
WannaCry hero Marcus Hutchins (aka MalwareTech) pleads not guilty to malware charges, the Scottish parliament is hit by a brute force attack, IoT smart locks aren’t so smart, and... ahem... someone is sending intimate pics via AirDrop to unsuspecting commuters.
All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by technology journalist Geoff White.

Smashing Security #38:
038: Gents! Stop airdropping your pics!
Hosts:
Graham Cluley
Carole Theriault
Guest:
Geoff White – @geoffwhite247
Show notes:
- "The Secret Life of Your Mobile Phone" — Geoff White’s show at the Edinburgh Festival Fringe
- MalwareTech is back online, as he pleads not guilty to Kronos malware charges — Graham Cluley.
- Scottish parliament hit by cyber-attack similar to Westminster assault — The Guardian.
- Hackers try to break into Scottish parliament email accounts weeks after Westminster attack — Graham Cluley.
- Blocking Brute Force Attacks — Advice from OWASP.
- Hundreds of 'smart' locks bricked by flubbed remote update — Graham Cluley.
- Friendly neighborhood hacker helps family regain access to locked car — Graham Cluley.
- AirDropping penis pics is the latest horrifying subway trend — New York Post.
- Is there a way to view AirDrop transfer history? — Apple Support community.
- What Is AirDrop? How Does It Work? — Lifewire.
- Exposing yourself is illegal – so why should the law tolerate cyber-flashing on online dating apps? — The Independent.
- Saint Louis Rapid & Blitz — Grand Chess Tour.
- Amazon's LoveFilm postal rentals is shutting down — Radio Times.
- "Waking up with Sam Harris"
- Smashing Security podcast on Facebook
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Transcript
GRAHAM CLULEY. Before we start the show, we’d like to give a shout out to our sponsors. This episode of Smashing Security is supported in part by Recorded Future. They’re the real-time threat intelligence company whose patented machine learning technology continuously analyses technical, open and dark web sources to give organisations unmatched insight into emerging threats. You should sign up for their free daily threat intelligence updates at recordedfuture.com slash intel. And thanks to Recorded Future for supporting the show.
Smashing Security, Episode 38. Gents, stop airdropping your pics. With Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Episode 38 of Smashing Security for the 17th of August 2017. My name’s Graham Cluley and I’m joined as always by my gorgeous co-host, Ms. Carole Theriault. Hello, Carole. How are you? I’m wondering how you can see me, actually.
CAROLE THERIAULT. I said we’re not in the same room. I just remember what you looked like. What, from four years ago when we actually hung out in person? I’m doing brilliantly, thank you for asking.
GRAHAM. Oh, smashing. And we are joined this week by a special guest, investigative journalist Geoff White. Normally, you’ll see him popping up on Channel 4 News or the BBC, talking about technology, sort of cybercrime-y stuff. But, Geoff, hello. Welcome to the show.
You are off to the Edinburgh Festival. You’re doing a show called The Secret Life of Your Mobile Phone. Tell us about yourself, what you do, and tell us about this show. It sounds interesting.
GEOFF WHITE. Well, yeah, we’ve managed to sort of blag our way into the Edinburgh Festival, which is full of, obviously, full of thesps and actors. So myself and a colleague of mine called Glenn Wilkinson, who’s an ethical hacker, or a penetration tester to give it the more humorous name, are off up with our show to the Edinburgh Festival.
So as you say, normally I cover cyber security full time. I tend to do the more investigative stuff, the longer term stuff. The problem we had after a while was this whole thing of personal data. The problem is it isn’t personal data when these mega hacks happen and millions of records go missing or when you expose some creepy vulnerability. People look and go, well, yeah, but that’s not me. It’s not my phone. It’s not my data.
So I realized that to really make data personal, you have to make it that person’s data. And the only way to do that is in a theater venue with an audience face to face.
So we cooked up this thing called The Secret Life of Your Mobile Phone. We effectively take an audience of people. We hack their phones with their permission, I should point out. We give them a significant warning at the beginning of what’s going to happen.
And then what we do is we track live and in real time where all of the data from their phones goes. So we show them which countries it goes to, which companies get it, where they are in the world. We talk and see what a cookie looks like. We show them what cookies they’re throwing out.
And we also show them how the signals given out by their phones, mostly by Wi-Fi, can be used to kind of profile them and track them and target them. And we also explain, by the way, we explain net neutrality using Mr. Potato Head. That’s a high point.
GRAHAM. Oh, we could have done that in our net neutrality episode. We needed a way to explain it simply.
CAROLE. I think that sounds like a genius idea. Are you going to record this? Are people going to be able to watch it, even those that can’t get up to Edinburgh?
GEOFF. It’s a tricky one. We try to keep the whole thing offline. There are highlights online. You can watch clips online.
We try to keep the whole thing offline, A, because it’s our show and we want to try and stop people copying it, because we have a Luddite mentality about copyright. But B, also, the whole thing works when you’re actually in the room.
So putting it available online, we’d be back to the same problem. People thinking, oh yeah, I saw your show, but it doesn’t affect me. Everybody who’s seen the show so far, no one can walk out of that venue and not think it applies to them because it does apply. We have shown it applying to your phone. So it needs to be up close and personal.
GRAHAM. Cool. And of course, a criminal could do the same kind of thing which you and your ethical hacking friend are doing as well. They could set up an evil twin hotspot, say in a cafe or an airport. People just mindlessly connect to it. And they’d be able to see everything which you’re seeing in this show. I mean, it’s a very real threat, isn’t it?
