Fraudsters steal millions from those hoping to jump on the Bitcoin bandwagon, Twitter verifies a fake US politician, and it’s another facepalm for facial recognition.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire’s Dave Bittner.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
So there's no mea culpa.
It's a fact of life, Carole. It's a fact of life. Yeah, hacks happen. Breaches occur. Get over it, they're saying. What are you going to do? We have a First Amendment right to be hacked. And anyone who's going to prevent us from being hacked...
Smashing Security, Episode 168, The Bitcoin Fraud Factory, with Carole Theriault and Graham Cluley.
Hello, hello and welcome to Smashing Security episode 168. My name's Graham Cluley. And I'm Carole Theriault. And we're joined this week, of course, by a special guest. He's coming to us fresh from the RSA conference. It's the CyberWire's Dave Bittner. Hello.
Never have I been so glad that we do this remotely after you guys get out of a huge conference like this.
Well, and the highlight of the conference for me was getting to meet Graham.
Oh, you guys had a little love in, didn't you?
We did. We did.
We've never physically encountered each other before. We did. It was wonderful.
Now, Graham, did you get a CyberWire t-shirt? Because I know you gave Dave a Smashing Security t-shirt.
Sadly, we had no CyberWire t-shirts to give out. But the next time we order some, I will make sure that some make their way across the pond. Thank you very much, Carole, for reminding me.
Were they too heavy for your hand luggage, Dave? Because Graham had to bring it all the way from England.
Yes, I know. He did.
Just be careful with sizing because I believe that in America a lot of things are sized and it says triple XL. When in fact, I am a medium, but I wear triple XL in your size. So just be sure to send over.
Yeah, okay. I see. I can do that.
Carole, what's coming up on the show this week?
First, thanks to this week's sponsors, LastPass and DomainTools. Their support helps us give you this show for free. Now, Graham takes us to the Bitcoin fraud factory. Dave dons his election hat and tells us how Twitter is going to help us. And I take the surveillance pulse. Am I the only one in the world who hates it? All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, Bitcoin has been an extraordinary phenomenon, hasn't it? Originally, I think we were all kind of annoyed with ourselves. We're all kicking ourselves, thinking, oh, why didn't we back in 2011, why didn't we invest a little bit of money in Bitcoins? You know, just like the nerds and the neckbeards.
Always money, money, money with you.
Well, money does help, Carole. Money does help.
Always want more. Well, it's an expensive family. I'll tell you something that I have that people like you and Jeff Bezos don't have, and you'll never have.
Hair?
Enough.
Oh. Deep. Deep, man. Oh, wow. Anyway, sorry, I pulled you off track.
Oh, no, it's all right. I didn't know we had Deepak Chopra on this week.
Anyway, if we had, we'd have millions by now because the price soared, of course. And it took some years for the great unwashed public to see what was going on and for them to dip their toes into the water as well. But there were dangers lurking, weren't there? There was a danger you'd have your little tootsies bitten, which wouldn't be good at all.
I'm not really sure what you're referring to. Your analogy is a bit weird.
I'm saying that if you were to dip your toe into the Bitcoin cryptocurrency waters and you didn't take enough care, there were dangers there.
Oh, right. There might be sharks.
Piranhas swimming beneath the surface. Right. Exactly.
I'm with you now.
Now, well done to the Swedish newspaper Dagens Nyheter, which, with their journalist colleagues around the world, released a very scary story of a Bitcoin fraud factory running out of Ukraine. So what's going on is this. In Kiev, there is a swanky office building. It looks like Harrods from the photographs I've seen. And on the top two floors...
So, chichi.
Oh, it's very chichi. More than 200 young people are working seven days a week. You know, you'd think, oh, poor people working in that call centre. Well, don't feel so sorry for them, because they are in the business of defrauding unsuspecting investors around the world, according to this newspaper report. We know this because a whistleblower working at the company brought evidence to Dagens Nyheter and took a secret camera into the building to film what was going on.
Have I ever been fitted up with a secret camera or a microphone?
I would never confirm or deny such a thing. I've had it done to me, actually.
Really?
Yes, I've had a TV company not fit a secret camera to me, but fit a secret microphone to me because they wanted a conversation to be recorded between myself and the people who were the subject of this documentary. And unfortunately, the microphone wasn't that secret. It was a little bit obvious.
Was it nestled in your chest hair or something? A huge normal mic?
They were sort of scrabbling around. They suddenly had this idea, oh, we can mic you up, we can mic you up, and you could go in. And I'm like, all right, okay. And so they put this microphone on, but it was a great big, like, it was like a pop shield, sort of on my lapel of my jacket.
Oh, yeah. That's subtle. Yeah, but isn't it illegal to record without the other party being aware that you're recording?
Well, here in the States, it depends. For example, here in Maryland, we are a two-party consent state. So it is illegal without permission. But there are some states where you can do it.
