.
And the tactics they use, I won't go into it now, but you'll get the idea when you watch a couple of these videos, but they're very smart.
Nonviolent, but it requires enormous cojones. So they get abused by irate drivers in every episode. There are billions of episodes.
Have been literally laying themselves on the line to combat arrogant drivers and inconsiderate parking on public pavements.
Now, in most places around the world, this wouldn't be considered massively controversial, but in Russia, this is enough to start a small war.
I mean, and really, these guys— I won't go into the politics of this. I mean, the politics of cars in Russia is very complicated.
And these guys apparently started off from a pro-Kremlin youth movement called Nashi, which have got a very bad reputation.
But that aside, the stuff they do in these videos, which is basically trying to get people not to use pavements as motorways, is— well, you wouldn't think that that was controversial, but in Russia it is, it turns out.
And the tactics they use, I won't go into it now, but you'll get the idea when you watch a couple of these videos, but they're very smart.
Nonviolent, but it requires enormous cojones. So they get abused by irate drivers in every episode. There are billions of episodes.
So what are they doing? What are these pedestrians doing to drive the drivers crazy?
Well, what they're doing is they're stopping the drivers from driving down the pavement, because in Russian cities, this is a way that you— when there's traffic, you just drive on the pavement, basically.
Or if you want to go and park outside your block, rather than driving around the block, you just drive straight across the garden through it.
Or if you want to go and park outside your block, rather than driving around the block, you just drive straight across the garden through it.
Yeah.
And so these guys basically put themselves in front of the cars. They just stand in front of the cars and dare these people to run them over, and they film it as well.
And then of course there's an altercation, and these people get very irate about the fact that they've been stopped from just driving down the pavement.
And then of course there's an altercation, and these people get very irate about the fact that they've been stopped from just driving down the pavement.
And you're recommending basically snuff movies?
No, no, no, occasionally it gets very heated, but no, they don't.
And a couple of times these guys have had people pull guns on them, but there's none of that, none of the kind of people getting or anything on this.
And a couple of times these guys have had people pull guns on them, but there's none of that, none of the kind of people getting or anything on this.
Was it Venezuela? Somewhere in South America, and there were traffic issues.
No one was paying attention to the laws, the traffic lights, or anything, and the city hired mime artists to basically poke fun at anyone who broke any of the standardized laws.
And apparently it worked a treat.
No one was paying attention to the laws, the traffic lights, or anything, and the city hired mime artists to basically poke fun at anyone who broke any of the standardized laws.
And apparently it worked a treat.
Well, the irony being, if there's one person you do want to run over, it is a mime artist.
You get them all at once.
It's Marcel. Bloody Marcel.
Yeah, but my hundreds of them, hundreds of them, right? And they would all mock you if you, you know, say they didn't stop at the red light properly.
Yeah, I don't think that would work.
I'll find a link and I'll put it in the show notes.
Well, that's a nice idea, but I just, I don't think that would work in Russia, I'm afraid.
Or do you think this would work?
Well, it does work, but you'll see why when you read, when you, because the bravest one stands in front of the vehicle, then another guy talks to the driver in a very polite way, and then they get a load of abuse or they jump out of the car and try and attack them.
But then there's a bunch of others of them filming it.
And then if they really refuse to back down or they try to drive through, they put one of those stickers, a huge sticker on the windscreen, one of those ones that's impossible to get off.
That basically says, "I'm an asshole." And then these guys have to then drive around, either spend an hour trying to remove the sticker or drive around town with this enormous sticker on their windscreen saying—
But then there's a bunch of others of them filming it.
And then if they really refuse to back down or they try to drive through, they put one of those stickers, a huge sticker on the windscreen, one of those ones that's impossible to get off.
That basically says, "I'm an asshole." And then these guys have to then drive around, either spend an hour trying to remove the sticker or drive around town with this enormous sticker on their windscreen saying—
So, yeah, watch the video to learn about car vigilantes.
I'm watching one of these right now and they've put this enormous sticker on this woman's car and she's struggling to peel it off.
It's like one of those, you know, when you get a sticker on a book and sometimes they come off nicely and sometimes, and these stickers don't come off easily, do they?
It's like one of those, you know, when you get a sticker on a book and sometimes they come off nicely and sometimes, and these stickers don't come off easily, do they?
No. And when these guys do something, when these guys do something really kind of aggressive or angry or try to run one of these kids over, basically they go, right, that's it.
And they paper the whole vehicle. And so basically you see these guys driving, I mean, but they do it on the window so they don't damage the car.
That's the kind of the cute thing about it. Anyway, as I say, it's a YouTube rabbit hole, and once you start watching these, you'll end up watching more.
And they paper the whole vehicle. And so basically you see these guys driving, I mean, but they do it on the window so they don't damage the car.
That's the kind of the cute thing about it. Anyway, as I say, it's a YouTube rabbit hole, and once you start watching these, you'll end up watching more.
Thank you very much, James.
At your own risk, listeners.
Yes, you're welcome.
Carole, what's your pick of the week?
Okay, heads or tails, James, because I have two and I'm gonna choose one in the interest of time.
Tails.
Tails. Okay, so I yacked about smart TVs earlier, and James, you don't have a TV. I don't think you've had a TV for the 20 years that I've known you.
No, probably not.
Yeah.
And so this one's for you.
Ironic considering I used to work for a TV station. But anyway, yeah.
Yeah.
So this one's for you. And Graham, I know this will be an earworm too. So welcome to IHaveNoTV.com. This is a curated list of documentaries.
There's a list of categories and there's quite a lot of content, about 3,000 documentaries, lots of topics from physics, environment, design, art history, history.