GEOFF. It really is. I mean, you know, as Glenn Wilkinson, the guy I do the show with, says, you know, this hack, what’s called the karma attack, where you impersonate a Wi-Fi hotspot. You know, it’s 10 years old, but it’s still working for us.
And what’s really scary is what you said there is people connect to a Wi-Fi hotspot. Well, actually, no, you switch your phone’s Wi-Fi on and it’s automatically going to try and connect without you necessarily knowing. So we just get the audience to switch their Wi-Fi on and that’s it. They start connecting to the Internet through our kit. It’s bewildering that this still works.
GRAHAM. After this amount of time. Well, it sounds like an interesting show. Go and check out Geoff if you are up in Edinburgh and we’ll put a link in the show notes where you can find out some more about Geoff and his show.
CAROLE. So what we’re really here for is to talk about what’s been going on in the wonderful world of computer security in the last week. We’re all going to choose a topic and you should go first, Graham. You should definitely go first.
GRAHAM. You think so? Well, I think first of all, maybe we just need to quickly touch on what’s been going on with Marcus Hutchins, a.k.a. MalwareTech. If you remember, he was the WannaCry accidental hero, the man who single-handedly crushed the WannaCry ransomware, which was ravaging the National Health Service here in the UK, by finding a kill switch for it. And of course, he was hailed very much as a hero by everybody for what he did, which was fantastic.
CAROLE. Except for the guys who were running the attack.
GRAHAM. Yeah, I suppose they weren’t so keen. But yeah, Marcus got arrested, of course, after the DEF CON conference. He was in Las Vegas and he was caught as he was planning to board his plane back to the UK.
And he’s now appeared in court in Milwaukee. He’s pleaded not guilty in connection, not with WannaCry, but in connection with another piece of malware, a banking Trojan called Kronos. And there’s a suggestion that he, well, the allegation is that he may have written code which ultimately ended up inside the Kronos malware.
GEOFF. There were some very odd, I was trying to follow this in terms of the comments made, in the accusation against the allegation against him, and also the comments made by his lawyer in the US. And it was just very confusing in that there seemed to be contradictory messages about whether he was claiming he’d actually designed this piece of malware, if so, whether he’d given it to anybody else.
I couldn’t quite work out what the defense was going to be, and the defense seemed, from the quotes I read anyway, seemed to be a little all over the place. I’d imagine, though, if it comes to court, you know, whether it will or indeed when they’ll have nailed that down.
But, you know, the weird thing is, I don’t think on your own computer designing a piece of software like this is necessarily a crime. If I’m just designing it, it’s the point at which you give it to somebody else, sell it to somebody else. And I think that will be if this does, I say, you know, it does come to court. That will be an interesting crux to this, I think.
GRAHAM. It is. I’m of the opinion as well, though I’ve been working in antivirus for 25-odd years, I do believe on your own computer, if you want to write malware, you go ahead and write malware.
CAROLE. The problem, though, is everyone’s connected to the Internet. They’re not writing it in a box.
GRAHAM. But I’ve read the transcript of the hearing in Las Vegas, the initial hearing. And it is interestingly worded because it was slightly different to how some of the media reported it. The prosecutors said that Hutchins had admitted he had written code which had eventually ended up inside the Kronos malware, which isn’t the same as saying you wrote the Kronos malware.
CAROLE. He could have written a tiny line of code that just fetches something that could be used both for good and for bad. Absolutely. That could have just been plugged in. It could be nothing.
So I think right now everyone has to just hold their breath and wait, you know, until we get more information. Because I agree with Geoff, it’s hard to know what’s going on right now.
GRAHAM. The situation right now is he’s pleaded not guilty. They’ve tagged him. He’s now in Los Angeles. He works for a security company out there. And he’s back online. You can follow him on Twitter as well, where no doubt he’ll be tweeting away.
And so that’s been one of the big stories of the week. But what I actually want to talk about was there have been some more brute force attacks against politicians’ email accounts in the United Kingdom. In this case, what’s happened this week is the Scottish Parliament has been attacked.
Staffers at Holyrood and members of the Scottish Parliament have been discovering that people have been trying to crack into their email accounts using this brute force technique, which isn’t a sophisticated technique. I mean, you can find automated tools freely available on the internet, which let you submit thousands and thousands of password attempts in seconds. You know, it’s starting with Arnold Aardvark and working your way up.
And we saw a similar attack a few weeks ago. I think it was back in June against Westminster, against politicians in London.
CAROLE. Isn’t it weird, though, that they wouldn’t be able just to discover it based on, you know, using software? Wouldn’t the government be using software to kind of go, hmm, a lot of traffic coming in from here?
GRAHAM. So it looks like none of the accounts in this Scottish example have actually been compromised, as far as we’ve been told so far. But what’s happened is some users have been locked out of their accounts. And that actually suggests to me that maybe some of the preventative measures which they put in place to prevent a brute force attack from succeeding actually worked.
They detected that something unusual was going on, which would be, for instance, a thousand attempts to log into an account and getting the password wrong one thousand times. You know, that sort of account lockout is a good idea. And that’s a typical countermeasure which can be used against a brute force attack.
The problem with account lockout, of course, is that it locks out legitimate users as well.
GEOFF. Up with an almost denial of service attack, don’t you, by default? Because everybody’s inconvenienced, you know.