And I don't know if there are different rules if you're an investigative journalist, which they were, the people who were sending me in. I mean, I don't want to anyway. The fact is, the person I was speaking to said, that's a microphone, isn't it? And I said, yeah. So we didn't get anything that juicy. Anyway, the whistleblower who was sent in with the secret camera, he wasn't taking in a Sony camcorder or something like that. I imagine it was a bit smaller than that, and he managed to film what was going on. And that was quite an achievement, because normally staff at this particular place in Kiev have to leave their smartphones at the door, because clearly the firm is a little bit nervous about outsiders finding out what is going on inside.
So this guy went in, he worked there, but he put on secret cameras to go and film the naughty stuff that was going on inside this Bitcoin fraud factory.
Yes, at the requests of the journalists. They had rented a room on the other side of the street and were watching the goings-on via a telephoto lens. The journalists were, as their undercover man was working inside. I think they were also a bit worried as to what might happen if he was found out because, you know, potentially this is quite a physically dangerous thing to do, unlike when I tried to do it.
I wouldn't really think a Bitcoin fraud factory would be the height of, you know, danger.
Well, if you're making maybe $70 million from your fraud being committed at that place, then maybe you could call upon a few heavies to duff someone up or perhaps worse.
Yeah, that's not chump change. You're absolutely right. I think you've got to be careful with organized criminals who are working in this way. So what's happening is this: there are folks out there who have been ensnared by online ads, sometimes shown on Facebook, sometimes in mobile phone games. And the ads will claim to come from a legitimate investment company, and sometimes they've used the faces of famous celebrities like money-saving expert Martin Lewis, who's well-known in the UK, or Gordon Ramsay, a very foul-mouthed chef, or the greatest showman, Hugh Jackman.
He's just so handsome. That's all, he's just handsome. Isn't he a werewolf? You see Hugh Jackman scroll by, you're going to stop and see, you can't help yourself. You get lost in those dreamy eyes.
Yeah, no, he doesn't do it for me, but we all know who does it for me. But yeah, a lot of my friends are big fans of Mr. Hugh Jackman.
Wait, who does it for you, Carole?
Jeff Goldblum.
Oh, not again. Three weeks? Four?
Is it four weeks we've had mentions of Jeff Goldblum? Yes, yes, yes. Oh, goodness, yes, yes.
One day he'll come on the show.
Anyway, they will use different celebrities based upon the territory that they are targeting. So someone like Martin Lewis probably isn't known outside the UK, but in Sweden, you would have, I don't know, Benny and Bjorn, Swedish chef from the Muppets, you know, something like that. You know, they'd use some Swedish celebrities. But what's been offered is an easy way to jump on the Bitcoin bandwagon and become a billionaire yourself. Now the scammers say that they will make it easy for the wannabe investors to trade in cryptocurrency in stock, so they try and set up a business relationship with you. It's a bit like, you know, I have a financial advisor, right, and he comes around and he pretends to be my friend. Like everyone, he's made his little notes in his little black book about me to ask him about the kids and how the podcast's going.
Didn't he say blog last time? He asked about your podcast? Well, yes, last time he said, oh yes, how's the podcast going? Oh, it's all right, all right. And he said, yeah, he said, I haven't seen them for a while, but normally I go on YouTube and check them out. And I'm thinking, what? We don't video. What you like? So they target it afterwards? So you click on an ad, you kind of reach out saying, oh, I'm interested in this, and then basically a normal guy calls you up and says, hey, let me—
And then the phone calls begin, and then they begin to charm you.
Laughing at your jokes, exactly, exactly.
And apparently they have been given a cheat sheet as to how to deal with victims in different countries, right?
Oh, I'd have to see that.
Well, you can see it because I'll link in the show notes where you can see these documents. And it turns out, for instance, in Scandinavia, often their victims were often elderly and they just wanted someone to talk to, it says. So pitch to them quietly and gently and make an emotional connection.
Is that how I have to talk to you now, Graham? Well, no, because I'm British, it's different. Oh, right, how do I do it for British old grumpy men?
For Brits, it says they seem to know everything in the world and have a great ego, it says. You're right, Graham, they believe themselves to be highly intelligent. Don't argue with them, it says, Carole, just make them feel clever. That's where you're going wrong.
But you are clever, so clever. Both of you are.
And apparently sometimes after a while, the scammer will actually award their client with a certificate pronouncing them a master trader. So you feed their ego and fluff them up. But these victims are often persuaded to install software onto their computers. Now, it's legitimate software like TeamViewer and AnyDesk, but it gives the scammers remote control over the PC. And this will often be sort of like, well, it's a little bit hard to learn how to use the investment software. Let me show you how to do it. Because, of course, you've got a relationship now. It's Pete who's ringing you up and helping you. I'm like, oh—
Pete, what would I do without you?
