Smashing Security podcast #205: Zoom password pinching and Parler problems

Industry veterans, chatting about computer security and online privacy.

Graham Cluley

Watch out for a whole different type of shoulder-surfing, researchers uncover the CostaRicto hackers-for-hire gang, and we take a peek at who is behind Parler.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Chris Cochran from the Hacker Valley Studio podcast.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
CAROLE THERIAULT
Hi everybody, Carole Theriault from Smashing Security here, and this is just a quick shout out to all you Patreon supporters that help us week in, week out make this show.

This week, shout out goes to Mikey Wells, Raffaele the Doctor, Gepenst, Pavel Ponomarev, Jessica Orth, Nigel Scott, Martin Chapman, Yan Su, Xylar, and William Reddig.

Huge thanks to you all. Especially those of you that make me use Google Translate to try and get your names right.

Now, if you want to join this incredible group of people, you need only go to smashingsecurity.com/patreon. But if you're fine just as you are, we love you too.

Stay safe, stay warm, remember to smile as often as you can. All right, let's get the show on the road.
GRAHAM CLULEY
And so if you were a bit of a rubbish country, I'm not going to name— What, the UK? We could.
CAROLE THERIAULT
I'm sorry, you're not a rubbish country. I was just which one? Which is a shit country, Graham?
GRAHAM CLULEY
Well, hang on, let me just look up our stats.
CHRIS COCHRAN
And with one listener.
Unknown
Smashing Security, episode 205. Zoom password pinching and Parler problems with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 205.

My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
Hello, Carole.
CAROLE THERIAULT
Hello, Groom.
GRAHAM CLULEY
And we are— what? And we are joined this week by someone who's brand new to the podcast, but not new to security podcasts. It's Chris Cochran from the Hacker Valley Studio podcast.
CAROLE THERIAULT
Yay!
CHRIS COCHRAN
Hello, hello. How's it going?
CAROLE THERIAULT
Welcome, Chris.
CHRIS COCHRAN
Thank you. Glad to be here.
CAROLE THERIAULT
Chris, Smashing Security virgin.
CHRIS COCHRAN
Yes. You know, it's funny. I started podcasting about two years ago, and this was actually one of the first goals that I had was to be on the show.
CAROLE THERIAULT
Oh, wow.
CHRIS COCHRAN
No joke.
CAROLE THERIAULT
Well, you know, sit in your royal throne, darling, and enjoy it.
CHRIS COCHRAN
Love it. I'm going to take up every moment of time that I can and just bask in it.
GRAHAM CLULEY
And Hacker Valley Studios just celebrated, well, just a few weeks ago, its 100th episode, hasn't it? Well done. What an achievement.
CHRIS COCHRAN
Thank you. Thank you. Yeah, it's flown by, but I love every minute of it.
GRAHAM CLULEY
For those people who haven't heard the Hacker Valley Studio, how would you describe it?
CHRIS COCHRAN
Yeah. So Hacker Valley Studio, we're all about exploring the human condition to inspire folks to do their peak performance in cybersecurity.

So really we look at the fringes of cybersecurity. As you saw, we had Grandmaster Maurice Ashley on the podcast.

So we talk about strategy and how to succeed and become somebody in the thing that you want to do.
CAROLE THERIAULT
Very cool.
GRAHAM CLULEY
I thought that's very cool you had a chess grandmaster on, because when we had Garry Kasparov on our show, all we did was ask him about Animal Crossing.

So yeah, you made better use, I think, of Maurice.
CAROLE THERIAULT
He hadn't played, unfortunately.
GRAHAM CLULEY
Carole, what's coming up on the show this week?
CAROLE THERIAULT
Well, first, let's thank this week's sponsors, Recorded Future and LastPass. Their support helps us give you this show for free.

Now, coming up on today's show, Graham tells us about an unusual way to steal passwords on a Zoom call.

Chris talks about a mercenary hacker group, and I see why people are talking about social platform Parler. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, I want you to picture the scene. There you are in the office and imagine maybe you have one actually. Imagine you had a business rival, an arch enemy in the office.

Have you ever had an arch enemy in your office?
CHRIS COCHRAN
All the time.
GRAHAM CLULEY
Yeah. What sort of arch, what arch enemy did you have, Chris? I mean, don't name them obviously, but what was going on with them?
CHRIS COCHRAN
Yeah, it's usually children because I was a dancer. I'm serious. I was the dancer and I did a dance competition and—
GRAHAM CLULEY
Hang on a moment. You were a professional dancer?
CHRIS COCHRAN
I was.
CAROLE THERIAULT
Do you mean funk dancer? Do you mean ballet dancer?
CHRIS COCHRAN
Street dance. Yeah, so funk style.
GRAHAM CLULEY
Oh my goodness.
CHRIS COCHRAN
And I did a competition and I was killing the game. It was fantastic. I knew I was going to win.

And then they let a little girl in the competition and inside, I just knew that was the end for me. She could have done whatever she wanted to.

She could have sat on the stage, sucked her thumb, and then she would've destroyed me. But she actually did phenomenal. And I was, okay, at least I lost to a great dancer. But yeah.
GRAHAM CLULEY
Wow. So, Carole, have you ever had enemies in the office?
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
Do you want to give us any details? Anyone I know?
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
Right, okay.
CAROLE THERIAULT
You know them quite intimately.
GRAHAM CLULEY
I know them very well, Carole.
CAROLE THERIAULT
No, no.
GRAHAM CLULEY
Well, sometimes bitter rivalries do brew up, don't they, in the office? And you might want to get the better of them, right?

You might want to maybe steal some information or have the upper hand against your work nemesis, but maybe they're wise to phishing attacks.

Maybe they don't click on your malicious links. Maybe they haven't chosen dumb passwords. What are you going to do to get better than them? To drag yourself ahead of them?

