CAROLE THERIAULT
You know how you always point out my flaws all the time, Graham, right? And I don't see them, but you're very hyper-aware and you see them and you call them out.
GRAHAM CLULEY
And it's a better world because of that, Carole. Yes, right. No one ever mentioned these things.
CAROLE THERIAULT
Exactly.
GRAHAM CLULEY
We'd never progress, would we?
CAROLE THERIAULT
Thank God for you. So yeah, I agree.
JOHN LEYDEN
Thank God for both of you. Good grief, I'm having to mediate already.
Unknown
Smashing Security Episode 145: Apple and Google Willy Wave While Home Assistant Spies. With Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security Episode 145. My name is Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And we're joined this week by returning guest, it's web security journalist John Leyden. Hello, John, how are you?
JOHN LEYDEN
I'm very good. How are you, Graham?
GRAHAM CLULEY
Oh, you know, I've been better, but no, I'm serious, I'm fine. I'm fine.
CAROLE THERIAULT
You're not fine. What's wrong?
GRAHAM CLULEY
This has been going on for a week, everybody.
CAROLE THERIAULT
Seriously, I've talked to him a number of times, and this is the tone. I'm like, hey, Graham. And he's upset with me. He blames me. And Graham, tell them.
GRAHAM CLULEY
Not completely.
CAROLE THERIAULT
Tell them what happened.
GRAHAM CLULEY
Well, I was in the shower, and as you know, I listen to podcasts in the shower. Not with earphones. I put my phone up on a little ledge out of the way of the water.
CAROLE THERIAULT
In the steam.
GRAHAM CLULEY
And yes, in the hot, hot steam of my shower. And let's not paint too much of a picture. And then suddenly my phone sort of went, "Brrr, brrr, brrr." A phone call?
Right, a phone call, but specifically the noise of someone FaceTiming me.
CAROLE THERIAULT
With video?
JOHN LEYDEN
This has happened before.
GRAHAM CLULEY
Well, we have had problems before with my phone in the shower randomly FaceTiming people.
CAROLE THERIAULT
This is still your phone in the shower?
GRAHAM CLULEY
Yes, but on this occasion it was you FaceTime videoing. Not FaceTime audio. Why you would ever, Carole?
CAROLE THERIAULT
Okay, let me give my side. So, the day before, I've made friends with a robin. I wanted to show Graham my little friend robin, right?
And I put it on FaceTime and called him so he could see my robin friend.
GRAHAM CLULEY
I think you should make clear that you're talking about robin as in a bird rather than something else, right?
CAROLE THERIAULT
Yes, not a bird woman, a little fly thing, because it's not some imaginary human.
GRAHAM CLULEY
It's a really tiny little cute bird that we're making friends with.
CAROLE THERIAULT
Anyway, and whatever, it didn't work out, forgot about it.
Next day when I'm calling him just about podcast stuff, I press the FaceTime because that's at the top of the list, it's the last phone call I made on FaceTime.
Normally I call FaceTime audio, but no, goes into video mode. So there I am about to call Graham and it's 9— I don't want to be on video either, I assure you, okay?
I did not want to be on video. So I try and cancel the call, but no, my phone goes into freeze mode. And there was no exit button.
So then I'm pressing dramatically, very quickly, trying to turn the whole phone off, the system off, by keeping the shut-off button on for 5 seconds and then to swipe off.
GRAHAM CLULEY
But meanwhile, I'm trying to cancel the call as well with my wet fingers all covered in soap in the shower, whereupon the phone slips out of my hand, falls down into the tray of the shower with the camera facing upwards at my body.
CAROLE THERIAULT
I love that you thought I would look at that.
GRAHAM CLULEY
And I was thinking, well, what do I do now? What exactly am I broadcasting to Carole at this point?
CAROLE THERIAULT
Graham, pinky swear I would always avert my eyes in that situation.
You can count on me.
GRAHAM CLULEY
My phone has not been the same since. In fact, I've not been the same since either. And the phone is no longer working. So anyway, I'm not completely blaming you, Carole.
JOHN LEYDEN
Did you put it in with some dried rice to—
GRAHAM CLULEY
To be honest, John, it's not so much— I don't actually think it's a water issue.
CAROLE THERIAULT
He's talking about your phone, Graham.
JOHN LEYDEN
Yes, thank you for that, Carole.
GRAHAM CLULEY
Carole, what's coming up on the show this week?
CAROLE THERIAULT
Thanks to this week's sponsors, LastPass, Recorded Future, and MetaCompliance. Their support helps us give you this show for free.
Now, on today's show, Graham talks about Apple vulnerabilities. John will be making sense of the following acronyms, DNS over HTTPS or DoH.
And I will be revisiting the land of smart assistants. Is it time for Graham and I to give in and get one? All this and loads more on this epic show of Smashing Security. Just wait.
GRAHAM CLULEY
Now, fellows, I want to talk to you today about, well, there's been a bit of a ding dong going on.
You may remember last month, Google security researchers, the security wonks at Project Zero, they warned of a hacking group that had made a sustained effort to hack the users of iPhones.
CAROLE THERIAULT
Cybersecurity experts at Google discovered a plot to hack a massive number of iPhones over a two-year period.
Researchers found a group of hacked websites that exploited vulnerabilities in Apple software that would have given hackers access to users' contacts, photos, and location data.
