Apps that belch out sensitive military information, what could the world learn from South Korea’s digital response to the Coronavirus pandemic, and who has been deepfaking Bill Clinton, Jay-Z, and Donald Trump… and why?
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Brian Klaas of the “Power Corrupts” podcast.
Plus we have a bonus feature interview with Rachael Stockton from Logmein, the folks behind LastPass, all about their report into the psychology of passwords.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
I've never drunk a pint of beer in my life.
Oh, wow. Nothing like a pandemic to start.
That's why my body's a temple.
Well done. Well done. Your halo is blinding me.
Smashing Security, Episode 179: Deepfake Jay-Z and Beer Apps Spilling Your Data with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 179.
My name's Graham Cluley.
My name's Graham Cluley.
And I'm Carole Theriault.
Hi, Carole.
Hi, Graham. You haven't said hi to me in a while on the show.
You know, I like to mix it up a little bit.
And we've mixed it up this week by bringing someone onto the show who's never been onto the show before, but he's no stranger to podcasts because it is the man behind the Power Corrupts podcast, Brian Klaas.
And we've mixed it up this week by bringing someone onto the show who's never been onto the show before, but he's no stranger to podcasts because it is the man behind the Power Corrupts podcast, Brian Klaas.
Hello. Hey, thanks for having me on.
Yeah, one of my pick of the weeks a few weeks ago. So thank you so much, Brian, for coming on the show and for creating it.
I'm flattered.
Brian, for those who don't know, maybe haven't heard Power Corrupts and More for Them, can you give a brief premise about what the podcast is all about?
Yeah, sure. I mean, so I sort of talk about it, I conceptualize it as if This American Life and Radiolab had a very sinister baby that was obsessed with the dark side of politics.
It's one episode a week where we focus on, you know, everything from conspiracy theories to election rigging, disinformation, propaganda, pandemics, biological warfare, all sorts of stuff.
And it's a scripted narrative-driven podcast.
So it's polished and brings together a lot of interesting experts and a lot of people who have actually lived these things, which is fun.
And the big news today, I'll say I was very, very flattered. We were nominated as a finalist for the smartest podcast of the year by the British Podcast Awards.
It's one episode a week where we focus on, you know, everything from conspiracy theories to election rigging, disinformation, propaganda, pandemics, biological warfare, all sorts of stuff.
And it's a scripted narrative-driven podcast.
So it's polished and brings together a lot of interesting experts and a lot of people who have actually lived these things, which is fun.
And the big news today, I'll say I was very, very flattered. We were nominated as a finalist for the smartest podcast of the year by the British Podcast Awards.
Yay! Hooray! Congratulations.
That is a worthy title to covet, isn't it?
Indeed. Yeah, I was very happy about that.
Brilliant. Congratulations.
Thank you.
Oh, so I had a question for you about your podcast actually. So I'm a big fan, but I saw that you had one titled Pandemic, and I saw that it came out March, right?
So I was thinking there's a lot of work that goes into each of your episodes. So had you thought about doing that beforehand?
'Cause it does fit into your wheelhouse quite comfortably. Or was this something that you reacted to because the world was melting?
So I was thinking there's a lot of work that goes into each of your episodes. So had you thought about doing that beforehand?
'Cause it does fit into your wheelhouse quite comfortably. Or was this something that you reacted to because the world was melting?
No, I did it before, and I have the receipts 'cause I announced the series on Twitter. And I listed the pandemic one in the original trailer, which came out in January.
So the interview that I did with the person who does epidemiological modeling of pandemics, I did that when it was starting to become clear that this was coming to Europe and perhaps the United States.
But the other stuff, there's a really interesting bit I did about this village in the UK where they effectively voluntarily locked down during the bubonic plague in 1665 and all died, mostly died.
To save their sort of compatriots. I went up there before any of this was known. So, yeah, it was sort of fortuitous.
So the interview that I did with the person who does epidemiological modeling of pandemics, I did that when it was starting to become clear that this was coming to Europe and perhaps the United States.
But the other stuff, there's a really interesting bit I did about this village in the UK where they effectively voluntarily locked down during the bubonic plague in 1665 and all died, mostly died.
To save their sort of compatriots. I went up there before any of this was known. So, yeah, it was sort of fortuitous.
Yeah.
In a very dark way.
Yeah. Fortuitous or perhaps a little bit creepy. Brian, you may have just stirred a new conspiracy theory inside me. You seem to know a bit too much.
Maybe that helps to promote your podcast.
Maybe that helps to promote your podcast.
Yeah, well, if only that little village had a 5G mast, then we would know.
What's coming up on the show this week, Carole?
First, let's thank this week's sponsors, Boxcryptor, Immersive Labs, and LastPass. Their support helps us give you this show for free.
Now on today's bumper episode, Graham tells us about an app that puts military folks at risk.
Brian reviews how South Korea handled a recent outbreak and whether we could do the same. And I'm going to look for the line between video satire and deepfakes.
Plus we have a special interview with Rachael Stockton from LogMeIn. So stay tuned after the show to find out how you can better protect yourself online for free.
All this and much more coming up on this episode of Smashing Security.
Now on today's bumper episode, Graham tells us about an app that puts military folks at risk.
Brian reviews how South Korea handled a recent outbreak and whether we could do the same. And I'm going to look for the line between video satire and deepfakes.
Plus we have a special interview with Rachael Stockton from LogMeIn. So stay tuned after the show to find out how you can better protect yourself online for free.
All this and much more coming up on this episode of Smashing Security.
Now, chums, are you drinkers?
Yes.
Yes.
Aha. See, I'm not.
I'm actually having a beer right now, actually.
You're having a beer at the moment?
Yes. Look, look, look, I'm gonna clink it against the microphone. There you go.
Well, if you are a beer drinker, Carole, then maybe you would want to use an app called Untappd. That's untapped without an E. I'm not quite sure why.
I know how to drink beer. I don't need someone to teach me.
It's not to help you drink beer. It's a geosocial networking service. That's how it describes itself.
It's a mobile phone application that allows you as a drinker to check in online as you drink beer.
It's a mobile phone application that allows you as a drinker to check in online as you drink beer.
I don't understand. So, okay. So I crack open a brewski in my house.
Right.
And then what? Get the app open?
Then you get the app open and you're thinking, oh, I'd rather like to tell my online beer drinking friends that I'm currently having this beer and I'll rate this beer or I'll rate this hostelry.
And so it's a free app for iOS and Android. Lets you discover and share beer, follow other drinkers.
And so it's a free app for iOS and Android. Lets you discover and share beer, follow other drinkers.
And it's just done out of the love of their hearts.
Well, people are doing it because I guess they're obsessed with beer, right?
Okay.
So they drink beer, they earn badges, you share pics of your beer. Surely you've done this sort of thing, Brian, haven't you? You haven't done this?
No, I'm afraid not. You're missing out. How can I get more followers? Do I need to get some craft beers?
Become an alcoholic seems to be the answer according to this app.
This is what the pandemic was designed for, right? Be sharing your drinking capabilities. You post reviews of the beer. You can see where your friends are drinking beer.
Oh, they're drinking at home at the moment. Beer, beer, beer, beer, beer.
Oh, they're drinking at home at the moment. Beer, beer, beer, beer, beer.
So do we have an app? Is there an Negroni'd app without the apostrophe D as well? Or an Old Fashioned without the E at the end?
Oh yeah, you might be onto something there. I mean, they haven't kept it too old school. This app has really kept up with the times because imagine you're drinking a beer.
And catastrophe, you finish your beer. What you can do with the Untappd app is you can scan the barcode on your beer.
And catastrophe, you finish your beer. What you can do with the Untappd app is you can scan the barcode on your beer.
Okay, I'm looking right now.
And the app will hail an Uber taxi to take you—
Shut up!
—to where you can drink more of that beer.
I would love someone up in the northern coast of Scotland, right? In the Hebrides or somewhere. Isle of Wight, try this out. Wow.
Could cost you a few quid, couldn't it? Anyway, so this is clearly for people who are really into their beer.
And as we know, people who are really into their beer are really into their beer. Well, investigative website Bellingcat, I don't know if you're familiar with them.
They've done some extraordinary work in the past using open source intelligence. They've looked into the criminal underworld. Do you remember the Russian poisonings in Salisbury?
Where those chaps came over and they claimed to be big lovers of the cathedral and knew how many metres high it was. They visited twice.
They've investigated the use of weapons in Syrian civil war. Well, now, they've turned their attention to beer drinking. They're on pandemic as well, right?
They're on lockdown, the guys at Bellingcat, and they're thinking, what can we do to amuse ourselves? So they've looked at the Untappd app.
And what they found was that it could be used to track military personnel, locate secret military installations, and even offer a glimpse at sensitive military documents.
Fancy that.
And as we know, people who are really into their beer are really into their beer. Well, investigative website Bellingcat, I don't know if you're familiar with them.
They've done some extraordinary work in the past using open source intelligence. They've looked into the criminal underworld. Do you remember the Russian poisonings in Salisbury?
Where those chaps came over and they claimed to be big lovers of the cathedral and knew how many metres high it was. They visited twice.
They've investigated the use of weapons in Syrian civil war. Well, now, they've turned their attention to beer drinking. They're on pandemic as well, right?
They're on lockdown, the guys at Bellingcat, and they're thinking, what can we do to amuse ourselves? So they've looked at the Untappd app.
And what they found was that it could be used to track military personnel, locate secret military installations, and even offer a glimpse at sensitive military documents.
Fancy that.
Okay, question.
Is it the fact that if a military personnel used this app, this information could be garnered, or is the app specifically designed to try and snuffle up military info?
Is it the fact that if a military personnel used this app, this information could be garnered, or is the app specifically designed to try and snuffle up military info?
Oh, it's not a malicious app. No, this has been designed by beer drinkers for beer drinkers, and they're all good people who believe in real ale.
But even the military drink beer. Apparently they do, yes.
Hopefully not while they're on duty or if they're in charge of any important military equipment.