Because there they are, brown-nosing up to your boss all the time, smarming away, "Mm, mm, mm," every week on the catch-up call with the rest of the team.
CAROLE THERIAULT
"Oh, and you know what else that I did? I'll tell you. Let me list all my achievements this week." That kind of person?
GRAHAM CLULEY
That kind of person. You do that so well, Carole. If only you could get the better of them. If only you could find out their dirty secrets or sneak an advantage.
CAROLE THERIAULT
Are you talking about a whack job?
GRAHAM CLULEY
See what they're— No, no, no, no, no. Okay, good. If you could just see what they were planning to present, then you could steal their thunder. You could get in before them.

It's, "Ahahaha!" So what you need, what you need is their password, right? So imagine you're in that mentality.
CAROLE THERIAULT
And you decide, I want to get illegal. Okay, carry on.
GRAHAM CLULEY
And I want to get illegal. I'm prepared to break some rules.
CAROLE THERIAULT
And laws.
GRAHAM CLULEY
Yeah. So how are you going to get it? Because they're not going to click on your phishing link. They haven't chosen a dumb password. They're not going to install malware.

And you're all working remotely. You don't even have access to their computer.

But the one thing which brings you together each week is a Zoom call or a Skype call or a Hangout or a house party, or whatever it is.
CAROLE THERIAULT
Well, I think before that I would have probably gone and visited their social media, lurked around their LinkedIn and stuff, maybe. If my goal was to try and find their password.

Alright.
GRAHAM CLULEY
Well, I'm going to give you a different method. Because researchers have been exploring how to steal someone's password via a video call, and it's entirely app independent.

Doesn't matter which video calling system you're using. They say there's a chance you could find out their password just by having a video call. Now, it ain't easy, right?
CAROLE THERIAULT
It's not. I'm just waiting to hear it before I— It's not easy. Yeah, I can't wait to hear this. Okay, so just from a video call, just a video call.
GRAHAM CLULEY
Yes. And these researchers, they're not dumbos, Carole.
CAROLE THERIAULT
These— I don't even know where they're from yet. You haven't said.
GRAHAM CLULEY
They're from the University of Texas at San Antonio and the University of Oklahoma.
CAROLE THERIAULT
Shout out to the guys and the girls there. Yeah.
GRAHAM CLULEY
They have worked out how to steal people's passwords using a video call. And obviously, security in video conferencing systems has been under the spotlight because of Zoom.

There's now end-to-end encryption, so calls can't be intercepted or eavesdropped upon. People have got strong passwords, multifactor authentication.
CAROLE THERIAULT
It's like an episode of Horizon, you know, they're gonna tell you the big reveal and they always wait to the 50th minute to say, "And this is why." You're excited, aren't you?

This is what's happening right now. Okay, carry on.
GRAHAM CLULEY
You're excited, right? Yeah. So drum roll. Things like end-to-end encryption, that doesn't actually help you if your adversary is present on the other end of the video call.

So if you're having a legitimate video call with someone, it doesn't matter that the conversation's encrypted because you can see what they're doing.
CAROLE THERIAULT
And they could record you and they can see what you're doing behind you.
GRAHAM CLULEY
Yeah. Right. Right. So okay.
CAROLE THERIAULT
That's not the reveal. Okay. Are you ready?
GRAHAM CLULEY
Are you ready for me to reveal what the technique is?
CHRIS COCHRAN
I'm excited.
GRAHAM CLULEY
It is exciting, isn't it? These researchers at these American universities, they've been looking into people's typing styles and they said there are 3 methods.

You can split all types of typist into 3 groups. There's the hunter and pecker, which is sort of, which button do I press now? There's the touch typing sort.

You just obviously use the keyboard a lot.
GRAHAM CLULEY
And there's hybrid, which basically means they couldn't think of a third, but it's a mishmash of the others because some characters you can't do easily, the hash symbol, right?

That's always difficult for me working out what key combination I have to press or a pipe or something like that. So there's hybrid, there's touch typing, and hunting and pecking.

Okay, so those are the 3 groups of typists.
CAROLE THERIAULT
Those are the 3 types of typists. Okay, sounds super researchy so far. Okay.
GRAHAM CLULEY
If you're trying to find out someone's password, first thing is you need to consider that there's different ways of typing.

You also need to consider the different types of keyboard. Because some keyboards are very clacky, right?
CAROLE THERIAULT
Yeah. You have those bendy ones, those ergonomic bendy wendy ones. Those are crazy. Don't you? And you get those ones that roll up like cigars, you know, the soft foldy ones. Yes.
GRAHAM CLULEY
And you get membrane keyboards, you know, which don't make a lot of noise.

So your first thought might be, well, maybe I can do some analysis on the sound as people are typing on the video call.

And these researchers say, well, they looked into that, but it's not really very effective because there's all kinds of noises going on in the call anyway, which mess things up.

And audio on video calls isn't that great anyway, which is why we're not doing this as a video call right now, right? We've just connected.

Well, there are more reasons than that that we're not doing a video call, Graham. So I'm going to explain what they do. Okay, fuck. Nice. You get on the video call, right?

And the researchers say you observe the typing behaviour and you attempt to detect if typing is taking place off screen, because obviously the webcam isn't pointed at your keyboard.

So what these researchers do, they say, is they're able to look at the micro movements in people's shoulders and upper arms and work out what you might be typing. Oh my God.
CAROLE THERIAULT
Okay. You know what? I have the defense for this. Right. Okay. Tell me. It's really good.
GRAHAM CLULEY
All right.
CAROLE THERIAULT
Shoulder pads.
GRAHAM CLULEY
Shoulder pads. Exactly. Yes. Joan Collins, Dynasty style, 1980s. Yes. Wear shoulder pads, hide your shoulders. I think that's genius. And it's cheap and it's easy.
CHRIS COCHRAN
Yep. What if you dance while you actually type in your password and shake your shoulders? You know, you can shake them back and forth. You would never know.
CAROLE THERIAULT
You would never know.
GRAHAM CLULEY
I couldn't dance for two reasons. I'm English and technical. So I don't think I could do it.
CAROLE THERIAULT
But— Well, Graham, this is serious news you're sharing with us here.
GRAHAM CLULEY
So seriously, they've produced this research paper, and I will link to it in the show notes, where they've looked at all the muscles and the bones in your arms and the ways in which just a small movement of your fingers, left or right, up or down, or as they call it, north, south, east, west, can begin to identify what key you are heading for.
CAROLE THERIAULT
Who is funding this frickin' research? I know you don't even know.

