Microsoft warns about a hacking gang that is far from cuddly, algorithms rather than managers are firing people, and our guest receives a surprising email from “Amazon”…
And you will NOT want to miss checking out a very special “Pick of the week”!
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by David Bisson.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
This is something then that's outside the normal realm of normal Amazon-type dildo stuff. Maybe you could find a used seller that's price gouging it, offering it for $1,000.
But David, I don't think you buy used dildos on Amazon. Or maybe you can, I'm not sure.
I did not look into that.
I wouldn't recommend it.
Well, pretty good condition. Few scrapes and bumps, but still works.
Often bought with antiseptic. I don't get it quite.
There's just some things you don't want to share, you know.
Smashing Security, episode 234: Cozy Bear, Dildo Scams, and Robo Hires and Fires with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, episode 234. My name is Graham Cluley.
Hello, hello, and welcome to Smashing Security, episode 234. My name is Graham Cluley.
And I'm Carole Theriault.
And we're joined this week by returning guest, a chap who hasn't been on the show for far too long. It's David Bisson. Hello, David.
Hey guys, how's it going?
Good. Am I right in remembering that the last time you came on, we tried to record in the worst storm ever?
Yes.
Sure did. And then, yeah, it cut out halfway before the end of the episode.
And I think we have it live, but we have you just having disappeared and we carried on.
Yeah.
We haven't done that with anybody else. So, you know, that gives you a unique quality, David.
I gotta say, I feel real special about that.
Come on up, it's funny.
Well, let's hope lightning doesn't strike twice, eh?
Boo!
Boo! So how's it going, David? What's going on in your life?
Just, you know, writing and doing all kinds of stuff, you know, always looking for new opportunities. So if anyone knows of any writing stuff, send it my way.
Okay.
Always looking.
Yeah, yeah. You and Graham worked together for a bit, right?
Yes, we did. We were very chummy those days.
In those days.
Graham, is he any good? Is he any good?
David's terrific.
Graham is one of the best people that I've actually had the experience of working for. That was a lot of fun. I miss it.
I can't say I share that feeling all the time.
Yikes.
Yikes.
All right, I guess this is 234, the last episode.
Moving on.
Thanks to this week's sponsor, 1Password. Its support helps us give you this show for free. So coming up on today's show, Graham, what do you got?
I'm going to be cozying up to some bears who aren't that cuddly.
Oh, okay. David, what about you?
I've got a story about dildos. Whoa!
And I have to follow with, should we care that robots are firing people? All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, allow me to get theatrical for a moment. What's Montague? It is nor hand, nor foot, nor arm, nor face, nor any other part. Belonging to a man.
Oh, be some other name. What's in a name? That which we call a rose by any other name would smell as sweet.
Oh, be some other name. What's in a name? That which we call a rose by any other name would smell as sweet.
Is this Macbeth?
No, Romeo and Juliet.
Oh, is it Juliet?
Oh, that's my impression of Juliet.
I should know that from Montague, actually. You're right.
That's pretty good, I gotta say.
Thank you very much.
The dramatic pauses and everything. You seem like you've read that before.
Well, you see, in my day—
I thought he was having trouble with the three-syllable words.
The female parts were taken by men back then, you see, so I didn't think is that out of character for me to do it?
Yeah, times haven't changed. You're right.
They haven't really. The reason why I bring this up is it's all about names. 'Cause I don't know about you, but I find it somewhat confusing, the naming of hacking groups.
Yeah.
And how every security company seems to call hacking groups by different names. I'm trying to keep track.
Oh, they should be all called the same name.
Well, wouldn't that be handy? If we all knew they were talking about the same one?
Hacker 234.
And is that just a branding thing for the company? Is that just saying, oh, look at what we've done?
I think sometimes it is, because sometimes I feel like the headline goes to the one with the grooviest name.
So what I thought I would do is I would talk about a hacking group called Cozy Bear, and I am going to give you some other names used by other security companies for Cozy Bear, right?
You can tell me if this is really a name used by another security company for Cozy Bear, or one that I've added. Okay?
So what I thought I would do is I would talk about a hacking group called Cozy Bear, and I am going to give you some other names used by other security companies for Cozy Bear, right?
You can tell me if this is really a name used by another security company for Cozy Bear, or one that I've added. Okay?
I'm not sure I'm following you at all. Are you saying that different companies are referring to this hacking group by different names?
Correct.
And they are doing this because—
Because... who knows why, but they are. Maybe for convenience, maybe for marketing. Maybe just because shits and giggles. I'm not sure.
Are these security companies that are doing it?
Yes, they're doing this 'cause they can't agree on the name.
Wouldn't that be fun if every journalist gave it a different name? It's Schmuggledorf.
And what then happens is that the journalists they will say Cozy Bear, brackets, also known as blah blah, or blah blah, or sometimes blah blah blah blah blah.
And you end up listing umpteen names. Partly for the search engine optimization. Alright, so this is what we're going to do, guys.
And you end up listing umpteen names. Partly for the search engine optimization. Alright, so this is what we're going to do, guys.
I'm going to read you an alternative name for Cozy Bear. And you have to tell me if it is an alternative name for Cozy Bear or one that I've made up. Alright?
Gosh, okay.
Every time it's a bloody quiz.
Carole, I'm going to start with you. Dark Halo. Is that a name for—
Yes.
Yes, absolutely correct. David, Cozy Duke. Is that a name for Cozy Bear? Cozy Duke?
Yes.
Absolutely correct.
Okay.
Carole, Daisy Duke.
Yes.
Daisy Duke, is that a—
Yes. No, what? Yes.
No, I'm afraid it's a character from The Dukes of Hazzard. David, the Dukes, the Dukes. Is that another name for Cozy Bear?
I'm gonna say no.
Do you wanna have a second guess? Yes? Absolutely right. Carole?
Yes.
Grizzly Steppe. Grizzly Steppe.
Yes.
Absolutely correct. David, Office Monkeys. Office Monkeys.
You know, I wanna say yes, but I'm gonna go no.
I'm afraid it is another name for Cozy Bear. It is, man. David?
Carole, Stellar Particle.
I don't wanna play anymore.
We're very nearly finished. Stellar Particle.
No.
I'm afraid it is a name for Cozy Bear.
Good.
David, Stella McCartney. Stella McCartney.
Is that another one?
No.
Absolutely correct.
Carole, APT24. APT24.
Well, you wrote 29 in your document, so—
Behind the scenes, folks.
I'm trying to catch you out. APT29 is absolutely correct. And David, nobelium. Nobelium.
Ugh, that's— yes.
You're absolutely right. It's not just a— what is it? It's an element, isn't nobelium? I think it's named after Nobel, but is another name for Cozy Bear.
Now, Cozy Bear, all of those crazy names, that's who we're talking about today, right?
Not Daisy Duke, we're talking about Cozy Bear by one of those previous names, not Stella McCartney. Cozy Bear is one of the most notorious hacking gangs in the world.
They are known for compromising organizations, political think tanks, and governments since at least 2010. They've stolen data from Germany, Uzbekistan, South Korea.
They've attacked the Netherlands, the United States. They were the gang who were accused of the hack of the US Democratic Party a few years ago.
Now, Cozy Bear, all of those crazy names, that's who we're talking about today, right?
Not Daisy Duke, we're talking about Cozy Bear by one of those previous names, not Stella McCartney. Cozy Bear is one of the most notorious hacking gangs in the world.
They are known for compromising organizations, political think tanks, and governments since at least 2010. They've stolen data from Germany, Uzbekistan, South Korea.
They've attacked the Netherlands, the United States. They were the gang who were accused of the hack of the US Democratic Party a few years ago.
Oh yes, where they lost millions, millions, millions, millions. Yeah, yeah, yeah.
And the UK's own NCSC, National Computer Security Centre.
My buddies.
They have accused Cozy Bear of trying to steal research into coronavirus vaccines. From Britain, the United States, Canada. So, you know, they're quite, you know, you think—
Not that cozy.
You don't want to cozy up to them. Why are they— where is this gang based? Where do they come from?
And the clue, the clue is in the name Cozy Bear, because one of the things security companies do is they try to group hacking groups which come from the same part of the world with similar names.