But according to the team at Bellingcat, all you need to do to find individuals working at military organizations or intelligence centers and track their general whereabouts is do a bit of digging deep into Untappd public data and cross-reference it with other social media.
And through this method, they were able to find, for instance, people who had checked in at Camp Peary, which is a place in Virginia, I think, where they're doing covert CIA training.
And from there, they were able to track Untappd users as they visited bases and presumably bars in the United States and across the Middle East.
They found, they logged over 700 check-ins at 500 unique locations.
There were even people who were checking in near the Guantanamo Bay detention center and other people who are also going to the Pentagon.
So this history of people moving around has all been revealed by the Untappd app.
But according to the team at Bellingcat, all you need to do to find individuals working at military organizations or intelligence centers and track their general whereabouts is do a bit of digging deep into Untappd public data and cross-reference it with other social media.
And through this method, they were able to find, for instance, people who had checked in at Camp Peary, which is a place in Virginia, I think, where they're doing covert CIA training.
And from there, they were able to track Untappd users as they visited bases and presumably bars in the United States and across the Middle East.
They found, they logged over 700 check-ins at 500 unique locations.
There were even people who were checking in near the Guantanamo Bay detention center and other people who are also going to the Pentagon.
So this history of people moving around has all been revealed by the Untappd app.
Okay, but did the Bellingcat people tell the Untappd people and indeed the military that this was happening before they trumpeted their news?
Oh yes, they've been in touch with everybody whose profiles they came across to say to them, hey, you might want to lock down your settings a little bit.
Because sometimes the snafus which happened were quite bad because people don't just like to drink and rate their beer.
They also like to take drunken photographs of their beer bottles. And sometimes, and this may surprise you—
Because sometimes the snafus which happened were quite bad because people don't just like to drink and rate their beer.
They also like to take drunken photographs of their beer bottles. And sometimes, and this may surprise you—
And their beer bottoms as well.
Well, I don't know. I think there's a different app for that, Carole.
Well, it depends how many beers they've had.
But apparently people will take a picture of their beer bottle and they're a little bit careless and they'll leave also in the same frame, debit cards, plane tickets, ID cards, Social Security card.
Right. Military documents, even an F-16 fighter jet and its location, all revealed on Untappd.
Because I guess they're sort of blearily taking the photograph or whatever and making a goof.
Right. Military documents, even an F-16 fighter jet and its location, all revealed on Untappd.
Because I guess they're sort of blearily taking the photograph or whatever and making a goof.
Plus you can find out if someone has a really bad taste in beer.
Right. I've never drunk a pint of beer in my life.
Oh, wow. Well done, well done. I know, aren't I impressive? Your halo is blinding me.
That's why my body's a temple.
Nothing like a pandemic to start.
OK, so don't you think there's a bit of shared responsibility here?
So on the one side, the military personnel or the users of the app need to think about what they're taking pictures of, right?
So don't take a picture of your beer bottle on top of your passport open, right?
So on the one side, the military personnel or the users of the app need to think about what they're taking pictures of, right?
So don't take a picture of your beer bottle on top of your passport open, right?
Are you suggesting that the Untappd app should actually display that warning before you take your photograph?
No, I think users should be smart enough to figure that out. I do kind of think that would be the responsibility of the user.
So what did Untappd say when Bellingcat got in touch with them? Did they say, "Ooh, jeez, we're gonna fix that right now"?
So what did Untappd say when Bellingcat got in touch with them? Did they say, "Ooh, jeez, we're gonna fix that right now"?
Well, actually, Untappd aren't gonna change anything. Because Untappd has already decent privacy settings, and you can set your profile to be private easily.
And users have to consciously select the location which they check into. And so their opinion is that they've already set this all up to be as private as required.
It's down to the ruddy users.
And maybe what needs to happen is some major general to speak to the people in the military and say, stop posting that kind of information onto social media apps.
And users have to consciously select the location which they check into. And so their opinion is that they've already set this all up to be as private as required.
It's down to the ruddy users.
And maybe what needs to happen is some major general to speak to the people in the military and say, stop posting that kind of information onto social media apps.
Isn't this also a story about how the power of opt-in versus opt-out is so important?
And you just need to have, you know, a critical mass arguing for opt-out of privacy settings rather than opt-in.
And you just need to have, you know, a critical mass arguing for opt-out of privacy settings rather than opt-in.
Yeah, I mean, all of these apps, of course, because they want to build up the network and they want to be as attractive as possible to new recruits, of course, they always automatically opt you into all of these.
They basically have privacy turned off by default, don't they?
They basically have privacy turned off by default, don't they?
Yeah, that's such a point to underline though. I think most people think, hey, if I just stick with the default options, they're going to be looking after me.
As long as I don't change anything, I'm running it as I should. But exactly to your point, they don't make it so it's the safest it can be for you.
It's so it can use as many features as possible.
As long as I don't change anything, I'm running it as I should. But exactly to your point, they don't make it so it's the safest it can be for you.
It's so it can use as many features as possible.
Yep, it's absolutely true.
And we do need to have a sort of, I don't know, some sort of mental shift when we use these apps and when we log into these websites as to what they're planning to do with our data and to double-check the settings.
Of course, sometimes the settings change without us even realizing.
And we do need to have a sort of, I don't know, some sort of mental shift when we use these apps and when we log into these websites as to what they're planning to do with our data and to double-check the settings.
Of course, sometimes the settings change without us even realizing.
Yeah, this is from the Facebook guy.
What are you using again? Facebook Portal, which I bought for the in-laws.
Well, not for the in-laws.
You have one in your house too. Well, yes, in order to communicate with them, we have—
Telephone doesn't work.
Okay. Here's the thing, Carole. The Facebook Portal, I give you an update, it's actually been turned off, and it's no longer being used.
And the reason is, having had two Portal calls with the in-laws to keep in touch with them during the pandemic, their dog ate the remote control or their Facebook Portal.
And the reason is, having had two Portal calls with the in-laws to keep in touch with them during the pandemic, their dog ate the remote control or their Facebook Portal.
So you've been saved yet again by your canine friends. That's true.
Now the Pentagon, of course, they banned Fitbits and GPS tracking. Do you remember the Strava app?
I think we spoke about it before and how that was logging how people were running around runways and military bases and submarines and things like that.
So the guidance from the Pentagon is that you shouldn't be using these kind of apps.
But I suspect apps like Untappd are sneaking through because your initial thought wouldn't be, this is something which is tracking my location.
But truth is, there's lots of apps out there which are asking you to check in and share information. So maybe they need to have a rethink on that.
I think we spoke about it before and how that was logging how people were running around runways and military bases and submarines and things like that.
So the guidance from the Pentagon is that you shouldn't be using these kind of apps.
But I suspect apps like Untappd are sneaking through because your initial thought wouldn't be, this is something which is tracking my location.
But truth is, there's lots of apps out there which are asking you to check in and share information. So maybe they need to have a rethink on that.
I think it's one of these things where it's astonishing still how much of this type of stuff comes out from groups like Bellingcat, which are doing amazing work.
But why is it that it takes their investigation to uncover these loopholes that could genuinely pose security risks for an entire country?
Why isn't the government spending money to, you know, as you say, you've got to have your personal device, but you can say here are the apps that you either can't use, or if you do, you have to change these settings.
And then I think it's a reasonable balance.
But why is it that it takes their investigation to uncover these loopholes that could genuinely pose security risks for an entire country?
Why isn't the government spending money to, you know, as you say, you've got to have your personal device, but you can say here are the apps that you either can't use, or if you do, you have to change these settings.
And then I think it's a reasonable balance.
Well, I wonder what else Bellingcat are currently investigating, which led them to look at the Untappd app. You know, what criminals or scoundrels are they currently after?
I think they have brainstorming sessions, right, where they're all in a meeting room, or in the old days, and someone would say, let's put beer and military together and see what happens.
And then they go down that route.
And then they go down that route.
It would be amazing though if there were actually beers that had, you know, clear national markers.
So in Ukraine, you end up seeing the pockets of the Russian soldiers based on the Untappd app. You know what I mean?
Because there's a specific type that the Ukrainians don't drink and the Russians do.
So in Ukraine, you end up seeing the pockets of the Russian soldiers based on the Untappd app. You know what I mean?
Because there's a specific type that the Ukrainians don't drink and the Russians do.
And imagine if this information is then sold on to beer advertisers to say, this is where your markets are.
That's an interesting— actually, I wonder how Untappd makes its money. I have no idea, not being a boozer like you.
He's saying everyone's drinking Beck's beer down in, you know, blah, blah.
Oh, we've all become so cynical, haven't we? Well, they're smart. Thank goodness for that. I don't know. Brian, what have you got for us this week?
Well, I've been looking at this story coming out of South Korea, which is, you know, South Korea sort of had a moment in the spotlight, so to speak, early on when it had what looked like a serious outbreak and now has had around 250 deaths total from COVID-19.
And there's this story that I think is just, it was this gut check moment for me, is basically you have them reopen because, you know, the country did pretty well with dealing with coronavirus and a whole bunch of young people flock to these nightclubs where social distancing is a pipe dream.
And a couple hundred of them got COVID-19 there, which, you know, completely predictable, unavoidable. Maybe they should have kept the nightclubs closed.
But what's astonishing is the next part of the story, which is that using a series of different digital tracking mechanisms, including purchases made at the nightclubs, asking for voluntary phone data from carriers, and also some CCTV, they were able to find tens of thousands of potential contacts from these couple hundred cases.
And with the span of, I think, less than a week, tested— the last number I saw was 46,000 people in those potential clusters.
And the reason why it was such a striking thing for me was to say, you know, could any North American or European country currently do this?
And I think the answer is quite clearly no. And I don't think it's just a technical thing. I think there is obviously technical barriers.
I think there's testing capacity barriers, etc.
But I think there's also just sort of competence in government, trust in government, questions about aversion to privacy invasion, and cultural elements that all come together that mean that this really effective public health intervention is probably not going to be something we see anytime soon in European countries or the United States or Canada.