Right. And also, they don't ring up and say, hi, we're ringing from Kiev in Ukraine. They will claim to be based in the UK, for instance, if they're speaking to British customers. But through this remote control software, the bad guys are setting up loans with high interest rates, up to 39%, being taken out in their victims' names. And the scam continues: on the website, victims are seeing that their money, their funds, are increasing at enormous rates. They think everything's going really well until they try to withdraw the money, and that proves impossible. It's a bit like the missing crypto queen.
Yeah, I was just thinking that exactly. So it's a similar model but on a much smaller scale.
Right, people's wallets, you know, what they thought were increasing enormously, but they simply couldn't get the money out. And these scammers, they're on monthly commissions, they're filling their pockets. They don't care about the lives they're ruining because they're making loads of money, but they're tasked with making 300 calls a day to extract more money from investors.
God, you'd not want to talk to anyone. If you got home after doing 300 calls and you had a partner and they're like, hi, dear, shut up.
Well, it does seem like it's completely crazy. It's like you'll have one person calling you up and then your phone starts buzzing at you to tell you there's someone on the other line. And it's another scammer from the same organization. So you just end up getting all these calls. So it's become a huge problem. And some people have lost a vast amount of money. Some people have had to sell their houses to try and make up for the loans. Did you say $70 million? $70 million is estimated to have been taken. Maybe it's even more than that, but that's what the documents are suggesting.
And then there are the folks who call after you've lost the money who are also part of the scammers calling to help you get your money back.
That's exactly what happens, is that you'll get these calls claiming to come from lawyers, for instance, saying, oh, we're working on helping people extract their money.
You're kidding me. No. It's like a double whammy.
And they say, it just cost you $1,000 and we'll help you extract the money. And they managed to get even more of the money out of you. It's absolutely horrendous.
Do we know what caused this whistleblower to flip?
It's not really said. You get the sense in the video and in some reports that they were just frankly disgusted, because they got the job there and then realized what they were doing. And it's really heartless what's going on. But the other thing which is really upsetting is it appears the police haven't really done anything about it. So, for instance, Dagens Nyheter went to the Swedish police. And apparently, although there have been plenty of victims in Sweden, investigations have been dropped, presumably because they think there's little chance of success. But people are losing out to a large degree.
We've heard that particularly the Russian scammers who do this, there's sort of an agreement that as long as they don't go after their own countrymen, that they'll be left alone.
Yeah. That seems to be an issue, yes, throughout cybercrime is Russian cybercriminals, as long as you don't poop on your own doorstep, they'll turn a blind eye.
Yeah, and this one, of course, is manually run, but a lot of the automated ones, the ransomware attacks and things like that, they'll actually check your computer to see what kind of keyboard you're using. If you're set up for a Russian language, it will leave you alone.
Yes. So you could try and defend yourself by setting your Windows settings to use Russian rather than English. But I have other disadvantages.
Someone should just make a USB dongle that just blasts out and says, I'm a Russian keyboard. I'm a Russian keyboard. I'm a Russian keyboard. Or Klingon.
Or Klingon. Yeah, well, yeah. Could have the Romulan ransomware scam. The risks then. So don't get bitten by the Bitcoin bug. Okay. You may think it's a false route to making you a multimillionaire, but it ain't necessarily so.
Yeah, Graham. Take your own advice. Well, yeah, right. Well, you know. You're the one who feels left out. Bring it up. Poor you. Roma. Roma. It's like Tiny Tim.
That isn't my T-shirt size, by the way. David, what's your story for us this week?
Well, I have to ask both of you. You're both on Twitter. And, of course, Smashing Security is on Twitter without a G because Twitter wouldn't let you have a G. Yeah. But do any of your accounts have the coveted blue checkmark?
We've had— Someone else has asked me this question on the show before. No, I do not.
Graham? I do on my personal account, but the smash in security. I wonder what hoops we would have to jump through to get one.
Yeah, we recently got ours for the Cyber Wire. Oh, la-dee-da. And there's a lot of hoops you do have to jump through. I tried to get one several years ago for my personal account and was promptly ignored. So I don't know what you've got going on that I do not.
Well, now you've met him. You don't know?
Oh, well, it's true. It's true. There is an aura around him. I mean, he is self-luminous. Sorry about that. That's why we do this remotely. That's right. I blame the hotel toiletries. I see. Very good. Very good. Well, one of my colleagues here wanted me to ask you if the blue checkmark doesn't amount to an unconstitutional title of nobility. So with the elections coming up, Twitter recently announced that they would be verifying the accounts of political candidates, and this is to help voters to have confidence that the Twitter accounts that are associated with these candidates are actually legit accounts.
