Smashing Security podcast #157: A biometric knuckle duster

Graham Cluley

What is Kaspersky’s ugly ring for? Is there something suspicious about how NordVPN lets you stream Disney+? And why did a hacker impersonate a music producer?

Plus we have a bonus feature interview with Rachael Stockton from Logmein, the folks behind LastPass, all about behavioral biometrics!

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Transcript
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
So Kaspersky have ridden in on their great big Russian bear and they have come to your rescue because they say that—
CAROLE THERIAULT
Sorry, I've gone picturing that for a moment.
MARIA VARMAZIS
Shirtless. Make sure they're shirtless.
GRAHAM CLULEY
They're shirtless. Yes, they're wrestling a bear. They stumble in.
CAROLE THERIAULT
Holding hands with Putin. I got it. It's beautiful. Oiled.
MARIA VARMAZIS
There's a choir singing somewhere and it's really glorious.
Unknown
Smashing Security, episode 157. Biometric Knuckle Duster with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 157. My name's Graham Cluley.
CAROLE THERIAULT
Hello, I'm Carole Theriault.
GRAHAM CLULEY
Hello. And we are joined this week by a returning fabulous guest. It's Maria Varmazis. Hello, Maria.
CAROLE THERIAULT
The crowd goes wild.
MARIA VARMAZIS
Hi. Thanks for having me back.
CAROLE THERIAULT
Yay for coming back.
MARIA VARMAZIS
Yay.
CAROLE THERIAULT
It's almost Christmas. Are you guys panicking yet?
MARIA VARMAZIS
No, no, no, no, not really.
GRAHAM CLULEY
No, no, I heard it's pretty Christmasy there. I mean, we don't like to talk about the weather on this podcast, Maria, but I hear you are snowy.
MARIA VARMAZIS
I'm snowed in.

So yeah, we're getting some unseasonably large amounts of snow right now, so it's very— well, you know, it's not unusual for us to get a little snow, but this is quite a big snow dump.

Yeah, it's unusual. Usually we start getting that later, but it's cozy. I've got my coffee, I'm good.

I've got my fuzzy slippers and working from home because I'm a freelancer, so I do this every day.
GRAHAM CLULEY
We're all in our pajamas. Yes, we're all freelancers.
MARIA VARMAZIS
Every day, even in the summer. I'm really cozy.
GRAHAM CLULEY
Well, snuggle up, everybody. And Carole, tell us what's coming up on the show this week.
CAROLE THERIAULT
One moment, please.
MARIA VARMAZIS
We're not actually having a show.
CAROLE THERIAULT
First, thanks to this week's sponsor, LastPass. Its support helps us give you the show for free. Now, on today's show, Graham showcases Kaspersky's new foray into improved security.

Maria, Maria, take over from me.
MARIA VARMAZIS
I'm talking about residential proxies and what NordVPN is or isn't doing.
CAROLE THERIAULT
Who could have said that better? And I'm looking at what could have been a pretty neat little hack were it not for egos getting in the way.

Plus, we have a special feature with LastPass. Rachael Stockton explains all things single sign-on, including behavioral analytics. Creepy stuff.

All this and loads more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, cast your mind back to the early days of Smashing Security. You may remember that we discussed once the scent of Eugene Kaspersky.
CAROLE THERIAULT
Was that a pick of the week or something?
GRAHAM CLULEY
No, it was a main story. Kaspersky released a perfume called Kaspersky, the essence of an antivirus researcher.
MARIA VARMAZIS
Oh, I remember this.
GRAHAM CLULEY
And it got us thinking, I think, at the time, you know, what other people could release a perfume? Maybe the aroma of John McAfee coming all the way from Costa Rica.
CAROLE THERIAULT
Oh, please.
MARIA VARMAZIS
Strong sense of bullshit.
GRAHAM CLULEY
Well, Kaspersky's marketing department, they've been busy beavering away, and they've come up with something new that has caught the media's attention.

So they're quite creative, those folks.
CAROLE THERIAULT
Well, these are the guys that came up with Packing the K, if I remember rightly.
GRAHAM CLULEY
Let's never forget the Packing the K video. One of our favorite cybersecurity music videos.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
When I'm packing the K, I can say with affection, the K-man gives me the best protection.
CAROLE THERIAULT
Who's the key?
GRAHAM CLULEY
Kaspersky. K is the key, Kaspersky. Always a good excuse to link to it in the show notes. So thank you for giving us that.

Now, before I reveal what Kaspersky's marketing plan I've done this time, I think it's a good idea to explain what the problem is that they are trying to address.
CAROLE THERIAULT
Perfect.
GRAHAM CLULEY
Because we live in a biometric world, don't we? Our phones are unlocked with a glance of our face, and bank accounts are unlocked with a fingerprint.

And we find ourselves— Well, some of us do.
MARIA VARMAZIS
Specifically Graham's. Mine is unlocked with Graham's fingerprint.
CAROLE THERIAULT
God, that must make it tough since you live in different countries.
GRAHAM CLULEY
And some places, like in the UK, you can be identifying yourself when you ring up the taxman with your voice.
CAROLE THERIAULT
Yes. Oh, delightful.
GRAHAM CLULEY
Yes, wonderful, isn't it?

Well, the problem is with those sort of technologies being used to identify whether it's really us looking or touching or speaking is they need to somehow store some kind of print to compare against our voice or our fingerprint or our face.
CAROLE THERIAULT
Yeah, and this is all addressing the whole problem of authentication, right?
MARIA VARMAZIS
Yeah.
CAROLE THERIAULT
You know, we have username and passwords, but then we forget our passwords or we forget our usernames, and then we have more than one email address and more than one phone number.

So using something that is a very good way of authenticating, I'm guessing.
GRAHAM CLULEY
Yeah, yeah. Authentication, I think, lies at the heart of many of today's security problems.

A failure to reliably identify that it is the individual you wanted to give access to something who's really trying to gain access.
CAROLE THERIAULT
That's almost the definition of a hack, right? Is that someone who wasn't authenticated got access as though they were authenticated to something, right?

And that's the big problem, right? Okay.
GRAHAM CLULEY
So there are organizations out there and technology which obviously need to store biometric data in some way or another. And if that was ever stolen, yeah, could be quite harmful.
CAROLE THERIAULT
That's the big problem, right? You only have one set of fingerprints. Well, you've done, I suppose.
MARIA VARMAZIS
Well, yeah, you can get hacked 10 times and then you move on to toes, ear, bum. Oh, butt prints. That's the future. At least you heard it here first.
GRAHAM CLULEY
Maybe more in some cases. But the important thing to remember is you can change your password after a hack occurs, right?

We see hacks all the time and you're told, oh, reset your passwords. Well, just try resetting or changing your face or your fingerprints. It's going to be really difficult, isn't it?
CAROLE THERIAULT
It's going to be a huge lineup at the plastic surgery outlets around the place, isn't there?
GRAHAM CLULEY
Well, I have been on YouTube this morning, Carole, and I've watched the trailer for that marvellous 1997 movie Face/Off.
MARIA VARMAZIS
Oh, the classic. An American classic, if you will.
CAROLE THERIAULT
Someone I know, maybe it's my parents, I think it's them, but someone I know walked out of that film within the first 10 minutes.
GRAHAM CLULEY
I walked out during the trailer. I found it too confusing working out which one was John Travolta and which one was Nicolas Cage.
MARIA VARMAZIS
They're remaking it, aren't they? They're remaking the series.
CAROLE THERIAULT
You're kidding me.
MARIA VARMAZIS
No, I'm pretty sure they are. Because we didn't get enough with the first one. Or maybe they already did and I missed it, but—
GRAHAM CLULEY
It's so ridiculous. Anyway, so for normal people outside of this sort of fantasy Hollywood world, it's not possible to change your face or your fingerprints.

So they're not the same as passwords, and you can't change your fingerprints, and you leave your fingerprints everywhere.

Maybe fingerprints aren't actually the ideal mechanism for security or authenticating yourself.
CAROLE THERIAULT
Do you want to tell every single airport in the world operating right now?
GRAHAM CLULEY
Well, there are challenges, aren't there? Because when a breach happens, what are you going to do about it?