And it raises the point of sort of, well, okay, but there's trade-offs here, right? Because South Korea has, as I say, around 250 deaths.
The US is about to, at the point we're recording this, is about to be at 100,000.
And at some point you start to think, okay, what, what freedoms are we willing to give up relative to the possibility of highly invasive tracking around an outbreak and a pandemic?
And it's gonna put all these issues much more center stage, I suspect.
And there's this story that I think is just, it was this gut check moment for me, is basically you have them reopen because, you know, the country did pretty well with dealing with coronavirus and a whole bunch of young people flock to these nightclubs where social distancing is a pipe dream.
And a couple hundred of them got COVID-19 there, which, you know, completely predictable, unavoidable. Maybe they should have kept the nightclubs closed.
But what's astonishing is the next part of the story, which is that using a series of different digital tracking mechanisms, including purchases made at the nightclubs, asking for voluntary phone data from carriers, and also some CCTV, they were able to find tens of thousands of potential contacts from these couple hundred cases.
And with the span of, I think, less than a week, tested— the last number I saw was 46,000 people in those potential clusters.
And the reason why it was such a striking thing for me was to say, you know, could any North American or European country currently do this?
And I think the answer is quite clearly no. And I don't think it's just a technical thing. I think there is obviously technical barriers.
I think there's testing capacity barriers, etc.
But I think there's also just sort of competence in government, trust in government, questions about aversion to privacy invasion, and cultural elements that all come together that mean that this really effective public health intervention is probably not going to be something we see anytime soon in European countries or the United States or Canada.
And it raises the point of sort of, well, okay, but there's trade-offs here, right? Because South Korea has, as I say, around 250 deaths.
The US is about to, at the point we're recording this, is about to be at 100,000.
And at some point you start to think, okay, what, what freedoms are we willing to give up relative to the possibility of highly invasive tracking around an outbreak and a pandemic?
And it's gonna put all these issues much more center stage, I suspect.
Yeah, because so I was looking at the COVID apps that they had been organizing in different countries a few weeks back on the show, and one of the countries I looked at was South Korea.
And what was interesting about it is they were quite impacted by the MERS outbreak.
And they changed their privacy laws at that time, which has been very useful for them during this scenario because they are using a centralized network basically to track everybody.
But one of the big things they're doing is they can basically look at banks, right? They're getting it from loads of different sources. So they're really tracking individuals.
So it's a really interesting privacy versus disease point of view, which puts me in a really difficult situation, right? You don't want people to die.
And what was interesting about it is they were quite impacted by the MERS outbreak.
And they changed their privacy laws at that time, which has been very useful for them during this scenario because they are using a centralized network basically to track everybody.
But one of the big things they're doing is they can basically look at banks, right? They're getting it from loads of different sources. So they're really tracking individuals.
So it's a really interesting privacy versus disease point of view, which puts me in a really difficult situation, right? You don't want people to die.
But it's also really astonishing because South Korea was a dictatorship not long ago. I mean, it was a couple of decades away from its transition to democracy.
So the people that are aware of the risks of overbearing states, there's no question it's in many adults' life experiences.
And yet there's this sort of, I don't know if it's cultural or because of the MERS outbreak or whatever, but there's this acceptance that this is a rational and reasonable response.
And you think about the variation even within the United States, within individual states, right?
Because some states are much more willing to adopt this sort of policy and others are so against it.
And, you know, of course, showing up to protests with anti-tank rocket launchers and things like that to show their disdain for it.
So you're going to have quite a big, I think, variation internationally in terms of how this pans out if this becomes the new normal.
I mean, if the vaccine arrives in September, October, it's a different story. But if this is the next 15, 18 months, there's going to be massive variation on this question, I think.
So the people that are aware of the risks of overbearing states, there's no question it's in many adults' life experiences.
And yet there's this sort of, I don't know if it's cultural or because of the MERS outbreak or whatever, but there's this acceptance that this is a rational and reasonable response.
And you think about the variation even within the United States, within individual states, right?
Because some states are much more willing to adopt this sort of policy and others are so against it.
And, you know, of course, showing up to protests with anti-tank rocket launchers and things like that to show their disdain for it.
So you're going to have quite a big, I think, variation internationally in terms of how this pans out if this becomes the new normal.
I mean, if the vaccine arrives in September, October, it's a different story. But if this is the next 15, 18 months, there's going to be massive variation on this question, I think.
And it's an interesting point of view from a power play perspective too, because whoever gets it really right and can kind of show it through numbers and kind of over the years be able to say, you see, we did this, that was right, we did this, but this was right, they can become quite a leader in terms of being able to deal with these things in the future.
I think regardless of the result, some people will be claiming that they were the best. Do you think so? They have done remarkably better than any other country.
Don't look at the numbers. And the only problems that they've experienced have been because they've been doing too much testing.
If they didn't do so much testing, there wouldn't be as many cases. Oh. Maybe, maybe, yeah. Do we know how popular the Untappd app is in South Korea?
I wonder whether that may have, maybe it has an additional function, which is helping people. But it is astonishing, isn't it?
How some countries seem to have really succeeded in this and others are floundering.
Don't look at the numbers. And the only problems that they've experienced have been because they've been doing too much testing.
If they didn't do so much testing, there wouldn't be as many cases. Oh. Maybe, maybe, yeah. Do we know how popular the Untappd app is in South Korea?
I wonder whether that may have, maybe it has an additional function, which is helping people. But it is astonishing, isn't it?
How some countries seem to have really succeeded in this and others are floundering.
I think one other point that I just, I think it's worth mentioning is we'd be in a very dire state of narratives between democracy and authoritarianism were it not for South Korea and Taiwan, for example.
Because you look at the sort of state interventions that have taken public health seriously early on, and with the exception of— I guess you could also add, of course, Australia and New Zealand, though those countries are, you know, they're isolated in different ways, they face probably lower risk to begin with.
Okay, but you have those sort of four, right? You have Australia, New Zealand, Taiwan, and South Korea.
And finally, you can say, look, it's not authoritarianism, it's competent open government that's effective and state capacity and trust in government.
I think trust is hugely important so you can accept some of these things.
But otherwise, without those 4 cases, you'd have China going around the globe and saying, look, the US, the UK, France, Italy, Spain, they all had mass death.
And those are the countries that you're supposed to aspire to. And so I think it's really important to make clear it's not democracy.
It's just whether the individual leaders of those countries took it seriously early on. And I think that's really why I wanted to bring up this story.
Because you look at the sort of state interventions that have taken public health seriously early on, and with the exception of— I guess you could also add, of course, Australia and New Zealand, though those countries are, you know, they're isolated in different ways, they face probably lower risk to begin with.
Okay, but you have those sort of four, right? You have Australia, New Zealand, Taiwan, and South Korea.
And finally, you can say, look, it's not authoritarianism, it's competent open government that's effective and state capacity and trust in government.
I think trust is hugely important so you can accept some of these things.
But otherwise, without those 4 cases, you'd have China going around the globe and saying, look, the US, the UK, France, Italy, Spain, they all had mass death.
And those are the countries that you're supposed to aspire to. And so I think it's really important to make clear it's not democracy.
It's just whether the individual leaders of those countries took it seriously early on. And I think that's really why I wanted to bring up this story.
How's your feelings of trust with BoJo?
I mean, I think it's tricky because as an American living in the UK, you constantly are torn between US politics and UK politics, which has been a very dire thing to be torn between for the last 3 or 4 years.
Tell us about it.
But, you know, it's something where you look at Johnson and originally I think there were massive mistakes. And pandemics are unforgiving.
So if you make massive mistakes in this critical first month, first few weeks even.
So if you make massive mistakes in this critical first month, first few weeks even.
Yeah, he was flippant.
Yeah, I mean, it just magnifies the death toll massively. That being said, I think he's woken up to the risks by the fact that he was hospitalized.
Yeah, he got a good fish slap in the face there, didn't he?
And I think since that moment, and since the lockdown, there's been some mess-ups on messaging, some very unclear advice, et cetera.
But you compare it to Trump and you're sort of like, well, you know, they're really trying in the UK. Like, this is a genuine effort. They're not pretending it's fake.
They're not hypothesizing about various drugs that don't work and possibly kill you or putting disinfectant in your body or a powerful light.
These things are— so to me, it's one of these things where it's the perpetual lowering of the bar. But I sort of look at the UK and say, well, it could be much, much worse.
Yeah, he got a good fish slap in the face there, didn't he?
And I think since that moment, and since the lockdown, there's been some mess-ups on messaging, some very unclear advice, et cetera.
But you compare it to Trump and you're sort of like, well, you know, they're really trying in the UK. Like, this is a genuine effort. They're not pretending it's fake.
They're not hypothesizing about various drugs that don't work and possibly kill you or putting disinfectant in your body or a powerful light.
These things are— so to me, it's one of these things where it's the perpetual lowering of the bar. But I sort of look at the UK and say, well, it could be much, much worse.
Yeah, 100%. 100%. I agree. There you go. Well, cheery. Don't worry, mine's fun.
Carole, what have you got for us this week?
Okay, we're starting off with a music quiz, boys. No way. Not music. No, we're starting off with a quiz.
So I'm going to play something for you, and I want you to tell me who does this sound like? Who is this voice? Okay. Give me a moment.
So I'm going to play something for you, and I want you to tell me who does this sound like? Who is this voice? Okay. Give me a moment.
I like big butts, and I cannot lie.
You other brothers can deny that when a girl walks in with an itty-bitty waist and a round thing in your face, You get— Sounds like Bill Clinton. Bill Clinton. Okay, good.
You other brothers can deny that when a girl walks in with an itty-bitty waist and a round thing in your face, You get— Sounds like Bill Clinton. Bill Clinton. Okay, good.
One more. Here's a little hillbilly.
Here's another one. Who is this? Okay. To be or not to be, that is the question. Whether 'tis nobler in the mind to suffer the slings and arrows of oppression—
Is it someone like Kanye West or someone like that?
