Smashing Security podcast #166: What the Dickens! Ad ban thank you scam

Graham Cluley


How to stop dick pics on Twitter, and a new way bad guys are extorting money from websites earning cash from Google ads.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
It's rather like the real thing. It may take a while to really get up to full force. And so—
CAROLE THERIAULT
I think that's an age-related issue. I don't think everyone experiences that.
Unknown
Smashing Security, Episode 166: What the Dickens?
CAROLE THERIAULT
Ad ban?
Unknown
Thank you, scam. With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 166. 166. My name is Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
Hi, Carole. How's it going?
CAROLE THERIAULT
Fine. I feel I've talked to you a lot of times this week already.
GRAHAM CLULEY
Well, yes, because we recorded our special bonus Patreon episode, didn't we?
CAROLE THERIAULT
We did.
GRAHAM CLULEY
Smashing Security After Dark.
CAROLE THERIAULT
Yeah, we put it out last night. I'd love to hear what people think about it. Did you see any comments yet?
GRAHAM CLULEY
Yes, yes. One guy says, "This is why I signed up for Patreon in the first place." He's very happy.

And someone else wants to go on a sort of uber platinum gold tier in order to find out what particular name I said, which was thankfully bleeped out for maybe libel reasons.
CAROLE THERIAULT
Thank God for censoring, eh? Sometimes it's a gem.
GRAHAM CLULEY
But anyway, what we should do is we should chuck at the end of this podcast a bit, a snippet.

I mean, that Patreon bonus, it's about 40 minutes long, so we won't put all of that up, but maybe we could put up a couple of minutes of it at the end of the show.
CAROLE THERIAULT
Yep, deal.
GRAHAM CLULEY
And tempt people to become Patreon supporters at patreon.com/smashingsecurity.
CAROLE THERIAULT
Okay, enough advertising.
GRAHAM CLULEY
Oh, okay, yeah, right. What's coming up on today's show then?
CAROLE THERIAULT
Well, first, thanks to this week's sponsors, LastPass and DomainTools. Their support helps us give you this show for free.

Now, Graham is gonna tell us about a new content filter for Twitter, and I walk us through an unusually sneaky scam all geared towards stealing your moolah.

All this and oodles more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chum, chum, we have—
CAROLE THERIAULT
You could just say, hey, Carole.
GRAHAM CLULEY
Yeah, hey, Carole. We haven't got a guest this week. It just feels wrong not saying chum or chaps even. I still would rather say chaps, but—
CAROLE THERIAULT
Yeah, well, I don't have a dick.
GRAHAM CLULEY
Okay, so, well, oh, interesting.

Well, funny you should say that because it was in August '29, a developer going by the name of Kelsey Bressler, she had a rude awakening, poor thing.

As she described on Twitter, she woke up to an unsolicited dick pic in her direct messages.
CAROLE THERIAULT
Okay, I'm glad it was in her direct messages. Right. And I'm glad it was a pic. Okay.
GRAHAM CLULEY
Not really the kind of thing that you want.
CAROLE THERIAULT
First thing in the morning?
GRAHAM CLULEY
No. And apparently the way the conversation went is that they said, "Hey." She didn't reply. And then they said, "Why don't you talk to me?"
CAROLE THERIAULT
Can I interrupt? You're a guy.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Why do guys want to send dick pics? Can you explain it to me?
GRAHAM CLULEY
Well—
CAROLE THERIAULT
No, no, I really don't understand.
GRAHAM CLULEY
The only reason I could fathom that you could possibly want to send a photo of your penis to somebody is if you had some kind of urgent medical ailment.
CAROLE THERIAULT
Oh, your cooter issue. Did you do it then?
GRAHAM CLULEY
So if there was some medical emergency, you might want to do it.

I can't really imagine why else, unless someone was very, very insistent, that you would ever want to do such a thing. Anyway, she wasn't—
CAROLE THERIAULT
It just seems there's a lot of guys that do it.
GRAHAM CLULEY
Sure. Well, is that in your experience or what?
CAROLE THERIAULT
Carry on with your story. Come on, you're digressing. Okay.
GRAHAM CLULEY
She wasn't entirely sure how she should respond. And some of her Twitter followers, they suggested responses like, "Oh, that looks just like a penis, only smaller." Or—
CAROLE THERIAULT
Right, making it personal. Nice.
GRAHAM CLULEY
Or, "Not sure if that's a dick pic or a thumbs up that you're giving me there." Sorry, I don't smoke. So I thought that was— But anyway, Kelsey, she's a smarty pants developer.

So rather than just reporting the user to the Twitter police for sending offensive pictures of his skinny chipolata to her, she instead rolled up her sleeves and wrote some code.

And on Valentine's Day just gone, appropriately enough, she unleashed what will probably be her lifetime's greatest achievement. It is—
CAROLE THERIAULT
I'm listening.
GRAHAM CLULEY
A Twitter filter for dick pics.
CAROLE THERIAULT
Hallelujah! What's her name again?
GRAHAM CLULEY
Kelsey Bressler.
CAROLE THERIAULT
Kelsey Bressler, she's the girl of the day, isn't she?
GRAHAM CLULEY
There you are. It is called SafeDM for direct messaging.
CAROLE THERIAULT
Let me take a note. I'm just writing that down.
GRAHAM CLULEY
Right. safedm.com is the place where you want to go. You can find out all about it. DMs are direct messages, of course.