So Kaspersky have ridden in on their great big Russian bear, and they have come to your rescue because they say that—
CAROLE THERIAULT
Sorry, I've been picturing that for a moment.
MARIA VARMAZIS
Shirtless. Make sure they're shirtless.
GRAHAM CLULEY
They're shirtless. Yes, they're wrestling a bear. They stumble in.
CAROLE THERIAULT
Holding hands with Putin. I got it. It's beautiful. Oiled.
MARIA VARMAZIS
There's a choir singing somewhere and it's really glorious.
GRAHAM CLULEY
They have teamed up with Swedish designer Benjamin Way to create a ring that you wear on your hand.
CAROLE THERIAULT
Do you know that name? Benjamin Way?
GRAHAM CLULEY
He's a Swedish designer.
CAROLE THERIAULT
Okay. Okay.
MARIA VARMAZIS
Okay.
GRAHAM CLULEY
So you should know him. And this ring creates a fake synthetic fingerprint, right?

It houses a 3D-printed rubber stone made out of, quote, thousands of conductive fibers that basically simulate a fingerprint.

Now, I've included a picture in the show notes here, and I'll also include a link to the video so our listeners can— as you can see, it's completely and utterly ugly.
MARIA VARMAZIS
Oh my God, looks like a tumor.
GRAHAM CLULEY
Well, what we've got here is a picture of a man with an enormous ring on his hand.
CAROLE THERIAULT
Okay, yeah, I see the ring.
GRAHAM CLULEY
And a great big black oval, like it's a stone. It's basically the size of a thumb, I guess, on his finger and made out of some kind of black rubber.

It's like a— and the idea is that rather than using your thumb to register, for instance, your fingerprint, you'd use your ring.

So you sort of turn it over and press that against your Touch ID.
CAROLE THERIAULT
Dudes, this could be maybe the cutting edge of Russian chic right now. Now, okay?
MARIA VARMAZIS
Seriously. It looks ugly, but I'm intrigued by the idea behind it.
CAROLE THERIAULT
But you get to punch in. So effectively, instead of using your fingerprint, you literally punch the ring in and it has a simulated fingerprint.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
So it's basically a deep print fake print thingy.
MARIA VARMAZIS
Oh, deep prints.
CAROLE THERIAULT
Deep prints, TM, Carole Theriault.
GRAHAM CLULEY
It's not a copy of your fingerprint. So it has its own unique fingerprint.
MARIA VARMAZIS
And let me guess, if you lose it, you can buy another one.
GRAHAM CLULEY
Yeah, exactly.
MARIA VARMAZIS
It's like there's a built-in profit there.
CAROLE THERIAULT
At this stage, if someone had brought this up at a meeting on a Friday afternoon, I would be, let's do it. How much would it cost to do a prototype? This can't be that expensive.

It is a PR winner. Okay. So, okay. And I like it. I kind of think I like it.
GRAHAM CLULEY
On a pure fashion scale, Carole, would you wear one of these?
CAROLE THERIAULT
Well, I might wear it the other way around.
GRAHAM CLULEY
Oh, I see. So it's underneath.
CAROLE THERIAULT
Right into my palm.
MARIA VARMAZIS
Right.
GRAHAM CLULEY
It's quite large. You know, I don't think you'd be able to hold on to things like the handlebars of your exercise bike and things.
CAROLE THERIAULT
I don't need to hold on to the handlebars of the exercise bike, Graham.
Unknown
Geez.
GRAHAM CLULEY
You're not going that fast.
CAROLE THERIAULT
I'll take you on any time.
MARIA VARMAZIS
Imagine trying to do yoga with that curl. Like you're doing a handstand or something.
CAROLE THERIAULT
Presumably you can take it off for certain activities. Like yoga.
GRAHAM CLULEY
No, no, you have to wear it forever. Of course you can take it off.
MARIA VARMAZIS
It's fused to the bone.
CAROLE THERIAULT
Exactly.
MARIA VARMAZIS
So you just remove it.
CAROLE THERIAULT
Oh my God, imagine you lose it. Okay, I know. Okay, I can see where the problem's—
GRAHAM CLULEY
Okay, go, go, go. This is where the flaw is, right? So first of all, first of all, yes, you could lose it, right?

Because when you go to the gym, or when you're doing the washing up, or when you're lathering yourself in the shower, it could slip off with all the soap. When you go swimming—
CAROLE THERIAULT
Hey, I lost my engagement ring, right?
GRAHAM CLULEY
Right.
CAROLE THERIAULT
Still married, but there you go.
GRAHAM CLULEY
People take off their rings when they go swimming, or if they're baking, because you don't want to get lots of yeast under there. So there's that issue.

A real finger is hard to lose, but I would argue that a ring is pretty easy to lose.

And furthermore, okay, there's this problem of, well, you use the same fingerprint for everything.
CAROLE THERIAULT
Can I ask some questions?
GRAHAM CLULEY
No, can I finish what I'm saying?
MARIA VARMAZIS
You too. Oh shucks.
CAROLE THERIAULT
This is a fun chat.
GRAHAM CLULEY
I just said furthermore. You keep interrupting me.
MARIA VARMAZIS
Simmer down now, children.
GRAHAM CLULEY
But furthermore, right? So it's not only the issue, I've just, I've gotta edit this bit. It's not only the issue of whether you lose this thing, right? And have to replace it.

And that's gonna be a nuisance 'cause people do take their rings off.

But furthermore, wouldn't it be great if you had different fingerprints for different services rather than having your fingerprint stolen in one place, your fingerprint data, and then used to break into other accounts?

So are you supposed to wear 10 different?
CAROLE THERIAULT
A knuckle duster.
GRAHAM CLULEY
One on each.
MARIA VARMAZIS
Yeah, a knuckle duster.
CAROLE THERIAULT
All right. Sorry, I interrupted, sorry.
MARIA VARMAZIS
Actually, to be fair, I think this is an interesting approach to the biometrics problem. I don't know if it's the solution, but I want to give them credit.

This is actually kind of interesting. This ring, I think, is ugly as all hell. I mean, it— I just— oh, it looks nasty. But it is an interesting, you know, you lose your finger—
CAROLE THERIAULT
Oh, you like blood diamonds better?
MARIA VARMAZIS
No, no, I don't. I'm a millennial. I don't do that. We kill diamonds, remember? It's a thing. But maybe there's another solution that's not literally on your hand. I don't know.

But an earring?
CAROLE THERIAULT
Perhaps? You could just—
MARIA VARMAZIS
A keychain fob? You know, we had a bunch of those. We seem to really like those in InfoSec. Yet another little dangly thing.
GRAHAM CLULEY
But the problem with all of these fingerprint replacements is that it doesn't prove it's really you, does it?

It just proves that someone else has possession of the item, which you're using to try and prove that it's you.
MARIA VARMAZIS
Knock you over the head with the hammer and put your finger as you're passed out on the phone. Good, good.
Unknown
Look.
CAROLE THERIAULT
I think all these companies are trying to make these devices much more part of our everyday life, which is why we have these watches. We saw the Amazon Ring, right?

And there's like necklaces and now all these things. So is it harder than losing your finger?

Of course it is, but it's probably less likely that you'd lose a wearable than something that's in your pocket, like a dongle.
GRAHAM CLULEY
A dongle? I don't know. Well, yes, possibly, I suppose. I suppose you change your trousers more often than you take your ring off, right?
CAROLE THERIAULT
Well, and often you, when you, if you wear jewelry, you tend to—well, not me, obviously, because I lost mine—but you would put your rings down in the same place if you're removing them, right?
MARIA VARMAZIS
It's a tough nut to crack. I don't know.
CAROLE THERIAULT
Okay, so did this go wrong? Did this go wrong?
GRAHAM CLULEY
It hasn't gone wrong. I think that they—oh, I'm going to give them the benefit of the doubt on this one.

I assume this is just a marketing concept rather than something that they're really going to push.
CAROLE THERIAULT
I don't know.
GRAHAM CLULEY
So it's an interesting idea.

I think it doesn't really solve the problem, or at least it solves some problems, but then it introduces a whole load of ones which we have in the first place.
CAROLE THERIAULT
What's your solution? You complain about people using fingerprints.
MARIA VARMAZIS
You think he'd be on the podcast if he had a solution? He'd be marketing it and making a whole boatload of money.
CAROLE THERIAULT
I know, he's just whingy. Whinge, whinge, whinge.
MARIA VARMAZIS
He wouldn't be doing this if he had the solution.
GRAHAM CLULEY
Maria, what have you got for us this week?
MARIA VARMAZIS
Not Facebook. So that's fantastic. I'm going to be talking about residential proxies.
GRAHAM CLULEY
Ooh la la.
MARIA VARMAZIS
Yes.
CAROLE THERIAULT
That sounds riveting.
MARIA VARMAZIS
I know. We're done here. We're done.
Unknown
Bye.
MARIA VARMAZIS
All right. So I had asked on Twitter, as I often do, hey, what story should I talk about for the show today? Because I'm lazy and our listeners are very helpful.