I know— see, this is what I would want to know right away, and I know you wouldn't even think about going to research that, but who is funding this research?
GRAHAM CLULEY
I don't know. I think it's just students, isn't it? This is the sort of thing students do. They have to come up with something. So they think, oh, what are we gonna do?

And there they are smoking on a doobie or something. I've got a crazy idea. Let's look for another one.
CAROLE THERIAULT
I don't think doobies are legal in Texas yet, Graham. Oh, okay. No, they're not.
GRAHAM CLULEY
I mean, this is a serious research paper. It's a PDF and everything. It's about 17 pages long.
CAROLE THERIAULT
It's got a university stamp.
GRAHAM CLULEY
Yeah, it's got a university sticker on it.

So what we need to do is we need to somehow protect against this problem because they also say that this is a problem which has become more serious because of the increased quality in webcams.

Everyone's been upgrading their webcam because they're stuck at home? Yes, Chris.
CAROLE THERIAULT
Why are people typing in their passwords in front of Zoom? Ah, I'll tell you.

Oh, because their screen's locked because they get so bored of listening to the call, they don't do anything?
GRAHAM CLULEY
Maybe, or maybe the call is so dull that you log into a personal pursuit website. Or maybe it's not the password you're after.

Maybe you're simply after a URL or a credit card number or who knows what.
CAROLE THERIAULT
Ah, so password managers are the answer, I guess.
GRAHAM CLULEY
Well, yeah, but I think your idea, Carole, of the shoulder pads is much better. Or you could dress up as an American footballer because they have big shoulders.
CAROLE THERIAULT
That's not really their shoulders, honey. That's actually shoulder pads. Is it? To protect them from injury and stuff. I have some other ideas.
GRAHAM CLULEY
So the software which they produced does a little bit of artificial intelligence, an analysis of the image to work out where your head is, and they make assumptions as to where your arms are compared to your head, right?

And where your shoulders are, because most people have them more or less in the same place.
CAROLE THERIAULT
Okay, so you're gonna dress as an— you're gonna get a papier-mâché giraffe head. Right.
GRAHAM CLULEY
Just to confuse them. I think you could do that, or you could have a fancy dress costume and dress up as an octopus.

Or if you were a fly, not actually a real fly, but if you had more than one arm, you could do that.
CAROLE THERIAULT
Another perhaps more viable solution is learning to type with your feet. Oh yeah. Oh no, that's a really good idea.
GRAHAM CLULEY
Right? And then you can have a USB keyboard.
CAROLE THERIAULT
Put that on the floor. Clicky, clicky, click, click. Right?
GRAHAM CLULEY
No problem. No problem at all.
CHRIS COCHRAN
How effective was this software?
CAROLE THERIAULT
Well— Good question, Chris. I like Chris.
GRAHAM CLULEY
They said they were able to work out some passwords from it. Now, it seems it was much better when people chose a particularly dumb password.

So, for instance, if they used a dictionary—
CAROLE THERIAULT
Bob was easy to tell.
GRAHAM CLULEY
The letter A repeated, AAAA. No, they said if it was a dictionary word.

So, what they do is they feed the software common passwords or common dictionary words, which they're looking for.

And that helps them begin to identify what the most likely word is if your hand and your shoulder indicate that you've gone left on the keyboard or up or whatever.

And so they're trying to make a guess. So they did have some success, but they also came up with some solutions. So having dreamt up this frankly ridiculous threat—
CAROLE THERIAULT
Do any of them compete with mine? The shoulder pads?
GRAHAM CLULEY
Carole, no, not really. They came up with ideas like pixelation. So what they should do is people are only really interested in your head on the Zoom call.

And so the rest of your body should be pixelated or blurred.
CAROLE THERIAULT
So, okay. Yes. So, you know, when you're on Zoom and you have those virtual backgrounds, right?

So instead of having your whole body, it would just be this tiny little sun-like thing of your face.
GRAHAM CLULEY
Or it could superimpose lots of other arms randomly onto the thing. Or maybe—
CHRIS COCHRAN
You're thinking too much. You're thinking way too much. All you need is some grease on the camera and you won't be able to see anything.
GRAHAM CLULEY
Or just a cover for the webcam. Just put up the webcam.
CAROLE THERIAULT
No, but I wonder if that's a good idea for all these people who have to do their exams at home. Just put a tiny bit of Vaseline on the camera, right?

And go, "Look, I don't know, I'm sorry. It's the best thing I can do." Or it's a bit steamy in here. You know, I was cooking. That's why some of it missed me.
GRAHAM CLULEY
I think you're gonna be in the shower again. Yes. Yeah, I'm in the shower. I just thought I'd do my exam from here, my Zoom call. Multitasking.
CAROLE THERIAULT
You could maybe have some fake arms, like if you had a shop dummy. Okay, you're obsessed with fake arms. It's the fifth time you've brought it up.
GRAHAM CLULEY
It's octopus arms, different arms. Okay, I've got another idea.
GRAHAM CLULEY
You know if you go to the seaside in Britain, and maybe in other places which probably have seascapes as well, you get those cutout things where you stick your head through and you have your photograph taken and it looks like you're somebody else, like a fat person on the beach or something, right?

If you had one of those, and if you went onto your Zoom call with one of those, you just stick.

You wouldn't be able to type anything, of course, 'cause your arms wouldn't be able to come through.
CAROLE THERIAULT
Or you could get, you know those things that they often have outside of car dealerships? Those kind of blow-up kind of columns that get with the air?

