Smashing Security podcast #203: Testing times, naming names, and the bald truth about AI

Industry veterans, chatting about computer security and online privacy.

Graham Cluley

Students are being spied on as they do online exams, how did a televised football match reveal the truth about artificial intelligence, and what on earth is the Canny Lumpsucker vulnerability?

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Thom Langford from The Host Unknown podcast.

Plus don’t miss the second part of our featured interview with LastPass’s Dalia Hamzeh.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
CAROLE THERIAULT
I love this tune. Okay, you know what time it is. It's time to say, wow, you guys are so cool to our Patreon supporters of Smashing Security.

This week's shout out goes to Hans Aabaken, Gary Porter, Timothy Zimmerman, Ella Goss-Endinflame, Alex Tasker, Delaney Scaringella, Sean Dyer, Hiroki Burke, Henry Walshaw, and Nate East.

Nate East.
GRAHAM CLULEY
Estes.
CAROLE THERIAULT
Nate Estes. That's gotta be it. If you want your name destroyed by me, please join us on our Patreon community.

You can find out all the info you need at www.smashingsecurity.com/patreon. Now let's get this show on the road.

Some have hardware such as smartwatches and fitness monitors that will detect changes in pulse and temperature of the testee, not the testes.
Unknown
Welcome to the Filthy Double Entendre Podcast. And Smashing Security, episode 203. Testing times, naming names, and the bald truth about AI with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security episode 203. My name's Graham Cluley.
CAROLE THERIAULT
My name's Carole Theriault.
GRAHAM CLULEY
And we're joined this week by a fellow podcaster. It is the star, I think it'd be fair to say, of the Host Unknown podcast, Thom Langford.
THOM LANGFORD
Hello, I think it would be very fair to say that. Hello, how are you?
CAROLE THERIAULT
Hi, Javad. Hi, Andy. Hi, Thom.
THOM LANGFORD
Oh, at least you remembered Andy's name. I know Graham can't.
CAROLE THERIAULT
What are you talking about, Graham?
THOM LANGFORD
He just calls him that other fella.
GRAHAM CLULEY
Never. Now, talking about things we're not going to mention.
THOM LANGFORD
Yeah.
GRAHAM CLULEY
Let's not talk about it, okay?
CAROLE THERIAULT
Yeah, let's just shut up about it.
GRAHAM CLULEY
Yeah.
THOM LANGFORD
About the Host Unknown podcast?
GRAHAM CLULEY
No, no, no, we're not going to—
CAROLE THERIAULT
Just other stuff.
GRAHAM CLULEY
We're just not going to talk about something, alright? Whole episode, please. Do you agree? Everyone alright with that?
CAROLE THERIAULT
Yeah, I think actually if anyone brings it up, it's a fiver in the charity pot.
THOM LANGFORD
But we're not allowed to know what it is.
CAROLE THERIAULT
Just be careful. It's like, it's like—
GRAHAM CLULEY
I think if you think about it, Thom, you'll be able to work out what we're talking about.
THOM LANGFORD
Oh, oh, yes.
GRAHAM CLULEY
Carole, what's coming up on the show this week?
CAROLE THERIAULT
First, let's thank this week's sponsors: Canva, LastPass, and Mimecast. Their support helps us give you this show for free.

Now, coming up on today's show, Graham gives us an education on how vulnerabilities are named, Thom gets all sporty on our geeky asses, and I learn why students have their knickers in a twist.

Plus, we have the much awaited second half of our featured interview with Dalia Hamzeh, the security engagement manager at LogMeIn, the makers of LastPass.

All this and much more on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, I think it is time for a quiz. Here on the Smashing Security podcast.
CAROLE THERIAULT
Oh, I love a quiz, 'cause I'm in such a good mood today, and I'm so calm and happy. I'm really looking forward to a quiz.
GRAHAM CLULEY
We are going to play a little vulnerability naming game.

So what I'm gonna do is I'm gonna go to each of you, Carole and Thom, I'm gonna get each of you in turn, and I'm gonna name a vulnerability, and you have to tell me whether it is a real vulnerability or whether it's a made-up vulnerability.
CAROLE THERIAULT
Whoa, whoa, whoa. What?
GRAHAM CLULEY
What?
CAROLE THERIAULT
The rules are shit. What are the rules? How do we know?
THOM LANGFORD
Yeah, and also, does it include zero days? 'Cause we don't know, 'cause it's a zero day.
GRAHAM CLULEY
Exactly. The judge's decision is final. I will name it. You would either tell me, yes, it's a real vulnerability, or you'll say—
CAROLE THERIAULT
But it could be a real vulnerability in the future.
THOM LANGFORD
Oh, for goodness' sake.
CAROLE THERIAULT
Oh, what? So you just mean right now, is it real at this point?
THOM LANGFORD
I love to time you wind stuff here, yeah.
GRAHAM CLULEY
You know what? You're not doing yourself any favors at all in terms of scoring points, Carole. So actually, Carole, you're gonna go first. Oh, oh, oh, oh, oh.
CAROLE THERIAULT
You're gonna go first. You wanna see how this works now? Let's not play fair because someone's mouthy.
GRAHAM CLULEY
Interesting. So Carole, let's play the Vulnerability Name Game. Meltdown. Meltdown.
CAROLE THERIAULT
Oh, yes, yes, yes.
GRAHAM CLULEY
That's real.
CAROLE THERIAULT
Defo.
GRAHAM CLULEY
Ding! Correct. It is real.
THOM LANGFORD
Where'd you get your jingles from and your little sound effects? That's amazing.
CAROLE THERIAULT
Yeah, we're going to have to start doing them with our mouths, Graham, so he doesn't steal them. We're going to have to write them a cease and desist letter.
GRAHAM CLULEY
So just to explain to any listeners who possibly haven't heard Thom's podcast, which will probably be about 99.9% of you.
THOM LANGFORD
Quite a few of you, in fairness, given the scale of your listenership.
CAROLE THERIAULT
I mean, it's not as good as Sticky Pickles, but it's pretty good.
GRAHAM CLULEY
Is everyone here just to plug their podcast?
THOM LANGFORD
It's about 1/6 as good as Sticky Pickles, as we've established already, it would seem.
GRAHAM CLULEY
Thom Langford's Host Unknown podcast, as I believe is its official name, seems to have acquired the theme music of Smashing Security, and it uses it as a jingle.
CAROLE THERIAULT
Outrageous copying.
GRAHAM CLULEY
Slightly munged, slightly scratched version.
THOM LANGFORD
Can I play it?
GRAHAM CLULEY
This week in InfoSec.
CAROLE THERIAULT
That is a total rip-off, right guys?
GRAHAM CLULEY
Outrageous.
CAROLE THERIAULT
You know what? I say listeners do not listen to Host Unknown until they get a bit of originality and change it up a bit. And then maybe we'll recommend you.
THOM LANGFORD
Do you know whose voice that is?
Unknown
Whose?
THOM LANGFORD
That's my son's.
GRAHAM CLULEY
Oh.
THOM LANGFORD
'Cause he made the jingle. I just said—
GRAHAM CLULEY
Oh.
THOM LANGFORD
Here, try something.
CAROLE THERIAULT
A family business then of—
GRAHAM CLULEY
Family of crime. Can we get back to my quiz?
THOM LANGFORD
Yeah, but I already won.
GRAHAM CLULEY
Carole, Meltdown. Yes, that's the first question.
THOM LANGFORD
Yeah, it was a quiz of one question.
GRAHAM CLULEY
Thom, Thom, your turn. Filthy Python. Filthy Python.
THOM LANGFORD
Sorry, which game are we playing again?
GRAHAM CLULEY
Filthy Python.
THOM LANGFORD
I don't think it's a virus, but it could well be the—
GRAHAM CLULEY
Okay, just to explain, this is the vulnerability name game. It's not the malware name game.
CAROLE THERIAULT
Sorry, this truly is yes or no answer, Thom.
THOM LANGFORD
Okay. No.
GRAHAM CLULEY
I'm afraid it is a vulnerability. Carole, Heartbleed. Heartbleed.
CAROLE THERIAULT
Yes.
THOM LANGFORD
Oh, we know.
GRAHAM CLULEY
Correct. Thom, Ghost. Ghost.
THOM LANGFORD
Is Ghost a vulnerability? Yes.
GRAHAM CLULEY
Correct. Carole, Dirty Cow. Dirty Cow.
CAROLE THERIAULT
No.
GRAHAM CLULEY
Dirty Cow is a vulnerability. And finally, Canny Lumpsucker. Canny Lumpsucker.
CAROLE THERIAULT
I just say go yes, because— Or is he fucking with you in the last one?
Unknown
I don't know, Thom.
THOM LANGFORD
If it isn't, it should be. I reckon we're gonna hear about this in the next few weeks, but no.
CAROLE THERIAULT
What?
GRAHAM CLULEY
Oh, I'm afraid that is a genuine vulnerability.
THOM LANGFORD
Canny lumpsucker.
GRAHAM CLULEY
The canny lumpsucker.
CAROLE THERIAULT
Is that a word for— you know?
THOM LANGFORD
I reckon that's a Scottish vulnerability.
CAROLE THERIAULT
Sorry, Graham, am I being naive? Is the word 'lumpsucker' mean what it might—
GRAHAM CLULEY
Oh, okay, hang on. Urban Dictionary.
CAROLE THERIAULT
Oh, you don't know either? Okay, it's not a known term that I don't know.
GRAHAM CLULEY
A lumpsucker. It's a type of fish, apparently.
CAROLE THERIAULT
Oh. A suckerfish.
GRAHAM CLULEY
Anyway, I think, Crow, you won that game, didn't you? I think the chap from Host Unknown failed to win that game.
THOM LANGFORD
Yeah.
CAROLE THERIAULT
Mine were a little bit easy though, Clue, come on.
GRAHAM CLULEY
They were. It was deliberately engineered that way.
THOM LANGFORD
I'm an ex-CISO, come on.
GRAHAM CLULEY
The truth is most of us find it much easier to remember a name like Filthy Python or Meltdown or Spectre than CVE-2017-5753.