And Google says that the group that were behind this were there for about two years, a minimum of two years, they believe. We just don't know what the scope of it is at this stage.
But what's quite scary is how we're only finding out about it now.
GRAHAM CLULEY
Now, in what could be one of the biggest attacks on iPhone users ever, Google has warned malicious hackers have been monitoring data of iPhone users for years without being discovered.
JOHN LEYDEN
We don't know who did it, what they took, or who was infected. But for two years, this attack had the potential to take, well, everything.
GRAHAM CLULEY
So Google, they thought it was right to warn people, warn iPhone users about this, because it'd be really bad if some organization knew what you were doing on your phones, what websites you were visiting, who you were chatting to, all that information.
If that ended up in someone else's hands—
CAROLE THERIAULT
Oh really, Google would have a problem with that, right? Is that— is that okay? Yeah, no, no, you're right, absolutely.
GRAHAM CLULEY
That's right. I mean, Google would say, hey, that's our job, right? Hands off, right? That's for us. For us to collect, not for some state intelligence agency to gather instead.
But seriously, according to Google, the unnamed hacked sites received thousands of visits per week. So it's no wonder the media went crazy about it.
Everyone was talking about new iPhone hacking danger. So Apple released a rather snotty statement, which really made them sound rather pissed off with Google.
They said, first of all, you know, Google's post, which was issued 6 months after we patched iOS against this problem, creates the false impression of mass exploitation to monitor the private activities of entire populations in real time.
And Apple even said that Google was stoking fear amongst all iPhone users that their devices had been compromised. This was never the case, said Apple.
CAROLE THERIAULT
I don't think that's an unfair statement from their point of view, but I also understand from Google's point of view, whose researchers found these vulnerabilities, right?
They want to get their 15 minutes of fame. And they waited for those patches to be put in place. And then they want to do a little tap dance to say, hey, we found this, we helped.
So Apple shouldn't be kicking them in the shins for that.
GRAHAM CLULEY
I said, I think Apple's being a little bit snotty here and their response perhaps isn't great.
Apple went on, they said the attack affected fewer than a dozen websites that focused on information related to the Uyghur Muslim community.
Now they're a group of people, if people don't know, in East Turkestan. That's a province which was occupied by China back in the late 1940s and is still occupied by China.
And they obviously feel persecuted by China about their religion. They're obviously not very keen about China still occupying their country 60 years on. Now, Apple went on.
They said, all evidence indicates that these websites were only operational for a brief period, roughly two months, not, they said, two years as Google implied.
So there's quite a big disagreement here, isn't there, between Apple and Google?
CAROLE THERIAULT
They're the two big boys and they're having a little bit of a beef, really.
JOHN LEYDEN
I just think that, you know, Apple's trying to set up a bit of straw man by saying not all iPhone owners were hacked. Which is not really what Google was saying in the first place.
They were talking about a highly targeted attack.
And to say, oh, it wasn't two years, it was only two months or whatever, neither of them can be trusted because they're both arch rivals in the very marketplace and discussing the security risks existing.
That's the problem.
GRAHAM CLULEY
I think that's part of the problem.
And when I compared what Apple said in their statement to Google's original blog post, Apple does appear to take some statements from Google's blog post, and it's almost as though they've recharacterized them?
Because you certainly can read Google's blog post to suggest that they're not saying these websites were hacked for two years, that they're saying that the group who were behind the hack may have been exploiting a variety of vulnerabilities for the last two years instead.
CAROLE THERIAULT
Okay, but we can totally imagine that some journalists misinterpreted what Google said in a way that made Apple look bad, and Apple retaliated based on that misinterpretation.
GRAHAM CLULEY
Absolutely.
CAROLE THERIAULT
It happens all the time, right?
GRAHAM CLULEY
I think fundamentally Google hyped this up a bit. And Apple tried to play it down a bit.
CAROLE THERIAULT
By making noise.
GRAHAM CLULEY
The truth may be, you know, somewhere in between. So neither of them really come out of this smelling of roses.
Now, another thing which I thought was, if you were, for instance, the Chinese government and you wanted to monitor the Uyghur Muslim community, would you really target iPhones?
In China, Android has about 77% of the mobile and tablet market share. iOS, only around about 1 in 5 mobile owners are using that. So it doesn't really make sense to only target iOS.
Chances are that there are also attacks going on right now against Android devices in that community too.
And we know from past research that iPhone users tend to patch their devices more frequently than Android users.
You know, sometimes it's quite hard to get an update for Android, isn't it?
Often you're very dependent upon the carriers or the manufacturer in order to get an update for Android, and so it can be more difficult to do, whereas because Apple owned the whole infrastructure, it's easier to push out the updates to them.
So I think when we look at this case, Apple and Google both screwed up.
Google initially, in their blog, should have shared more details of what had actually been seen and who had been targeted to reduce the chances of media hysteria.
And sure, you know, the fact that it was being used against Uyghur Muslims doesn't mean it can't be used against anyone else.
But even so, they should perhaps have said, this is the community that has been targeted. We haven't seen it anywhere else.
But of course, the media just went crazy because they just saw iPhone vulnerability.