You could have two of them over each shoulder, right? With fans underneath. Just wiggle, wiggle, wiggle, wiggle.
GRAHAM CLULEY
Anyway, this is a whole new security threat. This, which has been uncovered by the University of Texas, as I said. Thank you, University of Texas.
CAROLE THERIAULT
And the University of Texas.
GRAHAM CLULEY
And whoever's funding this project. More than one university has been working on this. I think it was a jolly interesting paper.

I'm not sure it was that serious a threat, to be honest, but maybe in some extreme circumstances it might be.

I suppose maybe the best advice of all is just choose a really strong complex password and don't type it in while you're on a Zoom call or get a worse webcam.

Like, or Chris's idea of get some grease.
CAROLE THERIAULT
Have you identified any threat that actually uses this method for password collection? Not yet, Carole, not yet.
GRAHAM CLULEY
But now the research is out there.
CAROLE THERIAULT
Take heed, you say.
GRAHAM CLULEY
Now it's been published publicly. Who knows what threat actors are exploiting this? Hard to say, isn't it? Chris, I'm sorry.
CHRIS COCHRAN
This would be a hard one to pull off.

You'd have to say, "Hello, I made this meeting for no reason and you don't know me, but please type in your password now." And you'd be like, "Okay, sure." I don't think that's gonna work.
GRAHAM CLULEY
You don't think it's gonna work? Okay. You've just been a bit laid back about it. Some people might say you've just been a bit blasé.
CAROLE THERIAULT
Yeah. Some people might say you're a little QAnon-y for bringing this up. I don't know.
GRAHAM CLULEY
On which note, Chris, what's your story for us this week?
CHRIS COCHRAN
So there have been hackers for hire in the past and there's a new one on the streets. There's a new hacker for hire group tracked as CostaRicto.
CAROLE THERIAULT
Costa Rito?
CHRIS COCHRAN
Costa Rito. Oh, so okay, difficult name to spell.
GRAHAM CLULEY
Yeah, like Costa Rica, but with a toe on the end.
CHRIS COCHRAN
That seems to be the theme for most cybersecurity companies. They want to make things hard to pronounce, and that still might be wrong.

But yeah, BlackBerry Research, the reason they believe it's a mercenary group is because they are targeting all over the place, different countries, different industries.

And what's interesting from a threat intelligence perspective is that you're not gonna know or be able to predict where they're going next because they're hackers for hire, so they will go where the money takes them.
CAROLE THERIAULT
Oh, so you can't follow them as a pattern of them, they always go after, you know, single widows, for example, to get their cash or whatever, or these type of businesses.
CHRIS COCHRAN
Right, exactly. You just never know. They could go wherever the money takes them.
GRAHAM CLULEY
Okay. So this CostaRicto hacking group, are they hacking little old ladies or are they hacking sort of more serious organizations?
CHRIS COCHRAN
No, it seems like that they're hacking serious organizations.
CHRIS COCHRAN
They might be going after governments, things like that, because they believe that those are the types of folks that are hiring them.

So government entities, to give them a little bit of that separation between who is actually doing the operations.

And that's another thing that's interesting from an intelligence perspective, because you might think it's this team, but really it's X country.

So that really can muddy the waters in terms of attribution.
CAROLE THERIAULT
Yeah, obfuscate the route to who owns it, who's doing it. Make it all complicated so that no jurisdiction can actually take control of it and do some research.
GRAHAM CLULEY
And so if you were a bit of a rubbish country, I'm not going to name—
CAROLE THERIAULT
What, the UK? I'm sorry, you're not a rubbish country. I was just which one? Which is a shit country, Graham?
GRAHAM CLULEY
Well, hang on, let me just look up our stats.
CHRIS COCHRAN
And with one listener.
GRAHAM CLULEY
I think the Pitcairn Islands. So if you were the Pitcairn Islands, then, and you thought, oh man, you know, we're never getting any headlines for our state-sponsored hacking.

We haven't got much resource here on the island to do some hacking.

They would approach a group like CostaRicto and say, hey, can you do some hacking for us to find out what other islands in the Pacific might be up to? Or stealing information.
CAROLE THERIAULT
And what about how they hack? There's no kind of pattern, I guess. They just do whatever they want.
CHRIS COCHRAN
There is a little bit of a pattern because they use their own malware.

So you could go based off of that, but they don't know whether that malware came from this group or they hired another group to build it for them. So there's that.

There's some behavioral stuff that they can track, some tunneling stuff, but again, that could be anybody, so tracking them is going to be unique.
GRAHAM CLULEY
So I'm imagining, so countries who want to, or intelligence agencies who want to hire CostaRicto to do some dirty work for them, they presumably have to go to some murky area on the web and do a deal and negotiate in some way.

How does that intelligence agency know they're dealing with the real CostaRicto gang and not—here's an idea for anyone enterprising who's listening—and not some fake CostaRicto hacking gang who's gonna scam, because it'll all be cryptocurrency, won't it, who will scam the intelligence agency or the country into paying them to do something, and then they'll not do anything?
CHRIS COCHRAN
I don't know how they're going to do it. I don't know how they recruit. What kind of question is that? How do you get recruited for a hacking mercenary group?

Oh yeah, I'm retired, we need you to come back in, you know, that type of thing. Is it like that? You go and get the retired hackers?
CAROLE THERIAULT
Rudy Giuliani calls you up as the cybersecurity czar, right? Or the equivalent of any other country.
GRAHAM CLULEY
Are you suggesting, Carole, that the CostaRicto hacking gang are actually based at the Four Seasons Landscaping? Any excuse.