So some of our listeners sent in a blog post that's been making the rounds. It went out about 4 days ago from recording. It's about NordVPN. And does that name ring a bell for anyone?
GRAHAM CLULEY
Hmm. Have they been in security headlines recently for any reason at all?
MARIA VARMAZIS
Yeah.
GRAHAM CLULEY
I wonder.
CAROLE THERIAULT
Have they had any snafus?
MARIA VARMAZIS
Yeah. Well, I'll do a little backstory for folks who don't know.
CAROLE THERIAULT
Absolutely.
MARIA VARMAZIS
Yeah. So about 2 months ago, correct me if I'm wrong, guys, they were in the news because they'd been compromised, but they sort of sat on that news for a number of months.

So their servers got compromised in 2018, or their data center rather, and they found out about it in April 2019, and they only came clean about it in October of 2019 after a lot of public pressure.

That is a very nutshell version of what happened. It was a bad look for a VPN given that the whole deal with VPNs is that they're supposed to help your security.

So sitting on news of a data breach for months and months is a really, really bad look.
CAROLE THERIAULT
Yeah. Well, weren't they doing this massive push? Because for a while they were all over television like terrestrial TV or digital TV.

And I would see them in numerous Reddit feeds as well. So it felt to me like they had a lot of money to burn to get their name out there.
MARIA VARMAZIS
They're a big name. Yeah. Yeah.
GRAHAM CLULEY
And they had rather blotted their copybook around the same time as the news of this data breach.

They had been criticized for some ads which they were running, which were basically saying, you get rid of all of your security problems if you're running a VPN.
MARIA VARMAZIS
That's a bold claim.
GRAHAM CLULEY
Which was a rather bold claim. And they did pull it back. But they have had something of a challenge record history, I'd suggest.

I mean, they sponsored lots of podcasts and videos and things like that.

And sometimes the claims made by the people appearing on those podcasts and videos weren't completely legitimate.
MARIA VARMAZIS
Specious, maybe.
GRAHAM CLULEY
Good word.
MARIA VARMAZIS
So there's a blog post by Derek Johnson that NordVPN is doing something that they shouldn't be able to do and that there's something really bad behind it.

And I'm not saying this is true or not. I just want to dig into what's behind this claim and maybe we can draw some conclusions there.

Because I'm not really sure that this is the case. But in any case, let's dig in.

The big question is this: how exactly is NordVPN able to serve up Disney+ to countries that shouldn't be able to access it? That is the question, right?
GRAHAM CLULEY
And Disney+ is their version of Netflix. It's a new streaming service, isn't it? And I think there's some kind of Star Wars TV show or something on it.

I can't get it from over here, but that is correct.
CAROLE THERIAULT
So is your point that Disney blocks most VPNs from attempting to do this, and for some reason Nord is not on their blocklist?
MARIA VARMAZIS
Kind of, yeah.

So basically, to just back up half a second, Disney+ is only available in a very small number of countries— so Canada, US, Australia, New Zealand, Netherlands— and then everyone else has to wait at least a year, if not longer, right?

So companies like Disney+ and Netflix are always doing whack-a-mole with VPNs. So that's a known problem.

So if you want to access Disney+, say, in Europe, anywhere in Europe outside of the Netherlands, what are you gonna do? So you're gonna try your VPN and you find out you're blocked.

So this is where it gets a little weird.

Users of NordVPN are still able to access Disney Plus even though pretty much every other VPN apparently, or a lot of other VPNs, can't access it, right?

Because Disney Plus goes, nope, you're a VPN, I'm not letting you in. So how is that happening? And that is the question that Derek Johnson is asking in his blog post.

This really shouldn't be able to be happening, and yet it is.
GRAHAM CLULEY
So it's kind of impressive and maybe a competitive advantage if NordVPN says, well, we can give you access to Disney Plus.
CAROLE THERIAULT
Well, totally.
MARIA VARMAZIS
Yeah.
CAROLE THERIAULT
You know, I assumed, perhaps incorrectly, that some were just blocked and some they just weren't on the hit list and it was that easy.
MARIA VARMAZIS
This could be possible. And then there's another theory.
CAROLE THERIAULT
Okay.
MARIA VARMAZIS
So the theory is this thing called a residential proxy, which is sort of new to me. I haven't really heard this term much, but you'll probably be hearing more about it.
MARIA VARMAZIS
So a residential proxy is a real person's IP address, like it's assigned to them by their own ISP. So it's not an anonymous block of VPN IPs that the VPNs tend to get.

So they're newish and folks love them for going around these VPN ISP blocks and also maybe doing some more dirty stuff on the internet.

I'll let you fill that in with your own imaginations. So I did a little digging for the marketing spiels that some of these VPNs use.

And there's this very breathless description of how great residential proxies are. Just listen to this.

These proxies are the highest quality product on the proxy market for one simple reason, which is that residential IP addresses are undetectable.

They look exactly like real mobile and desktop devices. They are immune to bulk bans and blocks because these proxies do not share any subnetworks.

A residential proxy network is a pool of real residential IP addresses that are associated with real internet service providers, which makes them unstoppable.
GRAHAM CLULEY
So the reason why they look exactly like real mobile and desktop devices is because they are real mobile and desktop devices.
CAROLE THERIAULT
Yeah. Okay. I think I'm following. Because I was— yeah, there's a lot of marketing hubbub there.
MARIA VARMAZIS
Yeah, it is. And I was like, that is a very breathless description. And I was reading that I'm going, this sounds like a botnet a little bit. And I'm like, that's— but they're not.

It's not the same thing. But it made me think of that. So bringing it back to Nord and Disney Plus, Derek Johnson is thinking that Nord is using residential proxies.

Now, NordVPN, they don't say anything about that on their website.

They say they use something called SmartPlay technology, which is not a term I've ever heard, and I'm guessing that could be their own branding on residential proxies.
CAROLE THERIAULT
I—
MARIA VARMAZIS
It's not a term that I'm familiar with at all. So in any case, if NordVPN or anyone else is using a residential proxy, how does a VPN get their hands on these IPs?

Because how do you get your hands on some Joe Schmo's IP address? How does that happen?
GRAHAM CLULEY
Right.
MARIA VARMAZIS
So, because it's kind of odd. So there's a number of possibilities. I was doing a little digging and learning on this one.

So one theory is that the VPNs are kind of doing a tit for tat with their users.

So say the US users are routing overseas traffic through their own IPs in exchange for being able to do the same. So if I'll route you, if you route me kind of thing.
CAROLE THERIAULT
Yeah. So a quid pro quo, if you will.
GRAHAM CLULEY
Keeping it topical. Good. Is that what this is all about?
CAROLE THERIAULT
About.
MARIA VARMAZIS
Yeah, it comes back to that every time.
GRAHAM CLULEY
So hang on, so Rudy Giuliani has a NordVPN account and he's letting some guy in Ukraine— I don't, I haven't been following it too closely.
CAROLE THERIAULT
Just go to Wikipedia's conspiracy page.
MARIA VARMAZIS
You're throwing those theories out there rapid fire. Amazing. I'm impressed.

So the idea is you sign up for the VPN and they say, hey, we're going to use your IP address, but this will allow you to use somebody else's.

So this is sort of called colloquially a volunteer channel.

So the idea is that you're telling someone when they sign up, hey, this is what's going to happen with— and we're asking your permission explicitly.

But as long as you sign up for this, then everything's kosher.
CAROLE THERIAULT
Okay. My question is like, what if a guy using my IP address does something a bit yucko, right? That's on my watch, effectively.
MARIA VARMAZIS
That's awfully unfortunate, isn't it?
CAROLE THERIAULT
Yeah.
Unknown
Yeah.
MARIA VARMAZIS
I don't have an answer for you, but that is unfortunate.
GRAHAM CLULEY
Or on the other side, if you are someone who does something naughty on the internet, if you are allowing other people overseas to use your IP address, then that's your get out of jail free potentially, isn't it?

That's your excuse. You could maybe use that argument.
MARIA VARMAZIS
Yeah. I don't know how people would be able to distinguish between the two, 'cause it looks completely just like a legitimate IP. I don't know enough about networking.