So if it's a Chinese hacking group, they will often call it something dragon or influential panda or something like that. And if it's Russian, then it's the bears. That works.
So if you see a hacking group with bear in the name. In the UK, we just call them GCHQ. And that's how you work out what the name of the hacking group is.
So Cozy Bear is a Russian hacking gang, and its work appears— this is the curious thing— it appears to support the aims of the Russian regime and the people in charge in Moscow and those of its allies as well.
So it's strongly believed to be tied up with the folks at the Russian intelligence agencies. Would I go so far as to say working for the Russian intelligence agencies?
And the clue, the clue is in the name Cozy Bear, because one of the things security companies do is they try to group hacking groups which come from the same part of the world with similar names.
So if it's a Chinese hacking group, they will often call it something dragon or influential panda or something like that. And if it's Russian, then it's the bears. That works.
So if you see a hacking group with bear in the name. In the UK, we just call them GCHQ. And that's how you work out what the name of the hacking group is.
So Cozy Bear is a Russian hacking gang, and its work appears— this is the curious thing— it appears to support the aims of the Russian regime and the people in charge in Moscow and those of its allies as well.
So it's strongly believed to be tied up with the folks at the Russian intelligence agencies. Would I go so far as to say working for the Russian intelligence agencies?
No, no, you would not.
Yes, I probably would. I probably would. I probably would. Yeah, yeah, I probably would.
Note, I didn't do that. I said nothing.
Carole didn't, but I think probably.
And there's good reason for that, because a few years ago it was revealed that the Dutch security and intelligence services, they actually hacked into the computer systems of the Cozy Bear hacking gang.
And there's good reason for that, because a few years ago it was revealed that the Dutch security and intelligence services, they actually hacked into the computer systems of the Cozy Bear hacking gang.
Oh yeah, yeah, yeah.
Do you remember this?
Yes, didn't you cover it?
I think we might have mentioned it. I mean, we've been doing this podcast for so long.
Anyway, so they spied, they spied on the hackers there for at least a year, and they even managed to catch the hackers on CCTV cameras going about their work, going to get a coffee, going along the corridor, because they were in these offices.
And I think they sort of got hold of CCTV cameras outside the office so they could see when people were checking in.
Anyway, so they spied, they spied on the hackers there for at least a year, and they even managed to catch the hackers on CCTV cameras going about their work, going to get a coffee, going along the corridor, because they were in these offices.
And I think they sort of got hold of CCTV cameras outside the office so they could see when people were checking in.
Going for a smoke and stuff.
Right. And the time of day, and they'd begin to assess—
Picking their nose.
All these kinds of things. So quite extraordinary. And it's widely understood that the Dutch intelligence services, they helped America oust Crazy Bear. Sorry, not Crazy Bear.
That's the name of a pub near where I live.
That's the name of a pub near where I live.
You hit that pub a little early today, huh, Graham?
The Crazy Bear is— Have you been to the Crazy Bear, haven't you, Carole?
Of course, yes.
They've got a double-decker bus park.
It's for swank people.
It is a bit swanky, isn't it? Yeah. It's a little bit over-swanky.
Too swanky for me.
Yeah, yeah, yeah. Anyway, they managed to oust Cozy Bear. I don't know if the Crazy Bear pub is run by Russian hackers or not.
Doubt it, baby.
Yeah, I wouldn't go so far as to say that. That would be dangerous.
But anyway, the Dutch spies managed to help America oust these Cozy Bear hackers from computers at the US State Department back in 2014.
And according to reports, the US spies were so grateful for this that they sent their Dutch colleagues cake, cookies, flowers, which is—
But anyway, the Dutch spies managed to help America oust these Cozy Bear hackers from computers at the US State Department back in 2014.
And according to reports, the US spies were so grateful for this that they sent their Dutch colleagues cake, cookies, flowers, which is—
What? So the US were, oh, thanks so much. Here's some cake.
Yeah, exactly. Imagine sending cookies to Dutch people. You know, they're going to be disappointed, aren't they, when they nibble on them?
Seriously?
Sending flowers to Dutch people. It's tulips to Amsterdam, isn't it? It's not really.
It's sending a Canadian maple syrup.
Yeah, it didn't really make sense, did it, for them to do that? But anyway, anyway.
So you're wondering, what is the latest with Cozy Bear, also known as Nobelium, which is the name which Microsoft gave them?
Well, they have been fingered for the SolarWinds hack that targeted governments and other agencies earlier this year.
We spoke about that in episode 214 with Professor Alan Woodward. Let's not go into that again. But most recently, news has reached us from the chaps and chapesses at Microsoft.
And Microsoft says that it has been tracking new activity by the Nobelium or Cozy Bear gang.
They say IT companies and government departments, mostly in the US and UK, are being targeted. But in all, something like 36 different countries.
And according to Microsoft, most of these attacks have been unsuccessful, but— excuse me.
So you're wondering, what is the latest with Cozy Bear, also known as Nobelium, which is the name which Microsoft gave them?
Well, they have been fingered for the SolarWinds hack that targeted governments and other agencies earlier this year.
We spoke about that in episode 214 with Professor Alan Woodward. Let's not go into that again. But most recently, news has reached us from the chaps and chapesses at Microsoft.
And Microsoft says that it has been tracking new activity by the Nobelium or Cozy Bear gang.
They say IT companies and government departments, mostly in the US and UK, are being targeted. But in all, something like 36 different countries.
And according to Microsoft, most of these attacks have been unsuccessful, but— excuse me.
Oh, they got you already. Biohack.
For most—
They COVID your ass.
According to Microsoft, most of the attacks have been unsuccessful.
They've taken the form of password spray and brute force attacks, but Microsoft says they are aware of, quote, "three compromised entities." Entities. Yes.
Now, this is where it gets interesting, right?
Because I'm reading, I'm reading this Microsoft blog post, blah, blah, Nobelium, blah, blah, hackers, password spraying, brute force, yadda, yadda, yadda.
I was about two-thirds of the way through the blog post before I came to something juicy, because there, nestled all amongst all the yadda, yadda, you know, meh, meh, meh, and all this, was this tiny little detail from Microsoft, right?
Two-thirds of the way down.
They've taken the form of password spray and brute force attacks, but Microsoft says they are aware of, quote, "three compromised entities." Entities. Yes.
Now, this is where it gets interesting, right?
Because I'm reading, I'm reading this Microsoft blog post, blah, blah, Nobelium, blah, blah, hackers, password spraying, brute force, yadda, yadda, yadda.
I was about two-thirds of the way through the blog post before I came to something juicy, because there, nestled all amongst all the yadda, yadda, you know, meh, meh, meh, and all this, was this tiny little detail from Microsoft, right?
Two-thirds of the way down.
Was it written in superscript?
No, no, no. It was written in white text on a white background. You have to select it with your mouse. No, it's not quite that. Not quite that.
But they said, they said, well, during our investigation, they said, we found evidence that data stealing malware had been found on one of our own computers.
But they said, they said, well, during our investigation, they said, we found evidence that data stealing malware had been found on one of our own computers.
Is that one of the entities? It's, we're aware that we've been one of those entities.
Yeah. So could you say a bit quicker, please? Could you say a bit quicker? Doxing malware was found on one of our computers.
So what Microsoft said was, oh yeah, we found some malware on the computer of one of our customer support staff, which was stealing data, basic account information on a small number of our customers.
In other words, the headline should have been, 'Holy fuck, we screwed up again.' I mean, way to bury the lead. If you've been hit, it's possible—
So what Microsoft said was, oh yeah, we found some malware on the computer of one of our customer support staff, which was stealing data, basic account information on a small number of our customers.
In other words, the headline should have been, 'Holy fuck, we screwed up again.' I mean, way to bury the lead. If you've been hit, it's possible—
Like the story you're telling—
It's possible because we got hacked. So Microsoft, they say that the— by the way, I hate the way hackers are sometimes called actors.
You know, they call them bad actors, don't they?
You know, they call them bad actors, don't they?
Oh, I don't have any problem with that.
I don't really like that. I find it confusing.
Oh, well, I understand, honey. It's maybe a word that the kids use.