GRAHAM. That’s right. And that’s why I think it’s not a good idea to lock out someone from their account after maybe three attempts. But if you lock out someone after 30 attempts or 100 attempts, or if you slow down the attacks so people can only try a few passwords every hour or progressively make that delay between entering a new password. Even a few seconds can make a dramatic difference to slow down a brute force attack.
CAROLE. Basically, you’re saying they locked out everyone in order to safeguard the accounts.
GRAHAM. No, I think some of the accounts, people automatically got locked out because there were so many failed attempts to log in.
GEOFF. These attacks, I mean, the brute force attacks are incredibly noisy. If you look at any institution, whether it’s the NHS, government, a local council or a business, how many of these brute force attacks go on all the time? And is it just that it was Westminster and Scottish Parliament’s turn? Or was it a directed targeted attack? And if it’s the latter, who on earth would do that? I mean, as soon as you get rumbled, you’re locked out. It’s exactly the opposite of what people who are interested in getting into an organisation want to do, which is to be stealthy, get in, stay in and stay undercover as long as possible.
GRAHAM. It’s strange. And it runs contrary to the story which we’re hearing from some people. Some people have suggested, oh, this must have been a state-sponsored attack. No, no, no. I’d be stunned, stunned if that was. Exactly. It doesn’t feel that. There are attempts made, for instance, you know, you get the LinkedIn breach database, the database of passwords which came out of LinkedIn years ago and other big hacks. And you might try those passwords against particular people’s credentials. But a brute force attack sounds a little bit dumber. Although, ultimately, you know, brute force attacks, given enough time, will work. It’s just whether your site or your web service is going to allow a brute force attack to continue. It’s a great
GEOFF. Way to distract attention, isn’t it, as well, if you’re wanting IT staff to be focused elsewhere. Just saying. Conspiracy theory number 12.
GRAHAM. I love it. It’s a bit like one of these Ocean’s Eleven-style heists, isn’t it? If you want to steal one thing, you’ll divert everyone’s attention to the hippopotamus in the lift or whatever it is that you’ve created as a huge distraction. I don’t remember that from the film. I don’t remember that. No, it’s a bit rude of me talking about Catherine Zeta-Jones like that. Is she even in it? I don’t know. I have no idea what I’m talking about here.
But there are things you can do to prevent brute force attacks and obviously put in more checks, heighten the security. If you determine that unusual levels of attempted logins are happening, you could have a CAPTCHA in place, although CAPTCHAs can be irritating. So you might want to use Google’s reCAPTCHA or even their invisible one. You can demand stronger passwords from your users in the first place. You can have two-step verification.
Troy Hunt, who runs the Have I Been Pwned website (and we should try and get him on the show sometime because we keep on plugging his sites), has just opened a new product called Pwned Passwords. You can actually download 300 million passwords that they know have already been breached. When people create an account, you can run it past that database. And you can say, actually, don’t use that password because we know that one’s been breached in the past. And it might be a dumb password. And that maybe will encourage people to use stronger passwords. I don’t know, but it seems a neat kind of idea.
CAROLE. Well, once again, people, password managers are a good idea to think about.
GRAHAM. Yeah, because they would generate stronger passwords for you. That’s absolutely true. And long, complicated ones rather than people reusing them. And there’s also some great advice if you want to read more about brute force attacks over on the OWASP Foundation, the Open Web Application Security Project Foundation website. I’ll put a link in the show notes where you can read more about that. But yeah, politicians there, I wonder what they might have in their email, which would be of interest.
CAROLE. Oh, yeah, we’ve not seen any of that in the last few years.
GEOFF. Well, this is the thing. So, you know, with the Westminster attack, obviously 90 accounts were compromised. I was slightly huffy that they put out the line that only, in inverted commas, 90 accounts were compromised.
GRAHAM. You know what they actually, do you remember what they said actually, Geoff? They said less than 1% of the 9,000 accounts we look after.
GEOFF. So look, if you’re a constituent of that MP, hang on, do they get written to, to say, you know, sorry, some of your data, personal, very personal data potentially, of constituents potentially? You know, imagine the ICO has been informed, but do the users, the constituents, get informed if data’s been breached? I mean, on the one hand, national security might say, oh, no, don’t tell anybody. On the other hand, it’s, well, this is people’s data. So I don’t know what’s going to happen with that.
GRAHAM. We need an investigative journalist to look into this. Get on it, Geoff. Get on it.
GEOFF. OK, Geoff, what have you got for us this week? Well, I’m quite interested as ever in the Internet of Things, partly because the phrase winds me up like you wouldn’t believe.
The Internet is things. You know, it’s always been the fibre optic cable switches, routers, you know. To say the Internet of Things is glibly assuming that it used to run on kind of hot air and bacon.
So the Internet of Things obviously is now a headline. And my favorite story from this week of the Internet of Things Gone Wrong is the digital locks, the remote access locks.
There’s a company called LockState, who are a US company. As the name suggests, they make digital locks.
These are connected to the internet. And as such, which is probably quite a good feature, these locks can update themselves over the internet. Unfortunately, it seems that…
CAROLE. You don’t even have to stop, you could just go dot dot dot and the rest was history yeah.
GRAHAM. Normally we’d be saying thank goodness there’s finally an IoT device which can actually update itself. No, that’s what we’ve been calling for and so yeah, but now you’re going to tell us, you know, ordinarily…
GEOFF. Nappies for adults are a great idea, but so this update went out to a set of locks. Unfortunately, the update applied to one set of locks, a newer version, but got applied to the older set of locks and, in techie parlance, bricked the locks.