So quid pro quo is one option. Second option is that providers, yeah, I'm just throwing that out there.

Providers that already have residential proxy IPs will resell them to others in big batches.

So we don't know how they're getting those IP addresses, but the horses are out of the barn and they're being resold.
GRAHAM CLULEY
Okay.
MARIA VARMAZIS
So there's a bunch of different options here.

Another option, which is kind of a boring option, but realistic, Brian Krebs did a story on residential IPs and proxies a few months ago.

And according to his sources, a bunch of the world's biggest ISPs are more than happy to just sell chunks of their IPs to anyone who asks.

As long as you got the money to pay for them, they'll be like, you want some residential IPs? Here you go.
Unknown
Ah.
MARIA VARMAZIS
That is kind of a boring answer, but if that's the case, then I mean, that seems like a very easy way to do it.

And NordVPN, for example, their website says that they do purchase IPs directly from ISPs. So that's a thing.

You know, I wouldn't have thought that ISPs would want to do that, but I guess if you've got a gazillion IPs, what's a few hundred thousand to sell for some money?

It's like free money. So this is all pretty above board.
CAROLE THERIAULT
But these are all bona fide attached to particular people, right?
MARIA VARMAZIS
They've been assigned by ISPs to be assigned to a resident. So this all is the more aboveboard stuff.

But there are a lot of theories that there are some more malicious things going on with residential proxies as well.

So, for example, there is a security researcher who works at Facebook named Xianghang Mi, and he wrote a paper this year for IEEE on residential proxies.

And I'm going to really, really boil it down and simplify it massively.

And the link I provided for the show notes if people want to read his paper, but one of his data points is that he collected hundreds of thousands, if not millions, of residential IPs that are used by proxy services.

And he was able to identify that about half of the IPs that he could identify clearly belong to IoT devices like web cameras, DVRs, and printers.

So I do wonder how a device volunteers to share its IP. Like, where's that option? Yeah, interesting.
GRAHAM CLULEY
Good point. Yes.
MARIA VARMAZIS
And then in addition, the researcher, Mi, also found that there was a correlation between the presence of potentially unwanted programs or straight-up malware on a user's machine and that machine then serving itself up as a residential proxy.

So it seemed about like 10% of the time, at least, that person who was a residential proxy had no idea that they were. And they had malware that was making them into one.
GRAHAM CLULEY
One, right?
MARIA VARMAZIS
Okay.
GRAHAM CLULEY
Yep.
MARIA VARMAZIS
So that's a much more nefarious thing. So this could be somebody downloaded malware on—
CAROLE THERIAULT
You know, for them, time too, at least. That's huge.
MARIA VARMAZIS
Yeah, and it could be much more than that, and this is just in that one data set. So there are above-board methods of getting these IPs and not so above-board methods.

So back to NordVPN and Derek Johnson's blog post.

So he thinks there's something really nasty happening here, and he's drawing a connection between NordVPN and this other company called Oxylabs, which has a hefty residential proxy network, and nobody really knows how they're getting it, but there's some allegations that it's shifty, and there's also the rumor that the two companies are owned by the same guy.

So the thinking is that if Oxylabs is getting IPs through a nasty way, they're sharing them with Nord, and it's all kind of behind the scenes.

That's the assertion that's happening in that blog post.
CAROLE THERIAULT
Or they might just be buying them deliberately, and there's just a hole in the regulation that allows, you know, and we're all getting screwed.
MARIA VARMAZIS
Yeah, I mean, that's the thing because we have no way of knowing how they're getting these IPs or even if they're doing residential proxies, but it's a good guess.

So yeah, I was thinking it's probably a lot easier to go the more legit route and just buy them.
GRAHAM CLULEY
Yeah, yeah, totally.
MARIA VARMAZIS
So NordVPN also, for the record, they got tweeted at about this blog post and they have denied that anything fishy is going on.

And they say that they either purchase the IPs directly from ISPs, so what we just talked about, or that they get user IPs from people who have, quote, voluntarily downloaded a program that shares their bandwidth and the users are fully aware of the purpose.
GRAHAM CLULEY
Fully aware as in they clicked on the OK button.
MARIA VARMAZIS
Yeah, and I'm sure they didn't read whatever fine print that is, but, you know, they did hit the OK button. So yeah. So I always think that the truth is usually pretty mundane.

I have a feeling they bought the IPs from ISPs. I just don't think it's worth going through the trouble to do something shifty. But who knows?

I mean, I don't have any way of saying that allegation is true.
CAROLE THERIAULT
So yeah, it's just basically there's not enough — you know, the technology companies are way ahead, regulations way behind, and there's a Wild West mentality going on.

Like, if you can get away with it, go for it.
MARIA VARMAZIS
Pretty much.
CAROLE THERIAULT
We're the ones who are going to be paying the price.
GRAHAM CLULEY
So I read the Derek Johnson blog post.

It did feel like he was jumping to a conclusion, perhaps without the smoking gun of proof that NordVPN were doing quite what he suggested, because he does sort of paint a picture that imagine you were downloading an app to your device, for instance, and it was malicious and it was secretly helping NordVPN.

But you sort of think—
MARIA VARMAZIS
We have no way of knowing.
GRAHAM CLULEY
Yeah, exactly. That could have happened, but I didn't feel really comfortable with him making that allegation without something a little bit more serious to back it up.
MARIA VARMAZIS
And some of the ideas and suggestions you've made here seem a little bit more plausible and likely.

Yeah, I think it's very possible, if not likely, that other VPNs are doing the shifty stuff. And in fact, there are plenty of studies out there that show that some VPNs are.

It's just, I don't want to be making that allegation without really having the proof, as you said. But I think just watch the space for residential proxies.

As I said, this is sort of newish to me, but I think a lot of companies are keeping an eye on it.

And certainly I imagine big content providers like Netflix and Disney Plus are keeping an eye on it. I think it's gonna be interesting to see how this continues to develop.
CAROLE THERIAULT
Yeah, and hey, you can be accused, you know, because your name could be associated with an IP that's been slurping up loads of stuff you shouldn't be, when in fact you actually are in the right jurisdiction.
MARIA VARMAZIS
Oh God, let's hope the FBI is listening. Hey FBI, please don't arrest me for something I didn't do because someone else is using my IP address. Oh, that's scary.
GRAHAM CLULEY
Thank you, Maria. Carole, what's your topic for us this week?
CAROLE THERIAULT
Well, we are now going to bop into the music world and see how a crew of nefarious opportunists tried to make a fast buck.

And this might also be a lesson on how not to conduct yourself online. So the music industry, right, Graham?

The world of performance art, producers, recording artists, live shows, festivals.
MARIA VARMAZIS
Graham's in it up to his eyeballs. He knows this stuff well.
GRAHAM CLULEY
Oh, is this because I'm a pianist now? Is that why you're including me?
CAROLE THERIAULT
Well, there's a lot of struggling musicians out there, young and old, right, Graham? Yeah, and the young and the old.

And there is an ocean of moolah at the top, which indeed is probably one of the reasons why the music industry is often targeted by cybercriminals.

But the thing is, is not all cybercriminals are super smart, right? Sometimes some might seem to be knitting with a single needle.
GRAHAM CLULEY
How dare you!
CAROLE THERIAULT
And dare I say if this New York indictment sheet is anything to go by, 27-year-old Mr.

Christian Erazo of Austin, Texas might just be one of these single knitting, single needle knitters. And maybe I'm being harsh. Maybe I'm being harsh. You guys can decide.

So I'm just going to set up the play here. So Erazo and his three chums decide one day in 2016 that they want to make a bit of easy money, right? Bit of easy wedge.

And they must have felt they had some elite skills because they agreed to go after two US-based music management companies, one based in New York and one based in LA.

Now both are unnamed, okay? Now it's weird to me because these guys are based in Austin. Isn't Austin the music capital, blah blah blah?

And yet they target out-of-state producers, which anyway, just me.
GRAHAM CLULEY
But I mean, there are certainly major artists I imagine are being managed from New York and Los Angeles. You're right, there is a vibrant music scene in Austin.
CAROLE THERIAULT
But maybe they're tougher. Maybe you just don't want to piss them off, right.
GRAHAM CLULEY
Right. I don't know. You don't want to shit on your own.
CAROLE THERIAULT
Exactly. It just makes the whole thing a federal level, right? Takes that out of the state and moves it to the Fed level.
GRAHAM CLULEY
Oh, true.
CAROLE THERIAULT
So anyway, these four opportunists managed to get their hands on stolen employee credentials.