So normally vulnerabilities have a really nerdy numeric name.

But if you have a memorable name and maybe even a logo, that can help in communication of an exploit and get people's attention and maybe help them to fix the vulnerability.
THOM LANGFORD
It's almost like a domain name service for vulnerabilities.
GRAHAM CLULEY
That's right. So with DNS, you enter, you know, a website, smashingsecurity.com, and it takes you to the IP address.
THOM LANGFORD
Yeah.
GRAHAM CLULEY
And works really well.
THOM LANGFORD
Friendly name to unfriendly name and vice versa.
GRAHAM CLULEY
And so we have that system as well for vulnerabilities. We have it for hurricanes, we have it for all manner of things. Right.

But if a vulnerability doesn't have as cool a name, it might get overlooked and that's a big issue.
CAROLE THERIAULT
I don't think it has to do with coolness. I just think it has to do with memorability.
THOM LANGFORD
Well, a name and a logo. If it doesn't have a logo, the board isn't interested.
GRAHAM CLULEY
A logo matters as well, yeah.

But sometimes, Carole, you can have a really, well, I don't know if memorable is the right word, but you can have a name which really stands out and yet it is still often overlooked.

Have you, for instance, heard of a vulnerability which is actually unpronounceable?

I think they've called it Thrangrycat, but the way in which it's actually displayed is 3 emojis of a cat.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
So these researchers found a vulnerability in some Cisco gear. The name they assigned it was an emoji of a cat 3 times in a row, a cat's face.
CAROLE THERIAULT
Okay. And what was it in the metadata? What do they call it in file terms in actual letters and numbers?
GRAHAM CLULEY
I think it's just 3 cat faces.
CAROLE THERIAULT
So what, they did ASCII art?
THOM LANGFORD
The ASCII text.
GRAHAM CLULEY
No, it's not ASCII art. It's actual— No, I know.
CAROLE THERIAULT
Okay, I understand what you're saying, but somewhere you have to actually name it. In the metadata, you're naming it. It's not just an emoji in the metadata, right?
GRAHAM CLULEY
They are giving it the name of 3 emoji characters. 3 Cool Cats.
CAROLE THERIAULT
3 Cool Cats.
GRAHAM CLULEY
That's what I'm calling it.
THOM LANGFORD
And this is why information security has a problem. Talk about trying to make it as unapproachable and not understandable as possible. You know, that doesn't help anybody.
GRAHAM CLULEY
Well, there's an example of a ridiculous name which has been chosen in the past. And this problem of naming doesn't just apply to vulnerabilities.

Some of us here, I think, Thom, you're quite old, aren't you?
THOM LANGFORD
Yeah, not as old as you, but yeah.
GRAHAM CLULEY
Well, you look it. Some of us—
THOM LANGFORD
I don't have all my own hair on wig stand.
GRAHAM CLULEY
In those early days, we would often name viruses by the place where they were discovered. So the Stoned virus was also called New Zealand because it first popped up in New Zealand.
CAROLE THERIAULT
Not because they're all marijuana users.
GRAHAM CLULEY
Well, it said your PC is now stoned when you boot it up.
CAROLE THERIAULT
Wasn't you used once in one of the shows a jazz cigarette?
THOM LANGFORD
A jazz cigarette.
CAROLE THERIAULT
I loved that so much.
GRAHAM CLULEY
The Ping Pong virus was called the Italian virus. And other times a virus would be named after the day in which it triggered.

So the Jerusalem virus, for instance, first seen in Jerusalem, but it triggered on Friday the 13th. It would delete your files on that particular day.
CAROLE THERIAULT
We remember all those names.
GRAHAM CLULEY
Yeah, Michelangelo, March 6th. Yeah, exactly. But that didn't scale. It didn't scale because you run out of places.

Otherwise you start calling it the Cirencester virus or the Basingstoke virus, or, you know, Slough virus.

Plus, of course, you can get a virus which is discovered in more than one geographic location at the same time, so it's just not...

Well, you could have a virus that's twinned with cities.
CAROLE THERIAULT
Yeah, and you're obfuscating that whole problem where different companies are analyzing a new virus at the same time, and they both decide they name it uniquely, and then they both push it out around the same time, and both sit there fighting going, "No, this is my virus name." "No, no, my virus name." And then we grew up in the situation where all the time it was virus known by this company as this, this company called it this, this company called it that.
GRAHAM CLULEY
Yeah, frustrating. And we still see to this day those sort of arguments going on. And there are disagreements sometimes about the name of, for instance, hacking gangs.

So for instance, the Pawn Storm, not that kind of porn, Thom, the Pawn Storm hacking gang, also known as APT28, also known as Fancy Bear, also called Strontium.

So many different names and there's no real agreement on what they should be called. So naming can be really, really complicated.
THOM LANGFORD
So even amongst themselves, they can't decide what they're called.
GRAHAM CLULEY
What, the gang?
THOM LANGFORD
Yeah. So surely they can just say, no, you're all wrong. We're called Dave or something.
GRAHAM CLULEY
They should really put a message inside their malware making very clear what they want to be called.
THOM LANGFORD
Exactly.
GRAHAM CLULEY
But then you don't want to give them that pleasure either. You kind of want to frustrate them a little bit.
THOM LANGFORD
I think that's the problem with these, you know, socio-anarchic collective groups.
GRAHAM CLULEY
And sometimes because now, of course, we see so much more malware, there's a lot less thought given sometimes into the name of the malware.

So to give an example from, oh, I don't know, 20-odd years ago, we saw the Anna Kournikova virus, but antivirus products didn't call it Anna Kournikova.

Sophos, for instance, called it VBS/SST-A. Really catchy name. Thank you to the guys in the labs for that one. It helped us.
CAROLE THERIAULT
God, you're a dick.
THOM LANGFORD
Why would they do that?
GRAHAM CLULEY
What do you mean I'm a dick?
CAROLE THERIAULT
Why are you still calling people out? No, I just, no, it's just... It's just, get over it.

I remember at the time I worked with you at the time and you were all got your knickers in a whole twist about the naming and couldn't people understand your media brain?

And it's just, you know, no.
GRAHAM CLULEY
So maybe naming matters even more with vulnerabilities and exploits than it does with malware.

Someone who certainly isn't happy about what's happening in the security research community regarding the naming of vulnerabilities is a chap called Leigh Metcalf at the CERT cybersecurity division of Carnegie Mellon University.

He has written a blog post which I will link to in the show notes where he says sensational names are often the tool of the discoverers to create more visibility for their work.

Absolutely true, right?
THOM LANGFORD
That's right.
GRAHAM CLULEY
To get attention.
THOM LANGFORD
Yeah.
GRAHAM CLULEY
But he says he wants to reduce any fear, uncertainty and doubt, any FUD being caused by the vendors' research and to the general public. So how is he going to do it?

Because he does recognize that the use of these numbers, CVE numbers, doesn't really work.
CAROLE THERIAULT
I don't know. I have a lot of issues with this. I don't like the idea that we have to give sensational names to threats in order to get notoriety.

Surely what they do and how they spread is way more important. Something should have a CVE name, right? That's an important thing to have, a kind of scientific backbone.