The locks just stopped working. This wouldn’t have been so bad.
It’s hundreds of locks, so it’s not thousands and thousands, but it is a significant number of locks. And what makes it slightly more worrying is LockState are, describe themselves as a global partner for Airbnb.
Yeah. Right. Because of course, if you’re trying to let somebody into your flat, you don’t necessarily have to be there.
You can remote lock, you can give them the code and so on. So this caused problems obviously of Airbnb customers who are trying to get into properties.
Now there’s a few depressing things about this story. Number one is the fixes that were offered by this company.
One of them was take the back off the lock, send it to us, we’ll update it, we’ll send it back to you. That could take about a week.
Are they paying postage? I don’t know where they’re paying for hotel accommodation while I’m locked out of my flat.
CAROLE. Exactly. Changes of adult nappies. But…
GEOFF. The response was slightly lacklustre, a lot of customers felt. Also, looking at LockState’s Twitter feed, I mean, in the tweets and replies, you know, there’s a lot of people saying, oh, God, I’m locked out.
What can you do? And in fairness, LockState will contact me on Twitter and reaching out fine.
But on the front page of LockState’s Twitter account and last time I checked their websites, there’s barely a mention of this. And I just feel, you know, it’s not like nobody knows this has happened.
I understand you kind of don’t want to make a huge fuss about it. But the fact that on the front page of your website, you don’t have a thing saying, look, we’re on it.
Here’s the deal. I find that a depressing response in this day and age. And it’s all…
GRAHAM. So common, isn’t it, that organisations, they’ll have a breach and they may even admit they’ve had a breach. But you go to the website, you go to the Twitter account and you won’t find a mention of it.
Or it’s so hidden away in a PDF somewhere on their website. And there should always be a single line or something just saying, yeah, we screwed up.
But look, here’s what we’re doing about it.
CAROLE. I’ve been a crisis PR person for a number of years. And yeah, I think the number one advice is don’t hide your feelings.
If you can kind of own up quickly and solve it as fast as possible, I think we all like it better.
GRAHAM. Like Donald Trump did this week over Charlottesville, for instance. He recognised he’d caused a problem.
How long? 48 hours? He’d misspoke.
Yes, but he’d misspoke. But then he came back, Carole, with a much better step.
Of course, then he came back again. Yes, flim flam. And rather made it worse.
Because he likes to get his facts right.
GEOFF. He does. He’s very keen on that.
The other thing, the thing I find most depressing about this entire LockState story is, you know, thankfully this system comes with a failsafe. There is a key that can activate the lock.
And I just imagined myself getting my brand new LockState lock and fitting it to the door and thinking, oh, it’s a spare key. That’s great.
It’s a really good idea. Where shall I store that? I’ll store that in my flat.
CAROLE. Yeah. Underneath the welcome mat.
GEOFF. Because if you have to carry the key around just in case the lock goes wrong, what was the point of having the digital lock in the first place? It’s a nonsense. But there is actually on the subject of locks, there has been a nice, fun story, a happy story about a family who were locked out of their Toyota Estima.
Yeah, this is the Higgins family. Father John lost the key to the imported car when he bent down to tie his son’s laces one day. Well, immediately, you know, how would you – is he standing above a furnace or something? How do you – so the key goes missing under strange circumstances. But it’s the only key that will work on this car because they haven’t got a spare because it’s an imported, I think, a secondhand version.
So friendly neighborhood hacker, because he put out a Facebook alert for this lost key. Has anybody found it? We’re locked out of our car. It was months, I think, they were locked out of the car, just pushing it around like a wheelbarrow. And eventually this hacker says, well, I can probably help you out. They wheel it to a garage where the hacker unpacks the electronic systems behind the car, finds the chip apparently on which the key code is stored and recodes the chip with the new key and they get into their vehicle.
So happy ending. Although you then think, hang on, how many hackers can do that? I just would have broken the window. But then you can’t start the car. You’ve got to go to a car with a broken window. I’m sorry.
CAROLE. I was thinking back to when I actually did that before IoT and cars. You’ve got a literal –
GEOFF. Wheelbarrow in that case. People just chuck glitter through the broken window and have people sleeping –
GRAHAM. In it. I’m just feeling sorry for this family who went on holiday with their Toyota Estima, presumably got locked out of the property because it was using one of these smart locks, thought, okay, we’ll spend the night in the car. Oh, no, we can’t get in that either. You’ve got all these bricked devices left.
What you actually need is a real brick. We should all carry a brick around so we can smash a small window in order to get into our properties or into our cars.
GEOFF. I sometimes get accused of being the tinfoil helmet man. You’re in good company here. I’m in the company of the Brick Man. Brick Solution. Yeah, you guys could become superheroes. Brick Man and Tinfoil Helmet. All right, Carole.
CAROLE. So what have you got for us this week? Well, Bluetooth. I want to talk about Bluetooth. All right. So these days, we’ve got many devices that have Bluetooth switched on all the time. This is largely thanks to the popularity of wireless headphones and wearables, not to mention all the IoT devices Geoff was just talking about, or even retail apps, those things that track you around stores, you know, that offer you click and collect or in-store navigation functionality.
But I’m thinking that not many people are actually managing the Bluetooth restrictions as well as maybe they should. So we want to just look into how they can do that on iPhone particularly. And I want to talk about AirDrop in a second. So this was inspired by a story in the New York Post earlier this week.
