Unknown
Smashing Security, Episode 46: Good Beard, Bad Beard, with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to another episode of Smashing Security, number 46, for the 5th of October 2017.
My name is Graham Cluley, and I'm joined as always by my good chum and co-host Carole Theriault. Hello, Carole, how are you?
CAROLE THERIAULT
I'm good, and I just realized we've done way more episodes than I am old, so that's really cool.
GRAHAM CLULEY
You're revealing your age?
CAROLE THERIAULT
No, no, I'm not revealing my age, actually.
GRAHAM CLULEY
Okay, just a lot more. I'm saying I'm under 46.
CAROLE THERIAULT
I'm not claiming, I'm stating.
GRAHAM CLULEY
And we are joined this week by a special guest, Rich Baldry. Hello, Rich, all the way from Vancouver.
RICH BALDRY
Hello, Graham. Hello, Carole. It's wonderful to be here.
CAROLE THERIAULT
It's very early in the morning for you, isn't it, Rich?
RICH BALDRY
It's fairly early, yes. It's still cool outside and I'm still wearing my slippers.
GRAHAM CLULEY
I think everyone— oh, Carole, why didn't we have a sponsor slot before we began the show today? What's going on?
CAROLE THERIAULT
Wow. Rather than having a sponsor this week, we thought we should try and make an appeal to the people rather than have a sponsor slot.
So it was International Podcast Day very recently. Was it Friday, I think?
GRAHAM CLULEY
Yeah, over the weekend or something. Yes, that's right.
CAROLE THERIAULT
Exactly. And so what we're trying to do is ask all of you to introduce Smashing Security to at least one new person.
Now we know lots of people don't know how podcasts work, so that is the mandate. Can you teach them how podcasts work and maybe even subscribe them to the show?
GRAHAM CLULEY
Yeah, absolutely. Maybe just wrestle their phone off them, find out their PIN code or crack their password and subscribe them to the show.
CAROLE THERIAULT
Yeah, because for us to produce this takes a lot of effort and the more listeners we have, the easier that is.
GRAHAM CLULEY
Oh, we do love producing the show though, don't we? But it would be fun if we had even more people listening.
CAROLE THERIAULT
Yep, absolutely.
GRAHAM CLULEY
We're not doing badly in Zimbabwe, you know.
CAROLE THERIAULT
We're not doing badly, period. I think more would be better.
GRAHAM CLULEY
It would be smashing. So I guess this episode of the Smashing Security podcast is sponsored by our good friends, Smashing Security. Fantastic.
So as you know, every week we look back on the week's news and the things which caught our eye and comment on them, and I have seen a story which tickled my, well, maybe tickled is quite a good word to use actually.
Because, you know, Carole, I mean, we're talking here about Smashing Security.
You know, since Vanja Svajcer, if you remember him, since he left Smashing Security, there's been a lot of debate online as to which of our team has the best facial hair. Is it me?
Is it you? Because previously it was clearly Vanja, right?
CAROLE THERIAULT
Yes. Now, sorry. So you're including me in this?
You're including me in this?
GRAHAM CLULEY
You think my baby face skin, my perfect skin is comparable to your stubbly little— I'm quite honoured that you call me stubbly, because I mean, I've always struggled to grow facial hair.
I did once grow a moustache for Movember.
CAROLE THERIAULT
Sorry, what?
GRAHAM CLULEY
A moustache.
CAROLE THERIAULT
What did I say? Moustache. I don't know. I thought it was some English.
GRAHAM CLULEY
What's wrong? Moustache? Moustache?
CAROLE THERIAULT
I don't know.
GRAHAM CLULEY
Anyway, one of those things, those hairy caterpillars. But I ended up looking like an Egyptian taxi driver, quite frankly. Well, it wasn't that convincing.
RICH BALDRY
I think everybody does. Everybody does for Movember, isn't it? That's what most people shoot for.
GRAHAM CLULEY
Well, you have a fine chin of hair, as I remember, Rich, don't you?
RICH BALDRY
Yes, I do. Yes, yes. Well, not quite as fine as some, but certainly it keeps me warm in the wild north of Canada.
GRAHAM CLULEY
I'm pretty impressed by it.
You're right, it's impressive, but not as impressive, I would argue, as a chap who lives in France or was living in France called Gal Valerius, who has been arrested in the United States by the DEA in connection with the dark web website Dream Market, which is basically— it's like the eBay of drugs if you want to buy all sorts of— yeah, yeah, you're making a note, aren't you?
CAROLE THERIAULT
I'm just writing a note.
GRAHAM CLULEY
Yeah. So anyway, this chap was arrested at Atlanta International Airport because he was traveling from France to Austin, Texas to take part in a competition.