And then what you're arguing for is a nickname that people can use in the press.
GRAHAM CLULEY
When you go gardening, Carole, do you refer to everything by its Latin name or do you refer—
CAROLE THERIAULT
I'm not a big gardener, Graham.
GRAHAM CLULEY
What about animals?
THOM LANGFORD
The red ones.
CAROLE THERIAULT
Yes, I call them by the real names, the animals.
GRAHAM CLULEY
Dog.
CAROLE THERIAULT
You mean the Latin name?
THOM LANGFORD
Yes.
CAROLE THERIAULT
Why? What does Latin have to do with this?
GRAHAM CLULEY
Well, no, I'm just saying that is the equivalent to the CVE in a way, isn't it? No, it's not.
THOM LANGFORD
It is. That's his proper genealogical name.
GRAHAM CLULEY
You're just using— So when you look at your husband, do you call him John, or do you call him Wookieus Emperorus, or whatever that he might be, for instance?
THOM LANGFORD
It depends if it's his birthday or not.
CAROLE THERIAULT
Do you know what I actually call him, ironically? My nickname for him is Man.
Unknown
Man.
CAROLE THERIAULT
For real. And it turns out my grandmother used to call her husband man as well.
THOM LANGFORD
Literally.
CAROLE THERIAULT
Say it again.
THOM LANGFORD
Please tell me that his for you is something snooky dumpling or something.
CAROLE THERIAULT
No, it's much cooler than that actually.
THOM LANGFORD
Woman.
CAROLE THERIAULT
Yeah, yeah.
THOM LANGFORD
Woman.
CAROLE THERIAULT
Actually it's beauty, so put that in your pipe, Thom.
GRAHAM CLULEY
So I don't think, Carole, I don't think you're gonna get the Daily Mail or indeed maybe some IT—
CAROLE THERIAULT
I don't care what you say about the Daily Mail.
GRAHAM CLULEY
Or maybe some IT publication saying, oh, watch out for CVE-2019-1347.
CAROLE THERIAULT
Every single freaking first Tuesday of the month, that's exactly what comes out from Microsoft in order to get vulnerabilities updated.
GRAHAM CLULEY
Well, it's not very helpful, is it, when you're in a meeting with the boss and they're trying to get their head around which one is important and which one isn't?
CAROLE THERIAULT
No, no, I'm okay with, I'm totally fine with the idea of let's slap a nickname on one that we are in, but I just think we should not, it's not about naming.

There is a naming convention amongst everyone of what these things are and how we detect them.
GRAHAM CLULEY
If you let me, let's just move on to what Leigh Metcalf has done. You brought it up.
THOM LANGFORD
Welcome everybody to the Violently Agreeing Podcast.
CAROLE THERIAULT
Yeah, well.
GRAHAM CLULEY
Right, so this researcher has created a Twitter bot.

And what the Twitter bot does is every time there is a new CVE come out, a new vulnerability announced with some numeric number which we'll never ever remember, the Twitter bot automagically assigns it a random name constructed out of an adjective and a noun.

And so he's given it names. So if it was one which you wanted to refer to, there is then a name which is independent of the marketing department.
CAROLE THERIAULT
I think this is fucking disgusting.
GRAHAM CLULEY
What?
CAROLE THERIAULT
I'm going to tell you why.
GRAHAM CLULEY
Why?
CAROLE THERIAULT
Because his names have absolutely nothing to do with the payload or what's involved in it. And you know what?

That is something that researchers, whilst maybe some have not been successful in their naming conventions, have tried to allude to. It's ping pong, right?

The virus we know as ping pong.
GRAHAM CLULEY
Yes. It plays ping pong on your screen.
CAROLE THERIAULT
Exactly. I don't think shapeless screwdriver is giving me any indication of what the vulnerability might do.
GRAHAM CLULEY
Suggestive bunny?
THOM LANGFORD
Yep.
GRAHAM CLULEY
Unmarked slap tickle? One of those? I think they're— I think he's been—
CAROLE THERIAULT
Did you come up with these?
GRAHAM CLULEY
No.
THOM LANGFORD
That last one just sounds like a hobby.
CAROLE THERIAULT
Why is he giving them all a little sexual nuance?
GRAHAM CLULEY
No, these are just the ones I've picked out.
THOM LANGFORD
Oh, of course. I picked them out from the list.
GRAHAM CLULEY
These are the ones which caught my eye. So they are trying to avoid offensive words and anything that sounds too suggestive or scary.

See, it's very difficult, isn't it, working out if a name is suggestive or offensive or not? Because there were a couple— there was, for instance, Headed Bottom. Is that filthy?

Headed Bottom?
CAROLE THERIAULT
I don't know. Beef Curtains, what do you think?
GRAHAM CLULEY
Canny Lumpsucker, that was one of his. And Filthy Python. Those names were created by the bot for real vulnerabilities.

And there's also one which the Register spotted, which is Perceptive Ejaculate. Which, yeah.
CAROLE THERIAULT
I don't know what that even means. What does it mean? Explain it to me. As an owner of ejaculate.
THOM LANGFORD
As opposed to accurate ejaculate or non-perceptive ejaculate. Random ejaculate? I don't know.
GRAHAM CLULEY
Anyway, I think maybe it's a better idea if a bot is in control of naming these things than marketing departments, because maybe that makes it more level playing field.
CAROLE THERIAULT
It's not marketing departments. I just think you're just smoking the wacky backy.
GRAHAM CLULEY
What do you mean it's not marketing departments?
CAROLE THERIAULT
It's not marketing departments that name these things.
GRAHAM CLULEY
Of course it is.
CAROLE THERIAULT
It's researchers that name it.
GRAHAM CLULEY
No, no, no. They find the vulnerability, and then they need people to work on the logo. You don't think the logo is done by the guys? I didn't talk about the logo.
CAROLE THERIAULT
I talked about the name.
GRAHAM CLULEY
The marketing department are gonna have a big say in this.
THOM LANGFORD
They go hand in hand, definitely.
GRAHAM CLULEY
They're not gonna leave it to the guys in the labs.
THOM LANGFORD
It does remind me of that Dilbert cartoon where they're trying to get a project name.
CAROLE THERIAULT
I'm with the lab boys. I just want everyone to know that. I'm with the lab boys on this. They're the ones who do the work.

They're the ones who write the CVE, and they should call it whatever they want. And I don't think a Twitter bot would help.

The only thing I wish is the industry would just agree on a name. Right? Wow.
GRAHAM CLULEY
Seem to have touched a bit of a nerve with you there, haven't we?
CAROLE THERIAULT
Well, just, I'm just a little embarrassed being associated with you right now.
GRAHAM CLULEY
Are you going on the Host Unknown podcast this week? If you want to know about embarrassment.
CAROLE THERIAULT
I'm just annoyed. You know what D-Day is. We're not allowed to talk about it.
GRAHAM CLULEY
All right. Well, let's move on then. Anyway, I'll put a link in the show notes. You should go and check out, I believe, the bot, because I think it's quite interesting.

Its name is— I'm going to try and say it. Vulnonym. Vulnonym.
CAROLE THERIAULT
My God. Wu-Tang Clan, and then Vulnonym. That's a good name. That's hilarious. The irony of its name proves my point. Vulnonym.
GRAHAM CLULEY
Thom, what have you got for us this week?
THOM LANGFORD
Hopefully something a little shorter and a little less— Thank you. Disruptive, to be honest with you. So AI is everywhere, as we know, artificial intelligence.

Everybody's saying that their product, certainly in the security space, is that their product is powered by AI and how wonderful it is and all that sort of thing.
CAROLE THERIAULT
Powered. I think that word should go on business bingo cards, don't you think?
THOM LANGFORD
Oh, absolutely. Yeah.
Unknown
Yeah.
GRAHAM CLULEY
AI, machine learning, blockchain.
THOM LANGFORD
Yeah.
CAROLE THERIAULT
Powered.
THOM LANGFORD
The view I take on AI is that it's very simple and you can tell the difference between AI and machine learning.

And so machine learning is written in Python, you know, or any other kind of programming language or whatever, whereas AI is only written in PowerPoint because it doesn't really exist.
Unknown
I know.
THOM LANGFORD
I've seen enough science fiction to know that it doesn't exist. And also then people start talking about how, you know, our robot overlords are going to take over the world, etc.

And if they do, by the way, I for one welcome our robot overlords and look forward to serving them very, very well.
CAROLE THERIAULT
But have you ever kicked a vacuum cleaner? I hope not.
THOM LANGFORD
God, no. I named my vacuum cleaner.
CAROLE THERIAULT
What'd you name her?
THOM LANGFORD
Juan.
CAROLE THERIAULT
What?
THOM LANGFORD
Juan the Hoover. It's one of those little robot ones that pops around. So, you know.
GRAHAM CLULEY
You've got a— hang on a moment. Hang on a moment. You've got a robot vacuum cleaner.
THOM LANGFORD
Yeah. Why? I can't be asked to vacuum myself.
GRAHAM CLULEY
Do you not have leads and things and cables?
THOM LANGFORD
I am a very tidy leads and cable.
GRAHAM CLULEY
Are you?
THOM LANGFORD
Yeah, absolutely. Yeah. You have to come around one day.
GRAHAM CLULEY
No, I'm all right. Thanks.
THOM LANGFORD
Right. That's you off the fucking list. Anyways. So, AI. Please keep on the topic, Thom. Don't get distracted.

Oh, but then I saw this article and it had a little video on it, and it's of a football match of which I would normally not go near with a bargepole.

But the cameras— and I didn't know this— but the cameras on many of these are no longer controlled by humans, they're controlled by computers that track the movement of the ball.
CAROLE THERIAULT
Of course.
THOM LANGFORD
Yeah, which makes sense, you know, if it's a very fast-moving game, etc., you can probably get more accurate.

Except in this particular game, the linesman who, I understand, was devilishly handsome, but also had a bald head.

And this particular camera got a little confused and was just following the linesman up and down the line, completely missing all of the action, the football being kicked up.
CAROLE THERIAULT
Oh my god, I really hope your story is that their reply to this was that their AI malfunctioned.
THOM LANGFORD
I don't know if it got that far. But the alternative, however, is maybe AI is absolutely real and in this particular case has got the hots for a bald linesman.

Don't know, but I thought that perfectly summed up AI to my mind in that it's not AI at all.