And they use these credentials to access the producers, these two in New York and in LA, their cloud storage. And they successfully infiltrate it and snoop around. The plan?

Get some unpublished tunes under their belt.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
So the New York producer attack came up trumps. Oh my God, is that saying now ruined forever?
GRAHAM CLULEY
Uh, came up Trump. Yeah, so smelling bullshit.
CAROLE THERIAULT
So the New York producer attack worked really well for them. And apparently they accessed the cloud storage account more than 2,300 times in several months.

And they ended up stealing more than 50 gigs worth of music, including hundreds of unreleased songs. Is that weird though? You guys are a bit geekier than me.

Is that weird that that didn't raise any suspicions?

So they've stolen some employee credentials, they've added 2,300 searches to the log that would have otherwise not happened, and they've downloaded 50 gigs and no one noticed?
GRAHAM CLULEY
Yes, it's a music management company. They're not like Columbo. They're not keeping a close eye on what's going on on their network, are they?
CAROLE THERIAULT
This is after the Sony hack, which we discussed last week.
GRAHAM CLULEY
Well, yeah, that was Sony Pictures though, wasn't it? But regardless, I think it's probably a fairly relaxed environment when it comes to network security.

It shouldn't be, of course, because there's so much valuable commercial material there. But I would imagine in some cases they're not keeping a close eye on it.
MARIA VARMAZIS
Yeah, guarantee there's a lot of password 123s happening.
GRAHAM CLULEY
Yeah, 123 better than ABC. Oh, that's not the word.
CAROLE THERIAULT
Is it? I don't know.
MARIA VARMAZIS
Is it Hunter 2?
GRAHAM CLULEY
It's Hunter 2.
CAROLE THERIAULT
So these guys have all these tunes, right? Hundreds and hundreds of unreleased tunes, 50 gigs worth of stuff. And what do you do now? Any guesses?
GRAHAM CLULEY
They release them as their own material. They create a fictional band.
CAROLE THERIAULT
How did you get—
GRAHAM CLULEY
Oh, really?
MARIA VARMAZIS
Did they really?
CAROLE THERIAULT
No, of course they didn't.
GRAHAM CLULEY
Oh, I was hoping it'd be some K-pop band just stealing people's songs. No? Okay.
CAROLE THERIAULT
No, these guys contact the victim in New York, right? This is months into their song snarfling situation.

So whilst they're contacting them, they are still actively snarfling music off their systems, right?

So they email the New York producers and they blame another producer called Individual One. Okay, so in the court indictment, they're unnamed. So an unnamed party is blamed.

So they say, look, Individual One was behind all these shenanigans, okay? And Individual One is the guy who accessed your cloud database.

Individual One stole all the tunes, and he's currently selling the stolen tunes for $300 a pop. And the guys are like, whoa. And they're like, yeah, I just wanted to let you know. Right.
MARIA VARMAZIS
Wait, so it's not extortion. It's blackmail.
CAROLE THERIAULT
Well, we don't know.
GRAHAM CLULEY
We're trying to get someone else in trouble from the sound of things.
Unknown
That's—
MARIA VARMAZIS
I was thinking it would be simple extortion. Like, hey, I got all your songs here. I'm going to release them early on the web unless you pay me X to not do it.
GRAHAM CLULEY
Maybe they were too scared to do that and they thought the consequences could be serious.

Whereas if they were to point the finger of blame elsewhere, they could do some damage, but also come out fairly safe.

I mean, maybe it's a rival hacking gang or something like that.
MARIA VARMAZIS
It sounds like a vendetta. Yeah.
CAROLE THERIAULT
Remember when I was talking about the one needle knitting? Needle knitting. It's hard to say. So this is where Erazo really got into his role.

And he called back 10 days later, called back the New York producers and said things like, quote, I'm doing this for the love of the art, the artists, and claimed that he wanted no harm done to the producer, because he was on his side, right?

So Erazo says to them, I'm happy to help you out if you need any of the info or anything I could dig up for you guys, just let me know and I'm more than happy to help you guys out with this.

He even urged the music label to take legal action against the person, Individual 1, and also advised this New York producer about improving their security of their cloud storage account.
GRAHAM CLULEY
Well, it's a way to get an IT security contract, isn't it? Is to hack a company and then come in and say—
CAROLE THERIAULT
And then act like the cool kid.
GRAHAM CLULEY
Hey, I can help you fix all these things.
CAROLE THERIAULT
So in the indictment, there is quote, yeah, and another thing to— okay, so he's not the best writer, right? So I'm going to try and quote this.

In the indictment, he says, "yeah, and another thing to why we are going to you guys is we just hate this fucking person. Bottom line, we aren't even going to beat around the bush.

Bottom line is just, we hate this person, we want—" so they're basically really trying to build a strong rapport of trust between the actual guy who's stealing the songs and the victim.

And the whole thing goes like clockwork, you know, because Erazo feels he has them all duped.

And even a week later, he sends an online message to one of his co-conspirators saying that this is the perf cover-up, which everyone's assuming means perfect.
GRAHAM CLULEY
Oh, that's what it means, right?
MARIA VARMAZIS
Yes. Drop half the words.
CAROLE THERIAULT
Very French.
GRAHAM CLULEY
Oh, fail.
CAROLE THERIAULT
What Erazo did not know—
MARIA VARMAZIS
That would be parf. That would be parf. Say parf.
Unknown
Yes.
CAROLE THERIAULT
Now, what Erazo did not know is that, of course, the New York producers had contacted the authorities days after his initial call 10 days earlier.

So when he was doing all this showing off, he was actually talking to an undercover agent.
GRAHAM CLULEY
Oh, calamity.
CAROLE THERIAULT
Yeah, yeah.
GRAHAM CLULEY
I mean, it wasn't really the police, it was a sting.
MARIA VARMAZIS
Or was it Sting?
CAROLE THERIAULT
It was Sting.
MARIA VARMAZIS
Is he still alive?
CAROLE THERIAULT
Can I just say, probably is after all that tantric sex.
MARIA VARMAZIS
It's just Sting in little blue spandex and a knife, and I will kill him. Anyway, sorry.
CAROLE THERIAULT
What's really interesting for me in the indictment, because I haven't read very many of these in my life, but there's a lot of talk about how he never ever reveals himself during these conversations.

Like, he never goes, "oh, by the way, I know something more, and I have access to the data, and let me give it back to you," or anything like that.

And there's all these big segments kind of saying basically he's constantly trying to distance himself. And that kind of adds weight to the whole case.

He ended up— apparently they found on his computer 850 stolen music files.
MARIA VARMAZIS
Jeez.
CAROLE THERIAULT
And he was charged in a New York court on Monday on three counts.

Charges include one of conspiracy to commit wire fraud, which carries a maximum sentence of 20 years, and one count of conspiracy to commit computer intrusion, which carries a maximum of 5 years.

And he's got aggravated identity theft as well. Minimum of 2 years imprisonment. So basically he's looking at up to 20 years.
GRAHAM CLULEY
So this is this chap Erazo, is it?
MARIA VARMAZIS
Yes.
GRAHAM CLULEY
I bet he wishes he'd erased those files that he downloaded rather than storing them on his hard drive.
CAROLE THERIAULT
I'm not even listening to you. During this hack, he also managed to get the LA producer, an LA producer's Twitter handle.

Well, they didn't say Twitter, they said microblogging and social networking accounts.
MARIA VARMAZIS
With a bird on it.
GRAHAM CLULEY
Yes.
MARIA VARMAZIS
I wonder which one they mean.
CAROLE THERIAULT
Exactly.

And they used this account to send direct private messages to other producers, music artists, saying, "hey, can you send your unreleased songs to this email address?" Which of course was in Erazo's, you know, in his cohort's control.

And in the indictment, there's this part where someone replied, right, to this DM saying, "yo, just got into Manhattan.

I got this exclusive track that didn't make the album, but I'll definitely be a club banger. Want me to send that one over?" So there you go.

So they're hanging out with some real serious musicians here.
GRAHAM CLULEY
Carole, this chap isn't knitting with one needle. He's knitting with a baguette or something. He's a complete loon. What a thing to do. Yeah, well, he did that.

Seriously, the quality of cybercriminal has really gone downhill, hasn't it?
MARIA VARMAZIS
Really? Really?
CAROLE THERIAULT
Has it? Don't you love a win-win situation? Imagine if you could have both enterprise-wide password management with single sign-on. What is single sign-on?