This is involving 28-year-old Britta Carlson, who was on a New York train heading to a concert. And her phone makes this weird sound, right? The one that she’s not familiar with. And so she looks at the phone, there’s a message displayed and it says, iPhone one would like to share a note with you. She hits accept and was horrified with what she saw.
I’m going to quote here. What did she say? I’m quoting, it was just a huge close up picture of a disgusting penis. Unquote. I don’t think we needed the –
GRAHAM. Word disgusting. Surely they’re all disgusting.
CAROLE. Yeah. And she said it really felt like someone had just flashed to her. That’s what she said. Right. So, of course, then she’s panicking about who sent it.
Now, the image was sent, she has an iPhone. So the image was sent via AirDrop. Now, AirDrop is this neat little feature in Apple, which makes use of Bluetooth to create a kind of peer-to-peer Wi-Fi network between devices. So each device kind of creates a firewall around itself and the connection and the files that are sent are encrypted. So this is great if you want to share pictures and files with friends and family and colleagues, maybe even you, Graham, right? Not so great if the settings are allowing an honest stranger to send you pictures of their genitals.
GEOFF. So there must be a setting somewhere in the phone where you can either accept or –
CAROLE. Hey, hey, I’m getting to the advice section. Just slow down, buddy.
GEOFF. Oh, sorry, sorry, sorry.
CAROLE. So the thing is that the Bluetooth tethering range is limited. So that basically means that someone that’s using AirDrop has to be nearby. She knew the person who was sort of willy-waving at her was – no, because she was in the subway. But it had –
GRAHAM. To be someone close by, maybe in the same carriage or something like that. Yes. Crikey.
CAROLE. Yeah. Nearby penis. It’s a nearby penis. Penis proximity.
So the message she got was just titled Straw and it was sent basically by an anonymous stranger. She couldn’t locate the perp, right? And it turns out that Apple’s AirDrop doesn’t keep a log of these transactions. So I have seen reports that people are saying, oh, anyway, people are saying we can find out who sent these. I don’t see how that can happen if Apple couldn’t do it. If there was a national database –
GRAHAM. Of penises, it would be possible to do some sort of penis recognition.
CAROLE. Didn’t we cover, didn’t we have some porn site? It was David McClelland –
GRAHAM. Who was a guest a few, yeah, pervert, yes. Pervert. Who was on our show a few weeks ago, who was talking all about a porn site, which was asking you to photograph, I don’t know why he talked about this, but he was talking about a website which is using penises for authentication purposes, that’s right, and was asking you to upload images to it. I mean, if Apple worked with that company, presumably, maybe there’d be some correlation which could be drawn.
CAROLE. Honestly, though, as a girl, I don’t know, as a girl, you guys tell me if I’m being a genderist, but I think I’d find that really disturbing. I’d probably laugh out loud, but then I’d panic that I insulted the perv when I realized that he was just around, right, peacocking at me and waiting for my reaction.
GEOFF. This goes by, I mean, toothing. I think it was called toothing back in the day because when Bluetooth first came out, you could send unsolicited messages, unsolicited contact. And I thought that had been for exactly that reason that toothing became this thing where you try and, if you heard a shriek at the other end of the train carriage, you knew you’d hit the right spot or whatever with your offensive message or rude message or whatever. But I can’t believe that they’ve brought that vulnerability back.
CAROLE. Well, there are ways to handle this. There are things that you can do. And I would recommend I know, you know, I’d recommend you talk to everyone around to check your kids’ phones and your family’s phones to make sure the settings like this. So number one, let’s look at Bluetooth, right? So Bluetooth, you can basically toggle between on and off. And that basically means I’m discoverable or I’m not discoverable.
Now, Graham and I, before the show, had a little bit of a Barney about Bluetooth because I’m a person who likes to have it turned off because I don’t need every supermarket I go into, if I have my Bluetooth turned on, to know what aisle I’m going down to try and gamify it better so that I buy things I shouldn’t buy. Right? I don’t even know that I go down aisle three all the time. So I find that a bit disturbing. But Graham, you seem to think it’s fine.
GRAHAM. I do have Bluetooth turned on on my phone, but I’m very careful about what I allow to connect to it. And certainly with AirDrop, which is the iOS technology which has been used to spread these rude pictures, I do use AirDrop, I have a use for AirDrop inside my office, but what I only do is I only allow people who are contacts to send me an AirDrop message.
CAROLE. Well, that’s exactly the advice, isn’t it? So with the AirDrop. So iPhone users, you can just check your AirDrop settings by swiping upwards on your home phone from the bottom. And if you do, you can see whether your AirDrop is turned on or off or if it’s allowing it for contacts or for everyone. And if you’ve got everyone there, tsk, tsk, tsk, turn that off and choose contacts only. Although contacts is also an interesting choice because I have a lot of people on my phone whose—
GRAHAM. Penises you wouldn’t want to look at.
CAROLE. Whose penises I don’t want to look at maybe I should have a penis contact list I think—
GEOFF. Pinu is the plural.
My favorites, the pinu. On a more, on a more serious note if I can, I was gonna say I was dying to squeeze that one in there, but let’s move on. The look at what’s behind this, what’s interesting is there’s an entire edifice behind the drive behind Bluetooth, because what’s interesting is everybody switched their Bluetooth off, because it used up a lot of battery and it’s annoying. We now have Bluetooth Low Energy, and what’s interesting is because Bluetooth is such a short-range thing and because, as you say, they can tell which aisle, not just which aisle in the supermarket, but they can tell which vegetable you’re in front of.