Yeah, it's Jay-Z. Well done, Graham. Well done.
I wouldn't really have known that, but it just sounded his sort of attitude.
Yes, okay. Well, the problem is that none of these people are Bill Clinton or Jay-Z, right? These are clips from a channel called Voice Synthesis. This is a YouTube channel.
Now I've put it in the show notes if you guys want to have a click on through to the channel. So you guys can see the playlist and stuff and you can see what's going on.
Now for you listeners at home, this is basically a site that purports and proudly states that it synthesizes voices and pairs them with a non-expectant text.
So you have Bob Dylan Billie Eilish covering Britney Spears. You have Frank Sinatra crooning Dancing Queen. You have various presidents reciting rap lyrics. You even have George W.
Bush take on 50 Cent's In Da Club.
Now I've put it in the show notes if you guys want to have a click on through to the channel. So you guys can see the playlist and stuff and you can see what's going on.
Now for you listeners at home, this is basically a site that purports and proudly states that it synthesizes voices and pairs them with a non-expectant text.
So you have Bob Dylan Billie Eilish covering Britney Spears. You have Frank Sinatra crooning Dancing Queen. You have various presidents reciting rap lyrics. You even have George W.
Bush take on 50 Cent's In Da Club.
I'm looking at it right now. You've got Bob Ross in here. One of your heroes. One of my heroes. Mr. Rogers, who's a big American icon, isn't he? Or was?
Yes, he was one of my— all through my childhood, he was around, yeah.
Oh, goodness me.
So what's interesting is check the number of subscribers to the channel.
Okay. How do I do that? Geez. Oh, 50,000.
Are you surprised by how small it is? Well, let me carry on with my story and you can tell me if you think— Okay. If that plays a role in anything of this.
Now you can see on the page, you can see that at the end of each title of any video, it says in brackets, voice synthesis. Yes. Right.
And so, and then underneath in the description, it says the voice in this video is entirely computer generated using a text-to-speech model trained on the speech patterns of Jay-Z or whoever he's mimicking in that particular video.
Apparently, the YouTuber behind the Jay-Z deepfake says they were created by Tacotron 2. This is the text-to-speech program from Google.
Now you can see on the page, you can see that at the end of each title of any video, it says in brackets, voice synthesis. Yes. Right.
And so, and then underneath in the description, it says the voice in this video is entirely computer generated using a text-to-speech model trained on the speech patterns of Jay-Z or whoever he's mimicking in that particular video.
Apparently, the YouTuber behind the Jay-Z deepfake says they were created by Tacotron 2. This is the text-to-speech program from Google.
And a lot of these have got hundreds of thousands of views, haven't they? I mean, some of them are quite popular.
Yeah, interesting. Question I have for you too. Do you, so the term deepfake, do you think at this moment, do you think that's fair? So they're not videos, it's just the audio.
It's almost you're at a presentation or something. So there's a slideshow and then you hear the voice of the purported person behind it.
It's almost you're at a presentation or something. So there's a slideshow and then you hear the voice of the purported person behind it.
Do I think deepfake is a correct way of describing it? Is that the question?
Is it an impersonation? Is it a deepfake?
The way I understood deepfakes is that they have to use generative adversarial neural networks to generate content.
But I understood it as these GANs were used to create new content using machine learning and AI. Again, I'm a political scientist, so I'm wading outside of my comfort zone.
But I understood it as these GANs were used to create new content using machine learning and AI. Again, I'm a political scientist, so I'm wading outside of my comfort zone.
Right now, there is a bit of a brouhaha going on between Jay-Z and this YouTube channel.
So according to Ars Technica, right, this was April 26th, a new video— this is how it all came to light— a new video was posted on this channel, right, saying that YouTube had taken down the Jay-Z related videos.
There were two of them that he created.
One was Shakespeare's "To Be or Not to Be," which we were listening to earlier, and then there's Billy Joel's "We Didn't Start the Fire." And apparently the request came from Jay-Z's company, Rock Nation.
Now, the way in which voice synthesis told their followers was rather novel.
They put together a video featuring the simulated voices of Barack Obama, Donald Trump, Ronald Reagan, JFK, and FDR to explain this.
So according to Ars Technica, right, this was April 26th, a new video— this is how it all came to light— a new video was posted on this channel, right, saying that YouTube had taken down the Jay-Z related videos.
There were two of them that he created.
One was Shakespeare's "To Be or Not to Be," which we were listening to earlier, and then there's Billy Joel's "We Didn't Start the Fire." And apparently the request came from Jay-Z's company, Rock Nation.
Now, the way in which voice synthesis told their followers was rather novel.
They put together a video featuring the simulated voices of Barack Obama, Donald Trump, Ronald Reagan, JFK, and FDR to explain this.
The channel was created by an individual hobbyist with a huge amount of free time on his hands, as well as an interest in machine learning and artificial intelligence technologies.
He would to emphasize that all of the videos on this channel—
He would to emphasize that all of the videos on this channel—
Okay. Yes.
Now, is that an understandable response?
Because this guy is kind of saying, I'm thinking he's going, look, I have been super clear on my channel that I'm doing this for fun and I'm taking a synth voice, not the real person.
Because this guy is kind of saying, I'm thinking he's going, look, I have been super clear on my channel that I'm doing this for fun and I'm taking a synth voice, not the real person.
And what's the big deal? The thing is, a lot of people could see these videos without seeing the video description, couldn't they?
If they're shared on social media, I suspect you might see the title, maybe.
But having speech synthesis in brackets at the end, you might only see the start of the title on your mobile phone. I'm a little disappointed they didn't get Mr.
Rogers to join in on the rebuttal as well. That would have been a bit classier.
If they're shared on social media, I suspect you might see the title, maybe.
But having speech synthesis in brackets at the end, you might only see the start of the title on your mobile phone. I'm a little disappointed they didn't get Mr.
Rogers to join in on the rebuttal as well. That would have been a bit classier.
The original video might have a disclaimer, but people who do not have a sophisticated understanding of fake video, fake audio, will not see it.
And I think what Photoshop did for photos was that people started to understand that it could be doctored easily. And I don't think that most people have made that leap.
Most people who are not dialed into this world of disinformation have made the leap to understand how easy it is becoming to do the same with video and audio.
And I had this debate, I hate to do the plug of the podcast, but I had this episode called The Godfather of Fake News, where there's a guy who just deliberately writes fake news.
That was a brilliant episode. And he just, he does it for clicks, right? And he makes money off of it.
And he has in every single post, a disclaimer that says this is satire, but it still goes viral.
And you know, a lot of the people who are consuming it don't know what the S means on the story. They don't understand it. They don't click on the actual story.
So the headline seems plausible and the story is absurd. And I think with this, it's the same type of thing, right?
You could just have it go around the world and change people's minds and have them either vote on it or make decisions based on something that's totally wrong.
And I think the scariest thing is the idea of the world leaders because they can miscalculate in terrible, terrible ways.
And I think what Photoshop did for photos was that people started to understand that it could be doctored easily. And I don't think that most people have made that leap.
Most people who are not dialed into this world of disinformation have made the leap to understand how easy it is becoming to do the same with video and audio.
And I had this debate, I hate to do the plug of the podcast, but I had this episode called The Godfather of Fake News, where there's a guy who just deliberately writes fake news.
That was a brilliant episode. And he just, he does it for clicks, right? And he makes money off of it.
And he has in every single post, a disclaimer that says this is satire, but it still goes viral.
And you know, a lot of the people who are consuming it don't know what the S means on the story. They don't understand it. They don't click on the actual story.
So the headline seems plausible and the story is absurd. And I think with this, it's the same type of thing, right?
You could just have it go around the world and change people's minds and have them either vote on it or make decisions based on something that's totally wrong.
And I think the scariest thing is the idea of the world leaders because they can miscalculate in terrible, terrible ways.
And if you look at this channel, right, and you see what videos this person is producing, I mean, there is a political slant.
You've got Bernie Sanders, you've got past presidents, you've got Ayn Rand.
You've got Bernie Sanders, you've got past presidents, you've got Ayn Rand.
I'm not sure that they're doing it necessarily with malice in mind. I think it's just more the juxtaposition of having Frank Sinatra singing, dancing.
Graham, I'm so glad you're saying that because I'm going to do this for you. I'm going to take your voice and I'm going to have you read Piers Morgan's tweets.
And I'm going to just stream it live. And I'm so glad because I was worried that you think it was unfair that I used your voice. And I'll add in some, "Oh, Piers, I love you.
You're so great. You're fantastic." That's okay, right?
And I'm going to just stream it live. And I'm so glad because I was worried that you think it was unfair that I used your voice. And I'll add in some, "Oh, Piers, I love you.
You're so great. You're fantastic." That's okay, right?
No one's going to believe that, girl.
So now this isn't the end of the story. So a few days go by, right? And suddenly the videos reappear.
And they reappeared because Google said, actually, the takedown requests were incomplete.
And so the YouTube spokesperson told Ars Technica that the videos have been temporarily reinstated pending more information from whoever filed the claims.
So now the ball seems to be in Jay-Z's court. And this is really interesting for me. So this is why I come back to the 50,000 subscribers.
So for Jay-Z to go after someone with 50,000 subscribers is an elephant going after a flea. So he will build this person's channel by going after him.
And they reappeared because Google said, actually, the takedown requests were incomplete.
And so the YouTube spokesperson told Ars Technica that the videos have been temporarily reinstated pending more information from whoever filed the claims.
So now the ball seems to be in Jay-Z's court. And this is really interesting for me. So this is why I come back to the 50,000 subscribers.
So for Jay-Z to go after someone with 50,000 subscribers is an elephant going after a flea. So he will build this person's channel by going after him.
Yes, I think so. It's the Streisand effect.
Yeah, Streisand effect. Whoa, whoa, whoa, whoa, whoa.
Carole, is it possible that the person who's made the complaint isn't actually Jay-Z, but is a deepfaked Jay-Z who's making the complaint?
