Voting machines are under the microscope, scammers are posing as rap stars, and American politician AOC isn’t the only one who’s been getting into the Among Us game.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by James Thomson.
Plus don’t miss the first part of our featured interview with LastPass’s Dalia Hamzeh.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Hi everybody, Carole Theriault here. This is a shout out from all of us at Smashing Security. That's Graham Cluley and I to all of you Patreon supporters for supporting us.
It's amazing.
This week, special mention goes to Jonathan Bowen, Jamie Schwendinger, Will Costin, John Nicholas, Richard Anand, Marvin 71, Stuart Settliff, Amber, Simon Yacan, and the hilarious I come from a land down under where beer does flow and men shunder.
So thank you all for your support. It means the world. If you want to join these hilarious Patreon supporters, everything you need to know is on smashingsecurity.com/patreon.
And know that we welcome you with open arms, socially distanced GoGoGadget arms. Okay, let's get this show on the road.
It's amazing.
This week, special mention goes to Jonathan Bowen, Jamie Schwendinger, Will Costin, John Nicholas, Richard Anand, Marvin 71, Stuart Settliff, Amber, Simon Yacan, and the hilarious I come from a land down under where beer does flow and men shunder.
So thank you all for your support. It means the world. If you want to join these hilarious Patreon supporters, everything you need to know is on smashingsecurity.com/patreon.
And know that we welcome you with open arms, socially distanced GoGoGadget arms. Okay, let's get this show on the road.
Do you actually know what Wu-Tang means, as in the Wu-Tang Clan?
You can't say the word, can you? Wu-Tang Clan.
Yes, I'm saying that correctly.
It sounds like you're saying Wu-Tang Clang.
Oh.
Yeah.
Oh no, but it has a G on the end.
No, it doesn't.
Yes, it does. It's Wu-Tang Clang.
Right.
No, no, no, Clang doesn't have a G on it.
Clang, Clang, okay, Wikipedia. Wikipedia.
Okay.
Jeez, we're trying to do a podcast here.
Wu-Tang Clan.
Oh, shit. Thank you.
Thank you very much.
Smashing Security, Episode 202: The Wu-Tang Clan Are Among Us, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 202.
My name's Graham Cluley.
My name's Graham Cluley.
And I'm Carole Theriault.
And we're joined this week by a special guest, aren't we, Carole?
Yes, we are. Very good friend of mine and Brainiac and regular on the show, I'd say, Mr. James Thomson.
A friend of Graham's too, one would hope. But yes, hello.
Hello, James. So, James, you're stuck out in Slovakia. Well, I say stuck out, you actually live there, don't you?
I do, yes.
Yeah, but you're in lockdown right now, aren't you?
Well, yeah, it's a kind of half-assed lockdown where you're allowed to go to the shops and go to work and primary schools are still open.
Do all the shit stuff, but none of the fun stuff.
Yeah, exactly.
Yeah.
Everything's shut at 5 o'clock in the afternoon.
Well, thank God for us then.
We've livened up your day, haven't we?
You have. Thank you.
Carole, what's coming up on the show this week?
First, let's thank this week's sponsors, Recorded Future, LastPass, and Immersive Labs. Their support helps us give you this show for free.
Now, coming up on today's show, Graham regales us with a story of scammers pretending to be rappers.
James talks election voting machines, and I ask what politicians are doing on gaming platforms. Also, we have a fab interview with LastPass's Dalia Hamze. She's new to the show.
She's a security engagement manager, and she talks frankly about how she got into security and gives us a few fresh ideas on how we can communicate it to others.
All this and much more coming up on this episode of Smashing Security.
Now, coming up on today's show, Graham regales us with a story of scammers pretending to be rappers.
James talks election voting machines, and I ask what politicians are doing on gaming platforms. Also, we have a fab interview with LastPass's Dalia Hamze. She's new to the show.
She's a security engagement manager, and she talks frankly about how she got into security and gives us a few fresh ideas on how we can communicate it to others.
All this and much more coming up on this episode of Smashing Security.
Now, chums, we've all heard of identity theft, haven't we? We're all familiar with that?
No.
No? Never?
No. Have we talked about it before?
It was a rhetorical question. I wasn't really expecting you to answer. Oh, oh right.
I'll just shut up.
Sorry. In an untrue way. No, you can jump in if you want, Carole. But of course, identity theft's when someone pretends to be someone they're not with naughtiness and fraud in mind.
But have you ever heard of people pretending to be a rap band? People who might pretend to be a rock group or some sort of artiste, but in fact they're not really the real thing.
But have you ever heard of people pretending to be a rap band? People who might pretend to be a rock group or some sort of artiste, but in fact they're not really the real thing.
No, have you?
Yes, I have, and I'm going to tell you about some right now.
Oh, okay, here we go.
I'm going to tell you about a couple of chaps. One of them, his name is— and these are their real names— Aaron Barnes Burpo.
Come on, it's very juvenile to laugh at somebody's name.
Come on, it's very juvenile to laugh at somebody's name.
I'm sorry, Graham, that is not anybody's name.
It is. Aaron Barnes Burpo. And Walker Washington. And these two chaps got into a little pickle. They got themselves into a sticky pickle because—
TM Carole Theriault.
What they found themselves doing was they rented a Rolls-Royce Phantom limousine.
And having rented this Rolls-Royce Phantom limousine for a not inconsiderable amount of money— in fact, they actually spent nearly $60,000 renting this Rolls-Royce Phantom limousine.
And having rented this Rolls-Royce Phantom limousine for a not inconsiderable amount of money— in fact, they actually spent nearly $60,000 renting this Rolls-Royce Phantom limousine.
For how long? Well, I'm—
Do you know, I've actually been in a Rolls-Royce Phantom limousine before.
Yes, I have.
Was it with a couple of rappers?
A mutual friend of James and mine once came to my work and picked me up because he's a car journalist.
And—
Oh, I think I know who that is.
Uh-huh. And we went for lunch. And inside the logbook, it had already been driven by someone Sophie Dahl. And Robbie Williams had rented it the week before.
Oh, I hope he cleaned up afterwards.
Yeah, I'm up with the big crew.
This is the kind of company we move in.
That's right.
Very impressive. Well, on this particular occasion, it was Messieurs Barnes-Burpo and Washington who took this limousine.
I would love to see their name in the book.
Well, that's interesting. Yes. What name would they put in the book? Because what they did was they pretended to be other people because they used other names.
One of them pretended to work for Roc Nation. James, you're down with the kids. Are you familiar with Roc Nation? The music company run by Jay-Z?
One of them pretended to work for Roc Nation. James, you're down with the kids. Are you familiar with Roc Nation? The music company run by Jay-Z?
I am as unfamiliar with Roc Nation as I am with Aaron Barnes Burpo.
James is very aware of Huey Lewis and the News. Other than that—
No, those heights have never been scaled since.
That's right.
Well, maybe you are more familiar with the Wu-Tang Clan. The Wu-Tang Clan, one of the—
Is that the Wuhan Clan? Is that—
No.
No, it's— Do you actually know what Wu-Tang means? As in the Wu-Tang Clan?
You can't say the word, can you? Wu-Tang Clan.
Yes, I'm saying that correctly.
It sounds like you're saying Wu-Tang Clang.
Oh.
Yeah.
Oh no, but it has a G on the end.
No, it doesn't.
Yes, it does.
Oh, well, not in your notes.
Well, you shouldn't be reading my notes. It has a G on the end. At first, I thought it didn't have a G, but it has a G. It's Wu-Tang Clan.
No, no, no. Clan doesn't have a G on it.
Clan, clan, da. Okay, Wikipedia.
Wikipedia. Okay.
Jeez, we're trying to do a podcast here. 202 episodes. And now, is anyone else looking?
I'm looking. Wu-Tang Clan.
Oh, shit.
Thank you.
Thank you very much. This is where you say you were right, Carole. I apologise.
You were right. What's confused me is that Tang has a G in it.
Yes, I— yes, I— yes. Wu-Tang Clan.
Yeah.
Okay, do you know what Wu-Tang means?
Wu-Tang? No.
Witty, unpredictable, talent, and natural game. So if you ever hear of the Wu-Tang Clan, that's what they are. Now, I'm quite familiar with these two, right? These two.
Sounds it.
I'm quite familiar with this group. And I'm a big fan actually of the Wu-Tang Clan, which people may not realise.
I meant— I meant— The good old days of Method Man and Ghostface Killah and Inspectah Deck. Remember that? James, remember Master Killah?
I meant— I meant— The good old days of Method Man and Ghostface Killah and Inspectah Deck. Remember that? James, remember Master Killah?
I have no idea what you're talking about.
And they haven't been the same since Ol' Dirty Bastard passed away, have they?
Oh no, no, of course, now you mention him.
Yeah. Well, many's the time I've put Fish Scale on my decks and recognised the influence of big— Hang on, I'm sorry.
On your decks?
I'm reading this piece of paper. The influence of Big Daddy Kane on their art. I'm lying, of course. I know nothing of the Wu-Tang Clan. My wife, however, does.
I said to her, I'm going to be talking about the Wu-Tang Clan later. And she said, that's not how you say the name.
But she did say that she had some of their CDs and she's regularly bopping around, jumping up and down like Zebedee, reeling off. And she told me some names of their famous songs.
She said, there's a really good one, she said, called Da Mystery of Chessboxin'. Anyway.
I said to her, I'm going to be talking about the Wu-Tang Clan later. And she said, that's not how you say the name.
But she did say that she had some of their CDs and she's regularly bopping around, jumping up and down like Zebedee, reeling off. And she told me some names of their famous songs.
She said, there's a really good one, she said, called Da Mystery of Chessboxin'. Anyway.
Did you listen to this Da Mystery song?
She did play a little bit of it. It was rap, so it's not really my cup of tea.
Right.
But Aaron Barnes-Burpo and Walker Washington.
Is that why you chose to tell this story, just because of their names?
They were arrested in February this year, right?
And charged with conspiring to commit wire fraud and aggravated identity theft, presumably the aggravated identity theft of pretending to be the Wu-Tang Clan.
And charged with conspiring to commit wire fraud and aggravated identity theft, presumably the aggravated identity theft of pretending to be the Wu-Tang Clan.
Okay.
Now, you know how sometimes they say a crime is aggravated? What is an aggravated identity theft?
I've never heard those two words together.
Have you not? Have you never heard of an aggravated robbery or something like that?
Aggravated assault.
Yeah, aggravated assault. But aggravated identity theft. What do they do, rip off your name? Off your personality? Just—
I thought it could be just someone very, very annoying pretending to be you, or exasperating, and they kept on pretending to be you. So I had to look it up.
And so this is my little bit of education for everyone listening. Maybe everyone knows this. When a crime is aggravated, it just means it's a bit worse.
So it's more serious than it would otherwise be. So that's why if you ever hear Americans talk about aggravated something—
And so this is my little bit of education for everyone listening. Maybe everyone knows this. When a crime is aggravated, it just means it's a bit worse.