Anyway, so interesting question you've got there, Chris, which is how are they going to hire members of their team? Because it would be a bit like bringing in Stallone, wouldn't it?
CAROLE THERIAULT
Let's say I wanted to just, you know, crack down on you, Graham. Just crack down on you.
GRAHAM CLULEY
Right, because the attempt to steal my password via Zoom failed for some reason. I dressed up as an octopus.
CAROLE THERIAULT
Couldn't see through your shoulders what movements you were doing.
CHRIS COCHRAN
Your shirt was just too—way too many fake arms attached to his body.
GRAHAM CLULEY
I was typing with my toes again.
CAROLE THERIAULT
He was using an octopus, you know, virtual background. I couldn't tell.
GRAHAM CLULEY
So you'd have to try and hire CostaRicto girls. So what do I just go?
CAROLE THERIAULT
CostaRicto.com? Go yo, yo, yo, guys.
CHRIS COCHRAN
I don't think so, cause that's BlackBerry's name for them. So they probably have some other cool ominous name that no one knows.
GRAHAM CLULEY
Bob Smith. There you go. They haven't really thought this through at all, have they? I need a bit of help with this. Their marketing is crazy.

Maybe they should sponsor our podcast, Carole.
CAROLE THERIAULT
Hey.
GRAHAM CLULEY
Carole, what have you got for us this week?
CAROLE THERIAULT
Okay, parlay, parlay, parlay, guys. Have you heard of parlay?
CHRIS COCHRAN
So the only time I've heard parlay is in the Pirates of the Caribbean movie where you want to talk to the captain of the ship.
CAROLE THERIAULT
I love that expression so much. Let's parlay. Yeah, I love that. I say that to my husband when we're having a fight.

You know, a silent war, I'll go, "Look, we need to parlay." And he grabbed it from, I don't know, some TV show, but it was great.
GRAHAM CLULEY
I watch a show sometimes about art and forgeries, and they're always talking about the provenance. And I love a bit of provenance.
CAROLE THERIAULT
That has nothing to do with parlaying. No, but it begins with the letter P. Yeah, it does. And it's French. So that's well done.
CHRIS COCHRAN
Thank you. Good job, Graham.
CAROLE THERIAULT
He's so cool. Okay, so Parler, for those that don't know, is an American microblogging and social networking service, right? It launched about two years ago, so brand new-ish.

And recently they've seen a huge uptick in users, but they've also been getting some heat.

So I say, gentlemen, let's grab our trowels and let's do a little digging and see what's going on.

So if you go first to the Parler website or in their messaging, Parler is an unbiased social platform focused on open dialogue and user engagement.

We allow free speech and we do not censor ideas, political parties, or ideologies. We protect your privacy and we'll never sell your personal data. Log in, sign up, right?

So it started with this messaging and it was bubbling along slowly, but then it burst into the spotlight this past June.

And this is when Twitter had labeled 5 of the current president's tweets with warnings that perhaps the information was not based in 100% truth.

And Trump retaliated by signing an executive order that opened the door for an internet shield law to be considered. And then Facebook announced it would start labeling posts.

The Trump campaign even publicly declared that it might decamp from Facebook and Twitter and refocus its efforts through Parler.

Surprise, surprise, Parler got an upshot of users, possibly because the Trump campaign had given it some endorsement, but also because it markets itself as a free speech and unbiased alternative to Twitter and Facebook.

The go-to place for people who may have been banned from mainstream social networks as well.
GRAHAM CLULEY
People who've got something offensive to say, here is your home.

If you're worried about— if you've been thrown off another system, because I don't know, you've said something grossly and utterly horrible, don't worry, come here, because you can definitely do it here, right?

Is the basic message. Okay, so I think that's true.
CAROLE THERIAULT
But there's also a group of people which may have been marginally radicalised by the amount of power that these technology firms, Facebook, Twitter, have over being able to censor information, right?

I can understand there'd be a group of people that say, 'You know what, I don't think that's fair.

I want to go somewhere else.' And certainly Parler it's advertising itself as that, right?

And you've got, you know, Trump's endorsement of, you know, well, I might go if you don't do what I want.

Now, the chief executive and co-founder of the company is called John Matze, right?

And he said, quote, we initially attracted conservative users because they felt disenfranchised by other social media platforms.

And he is right, because conservative influencers such as Katie Hopkins, Lara Loomer, and Alex Jones have sought refuge on Parler after being banned from other platforms.
GRAHAM CLULEY
Yep, you're really selling it to me.
CAROLE THERIAULT
Yeah. The thing is, journalists have now done, you know, because they grew suddenly, they had a real uptick at this time.

So, you know, people started digging around, and journalists and users have been criticizing the service for its content policies that some are saying are more restrictive than the company portrays.

They're flying in the face of the free speech banner, right?

There's a number of rules they have, you know, we're not gonna have violence, we're not gonna have hate, we're not gonna have this, we're not gonna have that.

But he also added, building off the company's existing guidelines, when you disagree with someone, posting pictures of your fecal matter in the comments section will not be tolerated, said the CEO of Parler.

So that's the kind of thing they want to censor.
GRAHAM CLULEY
It's really specific. It's so weird.
CAROLE THERIAULT
However, by the CEO's own admission, they seem to have what they are calling a troll problem. And that has to do with a group of people that seem to hold a different ideology.

And this ideology clash is basically causing Parler to up its moderator game. And even the CEO misses lunch, right?

Too distracted by banning these trolls, quote unquote, that he calls them. He, Matze, this is CEO, says he knows the leftist trolls.

He knows their ages because some have verified their accounts, coughing up selfies and driver's licenses and passports.

And some are saying that's quite a high set of unusual requirements for proving identity and registering for an online account.
GRAHAM CLULEY
Well, this is the thing which I'd heard about it, which was, yes, to get a verified account, to get the equivalent of a tick, you have to scan in the front and back of your driving licence as well as a selfie.
CAROLE THERIAULT
And sometimes social insurance number I've read as well.
GRAHAM CLULEY
If it's being stored securely, then maybe that's all right.