And there's this whole thing about slipping into your DMs, isn't there?

It's like when someone is chatting to you publicly on social media, but then they go into your direct messages because they're going to get a little bit down and dirty and a bit personal.

And maybe send you a photograph of their penis. Now, SafeDM is a free service that can block unsolicited nude photographs.

Specifically, Kelsey has requested that Twitter users forward to her their dick pics. She set up a special account called Show Yo Deek.

So that's S-H-O-W for show and then yo as in yo. And Deek.
CAROLE THERIAULT
That's a street.
GRAHAM CLULEY
Deek as in D-I-Q. So, show yo Deek. Make sure, please, you spell it correctly. You don't want to send it to the wrong person. You'll get into awful trouble.

So, if it is a photo which you are authorised to send, and if you're over 18, obviously, and it's all legal.
CAROLE THERIAULT
Okay, I double love her now. Not only has she developed the service, but she's basically saying, hey guys, you need a channel, you need a vector for this dick energy.
GRAHAM CLULEY
You need somewhere to put your dicks.
CAROLE THERIAULT
Yeah, you can keep your dick pics here. Love it. Send nudes for science.
GRAHAM CLULEY
Now, if you send them to that address via DM, not as a public Twitter message, obviously, they will be fed into Kelsey's system, which is basically an artificial intelligence system which is learning all about penis photographs.
CAROLE THERIAULT
Are you sure she's not just taking the Twitter handle and blocking it?
GRAHAM CLULEY
Well—
CAROLE THERIAULT
Because that's what I'd do.
GRAHAM CLULEY
Well, no, I don't think this is purely for men to send in pictures of their own dicks.

It may be that if you're a woman who has received a dick pic and you would like the filter to improve, maybe it's one that slid past the filter.
CAROLE THERIAULT
You could forward it over.
GRAHAM CLULEY
Forward it over to her system where it will learn.
CAROLE THERIAULT
Bounce your dick over there.
GRAHAM CLULEY
About the characteristics of a particular penis. And then we'll block it in future. So it's adding to the knowledge, right?
CAROLE THERIAULT
Do you think there'll ever be a Google, what are they called? You know, to verify that you're human. It'll be like, click on all the dicks.
GRAHAM CLULEY
Oh, well, there was something like that. Do you remember?

I think in a past episode, David McClelland, in one of his early guest spots with us, he talked about a porn website, which was asking you to verify—
CAROLE THERIAULT
Oh yeah, verify your age or something.
GRAHAM CLULEY
Or verify you were male or something by taking a photograph of your penis.
CAROLE THERIAULT
I think it was age.
GRAHAM CLULEY
Was it age? Oh my word. Anyway.
CAROLE THERIAULT
Just to make sure you're old enough to be on the saucy sites.
GRAHAM CLULEY
Or if you've all got grey hairs, maybe, you know.
CAROLE THERIAULT
Yeah, yeah. Grey pubes. That could be in our title, grape juice.
GRAHAM CLULEY
Anyway.
CAROLE THERIAULT
Anyway.
GRAHAM CLULEY
Okay. So, so far over 4,000 dick pics have been sent into the system. And Kelsey reckons that her filter blocks up to 99% of the penis photos.

So this is how it works, Carole, because you may want to put this in place in case you—
CAROLE THERIAULT
Oh yeah, I have a serious problem with this.
GRAHAM CLULEY
Right. Now we've been talking about it on the podcast, maybe we'll start receiving these ourselves.
CAROLE THERIAULT
Do you think it's also picture of men that act like dicks as well? Do you think she can move that into the next version?
GRAHAM CLULEY
She has specifically asked that the pictures don't include people's faces or any identifying information.

You can send in tattooed penises, which of course might have your Social Security number on it.
CAROLE THERIAULT
What about with a Prince Albert?
GRAHAM CLULEY
Oh, well, anyway, this is how the filter works. Let's move on. This is how the filter works. Imagine, Carole, you sent me a picture of a penis. Via Twitter, via Twitter direct message.
CAROLE THERIAULT
As I often do. Okay, yeah.
GRAHAM CLULEY
So what SafeDM would do is it would look at my direct messages, spot what it believes to be a dick pic, delete it so I can no longer see it, but send a message back to you, the sender, and you can even optionally block them.
CAROLE THERIAULT
What if someone has wiry hair and a really long face? She could get sued. I hope she's got good liability insurance in place.
GRAHAM CLULEY
Well, there are a few problems, right? One problem is that the filter takes— well, it takes a few minutes to rev up. So it won't necessarily—
CAROLE THERIAULT
So if you get a flood of cockshots, right?
GRAHAM CLULEY
It's rather like the real thing. It may take a while to really get up to full force. And so—
CAROLE THERIAULT
I think that's an age-related issue. I don't think everyone experiences that.
GRAHAM CLULEY
So it might be that if you're very quick on the Twitters and you see, oh, I've got a message, and you go and look at it, it'll be there.

Whereas if you were to wait a couple of minutes, it may have by then got round to actually analyzing it.
CAROLE THERIAULT
Okay, so Twitter addicts are screwed.
GRAHAM CLULEY
Yes, potentially.