They can see what tampons I’m looking at. It’s really annoying. Exactly. Now what’s interesting is the drive among advertisers. Advertisers and marketers are super, super excited about this because they can do really localized advertising, coupons for that brand of tampon or that vegetable, whatever. But in order to do that, people have to have their Bluetooth switched on.
Now, at the moment, they can do, if they want, they can do push notification if they change the systems, which means you have no option. Your phone comes up with a, hey, Geoff, you’re in front of the potatoes, buy some. I feel the industry is holding back from that because they don’t want to creep people out. But as you start to get Bluetooth headphones, as you start to get Bluetooth enabled by default, these advertising methods are going to start coming through. I really think we’re going to see a boom in this.
CAROLE. I actually recently bought an iPhone and I bought the 6S so I wouldn’t have to deal with the whole wireless headphones which would require me to have Bluetooth on all the time. And the reason Graham for example needs Bluetooth on all the time is because he uses it in his car so he pairs it with his car because he’s got a fancier car than I have. So there’s a lot of technology that they’re making it very easy for people to have it on all the time. And I think there is a cost.
The other cool idea here is that you can actually, so when your Bluetooth is turned on, you are effectively discoverable. And it might be a good idea to change your phone’s name. And you can do that in settings, general, and about. So using a code name or initials or something that doesn’t infer, well, in this case, as we’re talking about dick pics, infer gender or age might be a good thing. If you had John Smith written there, maybe you’d be less likely to get—
GRAHAM. I think that’s a good idea. I’ve changed the name of my iPhone to Carole Theriault. And…
CAROLE. Well, you’re going to get inundated now. Let me tell you.
GRAHAM. The number of penis pictures I’m now getting is enormous. Bing, bing, bing, bing, bing, bing.
GEOFF. It is… Just going back quickly to the show that we’re doing up at Edinburgh, it is astonishing how people have named their phones after themselves. And what we do in the show is we show where people… We can find people’s work. Wi-Fi networks who know where they work. We can locate their home Wi-Fi. We can also then tell what their name is.
CAROLE. Yeah, but Geoff, I’m not sure that’s fair because I think when you get a new iPhone, it says, what’s your name? And then it automatically assumes you want to be called by your name. So I think it actually might be in the setup section. So it’s a good idea for everyone, just check your phone’s name, do that settings general and about on the iPhone, just see what’s written there and maybe change that to make it a little less…
GRAHAM. At least Apple during setup isn’t asking you for your stripper name or your porn name. And then it would get, of course, that, what is it, your mother’s maiden name and the street where you used to live, which obviously would be useful information for thieves as well. But the advice you’re giving people, Carole, is if you’re going to have airdrop on, make it contacts only.
CAROLE. Yeah, if you’re going to have it on. I say turn it off whenever you’re not using it.
GRAHAM. Okay, but sometimes there are situations where you want to, in this particular case, this victim on the New York underground system, she had enabled it so everyone could contact her. I think she was using it like that for her office. Wouldn’t it be great if Apple gave you an option of saying, turn it on for everybody, but only for half an hour and then switch back to contacts because you will forget to change it back?
CAROLE. I love that idea. Yes. Call them now. That’s a great idea.
GRAHAM. I’ll have a word with Tim.
CAROLE. Yeah. No worries. Good, good. Now, one thing. I saw a lot of articles about this piece this morning. And there’s a lot of in the titles I’m seeing cyber flashing, you know, a trend. I don’t think via airdrop it is a trend. Okay, from my research this morning, I don’t think it’s been happened very often. I saw one case in 2015. There was a few in 2016, but I haven’t really seen any others. So I think that is a bit of hyperbole. However, there is a problem with, and there’s many reports of women on dating apps receiving unwanted pics of male junk.
So that led to this interesting and related conundrum for me. So we all know that flashing in public is illegal in most places that I frequent. Anyway, in the US, for example, indecent exposure. Basically, I think that you have to purposely display your genitals in public, causing others to be alarmed or offended. And in the UK, you can get a two year prison sentence if you’re convicted under the Sexual Offence Act. However, seems to be quite grey as to whether sending someone a dick pic, for instance, is considered indecent exposure. So it’s like digital problem of cyber flashing.
GEOFF. It’s interesting because it’s not actually, it’s not publication or exposure generally, is it to the public? You’re actually targeting it to a specific person, albeit a stranger you don’t know. But there’s indecent communications legislation. So if you send someone a picture through the post of your junk, so maybe that’s the legislation that would apply. But you are. I don’t think the flashing legislation would apply. Barrack-room lawyer here.
CAROLE. I know, but I think you may be right. And that’s very, you know, it’s going to get greyer and greyer as our world becomes more online. How do we apply, you know, our old laws to this new world that we’re living in? Very deep.
GRAHAM. Yeah. Well, thanks, sir. Anytime. Nice cheery note to perk us up. Hey. Get it? Really, we’re going to make innuendos about the word up.
CAROLE. You didn’t even laugh at my peacocking joke. I thought that would…
I didn’t notice it. I didn’t notice it. Oh, well, I was talking too fast. Above your head.