But there has to be a bit of a worry about that because people want to feel comfortable saying what they're going to say without repercussions, and now the company will know who you really are.
CAROLE THERIAULT
Right? Let's assume that they're keeping their data super, super encrypted. No one can get to it just for the rest of the story.

And then at the end, I want to know whether you'd use Parler, right? Okay.

So in talking about these trolls, right, as Matze labeled them, and he's saying that some are making it unpleasant for the app's conservative users to post and interact with each other.

Quote, "They're trying to get people to have a bad experience and leave. We've got a big army of volunteers to help take care of this.

It's going to be handled within 48 hours." So there's this whole free speech question, right? Like you have free speech, but only if you do what we like you to do.

And free speech is a whole weird thing in the digital world anyway, because presumably spammers could be, you know, that's free speech, surely, to get your message out, right?

But yet we stop spam.
GRAHAM CLULEY
But if I create an app, right?

Which is, you know, and I invite people to join if they want to, can I not as the app owner decide who I want to come to my party and who doesn't come to my party?

Because that's how it would work at a dinner party, right?

If I find someone objectionable, if they say something or they behave in a way I don't like, then I'm allowed to say, well, actually, you can't come to my dinner party.
CAROLE THERIAULT
Sure, if you want to be a dictator and not a democratic app provider. Sure.
GRAHAM CLULEY
Well, you know, I just—
CAROLE THERIAULT
So you're gonna choose— so you're gonna be like that cake shop that says, oh, I'm sorry, you're gay, no, we're not making cakes for you?
GRAHAM CLULEY
Well, no, I don't want to be like that, but why is that different? All right, okay, interesting.
CAROLE THERIAULT
Anyway, a Wired journalist, Ariel, decided to open an account to see what would happen. So after she chooses a username, the app prompted her to follow a few of its star users.

Okay, the suggestions included the conservative political commentator Sean Hannity. Yes, Sean, who has called for an exodus from Twitter.

You have internet personalities Diamond and Silk who were throttled by Facebook in 2018 for sharing dangerous content.

And you also have conservative talk show host Mark Levin whose Facebook account was recently restricted for repeated sharing of false news, right?

So these are people that were actually put on her page saying follow these guys. 5 minutes later, she saw that she had a comment on her intro post. It came from Team Trump.

Quote, "Welcome to Parler. Help us make America great again by clicking the link below.

Be sure to text TRUMP to 88022." And she navigated to the Team Trump page and they had left this exact comment on many, many other Parler user accounts up to 1.6 million times.

So then she's asking, is that spam? Why aren't you controlling that? I didn't ask to receive this. They're obviously sending this crap everywhere.
GRAHAM CLULEY
You don't ask to receive promoted tweets, do you? So companies can pay a little bit of money to Twitter and then tweets begin to appear in your timeline. Isn't that comparable?

I mean, presumably Trump has done some kind of deal with the makers of this in order to promote their account.
CAROLE THERIAULT
Okay, good. I'll give you that one too. I'll give you that one too. Okay. So finally, let's see. So you're still, you're in, you're all in, you're all in.
GRAHAM CLULEY
I didn't just say I was all in, Carole.
CHRIS COCHRAN
I think he already has an account. He probably freaking does. He might already.
CAROLE THERIAULT
I swear to God. Okay. So the question when it started becoming really much more famous, right? And getting loads and loads of users.

It's like, I think it's got like 10 million users now or something like that. Wow. Who the heck is funding this? Right? Like the question I had for you earlier.

Now, Mike Masnick from TechDirt writes, there's no big VCs named or known investors behind the company. And it wasn't clear how it was surviving, right?

Because it wasn't making any obvious cash at this point. Anyway, so they dig around, they dig around, they dig around and they hit the motherlode. Okay.

This was, I think, the Wall Street Journal. And they revealed that Parler was being funded by the Mercer family.
GRAHAM CLULEY
Does that ring any bells to you? Aren't they big Trump supporters or something? Isn't that— or big Republicans?
CAROLE THERIAULT
Yes, they are quite Republican. Let me just tell you. So this is a Wikipedia page. Okay.

Robert Leroy Mercer is an American hedge fund manager, former principal investor of the now defunct Cambridge Analytica. Hmm.

Oh, Mercer played a key role in the campaign for Brexit by donating data analytics services to Nigel Farage.
GRAHAM CLULEY
Thanks a bunch for that one.
CAROLE THERIAULT
He is also a major funder of organizations supporting right-wing political causes in the US, such as Breitbart News, Donald Trump's 2016 campaign for president, and he's the principal benefactor of the Make America Number One Super PAC.
GRAHAM CLULEY
But Carole, there's nothing really wrong with this, is there?

I mean, if he's someone who has maybe right-wing views and he feels that there isn't a place for people with similar opinions to congregate and exchange chit-chat, then he's well within his rights to fund a site which produces an app which does that, isn't he?
CAROLE THERIAULT
Yeah, sure, sure, sure. I'll give you that one too.

Now, over this weekend, this last weekend, Rebekah Mercer, Robert Leroy Mercer's daughter, took it up a further notch by claiming that it's not just CEO John Matze that's running the show.

She was also the co-founder of the company. Here's the working theory from Tech Dirt.

Cambridge Analytica's entire claim to fame was collecting a shit ton of data on people by abusing the rules on an academic personality quiz, wasn't it? From Facebook.

Then they used that to target political messages.

This is why Facebook got hit by that huge FTC fine because it let Cambridge Analytica extract a bunch of data that it promised it wouldn't.
GRAHAM CLULEY
Are you spinning some conspiracy theory that maybe someone's trying to collect lots more data?
CAROLE THERIAULT
Former Cambridge Analytica data expert Christopher Wylie, who we've talked about on the show before, he was the kind of the brains behind the whole thing who then came clean and went, whoa, I hate what they're doing.

Do you remember? Yeah, yeah. He had pink hair. Yes.

Noted this weekend that the Mercers had always wanted their own social media network in order to cut the middleman out and collect the data directly. Right. How interesting. Right?