Now, I haven't tested this service myself because I don't tend to receive dick pictures, although actually now I think about it, I have once received a photo of someone's dick.

I was giving a speech at the Excel Center in London. It was the biggest speech I've ever got. It was for Microsoft Future Decoded. There were thousands and thousands.

It was like a rock stage, right?
CAROLE THERIAULT
Right, yeah. And that's exactly what I associate Microsoft with, yeah.
GRAHAM CLULEY
Oh, well, it was a huge event, right?
CAROLE THERIAULT
It's like a Zeppelin event, right?
GRAHAM CLULEY
And, oh my goodness, it was like being at a Madonna concert. All they got to see was me instead.

So I went on and I did my thing and I gave my talk and coming off the stage, I thought, oh, I wonder what the response was from all those geeks in the audience, right?

And I got people telling me, hey, your shoelaces are undone or something, right? So there were sort of personal comments.

And one person in the audience actually just sent me a picture of their penis.
CAROLE THERIAULT
Of a penis.
GRAHAM CLULEY
Well, yes. I don't know.
CAROLE THERIAULT
I don't know if he signed it.
GRAHAM CLULEY
I didn't verify. Right. Or whether he took it there in the audience.
CAROLE THERIAULT
Spot the difference.
GRAHAM CLULEY
He was so bored. But yeah, so I did— that wasn't very pleasant, actually, I have to say. And I do feel for the people who might receive them more regularly than me.

Now, although I haven't tested it, the marvellous chaps at BuzzFeed did. Okay.

They went on to Wikipedia, where there are some penis photographs, and they fed them into the system to see if they'd be blocked. They also went to a Reddit channel.

There is a Reddit channel called Worldie Penis, where apparently there's lots of very varied penises, flaccid tattoos, ones wearing overalls, you name it, they are up there.

And so, and they fed them into the system. So they tried it to see how well it would actually block the messages.

Now, Carole, I wanted, I thought it might be fun to share some of these photos with you. Well, I'm going to do that right now.

So I'm going to just chuck some in the document right now, which we're sharing. So I'm just pasting one in now. Oops, Daisy, let's do it like this.
CAROLE THERIAULT
Yeah, I'm not looking.
GRAHAM CLULEY
No, do look. They're all safe.
CAROLE THERIAULT
Oh, do I have to?
GRAHAM CLULEY
So, yep. So you will see it there.
CAROLE THERIAULT
The most famous penis of them all.
GRAHAM CLULEY
So that's Michelangelo's David, the statue.
CAROLE THERIAULT
They're prettier in stone.
GRAHAM CLULEY
So yes, they are, aren't they? So that one was detected. There's another one I've just put in below there. That isn't a penis. It'd be very unfortunate if it was. That is a lipstick.
CAROLE THERIAULT
Wow. Okay.
GRAHAM CLULEY
Okay. This is as nature truly intended, which astonishingly is not a penis.
CAROLE THERIAULT
Whoa.
GRAHAM CLULEY
Yeah, that is a plant.
CAROLE THERIAULT
Called the penis plant?
GRAHAM CLULEY
I don't know what it's called.
CAROLE THERIAULT
I think a lot of men would be envious of that plant.
GRAHAM CLULEY
I dread to Google it, to be honest. Yeah, I know it's quite—
CAROLE THERIAULT
Majestic.
GRAHAM CLULEY
Yes, exactly. And finally, finally, here's one which it didn't stop, which it allowed through. Here we have a statue of what appears to be a monk giving a young boy a loaf of bread.
CAROLE THERIAULT
Oh my God. Okay. You're going to have to put these pictures up on the website, aren't you?
GRAHAM CLULEY
I think what I'll do is I'll link to the BuzzFeed article so people can check these pictures out for themselves.
CAROLE THERIAULT
Brilliant.
GRAHAM CLULEY
But the one of the statue is quite wonderful. So now it doesn't just block penises, apparently it will also block la vagine as well.
CAROLE THERIAULT
Oh, la vagine.
GRAHAM CLULEY
Yes. So ladies, your lady gardens, they may well be barred.
CAROLE THERIAULT
Keep them off Twitter.
GRAHAM CLULEY
I don't know that people— do girls do that kind of thing?
CAROLE THERIAULT
Not the ones in my echo chamber.
GRAHAM CLULEY
Right. Okay. Yeah. Back doors also, they are unwelcome as well. They can also be spotted.
CAROLE THERIAULT
Oh my goodness. Smutty.
GRAHAM CLULEY
It is, and I would like to apologise.
CAROLE THERIAULT
But she's trying to stop the smut, so yay her. Exactly, exactly.
GRAHAM CLULEY
Now, it's not all good news. Stop thinking that this is all fantastic, because of course there are dangers associated with this, right?

In order to get this to work, you have to authorize the SafeDM app to link in with your Twitter account.
CAROLE THERIAULT
Exactly.
GRAHAM CLULEY
And I'm sure it's been written well and competently, but you do have to give it a huge amount of access to your account to do its work, such as the ability to view pics and block users, right?