So it's more serious than it would otherwise be. So that's why if you ever hear Americans talk about aggravated something—
So this is serious identity theft rather than crappy identity theft. Serious identity theft.
Exactly.
And I imagine because of the amount of money involved, because they did obviously defraud quite a lot of money out of this limousine company because they didn't pay them real money.
They just rolled in pretending to work for Jay-Z.
And I imagine because of the amount of money involved, because they did obviously defraud quite a lot of money out of this limousine company because they didn't pay them real money.
They just rolled in pretending to work for Jay-Z.
Oh, so this is what it's all about.
Yes.
They just walked in, said, hey, we're the Wu-Tang Clan. Yeah, yeah, yeah, $60K. Yeah, yeah, yeah, yeah, no problem, throw in the champers.
And then they went off and with the, you know, rapping in their car, and then they got the invoice and didn't pay it.
And then they went off and with the, you know, rapping in their car, and then they got the invoice and didn't pay it.
And then they've got this fancy limo, this Phantom Rolls-Royce.
How long did they have it for?
Oh, they had it for a while because they would—
About 6 months at that price, I would argue.
They were going from hotel to hotel using fake and stolen credit cards, booking hotel rooms. And it wasn't just them. They also had a posse.
So they had men and women with them as well.
So they had men and women with them as well.
Well, to make them look more famous. You need the hangers-on.
To make it look like they're on entourage.
So they would go, for instance, to the Georgian Terrace Hotel in Atlanta, and they booked like, you know, 10 rooms for all of these people.
So they had some women, they had some men, some of them were homeless people who they'd hired to pretend to be bodyguards for them.
And they were raking up huge bills in goods and services in cities— Atlanta, Nashville, across the southern states.
And another hotel they went to, the Hyatt Regency in Atlanta, they walked away without paying its $39,000 tab. And they also hired some recording studios.
So they would go, for instance, to the Georgian Terrace Hotel in Atlanta, and they booked like, you know, 10 rooms for all of these people.
So they had some women, they had some men, some of them were homeless people who they'd hired to pretend to be bodyguards for them.
And they were raking up huge bills in goods and services in cities— Atlanta, Nashville, across the southern states.
And another hotel they went to, the Hyatt Regency in Atlanta, they walked away without paying its $39,000 tab. And they also hired some recording studios.
How do they not pay if they have stolen credit cards and the like?
Ah, well, you see, Carole, let me tell you what happens, right?
What can happen is if you've got a stolen credit card, from what I've heard, what you can do is you can book in and quite often they'll say, oh, can we take an imprint of your credit card for $50 in case you use the minibar?
What can happen is if you've got a stolen credit card, from what I've heard, what you can do is you can book in and quite often they'll say, oh, can we take an imprint of your credit card for $50 in case you use the minibar?
Yeah, yeah, of course.
And you go, yo, yo, yo, no problem, man. Take it.
Oh, there's your rap character.
And then of course you pay the big bill when you leave, don't you?
But if you sneak out in the middle of the night, or if you're such a celebrity that they kind of, you kind of go, oh, put it on the account, you know, send it, send through the invoice to my company and we'll sort it out there.
But if you sneak out in the middle of the night, or if you're such a celebrity that they kind of, you kind of go, oh, put it on the account, you know, send it, send through the invoice to my company and we'll sort it out there.
Okay.
Now you might be wondering how these guys were caught.
No, I'm wondering what this has to do with IT security.
Well, I've got—
Well, it's cryptocurrency, phishing, and Smashing Security.
Sorry?
Was it when they pronounced his name Jay-Z? Was that when the penny finally dropped?
What's wrong?
What?
It is Jay-Z.
Graham, even I know it's not Jay-Z.
It's too much, James. It's just, there's too many of them. You can't point out every single one.
So. How were they caught? Well, would you believe the receptionist at the Fairfield Inn in Augusta was suspicious when they checked in?
He thought, hang on a minute, maybe he knew his rappers. I don't know.
And so he questioned them a bit, and they tried to convince him that they were really members of the Wu-Tang Clan.
He thought, hang on a minute, maybe he knew his rappers. I don't know.
And so he questioned them a bit, and they tried to convince him that they were really members of the Wu-Tang Clan.
How would you— I would just test them with the lyrics.
Well, exactly. Exactly. So the receptionist asked them to sing for him.
Okay.
And they said they couldn't do it without backing music.
So what happened was they got out a ghetto blaster, put a track on, and these guys lip-synced to the music, pretending to be singing.
So what happened was they got out a ghetto blaster, put a track on, and these guys lip-synced to the music, pretending to be singing.
Oh, for God's sake.
And the receptionist spotted this.
Spotted that their lips weren't in perfect sync.
If they'd been Milli Vanilli, they'd have got away with it. Then it would have been slightly more convincing. But as it was, they found it slightly implausible.
Actually, that isn't what happened. But I think that's how I would have got it. That's what I'd have gotten.
Instead, what the receptionist did was he rang up Jay-Z's company, Roc Music.
Actually, that isn't what happened. But I think that's how I would have got it. That's what I'd have gotten.
Instead, what the receptionist did was he rang up Jay-Z's company, Roc Music.
What was on speed dial?
Yeah, yeah, if you're in— if, yeah, of course you would be. If you're a swanky hotel, you've probably— you're prepared for this.
Rang them up and said, hey Jay, these guys claim they work for you, claim they're the Wu-Tang Clan.
Rang them up and said, hey Jay, these guys claim they work for you, claim they're the Wu-Tang Clan.
Clan?
And they said, no, Oh, for goodness' sake, can't they just change their name? It's really difficult. And they said the booking is absolutely nothing to do with us.
And so they were caught. So the whole point of this story is about what happens when your credit card details get stolen.
You might think they've been stolen by some lowlife to score a deal down some dark alleyway.
But in fact, they might end up in the hands of someone who's planning to perpetrate a Wu-Tang scam. And so—
And so they were caught. So the whole point of this story is about what happens when your credit card details get stolen.
You might think they've been stolen by some lowlife to score a deal down some dark alleyway.
But in fact, they might end up in the hands of someone who's planning to perpetrate a Wu-Tang scam. And so—
I think that was his punchline.
And so these guys have been nabbed. They've now pleaded guilty to conspiracy to commit wire fraud. They face up to, get this, they face up to 20 years in prison.
Presumably because of the amount of money that they racked up.
It's quite hefty, isn't it? The guys who are homeless, the homeless bodyguards, they've got away scot-free.
And I think that's a little bit unfair, because those guys, if they're really homeless— 20 years, you know, I don't know what it's like in a federal prison.
I imagine it's not very pleasant. But even so, something to think about. So that is—
And I think that's a little bit unfair, because those guys, if they're really homeless— 20 years, you know, I don't know what it's like in a federal prison.
I imagine it's not very pleasant. But even so, something to think about. So that is—
Okay, can I just—
Yes.
So as a person whose credit card details might be stolen, say I were someone who had been caught up in this little rigmarole, I probably wouldn't have to pay out, right?
It would be the credit card company that would have to pay out on that.
It would be the credit card company that would have to pay out on that.
Well, hopefully, yes, indeed. Yes. But Carole, you have to understand that even if the credit card company pay out, we all end up paying in the end.
Yeah, no, thanks. Thanks for that.
Right? No, but it's an important point, isn't it? It's not as though there aren't victims of this and we all suffer as a result of these kinds of scams.
Stop claiming this is a victimless crime because it's not, is it?
Stop claiming this is a victimless crime because it's not, is it?
Well, I don't know. I mean, I don't think it's a victimless crime.
I just think from a view of someone whose credit card might be stolen, you'd be worried more about being liable in these instances, right?
And I guess that's what I'd be wondering, since I'm sure you've done that research, so what do our listeners need to take away from this?
I just think from a view of someone whose credit card might be stolen, you'd be worried more about being liable in these instances, right?
And I guess that's what I'd be wondering, since I'm sure you've done that research, so what do our listeners need to take away from this?
Well, what I think you need to take away is that you always need to be suspicious of fraudsters.
You have to keep your eyes open for people who might claim to be someone that they are not. And you may encounter them in real life, you may encounter them in your inbox.
And don't be so dazzled by the fact that you believe you have a celebrity, for instance, booking a room with you that you won't question them. So don't be afraid to question.
Don't be afraid to double-check.
Don't be afraid like this receptionist at the Fairfield Inn in Augusta wasn't afraid to ring up Roc Music and confirm that they really were who they claimed to be.
You have to keep your eyes open for people who might claim to be someone that they are not. And you may encounter them in real life, you may encounter them in your inbox.
And don't be so dazzled by the fact that you believe you have a celebrity, for instance, booking a room with you that you won't question them. So don't be afraid to question.
Don't be afraid to double-check.
Don't be afraid like this receptionist at the Fairfield Inn in Augusta wasn't afraid to ring up Roc Music and confirm that they really were who they claimed to be.
And who do they claim to be?
The Wu-Tang Clan.
Very good. Well done, Graham, you got it.
Honestly, I think this guy had a good enough name to begin with. I don't know why he was impersonating other people.
Aaron Barnes Burpo. James, what story have you got for us this week?
Well, as you may be aware, the Americans are holding a presidential election next week, and I am always in awe of the fact that Americans love tech.
I mean, how else can you explain voting machines?
Now, you might be aware that when Americans go to vote for the most part, they do not put a cross in a box in the method with which we are familiar, but they go and either prod a computer screen or in some cases pull a lever.
You might recall that back in 2000, there was a disputed presidential election which came down to a few hundred votes in Florida.
I mean, how else can you explain voting machines?
Now, you might be aware that when Americans go to vote for the most part, they do not put a cross in a box in the method with which we are familiar, but they go and either prod a computer screen or in some cases pull a lever.
You might recall that back in 2000, there was a disputed presidential election which came down to a few hundred votes in Florida.
The hanging chads.
Exactly, the hanging chads. But not just the hanging chads, the dimpled chads, the pregnant chads, the open and closed chads.
There was a whole kind of lexicon that developed out of this crisis, which was partly to do with— well, there was a whole series of issues, but one of it was bad ballot paper design and also these devices that people used to punch holes in cards.
In the wake of that fiasco, they decided to upgrade their voting systems.
And they gave the states who are responsible for holding elections in the United States, the individual states, a huge dollop of cash, billions of dollars to upgrade their voting systems, and they all went out and bought the most astonishing collection of digital— well, I don't know, this is a family show, I don't want to offend people.
There was a whole kind of lexicon that developed out of this crisis, which was partly to do with— well, there was a whole series of issues, but one of it was bad ballot paper design and also these devices that people used to punch holes in cards.
In the wake of that fiasco, they decided to upgrade their voting systems.