Well, Graham, let me dazzle you. Single sign-on is designed to connect employees to high-priority apps, all without needing the user to log in at every single hurdle.

Now, by combining these two services, our friends at LastPass may have just revolutionized security at the enterprise level. Learn more at lastpass.com/smashing.

You don't need to say the forward slash.
GRAHAM CLULEY
And welcome back, and you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
MARIA VARMAZIS
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. Doesn't have to be security-related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, my pick of the week is a bit security-related this week.
Unknown
What?
MARIA VARMAZIS
Well, doghouse.
GRAHAM CLULEY
My pick of the week this week is a website which you may have seen popping up on Twitter.

People have been amused by it, and I thought maybe some of our listeners would be amused by it as well. It's slightly rude, domain name, so I'm gonna have to be careful.

The website is called whythebeepwasibreached.com. And if you go to why the—
MARIA VARMAZIS
I think it's why the fuck was I breached.
GRAHAM CLULEY
Oh yes, that's correct.
CAROLE THERIAULT
I don't know what his problem is.
MARIA VARMAZIS
Like, it's fuck.
CAROLE THERIAULT
Yeah, it's not hard to say.
GRAHAM CLULEY
If you go to that website, whythefuckwasibreached.com, then you will be given a randomly generated explanation as to why your company was hacked.

And this is very useful if you're in a disaster recovery situation where you are having to put together a press statement or a statement for your customers, and you need to very rapidly explain why you lost all their Social Security numbers, or why your password was password, or the Amazon buckets which you set up wasn't protected by anything like a password or anything like that.

Then this is what you can use. And so, it's quite—
CAROLE THERIAULT
I'm looking at it now, it's quite funny.

For the first one that came up for me, on why the fuck was I breached, says the fucking competition used advanced techniques to force us to release this report.

We have since worked with law enforcement so it can never happen again. And then underneath it says Equifax already fucking used that one.

See, these are taken from real, from real life breaches.
GRAHAM CLULEY
I think not.
MARIA VARMAZIS
No. Can I read you mine? Because it's definitely not. It's, "The fucking hacking activists used nefarious techniques to do something, but we aren't quite sure what it is.

But since we have hired external consultants, it will never happen again."
GRAHAM CLULEY
So the button which says Equifax already fucking used that one, that is if you need another one. So then you click on that to say it's already been used by Equifax.

Though it's not saying Equifax have actually used it.
CAROLE THERIAULT
You know what, it would make colorful language for Equifax. You know, even you can't use it.
GRAHAM CLULEY
It could have distracted attention from their actual data breach, couldn't it, if they had used a quote like that.

So that is whythebeepwasibreached.com, and that is my pick of the week.
MARIA VARMAZIS
Funny, you said fucking throughout the story, but then you bleeped yourself again.
GRAHAM CLULEY
Just saving Crow the effort.
MARIA VARMAZIS
Oh, I see, I see.
CAROLE THERIAULT
Okay, he knows I won't bother.
GRAHAM CLULEY
Maria, what's your pick of the week?
MARIA VARMAZIS
My pick of the week has nothing to do with Equifax. It has everything to do with Richard Nixon.
GRAHAM CLULEY
Yes. Richard Milhous Nixon.
MARIA VARMAZIS
Yes, Richard Nixon.
CAROLE THERIAULT
Yeah, he's a big fan, Graham.
GRAHAM CLULEY
Well, not as much as Roger Stone. I haven't gone that far. I don't have the big tattoo on my ass.
MARIA VARMAZIS
You don't have the tattoo?
Unknown
No.
MARIA VARMAZIS
Shame. No, no, no, no shame.
CAROLE THERIAULT
I wonder if he makes it talk by flexing his muscles.
MARIA VARMAZIS
Let's think about that a little more.
CAROLE THERIAULT
No, let's not.
MARIA VARMAZIS
Let's just think about it. Okay. So I am actually talking about Richard Nixon and deepfakes. Deepfakes. And not Deep Throat, but deepfakes.
CAROLE THERIAULT
Haha.
MARIA VARMAZIS
All right, so yeah, I'm good. It's good.

So MIT researchers used deepfake technology combined with the acting know-how of a Nixon impersonator to bring a famous speech that never happened to life.

So the famous speech that never happened is the one that was written should the Apollo 11 astronauts not return from the moon.

Oh, which I, I don't know if you know, but his speechwriters did prepare that speech should that tragedy happen.
GRAHAM CLULEY
Happen, which is a good thing because it would be a terrible thing to sort of make up off the cuff, wouldn't it?
MARIA VARMAZIS
Right.
GRAHAM CLULEY
Yeah.
MARIA VARMAZIS
And, you know, remembering how it was— and not that I was alive then, but I mean, there was a very good chance that they might not return.

So it was just being prepared for a very sad thing that could happen. So there was— there is a legitimate speech. You can read it. It's easily available.

However, Nixon never recorded a TV version of himself in front of the cameras reading it. But the MIT researchers made that happen.

So they took a video of him, I think his resignation speech actually, plus the actor helping them get the cadence of the speech right, and deepfake technology.

They mashed it all together and you would swear Nixon had prerecorded this and it went live.
CAROLE THERIAULT
But, you know, really, it's that good, eh?
MARIA VARMAZIS
It's super convincing. And so the speech is real, but he never read it. But you would think he did after watching this. So there's a link.

It's, I think, a fascinating story, especially with this year being the 50th anniversary and all that.

I just, I was so, so fascinated by— I had this link as a tab open for weeks knowing I was coming on this show.

I was like, I'm saving it, I'm saving it for this show because I thought it was super cool. So there you go.
CAROLE THERIAULT
Do you know, I think just today I read that China has now banned deepfakes.
MARIA VARMAZIS
Good luck.
GRAHAM CLULEY
Oh yeah, that's the problem, isn't it?
CAROLE THERIAULT
Yeah, no, but it's interesting if it will, because, you know, you don't really want to get nabbed by the Chinese authorities, really.
GRAHAM CLULEY
I suppose even if they can't actually stop it happening, what they can do is wield a great big cricket bat so anyone who does use them will get into serious trouble.

Maybe that's the point.
CAROLE THERIAULT
I'm just looking it up right now to make sure I'm not lying.
MARIA VARMAZIS
I mean, I also have personally banned deepfakes, but you know, that word hasn't gotten out yet.
CAROLE THERIAULT
Yeah, so three days ago, China makes it a criminal offense to publish deepfakes or fake news.
MARIA VARMAZIS
Oh, interesting to see how that'll work out. Interesting.
CAROLE THERIAULT
Yeah.
MARIA VARMAZIS
I have a feeling I'll be hearing that one stateside soon.
GRAHAM CLULEY
Yes. Everyone been told about that? Carole, what's your pick of the week?
CAROLE THERIAULT
Okay. Mine is really a game for you guys. Because, you know, this is radio, and often I'm talking about things that have no sound.

So I thought, actually, why don't we just have a little game? And this all comes from the website Mental Floss, which has a few cool little facts, interesting.