That's what it's meant to do. And the developers are aware that it's actually got much more power than that because unfortunately, Twitter doesn't offer much granularity, right?
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
It doesn't allow you to say, "Oh, this third-party app, it can access my DMs and block people, but it can't follow accounts or it can't update my profile or it can't post and delete public tweets." So you have to give it access to everything.
CAROLE THERIAULT
This is a big problem for lots of plugins and security startup companies because in order for them to monitor, they need to get access to a lower level to be able to kind of stop stuff from happening.

But the problem is you have to give them permissions to do that. And in some cases, I mean, it's really, it's a jungle out there for people because do you go by reputation?

Do you go because it's a really great idea?
GRAHAM CLULEY
And who's to say at one point, I mean, I'm sure Kelsey's put in lots of work and I think she's honorable in what she's doing. But what if she were hacked?

Or what if this tool were compromised in some way?
CAROLE THERIAULT
There'd be dick pics everywhere.
GRAHAM CLULEY
Well—
CAROLE THERIAULT
It'd be the reverse of what she wanted.
GRAHAM CLULEY
Well, potentially, yes, they could start multiplying.
CAROLE THERIAULT
Exponentially, ha!
GRAHAM CLULEY
Just imagine, yeah, well, think of the curve. It would be horrendous. So be a little bit careful about installing things like this.

There's nothing wrong with it as far as we can see at the moment. But if you are suffering a great deal from this sort of deluge of... what's French for penis, Carole?
CAROLE THERIAULT
It's the same, Graham.
GRAHAM CLULEY
Is it really?
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
That's a bit disappointing. They don't put an E on the end or anything?
CAROLE THERIAULT
No, they have an accent.
GRAHAM CLULEY
Oh, they have, does it, where?
CAROLE THERIAULT
What if the E?
GRAHAM CLULEY
Does it? Penis. What, is that how you say it? Oh, extraordinary.
CAROLE THERIAULT
Anyway. Graham, are you basically trying to get our listeners to send in dick pics to this woman to test her service? Is that what you're doing?

Are you doing a public service ad here?
GRAHAM CLULEY
Well, I think it's entirely up to people whether they want to send pictures of their penises, flaccid or otherwise, to this artificial intelligence system.

Personally, it's not something I'm racing to do myself. I feel if she has 4,000 penis pictures—
CAROLE THERIAULT
You're a busy man, you don't drink coffee, you don't have time for dick pics.
GRAHAM CLULEY
I think it's probably already been covered to a large extent, I think.

Looking forward, looking to the future, there's no reason why this kind of tech couldn't, of course, be integrated into other systems.

And maybe the likes of Facebook and Instagram and Twitter should begin to do something like this themselves rather than leave it to third parties.
CAROLE THERIAULT
Well, it often starts with, you know, good ideas often start with third parties, and then the big guys just hoover it up, steal it, and say it's their own.
GRAHAM CLULEY
Yep, that's true. That's often the way it is.
CAROLE THERIAULT
That's what you want.
GRAHAM CLULEY
I think more power to Kelsey's elbow. I think fantastic that she's been doing all this work and hopefully it will protect some people.

But just be aware, it does sort of open the doors to all kinds of dodgy behavior going forward.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
There is safedm.com and read more about BuzzFeed's experiment because it's quite a—
CAROLE THERIAULT
Cock-free Twitter, here we come.
GRAHAM CLULEY
So Carole, what's your story for us this week?
CAROLE THERIAULT
Okay, I'm going to have this wacky scenario for you.

But imagine for a second that all the scams out there, you know, phishing scams and ransomware and poisoned ads, they're all milling about at a party, right?

Schmoozing and chit-chatting away, right? You've got the old Nigerian 419 scammers bored in the corner because no one falls for them anymore.

The romance scammers are frustrated at being turned down left, right and centre.
GRAHAM CLULEY
Who's in the kitchen discussing house prices? That's what I want to know.
CAROLE THERIAULT
When in walks this little sneaky number and all heads turn like, who the hell is that?

Now, I'd like to tell you it's called blah, but it's so new, I don't think the scam's been named. So maybe we can come up with a name together.

So listeners, Graham, thinking caps on.
GRAHAM CLULEY
Yo, describe it. Let's see what we come up with.
CAROLE THERIAULT
Yeah, right. So it all starts with an email. And this was an email that was sent to Brian Krebs by one of his readers. Krebs didn't name him, but we will. We'll call him Frankie.

Now, Frankie apparently maintains a few high-traffic sites, and Frankie serves ads through the Google AdSense program. Right now, a few quick facts on Google AdSense.

Its program was launched in 2003. Today it serves almost 11 million websites. And in 2018, 734,000 publishers were removed from AdSense as part of their quality control measures.

Okay, so just keep that in your back pocket.
GRAHAM CLULEY
So these might be scammers, for instance, or people who are promoting dodgy things via the ads and they're just trying to clean up the network.
CAROLE THERIAULT
Exactly.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
So now let's get back to Frankie, the website guy, Webby Frankie.

Now Frankie gets an email from persons unknown and the email says that they plan to flood Frankie's Google ads with trash traffic.

Now you might be thinking, why would this be a problem? Surely this is a big kerching moment, right? Every ad click generates some money for the site owner, right?