It's just a little bit of machine learning that's found that a bright, small, round, shiny object is what it needs to follow.

And so the back of a bald linesman's head seemed to be the right thing.
GRAHAM CLULEY
Thom, is it possible you've brought this story to our podcast today because you are yourself the owner of a bright, round—
THOM LANGFORD
A beautifully polished pate.
CAROLE THERIAULT
I think it's called pâté, actually.
THOM LANGFORD
No, that's what you eat.
GRAHAM CLULEY
So basically you're saying it's all a load of rubbish. And this is the demonstration of this.
THOM LANGFORD
Yes, at the moment. Totally.
GRAHAM CLULEY
Says the man with the robot vacuum cleaner.
THOM LANGFORD
It's as dumb as ditchwater, but it does the job. It just goes round and round randomly. It doesn't map anything. It bumps into stuff and then sort of tries to go round it.

It's effective because it runs for an hour a day, 7 days a week.
CAROLE THERIAULT
And so how often do you talk to it?
THOM LANGFORD
Every time it comes out, you know.
CAROLE THERIAULT
Hey, Juan.
THOM LANGFORD
What you doing?
CAROLE THERIAULT
Off to work, Juan.
GRAHAM CLULEY
Well, Carole, from that story of AI disaster, what do you think?
CAROLE THERIAULT
Yeah, really meaty. Thanks, Thom.
THOM LANGFORD
Yep.
CAROLE THERIAULT
Giving us a lot to think about.
THOM LANGFORD
Well, I thought, you know, popular news show like this—
GRAHAM CLULEY
Your time's up now, Thom. Stop trying to defend it. We've moved on.
CAROLE THERIAULT
So, time to come clean, boys. Okay. You're both old. You both must have cheated in your lives at some point. I mean, at school. I mean, at school.

I don't want to know any details otherwise. Come on, how'd you do it?
GRAHAM CLULEY
I seem to remember I wrote a whole load of quotes from Chaucer down on a tiny, tiny piece of paper, because I just thought—
CAROLE THERIAULT
Oh yeah, yeah, yeah. Tiny, tiny writing?
GRAHAM CLULEY
Tiny, tiny writing, because I just thought this should not be a memory test of remembering Middle English Chaucer. I thought, that is unfair.
THOM LANGFORD
Did you then forget that it was a maths exam?
CAROLE THERIAULT
Thom, come on.
THOM LANGFORD
I'm trying to remember. I do recall that for a section of my degree, I think I copied 9 out of 13 essays from someone else.
CAROLE THERIAULT
Wow.
THOM LANGFORD
Only a small section in case anybody wants to take it away after. I didn't enjoy my degree.
CAROLE THERIAULT
I used to write my answer same as you, Graham, tiny, tiny writing, but I would write it in pen on my eraser.
GRAHAM CLULEY
Oh, and then you could rub it out?
CAROLE THERIAULT
Right. I always had a ginormous eraser, not like a ginormous, ginormous, palm-sized. But like, you know.

And then if a teacher approached, I'd frankly erase an answer that I was confident on, erasing the pen.
GRAHAM CLULEY
Wow.
THOM LANGFORD
That's good.
Unknown
Yeah.
GRAHAM CLULEY
Very good. Thom, you didn't do that when you were at the University of Kent studying Industrial Relations, Personal Management with Computing, is that— between 1990 and 1993?
THOM LANGFORD
Yeah, certainly not.
GRAHAM CLULEY
Or when you were the chairman of the University of Kent Taekwondo Society?
THOM LANGFORD
That was the part of the university life that I enjoyed and why I got a third-class degree. 'Cause all I did was taekwondo 5, 6 days a week.
GRAHAM CLULEY
I'm just saying that if anyone from Kent wants to investigate Thom and his degree, all the information, I found it up on LinkedIn in real time.
CAROLE THERIAULT
At least he doesn't have his own Wikipedia page, Graham.
THOM LANGFORD
Has Graham got his own Wikipedia page?
CAROLE THERIAULT
Yes! Claims he had nothing to do with it.
THOM LANGFORD
Yeah, right.
GRAHAM CLULEY
I didn't create it.
CAROLE THERIAULT
Oh yeah, no, no, just a fan.
THOM LANGFORD
I am so going to join Wikipedia so I can do some editing.
CAROLE THERIAULT
Can we get back to me, boys? Can we get back to me? I actually did some work on my story, Thom, so if you don't mind, I'd like to just do a tap dance.

Okay, so all these cheating methods don't work very well if you're an online student sitting an exam from your home.

Then universities have gotten quite excited about the idea of remote proctoring services. So they've gloved up and are ready to take control.
GRAHAM CLULEY
Oh, for goodness. You are so bad.
THOM LANGFORD
What?
GRAHAM CLULEY
You know what you just did.
THOM LANGFORD
I didn't do anything.
CAROLE THERIAULT
You've made—
GRAHAM CLULEY
You've made Thom titter. I don't understand how.
CAROLE THERIAULT
How did I—
GRAHAM CLULEY
What did they say? Well, let's just move. Okay, if you want to act all innocent, let's carry on.
Unknown
Okay.
CAROLE THERIAULT
So in other words, this remote proctoring is also called in the UK remote invigilation. Okay?

So this basically allows candidates to take tests or assessments from home, from work, from anywhere really. And universities love it.

And other learning institutions, high schools, et cetera, et cetera, other academia want to jump on the bandwagon.

And the point, the whole point is to ensure that the exam goes well. So there's two big components in it. There's one which is the identity. Are you who you say you are?

So if Graham was going for his driver's test, I am sure he would love someone else to do it other than him if he wanted to pass. If you had to redo your test—
GRAHAM CLULEY
Hang on, what was that? Hang on a minute. That was a bit of an unnecessary attack. What's wrong with my driving?
THOM LANGFORD
Whoa.
GRAHAM CLULEY
I've passed my driving test.
CAROLE THERIAULT
Are you kidding me? Are you seriously on air? Are you saying that you think you're a good driver?
GRAHAM CLULEY
I think I'm all right. I can pass the test.
THOM LANGFORD
Really?
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Okay. And to our listeners joining us in couples therapy, we could get someone who actually does that professionally and they could actually help us on air.

I'd be happy to air our shit on air. I would have no problem.
GRAHAM CLULEY
I think we had the airing the shit episode in episode 173, if I remember correctly.
CAROLE THERIAULT
But again, back to me.
THOM LANGFORD
Jeez.
CAROLE THERIAULT
Okay, so you want to ensure the integrity of the exam as well. So did you cheat? So are you who you say you are? Did you cheat? Those are two big questions.

And there are big companies out there providing these remote proctoring services. AI Proctor, yes, that's their name, or ProctorU or Examity are big ones.

Now, I want you guys to actually imagine yourselves as students today. I don't know what you'd be wearing. Probably your asses would be out, right?

You'd be wearing those jeans with your top bits of your butts out. Skinny leg jeans, pointy shoes.
THOM LANGFORD
I wish. I remember those days vaguely.
CAROLE THERIAULT
Okay, so before the exam begins, you have to install the application so it can check your computer, right?

It needs to make sure you've got a mic and a camera or video screen and confirm it has the appropriate settings and access levels.

And of course, you have to identify yourself as well.

And the way you do this is you hold up your ID to the camera, and others demand other identity checks, such as biometric authentication, including facial recognition.

So they take all kinds of little data points on your face and make sure that when you actually sit the exam, they match.
GRAHAM CLULEY
Oh my goodness gracious.
CAROLE THERIAULT
Right? And then, now it's the time of the assessment, right? It's time for you guys, you guys are nervous, right? It's time for the exam.

And first, we want to make sure you're you, right? So we might ask you to type a short phrase and make sure that your keystrokes can be analyzed compared to previous samples.
GRAHAM CLULEY
But you're nervous, you're fumbling, you're making mistakes. That's what happens.
CAROLE THERIAULT
Yeah, I know, I know. And you know what? I may not lock you out at that point as the software, but I might put a little mark, a black mark against you that you don't see.

You know, I might be going, "Hmm, I'm not sure this is the same guy." Often there's also a human proctor there invigilating as well, right?

But they might be invigilating, God knows, they might be invigilating 300 different students at the same time.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
So you don't know when they're looking at you or when they're not. Same as, I suppose, a teacher in a class. And this human proctor works in tandem with the software.

So we're going to call them Proctor Walter.

The first thing they're going to do is ask to share your screen and then to display both sides of your driver's license in the webcam's view.

Proctor Walter will then say, "I need to see your desk and workspace, Graham and Thom. Please rotate your webcam 360 degrees so I can see the area around you." What?

Then they might say, please take a step back and show me the entire desk, which would be hard with a desktop, wouldn't it?
GRAHAM CLULEY
Please undo a few buttons. Please bend over and pick up this pencil.
THOM LANGFORD
It sounds like a script to a sub-dom thing going on here.
CAROLE THERIAULT
Yeah. No, but seriously, there's some— Proctor Walter might insist that you angle a mirror.
THOM LANGFORD
Oh, yes, sir.
GRAHAM CLULEY
Angle?
CAROLE THERIAULT
At the areas beneath the ordinary level of webcam viewing.
THOM LANGFORD
Okay.
CAROLE THERIAULT
Just to make sure you don't have your phone or your tablet hiding underneath your screen with the answers.
GRAHAM CLULEY
Thom, have you ever angled a mirror?
THOM LANGFORD
Frequently.
CAROLE THERIAULT
Graham, Graham, it's not that sort of show. If you want to talk about that, come on, sticky pickles. Okay, so then Proctor Walter requests remote access to your computer.