But I think there's also this real problem, and I don't know if you've encountered this as well, John, this really curious situation where Google are regularly reporting on vulnerabilities in the products of their biggest competitor.
JOHN LEYDEN
Yes, that is one of the questions I had from what you've been saying, Graham, which is, did Google privately disclose this to Apple?
I mean, what is its motives in putting together this research?
GRAHAM CLULEY
So Google did tell Apple and Apple patched it about 10 days later, and that was months and months ago, but they've now gone public and that's what created this latest media storm, even though anyone who's kept up to date with iOS is protected from these vulnerabilities.
CAROLE THERIAULT
So what you're saying, there was a responsible disclosure.
Apple did the right thing and made, put the patches in place rather than ignore it or put their head in the sand like an ostrich.
And then Google went out and tap danced and said, hey, we helped fix this and Apple be better.
GRAHAM CLULEY
Yes. But you know, there's so many shades of gray in between this, isn't there? Because suddenly Google—
CAROLE THERIAULT
How many, about 50?
GRAHAM CLULEY
Google did, suddenly Google did produce some very technical blog posts with all kinds of details.
You know, they do do excellent research and you can argue that Apple should have found its own vulnerabilities in the first place, right?
It shouldn't have to rely or wait for a competitor to do it on their own dime.
JOHN LEYDEN
No, no, no, no, no. Yeah, that happens all the time. That's a problem is discovered by a third party and—
GRAHAM CLULEY
Well, yeah, it does.
CAROLE THERIAULT
You always point out my flaws all the time, Graham, right? And I don't see them, but you're very, very hyperaware and you see them and you call them out.
GRAHAM CLULEY
And it's a better world because of that, Carole. No one ever mentions these things.
CAROLE THERIAULT
Exactly.
GRAHAM CLULEY
We'd never progress, would we?
CAROLE THERIAULT
Thank God for you. So yeah, I agree.
JOHN LEYDEN
Thank God for both of you. Good grief. I'm having to mediate already, listeners.
GRAHAM CLULEY
Anyway, I think Apple could have been politer. They could have thanked Google, even if it had been through gritted teeth. They didn't thank them for finding the vulnerability.
In an ideal world, they wouldn't have had the bug in the first place. And I think also they could have expressed a bit of grumpiness towards China for targeting the Uyghurs.
CAROLE THERIAULT
That sounds a bit odd, targeting the Uyghurs. It just does, you know what I'm saying? It's just funny.
JOHN LEYDEN
They've also hacked the Tibetans, if that makes you feel any better.
CAROLE THERIAULT
Did you look up how to say it properly?
GRAHAM CLULEY
Goodness, yes, multiple times. And no one agreed. So I hope I've got it right.
CAROLE THERIAULT
So you chose the most—
Okay, great.
GRAHAM CLULEY
I think Apple could have done more to bash China for doing this kind of thing.
But you have to wonder, Apple doesn't want to rock the boat when it comes to China either, 'cause that's obviously a huge market for them and maybe they don't want to be too outspoken about this.
Anyway, I don't know. I do think there's a little bit of willy-waving going on on both sides between Apple and Google. And I'm not sure we all benefit because of it.
I think if someone else finds a vulnerability in your software, even though you may be grumpy about how they've expressed it, you should at the very least say thank you for fixing this vulnerability and making our software more secure for our users.
Now maybe Google, you can go and look at some of your own software and try and fix some of the bugs in that as well.
I'm just really saying, can't all these tech companies get along with each other? Wouldn't that be marvelous?
JOHN LEYDEN
It would be great.
GRAHAM CLULEY
When we had problems in the 1980s, Stevie Wonder and Paul McCartney sat down at a piano and played Ebony and Ivory, and we've not had any trouble.
CAROLE THERIAULT
Oh good. Let's bring race into this.
GRAHAM CLULEY
I'm just saying, if it was possible to fix that problem—
JOHN LEYDEN
Race is already in it. That's the whole issue with handshakes. Chinese and wieners.
GRAHAM CLULEY
We're spotted.
CAROLE THERIAULT
Thank you for giving credibility.
GRAHAM CLULEY
And Carole Theriault.
JOHN LEYDEN
Oh my goodness.
GRAHAM CLULEY
Together on our podcast. Okay, please go to your sleep. John, what's your topic for us this week?
JOHN LEYDEN
Okay, I'm going to change the subject entirely. I want to talk about an emerging internet technology which we're all going to be hearing a bit more of over time.
And it's called DNS over HTTPS, or DoH.
DNS is the technology that's used to resolve the names of websites that people understand, like google.com or Smashing Security, to numbers that computers and routers can understand.
And it's a vital technology that's used by web browsers to allow people to surf the web, but also to allow email to be properly directed.
JOHN LEYDEN
So what's coming along is DoH, which is nothing to do with Homer Simpson's famous catchphrase.
CAROLE THERIAULT
I was waiting for it.
JOHN LEYDEN
Yeah, I know.
GRAHAM CLULEY
Are we really being expected to call it DoH? Is that— do you know what the official pronunciation is? Because we don't say H-T-T-P-S instead of HTTPS, do we?
So I'm just wondering, is it really expected that we have to call it DoH rather than D-O-H or something?
JOHN LEYDEN
I argue that as a name, I mean, there is no accepted pronunciation, so why not just go for the funniest possible one and have a joke about it?