But no, the scammers promise that the flood of traffic will be direct bot-generated web traffic with 100% bounce ratio and thousands of IPs in rotation.

And this is where the Webby Frankies of this world might start to get a little sweaty under the collar. Because they get the scam now, right?

The game plan is to ruin Frankie's Google AdSense account, effectively killing his moneymaker.
GRAHAM CLULEY
Because Google would detect that kind of behaviour and they'd think, oh, it's Frankie trying to make his ad look really popular, or someone's making money by sending lots of traffic to that site, or?
CAROLE THERIAULT
Basically, Frankie's sitting there, gets this email. The email basically says, you know, look, we are going to be throwing all this traffic towards you, right?

It's not going to be good traffic. And by flooding your sites with shitty traffic, Google algorithms are going to smell something fishy.

And Google is going to fire you a warning shot, sending you this notice. They say, it says, "ad serving on your content is currently being limited due to invalid traffic concerns.

We'll automatically review and update this limit as we continue to monitor your traffic." But of course, the scammers don't stop, right?

They continue to hammer Frankie's sites with bogus clicks. So Google then temporarily suspends Frankie's account and all the revenue is refunded to the advertisers.
GRAHAM CLULEY
Oh, so Frankie ends up with empty pockets.
CAROLE THERIAULT
Yes. And then the scammers say, sure, Frankie, you can lobby Google to get the ban lifted, but this usually takes about a month.

They promise that if Frankie manages it, they'll simply just retarget him and hit his ads again with a glut of shitty links.

And this, of course, could lead to a permanent ban, leaving Frankie as a statistic like the one I read out earlier.
GRAHAM CLULEY
Gotcha.
CAROLE THERIAULT
Of course, there is an out. All Frankie has to do is pay $5,000 in bitcoin and the problem goes poof.
GRAHAM CLULEY
Oh.

It is interesting because, I mean, over the years we have seen ad click malware and ad fraud, which has generated sort of bogus traffic to ads in order for someone ultimately to make some money by making their ads appear more popular.

And in a way, they're sort of using the same technique. But this is really crafty, the idea of getting them kicked off Google. Because for many people, Google is it, right?

If you aren't making it, it's like you'd have to find another advertising network.

But of course, there's no reason why another advertising network, if you decided not to use Google Ads, many people do, of course.
CAROLE THERIAULT
Well, Brian Krebs being Brian Krebs got in touch with Google.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
And Google declined to discuss this reader's account, but said that this looked like it was only planning an attack.

So they say, quote, "we hear a lot about the potential for sabotage. It's extremely rare in practice. And we have built some safeguards in place to prevent sabotage from succeeding."
GRAHAM CLULEY
How does that tell the difference between a blackmailer doing it, an extortionist doing it, and someone who's—
CAROLE THERIAULT
So I was thinking about this, and I don't know if Google actually will really care because it's not going to happen to a ginormous percentage of its holders.

And indeed, it makes a huge amount of cash out of this and has tons and tons of users. So if they have to lose 5%, who cares?
GRAHAM CLULEY
So well done on Frankie for going public and revealing this to the world. Maybe we need more people if they have received similar threats.
CAROLE THERIAULT
Well, there is a form. Okay, so go and read Brian Krebs.

There's a link in the show notes to his article, but he provides a link to the form on Google where publishers can contact Google if they think they're victims of sabotage.

But being a victim of sabotage isn't the same as getting a threat of sabotage. I imagine at this stage, Google would maybe do nothing.

And it indeed probably didn't do anything, which is why he got in touch with Brian Krebs in the first place.
GRAHAM CLULEY
Right. So basically Google are saying, well, nothing bad has happened at the moment, so we don't have to act upon anything.

But by the time something bad happens, it takes a month for it to come back at least.
CAROLE THERIAULT
Yeah, but it's an interesting approach of a scammer using Google algorithms against a user.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
It's using its own systems.
GRAHAM CLULEY
Well, I think the real problem ultimately here is our over-reliance on single technology companies.

It's the fact that when you have a company which more or less has a monopoly, as, you know, Google has quite, you know, it is the internet advertising company, isn't it?

And so many people are using its systems to get signed up with someone else. It's difficult to switch. And even if you did switch, that's the thing, isn't it?

They could, if they really wanted to, target you again, but it seems like they've deliberately targeted Google Ads in this particular case.
CAROLE THERIAULT
And look, that is very standard, isn't it? Where attackers go after the biggest marketplace available.

In the same way that, you know, Windows malware, there's a greater number for Windows malware than Apple malware. I can imagine Google's gonna get more heat than other ad services.
GRAHAM CLULEY
You know what Frankie needs to do, don't you?
CAROLE THERIAULT
Go to Hollywood?
GRAHAM CLULEY
He needs to— that's a bit of a throwback. No, he needs to stop doing adverts. He needs to start looking into sponsorship instead.

Maybe if he had sponsors on his website rather than reliant on Google Ads, that'd be better.
CAROLE THERIAULT
Now, what are we going to call this scam? I came up with two names.
GRAHAM CLULEY
Oh, okay. What have you got?
CAROLE THERIAULT
Grabbed by the Goo Ads.
GRAHAM CLULEY
It's very creative.
CAROLE THERIAULT
Okay. An ad ban thank you scam.
GRAHAM CLULEY
Carole, did you actually come up with that? Ad ban thank you scam.
CAROLE THERIAULT
Yeah. This morning. In about 30 seconds. So there you go.
GRAHAM CLULEY
You're a genius. This week's Smashing Security podcast is sponsored by DomainTools. They help security analysts to turn threat data into threat intelligence.