RICH BALDRY
Okay. And not because of his beard.
GRAHAM CLULEY
Well, yes, the competition he was going to was the World Beard Championships. Oh, marvellous, eh?
Yes, that's right. And we'll put a link in the show notes to the World Beard Championships, because once I started going down that particular rabbit warren, it was hard to get out.
There's lots of different categories, you know.
CAROLE THERIAULT
Oh, were you jealous?
Were you jealous of all the hirsute men?
GRAHAM CLULEY
Oh, it's very impressive. There's the English. Sounds fairly ordinary, you know. The Dali. I think we know where that's going. The Hungarian. You imagine something a little bit Russian.
The Musketeer, which isn't so much a beard, is it? It's just sort of a thing on your— well, I suppose it's a mini beard. The Imperial. The Alaskan Whaler. The Fu Manchu.
CAROLE THERIAULT
Okay. You are so obsessed with beards.
GRAHAM CLULEY
I am. It's fantastic. And if you go into the full beards category, they actually measure them by length.
So you can start off at one centimetre or whatever, but it goes up to 60 centimetres plus. Now, I don't know—
CAROLE THERIAULT
So what is that, is that the longer the better? Is that what you're saying?
GRAHAM CLULEY
Well, no, I think they're sort of artistic. It's a bit like ice skating, isn't it, growing a beard?
It's slightly less sequins maybe and tight trousers, but it's basically about artistic impression. What do you think, Rich, with your beard? What's your plans with that?
RICH BALDRY
Well, yes, it does seem like an awful lot of work what they do, doesn't it? I mean, I have my beard for convenience rather than for show, I have to say.
CAROLE THERIAULT
You don't backcomb and use hairspray?
RICH BALDRY
No, no, I have tried beard oil, which is supposed to make it softer, but that doesn't seem to have worked. So I'll just keep it.
I did notice though that there is a section for the ladies as well in the contest, isn't there? So Carole, you're not excluded from this.
CAROLE THERIAULT
Is there?
What kind?
GRAHAM CLULEY
Seriously, you should click through on the links, Carole. There are some links to the Austin Facial Hair Club.
And if you go down, I can't remember which one it is in particular, but yes, there is a sort of freestyle women's beard.
There's someone who appears to have a couple of branches coming out of the side of her head with little people on swings swinging on it. I mean, this is art, quite frankly.
And for someone who was running an underground drug-dealing website, of all the competitions, I think this is a fantastic place for him to go to because potentially there's new customers here.
One should take a look at them. So what happened was this: he was stopped by border control and his laptop was searched.
And according to the DEA, the contents of the laptop identified him as Oxy Monster.
Not to be mixed up with Cookie Monster. He had the Tor—
CAROLE THERIAULT
Boom, Graham, boom, boom.
GRAHAM CLULEY
Well, you know, cookies, they could, you know, if you had the munchies or something.
He had the Tor browser on it, which is the thing which keeps you all sort of secret and safe and warm on the dark web and covering your tracks.
But he also had the login credentials for Dream Market. And get this, half a million dollars worth of bitcoin. It's quite nice, isn't it? Nice to have in your back pocket.
He's said to be the secret administrator and moderator of the dark web website Dream Market, which is obviously earning money through commissions on every transaction.
And the site listed him as official staff.
Investigators had been reading posts which he'd posted about how to stay anonymous on the web, and they'd managed to link the bitcoin payments to Valerius.
And so they think they've got their man, and then he arrives on their doorstep, on their runway, with an enormous beard.
And they had actually looked at some of the postings he'd made on this dark web website and compared the language to the language he was using on his Twitter account.
CAROLE THERIAULT
Do you think there was a Clouseau French detective who was "Look for the man with the beard!" Yeah, the beard.
GRAHAM CLULEY
Well, he had an Instagram account as well. I should go and check that out because we've probably got some fantastic pictures of his beard up there.
Anyway, according to the Miami Herald, who wrote all about this, there were similarities in the use of words and punctuation, including the word "cheers." It's well, come on, that's not really— is that it?
RICH BALDRY
Oh my goodness. I use that.
And I have a beard.
CAROLE THERIAULT
You better watch out, RB.
GRAHAM CLULEY
Do you use double exclamation marks, Rich? Because apparently that was the other clue.
RICH BALDRY
No, no, absolutely not. Very vulgar.
GRAHAM CLULEY
Frequent use of quotation marks.
CAROLE THERIAULT
When you're quoting something.
GRAHAM CLULEY
And it's brilliant, this, isn't it? It's going to stand up in court. And intermittent French posts, which perhaps isn't that unusual for a Frenchman. Sacré bleu.