So this morning I was watching one and this guy was talking about how if you want to get over anxiety, if you have anxiety over something you're going to do, say next time you have to do a talk, Graham, right?
And you're all nervous, right? Because you've only been doing them for 30 years, right? But you still get a little knee knocking, I'm sure. Okay, a way to get around that.
There's a list of categories and there's quite a lot of content, about 3,000 documentaries, lots of topics from physics, environment, design, art history, history.
So this morning I was watching one and this guy was talking about how if you want to get over anxiety, if you have anxiety over something you're going to do, say next time you have to do a talk, Graham, right?
And you're all nervous, right? Because you've only been doing them for 30 years, right? But you still get a little knee knocking, I'm sure. Okay, a way to get around that.
I try to avoid doing that just before a talk to conserve my energy.
No knee tremblers before the talks. You're like a boxer, right? Yeah, go on.
So apparently what you're supposed to do is rather than tell yourself that you're going to be great, pretend you've already completed the task and it was awesome.
Okay.
So you kind of go, "Oh, it was the best talk ever. I rocked it. They were dying of laughter.
That was awesome." And apparently, it tricks your brain into thinking that now it's okay, not scary anymore, and you perform much better.
That was awesome." And apparently, it tricks your brain into thinking that now it's okay, not scary anymore, and you perform much better.
Yeah, but by then, you'll be halfway through a bottle of Jack Daniel's.
Well, the danger is that I've convinced myself I've given the talk, and I'm actually now on a tube going home thinking I've done it.
Anyway, there's lots and lots of different shows and documentaries, a variety of lengths.
You can go in and get something for about 3 minutes, or you get something for an hour and a half, more long form. Anyone who likes to learn, I'm sure will enjoy it. Check it out.
IHaveNoTV.com. That's my pick of the week.
You can go in and get something for about 3 minutes, or you get something for an hour and a half, more long form. Anyone who likes to learn, I'm sure will enjoy it. Check it out.
IHaveNoTV.com. That's my pick of the week.
So these are curated documentaries and things from YouTube or something?
A curated list of documentaries.
Very good.
Yes.
Fantastic.
I think you'll enjoy it.
I like the sound of that.
I thought you would.
I think James would like that as well, as he doesn't have a TV.
Yeah, I can catch up on 20 years of whatever I've missed.
Well, I think we've just about wrapped it up for this week, haven't we? James, I'm sure lots of our listeners would love to follow you online or find out more.
What's the best way they can get in contact with you or find out what you're up to or anything really? Are there any ways to do that?
What's the best way they can get in contact with you or find out what you're up to or anything really? Are there any ways to do that?
No, I don't have any of that.
So Graham can't imagine that someone wouldn't want strangers to get in touch with them immediately.
They can read my column in the Slovak Spectator, but it's behind a paywall, and I don't suppose they're going to subscribe to it just to read my musings on the state of Slovak cycle paths.
So once you've finished reading James's column in the Slovak newspapers, you can follow us on Twitter as well at Smashing Security, no G, Twitter won't allow us to have a G, and you can also join us on Reddit.
Go and find us in the Smashing Security subreddit and you can discuss the show there with your fellow listeners.
Go and find us in the Smashing Security subreddit and you can discuss the show there with your fellow listeners.
And big thanks to our sponsors, MetaCompliance and Edgewise. Their support helps us give you this show for free. So be sure to check out their offers. And thank you, lovely listeners.
We wouldn't have anyone to listen to us if you didn't exist.
We wouldn't have anyone to listen to us if you didn't exist.
Is that it? And on that bombshell, cheerio, bye-bye, farewell, do svidaniya. Right, I have a little boy at my door, so I'm going to hang up.
Okay, bye.
See you, Graham.
See you. Bye. Bye.
Chickens to you too.
Chickens. Chickens.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
James Thomson
Show notes:
- Information about Cookies — ICO.
- All About Do Not Track.
- Apple is removing the Do Not Track toggle from Safari, but for a good reason — Macworld.
- Google Chrome privacy extension hasn't been updated for years — Graham Cluley.
- Tweet by Adam Rose — Twitter.
- Cookie Control plugin — Civic.
- China social media: WeChat and the Surveillance State — Stephen McDonell, BBC News.
- DDoS attack that knocked Telegram secure messaging service offline — Tripwire.
- Inside China's 'thought transformation' camps — BBC News.
- Scan your TV to prevent malware — Samsung.
- Samsung Deletes Frightening Tweet Warning That Its Smart TVs Can Get Viruses — Gizmodo.
- Samsung: Here's how we're securing your smart TV — ZDNet.
- Is the CIA's Weeping Angel spying on TV viewers? — Graham Cluley.
- Samsung's Android Replacement Is a Hacker's Dream — Motherboard.
- All of the Mueller report’s major findings in less than 30 minutes — PBS NewsHour, YouTube.
- СтопХам – Урок географии — YouTube.
- Where Mimes Patrolled the Streets and the Mayor Was Superman — New York Times.
- Documentaries – watch free online documentaries — IHaveNoTV.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsor: Edgewise Networks
Edgewise is the industry’s first zero-trust segmentation platform. It’s simple to use interface lets you stops data breaches by allowing only verified software to communicate within your cloud or data centre. Edgewise’s data-centric approach makes micro-segmentation simpler and more secure.
Learn more and get a free trial at edgewise.net.
Sponsor: MetaCompliance
People are the key to minimizing your Cyber Security risk posture. MetaCompliance makes this easier by providing a single platform for Phishing, Cybersecurity training, Policy, Privacy and Incident management.
Listeners can get a 10% discount off the high-quality CyberSecurity eLearning catalog by quoting the code SMASHING. Visit smashingsecurity.com/metacompliance now.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