GRAHAM CLULEY
Fair point. Yep.
JOHN LEYDEN
Okay, so DoH, as I'm going to call it at least, is nothing to do with baking bread, right?
Although you might say that it's been proofing for a while, and I'll tell you why we can say that.
GRAHAM CLULEY
This podcast is obsessed with bread baking. I can't believe it.
CAROLE THERIAULT
Oh yeah, not Doctor Who or chess or anything like that. You're right, those are normal.
JOHN LEYDEN
So back to my story.
CAROLE THERIAULT
He's like our dad. Shut up, kids.
JOHN LEYDEN
Okay, so I'm gonna have to call it DNS over HTTPS. It's been available as an experimental opt-in feature for Mozilla's Firefox web browser since June last year.
Now what's happened was that last Friday Mozilla said we're going to make it the default selection, initially only to people in the US, from later this month, late September.
And it's also saying that surfers can choose to opt out of it. Now what does it do?
GRAHAM CLULEY
Yes, I was about to say, can you explain what it does?
JOHN LEYDEN
How do you pronounce— we've got into how do you pronounce it and Homer Simpson or whatever.
GRAHAM CLULEY
The most important stuff. Yeah, let's find out what it does.
JOHN LEYDEN
Yes, you have to make these jokes before you get into the meat and bread of the topic.
CAROLE THERIAULT
Yeah, Graham, calm down. God, cheer up.
JOHN LEYDEN
So DNS over HTTPS, it hides DNS queries inside regular HTTPS encrypted traffic, so that makes it difficult for third parties to either manipulate this traffic, which as I said before redirects people around the web, or to snoop on users.
CAROLE THERIAULT
Right. Gotcha.
GRAHAM CLULEY
So if you don't have this in place, it's possible for someone naughty to intercept your DNS request and see what sort of websites your computer is looking up.
CAROLE THERIAULT
Yeah, exactly.
JOHN LEYDEN
And the most obvious party that would see what you're looking at would be an ISP.
CAROLE THERIAULT
Yeah. The service provider.
JOHN LEYDEN
And they're actually one group that was none too happy about this technology.
In fact, this summer, the UK's Internet Service Provider Association went so far as to nominate Mozilla as an internet villain because of its support for DNS over HTTPS. Really?
The ISP was upset because they argued that the technology would impede default filtering of adult content and mandatory court-ordered filtering of copyright violations.
CAROLE THERIAULT
Okay, so basically Mozilla is saying, hey, we will help keep everything you want to do private.
And the Internet Service Providers Association, or ISPA, were like, whoa, whoa, whoa, how are we supposed to filter for porn and things like that?
You're making our jobs so much more difficult. Okay, got you. I'm with you. Carry on.
GRAHAM CLULEY
And I guess some of these ISPs may charge people more money to filter out adult content, or maybe to filter out non-adult content. So you only get a pure 100% filth feed.
I don't know what they offer, but, you know, something like that. I wouldn't even be surprised.
CAROLE THERIAULT
I'm sure that's true. Isn't that sad? I'm sure you're right.
GRAHAM CLULEY
I don't want any clean websites. I just want the really mucky ones. Don't waste my time with the— anyway, sorry, please carry on before I dig this ditch even deeper.
JOHN LEYDEN
So this provoked a bit of a backlash because the internet security community by and large sees DNS over HTTPS as something that boosts privacy. And it's also good for security.
So they said, guys, where— what are you coming from describing Mozilla as an internet villain? You know, this is David Blunkett and all the rest of it.
These kind of people are normally put in this category of internet villain, and here you are putting Mozilla in this for backing this technology, which everybody thinks is, you know, on the balance of things, quite good.
GRAHAM CLULEY
I don't think anyone is suggesting that David Blunkett, the former MP, former Home Secretary, who of course is blind— Yes, former Home Secretary in the UK.
I don't think anyone's suggesting that he's going to visit porn websites or anything like that.
JOHN LEYDEN
Do they have them in Braille?
GRAHAM CLULEY
So what are other people's beef with this? Is there any sort of downside to encrypting DNS?
JOHN LEYDEN
One thing to say about it is that if DNS is encrypted as a standard, it would mean all the traffic would go straight to a central server under the control of Mozilla or Google or one of its peers rather than the locally held DNS name server.
That means that a lot of control over search information and interactivity— it won't be completely hidden, but you'll just be trusting fewer people in the chain.
And one of those people in the chain would be Google or Mozilla.
GRAHAM CLULEY
So, right, and do we trust them? Do we feel comfortable having them all in charge of it?
So yes, so we're gaining in some ways in privacy from this, but there are other potential pitfalls as well. I don't know, I feel overall I'd quite like to embrace DoH.
Feels like a step in the right direction.
JOHN LEYDEN
And you need it, Graham, you need dough.
GRAHAM CLULEY
Carole, what's your topic for us this week?
CAROLE THERIAULT
Well, this weekend, the hubs and I were looking after two little people.
GRAHAM CLULEY
Sleepy and Bashful.
CAROLE THERIAULT
No, children, Graham. Now, this was at their new house, and we had a crazy weekend of gaming and eating and bopping around. More on that later.
But anyway, this morning we're running around getting them ready for school, and we suddenly hear this AI voice say, "Sorry, I didn't quite catch that." And we had no idea that there was a device in the house.