I just always think of Nicolas Cage or something. And I just think of—
Oh, whoa, whoa, whoa.
Hang on, hang on. Nicolas Cage fan club on the line right now.
The Rock is a cinematic masterpiece. I mean, Nic Cage, Sean Connery, one of the best movies ever. Face/Off? Come on.
Oh my God. I think I walked out in Face/Off.
Off.
Oh, but it's so good because it's so over the top. That fight scene at the end, it's 15 minutes long. There are doves, there are boats exploding. I mean, spoiler, but you know.
That's the one where Nicolas Cage and John Travolta swap places or something. Literally. In order to pretend to be the other person, or?
It would be very useful now in this land of deepfakes and streaming. You know? Hey Graham, let's swap faces. I just want to go to Sainsbury's, not be noticed.
Oh my gosh.
So Microsoft, or maybe it wasn't Microsoft, right? Maybe it was Oracle. Maybe Oracle swapped faces with Microsoft and maybe this isn't a blog post. Who knows?
Who knows what we can trust anymore?
Who knows what we can trust anymore?
Maybe it was a typo.
Maybe.
Microsnot, they said. Never heard that funny sentence. They say that the bad actor used the information to launch highly targeted attacks against some of their customers.
And they said, we responded quickly and we've been in contact with those customers to explain what happened. Can you imagine that call where they ring up?
And they said, we responded quickly and we've been in contact with those customers to explain what happened. Can you imagine that call where they ring up?
I'm sure companies do it all the time.
Yeah.
Hello? Yes, this is the— what should we be? Should we be the Dutch government? Yes, Dutch government here. Oh, hello, it's Microsoft.
Why are we Sean Connery? You started.
Don't, I just, I just, yeah, I've given up. I don't even know anymore.
Kind of embarrassing, isn't it?
What, you?
Anyway, finally, Microsoft goes on to tell everyone about the importance of best practice safety precautions to keep the bad guys out of your network, which is certainly good advice coming from them.
So no complaints there. So well done, Microsoft, for that. But yeah, way to hide the story, I thought. Yeah.
So no complaints there. So well done, Microsoft, for that. But yeah, way to hide the story, I thought. Yeah.
Which—
No offense, Graham, but you kind of buried the lead two-thirds down your story on this show reporting this. You did exactly the same thing. So pot kettle, dude.
Don't know what else to say, but—
Don't know what else to say, but—
I'd say thank you for that input, Carole, and I'll send you some flowers, cake, and cookies to make up for it. David, what have you got for us this week?
I have something that affected me personally that happened to me a few weeks ago. So I get the spam email talking about a shipping confirmation.
It looks like something that you would get from Amazon.
It looks like something that you would get from Amazon.
Okay.
And I look down and it looks like it's for a dildo. So I was like, okay, well, that's interesting. I look at it, comes with this picture, and just straight away.
Could you describe it for us, David?
Well, yeah, okay. So, I mean, it has various shapes. And there's a remote controller involved, so I—
If you can't reach?
I guess for vibration.
It looks painfully purple to me. It's very purple.
I don't think you need to look at it whilst it's in use. Very purple.
But the interesting thing is that the way that it's marketed in the image it looks like it's sort of superimposed on top of a sanitary napkin.
But the interesting thing is that the way that it's marketed in the image it looks like it's sort of superimposed on top of a sanitary napkin.
Oh yeah.
Which is really weird. Is that part of the design or are they showing where it's supposed to go?
Yeah, it looks like a cartoon character.
The sanitary napkin?
No, the whole thing.
It does. It looks a bit like—
It has ears and eyes.
I'm not going to name it.
And then a big nose.
One of you can name it. I'm not naming that character.
I don't know if the connotation is right. It looks a bit to me like Droopy. But you don't really want a droopy dildo, do you?
It's not that big a nose.
What's his name, Droopy? The dog?
Are you talking about Dumbo?
No, Droopy.
Now that's the name for a dildo.
Yes!
TM it, TM it, Dave.
I really hoped we'd raise the tone this week.
Oh, really?
David, according to this email you've received, you've paid £790 and $100 for this. And yeah, you've also agreed to pay $100 worth of shipping. How heavy is this thing?
I mean, I don't think it goes by weight.
I'm really hoping that I can incorporate it into my workout routine, maybe do some shoulder presses or something with this thing.
And that's really—the cost was really the thing that got me. I was like, really? Wait a second.
And that's really—the cost was really the thing that got me. I was like, really? Wait a second.
That's like a month's rent.
It's like, hold on, sanitary napkin. We got to look into this price thing.
So your advice to people is to sign up for Amazon Prime, I imagine, because you'd save an awful lot on the shipping if you did that.
Why $100? That is insane for you to spend.
You're the one who ordered it, David. I don't know why you brought it to our podcast. I mean, it's just—
You know, I mean, Prime Day, man, comes around. It's like, ooh, got to jump on it. So yeah, I looked at the price and I said, okay, I want to know more about this dildo.
So first I want to know, is this even a thing that I could buy on Amazon? So I said, let me go into Amazon, let me search dildos.
So first I want to know, is this even a thing that I could buy on Amazon? So I said, let me go into Amazon, let me search dildos.
And what, you've entered that into Amazon?
I was logged out in an incognito window, so it has not affected my search results.
Oh, okay. Yeah, I was expecting you're going to get so many recommendations if you do that.
Okay. Nope, nope.
Sensible.
So I searched it, I filtered it by high price first, and the most expensive dildos were about like $150.
So it's like, okay, this is something then that's outside the normal realm of normal Amazon-type dildo stuff.
Like maybe you could find a used seller that's price gouging it, offering it for like $1,000.
So it's like, okay, this is something then that's outside the normal realm of normal Amazon-type dildo stuff.
Like maybe you could find a used seller that's price gouging it, offering it for like $1,000.
But David, I don't think you buy used dildos on Amazon. Or maybe you can, I'm not sure.
I did not look into that.
I wouldn't recommend it.
Well, pretty good condition. A few scrapes and bumps, but still works.
Often bought with antiseptic wipes.
There's just some things you don't want to share, you know?
Yep. So, okay, when I found that out, it's like, okay, so I can't buy this on Amazon. So let's actually look up the name of the company. It's referenced in the email.
So I tried searching the model of the dildo. And while I couldn't find the exact model, I did find something similar. I ended up on this bulk purchasing website.
I'm not going to say which one. And I found that I could basically buy — I think I could buy about 100 of them for about $16, $18 per unit.
So, oh, a far cry from $890 for just one, you know.
So I tried searching the model of the dildo. And while I couldn't find the exact model, I did find something similar. I ended up on this bulk purchasing website.
I'm not going to say which one. And I found that I could basically buy — I think I could buy about 100 of them for about $16, $18 per unit.
So, oh, a far cry from $890 for just one, you know.
It's a healthy markup. It's a healthy markup, to say the least.
So I said, okay, well then there's kind of a model. Let's get back to the email. Let's see what I can find out more about it. So I said let's look at the customer support number.
I mean, that's sort of the main crux about the email. It's saying, if you haven't placed this order, call this number. So it's like, okay, what can I learn about this number?
And as it turned out, you know, I just Googled it.
I came up with several different reports about scams, including one regarding a fake amazon.com order from someone named Mark Angel.
So, you know, it's like, okay, well, let's look at the sender address for this email, see if anything comes up. Yeah, sure enough, it comes from someone named Mark Angel.
It's — I'm not going to give the full email address, but it's a kind of sketchy domain name.
And I looked up that email address and there were also various spam reports using that same email address. So, you know, I didn't call the customer support number.
I know lots of other people do that and have fun.
I mean, that's sort of the main crux about the email. It's saying, if you haven't placed this order, call this number. So it's like, okay, what can I learn about this number?
And as it turned out, you know, I just Googled it.
I came up with several different reports about scams, including one regarding a fake amazon.com order from someone named Mark Angel.
So, you know, it's like, okay, well, let's look at the sender address for this email, see if anything comes up. Yeah, sure enough, it comes from someone named Mark Angel.
It's — I'm not going to give the full email address, but it's a kind of sketchy domain name.
And I looked up that email address and there were also various spam reports using that same email address. So, you know, I didn't call the customer support number.