Anyway, he's obviously got some questions to answer. The DEA think they've got their man and potentially he could face up to life in prison for this.
So if you've got a fancy beard, maybe, you know, think twice about showing it off in America because they might want to take a look at your laptop.
And what are you doing keeping sensitive information on your laptop anyway?
CAROLE THERIAULT
And Graham, hold on. I think I may have fallen asleep at one point during your segment. What has he done?
What has Valerius done other than have lots of bitcoin and the Dream Market login credentials?
GRAHAM CLULEY
It's alleged that he was high up in this dodgy website, which was making a huge amount of money.
CAROLE THERIAULT
Off drugs.
Okay, okay.
GRAHAM CLULEY
Breaking news, Carole. You're not supposed to be doing.
CAROLE THERIAULT
Drugs are bad. Yes. Gotcha. Just say no. Yeah, gotcha. With you 100%. That's bad. I'm with you.
RICH BALDRY
That in itself is bad enough if it turns out to be true.
But he, according to one of the reports I read about this, he actually had also been hacking an app that allows beard wearers to sort of compare their beards and compete their beards and gamble and bet how good their beards are.
GRAHAM CLULEY
What? What?
RICH BALDRY
What? An app called Beard Wars. If you read this, I think it's The Guardian, The Guardian's article about this guy. So Beard Wars, there's an app apparently called Beard Wars.
I love it. And it allows people to post photos of their beards and have them voted on.
CAROLE THERIAULT
And it's Hot or Not, but good beard, bad beard.
GRAHAM CLULEY
And you're able to gamble on this and take that.
RICH BALDRY
Yeah. So there were a couple of guys they interviewed who are obviously regulars on this site and they used to win regularly.
And then all of a sudden this new user came along out of nowhere and started amassing loads and loads of chips.
CAROLE THERIAULT
I love it.
RICH BALDRY
And they tracked these false accounts apparently back to the same guy, back to Valerius.
CAROLE THERIAULT
You see, he's a bad man.
RICH BALDRY
Truly dusted.
GRAHAM CLULEY
Yeah. Forget the drugs. I mean, I think cheating at Beard Wars is completely outrageous.
Rich, what have you got for us today?
RICH BALDRY
Well, my topic is a little less frivolous, but we all know that privacy on the web depends on HTTPS, don't we? We've talked about that.
I know you guys have talked about that quite a lot, the importance of seeing that little padlock on the browser.
And the proportion of web traffic that uses it is growing a lot and growing very quickly. So that's a good thing too.
But obviously, like all security measures, it can come at a cost of convenience.
So browsers warn us if there seems to be a problem with the authenticity of a site, if they can't make a secure connection. Yeah, I'm sure you see these warnings all the time.
Oh yeah. But do they always mean there's something bad going on? You know, or is it a case of the boy who cried wolf?
Is it a case where we end up getting very blasé about the warnings because too often they're inconvenient?
You know, it's a site we really want to go to, so we just click through anyway. And what I've seen this week was a paper that was published by a group of researchers from Google.
So they've been looking into this a lot. They've published a few papers over the years about how users respond to these warnings.
And basically, you know, what they're interested in doing is trying to make people trust the browsers and make people actually take these warnings seriously.
But in order to do that, they have to make sure the warnings are genuine.
What these researchers were able to do, because they had access to Chrome, was put some code into Chrome so that every time someone was shown a warning, if they had the feedback option turned on, where there's an option to help the Chrome developers improve the product, it would send back a bunch of information about the warning and about the connection and what problems were found.
And they've been able to amass a huge amount of data and see for the first time really what's going on and why these problems are coming up.
So they wrote a bunch of rules that would allow them to analyze these reports, look for specific types of problem.
And they found that over two-thirds of the reports they were able to automatically classify were things which weren't really security problems: they were problems either with the network, or misconfigured servers, or misconfigured computers.
CAROLE THERIAULT
Two-thirds?
RICH BALDRY
Yeah. So those were all automatic. So it just goes to show that it's a pretty small proportion of the times that you see these warnings where there's actually really something wrong.
So for example, one-third of the warnings for Windows users were actually caused by the time and date being wrong on their computer.
You know, the certificates that secure HTTPS have an expiry date. They also have dates when they start being effective.
So if people's computers are set up incorrectly, then it will all of a sudden think that you're using an expired certificate.
CAROLE THERIAULT
Okay. That's good to know.
RICH BALDRY
So there was that one. And then about another third of all the warnings were from misconfigured servers. So where the certificate doesn't match the name of the website properly.
So maybe it has a www in the certificate, but people went to the website and it was served up just without the www; or where the certificate chain, which is how the certificates are linked back to the ultimate trust authority, the certificate authority, isn't provided by the website.
So what did they do?