And they gave the states who are responsible for holding elections in the United States, the individual states, a huge dollop of cash, billions of dollars to upgrade their voting systems, and they all went out and bought the most astonishing collection of digital— well, I don't know, this is a family show, I don't want to offend people.
No families listen to this.
Digital dogshit, if you will. Of course, yes, in the style of the Wu-Tang Clan, or Klan even.
Klan.
Thank you.
Now, this means that there are now several states in the US where if the aging computers that they bought 20 years ago fall over, or the Russians manage to hack them, there is no paper record of how people voted.
That's to say, you go into the booth, you press on a screen.
Now, this means that there are now several states in the US where if the aging computers that they bought 20 years ago fall over, or the Russians manage to hack them, there is no paper record of how people voted.
That's to say, you go into the booth, you press on a screen.
Yeah.
Yeah.
It goes, "Thank you very much, you may now leave." And there is no record other than in the guts of this creaking Windows XP-fired machine.
Oh, can't even print out logs.
There is nada. Well, the voters see nothing. I'm sure at some point in the process they can print some log out, but basically you're relying on this technology.
Do nobody else? I mean, you're right, in the UK we certainly don't have voting machines.
We've got a very sophisticated— I mean, it's worth saying to our American audience, we have a very sophisticated system in operation here in the United Kingdom where on election day you take your dog to a church hall.
You are asked for your name. You're then notably not asked for any identification whatsoever because we're British and thus trustworthy.
And they give you a little stubby pencil and you go into a cubicle and you just mark a name, don't you, and say, this is the one I'd quite like, thank you very much.
You are asked for your name. You're then notably not asked for any identification whatsoever because we're British and thus trustworthy.
And they give you a little stubby pencil and you go into a cubicle and you just mark a name, don't you, and say, this is the one I'd quite like, thank you very much.
Are you marking this? Are you marking this?
No, I'm so— I think it's a remarkable system. And then there are these wonderful people who stay up until 3 o'clock that morning counting up all the pieces of paper.
Yeah, it's kind of like the book. It's a kind of unimprovable technology because—
It's hack-proof really, isn't it? The way we do it in the UK.
Look, I mean, back in the 18th and 19th centuries, there was plenty of electoral fraud, but to arrange electoral fraud using a paper-based system now just is impossibly expensive.
You just require too many people and too many physical resources.
And yet these machines are a gift to people who either want to screw up your electoral system or else to cast doubt on the electoral system.
And as you might be aware, there has been a lot of casting of doubt lately.
You just require too many people and too many physical resources.
And yet these machines are a gift to people who either want to screw up your electoral system or else to cast doubt on the electoral system.
And as you might be aware, there has been a lot of casting of doubt lately.
Come, come.
But the amazing thing is that in the wake of the last election, obviously there was a lot of concern because of the alleged Russian hacking of, well, the attention economy, but also allegations that there have been attempts to hack electoral systems.
And so there's actually a rather good New York Times video in which they've explored the security of the electoral system in the US.
And it comes to a sort of positive conclusion, moderately, that this US election could be the most secure yet.
But in the course of it, they interview some of the people responsible for the system, including the wonderfully named Dana de Beauvoir, who is the— yeah, she's no Barnes Burpo, but still, you've got to respect a name like that.
And she's the county clerk of Travis County, Texas. Which is one of these places you've never heard of but has a million people living in it.
And she said that with all of this federal money they got 20 years ago, they asked their voters what they wanted and the voters told them that the most important thing was to have a paper trail.
It was well, you know, duh. And before that they'd been using these machines which left no record.
But instead of just deciding to use paper ballots, they went on a 15-year search for voting machines that print out the result of you having pressed a screen.
Now, I can't quite work out, although I don't claim to have any inside knowledge of the American electoral system, why you can't just cut the computer out of this equation.
Why does there have to be a digital middleman in this process? Now, I know that in America when they go to vote, they go to vote on about 300 different things at the same time.
There's the presidency, there's in some places the Senate, there's always a congressional election, there's local council, there's governors, there's dog catchers, you name it.
Judges even. I mean, they elect judges, don't ask me how that works.
But the problem is that there's this mishmash of systems, almost all of which rely at some level on a machine either to vote with or to count the votes or to do various other things during the process.
And a lot of these are horribly underprotected and the New York Times reporter David Sanger who focuses mostly on intelligence issues says the real danger here is not a major hack, although that can't be ruled out, that somebody might try to get into the system and change all of the totals, because there's normally ways to check if someone's just screwed with a few numbers in the system.
The problem is more of what's called a perception hack, which is where you just go in, you cause a few little screw-ups here and there, and then you get your Twitter bot armies to go in hard and say, that's it, the whole thing is corrupted, you can't trust the result.
So all I can say is thank goodness no one is trying to undermine confidence in the result. Oh, oh wait.
And so there's actually a rather good New York Times video in which they've explored the security of the electoral system in the US.
And it comes to a sort of positive conclusion, moderately, that this US election could be the most secure yet.
But in the course of it, they interview some of the people responsible for the system, including the wonderfully named Dana de Beauvoir, who is the— yeah, she's no Barnes Burpo, but still, you've got to respect a name like that.
And she's the county clerk of Travis County, Texas. Which is one of these places you've never heard of but has a million people living in it.
And she said that with all of this federal money they got 20 years ago, they asked their voters what they wanted and the voters told them that the most important thing was to have a paper trail.
It was well, you know, duh. And before that they'd been using these machines which left no record.
But instead of just deciding to use paper ballots, they went on a 15-year search for voting machines that print out the result of you having pressed a screen.
Now, I can't quite work out, although I don't claim to have any inside knowledge of the American electoral system, why you can't just cut the computer out of this equation.
Why does there have to be a digital middleman in this process? Now, I know that in America when they go to vote, they go to vote on about 300 different things at the same time.
There's the presidency, there's in some places the Senate, there's always a congressional election, there's local council, there's governors, there's dog catchers, you name it.
Judges even. I mean, they elect judges, don't ask me how that works.
But the problem is that there's this mishmash of systems, almost all of which rely at some level on a machine either to vote with or to count the votes or to do various other things during the process.
And a lot of these are horribly underprotected and the New York Times reporter David Sanger who focuses mostly on intelligence issues says the real danger here is not a major hack, although that can't be ruled out, that somebody might try to get into the system and change all of the totals, because there's normally ways to check if someone's just screwed with a few numbers in the system.
The problem is more of what's called a perception hack, which is where you just go in, you cause a few little screw-ups here and there, and then you get your Twitter bot armies to go in hard and say, that's it, the whole thing is corrupted, you can't trust the result.
So all I can say is thank goodness no one is trying to undermine confidence in the result. Oh, oh wait.
And these machines are all connected. I wonder why the machines have to actually be connected to each other. Why can't they just be standalone and then—
Well, the irony is that the oldest ones that date back more than 20 years, they're not actually internet-enabled. So in a way, they are actually safer.
But the problem with those, of course, is that they're running on ancient hardware and software, which, you know, under severe pressure might well give way.
And then with these machines that don't keep a paper record, that's it. You've lost all the votes. There's no other record anywhere.
I mean, of course, we've seen in the last few weeks, there have been, I think now, 60 million people have voted early in the US.
And that's partly because they, for no very good reason, but mainly because of the propaganda of one side, a certain Donald J.
Trump, not that the mail-in ballots aren't correct, but that they won't be validated in the same way. So they've actually been queuing up.
You might've seen these amazing videos of people queuing for hours on end just to vote early so that they know that their ballot has gone into the box and can't be later ruled invalid.
But the problem with those, of course, is that they're running on ancient hardware and software, which, you know, under severe pressure might well give way.
And then with these machines that don't keep a paper record, that's it. You've lost all the votes. There's no other record anywhere.
I mean, of course, we've seen in the last few weeks, there have been, I think now, 60 million people have voted early in the US.
And that's partly because they, for no very good reason, but mainly because of the propaganda of one side, a certain Donald J.
Trump, not that the mail-in ballots aren't correct, but that they won't be validated in the same way. So they've actually been queuing up.
You might've seen these amazing videos of people queuing for hours on end just to vote early so that they know that their ballot has gone into the box and can't be later ruled invalid.
I can't understand that either. How can there be lineups so far ahead of the election? Because there's so few stations?
Or because it takes so long to fill in the 80,000 different things they have to fill in for all the different—
Or because it takes so long to fill in the 80,000 different things they have to fill in for all the different—
I think a lot of the places where you can make your vote have been shut down, haven't they? There's an absence of opportunity.
So we might, for instance, have to drive up to Chester if we wanted to vote here in Oxford.
So we might, for instance, have to drive up to Chester if we wanted to vote here in Oxford.
I would have to walk across the street.
Well, yeah, but I'm saying if we had a similar situation to what's going on in America, you may require quite a trip.
Yeah, there have been a series of efforts to— well, I mean, these are allegations, but I think they're pretty well substantiated— to limit access to voting.
And it's worse in some states than others, but like Graham says, in Britain, if you want to vote, you just toddle off down to the local primary school or the church hall, and in every village or town there is somewhere to vote.
And it's worse in some states than others, but like Graham says, in Britain, if you want to vote, you just toddle off down to the local primary school or the church hall, and in every village or town there is somewhere to vote.
You know what could solve all these security issues though with voting machines, and I think they need to introduce— maybe they need to get the blockchain involved.
Oh God.
Or pen and paper. When we go back old school, I'm, you know—
That is my proposal.
Luddites unite.
But you know, this is the thing which has impressed me of American elections in the past, is that at certain, like 10 o'clock at night or 11 o'clock or whatever, they suddenly announce lots of different states and what the vote is.
And I guess it's because of these machines, whereas here in the UK you may have to wait until 6 o'clock the next morning.
And I guess it's because of these machines, whereas here in the UK you may have to wait until 6 o'clock the next morning.
Oh, you'll be waiting this year, honey?
Well, presumably we will be waiting maybe for a week or two, and what's going to happen in the meantime?
It could be longer. I mean, if there's disputes over mail-in ballots.
So, James, this is our last podcast before Election Day USA. Can you make any predictions? Are there going to be some shenanigans, do you think?
Or will it all be plain smooth sailing?
Or will it all be plain smooth sailing?
I think I can— I think I'd confidently predict there will be shenanigans.
I mean, there have been shenanigans for the last 4 years, so the idea that there won't be next week is implausible. The question is whether there's just a tidal wave.
I mean, there have been shenanigans for the last 4 years, so the idea that there won't be next week is implausible. The question is whether there's just a tidal wave.
Oh, don't worry, Kanye's probably gonna win it.
That's my call. I thought Ol' Dirty Bastard was on the ballot too until his unfortunate demise.
Not been the same since.
No.
Carole, what have you got for us this week?
Oh, well, I'm staying on the political track, but just taking a left turn here.
Right.
So, as we've been saying, all eyes are on America right now, politically speaking. You know, it's a crazy situation to think pandemic plus volatile elections, it's a crazy ride.