I know lots of other people do that and have fun.
Yeah, I got enough for a story here. Yeah.
Yeah.
You've got better ways to have fun than ringing them up, right?
Yeah.
You want to play around with your new toys.
Exactly. It's already on all these bulk websites. It's like, ah, you know, I've had my fun. So I mean, this came out before — I got this email before Prime Day.
So I'm guessing it was probably part of a campaign to try and say, oh, you know, call these probably tech support scammers or something like that.
Maybe someone posing as an Amazon representative to try and steal your account credentials or maybe your financial information and all that stuff.
But just as a last interesting thing. I said, is there a dildo out there that's worth $890? So I went to the interwebs to try and find out.
And as it turns out, not only can you spend that much money on a dildo, you can spend much more.
I found one, the crème of the crème of dildos, to use a phrase, you can buy for $1.3 million.
So I'm guessing it was probably part of a campaign to try and say, oh, you know, call these probably tech support scammers or something like that.
Maybe someone posing as an Amazon representative to try and steal your account credentials or maybe your financial information and all that stuff.
But just as a last interesting thing. I said, is there a dildo out there that's worth $890? So I went to the interwebs to try and find out.
And as it turns out, not only can you spend that much money on a dildo, you can spend much more.
I found one, the crème of the crème of dildos, to use a phrase, you can buy for $1.3 million.
Shut up.
Oh, for goodness sake.
It's diamond studded. Ow. Ow.
That sounds uncomfortable.
And it's just, you know, finding that type of thing, you know, I just couldn't sit back and just wonder, what would my life look like if I could spend $1.3 million on a dildo?
Well, if you shoved it up your butt, you'd probably have a ripped butthole.
Well, if you shoved it up your butt, you'd probably have a ripped butthole.
That's what would happen.
Oh.
We can bleep that out.
But diamond encrusted.
Yeah, I know. I mean, that's fancy living.
That is fancy living. Kim Kardashian, get in touch. We want to know.
So you've never— so you still haven't received this. Is that why you're complaining? Is that the scam?
They charged you but not sent it through.
You really wanted electric blue.
This is, you know, purple-ish.
Just putting you off. You know, you got to wonder whether this works, right?
Because if they're sending something to you, this is obviously a fake invoice, but it's basically, it's a dildo. And then they want you to call to complain.
But you've got to complain about receiving this thing for a dildo. And maybe that works. Maybe that kind of sends a message.
Because if they're sending something to you, this is obviously a fake invoice, but it's basically, it's a dildo. And then they want you to call to complain.
But you've got to complain about receiving this thing for a dildo. And maybe that works. Maybe that kind of sends a message.
Oh no, I think it does, because you ring up and say, there is no way I would have ordered something this, at least not for $790.
Exactly. If it was a shipping confirmation thing for, oh, I ordered some cat food for $60. It's, ah, probably not.
But 600 rolls of toilet paper or something that.
I guess the person on the other end of the line, they say, oh, you know, let me sort this out for you. I'm Amazon customer support. All I need is your password or all I need is—
Yes.
This is a delicate matter. Let me just handle it for you.
It's, oh, we'll refund it. Just give us your payment account number.
Yeah. So the advice is don't call the number, folks.
Don't.
I guess log into the real Amazon and you can see there if you've ordered something or not. Yeah.
Yeah. That also helps in, you know, just in general, maybe consider getting dildos elsewhere.
Yeah.
So.
And now to our sponsors. Oh no.
No, thank God you have me as a buffer first.
Oh yes.
Carole Theriault. Yes, Graham.
What have you got for us this week?
Well, Graham, we've done hundreds and hundreds and hundreds of these shows, have we not? I've paid my dues, right? You've paid your dues.
Definitely.
And we've proven to be reliable, right? We get a quality show out every week.
Yeah, well, they say.
Now, imagine if today you showed up 10 minutes late to our recording. Let's say you got tangled up in your curtains or something.
Okay, yes. I thought you were going to say caught short on the loo. Yeah.
Right? And then you finally connect with David and I, right? And you're, hi, hi, hi, hi.
Yeah.
What would you say? You'd go, sorry, curtain trouble.
Yeah, exactly. I'd say, yeah.
And we're supposed to know what that means.
Yeah.
Yeah. I locked myself in the loo or something that. Couldn't get out. Yeah. Something that.
Yeah. And then what would you expect us to say? Go, oh, no problem.
Yeah.
Fine. Glad you're here.
Yeah. Glad you're not dead.
What if I labeled you instead of being at risk of losing your job on the Smashing Security show? Whoa.
Oh, Graham Cluley.
Right?
I thought we were buds.
Well, let me introduce you to Amazon Flex.
So this is a delivery service that has been in the news this week thanks to a Bloomberg reportage that basically says that Amazon Flex uses imperfect algorithms to fire its employees.
And there's little to no recourse. Now, before I kick off, I know this is not a brand new topic, right?
People have been writing about algorithmic hiring and firing, I don't know, almost a decade, I bet. But this is 10 years on. And David, you're a millennial, if I'm correct.
I think I'm allowed to say that.
So this is a delivery service that has been in the news this week thanks to a Bloomberg reportage that basically says that Amazon Flex uses imperfect algorithms to fire its employees.
And there's little to no recourse. Now, before I kick off, I know this is not a brand new topic, right?
People have been writing about algorithmic hiring and firing, I don't know, almost a decade, I bet. But this is 10 years on. And David, you're a millennial, if I'm correct.
I think I'm allowed to say that.
Yeah.
And Graham, you're practically a grandpa. So, but you both have been, you've both hustled in your time, right? You've both hustled. You've both, you know.
What does that mean, hustle?
Yeah, I don't know.
You've worked, you've worked, you've worked, right? You've gone out and, you know, got jobs and done your jobs and then got paid for those jobs.
Oh, okay.
Right? In a kind of gig economy. And I'd be interested to know what your thoughts are on this. If this is the future of work, are you glad, Graham, you're checking out soon?
Or are you looking forward to a day that basically— She knows something about me I don't know.
Or are you looking forward to a day that basically— She knows something about me I don't know.
I'm gonna be checking out soon.
Graham, can we stay on the topic? It's my story time.
The great podcast in the sky.
Okay, so Amazon Flex, this delivery service started in 2015 and its strapline is adjust your work, not your life. Do it your way, drive your car, listen to your music and get paid.
And so the big sales pitch around here is that you can work when you want to in your own car, et cetera, et cetera.
And so the big sales pitch around here is that you can work when you want to in your own car, et cetera, et cetera.
Oh, I think I've got a mate who does this.
Oh yeah?
Because the other day I had an Amazon delivery and he came to the door and he handed over the thing and all the rest of it and I said thank you very much and he went off.
And then 30 seconds later he knocked on the door and he went, Graham Cluley.
And then 30 seconds later he knocked on the door and he went, Graham Cluley.
Oh yeah, I remember you telling me. Yeah, yeah, tell me.
And it was some guy who I used to know 20 or 30 years ago.
Oh wow.
I haven't seen him since.
You did not remember his name?
No, I did remember his name. Oh wow. Steve. I knew his surname as well, but I won't say it here. But yeah, it was Steve and so we had a little chat.
Jeez.
And I don't even live where I used to— where he used to live and where I used to live ages ago. So it was a bit of a surprise. But this is what he does.
He drives his car and he does Amazon deliveries.
He drives his car and he does Amazon deliveries.
Okay. Well, did he meet this criteria? Because this is the criteria you need to meet to work as an Amazon Flex worker.
You need a car, and it needs to be a 4-door midsize car or larger. No motorbikes, no scooters, no 2 doors. You need to be at least 18.
They'll do a background and criminal record check on you potentially.
And you need to have Business Class 3 insurance, which I looked up in the UK is about, looks like the average is £550.
So I would not be surprised if people were paying about a grand a year for that. And you need to have an Android phone or an iOS phone.
And you will maybe make between £13 and £15 an hour, or in the States, $18 to $25 an hour.
And the reason there's this spread of money is whether you get tips or not, you might make more, right? If someone tips. Do people tip Amazon drivers? Do you tip?