Well, they took all these different problems and then they tried to find ways to actually advise the users and give the users something actionable to do to deal with it.
So for example, with the time issue that I mentioned, where they found that all these Windows machines were not set to the right time, they started off by trying to check to see if the time on the computer was radically different to the time that version of Chrome was released, for example, because sometimes people were years out and they never really noticed it.
But that wasn't really precise enough. So what they actually then did was they built a whole new cloud time service which Chrome can talk to.
And so when Chrome sees a certificate-invalid error caused by the date being wrong, it will actually ping the server and say, the server says this is the time, does it match? And then they'll tell the user.
So there's all sorts of things which they've done to try and make these warnings much more useful and much more actionable. And at the same time to solve the problem.
CAROLE THERIAULT
You make a really good point though, because if you do get anything too often, you start to ignore it. It's just human nature, isn't it?
GRAHAM CLULEY
Yeah. And if you get something too confusing as well, I think the typical computer user, when faced with awful gloop, thinks: I'm just going to press the button which makes the gibberish go away.
CAROLE THERIAULT
We all know that makes perfect sense to you, Graham.
RICH BALDRY
And there is an awful lot of gibberish in the world of encryption.
GRAHAM CLULEY
And from the website's point of view as well, it's not always completely simple setting up your HTTPS. I mean, we set it up for Smashing Security.
We thought, oh crumbs, you know, we can't do a security website without SSL.
CAROLE THERIAULT
Yeah, that was a pain in the butt.
GRAHAM CLULEY
And we messed it up a bit. And thankfully Scott Helme was around to give us a little bit of advice and we were able to fix it.
But of course, this is becoming more and more important to get your site having HTTPS because of course Google Chrome is, I think it's this month, isn't it?
It's going to start making it clearer that sites are insecure if they don't have it.
RICH BALDRY
That's right. Yes, they're going to start warning if you're going to a non-HTTPS website, certainly if it's a non-HTTPS website that you're actually putting information into.
And I think over time they're planning to increase that to just to all HTTP sites.
GRAHAM CLULEY
Right. Which ultimately is going to panic people into rushing to HTTPS and potentially not implementing it right, which means more error messages appearing.
So we have to make sure these error messages are easy to understand, easy to action.
Those figures you gave us are astonishing, a third being related to the time being wrong, for instance.
CAROLE THERIAULT
And two-thirds not being. That's a huge amount.
RICH BALDRY
And of course it's worse sometimes being, giving people a false sense of security. If you think you're protected by HTTPS, but actually you're not.
And sometimes that can be worse really than knowing that you're just going over the ordinary web.
GRAHAM CLULEY
Yeah. Oh, it sounds some interesting research. So we'll put a link in the show notes so people can read more about that.
But yes, Google have been doing a fair bit in this area, haven't they? And I expect we'll see more from them in the future on this. Carole, over to you. What have you got for us?
CAROLE THERIAULT
I can just say I'm very happy that Rich did something with some teeth because mine is a bit more fun.
So media campaigns, we have certainly done a few in our time, haven't we, Graham, over the years? And we all know what makes the infosecurity journos drool, right?
I'm going to talk about a piece that was in The Reg and I recommend everyone goes and reads it because just for the comments, it's worth it.
So this is all about a company called Pentest Partners. They're a UK-based security consultancy.
GRAHAM CLULEY
Oh yeah, yeah, I know that.
CAROLE THERIAULT
Yeah, you're right. And they've issued some rather sexy research this week.
So PTP, as we're gonna call them, their main message in all of this research is that a lot of people out there really love the new Bluetooth Low Energy or BLE.
They prefer this over traditional Bluetooth, partly because it's improved battery life, and also its ease of use.
However, the PTP team says that these new Bluetooth security features are rarely implemented correctly, if at all.
And that can lead to some unexpected and perhaps even embarrassing consequences.
CAROLE THERIAULT
So where are poorly secured Bluetooth devices a bit of a yucky problem? Well, in the smart, how shall I put this, intimate massage equipment industry. I'll put it that way.
Intimate, intimate massage equipment industry. Smart personal de-stressors is another word we could use for them. These are basically adult sex toys.
GRAHAM CLULEY
Oh my goodness.
CAROLE THERIAULT
Yes. And now they have looked at a number of different smart toys, including ones from the companies Lelo and Lovense and Kiiroo, which produces the horribly named Fleshlight.
And they found the security vibe was sorely missing in this. So Braxton—
GRAHAM CLULEY
You're doing this deliberately, aren't you?
CAROLE THERIAULT
A little. You can't help it. And every journo has done it as well. You just can't help it. There's just too much.
GRAHAM CLULEY
All right, okay.