It's a slightly odd thing this, isn't it? Because what is the actual purpose of this? It's presumably so you only get accurate information from genuine political candidates. And the problem is that the genuine political candidates aren't going to give you accurate information. You might be better off going to the satirical account.
But it might be good to know which ones are satirical, which ones are real. I suppose, yes. Lots of people are confused about that, Graham. Of course, it never happens to you because you're so wise and British.
Are you trying to scam me? So this politician showed up on Twitter. His name is Andrew Walz. He had a website. He referred to himself as a proven business leader, a passionate advocate for students, and he was going to make change in Washington together. And that's what his Twitter account claimed. He was a Republican from Rhode Island. He was running for Congress and he got verified by Twitter. So a legit account, according to Twitter. But there was one problem. Who is it? The problem is that Andrew Walz does not exist. He was created by a 17-year-old high school student who was bored on winter break and decided to take it upon himself to test Twitter's verification process.
It's hard not to be impressed with someone like that. I'm sorry, I know that's probably wrong to say. Mom and dad are gonna hate me.
Yeah. So he said he told CNN that it took him about 20 minutes to create a website for his candidate and about five minutes to create the Twitter account. And this seems to be an interesting failure in the process that Twitter used. Evidently, Twitter was teaming up with an organization called Ballotpedia, which is a nonprofit website. They call themselves the Encyclopedia of American Political Candidates. So by submitting this candidate to Ballotpedia, Ballotpedia then checked that the candidate had a website. Twitter relied on Ballotpedia for the verification, and Bob's your uncle.
It seems a bit slapdash of Twitter, don't you think? That's all the vetting?
Yes, yes. And so when CNN reached out to Twitter, Twitter suspended the account. Yay, Twitter. But it's an interesting story about how these things can break down, and the chain of custody of the existence of this person failed in this case.
Yeah, because that's the problem, isn't it? It would be kind of irritating if each and every one of us had to independently do the verification. And so you would use a third-party service and you would assume that they have some level of competence. But if I could go to Ballotpedia and enter Dave Bittner for president or something, presidential candidate. Dave B for pres. Wow, my goodness. So he wasn't using this for any sort of malicious purpose. He was purely seeing whether he could get the little tick.
Yeah, just experimenting to test the system.
Yeah, because didn't Twitter come forward a few weeks ago saying we're going to do a lot more to try and qualify the content? Not just political stuff, but all. Is it just for politics or was it for all kind of content?
Well, Twitter said they weren't going to take any political ads, which is good, I think. CNN did reach out to Geoff Pallay, who is Ballotpedia's editor-in-chief, and he was quoted as saying, "Ballotpedia definitely made a mistake here." There you go. Okay. Their candidacy, but wait until the last minute to actually file their papers. So there can be a delay between them. And on Ballotpedia, they try to account for that. They will say that this candidate is announced, but not officially in the system. And that seems like that's part of what happened here.
Right. Because I can understand that. I can totally see people would want to press go, you know, all systems go at the same time. You know, Facebook page up, webpage up, Instagram up, all the crap up at the same time saying I'm announcing.
Yeah. Yeah. So Ballotpedia said that there's a difference between being a declared candidate and an officially filed candidate.
Yeah. And even if this wasn't the particular method, there may be other ways of— I'm trying to remember, because I've had my checkmark for a while. I'm trying to remember what on earth I had to do in order to get it. I remember it not being easy. No, I recall they wanted me to send them a copy of my driver's license. You can trust them. I know, right? Yeah.
It's for a blue check mark.
Well, actually, it's a good question. What do you get for that? What VIP service? How has your life been improved? What sort of wonderful things have rained down on you since you got your blue check mark? What red carpet
Do you walk on now that you've got your check? I did see this. There was a time when having a check mark was something a little bit exclusive. It was a case of I'm better than you. You should follow me on Twitter, not anybody else, because I've got one of these. But yeah, it hasn't really been there. It's not changed your life or anything? There's no blue checkmark secret handshake. Now, listen, listen. You have both made an error. You've both fallen into the elephant trap. And sometimes I've been guilty of it as well. You have referred to it as a blue checkmark. The checkmark is, in fact, white. Oh, God. Here we go. On a blue background. No, I think it's important because we get people sometimes criticizing our podcast, saying that we've made mistakes.
Graham, how do you spell pedantic?
Last week, there were complaints because I tried to pick Carole up on saying that Pooh was attracted to flies, and Carole said, or rather she said, albeit in her Canadian accent, that Pooh was attractive to flies. I thought she said attracted. There was a bit of a hoo-ha on Twitter.
Well no, no Graham went all crazy on the show and I let him go, just let him, because it's easier right? It's so much easier to just let him go and I knew what I said exactly. Then there was the whole 10% of the world population currently can't move because of coronavirus just said that they're experiencing... They weren't freely available to me. Okay, all right. I'm just, anyway, they're not blue check marks. Was that it? Okay, no, no, it's fine. No, no, you're so wise. Carole, do you have a story this week? Yeah, thanks. Okay, facial recognition time. I, hat tip to our Smashing Security guest, Geoff White, for tweeting this one out. I'd like to introduce you to the Dazzle Club. What a great name. I just think it's beautiful.