GRAHAM. Let’s find out who our sponsor is this week. Shall we? Who is going to be our sponsor this week? Sponsors. Yeah, we love sponsors. Are you going to interrupt me? I thought you were going to interrupt me. Say, Graham, who’s the sponsor? Graham. Let me, let me, yes. Hi. Hi. Hi. Graham, who’s our sponsor this week?
Our sponsor is Recorded Future. You know them. They’re cool. They do all kinds of cool things. Like? They look on the web. They look on the dark web. They peruse the internet in its darkest corners and they work out what are the new emerging threats and vulnerabilities from the world of hacking and cybersecurity. And then they bundle it all up. They wrap it up in a beautiful ribbon and send it to you in a free email.
CAROLE. If you want to be ahead of the game, I guess you get their free daily email.
GRAHAM. Of course you do. But first of all, you’ve got to sign up for it. Otherwise, they won’t know to send it to you. They’re not that clever. Go to recordedfuture.com slash intel. And thanks to Recorded Future for supporting the show.
Welcome back to the show. And it’s our favourite bit of the show. It is what we like to call pick of the week. Pick of the week. Gotta say it, Geoff. Pick of the week.
Thanks, Geoff. It’s important. I feel cheap.
You can have a shower after the show. Hey, look, we’ve plugged your Edinburgh show enough. You can at least say pick of the week for us.
Pick of the week.
So pick of the week could be a funny story, a book we’ve read, a TV show, a movie, a record, an app. It doesn’t have to be security related necessarily. It can be though.
And my pick of the week this week, I’m a bit of a chess fan. I’m not very good at playing chess, but I love chess. And right now there is an incredible tournament going on. It has been going on for a few months. It’ll be going on for a little bit longer. It’s going on around the world. But right at this specific moment, the Grand Chess Tour is in St. Louis in America where they are having a rapid and blitz chess tournament.
I know, I can hear the excitement right now. No, no, no. It’s not boring because normally a chess game will last about four or five hours, which maybe not everyone will enjoy watching.
You don’t even get cucumber sandwiches. Yes, do you, I bet. It is fantastic though.
Anyway, what’s happening right now is a rapid and blitz tournament, Carole. So it’s only four hours.
No, no, no. So the Rapid tournament, you have about 25 minutes each. And the Blitz tournament, I think you have about 5 minutes each. So this is Rapid Fire chess. This used to be called Bullet chess. Wasn’t this Bullet chess? There is bullet, there’s Blitz, and there’s Rapid.
CAROLE. I don’t know a lot about chess. So you’re saying in this Rapid chess someone has 5 minutes to make a move or finish a game?
GRAHAM. In Blitz chess. No, no, no. 5 minutes to make a move? No, no. The whole game.
Okay. And then your clock runs out. So as Geoff just said, there’s also bullet chess, where I think it’s just a minute for the entire game. And you’ve never seen anything like it. It’s so exciting.
Anyway, there are some amazing players. Levon Aronian, crazy player. He’s been doing some fantastic games. Hikaru Nakamura and the return of the incredible Garry Kasparov is back from retirement playing chess. And it’s terrific to watch. You can watch this live streaming on the internet.
ROBOT. Oh, no, it’s not because he could go to D6 anyway. Knight c6 is king d6. Oh, and Garry’s playing knight c6, queen takes c6. It was made because of queen d7, but now he’s, oh, he’s winning the queen back. Yes, he’s playing rook d6 here. He’s winning the queen back. Rook d6, and what’s that pawn end game? And the pawn on f4. What’s the pawn end game? Look at Garry, he’s devastated. The pawn on f4 is winning. Oh, my goodness. After Queen takes D6, King D6 takes an S7, the King is coming back to E7. Unbelievable game. Wow. Wow, that was very exciting, but not exciting in the way that Garry Kasparov’s fans would have had it, Yasser. Oh my God, I feel the chill. I feel this stone cold chill.
GRAHAM. I can’t. You can go and check it out on YouTube. I’ll put a link in the show notes as well. And there’s live commentary on the games as well.
Do you have insomnia? I know. I’ve basically been doing no… Don’t tell the wife. I’ve been doing no work all week because I’ve been watching these broadcasts.
Does she like being called the wife? Well, she is the wife. She’s not a wife. I can’t say a wife. Why would I tell a random wife? I’m telling my wife.
Oh, okay. But that suggests possession as well. That could cause controversy in the household.
Anyway, go and check it out if you’re into chess. If you’re not into chess, don’t worry.
CAROLE. Well, let’s hurry up the show so I can go check it out.
GRAHAM. Alright, alright, Geoff, pick of the week. Tell us your pick of the week.
GEOFF. My pick of the week is tech related actually, but in a sort of vintage tech related way. The demise of the LoveFilm DVD by Post Service.
They’re still doing that? Yes, and that just shows, doesn’t it, how out of touch you are with the diversity of people in the country.
You know, my mum, for example, I went home to visit and she said, oh, should we watch a DVD? And I sort of felt like being invited on the Antiques Roadshow.
And so this is basically, you know, Amazon are like, nope, streaming is the way forward, DVDs no more. And obviously that does throw up the question of what they do with all of the old DVDs. LoveFilm’s catalogue covers apparently more than 80,000 titles. Amazon has told the BBC that they will donate the DVDs to charity partners.
And I just have this image of a guy going to Oxfam with bin bags for here you go, here you go, and Oxfam’s saying no. Your problem now.
CAROLE. You know what, actually that would be amazing for a lot of charities actually, you know. I can imagine that would be a good thing.