With the pandemic, most of us are staying home way more than normal. And so how does a politician get their messages across?
We've been seeing a few different people representing various parties take to the digital motorways to do this.
And one of the interesting places politicians have been showing up is the gaming world.
So two weeks ago on Animal Crossing, Nintendo Switch game we've talked about before on the show, Biden launched its own island called Biden HQ, featuring a Biden avatar in aviators who only says, "No malarkey." And interestingly, the island had a shop and a voting area with text codes for players to sign up to vote and buy in-game merchandise that would benefit the campaign.
And this, when it was launched, was streamed to hundreds of thousands live on Amazon-owned Twitch.
And then again, last Tuesday, we saw two US Congress members, Alexandria Ocasio-Cortez and Ilhan Omar, take to Twitch's very popular game called Among Us.
Do you guys ever heard of it?
With the pandemic, most of us are staying home way more than normal. And so how does a politician get their messages across?
We've been seeing a few different people representing various parties take to the digital motorways to do this.
And one of the interesting places politicians have been showing up is the gaming world.
So two weeks ago on Animal Crossing, Nintendo Switch game we've talked about before on the show, Biden launched its own island called Biden HQ, featuring a Biden avatar in aviators who only says, "No malarkey." And interestingly, the island had a shop and a voting area with text codes for players to sign up to vote and buy in-game merchandise that would benefit the campaign.
And this, when it was launched, was streamed to hundreds of thousands live on Amazon-owned Twitch.
And then again, last Tuesday, we saw two US Congress members, Alexandria Ocasio-Cortez and Ilhan Omar, take to Twitch's very popular game called Among Us.
Do you guys ever heard of it?
Oh, Among Us, yes.
Yeah, see, I haven't. I hadn't at all.
Oh, Among Us is huge, Carole. I haven't played it. I know it came out probably a year or two ago, but it became huge this summer.
That's right. That's right.
When some popular YouTube streamers started to play it, and then everyone is playing it.
Exactly right.
It's a whodunit on a spaceship or something where you go around with a funny character trying to work out who the baddie is.
Is it Jet Set Willy?
It reminded me a bit of that game Mafia we used to play, Graham, you know?
Yes.
Someone is kind of tapped on the shoulder to be the bad guy in the crew and you have to try and identify who that is, is basically what seems to be going on.
Now anyway, AOC, as we'll call her, Alexandria Ocasio-Cortez, AOC, 4 minutes into her Twitch game, she admits she's no gamer, right?
So it's not she's a diehard gamer and this is her space. This is in her wheelhouse. And she didn't just kind of do a kind of fly-by-the-seat-of-her-pants kind of public affair.
You know, when a politician shows up, does a quick shimmy, yells a few things, shakes a few babies, kisses— Oh, I did that wrong.
Now anyway, AOC, as we'll call her, Alexandria Ocasio-Cortez, AOC, 4 minutes into her Twitch game, she admits she's no gamer, right?
So it's not she's a diehard gamer and this is her space. This is in her wheelhouse. And she didn't just kind of do a kind of fly-by-the-seat-of-her-pants kind of public affair.
You know, when a politician shows up, does a quick shimmy, yells a few things, shakes a few babies, kisses— Oh, I did that wrong.
Shakes a few babies?
Shakes a few babies, kisses a few hands. You know what I mean?
Carole, you're not supposed to do that. Don't shake the babies. Maybe.
That's why I'm not a politician. She played not for 5, 10 minutes, but for 3.5 hours. And during this entire time was utterly engaged in the game.
She was totally engaged and she was totally engaging to watch.
She was totally engaged and she was totally engaging to watch.
I watched it.
Did you watch all of it?
No, I didn't. I didn't watch all of it, but I saw some of it. Yeah.
Can I ask, as a spokesperson for somebody who knows nothing about computer games, is this one of these games that you can start playing relatively easily as opposed to some of these, you know, these ones sometimes they talk about these esports games and there's a shot of these kids playing these games and it's just completely baffling to anyone who doesn't know how these games work.
Yeah, it's not one of those, you could definitely play Among Us.
Yeah, right, right.
It's like a party game.
You play with other people and you can play in the same, if we were hanging out together, we could play together, you and I, or we could get remote players and Graham could join us and other people.
And you have a spaceship, you're preparing it for departure, you know, with your crew.
You play with other people and you can play in the same, if we were hanging out together, we could play together, you and I, or we could get remote players and Graham could join us and other people.
And you have a spaceship, you're preparing it for departure, you know, with your crew.
So AOC could just dive straight in and just play a game.
Right, and she called certain big high-profile gamers to come and be on her team, right? So she was playing with a lot of the hotshots in the Twitchosphere and the Among Usphere.
As they call it.
As they call it. Now, this is, as Graham said, one of the hottest games in the US. Worldwide in September alone, can you guess how many times it was downloaded?
Is it more or less than 2,000?
It's more than 2,000.
I never want to go in too high, you see, because that ruins your—
Oh, I don't know.
Try. Just go high.
Was it more or less than 1 million?
It was downloaded nearly 84 million times in one month.
By Jove.
Yeah. Big. Yeah. Her own stream attracted at one point more than 400,000 viewers. Right now, of course, you can go see this. This was just for the live show.
And this was making— this made it the third most popular stream on the site. So not bad for a first try.
And this was making— this made it the third most popular stream on the site. So not bad for a first try.
And she's now one of the most followed Twitch streamers who exists, I believe.
Yeah, she came in hot and fast. Yeah, she's— that's how I want to join a new industry, I tell you.
Do you think she might give up her political career now?
I mean, she's certainly got this on the back burner now, doesn't she? Now, Twitch isn't just used for the Dems. Republicans have a few channels too.
The Republican convention was streamed on the platform a couple of months ago. And Donald Trump has his own account.
The Republican convention was streamed on the platform a couple of months ago. And Donald Trump has his own account.
The best is yet to come.
Yes, the best is yet. Oh my God.
Was that as popular as AOC playing Among Us?
There's a market for that stuff, Graham.
I would quite like to see Mike Pence or William Barr. I'd like to see them playing Metal Gear Solid or something like that on Twitch to attract the kids.
That'd be great, wouldn't it?
That'd be great, wouldn't it?
Okay, so whilst the Republicans have been on these channels, they haven't used it in the gaming sphere.
They kind of do it to show off latest video campaigns or new segments that are favorable or that sort of thing.
They kind of do it to show off latest video campaigns or new segments that are favorable or that sort of thing.
Yeah, boring.
As this is a security show, right? I'm going to get to it. So two days after AOC and Omar's Twitch game was streamed, Among Us was hit by a spam attack.
Ooh.
And it affected most of the gaming community that were playing online according to Engadget.
So it started two days later on Thursday evening, players in public matches found their game chats.
So you have this kind of chat where you can chat with the other players, started broadcasting new messages demanding that users subscribe to a YouTube channel called Eris Loei.
So it started two days later on Thursday evening, players in public matches found their game chats.
So you have this kind of chat where you can chat with the other players, started broadcasting new messages demanding that users subscribe to a YouTube channel called Eris Loei.
Right.
Now, in various permutations of the messages which were being dumped and spammed out on these public broadcast messages, Loris threatens to hack your device or blow up your phone if you don't subscribe to his YouTube channel.
I'm imagining they're about 14 years old, is that right?
And it concluded with an unrelated Trump 2020 at the end. So, you know, God, if it were MAGA 2020, it would have been much way funnier, actually.
Because that's the way to motivate someone to vote a particular direction, isn't it? Is to spam them constantly and tell them to visit your YouTube channel.
Well, I have another theory.
So basically this Eris Loris, with the help of a dozen or so volunteers, claims to have hit as many as 1.5 million games affecting around 5 million players.
And I mean, look, if I was looking around today, the Among Us subreddit is filled with threads dedicated to this situation, right?
You go to Twitter and you see hundreds of messages too. So things like, okay, what the hell just happened? I'm in Among Us lobby.
Next thing I know, the entire lobby is black and the chat is spammed, subscribe to Eris Loris on YouTube. Do you have any clue?
And they're asking the developers of the game Among Us, which is InnerSloth, who I think are quite a small company. Don't take all my lines away from me.
Oh, I'm sorry, you've researched this already.
So basically this Eris Loris, with the help of a dozen or so volunteers, claims to have hit as many as 1.5 million games affecting around 5 million players.
And I mean, look, if I was looking around today, the Among Us subreddit is filled with threads dedicated to this situation, right?
You go to Twitter and you see hundreds of messages too. So things like, okay, what the hell just happened? I'm in Among Us lobby.
Next thing I know, the entire lobby is black and the chat is spammed, subscribe to Eris Loris on YouTube. Do you have any clue?
And they're asking the developers of the game Among Us, which is InnerSloth, who I think are quite a small company. Don't take all my lines away from me.
Oh, I'm sorry, you've researched this already.
Okay, shush.
Now, if you play Among Us today, People are all over chatting about this, and it was bad.
The creator of the game, InnerSloth, tweeted people asking them to stop playing the game until the problem was resolved.
And they ended up pushing out an emergency server update to try and mitigate the problem.
But there are still some people complaining on Twitter about it today, which is 4 days later. So maybe there's latency in the rollout.
But one of the big problems is no matter how amazingly dedicated the Among Us dev team, InnerSloth, is they're only a 3-person band.
And as you were saying, it was released 2 years ago. And by when did they have millions in play? It was this summer that it went crazy with the pandemic.
So millions and millions of people started playing after some streamers were like, hey, this is cool. And yet they haven't built their team.
So how can a handful of developers manage such an environment? Like, it doesn't scale if shit hits the fan, and I don't know if that's very responsible.
The creator of the game, InnerSloth, tweeted people asking them to stop playing the game until the problem was resolved.
And they ended up pushing out an emergency server update to try and mitigate the problem.
But there are still some people complaining on Twitter about it today, which is 4 days later. So maybe there's latency in the rollout.
But one of the big problems is no matter how amazingly dedicated the Among Us dev team, InnerSloth, is they're only a 3-person band.
And as you were saying, it was released 2 years ago. And by when did they have millions in play? It was this summer that it went crazy with the pandemic.
So millions and millions of people started playing after some streamers were like, hey, this is cool. And yet they haven't built their team.
So how can a handful of developers manage such an environment? Like, it doesn't scale if shit hits the fan, and I don't know if that's very responsible.
Can I ask a Luddite question? How can this guy screw up your phone just from you playing a game you downloaded on it?
But the game, I think, uses your phone as well, right? So I don't know if it can screw up your phone other than just make it spam, spam, spam, spam.
You probably ruined just the game.
You probably ruined just the game.
Okay, well, that's a small loss. I think I can just delete that game.
I might be wrong. I didn't think there was even a smartphone version of—
No, no, no, there definitely is Android and iOS.
Oh, is there? You can play it on all of them, yeah.
Oh, okay.
Yeah.
Surprised my son hasn't already downloaded it then.