Right. Because normally people keep them in their kitchens, in my experience, or you see them in the kitchens, and then you know to ask about them.
I don't know, you just say, "Oh, okay, there is one." But anyway, I had no idea.
JOHN LEYDEN
And so you go to people's kitchens and check out if they've got a personal assistant?
CAROLE THERIAULT
Yeah, I do.
JOHN LEYDEN
And do you say that I'm just checking to see if you've got a slow cooker oven or something like this?
CAROLE THERIAULT
No, I just say—
JOHN LEYDEN
And then you actually spy for one of these?
CAROLE THERIAULT
No, I just say that my type of conversation may depend on whether one of these devices is active, and I just don't want to bring it up unless I see one.
JOHN LEYDEN
All right, I think it's quite a sensible precaution.
CAROLE THERIAULT
Thank you very much.
JOHN LEYDEN
I never thought of myself.
CAROLE THERIAULT
Well, yeah, well, it turns out it's not stupid because apparently— well, no, you guys guess. How many households do you think have a voice-controlled digital device in the UK?
In the US it's about the same in proportion.
GRAHAM CLULEY
I mean, they're getting more— maybe 5%, something like that.
JOHN LEYDEN
I think a lot more than that. I'm gonna go, I have to go higher. I'm gonna go 15.
CAROLE THERIAULT
You're wrong. It's 1 in 4, right? So 25%.
You know, to think of how long they've been around, really, in my view, about a few years. I'd say less than 5, right? Bloody hell.
And they are now in 1 in 4 households in the UK and the US.
GRAHAM CLULEY
What are people actually doing with these things?
CAROLE THERIAULT
They're going, "Oh, you know, I want to buy something on Amazon," or "I want to know what the weather is," or "Tell me the news," or "Play this song."
GRAHAM CLULEY
Or "Play this audiobook for my kid." Do you think people use them for about a week and then the thrill—
CAROLE THERIAULT
No, people use them constantly. In my experience with my huge circle of friends who love these devices.
Now we all know who the three market leaders are, right? Apple, Google, Amazon.
While Amazon is definitely the market leader and Apple is trailing behind, they all have different strengths and weaknesses.
So one of the big issues that's coming up is these devices recording us when we don't want them to record us.
And recently, The Guardian reported that Apple apologized for allowing workers to listen on Siri recordings. And this was all according to a whistleblower.
The Guardian wrote, "Apple contractors regularly hear confidential medical information, drug deals, and recordings of couples having sex as part of their job providing quality control" (that would just be mortifying) "or grading the company's Siri voice assistant."
GRAHAM CLULEY
Imagine doing quality control over someone's sex recording.
CAROLE THERIAULT
It's just— right?
It turns out that Apple hired people to grade the quality and accuracy of the Siri requests, and these graders were getting access to some hot information not designed for their ears.
It is disturbing to think that you'd be getting it on with your partner and a Siri-enabled device is grading your performance.
GRAHAM CLULEY
At least the contractor hearing it can't give you real-time feedback.
CAROLE THERIAULT
Maybe they probably can. They just, it's pressing a big red button.
GRAHAM CLULEY
Like, it's a big red button. But you can imagine them saying, "Left a bit, right a bit. Oh, for goodness' sake, do you want me to come round and do it?"
CAROLE THERIAULT
So according to multiple former Siri graders, accidental activations were regularly sent for review.
And we know what these include: illegal acts, Siri users having sex, blah, blah, blah.
GRAHAM CLULEY
So this is when someone hasn't said, "Okay Google, do my command," or Alexa, or whatever.
CAROLE THERIAULT
It's really interesting because from what I read, it activates after you say those words.
But who can prove when you say those words? Right?
GRAHAM CLULEY
Oh yeah, you love a conspiracy theory.
CAROLE THERIAULT
I know, I know, I'm gonna be so fun when I'm 90. I'm gonna be full of them. Okay, and what they heard is moot, right? They could have heard someone preparing for an alien landing.
They could have heard someone indulging in a kink or eating too many pies. Whatever it was, they shouldn't have listened, right?
GRAHAM CLULEY
Sometimes those things can be combined, Carole. But yes, okay, let's carry on. Let's keep it clean.
CAROLE THERIAULT
Apple apologized and said it will no longer keep audio recordings of Siri users by default, which is a good thing. I think that's good that they've made that decision.
Though it does hope that people will opt into sharing recordings with Apple to help improve the system.
And as they are not market leader, I can understand that they want to get their skates on and use crowdsourcing to do it.
GRAHAM CLULEY
Yeah, because if it's not the default, most people won't turn on that feature. Well, and from what I understand, Apple's—
CAROLE THERIAULT
I'm freaking not turning it on.
GRAHAM CLULEY
Apple's voice recognition.
CAROLE THERIAULT
No offense, but let me do my job.
GRAHAM CLULEY
They're not as good at it, are they, as Google and Amazon? Siri's not quite there.
CAROLE THERIAULT
But their speaker is hand over— what do you say?
GRAHAM CLULEY
Head over heels?
CAROLE THERIAULT
What is it?
GRAHAM CLULEY
Hand over fist? Oh no, that's another sex. Oh dear.