CAROLE THERIAULT
And they, you know, so basically let's get down to business, right?
So brass tacks, the question is, the question they're trying to answer here is, could someone using a Bluetooth discovery app be able to detect whether a device was in use?
GRAHAM CLULEY
Oh, okay. So if I was some sort of stalkery peeping Tom pervert.
CAROLE THERIAULT
If you're just walking around the street with your Bluetooth sniffer, right? As you do. And let's say someone was in their apartment having alone time.
GRAHAM CLULEY
It's lunchtime. There's not much on TV.
CAROLE THERIAULT
Exactly. They'd be able to potentially see. Now, how could they see?
Well, one of the reasons is because some of these toys use an identifier for all their smart bedroom entertainment systems.
Okay. So in this case, Lovense use LVS-001. So all someone would need to do is walk around the streets of a city with a little Bluetooth sniffer and look for that identifier.
GRAHAM CLULEY
It's a strange way to get your kicks, isn't it?
CAROLE THERIAULT
I think there's a really important message here though. There is an important message in all this.
So what researchers are saying is that messing with the settings, like turning the device on or changing the speeds or mode, wouldn't take much because there is no unique PIN, right, for each device.
And the other thing with this Bluetooth is that when it's not connected to, like right now, if it's not connected to a mobile app, it's actually discoverable with a pretty powerful signal strength, right?
RICH BALDRY
You can just insert commands any time you want.
CAROLE THERIAULT
Exactly.
GRAHAM CLULEY
Oh, please, Rich.
CAROLE THERIAULT
Exactly. Insert commands.
GRAHAM CLULEY
Don't encourage her.
CAROLE THERIAULT
But it's true, okay? So there is something to be said about being always discoverable.
Like, why couldn't there be potentially a button that would say, hi, I want to be discoverable now for the next limited time, 5 minutes, whatever?
GRAHAM CLULEY
And this, from what I've heard, it can be very difficult to find the right button to press where it is exactly.
I mean, you'd want it very clearly marked, wouldn't you, to make sure you could find it easily? So what are the opportunities for abuse here?
I mean, I get— so okay, so I'm trying to put myself in the shoes of a pervert. And so—
CAROLE THERIAULT
A pervert? You're saying all users are perverts? No, no, no, no, no, no.
GRAHAM CLULEY
I'm the hacker dude, right? I'm the pervy stalker peeping Tom guy, right?
CAROLE THERIAULT
Or in this case, the researcher.
GRAHAM CLULEY
Or researcher, as they're also known.
And so I'm imagining, for instance, maybe I'm working in a hotel lobby and there's a lot of people coming through, bringing their private things into the hotel with them, right?
Now, they're obviously or at least hopefully, not using them in the actual lobby, right? That sort of thing, which normally you'd probably notice. I doubt they'd be that discreet.
But if you had some way of discovering them in their luggage, would you be able to turn them on or increase the frequency?
Would it become, would it be an amusing prank to play on people?
CAROLE THERIAULT
This is what they're suggesting. They're suggesting that right now they're pretty easily discoverable if you know what you're looking for.
RICH BALDRY
And the next sort of a penetration test.
CAROLE THERIAULT
Yes, exactly. And it wouldn't take, it wouldn't take a lot for someone to be able to take control of that device and, you know, make it turn it on.
GRAHAM CLULEY
Could be quite dangerous in a targeted attack if you had identified someone who was of interest to you and you knew they had one of these things.
CAROLE THERIAULT
Well, the other thing about this, right, is the signal strength is apparently really strong on these devices.
And what they're suggesting, this company PTP, is that maybe we can drop it to a lower value so that someone would have to be really nearby to connect rather than 40 metres away.
GRAHAM CLULEY
You know what annoys me is I keep hearing, and you're telling me that all these sex toys have got fantastic connectivity and really good at Bluetooth.
If I want to use my smartphone, I have to walk down to the end of my garden and sort of stand on the trampoline to get a signal. What is wrong with the world?
CAROLE THERIAULT
You live in the wrong location.
The other thing is also making more generic names for these things.
So that perhaps printers and adult toys could have the same names and you wouldn't know the difference between them.
GRAHAM CLULEY
So if you do have a connected vibrator, maybe if you could rename it the HP LaserJet or something like that.
CAROLE THERIAULT
Well, see, I didn't know if you can rename Bluetooth signals or Bluetooth names. I've never even tried. So that's interesting itself.
RICH BALDRY
What happens if someone tries to print a PDF? Well, it's in use. That could be even worse.
GRAHAM CLULEY
Good heavens.
CAROLE THERIAULT
Another thing is, you know, the whole concept of them having a unique PIN is very difficult because obviously there's no UI on these devices.