"Please open your system preferences and click on the lock icon," Proctor Walter says to you.
GRAHAM CLULEY
This sounds entirely reasonable. Yes.
CAROLE THERIAULT
Of course. Please enter your computer password now.

Now, during the test, the cameras record the entire test, and some systems relay video to the human proctor in real time, who observes your eye movements and other behaviors for signs of cheating, and compiles a report after testing for the proctor to review.

So the system puts out, oh, he looked, he picked his nose and looked left at one point. Or he looked at his watch.

There's also lockdown mechanisms to make sure that you can't access the web or other apps on your computer, of course. And it gets worse.

They even have— some have hardware such as smartwatches and fitness monitors that will detect changes in pulse and temperature of the testee. Not the testes.
THOM LANGFORD
Welcome to the Filthy Double Entendre Podcast.
Unknown
And they'll use, of course, facial recognition, sound recognition, keyboard analysis.
CAROLE THERIAULT
It's just like, Jesus. Okay, so on a scale of 1 to 10, boys, how invasive do you think this is? That's my question.
THOM LANGFORD
69. I don't know.
CAROLE THERIAULT
Shall we play a little game? Can we just go down the, what could possibly go wrong in this situation? Oh, what was this thing called? Should we play that game?
GRAHAM CLULEY
Right.
THOM LANGFORD
Yeah.
CAROLE THERIAULT
Da-da-da-da, go first.
GRAHAM CLULEY
Oh, we've got good jingles on this podcast, at least. What if the proctor— by the way, that word is very funny. What if the proctor—
THOM LANGFORD
I loved proctor.
GRAHAM CLULEY
Was a bit of a perv?

And he fancied his young 19-year-old budding student and thought, oh, I'd quite like to have a rummage around her hard drive somewhere and see if she's got any selfies or worse, or, you know, take over her webcam some other time when she's not doing a test, for instance.
CAROLE THERIAULT
Okay, so for something less dirty, what about an unreliable internet situation, right? Where your internet's kind of glitchy.
GRAHAM CLULEY
Yes. What if the pupil has an actual detached retina or has an eye issue, which means that one of their eyes is pointing in the wrong direction?
CAROLE THERIAULT
A lazy eye.
GRAHAM CLULEY
A lazy eye. And so it appears that they are intentionally looking in a suspicious direction while doing the test.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Would the AI or the proctologist pick that up?
CAROLE THERIAULT
It's not a proctologist. Okay, what about data breaches? Remember I mentioned this company earlier, ProctorU?
GRAHAM CLULEY
ProctorU.
CAROLE THERIAULT
ProctorU disclosed that it was the victim of a major data breach earlier this year.

The firm was one of 18 organizations to have their database containing almost 400 million records stolen by hackers since January.

In late July, all these databases that were stolen were offered for free in online hacker forums.
THOM LANGFORD
Did that include video as well?
CAROLE THERIAULT
Well, right.

And think about it, people have to show their passports or their driver's license or their birth certificates or their social insurance number to prove they are who they are.

In all this, there has been this weird twist.

In June, a Redditor posted a photo of a chat log on Reddit's University of British Columbia subreddit, claiming that Proctorio, this is another one of these services, Proctorio support had failed to help him with an online UBC test.

So he basically was saying, "I tried. I tried to get some help. They didn't respond. I was left on my own. Poor me." And the thread got some sympathy online until the Proctorio CEO, Mike Olson, under username Artful Hacker, provided his own response to the student live on Reddit.

And he goes, "If you're going to lie, bro, don't do it when the company clearly has an entire transcript of the conversation." "Shame on you." And then he posted an edited transcript of the chat logs, which kind of confirmed that the student was kind of a little bit full of shit, that they did actually respond to him.

So he was basically calling out saying, "You're a bit of a liar." But in putting out all this whole transcript, people started going, "WTF," right?
GRAHAM CLULEY
What else have you got? And who's got access to it?
CAROLE THERIAULT
Exactly. Iain Linkletter, he's a UBC learning technology specialist. He was particularly outspoken on this whole scenario.

On August 25th, he criticized the company Proctorio for including the room scan feature in an instructional video that Proctorio has since removed.

So basically, inside their software, you can get a panorama room scan. You can—
GRAHAM CLULEY
This is just insane. This is why— why on earth do they need to do that? I mean, I understand why on earth they need to do that, but really, I mean, for goodness' sake.
CAROLE THERIAULT
So this guy, Iain Linkletter, right, he gets really pissed off and he says, this is an unlisted video from Proctorio's YouTube channel about Display Room Scan.

And he says Display Room Scan allows you to click and drag through a panorama of a student's personal home. So you can click and drag through it. It's just insane.

And he goes, and he says, I'm agitated tonight because the CEO of Proctorio attacked a student in my university subreddit, calling them a liar and posting their chat support logs.

Unacceptable behavior.

So then the CEO freaks out, backtracks, deletes the transcripts, and reiterates that all user information has been anonymized in this transcript and writing that we at Proctorio take privacy very seriously.
THOM LANGFORD
What?
CAROLE THERIAULT
So a spokesperson for Proctorio wrote in a statement, trust is the sum of repeated actions. We will strive to improve upon the support we offer every day.

We commit to doing everything we can from our support team to our CEO to continuously show how much we value the trust of students, professors, and administrators.

So no apology there.

But the student, you know, the student at first who said, you know, I didn't get any help and, you know, fuck this, he came forward and is now super shamefaced, saying, I'd just like to say that my post about Proctorio support, which was just supposed to be for comedic purposes, was extremely misleading.

I sincerely apologize for that as it was truly immature.
THOM LANGFORD
Newsflash, there's trolls on the internet.
CAROLE THERIAULT
I know, but good that he apologized. It's so rare. So I, you know, I know he fucked up, but he's owning it, so good for him.
THOM LANGFORD
That's true.
GRAHAM CLULEY
I think it's important when students make a mistake or, you know, for them to come clean, however many years later it might be, Thom. I think it's—
CAROLE THERIAULT
So Graham, did you go to university?
THOM LANGFORD
You mean 27 in my case?
GRAHAM CLULEY
It's a good thing just to own up to what you've done. Nine essays, wasn't it?
THOM LANGFORD
Yeah, something like that.
CAROLE THERIAULT
So just to wrap us all up, because of these kind of fiascos with the CEO who actually added fuel to the fire, there are students now rebelling against this eye-tracking exam surveillance tool.

I agree. I say they should make noise. They have online petitions and they're being really vocal about the invasiveness in the media. We are seeing traction.

Some universities have started declaring that they will not employ remote proctoring service due to privacy concerns, like University of Calgary.

The student union president posted three days ago on Reddit saying, "Hi everyone, my name is Frank and I'm your SU president.

I'm very happy to let you all know that we will not be proctoring for winter 2021." So at least he's got it for that time.

My colleagues and I have fought hard against this since the summer, and this is one of my many hills to die on. So students are making a difference. I say keep it up.
GRAHAM CLULEY
And if your university hasn't stopped using these services, maybe you could do something like wear really dark sunglasses when you're doing your test.
CAROLE THERIAULT
Mirrored sunglasses so they can see your screen. Maybe that should be a rule.
GRAHAM CLULEY
They can't see what you're looking at.

Today's show is sponsored by Mimecast, the number one cloud email security solution for Microsoft 365.

Safeguard your organization with Mimecast's end-to-end phishing, impersonation, and brand exploit protection service, a layer of email security defense that picks up where Microsoft security leaves off.

Microsoft's innovative service blocks brand attacks before they can launch, stops live cyber attacks in their tracks, and gives you visibility into anyone using your domain without your permission.

Start today by downloading a free copy of the State of Email Security Report at smashingsecurity.com/mimecast. And thanks to Mimecast for supporting the podcast.
CAROLE THERIAULT
What would happen if there was a fire in your building?

Probably an alarm alerts you to the danger, emergency operators get you connected so you get help, and firefighters snap into action to put out the flames.

When it comes to Kroll Responder, it's the alarm, the operator, and the fire department all rolled into one.

You see, Kroll Responder merges hunting, detection, containment, and remediation to deliver best-in-class endpoint security.

Kroll responds to over 2,000 cyber incidents every year and is uniquely positioned to bring that capability and expertise 24/7 with Responder.

See how Responder works at smashingsecurity.com/kroll, spelled K-R-O-L-L. You know, I kind of like your name. It's good. It's a really good name.
GRAHAM CLULEY
This episode of Smashing Security is sponsored by LastPass. Now, everyone knows about LastPass's password manager for end users, but it's also a great solution for businesses.

In fact, tens of thousands of companies rely upon LastPass to protect themselves.

LastPass Enterprise simplifies password management for companies of all sizes and helps you secure your workforce. So whatever the size of your business, go and check it out.