CAROLE THERIAULT
There's an idiom I want to use, but I don't remember what it is. But they're so way, way better, the speakers on Apple than on the others.
GRAHAM CLULEY
Oh, are they?
Oh, okay. You've been checking them out?
CAROLE THERIAULT
Yeah, I checked them out at the John Lewis shop. All right, check them all out against each other. And I was a big fan of the Apple speakers.
Now, I know it sounds like I'm picking on Apple here, but they are de facto not alone, right?
All of them—Amazon, Apple, and Google—have all been exposed for having humans review the audio recordings.
And, you know, thank you whistleblowers for making people realize that of course that has to happen because the technology isn't in there.
Some people would argue that it's a good thing that humans have to look after this stuff, because it means the machines haven't taken control.
But people are trying to test whether or not these devices are actually making too many mistakes, or recording, or kind of sneaking recording, snarfling our secret information.
And one of these tests was from Consumer Reports, and it involved 4 differently named Amazon speakers, which were each exposed to super-talky TV show Gilmore Girls.
And the result is that during the Gilmore Girls marathon, the speaker started recording snippets of dialogue 10 times without hearing the correct wake word.
And during the audiobook test, 63 false positives happened in 21 hours. So doing the math there, is that a good result? That's like 3 an hour, isn't it?
GRAHAM CLULEY
Oh, I'm sorry. I thought you said the Golden Girls. Oh, how disappointing. I think the Golden Girls would have been much better. Much better.
I've never had—actually, you know what, girls?
CAROLE THERIAULT
Oh, it's really—I think you'd really love it, Graham. The softer side of you would love it.
GRAHAM CLULEY
Yeah, not as much as the Golden Girls.
CAROLE THERIAULT
No, Golden Girls is great. You're right, that is a classic. She's still going, you know, Betty.
GRAHAM CLULEY
Good for her.
CAROLE THERIAULT
Now, the test showed that Amazon does delete the snippets once it realized the recording was happening in error, they said.
But I still find it a little bit kind of creepy, or maybe it's just modern and I need to get with the times.
It's hard for me to decide, and you guys are older than I am, so I don't think you guys can really help me on this one.
GRAHAM CLULEY
Well, I wonder.
CAROLE THERIAULT
Good grief.
GRAHAM CLULEY
Well, no, I do question why people need these devices. I can't understand what they actually do with them. I mean, I find it hard to—I think people just buy them.
CAROLE THERIAULT
Imagine you have a young, young baby.
You're elbow deep in poop and you realize that you really would love to listen to the latest cricket match.
GRAHAM CLULEY
If you're elbow deep in poop, call the fire brigade. Don't call Google.
CAROLE THERIAULT
Now, stories that have, like these, the ones that I've been sharing with you about Amazon and Google and Apple, have sparked some legislation, including a new bill introduced by a Massachusetts rep, and it is called the Automatic Listening Exploitation Act.
And it suggests that a company should be fined $40,000 for each recording made without a user's permission.
GRAHAM CLULEY
Hang on a moment.
CAROLE THERIAULT
Yeah. Okay.
GRAHAM CLULEY
The Assistant Learning Exploitation Act.
CAROLE THERIAULT
Automatic listening.
GRAHAM CLULEY
Automatic listening.
CAROLE THERIAULT
A-L-E-A.
GRAHAM CLULEY
I see what it spells out.
CAROLE THERIAULT
I don't.
GRAHAM CLULEY
E-X-A, A-L-E-X-A, Exploitation. I hate it when people do that. What? It says Alexa. That is what his bill is called.
CAROLE THERIAULT
Oh no. I didn't spot that at all. You're so clever.
GRAHAM CLULEY
You're back!
CAROLE THERIAULT
You're back!
JOHN LEYDEN
You were so depressed earlier.
CAROLE THERIAULT
Well done, Bill!
JOHN LEYDEN
Your cosplay skills have come in.
CAROLE THERIAULT
Now, there's a lot of problems with this bill, isn't there? Because one of the things he says in it is exceptions would be made if it was for service improvements, right?
So you can just imagine that all the lobbyists for the big three will simply say that everything is for service improvements.
Now I'm laughing at this stage, but I think this is one of the first bills on this point. So well done for getting out of the door.
Now I don't think this is going to stand, but it's a step in the right direction because I do think we need legislation or legislators at least looking in this area and looking after the services that they're giving to their people that they're supposed to be protecting.
So there's a very serious endpoint.
GRAHAM CLULEY
Oh, very good.
CAROLE THERIAULT
Yes. Frown and go, yes, very intelligent.
GRAHAM CLULEY
Yes, very, no, very, very, very good point, Carole. Very good point. I'm glad to have you on the show. I think it's time for our sponsors.
They'll be impressed by this sort of deep thinking, won't they? Yeah, very good.
CAROLE THERIAULT
Very good. Hey, what's your password for your email? Do you even know it? I don't. I trust LastPass Enterprise to remember it for me because it's so long, so complex, and so unique.
I couldn't possibly remember all my passwords for all my accounts. Let LastPass Enterprise do the hard work for you.
Because they take security seriously and they're really responsive. Check out LastPass Enterprise at lastpass.com/smashingsecurity.
GRAHAM CLULEY
Recorded Future provides deep, detailed insight into emerging threats by automatically collecting and analyzing billions of data points from the web.