Isn't that that place you and I visited in San Francisco together, Graham?
I think I got a Vodazzle while I was out there.
When you guys dressed up as Liza Minnelli? Yeah, right. Exactly. Now, this Dazzle Club is made up of four artists who are based in East London. And once a month, this quartet apply makeup that is camouflaged. And they walk a silent walk through the streets of London. And this is all an artistic protest against the use of facial recognition cameras in London. So the makeup is called CV Dazzle. And apparently, when applied correctly, it tricks cameras into being unable to detect a face. And what's interesting is the artist, one of the artists, Evie Price, is quoted as saying, what are they doing with the data that they're collecting? They say it's for safety purposes and preventative policing, but we don't have any evidence of that. What are they actually using it for? So, you know, I read these kind of stories and I think that's, you know, I'm kind of glad that people that aren't in our industry aren't necessarily super comfortable with facial recognition. And you might remember that about, what, eight weeks ago, episode 162 with Michael Hucks, I did a story about Clearview AI. And this was the company that scraped the web. So Facebook, Twitter, YouTube, Instagram, literally billions and billions and billions of images of our faces. And the idea was putting them all into a searchable database so that you or an authority could upload a picture of anyone and get information on that person. We kind of talked about it and going, this isn't very cool. And loads of other media people got involved with it. There was a lot of stories. So one of them was Apple blocks Clearview AI facial recognition app for violating app store policies. Another one was the creepy facial recognition companies reporting developing a surveillance camera. So currently it's an app and you have to put in pictures into the application. But if they had a camera, it would work seamlessly, wouldn't it? 
Clearview AI chief executive Hoan Ton-That told CBS This Morning that it was his First Amendment right to collect public photos. So he's not backing down. I don't know who owns the pictures. So maybe, Dave, you know this, or Graham, you know this. If I put pictures up on, say, Facebook or Instagram or whatever, does that mean I own them, or do they own them?
I think it depends what you mean by own. I think suddenly you will have agreed to the social network's terms and conditions which will have given them permission to do whatever the heck they want with them.
But I do think that these days if you pull the picture, then you're basically revoking their right to use it. I believe that's in a lot of the terms and conditions these days.
You know, if you think about this database built of billions and billions of pictures, right, taken from all these sites. So if I pulled my pictures from Facebook, but he had already, you know, this software had already grabbed it, it's there forever. Right? They're not deleting those pictures. Graham, are you following me or no?
Yeah, yeah, I'm following you. Yes. Okay, so yeah, so they're in the press. They're being talked about, you know, surveillance cameras, and he's defending his First Amendment rights. And then Clearview AI, news comes out that the database got hacked. Oh, right. So it's not as though we as individuals have to worry that our photographs have been pinched and snaffled by someone else. Well, they're already taken. They're already pinched.
Yeah, that horse has left the barn.
Well, they've been taken by Clearview, but they haven't necessarily been got by other people. But now we can find out because of this breach who was working and supporting Clearview.
Yes. Well, whoever has stolen the information can, certainly. Right. Now, it's kind of ironic maybe that the cops purchased a service and that service has now leaked the information on the fact that they were using it. I don't know. There's something a little bit messy there. And it does highlight the need that we need to take our business partners seriously and make sure that they take security seriously. Okay, so another weird side note here. Clearview, so during this hack, Clearview made a statement. Clearview AI made a statement. And it's kind of unusual. So they told the BBC News, security is Clearview's top priority. Unfortunately, data breaches are part of life in the 21st century. Our servers were never accessed. We patched the flaw and continued to strengthen our security. So there's no mea culpa. It's a fact of—
Life, girl. It's a fact of life. Yeah. Hacks happen. Breaches occur. Get over it, they're saying. What are you going to do? We have a First Amendment right to be hacked. And anyone who's going to prevent us from being hacked is breached. So in other—
Words, this is business speak for sorry we fucked up? Is that it?
I'm just imagining your bank just saying, you know, banks get robbed. It's just the way it goes. And your money is gone. And it's just a fact of everyday life. So chin up. Tomorrow will be nicer. Yes. Yeah. That money is just gone.