So meanwhile, so right, so these guys have 3 people and seeing how they handled it, watching how quickly they tried to manage this problem was good, but this is not the first time Among Us has been hit by some kind of crap.
There's lots of complaints online about, hey, people have workarounds or people are cheating. And there's this 3-person band trying to handle it all.
Now, meanwhile, gaming publication Kotaku reached out to this Eris Loris, who claimed responsibility for the spamming spree.
And like many hackers, he says he does not regret pissing off a boatload of players, 'cause that was his goal.
There's lots of complaints online about, hey, people have workarounds or people are cheating. And there's this 3-person band trying to handle it all.
Now, meanwhile, gaming publication Kotaku reached out to this Eris Loris, who claimed responsibility for the spamming spree.
And like many hackers, he says he does not regret pissing off a boatload of players, 'cause that was his goal.
Oh, so he admits it was him?
Yeah.
And if you go see his Twitter, it is, you know, when you were saying earlier, someone says, oh, he sounds like a 14-year-old guy?
Yeah.
I think you might be right. I think you might be right. There's huge threads on Twitter, all him responding to everybody. So really enjoyed the day, it seems.
How do you know from that that he's 14? Is he posting pictures of Heather Locklear or something?
No, no, no.
I'm just guessing from the way he talked and the way he was responding to people. I didn't get a feeling of a very mature mind.
I see.
I may be wrong. I may be wrong. He's not my bud. So he says, according to Kotaku, he said, "I was curious to see what would happen and personally found it funny.
The anger and hatred is the part that makes it funny.
If you care about a game and are willing to go and spam dislike some random dude on the internet because you can't play it for 3 minutes, it's stupid." So he's claiming, I just ruined your game for a bit.
What's your big deal? But users are not happy. People have even been giving online thumbs up to people trying to dox this Eris Loris.
So this is where people try and reveal his identity and personal information online so people can make his life hell. Please don't do this, folks.
Even if he totally ruined your game, please don't do this. And someone's even already put something up on Urban Dictionary about Eris Loris.
Quote, "A fat nobody who hacks innocent people Among Us games for clout. Oh, my game is botted by Eris Loris." So there you go.
The anger and hatred is the part that makes it funny.
If you care about a game and are willing to go and spam dislike some random dude on the internet because you can't play it for 3 minutes, it's stupid." So he's claiming, I just ruined your game for a bit.
What's your big deal? But users are not happy. People have even been giving online thumbs up to people trying to dox this Eris Loris.
So this is where people try and reveal his identity and personal information online so people can make his life hell. Please don't do this, folks.
Even if he totally ruined your game, please don't do this. And someone's even already put something up on Urban Dictionary about Eris Loris.
Quote, "A fat nobody who hacks innocent people Among Us games for clout. Oh, my game is botted by Eris Loris." So there you go.
Charming.
I think I'd rather work burpo into that line than Eris Loris.
Aaron Barnes Burpo.
Okay, but just, you know, just because we're on the political slant here, what's kind of interesting is that political parties can't raise money in these campaigns by saying, hey, you know, advertising, you know, give us cash.
But they can sell in Animal Crossing, they can sell these kind of virtual clothing or campaign stuff, and that money can go to the campaign.
So it's kind of a weird workaround of how you can fund the campaign.
But they can sell in Animal Crossing, they can sell these kind of virtual clothing or campaign stuff, and that money can go to the campaign.
So it's kind of a weird workaround of how you can fund the campaign.
Bizarre.
It is bizarre.
It is bizarre. But huge audience, 400,000. That's bigger than a rally.
Is America just crazy?
Oh, you don't think you're going to see BoJo on one of these next election cycle?
God, heaven forbid.
Yeah.
Tell me about it.
Smashing Security is sponsored this week by Recorded Future.
They empower organizations revealing unknown threats before they impact a business, helping teams respond to alerts 10 times faster.
Recorded Future does this by automatically collecting and analyzing intelligence from technical, open web, and dark web sources.
Well, you too can access the up-to-the-minute security intelligence that allows Recorded Future clients to make fast, confident security decisions by installing their free browser extension, Recorded Future Express.
Go and grab it now at smashingsecurity.com/recordedfuture. That's smashingsecurity.com/recordedfuture.
They empower organizations revealing unknown threats before they impact a business, helping teams respond to alerts 10 times faster.
Recorded Future does this by automatically collecting and analyzing intelligence from technical, open web, and dark web sources.
Well, you too can access the up-to-the-minute security intelligence that allows Recorded Future clients to make fast, confident security decisions by installing their free browser extension, Recorded Future Express.
Go and grab it now at smashingsecurity.com/recordedfuture. That's smashingsecurity.com/recordedfuture.
This episode of Smashing Security is also sponsored by Immersive Labs. They have created a free ebook. It's called Aligning Cyber Skills to the MITRE ATT&CK Framework.
The idea behind this free ebook is it gives you a guided tour of how the MITRE ATT&CK framework can totally simplify and strengthen your cybersecurity skill strategy.
It literally is a go-to framework. Learn more at immersive labs.com/smashing. And thanks to Immersive Labs for sponsoring the show.
The idea behind this free ebook is it gives you a guided tour of how the MITRE ATT&CK framework can totally simplify and strengthen your cybersecurity skill strategy.
It literally is a go-to framework. Learn more at immersive labs.com/smashing. And thanks to Immersive Labs for sponsoring the show.
This episode of Smashing Security is sponsored by LastPass. Now everyone knows about LastPass's password manager for end users, but it's also a great solution for businesses.
In fact, tens of thousands of companies rely upon LastPass to protect themselves.
LastPass Enterprise simplifies password management for companies of all sizes and helps you secure your workforce. So whatever the size of your business, go and check it out.
Go and visit lastpass.com/smashing to find out more. And thanks to LastPass for supporting the show.
And welcome back, and you join us for our favorite part of the show, the part of the show that we like to call Pick of the Week.
In fact, tens of thousands of companies rely upon LastPass to protect themselves.
LastPass Enterprise simplifies password management for companies of all sizes and helps you secure your workforce. So whatever the size of your business, go and check it out.
Go and visit lastpass.com/smashing to find out more. And thanks to LastPass for supporting the show.
And welcome back, and you join us for our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, book that they've read, TV show, movie, record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
Could be a funny story, book that they've read, TV show, movie, record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
Better not be.
Now, I've noticed that both of you have been quite political today, whereas I have kept my nose clean and have not dared to put my foot into the quagmire that is American politics.
No, you told us about a non-existent band called Clue Clang Clang.
Sounds like someone dropping a whole load of pans and pots in the kitchen, doesn't it?
A bag of spammers.
Well, I'm now going to put my foot very much in it because I'm going to go political because my pick of the week today is a website and a podcast and a newsletter called What the Fuck Just Happened Today.
Oh, and this—
Oh, and this—
We can't censor that one because otherwise no one will know how to get there.
Well, the name of the podcast, presumably because Apple objected to the F word, is WTFJTT. WTF just happened today, if you want to look that up.
And for your amusement, that is actually a word in Slovak.
WTF?
People actually say here, WTF.
WTF.
Oh, that's so lovely. Yeah, chummy.
Well, the whole purpose of this website and this podcast is, I don't know if you've noticed, there's quite a lot of political news and quite a lot of crazy shit is happening all the time.
Sometimes from the UK, quite a lot of the time from America. Now—
Well, the whole purpose of this website and this podcast is, I don't know if you've noticed, there's quite a lot of political news and quite a lot of crazy shit is happening all the time.
Sometimes from the UK, quite a lot of the time from America. Now—
A few other places as well.
I know, but this particular website seems to devote itself to what is happening in the Americas of USA. And what they do is they distill the day's events.
And so they give you a quick, maybe 5-minute summary of what has happened.
And the beauty of this, of course, is that you don't have to watch some cable news for hours and hours where they're endlessly re-interviewing experts and commentators to pontificate about something that's happened.
And then you have journalists who are interviewing other journalists going on, going on, going on forever and ever and ever. You just think this is ridiculous.
There's too much of this.
And so they give you a quick, maybe 5-minute summary of what has happened.
And the beauty of this, of course, is that you don't have to watch some cable news for hours and hours where they're endlessly re-interviewing experts and commentators to pontificate about something that's happened.
And then you have journalists who are interviewing other journalists going on, going on, going on forever and ever and ever. You just think this is ridiculous.
There's too much of this.
You're the only one of the three of us that does that.
Does what?
Watches TV and watches news. You're a bit like Trump yourself. You're always watching the press and always watching the news, aren't you?
You.
So are you trying to alleviate that? Are you actually just read this instead?
I'm trying to address the problem, which clearly I have, which is an obsession with US politics for the last 4 years or so.
And so I'm hoping things are going to come to an end and I'll be able to move on. But maybe what part of my weaning process is the WTF Just Happened Today podcast.
And so I'm hoping things are going to come to an end and I'll be able to move on. But maybe what part of my weaning process is the WTF Just Happened Today podcast.
It's very cheery. The first thing on the page today is that there's 82,600 cases, a new daily record for coronavirus in the United States. So that's fun.
There you go.
Yeah, great pick of the week.
So, well, you know, you just get the facts, you get some links, and there you go. And then you can move on and get on with the rest of your life.
And that is why it is my pick of the week.
And that is why it is my pick of the week.
Dun dun.
James, what's your pick of the week?
Okay. How many people do you think are on Instagram?
I don't know.
100 million?
Oh, more than that. 500 million?
No, a billion. Yeah, over a billion. Somewhere over a billion.
But how many followers do you think you need on average on Instagram to make a living from brand sponsorship, from companies giving you money or products to on your feed?
But how many followers do you think you need on average on Instagram to make a living from brand sponsorship, from companies giving you money or products to on your feed?
How many followers? Does it work by followers, I'm guessing?
Yeah, yeah. How many, ballpark?
Right, 10,000.
Would it be all right if you had one follower, but it was someone who was very, very rich indeed?
Or had a stolen credit card like Aaron Barnes and Burpo? Yes.
Or had multiple personality disorder and had different entry for each one.
Tell us, how many followers do you need to make money?
The ballpark figure is around 50,000 followers.
Oh, okay. I thought 10.
Okay, so—
Oh, I'm getting close. I'm getting close.
But it depends on guess where you are.
Look, if you're here, then you could probably get by on about 10 or 20, but in a big country, probably 50 to 100. But this is the astonishing thing.
How many Instagrammers do you think have 50,000 followers at least?
How many Instagrammers do you think have 50,000 followers at least?
How? Okay, so there's a billion accounts, billion of them.
Yep. I'm gonna say a thousand. No, more than that. I'm going to say 50,000.
So, Carole, your guess is 1,000?
Yeah.
Out of a billion, you think 1,000 have 50,000 followers? Graham, yours is— what was it? 200,000?
Yes, 200,000. That's what I'm saying. Yes, I said 50, but I'm now saying 200.