You need a car, and it needs to be a 4-door midsize car or larger. No motorbikes, no scooters, no 2 doors. You need to be at least 18.
They'll do a background and criminal record check on you potentially.
And you need to have Business Class 3 insurance, which I looked up in the UK is about, looks like the average is £550.
So I would not be surprised if people were paying about a grand a year for that. And you need to have an Android phone or an iOS phone.
And you will maybe make between £13 and £15 an hour, or in the States, $18 to $25 an hour.
And the reason there's this spread of money is whether you get tips or not, you might make more, right? If someone tips. Do people tip Amazon drivers? Do you tip?
No, I've never, I've never even thought of it.
People do. People do.
Do they?
Yeah. Wow.
But what's the criterion that you use?
I know, because you don't know what you're getting half the time, right?
You don't know how long it's taken. I mean, I don't know.
I don't know. We should maybe just offer cookies.
Cookies and cake and flowers.
Quite often I receive parcels which are actually intended for my neighbor, and so I have to complete the last bit of the delivery on behalf of the Amazon driver who appears to be too—
Yeah, you don't want to be out 10 quid.
Has your neighbor tipped you thinking that you're the Amazon driver?
I'm wondering if I can make money from Amazon Flex for doing the final part of the—
Just get an Amazon hat and just walk over. It's "here you go."
Okay, now something else you need to note is they have no trouble finding contractors. That's what they call them. These are not employees, they're contractors, right?
So globally, 4 million drivers have downloaded the app. So who knows if they're all on the roads, but they're active on the app, including about 3 million in the States.
This is according to App Annie. Okay, so let's say you wanted to be one of these drivers, right?
You passed all these checks, you have an insured car, you got the app, and you basically use it like Tinder. You peruse the offerings, and they're done in blocks.
So maybe it's 4 square blocks of a city or 1 square block of city, depending on where you are.
So globally, 4 million drivers have downloaded the app. So who knows if they're all on the roads, but they're active on the app, including about 3 million in the States.
This is according to App Annie. Okay, so let's say you wanted to be one of these drivers, right?
You passed all these checks, you have an insured car, you got the app, and you basically use it like Tinder. You peruse the offerings, and they're done in blocks.
So maybe it's 4 square blocks of a city or 1 square block of city, depending on where you are.
When you say "like Tinder," are you sort of swiping through to see the attractiveness of the recipient and think, oh yes, I'll deliver something for her?
Oh gosh. You're looking at where you have to pick up these packages and where you need to deliver them to. And you might see how much Amazon is offering to pay you.
So they might say, here's 5 deliveries within this area of the city, about 2 miles from where you are right now, and we'll give you $30 minimum if you get them all delivered in time.
So they might say, here's 5 deliveries within this area of the city, about 2 miles from where you are right now, and we'll give you $30 minimum if you get them all delivered in time.
I think my way is better. I think if all Amazon customers uploaded photographs of themselves looking sexy, and then we could get deliveries more quickly, nothing would go wrong.
Yeah, it would be great.
Yeah, next week's episode.
Yeah, all women right now are thinking it's fantastic.
TM, TM, it's trademarked.
Yeah, it's all yours. Okay, so Graham, stay with me.
You've passed all the checks, you're looking at the app and you're going, hey, there's some packages I can deliver and this is how much I'm going to get, and I have got an hour free, let's go.
And you go off and deliver these things and on it goes. From the moment you sign on, this is according to Bloomberg, okay?
Quote, flex drivers discover algorithms are monitoring their every move. Did they get to the delivery station when they said they would?
Did they complete their route in the prescribed window? Did they leave the package in full view of porch pirates instead of hidden behind the planter as requested?
And Amazon algorithms scan the gusher of incoming data for performance patterns and decide which drivers get more routes and which are deactivated. By deactivated, fired. Okay.
It's a kind of weird—
You've passed all the checks, you're looking at the app and you're going, hey, there's some packages I can deliver and this is how much I'm going to get, and I have got an hour free, let's go.
And you go off and deliver these things and on it goes. From the moment you sign on, this is according to Bloomberg, okay?
Quote, flex drivers discover algorithms are monitoring their every move. Did they get to the delivery station when they said they would?
Did they complete their route in the prescribed window? Did they leave the package in full view of porch pirates instead of hidden behind the planter as requested?
And Amazon algorithms scan the gusher of incoming data for performance patterns and decide which drivers get more routes and which are deactivated. By deactivated, fired. Okay.
It's a kind of weird—
Terminator or something?
Yeah.
It's like, you are deactivated.
Yes. You have imploded as far as I'm concerned.
That's really threatening language.
What's even worse is human feedback. So any communications with any team leader or anything is super rare.
Okay, so you get these automated emails, but most of the time you have this rating system, which basically says whether you're doing good or bad.
And there's 4 categories: fantastic, great, fair, at risk. And so every day, you're basically obsessed with these staying at the fantastic level.
Okay, so you get these automated emails, but most of the time you have this rating system, which basically says whether you're doing good or bad.
And there's 4 categories: fantastic, great, fair, at risk. And so every day, you're basically obsessed with these staying at the fantastic level.
Yeah.
And we know this from Uber and Lyft and all these kinds of things.
Black Mirror.
Right? So one of the arguments is Uber and Lyft.
If you're the customer and you're in the car and there's a traffic jam, you're kind of aware that it's not the driver's fault, that there's just shit tons of traffic.
So you're less likely to go, one star, it took me 4 minutes longer than I expected.
But if you're waiting for a package and it happens to be late and you decide to give a shitty rating or complain, you can get someone fired.
You know how I was saying, Graham, if I just got rid of you after 10, a little fuck-up of being 10 minutes late, right, on the show?
So one of the stories Bloomberg talks about is this woman, Nedra, 42-year-old bus driver, school bus driver, mom of 3, right, lives in Texas.
And then she was making deliveries through the Amazon Flex app from 2017, you know, just to make a bit of extra money to pay for kids' activities.
Pandemic hits, schools close, she doesn't have any work and has no money. But thanks to Amazon Flex, this becomes her primary income.
She estimates she's delivered about 8,000 packages in that time. 8,000. So all's great, but one day while flexing, she spots a nail in her tire.
She's already picked up the packages and she calls them and goes, "I don't know what to do." And they say, "You have to come and bring them back to the delivery station." And she was really afraid that it would blow her tire because guess what?
That's her money, right? That's her responsibility if she fucks the whole tire. She has to pay to get that fixed to carry on working.
But she goes because she doesn't want to lose her rating. And despite explaining the situation, her rating dropped from great to at risk.
So from the top level to the bottom level, just like that. She— and it was for abandoning the route. That's why she got that thing, right?
So then, you know, she gets an email to say that she violated Flex's terms of service, and that's all she gets.
She goes, as a result, you are no longer eligible to participate in Amazon Flex program, and you won't be able to sign into the Amazon Flex. That's it.
So then you're like, okay, well, how do you say, whoa, you guys got something wrong. I did what you told me to do, right? And apparently the support is just abysmal.
So if you have a complaint, there's no real useful way to get an answer. So you can appeal a termination if within the 10 days, but then you send an email, no one answers.
You follow up, no one answers.
If you're the customer and you're in the car and there's a traffic jam, you're kind of aware that it's not the driver's fault, that there's just shit tons of traffic.
So you're less likely to go, one star, it took me 4 minutes longer than I expected.
But if you're waiting for a package and it happens to be late and you decide to give a shitty rating or complain, you can get someone fired.
You know how I was saying, Graham, if I just got rid of you after 10, a little fuck-up of being 10 minutes late, right, on the show?
So one of the stories Bloomberg talks about is this woman, Nedra, 42-year-old bus driver, school bus driver, mom of 3, right, lives in Texas.
And then she was making deliveries through the Amazon Flex app from 2017, you know, just to make a bit of extra money to pay for kids' activities.
Pandemic hits, schools close, she doesn't have any work and has no money. But thanks to Amazon Flex, this becomes her primary income.
She estimates she's delivered about 8,000 packages in that time. 8,000. So all's great, but one day while flexing, she spots a nail in her tire.
She's already picked up the packages and she calls them and goes, "I don't know what to do." And they say, "You have to come and bring them back to the delivery station." And she was really afraid that it would blow her tire because guess what?