So one of the suggestions may be PIN stickers, which aren't cheap, but they could be on and allow for someone to kind of key in or type in a unique PIN number for the device.
So anyway, I think the whole thing is about tweaking Bluetooth for these devices and always keeping security in mind.
And whilst this research is very, you know, it's all very fun, this would be horribly embarrassing for people, I imagine. And so my advice in all this is go old school, right?
There are a few things in your life you don't want to be smart, including butt plugs and vaginas and shittings, I think.
GRAHAM CLULEY
Did you just say that on our podcast?
CAROLE THERIAULT
I'm assuming they're all going to be beeped out. You're editing this one.
GRAHAM CLULEY
Is this why we're not having a sponsor this week? Because we thought they'd complain.
Talking of which, I think it's time to mention— oh, we've got a fantastic sponsor this week, Krill.
CAROLE THERIAULT
No, no, we can't do it twice, man.
GRAHAM CLULEY
What? Just move on.
CAROLE THERIAULT
They heard it. Next.
GRAHAM CLULEY
Okay. Forget all that then. So we're on to our favourite part of the show, the part of the show which we call Pick of the Week.
CAROLE THERIAULT
Pick of the Week. Rich.
RICH BALDRY
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where we choose a funny story, a book we've read, a TV show, a movie, a record, an app, something which just has tickled our fancy or something that we think is really cool that we wanted to share with you.
CAROLE THERIAULT
Not security related.
GRAHAM CLULEY
It doesn't have to be security related.
CAROLE THERIAULT
Definitely not.
GRAHAM CLULEY
It can be, but doesn't have to be. So my pick of the week is something called the Topo.
CAROLE THERIAULT
Oh, is it chess related?
GRAHAM CLULEY
It's not. No, it's not chess related. It's not topiary related either. The Topo is my standing desk mat.
CAROLE THERIAULT
I think you've talked about this before on the show.
GRAHAM CLULEY
No, I haven't talked about it on the show before. It comes from a company called Ergodriven. And it's really cool. It's made out of polyurethane.
Normally, on a standing desk mat, it's really flat, right? I just think that's a bit boring. Where's the fun in that?
I mean, okay, you're standing on it, but you're not sort of, you know, you're still sort of static, aren't you? You're sort of just standing there.
The beauty of the Topo is that it's contoured. It has ridges, and it has this little teardrop. And so you're sort of exercising your feet. It's a party for your feet, basically.
And I'm loving it. And you're moving about subconsciously all the time. You're kind of doing, oh yeah, I'm riding the sides.
I'm cupping the teardrop, I'm opening my hips, you know, I'm exploring the contours. And you just think, wow, what a fantastic way to live.
And it's got to be better than sitting all the time. So I think the important thing is to move and the Topo helps you move.
And that is why I am recommending as my pick of the week, the Topo from Ergodriven.
CAROLE THERIAULT
And this is the second time he's done it. I'm sure of it. Any listener who remembers he's done it before, please send me the episode number, else on your t-shirts.
RICH BALDRY
Does it come in different shapes? I mean, can you, for example, choose a particular landscape region for your contours?
GRAHAM CLULEY
The Cotswolds.
RICH BALDRY
Yeah, Snowdonia, the majestic Rocky Mountains, the Dolomites.
GRAHAM CLULEY
Sadly, not as far as I know, no. I think a group of scientists have found the optimum mountain range.
CAROLE THERIAULT
You better TM that, Rich. You better TM it before Topo steals it.
GRAHAM CLULEY
Yeah, good point. Yeah. Anyway, that's my pick of the week. Rich, what's your pick of the week?
RICH BALDRY
Well, my pick of the week is a television show that I've been watching. Well, I watched a while ago, but it's just about to start its second season.
And so I think it starts in a couple of weeks. And so it's your opportunity to binge watch it if you haven't seen it before, before the new season starts.
And it's Dirk Gently's Holistic Detective Agency.
CAROLE THERIAULT
But have you seen it, Graham?
GRAHAM CLULEY
I've never seen the TV show. I read the books, which are by Douglas Adams, of course. Many, many years ago.
RICH BALDRY
Yeah. So this is the, I think this is the second or third time that it's been turned into a TV show. And in fact, it doesn't really base itself on the books themselves.
And in fact, some people would say it hardly bases itself on the characters either, but the ideas are all there.
And I think you can go on and argue about whether it should have been called Dirk Gently or whether it shouldn't have been called Dirk Gently, but whichever way you look at it, it's a really good fun TV show.
It's actually filmed in Vancouver as well, which makes it extra fun for me.
CAROLE THERIAULT
Are you working for the tourist board?
GRAHAM CLULEY
Is it a North American show then? It's not BBC?