So you have some bona fide rich conservatives who have expressed publicly a wish to run their own social media platform, at least in front of Christopher Wylie.

And they really wanted to collect the data directly. And they had their thumbs right in Cambridge Analytica's. And presto, now they have Parler.

And they say obviously on their website that they don't share any data with anybody. But if you read their privacy policy, I need a jingle when I say privacy policy.

They say that, you know, your information can be used for marketing purposes and they also can remove any content that you put on.

So Graham, if you still decide to go on, just know that they can remove any content and terminate your access to the service at any time for any reason or no reason.
GRAHAM CLULEY
So, yes, that's the equivalent of me whipping away the plate with your beef Wellington, you see, if you've just been rude to the hostess of the dinner, I would take it away.

See, it's the same principle, Carole, same principle.
CAROLE THERIAULT
I think it's a bit worse than that, but I completely respect your opinion and I am not going to try and shut it down.
GRAHAM CLULEY
This episode of Smashing Security is sponsored by LastPass. Now everyone knows about LastPass's password manager for end users, but it's also a great solution for businesses.

In fact, tens of thousands of companies rely upon LastPass to protect themselves.

LastPass Enterprise simplifies password management for companies of all sizes and helps you secure your workforce. So, whatever the size of your business, go and check it out.

Go and visit lastpass.com/smashing to find out more. And thanks to LastPass for supporting the show. Smashing Security is sponsored this week by Recorded Future.

They empower organizations revealing unknown threats before they impact a business, helping teams respond to alerts 10 times faster.

Recorded Future does this by automatically collecting and analyzing intelligence from technical, open web, and darkweb sources.

Well, you too can access the up-to-the-minute security intelligence that allows Recorded Future clients to make fast, confident security decisions by installing their free browser extension, Recorded Future Express.

Go and grab it now at smashingsecurity.com/recordedfuture. That's smashingsecurity.com/recordedfuture.

And welcome back, and you join us at our favorite part of the show, the part of the show that we call Pick of the Week.
CHRIS COCHRAN
Pick of the Week. Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.

Better not be. Well, my Pick of the Week this week is not security-related. It is a useful tool which I use on all of my Apple Macs and my MacBooks as well.

It is a tool called Hazel, and it is effectively a digital housekeeper.

What it does is it monitors folders on your computer, and when it sees certain things happen in the folder, like a new file appear for instance, it will run a series of rules over it.

And so you can create a rule to automate files being moved or sorted or renamed and other functions as well.

And you can create quite complicated rules on each folder on your Mac to get to do the really menial tasks that frankly you consider beyond you, and that's why you've hired Hazel to help you do it instead.

So for instance, I've got rules which if I take a screenshot rather than cluttering up my desktop.

So lots of people on their desktop, they've just got hundreds and hundreds and hundreds of icons, right?
CAROLE THERIAULT
That's me.
GRAHAM CLULEY
Yeah, me too.
CAROLE THERIAULT
I would find that— Can I just interrupt for a second?
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Not only that, but when my desktop gets full, I create a folder called Desktop ABX and then I just throw everything in.

And then when I get too many folders, I throw them all into a folder called 123.
GRAHAM CLULEY
It's ridiculous. You are— okay, you need something like Hazel.
CAROLE THERIAULT
Me too. No, well, if you'll set it up for me completely, I'm listening. But otherwise, no, I have search.
GRAHAM CLULEY
I just, I rely on search. Okay, well, it would just fry my brain to work the way you are working.

So what it would do is it would take different kinds of files which it sees on, for instance, your desktop, and then it could file them away into subfolders automatically.

So you could file all the MP3 files, all the screenshots, all the I don't know, Word documents or whatever it is. And you can even get cleverer than that.

You could change their names to include the date, and you could put them into subfolders.

I've got a script or a rule running in my Hazel on my computer, so if I take a screenshot, maybe for an article I'm writing on my blog, it will automatically run an AppleScript which will then optimize it to reduce the size of the image because I don't want really big fat images, it will remove any EXIF metadata and then convert it to the correct file format that I want.

So if it was a GIF, for instance, it will change it into a JPEG or whatever it is.

Or Carole, if I dump a podcast, an MP3 file into a folder, it will share it with you or it'll put it into an archive and make sure that we have a backup of it.

So just all those menial sort of really sort of spring cleaning kind of activities. Tidy maintenance, it will do all for me.
CAROLE THERIAULT
So can you buy it for my husband for Christmas so that he could do it on my system? Yeah, sure.
GRAHAM CLULEY
It doesn't cost very much as far as I remember. They've just brought out version 5. It's a lovely tool. It's surprisingly powerful, really intuitive. Cool. And it's called Hazel.

It comes from a company called NoodleSoft. So what more reason than a company called NoodleSoft do you need? It is cute. To choose. Do you identify with Hazel? Do you identify?

For having a soft noodle. You know, at my age, it does happen sometimes. Chris, I'm sure you don't have that trouble.
CHRIS COCHRAN
What have you got as your pick of the week? What a segue. What a segue. That might be my favorite segue of all time. Is it my turn for pick of the week? It is. All right.

My pick of the week is a book called Make Noise by Eric Newsom. It was actually recommended by a friend of yours and a friend of mine, Jack Rhysider.

It's his favorite podcast book and it's now mine. I'm sure people ask you all the time, how do I get into podcasting? How do I make my podcast better?

And I think this book does it really, really well. There's a part in the book where you talk about your 10-word description.

So our old description for our podcast, Hacker Valley Studio, was exploring the human element of cybersecurity programs and technology. And so you write it out in this activity.

And then in the paragraph below, he basically said, I can't read what you just wrote, but it is way too vague. And I was like, well, how did he know?

So then I reworked it and I made it better. And so now we're exploring the human condition to inspire peak performance in cybersecurity.