Now here, this gets really interesting now. So in the case of, we were talking earlier about the Dazzle Club, right? And they are talking about the facial surveillance that went on in the UK. Well, the UK cops say, hey, look, we are doing this, but we only keep pictures of people of interest. So immediately, if you're not a person of interest that's flagged, that picture is dumped immediately. And the people of interest, their picture, we only keep for a maximum of 31 days. Okay, yeah. Now, in the case of Clearview, Clearview says on their website clearly, it says the search engine is available only for law enforcement agencies and select security professionals to use as an investigative tool, and its results contain only public information. So since I did this story six weeks ago, they have changed their website quite radically, and their messaging has changed quite radically. But they're making it very clear that Clearview exists to help law enforcement agencies solve the toughest cases, and our technology comes with strict guidelines and safeguards to ensure investigators use it for the intended purposes only. So I'm thinking, okay, you know, at least they're trying to control who has access to this. Because, you know, I was thinking about, God, I don't want, you know, the security guy at some Walmart, you know, to be able to just focus on anyone in store and know where they live and see all their social profiles.
Oh, so if I was the security guard at your local supermarket, there I am wolfing down some donuts, I wouldn't be able to spot you, take your photograph, upload it to Clearview and find out your name in case— Well, they're—
Saying they're only giving access to the software to law enforcement agencies and select security professionals, and how—
Are they determining who's legitimate? Are they looking for Twitter checkmarks or something like that? Because I heard...
Maybe they should. Turns out. Maybe they should because BuzzFeed, three days ago, did this huge exposé saying that they found that more than 200 companies have Clearview accounts. These are companies like Kohl's and Walmart and banks like Wells Fargo and Bank of America.
What do they need it for? Why would they need to identify people?
Good question, because as far as I know, Walmart isn't a law enforcement agency or security professional. Not yet. Yeah. So it goes on in the BuzzFeed article. It says, for a company that maintains its tools are for law enforcement, Clearview's client list includes a startling number of private companies in industries like entertainment. So Madison Square Garden and Eventbrite. Gaming, Las Vegas Sands and Pechanga Resort casinos. Sports, get this, the NBA. Fitness, Equinox, I don't know if Equinox, and also cryptocurrency, Coinbase. So, you know, I don't know how you feel. Like you say, you go to your gym, and some guy who's working there in the CCTV can grab a picture from CCTV of you at your gym and slap it up in the software, because they happen to have, what, a security tag.
No guy is ever going to get a photograph of me at the gym. I'm not. I can tell you right now, it ain't going to happen.
I just find this spooky. I'm like 100% not okay with this, but I'd love to know what you guys think.
So what is the intention? So, for instance, is the intention, let's take the example of Walmart, so a supermarket thing, right? I'll just set the scene if you want, and then you can tell me. Right. So let's say they are working on surveillance cameras, which many articles have been talking about, and they get the software to work with it. Right. This could be sitting inside a hotel lobby, for instance, or any public place. They take a picture. They're a CyberWire groupie, a Hacking Humans harlot.
Right, and then right away they know where you live just from your face. They're able to... In fact, you were recognized, weren't you? You were recognized at RSA, weren't you, in the gents?
Yes, yes it was a milestone in my life. So your hands were busy, my hands were busy. I'm standing there in the men's room taking care of some business, lined up with people on either side of me when I hear from my left this...
Is a number one right?
That would be correct, Carole. Just they don't tend to line up if they're doing anything else.
That's true, thank god.
Yeah, oh boy. So hey, aren't you Dave? Yes, yes I am, I said to this person. This kindly gent, did you...
Turn to him exactly. I turned and marked...
My territory immediately. I wouldn't recommend that, yes yes. He had to change his shoes. I said let's step outside of my office and continue this conversation.
What a place for it to happen, the last stronghold of man's privilege I suppose. You were probably...
Glad there was no handshakes because the coronavirus has probably been putting that off. We've...
Come up with some novel alternatives.
There was shaking, but it had nothing to do with hands.
Oh my god, okay, my story's done. I can't go back, not after that.
There you go. I just want to point out who opened that door. Who opened that door? You're welcome, everyone.
This week's Smashing Security Podcast is sponsored by Domain Tools. They help security analysts turn threat data into threat intelligence. Now, Domain Tools have something special to offer listeners this week, and I've got a special...
Guest to tell us all about it. That's right, Graham. A study has been done into how automation is changing IT security, and specifically the staffing of IT departments.
Oh, thanks very much. And I'm guessing that although there are challenges, automation can help increase the productivity of...
IT security teams. That's correct, Cluley. And there are still some roles that are better done by human beings, so don't panic. Marvelous. Visit...
DomainTools.com slash smashing to learn more and download the report. Did you know that LastPass Enterprise gives a vault for every single user? In fact, every user can have both a work vault and a personal vault. If you want to make your organization safer and reduce friction for users, why not check out LastPass Enterprise at smashingsecurity.com forward slash LastPass. My pick of the week is not security related.
Excellent.
My pick of the week is a website called Amazon Dating. It's at amazondating.co. And if you go through to it, if you click on the link...
Is this a safe website?
Well, I don't know, but I've clicked on it. If you go to Amazon Dating...