And now Google has thought, oh, maybe this wasn't a real complaint and therefore we're temporary. And now this channel's got all these interest.
Carole, is it possible that the person who's made the complaint isn't actually Jay-Z, but is a deepfaked Jay-Z who's making the complaint?
And now Google has thought, oh, maybe this wasn't a real complaint and therefore we're temporary. And now this channel's got all these interest.
That's interesting because YouTube would not confirm that it was Jay-Z's production company, Roc Nation, that had done it.
This is only— the only reason we say that is because the YouTuber himself or herself said that.
This is only— the only reason we say that is because the YouTuber himself or herself said that.
Look, we've got Brian on the podcast. He can unearth all the conspiracies, right? You can get to the— for goodness' sake, Brian, you've got some— you need something for series 2.
Can't you look into this?
Can't you look into this?
Maybe the most logical explanation is Jay-Z has been really comfortable having 99 problems. And now that he has 100, he has to get back to equilibrium. Funny, funny.
And so he has to get rid of this one problem. Told you he was a professional.
And so he has to get rid of this one problem. Told you he was a professional.
Sorry, is that— I think that reference may be too hip for me to understand.
I've missed something. It is the main song for which he is known.
I don't know.
I don't know what to do. Yeah. Very interesting, Krow.
Yeah, well, you're welcome.
So the whole issue is this is kind of cool because satire, no one's ever gone after Weird Al Yankovic and succeeded just because he did satires of all their songs.
And as far as I know, he didn't pay for the rights to do that. Everyone knew what was going on.
But the gray line between the satire, the pastiche, and the, "Hey, that's my face," or, "That's my voice," and I don't want to be fluffing Piers Morgan verbally.
Can you even copyright your voice?
So the whole issue is this is kind of cool because satire, no one's ever gone after Weird Al Yankovic and succeeded just because he did satires of all their songs.
And as far as I know, he didn't pay for the rights to do that. Everyone knew what was going on.
But the gray line between the satire, the pastiche, and the, "Hey, that's my face," or, "That's my voice," and I don't want to be fluffing Piers Morgan verbally.
Can you even copyright your voice?
Can you even claim, "That is my voice and not anybody else's"? Because there are people who sound quite similar.
What else can you copyright if not your voice and— how you move and stuff. And it's going to become that world. I think we should.
You sound a little bit like Marge Simpson's sisters, I've always thought. Yeah, I'm not going to say what you sound like.
I'm too polite. Hey, Graham? Yes? So I've got a problem. Yes? I use a cloud service. I put all my files and data up there, and I'm kind of nervous about prying eyes. Looking at it.
Any advice?
Any advice?
Yeah, you've got to encrypt it.
Because any file which you put on Dropbox or Google Drive or OneDrive or those other sort of cloud services, it could be accessed by that company or indeed law enforcement or any hacker who broke into your account.
So what I would recommend is use a piece of software like Boxcryptor. It's what I run on my computer.
And any file before it gets uploaded to those cloud services gets encrypted with my own keys, which I control.
They're offering a fantastic 40% discount to listeners of the Smashing Security podcast.
If you want a Boxcryptor personal license for private use or a Boxcryptor business account perfect for the self-employed, go to smashingsecurity.com/boxcryptor.
Because any file which you put on Dropbox or Google Drive or OneDrive or those other sort of cloud services, it could be accessed by that company or indeed law enforcement or any hacker who broke into your account.
So what I would recommend is use a piece of software like Boxcryptor. It's what I run on my computer.
And any file before it gets uploaded to those cloud services gets encrypted with my own keys, which I control.
They're offering a fantastic 40% discount to listeners of the Smashing Security podcast.
If you want a Boxcryptor personal license for private use or a Boxcryptor business account perfect for the self-employed, go to smashingsecurity.com/boxcryptor.
So the guys behind LastPass, LogMeIn, they've put out a report called The Psychology of Passwords: The Online Behavior That's Putting You at Risk.
And basically, as we do more working and purchasing and socializing online, hackers are chomping at the bit to take a little piece of us away.
The best thing you can do is get a password manager to help you make unique and difficult-to-crack passwords for every single account you have online.
Check out LastPass's report for loads more tidbits at smashingsecurity.com/lastpass.
And basically, as we do more working and purchasing and socializing online, hackers are chomping at the bit to take a little piece of us away.
The best thing you can do is get a password manager to help you make unique and difficult-to-crack passwords for every single account you have online.
Check out LastPass's report for loads more tidbits at smashingsecurity.com/lastpass.
If you listen to our show regularly, you'll know that hackers never stop innovating.
Immersive Labs gives security professionals practical and gamified content to keep pace with the latest threats.
Sign up to get instant access to more than 24 hours of free labs and a new lab to try out each week.
Latest being their red and blue team labs on the SaltStack vulnerabilities, which were in the news last week. Go check it out at immersivelabs.com/smashingsecurity.
Immersive Labs gives security professionals practical and gamified content to keep pace with the latest threats.
Sign up to get instant access to more than 24 hours of free labs and a new lab to try out each week.
Latest being their red and blue team labs on the SaltStack vulnerabilities, which were in the news last week. Go check it out at immersivelabs.com/smashingsecurity.
On with the show.
And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week.
Brian, if you would. Pick of the Week.
Thank you very much. Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security related necessarily.
Really hope it's not this week.
Well, mine, I almost considered making this my main story on the podcast this week.
It's not really strictly speaking security related necessarily, but kind of anyway, see what you think.
My pick of the week is a blog post by a chap called Ranjan Roy, and I will link to it in the show notes so you can check it out some more.
But he's talking about a friend of his and his friend owns a few pizza restaurants.
And for 10 years, his friend resisted offering delivery of his pizzas because he was, I'm a classy joint, right? I'm not offering deliveries.
Come in, have the in-restaurant experience. It'd be better than Domino's. Takeaway, do you do that? I don't know. I don't have that information.
It's not really strictly speaking security related necessarily, but kind of anyway, see what you think.
My pick of the week is a blog post by a chap called Ranjan Roy, and I will link to it in the show notes so you can check it out some more.
But he's talking about a friend of his and his friend owns a few pizza restaurants.
And for 10 years, his friend resisted offering delivery of his pizzas because he was, I'm a classy joint, right? I'm not offering deliveries.
Come in, have the in-restaurant experience. It'd be better than Domino's. Takeaway, do you do that? I don't know. I don't have that information.
Not much research. Okay. Brian, see, this is what we work with here.
But then something odd happened. This guy who ran the pizza restaurants began to get complaints from customers complaining about their deliveries.
Saying, I got the wrong pizza, the pizza was cold. And this restaurant was, well, we don't, what? We don't do deliveries. What are you talking about? What are you complaining?
And it turned out when he looked up his own shop on Google, there was a delivery option listed in the Google listing and it had been put there by an organization called DoorDash.
And DoorDash, I think, they're Deliveroo or Uber Eats. They're an online delivery service, right? Who work with different restaurants.
Now, the guy who owned these pizza restaurants had never arranged for DoorDash to deliver his pizzas.
DoorDash had taken it upon themselves to do that, and they'd rather provocatively listed themselves.
Saying, I got the wrong pizza, the pizza was cold. And this restaurant was, well, we don't, what? We don't do deliveries. What are you talking about? What are you complaining?
And it turned out when he looked up his own shop on Google, there was a delivery option listed in the Google listing and it had been put there by an organization called DoorDash.
And DoorDash, I think, they're Deliveroo or Uber Eats. They're an online delivery service, right? Who work with different restaurants.
Now, the guy who owned these pizza restaurants had never arranged for DoorDash to deliver his pizzas.
DoorDash had taken it upon themselves to do that, and they'd rather provocatively listed themselves.
So they were going over and buying pizzas? That's right.
This was the thing.
They didn't have the proper bags for the pizzas, so they'd arrive cold, and you know, it wasn't always brilliant service, but it was the genuine restaurant employees who were wasting time dealing with all the bad reviews and the customer complaints, right?
So they were a bit miffed about this.
But then when they were looking at the listing on DoorDash as to how you could order pizzas for delivery from their own restaurant, they noticed something odd, which was they sold pizzas for $24, but you could have the same pizza delivered by DoorDash for just $16.
They didn't have the proper bags for the pizzas, so they'd arrive cold, and you know, it wasn't always brilliant service, but it was the genuine restaurant employees who were wasting time dealing with all the bad reviews and the customer complaints, right?
So they were a bit miffed about this.
But then when they were looking at the listing on DoorDash as to how you could order pizzas for delivery from their own restaurant, they noticed something odd, which was they sold pizzas for $24, but you could have the same pizza delivered by DoorDash for just $16.
Oh, I thought you were going to say they were adding on. I was no, well, no, no, no.
Tell us the price. $16 less. And apparently, the mistake DoorDash had made is that they were scraping— they scrape restaurant websites for their menus and their pricing.
So, DoorDash had taken the price for a plain cheese pizza, scraped it off the website, and somehow they had applied it to a specialty pizza with loads and loads of toppings.
So, like you said, someone could pay DoorDash $16. DoorDash would go into the restaurant, pay $24 for the pizza, and deliver it. So what does the owner of the restaurant do?
He orders 10 of his own pizzas via DoorDash. Brilliant. He was charged $160. The DoorDash driver then shows up, pays him $240. Brilliant. And takes away the pizzas.
So he's making— Well, it's keeping his costs down. Now, the story goes on from there, and it's well worth a read. I'm bookmarking it right now. I would recommend it.
So, yeah, so there's actually some hope, I think, for restaurants during the pandemic who maybe don't offer delivery.
Maybe there's some intermediary who'll do it and actually make you money in the process. You just order your own pizzas to be delivered to the kitchen around the back.
So, DoorDash had taken the price for a plain cheese pizza, scraped it off the website, and somehow they had applied it to a specialty pizza with loads and loads of toppings.
So, like you said, someone could pay DoorDash $16. DoorDash would go into the restaurant, pay $24 for the pizza, and deliver it. So what does the owner of the restaurant do?