You're out, Graham, but only by 3 orders of magnitude.
Because the answer, according to Sarah Fryer, who is the author of a book called No Filter, about Instagram, and which is the definitive account of Instagram currently, was published a couple of months ago.
The answer is 200 million.
Because the answer, according to Sarah Fryer, who is the author of a book called No Filter, about Instagram, and which is the definitive account of Instagram currently, was published a couple of months ago.
The answer is 200 million.
What?
200 million? Okay, so bots, body, bot, bot, bot.
Yeah, exactly.
It's the only way that I can make sense of this claim, but I've read the book and she drops it in there, and it's credited to a market research company called Dovetail.
But it hasn't been challenged anywhere.
But it hasn't been challenged anywhere.
I think you should challenge it. You do it here.
Yeah, but you need evidence to challenge it. They are using Instagram figures.
Now, of course, one would guess that yeah, a lot of that is bots, but even on the face of it, that would suggest that if each of these people who have 50,000 followers were tweeting, or whatever you call it when you send an Instagram message, once a week, 200 million of them are going out to eat.
All of their 50,000 followers once a week. You're up in the trillions. You're up in the trillions in terms of the number of these Instagram tweets flying around.
Now, of course, one would guess that yeah, a lot of that is bots, but even on the face of it, that would suggest that if each of these people who have 50,000 followers were tweeting, or whatever you call it when you send an Instagram message, once a week, 200 million of them are going out to eat.
All of their 50,000 followers once a week. You're up in the trillions. You're up in the trillions in terms of the number of these Instagram tweets flying around.
And this is quite interesting to me because I wrote an article in the last week about a couple of companies who Facebook are suing because they've been running fake follower services.
And so they've been selling their services for, you know, $30 per week to artificially inflate your number of followers and the likes which you get.
And of course, all these people who are desperate to be an Instagram influencer, they want to have big numbers to say to advertisers, oh, look how popular I am.
And I wonder whether all of these people are doing it and it's basically inflation which is going on. Everyone wants to be up above the rest.
And so they've been selling their services for, you know, $30 per week to artificially inflate your number of followers and the likes which you get.
And of course, all these people who are desperate to be an Instagram influencer, they want to have big numbers to say to advertisers, oh, look how popular I am.
And I wonder whether all of these people are doing it and it's basically inflation which is going on. Everyone wants to be up above the rest.
And so the people who are actually making the money are the people who are running the bots and selling that.
I think they should stop looking at how many people happen upon something as opposed to how many people...
It would be nice, for example, even in podcast land, if we could say, oh, how many people have dropped in and listened to one show and then gone on, versus those that decided, oh yeah, I'm going to stick with these guys.
I think they should stop looking at how many people happen upon something as opposed to how many people...
It would be nice, for example, even in podcast land, if we could say, oh, how many people have dropped in and listened to one show and then gone on, versus those that decided, oh yeah, I'm going to stick with these guys.
But you also do get bots who do ad click fraud though, don't you?
Which will click on these links and will might appear to people to be the genuine people interested in a service or product.
Which will click on these links and will might appear to people to be the genuine people interested in a service or product.
Exactly. So there you go. So are you on Instagram, James?
I think I might be very soon if all I need is 50,000 followers to make a living. But what will I, what will I influence people about? That's what I want to know.
I'm sure I can think of something.
I'm sure I can think of something.
I've got, I think I've got about 127 followers on Instagram. I'm doing jolly well.
Does it make you feel good to have that?
Oh, I've just looked, 174! Woohoo!
Yes, I don't really have anything to post, you see, because I don't want to post pictures of myself because I don't want to put people off their lunch.
Yes, I don't really have anything to post, you see, because I don't want to post pictures of myself because I don't want to put people off their lunch.
Are you hoping to be an influencer? Is that what you're working on?
I would love it. I would. Oh, wouldn't that be wonderful just to hang out with Aaron Burpo Bot or whatever his name was and Walker Washington and Old Dirty Dog.
And I can't remember their names now. Yeah, wouldn't that be fantastic? I think it'd be marvellous.
And I can't remember their names now. Yeah, wouldn't that be fantastic? I think it'd be marvellous.
Dame de Beauvoir.
Oh, marvellous. Okay, so your recommendation, what is this book, is it?
Yeah, I would, I mean, I would give it a look. It's actually a very well-written book and it's an interesting subject.
Give us the title again, would you?
It's called No Filter and it's by Sarah Fryer and I've dropped a link in, so there'll be a link in the program notes.
Marvellous. Carole, you're not on Instagram, but you have for us a Pick of the Week.
Yes, as I have for the last 200 episodes or so, 170. I don't know when we started doing Pick of the Week.
This is an oldie but a goodie radio program from Radio 4 that you and all three of us know very well: From Our Own Correspondent, F-O-O-C.
This is an oldie but a goodie radio program from Radio 4 that you and all three of us know very well: From Our Own Correspondent, F-O-O-C.
FOOC, as it's known in the BBC.
Is it really? Yeah. I didn't know it'd been going for 50 years. That blew my mind.
Oh, yeah.
Yeah.
Anyway, so currently hosted by the brilliant Kate Aidy.
And it's basically a show that happens every week where correspondents or journalists or writers from every corner of the world report on stories behind the headlines.
That's how they pitch it. And the stories often have a very strong human element, don't they? So they go everywhere.
Like, so they'll go to South Africa, I think was this week, or they'll be in Thailand or Bhutan or Japan or Armenia.
Romania, and you just get this kind of snapshot of daily life of what's going on in that particular location. I mean, you guys listen to this, or do you?
And it's basically a show that happens every week where correspondents or journalists or writers from every corner of the world report on stories behind the headlines.
That's how they pitch it. And the stories often have a very strong human element, don't they? So they go everywhere.
Like, so they'll go to South Africa, I think was this week, or they'll be in Thailand or Bhutan or Japan or Armenia.
Romania, and you just get this kind of snapshot of daily life of what's going on in that particular location. I mean, you guys listen to this, or do you?
Oh yeah, it's like a long-form essay, isn't it? It's not reporting, but it is wonderful.
Well, it is reporting.
Well, it is reporting, but it's not like they're going and interviewing people and they've edited it all together.
It is the correspondent basically as though they were writing a letter or writing an essay.
It is the correspondent basically as though they were writing a letter or writing an essay.
Is the correspondence kind of recollection or rumination on something that they've seen or witnessed or experienced or what's going on in the country that they're based in?
Yeah. So like you might be there, there's one like a 40-course Chinese banquet.
A writer was there and was able to write about that whole experience or someone who swam with sharks or someone who experienced zero gravity.
So these are all kind of interesting elements and you have a kind first-person account of what that was like. Is that fair?
A writer was there and was able to write about that whole experience or someone who swam with sharks or someone who experienced zero gravity.
So these are all kind of interesting elements and you have a kind first-person account of what that was like. Is that fair?
Yes.
Yeah.
Carole, is this available as a podcast?
Yes, it is. So you can get it. It's available both on the World Service, so everyone can get it from there, or it's available in the UK on the Beeb, on Radio 4.
It's also available as a podcast. And I recommend it because this is a very calming news program because it's not focused so much on the crazy.
It's more focused on the human element. And I don't know, just it's a breath of fresh air in these crazy times. So check it out from our own correspondent from the BBC.
It's also available as a podcast. And I recommend it because this is a very calming news program because it's not focused so much on the crazy.
It's more focused on the human element. And I don't know, just it's a breath of fresh air in these crazy times. So check it out from our own correspondent from the BBC.
Hear, hear. That is a great recommendation.
Thank you. I think it is too.
Well done, Carole. Very good pick of the week.
Mm-hmm.
Marvelous. Now, I know what else is quite good is that you've been speaking, haven't you, to our chums at LastPass?
Yes. So Dalia Hamze from LastPass, she and I had a very good chat, and you can listen to it right now.
Well, actually, you're going to be listening to part 1 because it was such a good chat. We talked for way more than half an hour, so we've cut it into 2.
So part 1 this week, part 2 next week. Enjoy. Hey, Dalia. This is Dalia, everybody. She's a senior security engagement manager with LogMeIn, or what people also know as LastPass.
And obviously, the rest of us, she wasn't born in the cybersecurity world, right? So when did you first get into cybersecurity, Dalia?
So I graduate college and I'm, I'm going to be my own boss.
And I start selling—I used to go around to different stores and get designer clothes and things at discount prices, and I would sell them on eBay.
And I had this store, it was called Dalia's Delights. Don't tell anybody, even though I think everyone's gonna hear that now. And I loved eBay, right? I was an eBay enthusiast.
And so I randomly get this job offer one day for—I think I was getting paid $11 an hour with some consulting firm that was, hey, do you want to process paperwork and eBay is your account?
I was absolutely I do. And so my hope was maybe eBay will hire me. Well, it actually happened, and I was managing their budget and doing some administrative work for them.
Moved out to California. It was for their information security team.
And so I remember I moved to California, I'm day one on the job, and people are talking about SIMs and servers and DLP and firewalls.
I think it's hilarious when people in our industry think that there's no jargon. It is really revolting, isn't it? You don't understand a word when you first walk into this.
I mean, the number of acronyms that I heard on day one, I actually cried on my way home because I was what did I get myself into? I mean, I genuinely have no idea where I am.
This was a huge mistake, right? But there is a lot of jargon and things. So now, fast forward about 6 months. And I'm starting to kind of get a little bit of the hang, right?
I mean, I feel I'm 10 years in the engagement space and I still don't fully grasp it, but so I'm 6 months in, I'm getting the hang of it.
And I realize that we're doing, now this is to our engineer and developer community, right?
So security is trying to say, hey, we need to patch and guys, we need to take these vulnerabilities seriously and all this different stuff, right? Secure coding.
Well, actually, you're going to be listening to part 1 because it was such a good chat. We talked for way more than half an hour, so we've cut it into 2.
So part 1 this week, part 2 next week. Enjoy. Hey, Dalia. This is Dalia, everybody. She's a senior security engagement manager with LogMeIn, or what people also know as LastPass.
And obviously, the rest of us, she wasn't born in the cybersecurity world, right? So when did you first get into cybersecurity, Dalia?
So I graduate college and I'm, I'm going to be my own boss.
And I start selling—I used to go around to different stores and get designer clothes and things at discount prices, and I would sell them on eBay.
And I had this store, it was called Dalia's Delights. Don't tell anybody, even though I think everyone's gonna hear that now. And I loved eBay, right? I was an eBay enthusiast.
And so I randomly get this job offer one day for—I think I was getting paid $11 an hour with some consulting firm that was, hey, do you want to process paperwork and eBay is your account?
I was absolutely I do. And so my hope was maybe eBay will hire me. Well, it actually happened, and I was managing their budget and doing some administrative work for them.
Moved out to California. It was for their information security team.
And so I remember I moved to California, I'm day one on the job, and people are talking about SIMs and servers and DLP and firewalls.