That's her money, right? That's her responsibility if she fucks the whole tire. She has to pay to get that fixed to carry on working.
But she goes because she doesn't want to lose her rating. And despite explaining the situation, her rating dropped from great to at risk.
So from the top level to the bottom level, just like that. She— and it was for abandoning the route. That's why she got that thing, right?
So then, you know, she gets an email to say that she violated Flex's terms of service, and that's all she gets.
She goes, as a result, you are no longer eligible to participate in Amazon Flex program, and you won't be able to sign into the Amazon Flex. That's it.
So then you're like, okay, well, how do you say, whoa, you guys got something wrong. I did what you told me to do, right? And apparently the support is just abysmal.
So if you have a complaint, there's no real useful way to get an answer. So you can appeal a termination if within the 10 days, but then you send an email, no one answers.
You follow up, no one answers.
Yeah, there's no money they're gonna make, is there, from her?
Exactly. And after doing loads and loads of follow-up, she finally gets a message saying, we're still reviewing your appeal.
Then a week later, we reviewed the information, take another look at your history. Our position has not changed and we won't be reinstating your access to the Amazon Flex program.
We wish you success in the future endeavors.
Then a week later, we reviewed the information, take another look at your history. Our position has not changed and we won't be reinstating your access to the Amazon Flex program.
We wish you success in the future endeavors.
Wow.
And this woman almost lost her house, right? This was during the pandemic.
So I don't know, don't you think it's a bit like me getting rid of you for being late 10 minutes for a recording on episode 234? Like, it's that shitty. 8,000 packages.
So I don't know, don't you think it's a bit like me getting rid of you for being late 10 minutes for a recording on episode 234? Like, it's that shitty. 8,000 packages.
Well, I don't disagree with you, but if they have— what did you say, 4 million people signed up to this Flex thing worldwide?
Yeah.
How much resource would they have to put in to manage that manually? I don't know. And Amazon is all about algorithms, isn't it? This is how they've become such a goliath.
And if you want to appeal, take it to arbitration, you can pay $200 to do that. But few do because people say it's a complete waste of time.
It's no secret to anyone that Amazon is a very curious company, because in some ways it's incredible and amazing because you can buy anything there and it gets delivered really, really quickly.
But I think it's no secret that they're a ghastly and horrible company to work for or work with.
But I think it's no secret that they're a ghastly and horrible company to work for or work with.
There was a number of these. I went to Reddit to look around, right?
And people were saying, I went and the roads were flooded, you know, and I couldn't get through and I've now just been dropped. Dropped in one hour.
I was dropped from fabulous to shit. And some other guy in the notes said, I don't know why you just didn't take your shoes off and walk it over. I've done that before. Wow, right?
Just to keep their fantastic rating.
And people were saying, I went and the roads were flooded, you know, and I couldn't get through and I've now just been dropped. Dropped in one hour.
I was dropped from fabulous to shit. And some other guy in the notes said, I don't know why you just didn't take your shoes off and walk it over. I've done that before. Wow, right?
Just to keep their fantastic rating.
Yeah. Wow.
Anyway, so it just seems to me the way they're suckering people into these gigs is by the high money at the beginning, the $20 at the beginning.
But I think people are forgetting that you have to have a car, you have to have insurance, you have to keep your phone up to date, and you can be dinged by factors way outside your control.
And there's no real appeals process or anyone you can complain to when shit hits the fan.
And why are people taking these jobs instead of working at a supermarket where maybe you get paid a little less and you don't have the flex hours? So those are the two things.
You've got to be at your job at particular times if you're working in a restaurant or a supermarket or a store.
But I think people are forgetting that you have to have a car, you have to have insurance, you have to keep your phone up to date, and you can be dinged by factors way outside your control.
And there's no real appeals process or anyone you can complain to when shit hits the fan.
And why are people taking these jobs instead of working at a supermarket where maybe you get paid a little less and you don't have the flex hours? So those are the two things.
You've got to be at your job at particular times if you're working in a restaurant or a supermarket or a store.
Well, I mean, I guess the advantage sometimes, especially if you're a single parent and it's the pandemic and stuff like that, you can try and work around if you're doing homeschooling with your kids.
So you know, like a sitter or something like that. I mean, maybe doing a 9 to 5 at a supermarket just is outside what's possible.
So you know, like a sitter or something like that. I mean, maybe doing a 9 to 5 at a supermarket just is outside what's possible.
Yeah, and you need to have that flexibility because you don't know. Maybe you're looking after someone who's ill, right?
And you're like, oh, they're finally going to sleep, I've got 3 hours to go make some cash.
Yeah, the thing that pisses me off the most about this is I went and checked Amazon's money because I was thinking, oh, maybe they're hurting, right?
And you're like, oh, they're finally going to sleep, I've got 3 hours to go make some cash.
Yeah, the thing that pisses me off the most about this is I went and checked Amazon's money because I was thinking, oh, maybe they're hurting, right?
Maybe they're a bit hard up.
Maybe they're hard up and they're not able to pay people better, and they can't, you know. So net sales increased 44% to $108.5 billion—get this—in the first quarter.
That little in the first quarter?
They are hurting. They are hurting.
They're rolling in it. And despite that, they're basically saying, oh, anyway. So do we need better legislation? So in the States, there's a U.S. Senator, Chris Coons.
He introduced the Algorithmic Fairness Act, which would require the FTC to create rules to ensure that these algorithms are being used equitably.
So there's no bias, for example, in decisions, and there's an opportunity to reverse mistakes. But apparently his proposal's gone nowhere.
But recently, the UK's Trade Union Congress, TUC, warned about what it calls a huge gap in UK employment law over the use of artificial intelligence at work.
So literally saying that AI at work could be used to improve productivity in working lives, but it's already being used to make life-changing decisions about people at work who are getting hired and fired.
So that's good. I think that's good that they're acknowledging it. We need to think about what to do with these wonderful drivers.
Don't you think it's time to be a bit nicer to your drivers and give them the benefit of the doubt if they're 5 minutes late?
So if you're going to tip, for example, don't tip through the app, just tip in cash, right?
So that Amazon algorithms don't get to use these numbers to adjust how much you might make working for them, because that's what they're doing.
They're saying, on average, people get about 20 quid for, you know, a 4-hour shift. So therefore, that's how much you can make. They add it onto the money they'll give you.
It's disgusting.
He introduced the Algorithmic Fairness Act, which would require the FTC to create rules to ensure that these algorithms are being used equitably.
So there's no bias, for example, in decisions, and there's an opportunity to reverse mistakes. But apparently his proposal's gone nowhere.
But recently, the UK's Trade Union Congress, TUC, warned about what it calls a huge gap in UK employment law over the use of artificial intelligence at work.
So literally saying that AI at work could be used to improve productivity in working lives, but it's already being used to make life-changing decisions about people at work who are getting hired and fired.
So that's good. I think that's good that they're acknowledging it. We need to think about what to do with these wonderful drivers.
Don't you think it's time to be a bit nicer to your drivers and give them the benefit of the doubt if they're 5 minutes late?
So if you're going to tip, for example, don't tip through the app, just tip in cash, right?
So that Amazon algorithms don't get to use these numbers to adjust how much you might make working for them, because that's what they're doing.
They're saying, on average, people get about 20 quid for, you know, a 4-hour shift. So therefore, that's how much you can make. They add it onto the money they'll give you.
It's disgusting.
I don't know, Carole.
Now, I mean, is it something like if you don't tip through the app, will they interpret that as dissatisfaction on the part of the customer?
Wow, yeah.
Interesting. I like where you're thinking, David. I actually thought of something else, which is, I don't know when an Amazon parcel is meant to be delivered to me, right?
But if someone comes to my door, knocks on my door and gives me a brown Amazon parcel.
If I could give them money, I suppose I could give them a couple of quid, say thank you very much, whatever.
But maybe when I then later open that parcel, I find out, oh, that wasn't an Amazon delivery man.
That's just someone who's going door to door with Amazon parcels in order to get tips. Right?
But if someone comes to my door, knocks on my door and gives me a brown Amazon parcel.