He orders 10 of his own pizzas via DoorDash. Brilliant. He was charged $160. The DoorDash driver then shows up, pays him $240. Brilliant. And takes away the pizzas.
So he's making— Well, it's keeping his costs down. Now, the story goes on from there, and it's well worth a read. I'm bookmarking it right now. I would recommend it.
So, yeah, so there's actually some hope, I think, for restaurants during the pandemic who maybe don't offer delivery.
Maybe there's some intermediary who'll do it and actually make you money in the process. You just order your own pizzas to be delivered to the kitchen around the back.
When AI fuck-ups work in your favour.
And that is why it is my pick of the week. That's pretty good. It's pretty good. Brian, what's your pick of the week?
Mine is very much not security related. And that's because I think in the hellscape we live in, you want to live away from it and escape a bit.
And so what I've been doing is watching a lot of old stuff. And so what I've gotten into recently is one of the weirdest shows that I like. It's called Iron Chef Japan.
When it was originally broadcast in Japan, of course, it was not called Iron Chef Japan, but it's one of the weirdest cooking shows you'll ever see. It's incredibly over the top.
And so what I've been doing is watching a lot of old stuff. And so what I've gotten into recently is one of the weirdest shows that I like. It's called Iron Chef Japan.
When it was originally broadcast in Japan, of course, it was not called Iron Chef Japan, but it's one of the weirdest cooking shows you'll ever see. It's incredibly over the top.
I've never seen it. So what's the deal with Iron Chef Japan?
So what you start with is you have this elaborate introduction that Chairman Kaga, who's the host, has this massive swelling music behind him and quotes from French chefs and things.
And then he takes this bite out of a bell pepper, and that's the intro.
And the way that the setup is, is you have these 3 Iron Chefs, Iron Chef Chinese, Iron Chef French, Iron Chef Italian, sometimes Iron Chef Japanese.
And there is a theme ingredient that a challenger will battle them on within Kitchen Stadium, which is custom built for this show.
And then he takes this bite out of a bell pepper, and that's the intro.
And the way that the setup is, is you have these 3 Iron Chefs, Iron Chef Chinese, Iron Chef French, Iron Chef Italian, sometimes Iron Chef Japanese.
And there is a theme ingredient that a challenger will battle them on within Kitchen Stadium, which is custom built for this show.
Okay, that's kind of like Iron Chef. I don't even know if he knows Iron Chef at all.
Yes. Yeah, yeah. No, no, no.
So Iron Chef America is a ripoff of Iron Chef Japan and way worse. Anyway, I didn't know that. So, so the point— yeah, because Iron Chef Japan ran from 1993 to 1999 and it shows.
So the point is that they— these Iron Chefs come out of the floor with dry ice and lots of—
So the point is that they— these Iron Chefs come out of the floor with dry ice and lots of—
It's like the World Wrestling Federation. Yeah, it's amazing.
And then there's this massive sheet over the theme ingredient. And Chairman Kaga, who's wearing a kimono, comes down and unveils it as the crescendo of the music happens.
And there's a series of tomatoes. And then they have an hour to make between 3 and 6 dishes using that theme ingredient as the main thing. And they're rushing around and stuff.
And then they have various B-list celebrities from the Japanese 1990s to judge them, an opera singer who will say, oh, this is really great.
And then the next person is actually a food critic and they're, this is garbage. And of course, it's just the most incredibly weird Japanese show and I love it.
And it gets your mind off of the pandemic nothing else.
And there's a series of tomatoes. And then they have an hour to make between 3 and 6 dishes using that theme ingredient as the main thing. And they're rushing around and stuff.
And then they have various B-list celebrities from the Japanese 1990s to judge them, an opera singer who will say, oh, this is really great.
And then the next person is actually a food critic and they're, this is garbage. And of course, it's just the most incredibly weird Japanese show and I love it.
And it gets your mind off of the pandemic nothing else.
I've been binging recently on Ally McBeal from 20-odd years ago.
I bet you love her.
Turns out at 20-odd years distance, it's perhaps not the most... You're watching some of these characters and just thinking, that's outrageous.
The guy she's in love with, he is a bastard. It's just like, what a git. Unbelievable. Anyway, fascinating. Anyway, excellent. Well done, Brian. Carole, what's your pick of the week?
The guy she's in love with, he is a bastard. It's just like, what a git. Unbelievable. Anyway, fascinating. Anyway, excellent. Well done, Brian. Carole, what's your pick of the week?
Last week, my neighbor says to me, "Hey, have you heard the Rabbit Hole podcast?" And I'm like, "What's Rabbit Hole?
The podcast from the New York Times." And he said, "You have to listen, you have to listen, you have to listen." So as I was doing some gardening last few days, I've been listening to Rabbit Hole.
I've listened to three or four so far and I'm totally hooked.
The podcast from the New York Times." And he said, "You have to listen, you have to listen, you have to listen." So as I was doing some gardening last few days, I've been listening to Rabbit Hole.
I've listened to three or four so far and I'm totally hooked.
What's it about?
Kind of a fascinating little glimpse into internet and humans and how they both work together.
So the first part was a three-parter on this guy called Caleb, and he had offered the journalist Kevin Roose his entire YouTube history for four years.
So the first part was a three-parter on this guy called Caleb, and he had offered the journalist Kevin Roose his entire YouTube history for four years.
Can you imagine doing that to a journalist? That's brave.
Isn't it? But amazing.
And Kevin Roose then went and also looked at the algorithms that YouTube were using and when the algorithms changed and tried to match the patterns to see if there were switches in how he viewed the world or what he was viewing.
It's totally fascinating.
And Kevin Roose then went and also looked at the algorithms that YouTube were using and when the algorithms changed and tried to match the patterns to see if there were switches in how he viewed the world or what he was viewing.
It's totally fascinating.
So you mean, was there a political bent or something? Was it the thought that he's been manipulated?
I don't know if it's more manipulation, but it's basically the engine says, "Oh, you like this? Let me give you more of it. Oh, you like this? Let me give you more of it.
Oh, you like this? Let me give you more of it," and really underline the point so you think everyone's thinking that way.
Oh, you like this? Let me give you more of it," and really underline the point so you think everyone's thinking that way.
You enjoy Iron Chef Japan, Brian? I'll give you more men in kimonos. Yeah. More vegetables for you. More vegetables.
Can't wait.
So anyway, really, really interesting.
And it's true, if you think about it, you probably look up chess stuff all the time, and then probably in your feed, it's always offering you new, probably the same chess videos you've seen millions and millions of times.
You're looking for new games potentially, and you're finding, "Why am I always being referred back to these same ones all the time?" Anyway, you can listen to the podcast and find out.
It's really good. I even reached out to Kevin Roose to see if he wanted to come on the podcast, so let's see. It's that good. In the meantime, go listen to it. Go listen to it.
It's called Rabbit Hole from the New York Times. There is a link on our webpage and show notes.
And it's true, if you think about it, you probably look up chess stuff all the time, and then probably in your feed, it's always offering you new, probably the same chess videos you've seen millions and millions of times.
You're looking for new games potentially, and you're finding, "Why am I always being referred back to these same ones all the time?" Anyway, you can listen to the podcast and find out.
It's really good. I even reached out to Kevin Roose to see if he wanted to come on the podcast, so let's see. It's that good. In the meantime, go listen to it. Go listen to it.
It's called Rabbit Hole from the New York Times. There is a link on our webpage and show notes.
That sounds fascinating. I mean, what a thing to do, to share your four-year history. I mean, was he aware that he had this history all this time?
Because whenever I've realized that something is storing a history of me, I just work out how to turn it off and delete it as quickly as possible.
Because whenever I've realized that something is storing a history of me, I just work out how to turn it off and delete it as quickly as possible.
At the time, yeah. Sorry, at the time that he was sharing with the journalist, he knew. And that becomes clear later in the episodes.
Did he have any ability to selectively delete?
I don't think so. I did feel, based on the information, I felt the New York Times weren't basically salaciously going through and trying to show anything that embarrassed him.
But I also felt that what they did call attention to showed a kind of route. You could see how that route would happen.
So, you know, there's artistic license and there's curation happening there.
But at the same time, there is an interesting approach to looking at how the internet might be shaping our brains.
But I also felt that what they did call attention to showed a kind of route. You could see how that route would happen.
So, you know, there's artistic license and there's curation happening there.
But at the same time, there is an interesting approach to looking at how the internet might be shaping our brains.
Okay, well, I guess your recommendation sounds good to me. That just about wraps it up for this week. Brian, thank you so much for coming on the show.
I'm sure lots of our listeners would love to follow you online or find out more about your podcast. What's the best way for folks to do that?
I'm sure lots of our listeners would love to follow you online or find out more about your podcast. What's the best way for folks to do that?
So it's @BrianKlaas on Twitter, which is K-L-A-A-S, and The Power Corrupts Podcast is what it's called. It's anywhere that you listen to podcasts.
And very good it is too. And good luck with those upcoming awards.
And you can follow us on Twitter at @smashingsecurity, no G, Twitter won't allow us to have a G, and you can also make sure that you never miss another episode of Smashing Security by subscribing in your favorite podcast app.
And you can follow us on Twitter at @smashingsecurity, no G, Twitter won't allow us to have a G, and you can also make sure that you never miss another episode of Smashing Security by subscribing in your favorite podcast app.
And as always, thank you brilliant, loyal listeners for your support and all your suggestions.
Also, a huge thank you to this week's Smashing Security sponsors: Boxcryptor, Immersive Labs, and LastPass. Their support helps us give you this show for free.
Oh, and stay tuned after the show for our special interview with Rachael Stockton.
Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
Also, a huge thank you to this week's Smashing Security sponsors: Boxcryptor, Immersive Labs, and LastPass. Their support helps us give you this show for free.
Oh, and stay tuned after the show for our special interview with Rachael Stockton.
Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
Until next time, cheerio. Bye-bye. Bye-bye.