Oh, well, there's an endorsement.
If you go to amazondating.co, it looks like it's a new feature from Amazon, where they are offering hot singles near you, over 20,000 results.
A friend of mine is recently single, and I am desperate to get them online. I could do this. Well, why are there prices, Graham?
Well, exactly. So you can order. Some of these people come with free one-hour delivery and are available to meet today. And if you click through to the profiles, there are criteria such as fit as expected, 73% say about Will 33.
Catherine has 2,312 hits. She's worth a whopping $300. Oh, there's a sale, a one penny sale.
You find out their love language and some facts about them. And there are reviews as well from people who've tried them out in the past. So you can find out... Now, you can add them to the cart. This is the most...
Ridiculous thing ever. Who did this? Who created this?
I don't know. It is, of course, not really done by the real Amazon. Sorry to disappoint you, Carole. This is a joke website, but it's rather wonderful. And it's quite funny as you dig deeper into it. If you go to Prime Video, for instance, rather than taking to Amazon Prime Video, it takes you to Chat Roulette. There's a link saying, don't see what you're looking for, and that takes you to Netflix instead.
I love how it's in stock, buy Amazon Basics. Trained as a barista, famous on TikTok, has child, won't text back. One used from 95 cents.
You know, Amazon, the real Amazon sells all manner of goods, and including that they sell condoms. But if you go and search for condoms on Amazon, over on the side, it'll say, this item is available used. There's no discount great enough to make that worthwhile.
It's quite a lot of work someone has put into this, but I do find it quite amusing. So there it is. I saw it a couple of weeks ago and I thought, oh, I must share that with people. Oh, here we are. I've just found the link. Hello, what is this about? And it says it is a joke website. And it says it was created by a couple of people. What, in the about? Oh yeah, I see. Yes. Annie Akopian, Susie Shin are the people who worked on it along with a chap called Morgan Gruer. How fun. It really tickled me, and I think it's a wonderful piece of design. I just think they should be
Very careful, though, with the logo. That's what I think. I think they've done it too closely to the actual Amazon logo.
It has been up for at least some weeks, and I'm surprised that it hasn't been brought down so far. Maybe this is where Jeff Bezos is looking for his next wife. I don't know.
Amazon does have a pretty good sense of humor overall, though. With reviews and things, they allow
A lot. There are some very funny items, aren't there, on Amazon? And I remember seeing a Bic Biro pen, which had about 12,000 reviews, selling for about 12 pence. And people just saying...
My two favorites are, you can buy a gallon of milk on Amazon and the reviews are priceless. The other notable thing you can buy is a 55-gallon drum full of lube.
Anyway, amazondating.co is my pick of the week.
I'm gonna fall in love with when I'm buying one. I'm just going to take it seriously.
Who are you going for? This is my guy.
This is my guy. He reminds me a little bit of my husband just in the hairiness. Cookie monster. Oh, God. Look at all the little pictures. I love it. Cookie. Isn't that fun? Beautiful.
Okay, great pick of the week. Excellent. Dave, what's your pick of the week?
So my pick of the week is actually an old radio show that years ago, I remember this show would run on Sunday mornings here on the local NPR station. And I suppose, Graham, you may be familiar with this. It's from the BBC and it's an old quiz show called My Word.
Oh, my goodness. This is such a blast from the past. Okay,
I'll just, I'll be quiet and listen because I know nothing about this.
It was a quite gentle sort of parlor game. I'm sorry, I'm stealing it from you, Dave. No, no, go on, go on. But it was a lovely, gentle parlor game. I think it was on BBC Radio 4. There was also My Music, but I didn't like My Music as much. My Word was more my cup of tea. Yeah, My Word was funnier and more clever, I think. Yes, I think on My Music they often tried to show off how much they knew about music, whereas My Word had Dennis Norden and Frank Muir on it for decades. And they were a very funny couple of writers for radio and TV shows. Frank Muir always wore a great big pink bow tie. This is real gentle, wonderful humor, My Word. Anyway, Dave, I'm amazed you know about it as well.
Oh, I've got great affection for it. And I can just, whenever I think of this show, I always hear the host saying, "and Scott James." I don't know why. And the show would always end with these ridiculous stories that they would spin that ended up being just painful puns. The example that they have here is: so you want to know where supercalifragilisticexpialidocious comes from? Why, it's just a shopping list, including a remedy for someone with bad breath: soup, a collie, frigelastic, eggs, pee, halitosis. And then after they would say something like this, all the panelists would go "oh," because they were very... They're very polite Brits, yes. Yes. There's something soothing about, in today's chaotic world, there's something very soothing and comforting and intellectually satisfying about this show. So I have a link to the BBC page about it, but also an episode. They're all over YouTube. If you search for My Word BBC, you'll find them, and they're great fun.
It is very much from yesteryear, isn't it?