If I could give them money, I suppose I could give them a couple of quid, say thank you very much, whatever.
But maybe when I then later open that parcel, I find out, oh, that wasn't an Amazon delivery man.
That's just someone who's going door to door with Amazon parcels in order to get tips. Right?
Right.
Scammers. Am I too cynical to think this? That could happen.
No, I don't think so. I think I'm talking about the story because I think I messed up actually recently. So I ordered something from TK Maxx the other day, right?
An expensive thing and a not so expensive but bulky thing. Box arrives, I'm really nice, great, yay.
You know, inside it is a delivery receipt for both items, but only the cheap, big, bulky thing is in there. And I freak out a bit and I email the company.
And then an hour later, the guy shows up with the other package. The expensive thing arrives, but it also has an invoice for both items in that box.
So I felt like a Muppet because obviously, I emailed them back right away saying, stand down, all's cool. But what if that doesn't matter?
It's just an algorithm that goes, oh, complaint by John or whatever. It's too awful to think. Anyway, there you go. Cheery note to end on.
An expensive thing and a not so expensive but bulky thing. Box arrives, I'm really nice, great, yay.
You know, inside it is a delivery receipt for both items, but only the cheap, big, bulky thing is in there. And I freak out a bit and I email the company.
And then an hour later, the guy shows up with the other package. The expensive thing arrives, but it also has an invoice for both items in that box.
So I felt like a Muppet because obviously, I emailed them back right away saying, stand down, all's cool. But what if that doesn't matter?
It's just an algorithm that goes, oh, complaint by John or whatever. It's too awful to think. Anyway, there you go. Cheery note to end on.
Well done. Ruined someone's life. Well done. Thanks.
I know. It's the worst.
Smashing Security is sponsored this week by the experts at 1Password.
Did you know that almost two-thirds of all IT workers admit to reusing enterprise secrets between different projects, creating a potential gateway for attackers?
1Password's new research report, Hiding in Plain Sight, reveals the breadth and depth of mismanaged business secrets like code, passwords, credentials, and keys, and that secrets mismanaged phishing is the next big cybersecurity threat.
Learn more by reading the full report at 1password.com/resources. And thanks to 1Password for supporting the show.
And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Did you know that almost two-thirds of all IT workers admit to reusing enterprise secrets between different projects, creating a potential gateway for attackers?
1Password's new research report, Hiding in Plain Sight, reveals the breadth and depth of mismanaged business secrets like code, passwords, credentials, and keys, and that secrets mismanaged phishing is the next big cybersecurity threat.
Learn more by reading the full report at 1password.com/resources. And thanks to 1Password for supporting the show.
And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. Doesn't have to be security-related necessarily.
Could be a funny story, a book they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. Doesn't have to be security-related necessarily.
Better not be.
Well, my pick of the week this week is not security-related.
I don't know if listeners have picked this up, David, maybe you have, maybe you haven't, but I consider myself very much a Renaissance man. I'm a fine athlete.
I don't know if listeners have picked this up, David, maybe you have, maybe you haven't, but I consider myself very much a Renaissance man. I'm a fine athlete.
I've always thought that about you.
An excellent scholar, I have an ear for music, a talent for art, and a way with the ladies.
And I think I'm the all-round package, but then I come across other people with talents as well. People who maybe are even more artistic than me.
David, I invite you to visit a website. Type it into your browser right now. And you listening at home—
And I think I'm the all-round package, but then I come across other people with talents as well. People who maybe are even more artistic than me.
David, I invite you to visit a website. Type it into your browser right now. And you listening at home—
I feel like this is just social engineering.
Why can't I go visit?
You can as well, Carole, if you wish. If you wish to, you can. Listeners, don't do this if you're driving your car or in charge of heavy machinery.
Wait until you're in a safe place, and then go to a website called carole.wtf. Not .com. Carole, so that's Carole with an E on the end. Carole.wtf. I don't know what WTF stands for.
Give it a try. I'm wondering what you'll find there.
What you will find there is a website of art from our very own Carole— How do you spell— How do you pronounce your second name? Theriault. Theriault. Carole Theriault.
Wait until you're in a safe place, and then go to a website called carole.wtf. Not .com. Carole, so that's Carole with an E on the end. Carole.wtf. I don't know what WTF stands for.
Give it a try. I'm wondering what you'll find there.
What you will find there is a website of art from our very own Carole— How do you spell— How do you pronounce your second name? Theriault. Theriault. Carole Theriault.
You can find out on the homepage.
Yeah, it tells you how to say it. It doesn't tell you how to say Carole. Oh, wow.
These are incredible.
Oh.
Shut up, Dave.
Keep going.
No, no.
No, looking at the one— Like, I'm looking on the art gallery one, the first one with the field and the color. Like, it's— this is awesome.
Oh, you see?
Oh, the lighthouse.
Carole, for the last couple of years maybe, has been painting.
Oh, Mindscape! Mindscape! Oh, so cool!
I love you.
And she sends them to me and some of her other friends, and she's quite clear about— Carole is a little bit shy. You wouldn't know that.
And, but this website has just been created with amazing artwork. Who could have known she was so talented? Carole.wtf is my pick of the week.
And, but this website has just been created with amazing artwork. Who could have known she was so talented? Carole.wtf is my pick of the week.
Now I feel like a dick for being a jerk to you the whole show.
I think you should.
I do.
Jeez. This is incredible.
Isn't she clever?
I mean, it is amazing because if I tried to paint something, it would look like someone in a straitjacket had painted something with a paintbrush shoved between his teeth.
That's how my painting would look. It would look like a two-year-old.
I mean, it is amazing because if I tried to paint something, it would look like someone in a straitjacket had painted something with a paintbrush shoved between his teeth.
That's how my painting would look. It would look like a two-year-old.
It's really weird seeing them because they're all obviously physical, real paintings, not digital paintings, right?
So it's kind of weird seeing them up here and looking at them like this, but it's very exciting. It's just scary as shit.
So it's kind of weird seeing them up here and looking at them like this, but it's very exciting. It's just scary as shit.
You know, it'd be cool, you know, maybe you could have prints and stuff, or people could order some.
Oh yes.
Yeah, I would order Gold Country. I mean, that's—
Yeah, you could put these up on Redbubble maybe, Carole. You could get prints. Maybe some people would like them on a t-shirt.
I'm open to advice on this if there's any artists out there that want to recommend. I was thinking Society6 is the one I was thinking about.
Oh, I don't know. I think Mindscape, that could be on the cover of a prog rock album.
It could.
Greg the Goat. Greg the Goat could be on the cover of maybe a yogurt or something like that in the supermarket. I mean, some of them are funny. Some of them are spooky. carole.wtf.
Have I mentioned the domain name? What made you choose that domain name, Carole?
Have I mentioned the domain name? What made you choose that domain name, Carole?
Carole? It's very easy to remember.
Okay. Yeah.
So, no, I know—
Sounds appropriate for you as well.
Well, yes. And you won't forget it.
Very cool. Very cool.
Thank you, Kate. That's really sweet.
David, what's your pick of the week?
Alright, well, there is a new album that came out earlier this year. It's by this artist called Porter Robinson. That's his name.
It's sort of—calling it EDM sort of reduces it because there's a lot of other influences that go into it, but it is electronic music.
So he came out with this new album this year called Nurture, and it's just incredible.
You know, if you're—I mean, especially with it being summer, and if you're just chilling and stuff, just putting this on and just sort of losing yourself for an hour while you're staring absentmindedly outside is an afternoon well spent.
It's sort of—calling it EDM sort of reduces it because there's a lot of other influences that go into it, but it is electronic music.
So he came out with this new album this year called Nurture, and it's just incredible.
You know, if you're—I mean, especially with it being summer, and if you're just chilling and stuff, just putting this on and just sort of losing yourself for an hour while you're staring absentmindedly outside is an afternoon well spent.
Cool.
I find myself constantly listening to certain songs, "Look at the Sky," "Wind Tempos," "Something Comforting." It is truly incredible. So can't recommend that enough, really.
Just give it a listen.
Just give it a listen.
He's got a very slick website.
Seriously.
A lot more whiz-bang than me, I tell ya.