I think it's hilarious when people in our industry think that there's no jargon. It is really revolting, isn't it? You don't understand a word when you first walk into this.
I mean, the number of acronyms that I heard on day one, I actually cried on my way home because I was what did I get myself into? I mean, I genuinely have no idea where I am.
This was a huge mistake, right? But there is a lot of jargon and things. So now, fast forward about 6 months. And I'm starting to kind of get a little bit of the hang, right?
I mean, I feel I'm 10 years in the engagement space and I still don't fully grasp it, but so I'm 6 months in, I'm getting the hang of it.
And I realize that we're doing, now this is to our engineer and developer community, right?
So security is trying to say, hey, we need to patch and guys, we need to take these vulnerabilities seriously and all this different stuff, right? Secure coding.
Right, right, right.
And so, they do this series and it's like 10 people show up and I'm like, oh my God, because the presentation is painfully boring.
And so I was like, hey, can I take this over and offer some ideas? And that's when I realized I took it over and I started saying, you know what's sexy?
Let's talk about other people's breaches and then relate it back to here.
One of my favorite ones that I got approval to do, I don't know how, was the Ashley Madison breach and going through the kill chain of what we think may have happened.
Smashing Security happened, we had 400 people show up for that. And so then I realized, wait, this could be something - I'm really interested in this.
How do we translate security for the everyday? I mean, well, for every day now, that's really my focus. But how do you make other people interested in it?
And so I was like, hey, can I take this over and offer some ideas? And that's when I realized I took it over and I started saying, you know what's sexy?
Let's talk about other people's breaches and then relate it back to here.
One of my favorite ones that I got approval to do, I don't know how, was the Ashley Madison breach and going through the kill chain of what we think may have happened.
Smashing Security happened, we had 400 people show up for that. And so then I realized, wait, this could be something - I'm really interested in this.
How do we translate security for the everyday? I mean, well, for every day now, that's really my focus. But how do you make other people interested in it?
Yeah, but you had to learn on your feet, I guess, right?
Because if you were kind of working in that area and you suddenly said, look, let me take this over, you suddenly have to kind of learn all that info?
Did you come into this world kind of understanding things like, you know, unique passwords or safe passwords or long passwords or good passwords and all these kind of things?
Because if you were kind of working in that area and you suddenly said, look, let me take this over, you suddenly have to kind of learn all that info?
Did you come into this world kind of understanding things like, you know, unique passwords or safe passwords or long passwords or good passwords and all these kind of things?
Oh, definitely not. No, no, no. So, what I do is I find my allies and people on the team and I mean, it's really about relationship building in this specific role.
I think if you're a security awareness officer, if you do the engagement side of the house, you don't have to be the expert at everything, but you need to find the experts and you need to make good friends with them, right?
And then help their agenda. They have things they want to communicate. And so I try to make sure that, you know, it's a two-way relationship.
I'm not constantly asking them to present for me and that's it, right? Hey, what do you guys have to get out?
Is there a behavior change you're looking for from either, you know, anybody in the company or external? And so, it's definitely a very symbiotic relationship, I should say.
I think if you're a security awareness officer, if you do the engagement side of the house, you don't have to be the expert at everything, but you need to find the experts and you need to make good friends with them, right?
And then help their agenda. They have things they want to communicate. And so I try to make sure that, you know, it's a two-way relationship.
I'm not constantly asking them to present for me and that's it, right? Hey, what do you guys have to get out?
Is there a behavior change you're looking for from either, you know, anybody in the company or external? And so, it's definitely a very symbiotic relationship, I should say.
You know, I totally, totally get that because I feel that was basically my career as well.
If I look back now at what I did, I think my job was to take the very, very smart technical information that was being given to us by our researchers and somehow figure out a way to communicate it to the general public in a way that would make them understand what the threat was, what was important, and what they could do about it.
Is that a fair way of saying what you're doing now?
If I look back now at what I did, I think my job was to take the very, very smart technical information that was being given to us by our researchers and somehow figure out a way to communicate it to the general public in a way that would make them understand what the threat was, what was important, and what they could do about it.
Is that a fair way of saying what you're doing now?
I think 100%, yeah. And it's hard, right? Because different people digest information differently.
And so we know that depending on the generation maybe you're born in, some people prefer to read, you know, millennials and - God, I don't even know the ones after that.
I think I just hit -
And so we know that depending on the generation maybe you're born in, some people prefer to read, you know, millennials and - God, I don't even know the ones after that.
I think I just hit -
Gen Z, I think.
All right, yeah, there's other ones, right? I think in theory I'm a millennial, but if you ask my little sister, who's 10 years my junior, she's like, that's logistics.
You're definitely not. You just happen to fall. It's when you fall into the birthday a year before, so you graduate a year earlier.
But people digest depending on the industry you're in. Do you like to read? Do you like your information in short snippet videos?
Some people like to get in, you know, they're visual learners. Some people are hands-on learners.
Personally, for me, if I can't see it, feel it, and do it myself, it's hard for me to understand it, right? So you really have to accommodate.
You're definitely not. You just happen to fall. It's when you fall into the birthday a year before, so you graduate a year earlier.
But people digest depending on the industry you're in. Do you like to read? Do you like your information in short snippet videos?
Some people like to get in, you know, they're visual learners. Some people are hands-on learners.
Personally, for me, if I can't see it, feel it, and do it myself, it's hard for me to understand it, right? So you really have to accommodate.
Oh, so you're not a podcast junkie then, because some people love podcasts and some people - my brother, one of my brothers is - I really can't actually absorb information that way.
So I have one podcast. It's a personal one I listen to. I don't know if my friends at LastPass or LogMeIn would appreciate if I said what that was. I'll tell you offline, Carole.
It's a great podcast.
It's a great podcast.
But when it comes to education and for security, let's say, it's really hard for me to understand a security concept or a technical concept unless I can actually see it, feel it, get my hands dirty in it type thing.
Yeah, yeah. So, okay, so you're basically trying to identify how people learn and then package the messages they need to learn in a way that's easy for them to digest.
You're just trying to grease the wheels to make sure they get the message as clearly as possible.
You're just trying to grease the wheels to make sure they get the message as clearly as possible.
That's it, yeah. And different, all sorts of different mediums.
And I mean, I think too, whatever channel, communication channel that as security professionals we try to use, I think there's one thing that they should all have in common, right?
When it comes to the messaging, we love to kind of put the fear, security professionals, sometimes we put the fear in, if you do this, things are going to crash and burn.
And I think sometimes taking a different approach, and I don't say security professionals as an all-inclusive, but I think sometimes it's taking the approach of here's one or two quick simple things that you can do, little bite-sized pieces of digestible information, right?
And not the whole gamut.
So focus on one thing, is it passwords, you know, is it whatever it may be, and just one or two easy things that our end user can do at home or at work or whatever it may be.
And I mean, I think too, whatever channel, communication channel that as security professionals we try to use, I think there's one thing that they should all have in common, right?
When it comes to the messaging, we love to kind of put the fear, security professionals, sometimes we put the fear in, if you do this, things are going to crash and burn.
And I think sometimes taking a different approach, and I don't say security professionals as an all-inclusive, but I think sometimes it's taking the approach of here's one or two quick simple things that you can do, little bite-sized pieces of digestible information, right?
And not the whole gamut.
So focus on one thing, is it passwords, you know, is it whatever it may be, and just one or two easy things that our end user can do at home or at work or whatever it may be.
We are so cut from the same cloth. You know, even last year I did a talk to a bunch of security awareness professionals. I used the example of your car breaking down.
You know, I built a big story, but the idea was your car breaks down, you go to a mechanic, and the mechanic kind of looks at your car and goes, and then just rabbets off for, you know, 30 minutes about everything that could be wrong with your car.
And literally, if that happens to me, I just go blank. My brain just turns to mush. I'm not interested in. It's almost I want to find a new mechanic.
And so I totally get the mechanic you want is someone to go, what's the problem? This is what you need to do about it. And bite-sized. I'm totally with you on that.
You know, I built a big story, but the idea was your car breaks down, you go to a mechanic, and the mechanic kind of looks at your car and goes, and then just rabbets off for, you know, 30 minutes about everything that could be wrong with your car.
And literally, if that happens to me, I just go blank. My brain just turns to mush. I'm not interested in. It's almost I want to find a new mechanic.
And so I totally get the mechanic you want is someone to go, what's the problem? This is what you need to do about it. And bite-sized. I'm totally with you on that.
And that's actually a great— I might have to steal that. I love that. I love using the car. Because everybody has a car or has been in a car. So I love that. Again, relatable, right?
Easy to understand. Everybody's been there. I love that.
Easy to understand. Everybody's been there. I love that.
Yeah, totally. Okay, so maybe we can dive in because, you know, our listeners here are thinking— some of them are thinking, okay, what are these bite-sized tips, Dahlia?
So the message actually that I probably would have shared pre-COVID is going to be a little different today.
So, you know, given that most of us are now working from home, home security, right?
Securing your home network, which actually then really is securing your corporate confidential information as well. There's a blurred line there now.
And so I would say that if you're where do I start? I don't know what security is, and I don't know how to— I don't know about any of this.
My first suggestion would be let's take a look at your home, your home technology, your home Wi-Fi, your router, even your personal computers. Are all of these things up to date?
So for our listeners, those little those annoying pop-ups that say, "Would you to update this now?" Just do it. I know it's really important. They're really important.
You know, listeners, remember when you were little and your mom would say, "No, you really need to wear a coat 'cause it's really cold outside." And you're "I don't wanna wear a coat." And you're "I know you don't wanna wear a coat, darling.
You really need to wear a coat 'cause it's really cold outside." It's that kind of message. Just do it. Trust us, please.
So the message actually that I probably would have shared pre-COVID is going to be a little different today.
So, you know, given that most of us are now working from home, home security, right?
Securing your home network, which actually then really is securing your corporate confidential information as well. There's a blurred line there now.
And so I would say that if you're where do I start? I don't know what security is, and I don't know how to— I don't know about any of this.
My first suggestion would be let's take a look at your home, your home technology, your home Wi-Fi, your router, even your personal computers. Are all of these things up to date?
So for our listeners, those little those annoying pop-ups that say, "Would you to update this now?" Just do it. I know it's really important. They're really important.
You know, listeners, remember when you were little and your mom would say, "No, you really need to wear a coat 'cause it's really cold outside." And you're "I don't wanna wear a coat." And you're "I know you don't wanna wear a coat, darling.
You really need to wear a coat 'cause it's really cold outside." It's that kind of message. Just do it. Trust us, please.
Yes, for end users, if you don't know what all of those updates include, there are these vulnerabilities or these gaps and holes in the technology.
And every time they push out a software update, a lot of times it's filling, it's saying, "Hey, we realize that somebody can actually break in.
They can compromise your personal information." And so those updates aren't to be annoying. They're really there to keep you secure.