And I've mentioned it to Jack and he loved it. And so I think that folks need to learn that, you know, podcasting isn't always easy and there is a science and an art to it.

So I would say that that is my pick of the week this week.
GRAHAM CLULEY
Sounds very interesting. So the book's called Make Noise by Eric Newsom. Mm-hmm. Fantastic. Yeah. Carole, what's your pick of the week?
CAROLE THERIAULT
My pick of the week got swapped at the very last minute.

So my other half was perusing the New York Times this morning and he told me about this 8-minute film and said, no one says anything, there's only one camera, watch it, it's going to be your pick of the week.

So I was like, yeah, yeah, yeah, sure. I watched it, it's my pick of the week. It's called C'était un rendez-vous, it's a French film from 1976.

Don't let that put you off, millennials or Gen Z, it's awesome.

So the premise is this: early one morning, the director of this little mini film, Claude Lelouch, got into his hairdresser's car, a Mercedes, and fastened the camera to his bumper.

And he just floored it down the broad Avenue Foch, right, Avenue Foch — I was waiting for you to laugh, Avenue Foch — okay, where he clocks 125 miles an hour.

He goes past the Louvre, past the opera, through red lights, around blind corners, even onto sidewalks, right?

And he goes to the height of Sacré-Cœur, and he scares people, he scares drivers, pigeons freak out, he careens, he's squealing around corners in the arrondissement.

But he has his reasons, and you only find out at the end if you watch it. Now, have you boys watched it? Okay, what did you guys think, am I overselling it?
GRAHAM CLULEY
It's an extraordinary piece of cinema because it is all in one shot. And he's driving like a complete maniac. You also think, why on earth is he doing this? How bloody dangerous.
CAROLE THERIAULT
Yeah, the whole time you're thinking you'd never get away with that now, right?

There's no — it's kind of a moment in history because there's just no way you could do it in any city now without getting caught.
GRAHAM CLULEY
I watched a video which was about the making. It sort of went behind the scenes of this, and they were telling stories.
CAROLE THERIAULT
Did you do this after you watched it? After I asked you to watch it?
GRAHAM CLULEY
After I watched it.
CAROLE THERIAULT
Okay, so you could sound smart.
GRAHAM CLULEY
Yes, exactly.

And there are some extraordinary tales — for instance, there are a couple of completely blind corners which look suicidal, or if not for him, he's going to cause some damage to someone else.

And I heard that he had an assistant on a radio who would have been able to tell him if there was danger.

There was one particular place where he was turning left, I think it was, down a tunnel, and it was completely blind, especially at the speed which he was going.
CAROLE THERIAULT
Well, I think Princess Di died in a tunnel in France, didn't she?
GRAHAM CLULEY
In Paris.

Unfortunately, his assistant's radio actually cut out, so if there had been a problem, he would have had no way of communicating with the driver, which when you watch the video, you will think this really is bonkers.

But it's very impressive.
CAROLE THERIAULT
It's spellbinding. What did you think, Chris?
CHRIS COCHRAN
Yeah, super spellbinding. And he blew through a lot of red lights, didn't he? Yeah, that was incredible because that could have been an issue really quickly.

But it's mesmerizing, almost like a meditation if you just sit there and watch it.
CAROLE THERIAULT
Yeah, I thought so too. It reminded me of the opening sequence of that movie Subway, another 1970s fantastic film, but there's that huge car chase at the beginning.
GRAHAM CLULEY
I haven't seen it.
CAROLE THERIAULT
It's good. Anyway, so my pick of the week is C'était un rendez-vous — an 8-minute, one-camera, one-shot film on the front of a car.

Trust me, it's worth it, links in the show notes.
GRAHAM CLULEY
Well, fantastic. And that just about wraps it up for this week. Chris, thank you so much for coming on the show.

I'm sure lots of our listeners would love to follow you online and find out more about the Hacker Valley Studio. What's the best way for folks to do that?
CHRIS COCHRAN
Thank you so much for having me on the show.

The best way for folks to get in touch with us is just go to hackervalley.com and you'll see all of our social right there and be able to subscribe to our podcast as well.
GRAHAM CLULEY
Terrific. And you can follow us on Twitter at Smashing Security, no G, Twitter allows to have a G, and also join the Smashing Security subreddit.

And don't forget, if you want to be sure never to miss another episode, subscribe in your favorite podcast app, such as Apple Podcasts, Spotify, or Overcast.
CAROLE THERIAULT
Huge thank you to you all, you humans and your pets, for listening to us each week. And for those of you trapped indoors, I hope this gives you a few extra giggles.

And of course, high five to this week's Smashing Security sponsors, Recorded Future and LastPass. And of course, our Patreon supporters.

These are the people whose support gives you this show for free.

Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
GRAHAM CLULEY
Until next time, cheerio, bye-bye, bye, see you.
CAROLE THERIAULT
Wouldn't want to be you. I used to say that all the time. All the time. Yeah, I can't think what else I used to say.
GRAHAM CLULEY
See you later at the gay day in the wild crocodile.
CHRIS COCHRAN
See, you don't want to be here.
GRAHAM CLULEY
I know, I remember, I remember.
CAROLE THERIAULT
You'd say "j'suis pas à vendre," which is basically Québécois French to mean "I'm not for sale." And you'd say that if someone was staring at you or looking at you funny.

You'd say, "I'm not for sale." Ridiculous.

Hosts:

Graham Cluley

Carole Theriault

Guest:

Chris Cochran – @chriscochrcyber

Show notes:

Sponsor: LastPass

LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.

But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.

Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.

Sponsor: Recorded Future

Recorded Future empowers your organization, revealing unknown threats before they impact your business, and helping your teams respond to alerts 10 times faster. How does it do this? By automatically collecting and analyzing intelligence from technical, open web, and dark web sources.

For up-to-the-minute security intelligence that can help you make fast and confident security decisions, install the free browser extension Recorded Future Express.

Get it now at smashingsecurity.com/recordedfuture

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