Every security team can benefit from that kind of threat intelligence.
Grab yourself a copy of Recorded Future's free handbook, which explains why threat intelligence is an essential part of every organization's defense against the latest cyberattacks.
Go and get it at smashingsecurity.com/intelligence. And thanks to Recorded Future for supporting the show.
CAROLE THERIAULT
MetaCompliance, the security e-learning experts, make learning best practice engaging and fun.
Through stories, realistic scenarios, the MetaCompliance guys provide animated e-learning and even games like phishing drills to test your knowledge.
Plus, these guys get passwords, they get GDPR, they get security, and they've won awards for security awareness.
Smashing Security listeners, you guys can get 10% off by visiting smashingsecurity.com/metacompliance and entering the code SMASHING. That's smashingsecurity.com/metacompliance.
GRAHAM CLULEY
And welcome back. And you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
JOHN LEYDEN
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related, necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
And my Pick of the Week is not security-related this week. It is an app. Now, do you remember a few weeks ago we had as a guest Mr. Jack Rhysider from the Darknet Diaries podcast?
And there he was.
CAROLE THERIAULT
I got a new mouse because of him.
GRAHAM CLULEY
Oh, interesting, did you? Because there he was crowing about his mouse. So you've actually got that mouse?
CAROLE THERIAULT
No, I use my touchpad. I didn't get one of those, but I took it on the chin that I was making too much noise.
GRAHAM CLULEY
Oh, okay, okay, I see. So he was crowing about his mouse and saying how wonderful it was and how it could do all these incredible things.
And I felt a little bit of pang of jealousy and I thought, I wish my mouse could do all these things.
But I didn't want to go and buy a new mouse because I quite like my existing mouse apart from that. So I found a tool.
I found a fantastic tool called BetterTouchTool, which I am able to run on the Mac operating system.
And I'll put a link in the show notes. And Carole, you might be interested in this because you have, you have one of those MacBooks which has a touch bar, don't you?
And do you ever think, oh, I wish I still had a physical Escape key?
CAROLE THERIAULT
No, I wish I had my old MacBook, which I loved.
GRAHAM CLULEY
Well, with BetterTouchTool, you can not only reprogram just about everything on your mouse, you can also reprogram your keyboard, you can reprogram your Touch Bar and your touchpad to do all manner of things.
So I've got, I've got ways now, I've got like a hyper key on my keyboard, so it's like the equivalent of a different like Command or Alt key. I can get it to run different commands.
I can press a button on my mouse and it can do screenshots and automatically import it into graphic software for editing.
It is very, very cool and very powerful. The people who seem to particularly like it are people who have re-engineered their Touch Bar on the MacBook.
I don't have one of those types of MacBooks, I'm pleased to say, but it does look like you're able to make your Mac a real power Mac, if you want to reuse that term.
CAROLE THERIAULT
I would love someone to do that for me and then explain how everything worked and then made sure I memorised it all.
And then called me once a week to make sure I still memorised it correctly.
GRAHAM CLULEY
Well, there are some very, very cool apps out there, Carole, and maybe sometime we should, we should discuss some of the things.
CAROLE THERIAULT
That's what friends are for. That's what I've been told.
GRAHAM CLULEY
That's what friends are for. Anyway, so that is my pick of the week, the BetterTouchTool, and very cool it is too.
CAROLE THERIAULT
Cool. I'll check it out.
GRAHAM CLULEY
Yeah. John, what's your pick of the week?
JOHN LEYDEN
Well, my pick of the week is a podcast, a podcast about technology.
And it's a podcast in which an industry veteran with a somewhat curmudgeonly attitude co-hosts the show with a much more articulate, charming, witty Canadian female co-host.
Now this is not a meta reference to Smashing Security.
GRAHAM CLULEY
Well, I realised it wasn't Smashing Security when you described the co-host, but anyway, yes, Carole Theriault. What?
CAROLE THERIAULT
See, it's outrageous.
GRAHAM CLULEY
What do you talk— what podcast is this? Is this a rival to Smashing Security, John?
JOHN LEYDEN
It's a complementary podcast. Okay, okay, so I'm talking about Swigcast. It's a new cybersecurity podcast and we're taking a deep, in-depth look at infosec topics.
GRAHAM CLULEY
Hang on a moment.
CAROLE THERIAULT
Who are the hosts, John?
JOHN LEYDEN
It's myself at the Daily Swig.
GRAHAM CLULEY
Oh my goodness. Two weeks running.
We've had guests shamelessly—
CAROLE THERIAULT
We opened Pandora's box, haven't we?
GRAHAM CLULEY
Of their own podcasts.
CAROLE THERIAULT
It was my fault. Good for you, John. Good for you. You work hard on your podcast. Good. Mention it.
JOHN LEYDEN
You would never hear any self-promotion by any of the co-hosts of Smashing Security.
GRAHAM CLULEY
No, we would never stoop to this level. So John, the Swigcast. This is a podcast where you sort of look at a different topic each episode, don't you?
Rather than the sort of rubbish look back at the week's news that we do.
JOHN LEYDEN
We've had two so far and I will exclusively reveal the contents of the third one in a moment.
The first two were, we looked at hacker culture, the representation of hackers in the media and what effect that has on recruitment and so on and so forth.