Go and visit lastpass.com/smashing to find out more. And thanks to LastPass for supporting the show. And welcome back. Can you join us on our favorite part of the show?

The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
THOM LANGFORD
Pick of the Week. Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.

It doesn't have to be security-related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
And my pick of the week this week is not security-related, but it is technology-related. Unsurprisingly, a lot of our picks of the week are.

Have you ever wanted to boot up your computer but not had any electricity to power it up? Not had a battery pack? Imagine you are in the middle of a field.
CAROLE THERIAULT
Mm-hmm.
GRAHAM CLULEY
And you want to turn on your device, but you haven't got any battery. You haven't got any power.
CAROLE THERIAULT
I use my solar battery.
GRAHAM CLULEY
Are you going to do— Well, no, you don't have a solar battery of any kind.
THOM LANGFORD
We only have the one thing that Graham's about to talk about.
CAROLE THERIAULT
Okay. Okay.
GRAHAM CLULEY
Potatoes.
CAROLE THERIAULT
Yes, potatoes carry batteries. That's right.
THOM LANGFORD
That's an awful lot of them for a laptop though.
CAROLE THERIAULT
Yeah, it's going to be a fieldwork.
GRAHAM CLULEY
Well, history has been made by a YouTuber called Equalo, and Equalo has made a video because he was curious.

He thought, I wonder if I could power a Raspberry Pi Zero to play Doom only powered by potatoes.
CAROLE THERIAULT
Okay, you know what the question is that we want to know?
GRAHAM CLULEY
What's that?
CAROLE THERIAULT
How many potatoes?
GRAHAM CLULEY
He wired up a massive array of hundreds of potatoes, which then proceeded to rot in his garage over the course of about 6 days with help from his wife and a friend.

They worked on this project for about a month or so, working out how to do it, and they set up all these potatoes, they sliced them up, they wired them up, they plugged them into the Raspberry Pi, they had Doom installed on the Raspberry Pi, they plugged it in, and it failed.

It didn't work.
CAROLE THERIAULT
Because there's not enough energy.
GRAHAM CLULEY
Well, he'd been measuring the energy, but there wasn't quite enough to drive it to the monitor.

And so then, as a last gasp, he thought, what about my Texas Instruments graphing calculator? It doesn't need quite so much power.

But believe it or not, his Texas Instruments calculator can actually run Doom. Someone has ported Doom onto his calculator.

So he plugged these hundreds of rotten stinking potatoes into his calculator, and well, let's just put it this way, there was a happy ending.

But I would encourage you to go and watch the video of a man doing a pointless pursuit, which he later regretted because of the stench of the rotten potatoes, which went all mouldy.

But I was impressed by it. Yeah, this is the kind of thing you want to do.

This is the kind of thing I don't want to do, but the kind of thing I want to watch other people doing with their Raspberry Pis and good for him, I thought.

So that was my pick of the week.
CAROLE THERIAULT
Okay.
THOM LANGFORD
Do you know there's starving kids in the world who would, you know, just be desperate for those potatoes?
GRAHAM CLULEY
Love to play Doom.
THOM LANGFORD
Yeah.
CAROLE THERIAULT
Do you know— yeah, there's this artist, right? There's this artist, this modern artist who basically took a banana, taped it to a wall with duct tape.

Literally, ripped off duct tape from their mouth, right? And put the banana on the wall, and that was their art. And it went for a ginormous amount of money.

And what you got as the purchaser of this artwork was the manual, which is how to replace— you have to replace the banana every two days, otherwise it rots.

Yeah, it's quite interesting.
THOM LANGFORD
Yep. This is educational.
GRAHAM CLULEY
No, it's more desperation at the people who would have bought that.
CAROLE THERIAULT
I don't know, I think it says a lot about the art world.
GRAHAM CLULEY
I always have wanted to be a modern artist. I always thought that would be the ultimate scam, to be a modern artist.
CAROLE THERIAULT
You might want to start doing some art then.
THOM LANGFORD
Well, you settled for piss artist in the end.
CAROLE THERIAULT
He certainly did.
GRAHAM CLULEY
Right. Thom, what's your pick of the week?
THOM LANGFORD
Hopefully something a little bit more useful than a shed full of potatoes.
CAROLE THERIAULT
Rotting potatoes.
THOM LANGFORD
Rotting potatoes. Yes, indeed. Actually, that'd make a good vulnerability name, wouldn't it? Rotting potatoes.
GRAHAM CLULEY
Yeah.
THOM LANGFORD
There you go.
CAROLE THERIAULT
No, no, you can't. You have to— the machine has to get it. So you can't use it. Maybe they'll come up with it one day, Thom. We don't want your suggestion.
THOM LANGFORD
Raspberry Pi, you mentioned that the Raspberry Pi Zero.

We're now on the Raspberry Pi 4, which I think has, is it two or three different variants with different amounts of memory in it?

The Raspberry Pi, very accessible, small, powerful, small computer, very useful in schools, etc., because they're very cheap.

So, you know, the mid-range Raspberry Pi 4 goes for only about £40 or so. Very useful.

And in fact, I've basically got a hobby now of buying Raspberry Pis and then finding something to do with them.

So I got, I think, 4 running various things in the house at the moment.
GRAHAM CLULEY
What do you have them doing, Thom?
THOM LANGFORD
I've got a Plex server. I've got a Homebridge. I got a Magic Mirror and I'm just working on a Pi-hole, which is an advertising, you know, online advertising sort of sink.
GRAHAM CLULEY
It's like an ad blocker, isn't it? Yeah.
THOM LANGFORD
You know, and it's really interesting. I actually have no idea what I'm doing.

You know, my type of coding is to copy and paste from stuff, which actually I've been reliably informed is a lot like everybody else's coding.

But I think that's the beauty of the Raspberry Pi is that there are so many different add-ons, both, you know, both from a hardware perspective and, you know, as well as what you can do with it software-wise.

But my pick of the week is they have just released the Raspberry Pi 400, which is, this is the Raspberry Pi Foundation, which is a Raspberry Pi 4 slight upgrade, faster processor.

But it is built into the Raspberry Pi keyboard. So you can buy, you know, the keyboard and mouse to go with this Raspberry Pi.

The Raspberry Pi itself is now built wholly into the keyboard.
GRAHAM CLULEY
And this is so cool.
THOM LANGFORD
Very cool. It comes with a mouse as well and an HDMI cable. So all you need is a monitor and it costs £70.
GRAHAM CLULEY
It's amazing. It's going to sell like hotcakes.
THOM LANGFORD
Absolutely. It's got access to all of the ports on the back. So the GPIO, which is basically an interface port you can plug other stuff in, is all accessible there.

And the other pinouts are there. USB, the mini-DVI, because you can drive twin monitors off it, all within the form factor of, frankly, a very smart-looking keyboard.
GRAHAM CLULEY
It does look very nice. I've watched some videos of this. Was it launched this week, wasn't it?
THOM LANGFORD
Literally, last couple of days.
GRAHAM CLULEY
Yeah.
THOM LANGFORD
Because I've got the keyboard and mouse, which I use whenever I just now buy a Pi. I just plug in this keyboard and mouse and plug into a monitor, etc. And they're good quality.

They're basic, but they're good quality. But if all of this is within the keyboard as well, brilliant. Absolutely brilliant.
GRAHAM CLULEY
Yeah, absolutely brilliant. It looks really nice. It's a bit like— so if any of our older listeners remember things like the ZX Spectrum and the Spectrum Plus.
THOM LANGFORD
Yeah, it does look a bit like that.
GRAHAM CLULEY
It's a bit like an old home computer which used to plug into your TV. Obviously, you can put it— plug it into either an HDMI TV or into a monitor.

And I think this would make a great starter computer.

Better for people as well, people who just want to first get into computers, kids, and you can still browse the web, you can do documents, you can do pretty much everything I imagine you'd be able to do on a Chromebook.
THOM LANGFORD
Absolutely.
CAROLE THERIAULT
A lot harder to break too.
THOM LANGFORD
Absolutely. Absolutely. It's, it's, they're very capable machines and very, very flexible.

You, if you, if you want it just out of the box, there's plenty there and you don't have to know any kind of programming or anything.

But you'll be able to browse the web and as you say, get your email, write basic documents, even read, you know, other people's Word documents and stuff.

If you want to do fancy stuff with it, you've got to— it's Linux at the end of the day.

You know, you're going to have to spend 4 days trying to work out how to get the latest web browser from, you know, Firefox installed or whatever.

You know, I always imagine people, you know, in The Matrix with the dripping green letters. That's basically a Linux admin trying to install a web browser.
GRAHAM CLULEY
But yes, but there is a great community out there.