And sometimes they typically come with new fancy shiny features. So I would say update, update, update.
Now on your Wi-Fi routers, there's websites that you can Google how to update that, your modems and things like that.
You won't— that's not going to give you a pop-up, so you have to be a little proactive there. But I'd say get your home, your home network secure. That'd be my first one.
And every time they push out a software update, a lot of times it's filling, it's saying, "Hey, we realize that somebody can actually break in.
They can compromise your personal information." And so those updates aren't to be annoying. They're really there to keep you secure.
And sometimes they typically come with new fancy shiny features. So I would say update, update, update.
Now on your Wi-Fi routers, there's websites that you can Google how to update that, your modems and things like that.
You won't— that's not going to give you a pop-up, so you have to be a little proactive there. But I'd say get your home, your home network secure. That'd be my first one.
Actually, you're making a really good point. So the reason that Carole has to say that is because everyone has a different type of router, right?
And they all have their own configuration options on it, which makes our jobs really difficult to try and give super clear advice.
But the trick is to go see what configuration options they offer you and try and set it to be as secure as possible without totally impacting your usability.
So, you're trying to be as safe as you can, same way as you are in a car. You put a seatbelt on, you use your brake, right?
So, it's the same kind of thing with configuration options. So, don't assume that the default options are the safest options.
And they all have their own configuration options on it, which makes our jobs really difficult to try and give super clear advice.
But the trick is to go see what configuration options they offer you and try and set it to be as secure as possible without totally impacting your usability.
So, you're trying to be as safe as you can, same way as you are in a car. You put a seatbelt on, you use your brake, right?
So, it's the same kind of thing with configuration options. So, don't assume that the default options are the safest options.
Oh no, you know what, James, thank you, because you just brought me to a second point. You said the word default, default passwords.
So a lot of times, go to whatever local, here in the US it's Best Buy. And you go and you get a brand new Wi-Fi router modem, and you set it up.
A lot of times they have these default credentials, which is your login and your password. Let's say it's admin for the password and admin for your login.
These, if you don't change that, these passwords are actually posted on the manuals online.
Like if let's say you lose your paper manual, you buy this thing and then you want to go online.
So everybody knows that this is the password, so anybody can in theory break into your network.
So, changing default credentials— James, you said the word default and I was like, that's the word I was looking for. We're on the same wavelength. Yes, I love it.
So change the default credentials. That is so important.
So, so important because really your password is your first step, your first line of defense into anything, really, any account that you have.
So a lot of times, go to whatever local, here in the US it's Best Buy. And you go and you get a brand new Wi-Fi router modem, and you set it up.
A lot of times they have these default credentials, which is your login and your password. Let's say it's admin for the password and admin for your login.
These, if you don't change that, these passwords are actually posted on the manuals online.
Like if let's say you lose your paper manual, you buy this thing and then you want to go online.
So everybody knows that this is the password, so anybody can in theory break into your network.
So, changing default credentials— James, you said the word default and I was like, that's the word I was looking for. We're on the same wavelength. Yes, I love it.
So change the default credentials. That is so important.
So, so important because really your password is your first step, your first line of defense into anything, really, any account that you have.
Yeah, seriously. So now we've got the router set up, people have changed their default password and settings, they've made sure it's up to date. What's next on the list?
Now, this is when we get into the could be anything, right? You're right. So what about all these IoT devices around the house? Surely we got to focus on those as well.
This is where we get those blurred lines. So as— oh, my dog's like, I don't want us to talk about that. They have, you know, some beef with the doggy next door.
They to talk to each other sometimes back and forth. They're like, "Yo, you stuck indoors?"
This is where we get those blurred lines. So as— oh, my dog's like, I don't want us to talk about that. They have, you know, some beef with the doggy next door.
They to talk to each other sometimes back and forth. They're like, "Yo, you stuck indoors?"
Yeah, I am.
I'm stuck indoors. Socks, yeah, it does suck. Here's the challenge, especially now as people are working from home. To your earlier point, we have different devices.
So you might be an Android user, you might be an Apple user, you have gaming systems. I mean, there's a million things.
I mean, our refrigerators talk to us now and tell us if we're out of milk, right? I don't have one of those super fancy ones, but I mean, there's a ton of IoT devices.
And as a security organization, there's two things. We can't infringe on our employees' personal privacy, right?
So, all we can do, and you don't want to push and say, "You guys have to do these requirements.
It's your home, what you decide to do with your things." But a lot of times, if let's say your fridge or your Alexa or your phone is connected to your Wi-Fi, which is connected to your work machine, your corporate laptop, that's where the conflict of interest, that's where things start to get a little sticky.
So here's what I would say is that offer the resources for people, put it somewhere public.
As simple as it sounds, find those websites that give everybody instructions on how to update. Pick 20 of the most common IoT devices you think you'd find in someone's house.
I know Samsung does a lot of smart devices. You know, of course, Amazon and Google and all of those things.
But I would say make it easy for the end user and kind of do that legwork for them.
Because if you say, hey, just we gave you a site with all of the resources you need to find your device and figure out how to update it, I think that would be helpful. Totally.
So there you go, people. That is part one from Dalia Hamze.
She is a security awareness professional at LogMeIn, and you will hear from her again next week with part two on what are the best tips to help you secure your home environment.
So you might be an Android user, you might be an Apple user, you have gaming systems. I mean, there's a million things.
I mean, our refrigerators talk to us now and tell us if we're out of milk, right? I don't have one of those super fancy ones, but I mean, there's a ton of IoT devices.
And as a security organization, there's two things. We can't infringe on our employees' personal privacy, right?
So, all we can do, and you don't want to push and say, "You guys have to do these requirements.
It's your home, what you decide to do with your things." But a lot of times, if let's say your fridge or your Alexa or your phone is connected to your Wi-Fi, which is connected to your work machine, your corporate laptop, that's where the conflict of interest, that's where things start to get a little sticky.
So here's what I would say is that offer the resources for people, put it somewhere public.
As simple as it sounds, find those websites that give everybody instructions on how to update. Pick 20 of the most common IoT devices you think you'd find in someone's house.
I know Samsung does a lot of smart devices. You know, of course, Amazon and Google and all of those things.
But I would say make it easy for the end user and kind of do that legwork for them.
Because if you say, hey, just we gave you a site with all of the resources you need to find your device and figure out how to update it, I think that would be helpful. Totally.
So there you go, people. That is part one from Dalia Hamze.
She is a security awareness professional at LogMeIn, and you will hear from her again next week with part two on what are the best tips to help you secure your home environment.
Oh, that was excellent. I enjoyed that.
I knew you'd like her voice. I don't know why you've decided she'd do it with a bit more—
Oh, that was great, Carole. Good one. Excellent. Well done. I enjoyed that. Thank you, Dalia. Oh, she's gone. Well, that just about wraps it up for this week.
James, I'm sure lots of our listeners would love to find out more about what you're up to. Do you have any social media presence whatsoever?
James, I'm sure lots of our listeners would love to find out more about what you're up to. Do you have any social media presence whatsoever?
Nada.
Not at all. I love it.
How does he live, eh, Graham? How does he live?
Well, apparently he's on Instagram, you know.
I will be soon, don't worry.
Everyone will have to follow us on Twitter @SmashingSecurity, no G. Twitter allows to have a G. And you can also join the Smashing Security subreddit.
And don't forget, if you want to help the show, tell your friends about it.
Tell them that you enjoy Smashing Security and recommend that they subscribe in Apple Podcasts, Spotify, or Pocket Casts.
And don't forget, if you want to help the show, tell your friends about it.
Tell them that you enjoy Smashing Security and recommend that they subscribe in Apple Podcasts, Spotify, or Pocket Casts.
Yeah, Graham's getting a little nervous that my other podcast is getting a bit too many likes.
Well, what's the name of your other podcast, Carole?
I don't even think we need to repeat it. Sticky Pickles. You already said it already anyway.
Thank you, peeps, for listening each week, supporting our work, sharing it with your buds, and of course, high five to this week's Smashing Security sponsors: Recorded Future, Immersive Labs, and of course, LastPass.
Their support helps us big time in giving you this show for free.
Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
Thank you, peeps, for listening each week, supporting our work, sharing it with your buds, and of course, high five to this week's Smashing Security sponsors: Recorded Future, Immersive Labs, and of course, LastPass.
Their support helps us big time in giving you this show for free.
Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
Until next time, cheerio. Bye-bye.
Bye-bye. Thank you, guys. We were a little subdued this week, eh guys?
We were.
I think it's because the clock's changed in Europe. I think we're all a little bit more tired than we normally would be.
It's got really— I'm in my little office and it's, it is so dark and I'm not used to it being so dark. And of course I've got no lights on other than the—
Maybe we just need digital hugs from people. Maybe we were just being a little too lonely and lockdown-y.
Yeah.
Yeah. All right, well, good luck with the elections, everyone.
Yeah. You want a digital hug?
Yeah, you're gonna— if he wins, we're gonna get a digital punch in the face. So yeah, you better hope so.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
James Thomson.
Show notes:
- Rapper scammers admit faking association with musical group in conspiracy to cheat hotels, bank, limo service — US Department of Justice.
- This U.S. Election Could Be the Most Secure Yet. Here’s Why — The New York Times on YouTube.
- Report: Ransomware disables Georgia county election database — AP.
- Pity the nation: Americans’ choice of president on November 3 will affect Slovaks too. — Slovak Spectator article by James Thomson.
- AOC’s Among Us livestream hints at Twitch’s political power — MIT Technology Review.
- AOC makes explosive Twitch debut with over 435,000 Among Us viewers — Ars Technica.
- A massive spam attack is ruining public 'Among Us' games — Engadget.
- AOC Among Us FULL STREAM — YouTube.
- Among Us Has A Cheating Problem — Kotaku.
- Trump News Today | What The Fuck Just Happened Today?
- WTF Just Happened Today — Apple Podcasts.
- No Filter — Book by Sarah Frier.
- Fake Instagram follower services slapped with lawsuit — HOTforSecurity.
- From Our Own Correspondent — BBC Radio 4.
- From Our Own Correspondent Podcast.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsor: LastPass
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Sponsor: Immersive Labs
Immersive Labs delivers hands-on, challenge-based training and exercises to make your team ready to fight real-world threats.
Check out their free ebook all about the MITRE ATT&CK framework, and how you can use it as part of your cyber skills strategy and improve your security posture by identifying weaknesses. Visit immersivelabs.com/smashing now.
Sponsor: Recorded Future
Recorded Future empowers your organization, revealing unknown threats before they impact your business, and helping your teams respond to alerts 10 times faster. How does it do this? By automatically collecting and analyzing intelligence from technical, open web, and dark web sources.
For up-to-the-minute security intelligence that can help you make fast and confident security decisions, install the free browser extension Recorded Future Express.
Get it now at smashingsecurity.com/recordedfuture
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