Second episode, we looked at the encryption policy and we had an interview with Bruce Schneier about that.
GRAHAM CLULEY
You had Bruce on?
CAROLE THERIAULT
I can— yeah, I can say I've known John Leyden for a long time, and the one thing I can say about John is you ask good questions.
And sometimes I was on the bad side of those questions.
GRAHAM CLULEY
Yes, sometimes.
CAROLE THERIAULT
So I think it's great that you're doing a podcast. Welcome to the club.
GRAHAM CLULEY
He's always been fair, but he's probing, isn't he? You can't get much past him. That Leyden chap.
JOHN LEYDEN
Gosh, I must blush.
CAROLE THERIAULT
I wouldn't say—
JOHN LEYDEN
I would say all the best questions on this particular podcast go with my co-host Katherine Chapman, also of the Daily Swig.
GRAHAM CLULEY
So, and she's Canadian as well, is she?
JOHN LEYDEN
She is Canadian.
GRAHAM CLULEY
What is it with these Canadians?
CAROLE THERIAULT
There's two women that are Canadian.
GRAHAM CLULEY
Two women that are Canadian. Extraordinary. And Joe Mitchell. Watch out, we're coming again. Does she do a security podcast too?
JOHN LEYDEN
Well, Taylor Swift does one. Oh, am I getting confused now?
GRAHAM CLULEY
So the Swigcast is available in all good podcast apps, I imagine.
JOHN LEYDEN
Yeah. And there's an upcoming one where we'll look at the serious issue of cybercrime legislation and policy.
GRAHAM CLULEY
Wonderful. Okay. Fantastic. Carole, what's your pick of the week?
CAROLE THERIAULT
Very unsecurity related.
Did I mention I was babysitting this weekend?
GRAHAM CLULEY
You may have once or twice.
CAROLE THERIAULT
Well, okay, so these kids come over to my house pretty regularly, right?
And we are not au fait with the consoles and all the latest gizmos, but somehow we have introduced them to our old Wii and made it look like a collector's item.
And they love the Wii, right? So when we were going over to babysit, we collected all our Wii games, and I even went up to your house, didn't I? Mr. Cluley, to pick up some old games and stuff from you.
GRAHAM CLULEY
You ransacked some controllers and old games from my house.
CAROLE THERIAULT
Yeah, you know what, thanks for going to seek them out because I know you have all the latest consoles, but you went for me and I'm grateful.
Now, I know everyone goes on and on about how the sexy new consoles are and the flashy-ass games, but my pick of the week brings us to the Wii.
2006, the Wii console was released and it was and still is awesome. We played Just Dance and we played some Zelda and it was excellent.
JOHN LEYDEN
No, Wii Sports. I remember the Wii Sports.
CAROLE THERIAULT
Yeah, Wii Sports, exactly.
GRAHAM CLULEY
The tennis was fantastic. The tennis was just brilliant, wasn't it?
CAROLE THERIAULT
Yeah, my favorite that we did on Dance 4, I think it was Just Dance 4, we did about 5 times, Rock Lobster by B-52s. Seriously, the best song.
Yes, it is the best animated exercise class ever. We did a 10-minute jobbie of it. I was sweating bullets. It was excellent. So dig out your Wiis, people.
Dust off your old consoles and relive some of the early noughties because it's fun. It's really fun, and you actually get off your ass, which is, you know, a lot of us need to do.
So there.
GRAHAM CLULEY
I think that's a terrific pick of the week.
CAROLE THERIAULT
Thank you. It's a great game.
JOHN LEYDEN
It's great. It reminded me of how much fun I had with it.
CAROLE THERIAULT
I'm going to organize a Wii party soon. It's going to be a retro, but it's good.
GRAHAM CLULEY
Sounds cool.
CAROLE THERIAULT
You might get invites, guys. I'll let you know.
GRAHAM CLULEY
Well, on that bombshell, I think we've just about wrapped it up for this week. John, I'm sure lots of fellows would like to follow you online.
What's the best way to find out what you're up to?
JOHN LEYDEN
Right. So these days I write regularly for the Daily Swig, which is a cybersecurity news site created by PortSwigger, which people will know, the makers of Burp Suite.
But if you want me to chat sports or security, then I'm also available on Twitter @jleyden.
GRAHAM CLULEY
And you can find us on Twitter as well, @SmashingSecurity, no G, Twitter won't allow us to have a G. And maybe you might want to support us on Patreon.
If you want to support the show, just go to patreon.com/smashingsecurity with a G, and we've got different tiers and goodies to offer you up there.
CAROLE THERIAULT
Once again, thanks to this week's Smashing Security sponsors: Recorded Future, MetaCompliance, and LastPass. Their amazing support helps us give you this show for free.
And thanks to you super duper people who listen week in and week out. Check out smashingsecurity.com for past episodes, sponsorship details, and info on how to get in touch with us.
GRAHAM CLULEY
Until next time, cheerio, bye-bye, bye-bye-bye.
JOHN LEYDEN
Totally great pick of the week, Carole.
CAROLE THERIAULT
Thanks, it's so fun. Seriously, it's so worth the money.
GRAHAM CLULEY
Graham Cluley and Carole Theriault making a podcast together harmoniously, choosing picks of the week, which aren't security-related necessarily.