RICH BALDRY
Well, it's BBC. It's actually BBC America that produces it. And so it's coming up on BBC America. I don't know whether it's actually shown on the BBC in the UK.
But I watched it on Netflix recently.
CAROLE THERIAULT
So I guess they must have flown in the British people, Graham, on a plane to Vancouver.
GRAHAM CLULEY
Are there British people?
RICH BALDRY
There is one. Well, Dirk Gently himself is a Brit. Yes.
CAROLE THERIAULT
Yes, he is.
RICH BALDRY
But it has Elijah Wood, who was obviously in Lord of the Rings, and has a bunch of other fantastic characters.
And so the stories are sort of reminiscent of Dirk Gently's Holistic Detective Agency and The Long Dark Tea-Time of the Soul, which was the second one, wasn't it?
And he actually refers to them in the first episode as things that happened in his past. So obviously this is supposed to be—
CAROLE THERIAULT
It's very clever.
RICH BALDRY
What happens next. But yeah, it's very clever, very funny, a little bit violent from time to time.
But there's this one particular character who's just absolutely fantastic, who's a holistic assassin who, much like Dirk, who sort of just meanders around and finds his way through the investigation, she just wanders around and just kills people because she believes she should.
But she's just amazing. And she's actually played by Fiona Dourif, who also has a connection to Lord of the Rings. Her father was in Lord of the Rings. But anyway—
CAROLE THERIAULT
Rich, Rich, can I ask you a question?
So if Doctor Who was on one island and Dirk Gently Holistic Detective Agency was another island—
GRAHAM CLULEY
I can answer this question.
CAROLE THERIAULT
I'm not asking you.
GRAHAM CLULEY
Yeah, but I can answer this question.
CAROLE THERIAULT
You're in the middle. Which way are you going to swim?
RICH BALDRY
I think it would have to be Doctor Who.
CAROLE THERIAULT
Just because there's more.
RICH BALDRY
Just because there's more of it.
And then, well, the interesting thing is, Dirk Gently, the character of Dirk Gently, or at least the storyline of the original Dirk Gently, started off as a Doctor Who episode.
CAROLE THERIAULT
I didn't know that.
GRAHAM CLULEY
Yes, you see, Carole.
CAROLE THERIAULT
I fell into the trap.
GRAHAM CLULEY
Yeah. Douglas Adams was famous for reusing ideas. And he wrote a couple.
He wrote a couple. Well, no, he wrote— He really struggled with this and he wrote a couple, maybe two or three Doctor Who stories, and one of them never actually got broadcast.
It was only half made. And a lot of the concepts in that particular Doctor Who story were then put into the first Dirk Gently book. So there was a lot of reusing of material.
So Doctor Who fans are kind of keen on Dirk Gently a bit because of the Douglas Adams connection, who was working on Doctor Who in about 1978, 1979. TIL.
CAROLE THERIAULT
There you go.
Today I learned.
GRAHAM CLULEY
Such a millennial.
CAROLE THERIAULT
Oh yeah. So millennials. Yeah. I can't even say it. I'm that old.
GRAHAM CLULEY
Okay. Carole, what's your—
Thank you, Rich. I will check it out. I haven't seen any of that. So you've seen some of that, have you, Carole?
CAROLE THERIAULT
Oh, I've watched it all. It's great. I thought it was really, really— I watched it when it came out because my other half is a very big fan. Right.
So yeah.
GRAHAM CLULEY
Oh, thanks for telling me about— Right, sure. So, Carole, what's your pick of the week?
CAROLE THERIAULT
Well, my pick of the week is about DerbyCon. It all starts with DerbyCon, which is a computer security conference in Louisville, Kentucky.
Now, during the conference, a delegate from Salt Lake City known as Grifter801 on Twitter went to a nearby burger joint to have a bit of a spot of food.
And from that joint, he sent the following tweet. Now, I've sent you guys the picture of the tweets. You can take a look at that. And it says, watch out, DerbyCon.
This is the roach I sucked up the straw of my milkshake from, enter name of burger joint here. I'm going to call him Trevor. You know, #DerbyCon #yum.
GRAHAM CLULEY
And just for any listeners, this is a cockroach we're talking about rather than some drug reference.
CAROLE THERIAULT
I didn't even think about that. Okay. Yeah. So it's a cockroach. So you look at the pictures, a dead cockroach. So this guy apparently sucked up a straw. Gross, gross.
Now you'd expect loads of disgusting—
GRAHAM CLULEY
Not that pleasant for Trevor the cockroach either, I would imagine.
CAROLE THERIAULT
Well, no. And you know what?
People on Twitter agree with you because I expected loads of disgust and anger, but instead it turned out to be an online memorial for Trevor the cockroach.