That was a lot of fun. So thanks for having me. I appreciate it.
Our pleasure.
Rachael Stockton. It's been a while.
It has been a while, Carole.
And a lot has changed. More than I would have predicted has changed since we've last spoken.
My hair is much longer.
I'm a little more, shall we say, ashen. Ashen is the word.
Now, things at work must have changed particularly a lot for a company like you because it wasn't down tools time for LogMeIn, was it? You guys must have been really busy.
Now, things at work must have changed particularly a lot for a company like you because it wasn't down tools time for LogMeIn, was it? You guys must have been really busy.
Yeah, it has been a very busy couple months throughout the entire business, making sure that businesses have what they need so people can meet, so they can access the data that they need, and that they can do it securely.
So we've really been trying to make sure that our customers are having what they need so that they can continue their business as much as possible.
So we've really been trying to make sure that our customers are having what they need so that they can continue their business as much as possible.
Yeah, it's the first time I actually think of it, but I'm thinking of all these models that companies would have had on predicting how an environment will work, right?
This is our market and this is what our market requires of us. And suddenly that flips on its head. So what changes have you seen from your customers?
This is our market and this is what our market requires of us. And suddenly that flips on its head. So what changes have you seen from your customers?
You know, it's so interesting. I think there is — gosh, I'm going to quote High School Musical.
We have been spending a lot of time at home these days.
There is this element of everybody being in it together and really trying to solve the problems.
How do we make sure you are more productive at home as a worker, but also as an individual?
And on the LastPass side, we spent a lot of time on businesses, but we also spent a lot of time making sure consumers are safe.
And one of the things, you know, that being at home and having all of our stores shut down, I think has really driven is, I know myself, I've set up so many more online accounts, just trying to find different places to get food delivery.
You know, where can I get the best meat and all of this different stuff? And all of those accounts, more passwords, and all my friends are doing the same thing.
And there's so much more online shopping. So we're really taking our real lives that were outside and with people and then moving it much more virtual.
How do we make sure you are more productive at home as a worker, but also as an individual?
And on the LastPass side, we spent a lot of time on businesses, but we also spent a lot of time making sure consumers are safe.
And one of the things, you know, that being at home and having all of our stores shut down, I think has really driven is, I know myself, I've set up so many more online accounts, just trying to find different places to get food delivery.
You know, where can I get the best meat and all of this different stuff? And all of those accounts, more passwords, and all my friends are doing the same thing.
And there's so much more online shopping. So we're really taking our real lives that were outside and with people and then moving it much more virtual.
You know, it's interesting.
I've been using a password manager for so long, I can't think of the last time I created a password where I had to kind of go, okay, what random 5 words can I put together that I'll actually remember?
So obviously there's still people out there that do that. And you guys pulled together a pretty interesting report.
I had a read of it last night and this morning, and there's some really good stuff in there. I loved how you narrowed down the riskiest behaviors.
Maybe we could start there and go through some of that.
I've been using a password manager for so long, I can't think of the last time I created a password where I had to kind of go, okay, what random 5 words can I put together that I'll actually remember?
So obviously there's still people out there that do that. And you guys pulled together a pretty interesting report.
I had a read of it last night and this morning, and there's some really good stuff in there. I loved how you narrowed down the riskiest behaviors.
Maybe we could start there and go through some of that.
You know, we did a survey of a bunch of consumers, regular people, not business people, just Joe Folks like you and me.
Yeah.
And try to better understand password practices. And I'm also a psychology minor from many, many years ago, but I'm so interested in the why and the catalyst of human behavior.
And I think one of our takeaways is this concept of dissonance, which I think we're all very familiar now, right?
Which is, I know I need to be doing one thing, but I'm really doing another, and you get that friction in between.
And what we found from this report is, you know, I'll tell you, people out there, they're really smart.
They know that using the same kind of password or variation or reusing the password is really risky, but more than two-thirds of people still do it. Okay, that's so interesting.
And I think one of our takeaways is this concept of dissonance, which I think we're all very familiar now, right?
Which is, I know I need to be doing one thing, but I'm really doing another, and you get that friction in between.
And what we found from this report is, you know, I'll tell you, people out there, they're really smart.
They know that using the same kind of password or variation or reusing the password is really risky, but more than two-thirds of people still do it. Okay, that's so interesting.
So people know— I've been banging on this 20 years now, it's part of my career.
So, so people now know, this generation knows they have to use different passwords, but they don't know how to, or it's too much work, do you think?
So, so people now know, this generation knows they have to use different passwords, but they don't know how to, or it's too much work, do you think?
You know, I think there are a couple of things. One is there's an element of control, right? Access. A password is a key. I want the key to my house.
I want the key to my I want to know it myself. And by asking people to create really complex passwords, that takes away that sense of control.
Because what we also found is people are afraid of forgetting their login information, and they want to be in control of these passwords.
But the problem is that control is making people have risky behavior.
And a product manager that I used to work with gave just, I think, the best example of where passwords need to go from sort of a human perspective.
We need to think of passwords like we think of phone numbers. I know my phone number. That's pretty much it. And I'm okay with that because I have my phone.
And so we need to think about passwords too. We don't need to know our passwords because we have tools like LastPass and other password managers that can remember that for us.
I want the key to my I want to know it myself. And by asking people to create really complex passwords, that takes away that sense of control.
Because what we also found is people are afraid of forgetting their login information, and they want to be in control of these passwords.
But the problem is that control is making people have risky behavior.
And a product manager that I used to work with gave just, I think, the best example of where passwords need to go from sort of a human perspective.
We need to think of passwords like we think of phone numbers. I know my phone number. That's pretty much it. And I'm okay with that because I have my phone.
And so we need to think about passwords too. We don't need to know our passwords because we have tools like LastPass and other password managers that can remember that for us.
I wonder if it's like bank details, like if someone were to ask you, do you know what your bank account number is? Would you be able to say yes?
"LastPass, it's this." Or would you have no idea?
"LastPass, it's this." Or would you have no idea?
No, I would have no idea. And so I think it is part of it, but with passwords, we use them so much more often. I think the other piece too, right?
So you want to be in control and, you know, we are all, you know, slightly self-centered.
And I think that we believe that in the end, you know, nobody really cares that much about me.
Nobody's going to go after Rachael Stockton and my bank account and my retail accounts because, you know, whatever.
So you want to be in control and, you know, we are all, you know, slightly self-centered.
And I think that we believe that in the end, you know, nobody really cares that much about me.
Nobody's going to go after Rachael Stockton and my bank account and my retail accounts because, you know, whatever.
It's almost like, "Who am I? I'm not a celebrity. I'm not loaded. I don't have anything that anyone really wants. Why am I valuable? I can't see it.
Therefore, people are just making a storm in a teacup." But you know what?
Therefore, people are just making a storm in a teacup." But you know what?
It's not you. It's not about me. It's about the hundreds of thousands of records. We are just a number.
It's about the hundreds of thousands of records that are being stolen, and it's about the algorithms and the power that hackers have in their own systems to use and plow through that information to then take those passwords and not only get into the accounts that they stole from, but then use those passwords and try various variations to get into the plethora of other accounts that you have, including your work accounts.
So it goes beyond just you. They're not after you, but guess what? They're gonna find you anyway, and you're still worth money to them.
It's about the hundreds of thousands of records that are being stolen, and it's about the algorithms and the power that hackers have in their own systems to use and plow through that information to then take those passwords and not only get into the accounts that they stole from, but then use those passwords and try various variations to get into the plethora of other accounts that you have, including your work accounts.
So it goes beyond just you. They're not after you, but guess what? They're gonna find you anyway, and you're still worth money to them.
Yeah, so basically you've got this situation where people have to work from home, they're setting up more online accounts, they are frustrated because there's too many passwords to remember.
They're either using the same password or using small variations of it. This is basically, what's it called, like a red flag to a bull, I guess, for those hackers out there.
So this was a worldwide report. So did you guys look at different countries?
They're either using the same password or using small variations of it. This is basically, what's it called, like a red flag to a bull, I guess, for those hackers out there.
So this was a worldwide report. So did you guys look at different countries?
Were there differences? Yeah, you know, there are some differences. I think one of the things that is the same is there is still a very high level of awareness, and that's good.
But one thing that we saw in Germany is that only really about 30% of them are using this variation of 1 to 2 passwords versus globally 66%.
So there does seem to be a little bit more action-oriented there and maybe a little bit less dissonance.
But one thing that we saw in Germany is that only really about 30% of them are using this variation of 1 to 2 passwords versus globally 66%.
So there does seem to be a little bit more action-oriented there and maybe a little bit less dissonance.
So that means in the rest of the world, more than 60% of people are using just one password for all accounts? Yes. Wow. Yep. And then in Germany, only 30% are doing that.
So they're the lowest that you guys were able to spot?
So they're the lowest that you guys were able to spot?
Yes. That seemed to be the most aware and action-oriented, like linking that awareness to the action-oriented.
A couple of the other things that we saw even beyond passwords regionally was multifactor authentication.
For example, in Singapore, which is a region we don't talk that much about, we actually saw a big increase in multifactor authentication use, both from a work perspective, which the end user really can't control, that's up to the business, but from a consumer perspective too, with more than 70% of people responding that they are using multifactor authentication to protect their consumer accounts, which is great.
That's really interesting.
A couple of the other things that we saw even beyond passwords regionally was multifactor authentication.
For example, in Singapore, which is a region we don't talk that much about, we actually saw a big increase in multifactor authentication use, both from a work perspective, which the end user really can't control, that's up to the business, but from a consumer perspective too, with more than 70% of people responding that they are using multifactor authentication to protect their consumer accounts, which is great.
That's really interesting.
I wonder if legislation had any part to play in that.
Oh, yes, I definitely think so. There's been some very strong legislation in Singapore and actually all across Europe as well that's driving a lot of this.
There's some upcoming legislation in Brazil, so an entirely other region, where they actually understand a little bit better that their accounts are valuable to a hacker.