It's a good place to go waste time if you've got five minutes between meetings. So the game we're gonna play is which of these classic toys came first. Ready?
GRAHAM CLULEY
Okay, all right.
CAROLE THERIAULT
Okay. And I don't know the answers. I don't know the answers. Okay.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
Hula hoop or Frisbee?
GRAHAM CLULEY
Oh, I would think hula hoop came first.
MARIA VARMAZIS
I would guess Frisbee. Me too.
CAROLE THERIAULT
It's a lot harder to make a hoop. What would you make it out of? Cane? I'm gonna say Frisbee.
GRAHAM CLULEY
Okay, what's the answer?
MARIA VARMAZIS
Oh, Frisbee!
CAROLE THERIAULT
Okay, next. Barbie or G.I. Joe?
GRAHAM CLULEY
G.I. Joe.
CAROLE THERIAULT
Oh, I thought Barbie. Okay, what do you say?
GRAHAM CLULEY
They're both American. I haven't got a clue.
CAROLE THERIAULT
Oh, because you got one wrong.
GRAHAM CLULEY
Action Man over here. Well, I didn't have Cindy, obviously.
CAROLE THERIAULT
Which came first?
GRAHAM CLULEY
Which came first? Well, I'm gonna say G.I. Joe, because presumably that's Second World War.
CAROLE THERIAULT
No, Barbie. What?
MARIA VARMAZIS
I would not say.
CAROLE THERIAULT
Yeah, Barbie's 1959 debut beat G.I. Joe's march to toy shelves in 1964. So five years between.
GRAHAM CLULEY
Oh my goodness.
MARIA VARMAZIS
Well, I thought for sure G.I. Joe's World War II. I knew Barbie was around the '60s or 1960.
CAROLE THERIAULT
Okay, this is one probably more for Maria. Pound Puppies.
GRAHAM CLULEY
What?
CAROLE THERIAULT
Or My Little Pony.
MARIA VARMAZIS
I have no idea.
GRAHAM CLULEY
I've never heard of that.
CAROLE THERIAULT
You don't remember? I do. That's probably my—
MARIA VARMAZIS
No, I remember both of them, but I never— I only had— okay, My Little Pony.
CAROLE THERIAULT
I'm gonna— yeah, I'm gonna go Pound Puppies. Oh, you're right, My Little Pony. My Little Pony toys were introduced in 1983.
MARIA VARMAZIS
Yeah, I didn't have many toys as a kid.
CAROLE THERIAULT
Plush Pound Puppies were released— oh, they released the next year. I think that counts. Yeah. Okay, last one: Slinky or Silly Putty? Oh.
Unknown
Oh.
GRAHAM CLULEY
Ah, now. I seem to— I've a vague recollection about how the Slinky was created. And it was— I think I'm going to say Slinky. I think Slinky is earlier.
CAROLE THERIAULT
Yep.
GRAHAM CLULEY
I think Slinky is earlier.
CAROLE THERIAULT
Yes. Slinky first tumbled around in 1945. The rubber goop used to make Silly Putty was invented around the same time. It didn't appear until 1949, 1950. There you go.

Anyway, so this is on mentalfloss.com. They have a few little games and interesting facts worth a gander if you're bored. Thank you very much.
GRAHAM CLULEY
Are they stealing our data? This sounds a bit like a Facebook quiz.
CAROLE THERIAULT
Yeah, tell me about it.
MARIA VARMAZIS
Do you have to log in?
CAROLE THERIAULT
No, no, no, of course not. And I'm on a very locked-down browser.
MARIA VARMAZIS
It's asking me to put in my Social Security number. I mean, is that normal? I guess he needs my Social Security number to take this great quiz about toys.
CAROLE THERIAULT
Hmm.
GRAHAM CLULEY
How's Mental Floss making money? What's going on? Is it ad supported? Oh, lovely.
CAROLE THERIAULT
Well, Graham, people have to make money somehow.
GRAHAM CLULEY
Well, yeah, but couldn't they do something decent like install some malware on your computer, which opens up a residential proxy for VPN to use?
CAROLE THERIAULT
That's nice. Bingo, bingo.
GRAHAM CLULEY
And on that smooth move, we've just about wrapped it up for this week. Maria, I'm sure lots of our listeners would love to follow you online.

What's the best way for folks to do that?
MARIA VARMAZIS
Twitter still works. I'm still there. So @MariaVarmazis, I think, is my handle. I think so. Yeah, I'm on Twitter.
GRAHAM CLULEY
Cool. And you can follow us on Twitter as well, @SmashingSecurity, no G. Twitter wouldn't allow us to have a G. And you can also join the discussion on our subreddit.

So if you're on Reddit, go and look up Smashing Security.
CAROLE THERIAULT
High five, wondrous listeners! Thank you for listening, supporting us on Patreon, and giving us shoutouts. It all helps so freaking much.

And thank you once again to this week's Smashing Security sponsor, LastPass. That support helps us give you this show for free. And remember, we've got some other content coming.

Stay tuned.
GRAHAM CLULEY
Until next time, cheerio, bye-bye, bye!
CAROLE THERIAULT
Rachael, hello again. Thank you for joining us. Hello.
RACHAEL STOCKTON
Thank you so much for having me.
CAROLE THERIAULT
I love when you come on, and today I am super excited about this topic because, as you know, this is a topic that I'm not super duper comfortable with, but I am desperate to learn more, and that is biometrics.

So I am hoping you can talk me through what it actually means.
RACHAEL STOCKTON
I think that it's finally the year of biometrics, you know, thank you Apple and Android and all of the consumer technology that's out there.

But I think it's a good time to talk about biometrics and figure out where do you stand, get a sense of what biometrics are and really what are you giving up when you're using, if you're giving up anything when you're using them to give you access to your phone or applications, personal or business.
CAROLE THERIAULT
Okay. So what are biometrics? Let's just take it right back to basics.
RACHAEL STOCKTON
Cool. So biometrics, I think the first things that we think about are things like your fingerprint or your face, you know, Face ID.

There's also another piece that'll be important as part of this conversation. And those are actually called behavioral biometrics.

So, some of you guys might be familiar with things like keystrokes. You know, how do you usually type? You know, how do you usually type on the computer versus on the phone?

Or, you know, your gait. Have you been walking normally over the past amount of time that it makes sense that this is you?

All of those things are really being enabled by different telemetry that's on the phone or on the computer. So, biometrics really break down into two things.

One are the things that really are who you are, and then the other half are things like how you behave.

And it's really the how you are that we're spending a lot of time working on now as we get into, you know, our mobile devices and things along those lines.
CAROLE THERIAULT
Right. So let me just, just to recap, so make sure I'm following you fully.

You've got your kind of almost physical traits, so your fingerprint, your face print, all that stuff that helps identify who you are. And then you've got how you behave.

So that's interesting. So I obviously display certain characteristics when I walk or when I type or when I do anything.

And that is the information you're looking to collect to try and help identify a person. Is that right?
RACHAEL STOCKTON
We're more advanced right now on the physical attributes.

I think it's those behavioral attributes that as we bring in and we use the more, the telemetry on the different devices, processes that are going to enable us to ensure that those physical attributes maintain.

They almost become a second factor.
CAROLE THERIAULT
But I've always thought of biometrics in more of the what elements I have, fingerprints, who I am.

I've not thought about it in terms of behavior, because where I'm uncomfortable with biometrics is the idea that we only have one set of prints or, you know, one face.

And while there are companies that you trust to manage that data very carefully, there's going to be a time when companies that are maybe less trustworthy can also get access to that information.

And what then? Or what if someone gets breached? And then, you know, you can't change your face.
RACHAEL STOCKTON
No, or at least without costing a lot of money.
CAROLE THERIAULT
Yeah.
RACHAEL STOCKTON
No, it's true. Everybody's just being their best selves.
CAROLE THERIAULT
But this idea of behavioral biometrics is somehow not as invasive because behavior you can change, or is this behavior so deeply ingrained?

Is that the idea that it is very difficult to fake?
RACHAEL STOCKTON
Well, I think that, you know, it is something that is how you behave. And so to change it consistently, it's changing any habit.

You have to walk differently, you have to type differently.

And I think that's one thing that really understanding those patterns makes it even harder for people to be able to leverage biometrics.

I think our perspective would be these wouldn't be the only sources for biometric data, but really they'd be additional sources with the physical elements as well.
CAROLE THERIAULT
Right. Okay. Because I was going to ask, my next question was going to be, so what happens if I hurt my hand? In fact, I recently had tendonitis in my index.

I couldn't use my index finger at all for two months, which makes typing quite difficult, turns out. And I am sure that my typing pattern changed dramatically during that period.

So if you were just relying on that, that would be a big problem because you'd be like, this isn't Carole.
RACHAEL STOCKTON
Exactly. Broken ankle. Yeah, any of those things. And I think that's one of the other elements.

In the end, I'm not sure biometrics in and of itself as a single point is going to be everything that you need for accessing all applications.

It is part of a multiple-factor authentication.

And so it could be that you're using your face, but behind the scenes you're using some other kinds of sort of behavioral-based or adaptive authentication location and things along those lines.

Or you might even be still, you know, be logging into something that you have, so you're using your fingerprint on a phone, so they know that you have the device.

So you're still using the concept of multifactor authentication, ensuring that you can get that access. But in doing it in a secure way.
CAROLE THERIAULT
You know, putting my cybersecurity hat on, I can see why this is so sexy to so many companies because, you know, fraud and fake identities are a big problem for lots of companies.

Everyone would like to eradicate the problem. And the best way, I guess, to do that is to ensure that the user is indeed the user.

And being able to use hundreds of different data points across those three elements, so what you are, what you have, and what was the other one?
RACHAEL STOCKTON
What you know, what you have, and who you are. Those are the three different pieces there.
CAROLE THERIAULT
So that's the idea behind it, being able to use data from those three areas, build you a very reliable authentication service.
RACHAEL STOCKTON
There is this creepiness factor. I'll admit it.