Yes, yes. We don't really put out shows like this anymore.
No, no. Good Sunday afternoon listening. Very cool. Very erudite, Dave. Excellent.
As if I knew what erudite was. It's kind of glue, isn't it?
Carole, what's your pick of the week?
Well, this past weekend, I actually spent digging, literally moving a pile of earth the size of a humongous crocodile from one side of the garden to the other.
Are you burying someone? What's going on?
I'm preparing for your visit, Graham. No, it's just we're doing some garden thingy. But every muscle in my body hurts. But during this, it took me about 60 wheelbarrows to move all that stuff. And every muscle hurts today. But during this three-hour stretch, I had to find a podcast to listen to, right? Obviously. And I wanted something brand new, and I found something kooky, and I'm sharing it with you guys. So my pick of the week is called Solve, and it's from iHeartRadio. It is an audio drama, Graham. Now, it's kind of cool because it's interactive, where the audience plays the detective. So you hear a murder scene, you then have interviews, like each kind of player of the scene kind of talks, and maybe a best friend comes forward and they say this, and at the end, before they get to their sponsors, they say, okay, who did it? And they give you a list of people that possibly did it, a bit like Murder, She Wrote. Then it goes off for the break, right, the sponsor break, then it comes back and it says the person who did this crime was in fact Hazel, the mother of the character. And then they explain how you could have spotted it and what the giveaway was. And it's kind of cute. So I can give you, if you'd like, one of the writeups of one of them, of one of the stories: Chris found floating in a pool of the historic old Hollywood hotel. Now it's up to you to interrogate her family, friends and fans to figure out who would extinguish this rising star. So you'd get to hear from her family, friends, fans, and you would just get a few clues as to who might do it. And then, kind of fun. Now it's not for kids. Yeah, it is kind of fun. Now, okay, I've done a lot, I've seen something that's given away at the last scene. So you really kind of were only sitting there really knowing.
Is it the case that after hearing the drama it could have been any of them, and it's all down to the explanation? You know, but they could just as easily have said it was someone else and— Yes, but for example, they might have, like, say there was like four men and one woman who might be up for a suspect, right, and then in the last scene you might hear the high heel clip-clap across the floor.
You can listen to this.
And that is my pick of the week. Well, excellent. Well, on that cultural note, so you would call that a podcast, would you?
You can check us out at thecyberwire.com. I'm also on Twitter at Bittner, B-I-T-T-N-E-R. Those are the places to find me.
Marvellous. And you can follow us on Twitter at Smash Security, no G. Twitter wouldn't allow us to have a G. And you can also join us on Reddit. There is a Smash Security subreddit up there. And don't forget, if you want to be sure never to miss another episode, the best thing you can do is subscribe in your favourite podcast app. Do it. Yes, do it. Whether it be Apple Podcasts, Google Podcasts, Spotify, or Pocket Casts, go and do it today. I can't believe I've become that person, begging for people to subscribe. What happened to us?
Until next time. Cheerio. Bye-bye. Bye. So long. Farewell.
So you guys feel fine, right? You both were at RSA. There was a lot of people there. People keep kind of talking. Is there a pandemic? No, there's no one. You're all okay? We're all okay so far. Yeah, yeah, yeah. It's fine. So far, so good. Yeah, everything's in as working order as it normally is. Yeah, everything's working in an age-appropriate way. Ew, I wonder what that sounds like on a mic.
It sounds like his laugh. That's what it sounds like. Yeah, exactly. They won't know the difference. It's the same sound, yeah. So offensive. Muttley the dog.
Right, I'm going to hit stop on that.
Hosts: Graham Cluley, Carole Theriault
Guest: Dave Bittner
Show notes:
- Inside the Kiev fraud factory stealing senior citizens’ savings — Dagens Nyheter.
- Revealed: fake 'traders' allegedly prey on victims in global investment scam — The Guardian.
- Inside the Kiev Bitcoin fraud factory — YouTube.
- A high school student created a fake 2020 candidate. Twitter verified it — CNN.
- Verified account FAQs — Twitter.
- London's Dazzle Club uses makeup to protest police use of facial recognition technology — WKSU.
- CV Dazzle: Camouflage from Face Detection.
- Clearview AI's Facial Recognition Tech Is Being Used By The Justice Department, ICE, And The FBI — BuzzFeed.
- Amazon Dating: The Future of Dating — Not the real Amazon.
- Carole's ideal date — Amazon Dating.
- My Word! — BBC.
- My Word recording from early 1960s — YouTube.
- Solve podcast.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
DomainTools turns threat data into threat intelligence, giving organizations the ability to use and create a forensic map of criminal activity, assess threats and prevent future attacks.
Read a free report into how automation is changing IT security, and specifically the staffing of IT departments. Get your copy at domaintools.com/smashing now.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