So I'm checking, Porter Robinson, I've just been reading about this. He describes the music as quite melancholic. Is that right? A lot of pain and sadness.
Is there some of that going on with it?
Is there some of that going on with it?
Yes, a lot of nostalgia in it.
Yeah. What's wrong with—there's nothing—you sad music, Graham.
Oh no, I'm not saying there's anything wrong with it.
I love this. I'm totally going to turn this on tomorrow when I do my little painting time and check it out. That's how I'll do it. See what happens.
Fantastic. Carole, what's your pick of the week? Is it in fact your website?
No, I wasn't going to do it. I'm too scared. Okay. Mine is a show called Ways of Seeing. This was in 1972. Graham, did you have pubic hair by then? I don't know.
Couldn't say.
Yikes. That's a question.
Ways of Seeing, 1972 television series. Four-parter, 30-minute films each. They're created by John Berger and producer Mike Dibb.
This was broadcast originally on BBC Two, and it was adapted into a book of the same name. Now, you can find these shows on YouTube. And my advice is run, don't walk to watch this.
It is, to me, quintessential viewing for anyone who is a bit of a creative.
It will make you think about what you see, how you see, and how the very act of looking is effectively political. And I can see Graham right now is rolling his eyes.
This was broadcast originally on BBC Two, and it was adapted into a book of the same name. Now, you can find these shows on YouTube. And my advice is run, don't walk to watch this.
It is, to me, quintessential viewing for anyone who is a bit of a creative.
It will make you think about what you see, how you see, and how the very act of looking is effectively political. And I can see Graham right now is rolling his eyes.
No, not at all. I've watched this video. I've seen this. Yes, and it's fascinating. He seems an extremely interesting person. I would thoroughly recommend people watch this video.
Cool.
Okay, well, so it's a bit like— the best way to explain it is if, say, for example, I wanted to see David by Michelangelo, the statue, and I decided to do a pilgrimage to Florence to see it in person with my own eyes, and I spend the money, plan the trip, all the shit, and that will have an entirely different experience to me seeing a thumbnail image of it in my browser.
Right. But both people have seen the image or seen it in some way. So he kind of discusses all this.
And the one thing I learned today is this series is said to have introduced the term male gaze during the series, and feminists took hold of it.
And yeah, anyway, I just think it is incredible. There's a book as well that talks about the same issues, and there's a few more essays in it. Some of them are just visual essays.
So if you love art or know anyone that loves art and you want to support them, you can obviously just go to my site and say it's great.
Or you can read and watch John Berger's Way of Seeing, and it'll help you communicate and talk with them and support them. So there you go. That's my pick of the week.
Okay, well, so it's a bit like— the best way to explain it is if, say, for example, I wanted to see David by Michelangelo, the statue, and I decided to do a pilgrimage to Florence to see it in person with my own eyes, and I spend the money, plan the trip, all the shit, and that will have an entirely different experience to me seeing a thumbnail image of it in my browser.
Right. But both people have seen the image or seen it in some way. So he kind of discusses all this.
And the one thing I learned today is this series is said to have introduced the term male gaze during the series, and feminists took hold of it.
And yeah, anyway, I just think it is incredible. There's a book as well that talks about the same issues, and there's a few more essays in it. Some of them are just visual essays.
So if you love art or know anyone that loves art and you want to support them, you can obviously just go to my site and say it's great.
Or you can read and watch John Berger's Way of Seeing, and it'll help you communicate and talk with them and support them. So there you go. That's my pick of the week.
Fantastic. What a cultural clash of picks of the week we have had this week. I think we've all done jolly well, and that just about wraps up the show for this week.
David, I'm sure lots of our listeners would love to follow you online and find out what you're up to. What's the best way for folks to do that?
David, I'm sure lots of our listeners would love to follow you online and find out what you're up to. What's the best way for folks to do that?
Yeah, yeah. So you can find me online with Twitter. I'm @dmbisson. You can find me on LinkedIn. I'm there too and just write regularly for IBM and Zix and all these other companies.
So, you know, if you want to hit me up and if you have any jobs or anything like that too, I'm always looking working. So, you know, reach out, I'm available.
So, you know, if you want to hit me up and if you have any jobs or anything like that too, I'm always looking working. So, you know, reach out, I'm available.
Do it, people. He's great.
And you can follow us on Twitter at Smashing Security, no G. Twitter wants to have a G. And you can join us as well on our Smashing Security subreddit.
And don't forget to ensure you never miss another episode. Please follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
And don't forget to ensure you never miss another episode. Please follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
And thanks to this week's episode sponsor, 1Password, and to our wonderful Patreon community. It's thanks to them all this show is free.
For episodes, show notes, sponsorship information, guest lists, and the entire back catalog of more than 234 episodes, check out smashingsecurity.com.
For episodes, show notes, sponsorship information, guest lists, and the entire back catalog of more than 234 episodes, check out smashingsecurity.com.
Until next time, cheerio, bye-bye.
Bye-bye. Excellent, guys. Well done, David. Well done, Graham. I'm sorry you can't hear each other. Okay.
Oh, he can't hear me either.
It's almost better this way.
Yeah, he can't hear you, you can't hear him, and I'm—
Yeah, I don't have to listen to Graham prattle on.
I mean, Graham, he just said you were amazing. He misses your voice.
David, you are awesome too. Thanks so much.
Graham says you're a shitbag.
That's amazing.
Hey everybody, Carole Theriault here. This week I thought I would share with you how the sausage is sometimes made at Smashing Security.
We had a bit of a snafu, but I think we've hidden it fairly well. I don't know why I'm telling you about it now, but maybe because it's funny.
So while we were recording this episode, we just finished up David's Pick of the Week, and suddenly David and Graham could no longer hear each other. Listen to this.
You guys can't hear each other.
We had a bit of a snafu, but I think we've hidden it fairly well. I don't know why I'm telling you about it now, but maybe because it's funny.
So while we were recording this episode, we just finished up David's Pick of the Week, and suddenly David and Graham could no longer hear each other. Listen to this.
You guys can't hear each other.
Oh, David Bisson has left.
Oh no, I can't hear anything with Graham.
Okay, well look, if this is— this will maybe work. Graham, go to my story. Okay, we'll say it's amazing. Go to me. We're gonna crack this on.
We can do this.
We're all recording locally, right?
Yeah.
Okay, should we try? Should we try?
Yeah, but don't we want David on the call, on the recording?
We're so close, David. So basically, we carried on recording the show with me as the proper middle woman.
Fun.
Maybe you want to re-listen and see if you can spot it, but you know, we're pretty professional. As always, thank you to all of you for your support and kind words.
It means the world. See you guys next week.
It means the world. See you guys next week.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
David Bisson – @dmbisson
Show notes:
- Cozy Bear — Wikipedia.
- Bears in the Midst: Intrusion Into the Democratic National Committee — Crowdstrike.
- Coronavirus: Russian cyber spies attempting to steal vaccine research from Britain, US and Canada — Sky News.
- New Nobelium activity — Microsoft Security Response Center.
- Smashing Security episode 214: "Lockdown love scams, SolarWinds, and a data deletion bungle."
- Screenshot of email David received from "Amazon"
- This $1.3 Million Vibrator Is One Of The World's Most Expensive Sex Toys — Forbes.
- Amazon Flex.
- AI at work: Staff 'hired and fired by algorithm' — BBC News.
- Fired by Bot: Amazon Turns to Machine Managers And Workers Are Losing Out — Bloomberg.
- Horror stories from Amazon Flex workers — Reddit.
- Art'n'Doodles from Carole Theriault — Carole.wtf
- ⎌ Nurture ⎌ — Porter Robinson.
- How John Berger changed our way of seeing art — The Conversation.
- Ways of Seeing Episode 1, with John Berger — YouTube.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsor: 1Password
Did you know that almost two thirds of all IT workers admit to reusing enterprise secrets between different projects, creating a potential gateway for attackers?
1Password’s new research report, “Hiding in Plain Sight”, reveals the breadth and depth of mismanaged business secrets like code, passwords, credentials, and keys, and that secrets (mis)management is the next big cybersecurity threat.
Learn more by reading the full report at 1password.com/resources
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