And I was reading the latest Gartner report on biometrics, and Alan even calls it out as creepiness, which I got a huge kick out of just seeing it.

The section is literally labeled creepiness. So look, let's acknowledge it.

There is something odd about being able to be recognized so quickly, so easily, and, you know, using your fingerprint for that or your face.

But also when you look out there, people are ready for it. There's a report that recently came out, 70% of consumers want to expand their use of biometrics.

And in prepping for this podcast, we did a Twitter poll to our LastPass users.
MARIA VARMAZIS
Oh, cool.
GRAHAM CLULEY
Yeah.
Unknown
So we asked a couple of questions. First, just a poll asking about, hey, you know, how many of you are using Face ID or Touch to log into applications?

And we found that 60% of them are using it to log into some apps, 22% all apps, and then the remainder, 18%, aren't using it yet.

So that's 82% of people who are using biometrics in some way in every part of their life.
CAROLE THERIAULT
And do you think that's because it's so convenient as well and it's so fast?
Unknown
Oh, definitely. I mean, I think when you look at it, there are probably three things. One is speed. I mean, you can just get into things much faster.

So your phone, your computer, your apps, but also just you don't have to think about the password anymore. Literally, you just don't have to worry about it.

And that takes a huge weight off your shoulders.

And then for some, even just on the end user level, there is a concept where it is more secure because if somebody does have my password, then they can't use it.

I mean, they have to take my finger to get this.
CAROLE THERIAULT
If they're that determined.
MARIA VARMAZIS
Yeah.
CAROLE THERIAULT
I'm going to fight for my finger, I think.
MARIA VARMAZIS
Yeah.
Unknown
Biometric data has to be protected. And there are a lot of different ways to do it, and companies are doing it.

You know, keeping it on the phone in a separate piece of hardware, like a SIM card, separate SIM card, or a separate trusted computing module.

Keeping it centralized, it's always encrypted if it's, you know, either place, you know, distributing it between a phone and a central place.

I mean, it has to be, it definitely has to be secure.

But when a business is evaluating, sort of just focusing on staying with passwords or with biometrics, I do think it's important to realize that when data is stolen, it is much easier for people to be able to take a password and then replay that.

You know, for biometrics, if you're able to get through it, if you're able to reconstruct it, you know, it isn't about then typing in the password.

There are a lot of different things you need to be able to do to use that. So as we talked about before, security isn't black and white.

Security is just getting better, more secure, tightening that. And I think that's what biometrics does, is it makes things more secure.

It tightens and eliminates sort of the attack surface even more than you would if you were just using passwords.
CAROLE THERIAULT
Yes. And also biometric, as you say, is on a technological journey as well, because two years ago you were hearing about facial recognition going wrong.

But that's not a problem that we're seeing a lot today. That's not hitting the headlines on a regular basis, is it?
Unknown
No, it isn't. And there's never going to be zero.
CAROLE THERIAULT
There's always glitches.
Unknown
Yeah, there will be glitches. And that's why things like behavioral biometrics are coming up; they can really provide that sort of backup for the physical too.

So ensuring that as you're working, you are who you say you are as well. And I think it is interesting to think about where is biometrics going?

Where could they even be going with the— I mean, they've made huge leaps in acceptance over the past few years.

I mean, 10 years from now, are we talking about embeddable, embedded hardware devices in parts of us?

You know, where they're using our heartbeat or any of those real deep physical factors to be able to say who we say we are.
CAROLE THERIAULT
It's interesting and scary though. See, it is creepy.
Unknown
It is creepy. And you know what, I'd say it's Blade Runner, except did you already see that we're already past the date where Blade Runner was set? So we are living in the future.
CAROLE THERIAULT
Yeah, yeah, yeah. Blade Runner future.
Unknown
Uh-huh.
CAROLE THERIAULT
God, I just wish I looked like Daryl Hannah.
Unknown
It could do those cartwheels.
CAROLE THERIAULT
What else did you ask on your polls? What else did you hear from your Twitter users?
Unknown
So it was interesting. So they gave some feedback when we were just asking what do they think about biometrics? And it was pretty positive.

Some people were saying I really can't wait until this happens, bring it on. A Twitter follower was mentioning that they specifically see it as a complementary means.

So they're looking at it as one of multiple factors.

And it's interesting, one follower, Super Mario, was saying that he thinks that you have to be careful because you can be sleeping and your fingerprints are still available and suggested that we put in, or that vendors make sure— I think he said Apple does this, which I did not know— that your biometrics can only be available for a certain amount of time.

So only when I'm awake, because you don't want a certain somebody using your fingerprint to get into your phone when you don't want them to.
CAROLE THERIAULT
I haven't even thought of that. And that is a really, really good point.
Unknown
But see, that's the thing. The more it gets out there, the more different ideas and challenges are going to be coming and moving forward too.
MARIA VARMAZIS
Right.
Unknown
And it isn't that those should be seen as blockers. I think it's how do we solve for them?
CAROLE THERIAULT
It's almost slaloming down a ski hill. You have to pay attention to these things and not barrel over them, but actually be graceful and go around the mogul.
MARIA VARMAZIS
Yeah.
Unknown
And one of the users, I'll say Emmett, Emmett S., he put this awesome video up of a hedgehog gaining access to an early Apple phone with their handprint.

So you know, I think we're far past that right now.

But I think that's still what some people are thinking about where you can put your pet in and they'll know it's you or they'll mistake you for you.

But I do think we've improved far past that yet, but it definitely gave me a chuckle. So thank you, Emmett.
CAROLE THERIAULT
So once again, if I'm summing this up correctly, it's a little bit of the kind of push me, pull you between privacy and security.

And behavioral biometrics, and indeed biometrics, offer an extra layer of security, which is something a lot of us are in dire need of because, you know, it's daily that we read of huge breaches.
Unknown
I think that's true. There's one other point I want to make. We've talked a lot about user acceptance in our past conversations.
CAROLE THERIAULT
Yeah.
Unknown
About how it's great if you have security, but it doesn't really matter if your users aren't going to use it, or use it poorly, or complain about it the whole time.

And I think that this is a time when you really look at generations and you see how people are growing up with technology.

And there's a desire to have more biometrics, to have this ease.

And so I think it's up to us as companies and it's up to, you know, our business customers to figure out how do we make that as easy as possible for the employees or even your customers.

Because if they want it and it ends up being more secure, we should figure out how we deliver it.

You know, there are a lot of great companies out there who are putting together some amazing things to help underpin, you know, the infrastructure for biometrics.
MARIA VARMAZIS
Hallelujah.
Unknown
Yeah.

And so, you know, I'm sure we'll be leveraging a lot of those different standards, but also trying to work with other companies to make sure that we can bring the best solutions forward.
CAROLE THERIAULT
Rachael, anything else to add?
Unknown
No, that's great. Thank you so much.
CAROLE THERIAULT
Well, all I have to say now is happy Christmas.
Unknown
Happy Christmas.
CAROLE THERIAULT
Or Merry Christmas.
Unknown
You can say happy Christmas. I'm bilingual. Can you say Christmas, or do people say Happy holidays? No, you can—
CAROLE THERIAULT
We—
Unknown
I say both.
CAROLE THERIAULT
Merry winter.
MARIA VARMAZIS
Merry—
Unknown
And now we're gonna disagree.
GRAHAM CLULEY
Bye.
CAROLE THERIAULT
I wonder how long you can do that for.
MARIA VARMAZIS
Probably not so much because I have a cold right now, but on a normal occasion—
CAROLE THERIAULT
Bye bye. I bet you're a good singer, Maria.
MARIA VARMAZIS
I am.
CAROLE THERIAULT
You got a good key.
MARIA VARMAZIS
Yeah, I can tell. I am.
CAROLE THERIAULT
Yeah, yeah, I'm a good singer.
MARIA VARMAZIS
Yeah, I'm okay. I'm all right. Yeah, you're great.
CAROLE THERIAULT
You're a really good singer. What is that?
MARIA VARMAZIS
Is there a fly in the room?
CAROLE THERIAULT
Oh my gosh, did we get it?
MARIA VARMAZIS
Did we kill it? Is it dead?
CAROLE THERIAULT
Still recording.
GRAHAM CLULEY
Oh, I'm gonna hit stop.

Hosts: Graham Cluley, Carole Theriault

Guest: Maria Varmazis

Show notes:

Sponsor: LastPass

LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.

But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.

Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