Now, DomainTools have something special to offer listeners this week, and I've got a special guest to tell us all about it. That's right, Graham.

A study has been done into how automation is changing IT security, and specifically the staffing of IT departments. Oh, thanks very much.

And I'm guessing that although there are challenges, automation can help increase the productivity of IT security teams? That's correct, Cluley.

And there are still some roles that are better done by human beings. So don't panic. Marvelous. Visit domaintools.com/smashing to learn more and download the report.
CAROLE THERIAULT
Okay, I'm not gonna lie to you, passwords often are a pain in the you-know-where. But they don't always have to be. Take for instance LastPass's single sign-on feature.

Now single sign-on is very cool because it is integrated with more than 1,200 different applications, applications that your users need to do their jobs.

And this simplifies accessing those applications, making it far more streamlined. Wanna learn more? Check it out at lastpass.com/smashing. On with the show.
GRAHAM CLULEY
And welcome back. Can you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week?
CAROLE THERIAULT
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is— Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related, necessarily.
CAROLE THERIAULT
Shouldn't be, unless it's really funny.
GRAHAM CLULEY
Okay, well, my Pick of the Week this week is not security related. My son is away on a ski trip, which meant that me and my missus were able to go to the cinema.
CAROLE THERIAULT
And have some adult time.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
Hallelujah.
GRAHAM CLULEY
And we went to go and see not some Disney Pixar movie or something like that, which he would probably have enjoyed.

Instead, we went to see The Personal History of David Copperfield.
CAROLE THERIAULT
Oh, I haven't seen that.
GRAHAM CLULEY
Well, you should go and see it. It is written and directed by the marvellous Armando Iannucci.
CAROLE THERIAULT
Yep. A UK god.
GRAHAM CLULEY
It's based upon a book, a book book.
CAROLE THERIAULT
Is it?
GRAHAM CLULEY
Written by a chap called Charles Dickens.
CAROLE THERIAULT
Charles Dickens.
GRAHAM CLULEY
And I don't know if he's written any other books, but he's done pretty well if he got this one turned into a movie. So good luck to him. It's got a fantastic cast.

Dev Patel, you may remember from the Yesterday movie. And I think he was in Slumdog Millionaire.
CAROLE THERIAULT
That's right.
GRAHAM CLULEY
The chilly Tilda Swinton. She's always slightly angry.
CAROLE THERIAULT
I love her.
GRAHAM CLULEY
And someone who you do love, Hugh Laurie.
CAROLE THERIAULT
Oh yeah, I do Hugh Laurie.
GRAHAM CLULEY
Yeah, we all love Hugh Laurie, don't we?
CAROLE THERIAULT
He's no Jeff Goldblum, but—
GRAHAM CLULEY
No, let's not start that again. And Peter Capaldi as well as Mr. Micawber.
CAROLE THERIAULT
Okay, so an all-star cast.
GRAHAM CLULEY
Oh, it's a fantastic cast. And the movie is utterly delightful and enchanting, sometimes surreal.
CAROLE THERIAULT
This must have come out when I was in Canada, 'cause I didn't read about it at all.
GRAHAM CLULEY
I think it might have been out for a few weeks, but it's still in the cinemas at the moment, I believe. Very, very funny. Wonderfully entertaining. I found it just utterly delightful.

I just thought, what a great movie. I've never read David Copperfield. I don't think I've read any Charles Dickens. Really? Is that a bit embarrassing to say?
CAROLE THERIAULT
Yeah, it is totally. Yes, I have. And did you know Charles Dickens used to write for the papers, right? He wrote a column in the paper.
GRAHAM CLULEY
Piers Morgan.
CAROLE THERIAULT
But these basically formed some of his books, right? He would kind of— and he was paid by the word, which when you read his books, you can kind of see.
GRAHAM CLULEY
Well, I think particularly in the case of David Copperfield, because there's an awful lot of moving around from, "And now this is going to happen, and now this is going to happen." But it is such a joyous— You should read him.

I'll tell you what, having seen this movie of David Copperfield, it's made me want to go and read the book. So I'm on a long plane journey soon and—
CAROLE THERIAULT
What, you're going on a plane during coronavirus?
GRAHAM CLULEY
Coronavirus.
CAROLE THERIAULT
Coronavirus.
GRAHAM CLULEY
Well, you know, RSA needs me, Carole, so I'm going to go there and—
CAROLE THERIAULT
Bring your N95 mask.
GRAHAM CLULEY
All right, okay. But anyway, my pick of the week is The Personal History of David Copperfield, the movie by Armando Iannucci and I'd really recommend it to everyone.

Great, great fun.
CAROLE THERIAULT
I think you should commit to reading at least one Charles Dickens book before— let's set a time. This year, you've got to read it.
GRAHAM CLULEY
This year, I have to read a Dickens book. All right. Okay. The challenge has been thrown down. I'm going to put it in my calendar so I don't forget. Okay. All right.