So I think that there's still a lot of education going on regionally, and a lot of it is driven both by, I think, businesses.
And what I mean by that is I'm gonna say the websites that you shop at, trying to one, educate people a little bit more about having tougher passwords, putting those requirements in, but also making multifactor authentication more available and having more integration.
There's some upcoming legislation in Brazil, so an entirely other region, where they actually understand a little bit better that their accounts are valuable to a hacker.
So I think that there's still a lot of education going on regionally, and a lot of it is driven both by, I think, businesses.
And what I mean by that is I'm gonna say the websites that you shop at, trying to one, educate people a little bit more about having tougher passwords, putting those requirements in, but also making multifactor authentication more available and having more integration.
I think a lot of it too has to do with an erosion of trust between consumers and companies.
There's been a lot of companies in the press that have either been breached or they've claimed they've had great security and they haven't had great security.
And people are just kind of like, who do I trust? And that's got to be challenging, right? So how do you go about building trust?
What can you tell companies to do to help build trust, to help improve their businesses right now?
There's been a lot of companies in the press that have either been breached or they've claimed they've had great security and they haven't had great security.
And people are just kind of like, who do I trust? And that's got to be challenging, right? So how do you go about building trust?
What can you tell companies to do to help build trust, to help improve their businesses right now?
I think the key piece is transparency. So when people are signing up for accounts, put those requirements for best practices in there, right? So you force the hand, number one.
Two, ensure that the consumer, that we understand what you're doing to protect our information. And then if something happens, let us know.
It becomes even more frustrating when it's 5 months down the line.
You know, when we read those articles that these breaches have happened and now we're being notified, we understand, I think now, that breaches really are part of everyday news.
But it's really, I think, how people are handling them and how companies are handling them that helps either one develop that trust or rebuild that trust once one happens.
Two, ensure that the consumer, that we understand what you're doing to protect our information. And then if something happens, let us know.
It becomes even more frustrating when it's 5 months down the line.
You know, when we read those articles that these breaches have happened and now we're being notified, we understand, I think now, that breaches really are part of everyday news.
But it's really, I think, how people are handling them and how companies are handling them that helps either one develop that trust or rebuild that trust once one happens.
And I think having a password manager actually allows you to slowly build trust with these people because it allows you to have a very unique, long, complicated— so complicated it's almost impossible to guess—
password. In a way, this is a way you are taking control, right? I mean, if you want to be in control of your password, it's not about memorizing them.
It's about putting them in something to ensure you can create the strongest one possible that you will not forget. It's unique.
And if and when it gets breached, you only have to worry about that one account. You don't have to worry about the other 10 that are using that LastPass.
And then, you know, you can easily go in, change that password, and then you're protected again.
It's about putting them in something to ensure you can create the strongest one possible that you will not forget. It's unique.
And if and when it gets breached, you only have to worry about that one account. You don't have to worry about the other 10 that are using that LastPass.
And then, you know, you can easily go in, change that password, and then you're protected again.
Exactly. That point, I haven't thought about that, but exactly.
If your password gets breached and you're using the same password across your hundreds or even maybe thousands of accounts, you have to go through every single one and change those manually if you don't have unique passwords for each one.
Yes.
If your password gets breached and you're using the same password across your hundreds or even maybe thousands of accounts, you have to go through every single one and change those manually if you don't have unique passwords for each one.
Yes.
And that one thing that we found out too is that even after a breach, 50% of people don't even change their passwords.
And it comes back to the idea that why me? Why would they target me? Yeah. Yeah.
I think the one other piece that's really important to put up here too is one area that can help with any kind of breaches, but it does ask more of us, right, is using multifactor authentication as a consumer.
So we talked a little bit about it regionally. Overall, which is some good news, is there is an increase we found in this survey of both the awareness of multifactor authentication.
Something you have, something you are, something that you know, right? That combination.
And that use with more than 54% of people globally are using it for some set of personal accounts that are allowing it.
So I think that's really important because then even if that really secure password does get breached, you're still protected with multifactor authentication.
So that account is still protected.
So we talked a little bit about it regionally. Overall, which is some good news, is there is an increase we found in this survey of both the awareness of multifactor authentication.
Something you have, something you are, something that you know, right? That combination.
And that use with more than 54% of people globally are using it for some set of personal accounts that are allowing it.
So I think that's really important because then even if that really secure password does get breached, you're still protected with multifactor authentication.
So that account is still protected.
Yeah, no, totally. I'm a big fan of multifactor authentication. I understand it can be, it's a little bit more painful, but I think it's really important to have.
So I love having something you know, something you are, something you have. I think using two of those at every opportunity is great.
So I love having something you know, something you are, something you have. I think using two of those at every opportunity is great.
Yeah, I think it's important because let's also be real, with all of us working from home and being lucky that we're able to, there are a lot more phishing attacks because we're all getting a lot more email from the core functions— HR, IT, facilities— keeping us informed.
So there are a lot more reasons why we may be contacted by odd people within our organization.
And so I think that's also why it's important to think about password management as well, because you need to be getting to a site. You can get to that through the password manager.
If you're clicking on a site and being asked to fill in your password and it's not automatically being filled by your password manager, you know, look at that site.
Is that the right one?
I think there are ways we can also use these tools to help prevent some of the increase in attacks that we're seeing as well beyond just protecting the password.
So there are a lot more reasons why we may be contacted by odd people within our organization.
And so I think that's also why it's important to think about password management as well, because you need to be getting to a site. You can get to that through the password manager.
If you're clicking on a site and being asked to fill in your password and it's not automatically being filled by your password manager, you know, look at that site.
Is that the right one?
I think there are ways we can also use these tools to help prevent some of the increase in attacks that we're seeing as well beyond just protecting the password.
Now you guys, obviously you have your enterprise solution, but you also make LastPass password management tools available for free for consumers. Is that right?
So there's no excuse for people not to use a password manager. This is the time, isn't it?
So there's no excuse for people not to use a password manager. This is the time, isn't it?
We sure do. It really is. You know what's the best about it?
The best about the free product, to be honest, is I spend so much time on my mobile phone, and I have the iPhone, and I know exactly how much time I spend on it.
I hate getting that report.
But I think it's also important to recognize that these same things, you know, you want to be able to have this access on your mobile device your phone, your tablet, as well as your computer.
And so being able to access all your passwords no matter where you are, I think is really important too. And I want people to understand that that's out there now.
You don't have to worry about getting into your accounts if you're on your phone and you don't know your password. It's one solution for all your platforms.
The best about the free product, to be honest, is I spend so much time on my mobile phone, and I have the iPhone, and I know exactly how much time I spend on it.
I hate getting that report.
But I think it's also important to recognize that these same things, you know, you want to be able to have this access on your mobile device your phone, your tablet, as well as your computer.
And so being able to access all your passwords no matter where you are, I think is really important too. And I want people to understand that that's out there now.
You don't have to worry about getting into your accounts if you're on your phone and you don't know your password. It's one solution for all your platforms.
Yeah, it's amazing. So listen, next week we have— my cousin is coming on.
She's an actress comedian who's based in Toronto, but she's trapped in an apartment like millions of other people out there. And her life's obviously changed dramatically, right?
She's not, you know, she's on stage. But one thing that hasn't changed is she's never given a hoot about security.
And so the game plan next week is to see if Graham and I can convince her to at least do something to improve her security now.
So I'm going to try and get her to go down the password manager route, and I'll let you know how I get on.
She's an actress comedian who's based in Toronto, but she's trapped in an apartment like millions of other people out there. And her life's obviously changed dramatically, right?
She's not, you know, she's on stage. But one thing that hasn't changed is she's never given a hoot about security.
And so the game plan next week is to see if Graham and I can convince her to at least do something to improve her security now.
So I'm going to try and get her to go down the password manager route, and I'll let you know how I get on.
Oh, I'm so curious. I can't wait to hear it.
Yeah, because I think that is one of the key things people do. And the reason I like it is it makes your life more simple. All you need to remember is your master password. That's it.
So consumers, check it out. We'll put all the links in the show notes. Rachael, always brilliant to have you on the show.
So consumers, check it out. We'll put all the links in the show notes. Rachael, always brilliant to have you on the show.
So great to talk to you.
My brother says going out now is like playing Pac-Man. You're constantly going down streets and going down blocks, then you see someone, you turn around, go different direction.
Being chased by ghosts.
Being chased by ghosts.
Don't eat the cherries. You don't know who's touched them before you.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
Brian Klaas – @brianklaas
Show notes:
- Military And Intelligence Personnel Can Be Tracked With The Untappd Beer App — Bellingcat.
- What South Korea's Nightclub Outbreak Can Teach Other Countries — Time.
- When audio deepfakes put words in Jay-Z’s mouth, did he have a legal case? — Ars Technica.
- Jay-Z’s Deepfake Hamlet Recital — To Sue, Or Not To Sue — Forbes.
- Vocal Synthesis — YouTube channel.
- Doordash and Pizza Arbitrage — Ranjan Roy.
- Iron Chef Japan episodes — YouTube.
- Rabbit Hole podcast.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsor: LastPass
LastPass’s “Psychology of Passwords” report surveyed over 3,000 people around the world to highlight the current state of online security behaviors – and the results are alarming.
Download it now at smashingsecurity.com/passwordreport to learn more.
Sponsor: Immersive Labs
Immersive Labs gives security professionals practical and gamified content to keep pace with the latest threats.
Listeners can signup at immersivelabs.com/smashing to get instant access to more than 24 hours of free labs AND a new lab to try out each week.
Sponsor: Boxcryptor
Boxcryptor encrypts your sensitive files and folders in Dropbox, Google Drive, OneDrive and many other cloud storages. It combines the benefits of the most user friendly cloud storage services with the highest security standards worldwide. Encrypt your data right on your device before syncing it to the cloud providers of your choice.
Listeners can get a 40% discount on the Boxcryptor Personal License (private use) and Boxcryptor Business (perfect for self-employed) by visiting smashingsecurity.com/boxcryptor now.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