So people started leaving odd tributes to Trevor outside the burger joint, and Trevor the #TrevorForget. Get it, Graham? Never forget Trevor, forget.
Okay, these were all born on Twitter. And passersby left everything from boxes of tissues to a bottle of Mountain Dew as tributes to the deceased roach.
RICH BALDRY
Why boxes of tissues?
CAROLE THERIAULT
Because it's probably what they had in their bag.
RICH BALDRY
Oh, I see, right.
CAROLE THERIAULT
Yeah, they were just walking by and, you know, saw it on Twitter and thought, oh well, why not? And there's even a tribute movie which I've put a link in the show notes to.
So the question is, is Trevor the most famous dead roach in history? And I thought, actually, I'm sure I've heard of a dead roach before. I seem to remember this.
And there was one in 2015. Graham, you might remember this. There was a dead cockroach in the stairwell of a Texas A&M anthropology building.
And he just was basically sitting in the stairwell for about three months or something. And someone finally just said, we need to look after this guy.
So they made a little memorial for him. And there's a picture of it there. I sent it to you.
GRAHAM CLULEY
Why are you saying I would remember this?
CAROLE THERIAULT
Well, because I seem to think we talked about this.
GRAHAM CLULEY
Oh, maybe that's on the same podcast where I recommended the topo.
CAROLE THERIAULT
That probably—
GRAHAM CLULEY
Some imaginary conversation we had.
CAROLE THERIAULT
No, it was never on the podcast we talked about it. Now sadly, this first cockroach was never named, right?
So Trevor's getting all the limelight, and I just think we should name him Alpha Roach or something. Now, okay, all this roach talk. The thing is, they got a bit smart.
The Trevor campaign went a step further, and they're doing something actually quite wonderful. They've created a GoFundMe page for Trevor the Roach, right?
And let me quote from the page: As you know, the InfoSec community lost a beloved member over the weekend, Trevor the Roach.
To make matters worse, his entire family is also caught up in the disaster in Puerto Rico.
Funds contributed will go directly to Friends of Puerto Rico, a long-standing and respected nonprofit working to better Puerto Rico.
And so far they've raised over $3,600 to help those who are living in peril thanks to Hurricane Maria.
GRAHAM CLULEY
That's awesome.
CAROLE THERIAULT
Yeah, so you see, I kind of like it because it's not too earnest, but it's doing the right thing. And it's kind of unusual. So there you go.
GRAHAM CLULEY
And it's a great tribute to Trevor the cockroach.
CAROLE THERIAULT
Right, exactly, and all his family. And apparently the restaurant wouldn't contribute to the fund. That's what I read somewhere.
I don't know, I didn't double-check that, but I hope they do. I hope they do.
GRAHAM CLULEY
Is that why we're not giving them a name check?
CAROLE THERIAULT
Well, I don't want to name them. You know, they keep going on Twitter going, please stop talking about us. So I don't know anything about this burger joint.
I don't know if they're a chain or a one-off jobbie. So I thought, you know, if someone really wants to find their name, they will find their name.
GRAHAM CLULEY
And if they want to sponsor next week's show, get in touch via our website at www.smashingsecurity.com.
You can also follow us on Twitter and on Facebook group as well, smashingsecurity.com/facebook.
And maybe you want to buy some swag, get yourself a t-shirt or a sticker or something like that. Who wouldn't want to do that? At smashingsecurity.com/store.
Well, it just about wraps it up. Thank you very much, Rich, for joining us today. If people want to learn more about you, where should they follow you online?
Is there anywhere they should go?
RICH BALDRY
Well, you can follow me on Twitter @rbaldry. If you really want to, I tweet about all sorts of strange things.
GRAHAM CLULEY
That sounds fantastic. Well, thank you very much for tuning in, everybody.
And if you, as we said at the start of the show, if you know someone else who might like the show, go and tell them about it.
Celebrate International World Podcast Day or whatever it was. And you can go to our website to check out past episodes as well and find easy links to subscribe in a variety of apps.
And until next time, cheerio, bye-bye.
CAROLE THERIAULT
Yeah. P.S. He didn't come to me, but if anyone's at the VB conference and wants to say hi, I'll be there.
GRAHAM CLULEY
What? The VB conference? Yeah.
CAROLE THERIAULT
It's in Madrid this year.
GRAHAM CLULEY
Oh, the virus bulletin. You're off, are you? You're going to be there.
CAROLE THERIAULT
I'll be there during the show.
GRAHAM CLULEY
Oh, cool. And if it goes public. Right. Awesome. Have fun.
RICH BALDRY
Have a great time. Bye-bye.
GRAHAM CLULEY
Toodaloo. Pick of the week.