Carole, what's your Pick of the Week?
CAROLE THERIAULT
Well, today is a two-pronged baby. I have a Pick of the Week and a Nitpick of the Week. And it's the same Pick of the Week.

So my pick of the week is a podcast by— dun dun dun dun dun dun— Dick Wolf, makers of Law & Order. Ding ding!
GRAHAM CLULEY
Oh, is that the— oh yeah, it goes— dun dun, doesn't it? Between scenes.
CAROLE THERIAULT
That's right. Yeah, yeah. Love it.
GRAHAM CLULEY
Love it.
CAROLE THERIAULT
Now, the podcast is called Hunted, and it's an 8-part season audio drama. And it opens with an FBI agent getting the lowdown on 4 prison escapees.

And you basically swivel from her story and that of the 4 prisoners on the run. And it's fast-paced, action-packed, tightly scripted, well-produced. It's all good, right?

But now for my nitpick of the week. So the shows are about 15 minutes long. So that's not very long. But there's about 5 minutes of fluff in every episode. Right?

So ads, promos for other shows, long trailers about going over what happened in previous shows, like people aren't listening back to back, a coming up for the next future shows.

It's too much.
GRAHAM CLULEY
That would be all right if it were an hour-long podcast. But if it's only 15 minutes, then that's a whole third of the show.
CAROLE THERIAULT
Exactly. Well, it's a quarter of the show, isn't it?
GRAHAM CLULEY
Well, 5 minutes.
CAROLE THERIAULT
No, no, it's 20 minutes in total.
GRAHAM CLULEY
Oh, okay.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
All right.
CAROLE THERIAULT
Yeah, yeah. So the show's basically, the show itself is 15 minutes long. They tack on this 5 minutes of crap. So it's 20. Yeah, it's a quarter of the show, isn't it?

Is stuff you're not invested in. And I think that's too high of a number.
GRAHAM CLULEY
Do you think people feel like that about our podcast? Because we have this whole Pick of the Week section, which isn't security related necessarily.

Do you think some people skip Pick of the Week?
CAROLE THERIAULT
Yeah, I know one person that does.
GRAHAM CLULEY
Do you?
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Who's that? Who's that? Does he? You mean we can talk about right now and he wouldn't ever know about it?
CAROLE THERIAULT
We could. Now, I'll tell you something else that bugs me, another nitpick of the week.
GRAHAM CLULEY
He's my nitpick of the week. They'll never find out.
CAROLE THERIAULT
So, they call it a podcast. And to my mind, a podcast is a radio program. You have a host or an interviewer or whatever. But an audio drama is different.

It's an entirely different experience for the listener. It has a cast, it has actors, it has plot. It gets a different— I don't know.

And it feels we should have a name that divides, because a podcast is kind of, in my view, people around a microphone communing about something.
GRAHAM CLULEY
Oh, I don't know. I don't know. I think you should be a little bit more fluid about these things. Podcast, right? The word comes from— it's iPod, isn't it? And broadcast?
CAROLE THERIAULT
Yeah, I know, I understand.
GRAHAM CLULEY
Would you have a similar problem with a television program if it wasn't?
CAROLE THERIAULT
I don't know. I was just thinking that when I was saying this. Is that what it's like? I guess I think we need a differentiator between the two.

If they're all podcasts and one's a podcast audio drama, what are we?
GRAHAM CLULEY
But you quite— see, I'm not a huge fan of these audio dramas, although there have been some which I have enjoyed. But I think you're much more into them than me.
CAROLE THERIAULT
Oh, I audio dramas are a podcast.
GRAHAM CLULEY
What did you just say?
CAROLE THERIAULT
No, I hear what I'm saying, but most. I wouldn't say audio dramas are a podcast.
GRAHAM CLULEY
You just did.
CAROLE THERIAULT
I looked at a podcast. Yes. I was going to list them off if you. You got in my way. I listen to news podcasts, I listen to interviews with celebrities. I listen to features, articles.
GRAHAM CLULEY
Keep going.
CAROLE THERIAULT
I listen to audio dramas.
GRAHAM CLULEY
Thank you very much. But nitpick unraveled.
CAROLE THERIAULT
Yeah, I'm still nitpicking it.
GRAHAM CLULEY
Well, what do you want?
CAROLE THERIAULT
If you agree with me, let me know.
GRAHAM CLULEY
They don't, right?
CAROLE THERIAULT
It's annoying that podcast means both podcast and audio drama.

We just sit in the nebulous field of podcast, just along with everybody else, and then I'm saying isn't that a little bit confusing?
GRAHAM CLULEY
We are informational, conversational, quite casual, chit-chat.
CAROLE THERIAULT
Infocast?
GRAHAM CLULEY
Why do you have to make up these ugly words all the time? Just a minute ago you had a wham bam thank you scam or whatever it was. Ad ban thank you.
CAROLE THERIAULT
Ad ban thank you scam.
GRAHAM CLULEY
Yeah, that was brilliant, right?
CAROLE THERIAULT
And grab by the goo ads. That was good.
GRAHAM CLULEY
Use some of that genius now to come up with new terms for podcasts.
CAROLE THERIAULT
Oh, so you think it should have changed?
GRAHAM CLULEY
No, I'm saying if you've got a problem—
CAROLE THERIAULT
All I'm saying is that my pick of the week is Broken, a podcast made by Dick Wolf, and you can judge for yourself whether you find all the interruptions irritating.