GEOFF. I don’t know, I’m interested what charities think about this because they must get inundated with these old rubbish DVDs. Oh this is my, here’s my All Creatures Great and Small collection. DVDs, do they actually manage to sell any of that stuff, you know?
GRAHAM. They’re probably pleased people have finally stopped bringing in their AOL sign up DVDs and things like that now. Again, LoveFilm ones, oh Craig will shift these now too.
CAROLE. They don’t have to go to charities that are actually reselling. It could actually just go to a place which is helping people, you know, just be on the shelves. I don’t know. Not everyone can afford a Wi-Fi connection, you know, a strong one for streaming. So I don’t know. I think it could be really good if they do
GEOFF. That is true. But I used to love the DVD. I used to love getting those little packages in the post. And that little thing they had that kept the discs in and then you’d return them. You’d think, what’s next on my list? Oh, it’s rubbish.
GRAHAM. It was kind of. At the time, it felt revolutionary. They had such cool little envelopes, didn’t they? Which sort of folded over.
CAROLE. Isn’t that three a month you were allowed for a fixed fee?
GEOFF. For several years, I managed to keep doing the free trials with different email addresses. We shouldn’t say that on the podcast.
CAROLE. You’re the one that led to their demise.
GRAHAM. So now we’re all wondering why they’ve gone kaput.
CAROLE. R.I.P. LoveFilm DVD. We know who’s responsible.
GEOFF. I think Amazon have a bit of money, though. I seem to remember them being quite comfortable. Well, the main guy does. We don’t have anybody else.
GRAHAM. None of the rest of them are making any money, but Jeff is doing all right. Not that, not our Jeff. Jeff’s spelled the wrong way. Yes, exactly. So your pick of the week is basically the death of LoveFilm, is that what you’re saying? Death of the DVD, generally. Oh, yeah. That is strange, isn’t it? That technology is already gone.
GEOFF. I like owning stuff. I’m a big owner of stuff, because then no one can take it away from you or change it. So this is a really interesting thing. If we’re streaming all the films now, they can change the films, like they did with Star Wars, this big controversy about that. So I’m slightly worried by the fact that if the studio says, actually, we’re going to recut this film and put out a new version, if I had the DVD, they couldn’t take that back. Whereas now, I know this might sound paranoid, but I do just, you know, I like owning the stuff. It’s control, it’s power. Carole, what’s your pick of the week?
CAROLE. Mine is brain food for those fascinated by science, morality, culture, politics, life. And this is a podcast called Waking Up with Sam Harris. Now, Sam Harris is no small-time fish. He’s written a number of books. He’s considered quite a genius in many circles. But I had never listened to his podcast. And someone recommended it to me. So I took a listen as I was on my way to Cambridge last weekend. And after only three episodes, I am delighted and feel much brainier. You know, it’s hard for me because I’m up there on the scale. So as I was talking about cyber flashing earlier, I would recommend checking out the episode called Living with Violence, a conversation with Gavin de Becker. Now, de Becker is like a three time presidential appointee. He did pioneering work changing how U.S. governments evaluated threats to the highest officials. He looks after lots of people in Hollywood. He’s like he is the business. In fact, years ago when I was on my way to university, my dad actually sat me down and made me watch a PBS episode with him explaining on how women could protect themselves better on the streets, on their own.
So he’s a guest on the latest Sam Harris podcast. And the whole format is really a kind of conversation between Sam Harris and experts in their field. So I definitely would check it out. So check out Living With Violence, Conversation With Gavin de Becker, and Feel Smarter.
GRAHAM. And the podcast is called Waking Up with Sam Harris.
CAROLE. Yes. I can say it a 15th time if you like. Burning hot today. Burning hot.
GRAHAM. As you’re such hot stuff. Have we got any other business for our listeners this week?
CAROLE. We have a new Facebook group, which Graham is managing beautifully. You can find it at smashingsecurity.com/Facebook. And you can buy a t-shirt. We were talking last week about the global thermal nuclear war, so the cotton here is good. It will protect you. You can find it at smashingsecurity.com/store.
GRAHAM. Yes, and I checked just before we started recording: someone has bought a t-shirt and they’ve bought a sticker, and I think the sticker and the t-shirt combined with a whole bunch of LoveFilm DVDs, you could create a shelter out of them, I think, if there is a nuclear winter.
GEOFF. This is dangerously close to false advertising you guys. There’s so many lawsuits coming your way.
GRAHAM. So on that note I think that’s just about all we’ve got time for. Thank you for tuning in. Thank you, Geoff, for joining us this week. Really appreciate it. It’s been a pleasure. Good luck with your show up in Edinburgh. I hope it goes well.
Thank you. Yes, best of luck. If you at home enjoyed the show, please tell your friends. Let us know what you think. You can go to our website, smashingsecurity.com, or drop us a line at , or even leave us a little review on somewhere like iTunes. That’d be nice, wouldn’t it, Carole? Yes, or anywhere else. Why not? Feedback’s good. Feedback is good. Until next time. Toodaloo. Bye-bye. Bye-bye. See ya. Don’t say cheerio then, alright? Just be me then. Bye-bye. See ya. Carole doesn’t like saying that she never can say goodbye. That’s the end of the song. Never can say goodbye. Exactly. Geoff got it.
CAROLE. It sounds lame. How many people say goodbye?
GRAHAM. Well, I just think it’s polite. You know, we’re a friendly show.