So if you need advice as to how to do so, someone else will already have asked the question which you have, and you'll be able to find the answer.
THOM LANGFORD
Or done it and written a guide and you just copy and paste into, into your console, which is exactly what I do.
GRAHAM CLULEY
Thom, I have to say, I think that is an excellent pick of the week.
THOM LANGFORD
Well, one out of two this week.
GRAHAM CLULEY
You've surprised me quite honestly.
THOM LANGFORD
After the last one. The, the dud just we've had just now, you know, from me.
GRAHAM CLULEY
Carole, what's your pick of the week?
CAROLE THERIAULT
Well, my pick of the week demands that Thom sit down and has to watch a video.
THOM LANGFORD
Oh, okay.
CAROLE THERIAULT
And what I would like is for you guys to watch just the first sketch. Okay.
GRAHAM CLULEY
And watching.
THOM LANGFORD
Yep.
CAROLE THERIAULT
So I'm going to count you in. 3, 2, 1.
GRAHAM CLULEY
Oh, hang on. Yeah, hang on. Tell us when.
CAROLE THERIAULT
Okay, get yourselves all ready. Okay, 3, 2, 1.
THOM LANGFORD
Whoa, whoa, whoa, whoa!
GRAHAM CLULEY
Hang on, he's an old man. He can't do things quickly.
CAROLE THERIAULT
3...
GRAHAM CLULEY
So it takes him a while to rev up.
THOM LANGFORD
Okay.
CAROLE THERIAULT
2, 1, go! You've tried and tell me what's going on.
THOM LANGFORD
Okay, so it's a TV show. He's a bit of an Alan Partridge character.
CAROLE THERIAULT
Mm-hmm.
GRAHAM CLULEY
He's sort of sat behind a desk talking about Marco Polo.
CAROLE THERIAULT
Yeah, but do you think anything's weird about him?
GRAHAM CLULEY
Ah, okay. Okay. So this has been filmed—
THOM LANGFORD
Upside down.
GRAHAM CLULEY
At an angle. So he—
THOM LANGFORD
Oh, yeah, yeah, yeah. It looks to us— Yes.
GRAHAM CLULEY
Yes. So it's played a trick on us regarding the perspective. It's the wall is the gravity. Yeah.
Unknown
It is glorious.
CAROLE THERIAULT
Okay.
Unknown
So basically, this—
GRAHAM CLULEY
You describe this, Carole.
CAROLE THERIAULT
I know it's really hard, but okay. This is Sean Micallef. He's an Australian comedian, and he was a cast member of sketch comedy show Full Frontal and The Micallef Program.

And this is one of his many tilted room sketches, where the camera is fixed to a room that can be rotated at will backwards and forwards or any other directions without the viewer being able to see.

And you can just tell by the gravity of how the actor is trying to hold on or fall whilst acting completely normal.
CAROLE THERIAULT
And it's perfectly wonderful, right? Boys, isn't it great?
THOM LANGFORD
Yeah, yeah, it is great.
CAROLE THERIAULT
It is. And in these trying times, everyone, we need a giggle. So my neighbor sent me this link last week and I watched the whole list of them.

So this is apparently a full spectrum of all his sketches.
CAROLE THERIAULT
I put it, it's a YouTube link, so it's free to view and it's silly and unpolitical. So check it out. The Tilted Room Sketches by Sean Micallef.
THOM LANGFORD
Nice. Like it.
GRAHAM CLULEY
In a similar vein, and if you don't mind, I will add it to the show notes as well. There is a show on BBC iPlayer called The Goes Wrong Show, all about a theatre group which all—
CAROLE THERIAULT
Oh, yes!
GRAHAM CLULEY
And they are very, very funny. There's been about 6 episodes of them, but one of them is called 90 Degrees, and I'll put a link in the show notes.
THOM LANGFORD
I saw that one. That is hilarious.
GRAHAM CLULEY
And it is absolutely hilarious.
CAROLE THERIAULT
Really?
GRAHAM CLULEY
They have about half an hour with multiple people going through this.
THOM LANGFORD
And moving from different room to one room to another.
GRAHAM CLULEY
Yes, there you go.
THOM LANGFORD
Which is a different orientation to the one behind it, but they're trying to get through it. Yeah, yeah.
CAROLE THERIAULT
Yeah, I should say this is quite old, what I've got here, right? This looks maybe 20 years old, 30 years old. So that would be great to put that link in.

If only that had been my pick of the week.
CAROLE THERIAULT
Damn it.
GRAHAM CLULEY
Oh, no, no. Clearly, they stole that. Stole the entire idea from Sean Micallef. So good to go back to the original.
THOM LANGFORD
They stole it from 2001: A Space Odyssey. That was when it was first done properly.
GRAHAM CLULEY
Very cool. Very cool. That was a lot of fun. And you know what else I think would be a lot of fun right now, Carole?
CAROLE THERIAULT
Tell me.
GRAHAM CLULEY
Have you possibly got the second half of that featured interview with Dalia from LastPass?
CAROLE THERIAULT
You bet I do, buddy. You bet I do. Listen up, guys. Here's part 2 with Dalia Hamzeh from LastPass.
CAROLE THERIAULT
So Dalia, we left off our last conversation talking all about IoT and the difficulties managing all those devices.

I think it's a really scary time for everyone right now because IoT is marching at a clip and the people that are creating these devices are not LastPass.

They're not security experts. And some of them are doing their due diligence, but lots of them aren't.
CAROLE THERIAULT
And that's where it gets really difficult for us because how do you update a fridge?
Unknown
As you were talking and you're like, these aren't security companies, right?

So I was just thinking wow, Fitbit was just in the news for compromised credentials or customer information.

And I don't know if everybody would think— I mean, that brings up a good point. Fitbit is not a security company.
Unknown
They're a health company. And of course, all these public companies have regulations they have to follow.

And I mean, that's a whole other topic, compliance versus actions we're taking to actually reduce human risk.

A lot of times we do things for compliance reasons and for our audits, they make sense.
Unknown
We want to pass them. But is it really reducing the human risk?
CAROLE THERIAULT
You've got baby monitors and you've got smart TVs and you've got smart fridges and all these things are connected.

And I think personally, and I know I'm drinking the cybersecurity Kool-Aid and I've been doing it for years, so of course I would say this, but I'm very careful about what new smart tech I put in my house.

My house is not smart tech free, obviously, but I'm very careful about it.

I'm not one of the early adopters, specifically if it's from a manufacturer that doesn't have security credentials or hasn't partnered with someone responsible that has security credentials.

People like, you know, my Graham, our co-host on the show, and he can't actually have a voice right now because he's not here, hahaha. But he really loves new tech.

He loves being an early adopter. And we need early adopters to find the flaws inside the tech, right?

So, I kind of say leave the early adoption to the big experts that can't resist and really know what they're doing.

And then come in round wave 2, right, when you're sure that all the things are ironed out.
Unknown
Yeah. You know, here's another good idea for users at home. And I'm just thinking of this now as you were talking.
CAROLE THERIAULT
Yeah, we're spitballing here. We're spitballing.
Unknown
Yeah.

If you get, let's say you get a Fitbit or a new piece of technology, set up a Google alert that alerts you that, hey, there might be a security issue that comes up with one of these different technologies that you adopt, then you would be aware of it, right?

Because you could get an email that says, hey, this new thing that you're doing, we just got word that they were breached.
CAROLE THERIAULT
Dalia, I think that is genius. I'm going to repeat it because it's so good. I think on Google you can set up news alerts, right?

And then what she's saying is, for all the smart tech in your house, write down the names so that you will get news alerts if the words, for example, security and Fitbit come up, right?

Or security and Samsung if that happens to be your TV, or security and Alexa. And that way you can stay ahead of the curve. Is that a fair way of saying it?
Unknown
I mean, you inspired me, Carole, and then that thought came. So that was really, that was the mutual effort there. And yes, 100%.
CAROLE THERIAULT
TM Dalia Hamzeh. I love it.
Unknown
Oh, I mean, there's so much you can do, right? And really, this is when we go into the never-ending trickle of where does it end?

But I think to your point, IoT is such a big thing right now. We have to be very, very cautious and, you know, for our organizations as well, because everything is connected.
CAROLE THERIAULT
In my experience of, you know, and people in my echo chamber, and when I talk to them about what security goes on in their offices, and these are not cybersecurity offices, businesses.

These would be any other kind of office, retail or anything, doesn't matter. They, when I ask them about cybersecurity, they laugh. And then I say, well, don't you talk to your boss?

Or, you know, and they're like, he doesn't know, or she doesn't know anything about cybersecurity. They don't know anything about that.

So, I'm a big believer in trying to get staff trained on at least the basics on how to keep both the company safe and as well themselves at home.

What do you guys, what do you think about that?
Unknown
No matter what industry you work in, I think everybody should. But I know that's not always realistic.

A lot of times training is offered because you're trying to hit a compliance requirement, right?

Maybe it's for SOC 2 or for ISO, one of these kind of third-party regulations that say, hey, we're not giving you a certificate if you don't assign training and show us evidence that everyone has taken it.

I think there's two ways to look at security training. One is we have to make it way more sexy than it is today.

There's a few people that I think are leading this space a little bit. I just don't think it's where it needs to be quite yet.

All right, for instance, use a longer password, use a longer password, right? It needs to be strong and unique for each site.

But does that tell the person on the other end of the computer taking this training that, well, why? Why does that matter?
CAROLE THERIAULT
So do you mean I should use 24 A's?
Unknown
Exactly. What does it mean?

And so I think almost that we need to flip the narrative when it comes to security training and not necessarily focus— this is going to come out wrong, but in my mind it's going to make sense here— not focus just on the here is your end behavior that we're looking for you to drive, right?