And I rest my case. Let's close the show.
GRAHAM CLULEY
Well, we're almost done. There's going to be a little bit of a treat after the ending music. Yes, there is. Folks can follow us on Twitter @SmashingSecurity.

No G, Twitter doesn't allow us to have a G. Don't send us your dick pics. And on Reddit as well in the Smashing Security subreddit.

And don't forget, if you want to be sure never to miss another episode, subscribe in your favorite podcast apps such as Apple Podcasts, Spotify, or Pocket Casts.

We really recommend subscribing and then you won't miss us.
CAROLE THERIAULT
And big thank you to this week's Smashing Security sponsors, LastPass and DomainTools. Their support helps us give you this show for free.

And big love to you all for listening this week. Stay tuned after the show to hear a snippet of our latest exclusive 40-minute-long Q&A session.

And I edited it, so you know it's going to be a little bit edgy.

Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
GRAHAM CLULEY
Until next time, cheerio, bye-bye. Bye. Hello, hello, and welcome to Smashing Security After Dark. A special bonus episode for our Patreon listeners.
CAROLE THERIAULT
I am Graham Cluley.
GRAHAM CLULEY
And I'm Carole Theriault. Yes, we have got together late in the evening to answer some listeners' questions.
CAROLE THERIAULT
Can I just be honest? This is not my favorite time for us to interact because we tend to fight when both of us are tired and cranky after a hard day at work.
GRAHAM CLULEY
I'm not tired and cranky.
CAROLE THERIAULT
Oh, you will be. Give me 15.
GRAHAM CLULEY
So we asked our followers on Twitter and also on Reddit.
CAROLE THERIAULT
Not our followers on Facebook because we got rid of it. That could be a question. Why did we get rid of it?
GRAHAM CLULEY
Well, no, you could have sent that question in if you wanted, but you didn't.
CAROLE THERIAULT
No, I was dealing with other issues.
GRAHAM CLULEY
I'm not talking to you, Carole. I'm talking to the listeners. No one asked us why did we close our Facebook page down.
CAROLE THERIAULT
Can you just pretend to be nice just for this show?
GRAHAM CLULEY
So who's going to start? We've got a whole load of questions in front of us. I think we should just pick some out the hat. Okay. Okay. You ask.
CAROLE THERIAULT
I've got a question.
GRAHAM CLULEY
Who's it from?
CAROLE THERIAULT
John Baton.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
Part of the show is making fun of the co-host. Isn't it interesting? So he says part of the show is making fun of the co-host.

Has one of you ever thought, hmm, I've gone too far here? Have you ever stripped part of the discussion for this reason? John Baton.

Yes, every single show, we remove too far material. So we get on the show, and in order for the show to be funny, we give ourselves carte blanche during the recording. Right?

And the recording is probably what, an hour, sometimes an hour and 15.
GRAHAM CLULEY
Yeah, yeah, yeah.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
No more than that. Yeah.
CAROLE THERIAULT
And the whole point is to go right to the limit.
GRAHAM CLULEY
Is it?
CAROLE THERIAULT
And we regularly skid right past it as though we were on a smear of diarrhea. We just—
GRAHAM CLULEY
You can see the skid marks of the diarrhea, and it's awful.
CAROLE THERIAULT
So we remove those bits because it's embarrassing to each of us and to everyone who's listening. And it's important we do that because—
GRAHAM CLULEY
And sometimes one of the participants on the podcast may not realize that they've gone too far, and it's only when their co-host tells them that actually—
CAROLE THERIAULT
Exactly right, Graham. Exactly right.
GRAHAM CLULEY
That was quite hurtful, what you said there.
CAROLE THERIAULT
Oh, stop gaslighting.
GRAHAM CLULEY
I'm not saying which one of us might have done something like that.
CAROLE THERIAULT
I don't worry about hurtful. I don't think you've ever hurt my feelings ever on the podcast. I'm resilient to you.
GRAHAM CLULEY
To be honest for a moment though, Carole, there have been a couple of times when I thought, that's it.
CAROLE THERIAULT
I bet you want to know what he said, and it's kind of a sneaky trick that I cut it off right there.

But I just really, really want to encourage you guys to become Patreon supporters because it's not very expensive and it would be just really great to build this kind of super cool community where you guys could support us and we could give you guys the content you wanted.

So if you want to hear more, visit our Patreon page.

All you have to do is open up a browser, go to www.smashingsecurity.com, and we'll have everything you need to know about how to become a supporter.

And we thank you from the bottom of our hearts. Well, my heart. Graham doesn't have one. Yeah. The song that's playing right now, you know what it's called? You Hurt Me So.

How beautiful is that?


Show notes:

Sponsor: LastPass

LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.

But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.

Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.

Sponsor: DomainTools

DomainTools turns threat data into threat intelligence, giving organizations the ability to use and create a forensic map of criminal activity, assess threats and prevent future attacks.

Read a free report into how automation is changing IT security, and specifically the staffing of IT departments. Get your copy at domaintools.com/smashing now.

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