Here's actually— let's teach you a little bit about security itself, because I think that that's where the security training lacks. So we know about passwords, for instance.
CAROLE THERIAULT
How do they get hacked?
Unknown
Well, there's a few ways.

One is through password cracking algorithms and these fancy software capabilities that these hackers have, and they can go in and guess an 8-character password in— what is it, 7 seconds?

Some of the really sophisticated ones.

And then once you go up to a 13 or a 16-character password, it can take, you know, if you're not using extremely common dictionary, it can take, I mean, years to crack that.

See, I think giving people that background, because then they might be, oh shit, wait, am I allowed to swear? I shouldn't.
CAROLE THERIAULT
Of course you can swear.
Unknown
Oh my God.
GRAHAM CLULEY
Oh.
Unknown
I'm surprised it took me this long not to swear.

But I think if you give people the context of this 8-character password can get breached and here's how it happens in let's say, you know, a minute versus if you double that, I know it seems like a pain in the ass, but that can take years, right?

So then giving the people the context of if you get, you know, oh well, my important stuff has these passwords. Yeah, but does it share a password?

'Cause if it shares a password, your Words with Friends account was just breached, and guess what?

Now your banking details, you know, they're gonna, that's the first thing they're gonna try.

So I think it's important for us to train people on the actual parts of the security and not just the result or the behavior change we're looking for them.

'Cause I think that's where people kind of ignore security stuff 'cause they don't fully understand it, which brings me back to earlier where if you don't understand something, it's not relevant to you and you just don't care as much.
CAROLE THERIAULT
Look, boom. Dalia has done a full circle and gone right back to the beginning and answered everything. Like, that is slick, Dalia. Seriously. Thank you.
Unknown
Thank you so much. I'm going to take the rest of the day off.
CAROLE THERIAULT
Is there anything else you'd like to add?
Unknown
I'll leave with this.

I used to think when I first started in security and I was looking at all these, you know, our tech partners and all these guys and ladies that I used to work with, and I was like, God, they're just so smart.

And I could never understand that, and I could never, you know, do that.

Give your users, your end users, or yourself if you're listening to this as an individual, it's not as crazy as it seems, right? So, go in and you can learn a little bit.

I actually love security now. I think it's fascinating, the world of breaches and hacks, and it's moving our world forward.

So, you kind of, it's you have to keep up with the Joneses a little bit. I have to say that, but you're gonna be behind if you don't know much about it.

So I would say use resources like SANS.org. That's SANS.org.

They have a ton of free resources even to keep your kids safe online, you know, just a whole bunch of free videos and things like that.

You could sign up for some, obviously this podcast, you're already listening to that, so we didn't have to tell you to do that. Carole, I have to plug you on your own podcast.

No, but I'll plug you.
CAROLE THERIAULT
Use LastPass for home use. One of the biggest important things is keeping unique passwords for every single account.
Unknown
Definitely use LastPass. So LastPass now has a security challenge score, and here I am, 9 years into security engagement and awareness.

I'm— Rachel, and to all my LastPass people that are listening in here, I mean, I was ashamed at my score.

I won't say it out loud, but I was like, wow, I thought I was a rock star.
CAROLE THERIAULT
I'll find out after the show, people.
Unknown
She's told I'm totally gonna tell her. So you find out that you're actually— when you think you're secure, let LastPass has that tool to help do it for you, right?

So generate those secure passwords, the long, the nice long ones. I mean, they can generate a 30-character whatever you want, just put in a number and complexity requirement.

And so I would highly, highly recommend going through— I went through mine, I'd say a few months ago, and I mean, I changed every single password that I had.

And I feel— because I actually— quick story— I was sitting on my couch and got an alert that Booking.com has your 6-digit PIN because somebody was trying to access my account.

So I said, okay, someone already has my password. This is just the second set of authentication to get PIN.

And then I got another one a few minutes later that Uber.com, here is your requested 6-digit PIN code. And I thought, oh shit, this is a problem.

Somebody's actively, you know, trying to get into anything they can with one of my compromised passwords.
CAROLE THERIAULT
So they were using one— you had a same password for different accounts, and these guys were just trying it across various accounts, probably automatically.

So it was just spinning through them.
Unknown
It was, and it was petrifying.
CAROLE THERIAULT
Bing, bing, bing, we're trying to access your account. Bing, we're trying to access your account. Oh my God, yes!
Unknown
And I don't know if people know that those alerts that you get, everybody, that's because somebody is already in your account. They've already guessed your password.

So those 6-digit codes is the second form. It was petrifying, and I stayed up for hours and changed all of my passwords. And yeah, I mean, it took a while, right, to do it.

But let me tell you, I sleep so much better at night, Carole, knowing that whoever that was, if you're listening, you cannot get into my bank account or my credit cards.

And so I feel good about that.
CAROLE THERIAULT
It's like a digital, you know, enema or something.
Unknown
Yeah, I felt nice and clean and light and fresh after. It's exactly what I was like, it was phenomenal.
CAROLE THERIAULT
Our conversation has been amazing. Dalia Hamzeh, Senior Security Engagement Manager at LogMeIn, the makers behind LastPass.

Thank you so, so much for coming on the show and, you know, just speaking frankly about what goes on behind the scenes and what people should do.
Unknown
No, absolutely. And thank you so much, Carole, for having me. This was great. And for everybody at home, take a minute, do some security hygiene. Clean cleansing in your life.

Get all your stuff secure and you'll feel good about it through the end of the year.
CAROLE THERIAULT
Okay, and one last question. Can you just confirm who you think might be funnier on the show? Is it Graham or is it me? Just checking.
Unknown
I mean, you know I'm gonna say you. Yeah, I have to. Graham, listen, ladies, ladies unite, you know. I have to stay true to my— true to my lady here.

So, uh, but Graham, uh, you as well, you're funny too.
CAROLE THERIAULT
He's like 7.
Unknown
And I'm not gonna lie, if I was in the pod, I don't know, I mean, I, you know, I get excited around the people I'm with.
CAROLE THERIAULT
Oh, flip-flops? Stop the recording right now.
GRAHAM CLULEY
That just about wraps it up for this week. Thom, I'm sure lots of our listeners would love to follow you online and maybe find out more about what you're up to.

What's the best way for folks to do that?
THOM LANGFORD
So I'm on Twitter @ThomLangford.

Langford, that's Thom with an H, Twitter would let me have the H, or @HostUnknownTV on Twitter, which is also where you can find out about our podcast called Host Unknown, called the Host Unknown podcast indeed.

And if you want to watch, if you want to listen this week, you might actually get a special guest star.
GRAHAM CLULEY
And you can follow us on Twitter @SmashinSecurity. Smashin Security, no G, Twitter don't allow us to have a G, and we're also active on a Smashing Security subreddit.

And don't forget, if you want to be sure never to miss another episode, subscribe in your favorite podcast apps such as Apple Podcasts, Spotify, or Pocket Casts.

Or if you just want to help the show, tell your friends about Smashing Security because maybe they'd like it too.
CAROLE THERIAULT
Murky buckets for listening to us this week, each week, every week, supporting our work, sharing it with your friends, and of course, high five to this week's Smashing Security sponsors: Kroll, Mimecast, and of course, LastPass.

Their support helps us big time give you the show for free.

Also check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
GRAHAM CLULEY
Until next time, cheerio, bye-bye.
CAROLE THERIAULT
Bye-bye.
THOM LANGFORD
Ta-ta for now.
CAROLE THERIAULT
Wow, what a mammoth of an episode that was.
GRAHAM CLULEY
That was long, guys. But hey, you know what? We managed to get through the entire episode without mentioning, uh, you know what.
CAROLE THERIAULT
What?
THOM LANGFORD
Lockdown. What?
GRAHAM CLULEY
No, not lockdown.
THOM LANGFORD
Anyway, I'm not falling for that one, Graham. I don't want to owe either of you a review of Fiverr.
CAROLE THERIAULT
Yeah, Graham, what are you talking about? What are you talking about, Graham?
GRAHAM CLULEY
All right, go on, Graham. See you next week then.

Hosts: Graham Cluley and Carole Theriault

Sponsor: LastPass

LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.

But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.

Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.

Sponsor: Mimecast

Mimecast’s State of Email Security 2020 report helps you understand the most pervasive threats and how they attack organizations at their email perimeters, from inside the organization (through compromised accounts, vulnerable insiders, social engineering), or beyond the organization’s perimeters (the domains they own and their brands via impersonation).

Grab your copy at smashingsecurity.com/mimecasthub

Sponsor: Kroll

Rapidly detecting a threat is meaningless without the ability to respond with confidence. Kroll responds to over 2,000 cyber incidents every year and is uniquely positioned to bring that capability and expertise 24×7 with Responder. Kroll Responder merges hunting, detection, containment and remediation to deliver best-in-class endpoint security.

See how Kroll Responder works at smashingsecurity.com/kroll

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.

2 comments on “Smashing Security podcast #203: Testing times, naming names, and the bald truth about AI”

  1. David Heath

    A few weeks ago, I asked the local business community about the same ML/AI | Python/PowerPoint dichotomy.

    https://www.itwire.com/security/how-real-is-ai.html

  2. David Heath

    BTW… Shaun Micallef is pronounced Shaun mic-AH-leff
