“Demonically” possessed devices print out antiwork propaganda, advice on how to secure your store, and is Twitter’s new photo privacy policy practical?
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Dinah Davis.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
And they're doing this, they're spreading these words by demonically possessing printers normally used to print out receipts at checkout.
Demonically? Can you just explain that use of that adverb? I just don't understand.
Yeah, well, it's a bit like it was demonically possessed. Okay, they're not really, they're just hijacking it, right?
Right.
Smashing Security, Episode 255: Revolting Receipts, a Twitter Fandango, and Shopkeeper Cyber Tips with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, Episode 255. My name is Graham Cluley.
Hello, hello, and welcome to Smashing Security, Episode 255. My name is Graham Cluley.
I'm Carole Theriault.
And this week we're joined by a special guest, someone who hasn't been on the show before. It is the founder of Code Like a Girl and VP of R&D at Arctic Wolf. It is Dinah Davis.
Hello, Dinah. Hi. I am super pumped to be here.
I listen to your show all the time, and I kept thinking to myself, I would have so much fun with them on this show that I'm so glad you invited me to come.
I'm really excited about it.
I listen to your show all the time, and I kept thinking to myself, I would have so much fun with them on this show that I'm so glad you invited me to come.
I'm really excited about it.
Well, steady on. Steady on. Don't—
Wait, Graham, she's not flirting with you.
No, don't expect to be that much fun.
Don't worry. It's going to be fun. I'm here now.
I'm here too, and Dinah's here.
Shall I leave?
Yeah, sure.
Shall we thank this week's sponsors first? 1Password and Upticks. It's their support that helps us give you this show for free.
Now, coming up on today's show, Graham, what do you got?
Now, coming up on today's show, Graham, what do you got?
Oh, I've got grumpy people. Grumpy people at work.
And Dinah, what about you?
I want to talk about how to keep your small business safe online during the holiday season.
Hey, good, because I am talking about Twitter's new privacy feature and how it bites them where the sun doesn't shine.
All this and much more coming up on this episode of Smashing Security.
All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, have you ever had a terrible, appalling, ghastly job?
Yes, definitely.
A job where you didn't feel that you were being properly appreciated, perhaps?
Yes.
Yeah? Anything you'd like to talk about? Any current jobs that you want to co-host on a security podcast?
No, I love my co-host. I love my co-host.
Oh, okay.
Yeah.
Oh, that's lovely.
Yeah.
Well, pity the 900 employees of mortgage company Better.com.
Oh.
Who were last week fired, somewhat unsympathetically, via a Zoom call. Thank you for joining. I come to you with not great news.
This isn't news that you're going to want to hear, but ultimately it was my decision and I wanted you to hear from me. It's been a really, really challenging decision to make.
This is the second time in my career I'm doing this and I do not want to do this. The last time I did it, I cried. This time I hope to be stronger.
If you're on this call, you are part of the unlucky group being laid off. Your employment here is terminated effective immediately. I wish you all the best of luck.
Thank you for everything you've done for Better.
This isn't news that you're going to want to hear, but ultimately it was my decision and I wanted you to hear from me. It's been a really, really challenging decision to make.
This is the second time in my career I'm doing this and I do not want to do this. The last time I did it, I cried. This time I hope to be stronger.
If you're on this call, you are part of the unlucky group being laid off. Your employment here is terminated effective immediately. I wish you all the best of luck.
Thank you for everything you've done for Better.
That is not very warm. No. It's not very sympathetic.
It's not very sympathetic, is it?
No. I have seen people get fired with about that much care though, in my previous life, but—
Do you think it's worse face-to-face, being treated like that, or via Zoom?
Face-to-face would be way worse.
Because you have to get dressed. Yes. So this became sort of viral. You know, people were sharing this video left, right, and centre.
And the company said that the layoffs had been gut-wrenching, especially at this time of year. So pity them, you know, they must have had a terrible time.
And the company said that the layoffs had been gut-wrenching, especially at this time of year. So pity them, you know, they must have had a terrible time.
Can I make one comment though, just to make sure? It is edited, that little video. There's a lot of stuff taken out of that.
Oh, well, they mostly took out the swear words of the person reacting. So they just got to the juicy bits. Yeah, there are other versions. Fuck you!
Yeah.
The terrible thing about a Zoom call is that some people make themselves presentable before they go on a Zoom call, don't they?
So they have a shower and comb their hair and put some makeup on.
So they have a shower and comb their hair and put some makeup on.
What a waste if you're just gonna get fired.
And then you're told, get stuffed.
Yeah, why did I brush my teeth again?
Anyway, the company said this was gut-wrenching. They said it was a terrible thing for them. You know, they really didn't enjoy it at all.
But it later emerged that the CEO had claimed that at least 250 of those people who'd been terminated were stealing from the company, because some people apparently were working 2 hours per day but actually claiming to have worked 8 or more hours per day.
But it later emerged that the CEO had claimed that at least 250 of those people who'd been terminated were stealing from the company, because some people apparently were working 2 hours per day but actually claiming to have worked 8 or more hours per day.
The question is, how do you know, Mr. CEO?
Yeah, that's the same question I have.
Yeah.
And this wasn't the first time the CEO of Better.com had taken a swing at his employees. The same chap, he emailed employees in November 2020.
And what he said to them was, "You're a bunch of dumb dolphins. Dumb dolphins get caught in nets and eaten by sharks. So stop it, stop it, stop it right now.
You're embarrassing me." Dumb dolphins?
And what he said to them was, "You're a bunch of dumb dolphins. Dumb dolphins get caught in nets and eaten by sharks. So stop it, stop it, stop it right now.
You're embarrassing me." Dumb dolphins?
Where does that even come from?
What were we called? We were called monkeys, weren't we? By our CEO. By our monkeys, yes. We were called monkeys.
Well, sometimes he would lie on the ground and bleat like a sheep by your desk if he thought you were wasting time.
Well, sometimes he would lie on the ground and bleat like a sheep by your desk if he thought you were wasting time.
And he carried Fijian instruments of torture around with him as well, didn't he?
Yep.
He was a strange man. Oh my God. But now, just to remind you, Better.com, they sell mortgages and things.
So quite why he's employing dolphins, dumb or otherwise, to do the job is a bit of a mystery to me.
So quite why he's employing dolphins, dumb or otherwise, to do the job is a bit of a mystery to me.
Haven't you heard how cool AI is? You don't really need people anymore.
Dolphins are really smart. I mean, they are really smart.
Yeah.
Oh yeah, so long and thanks for all the fish.
But compared to who though, dolphins are smart? Compared to your average person?
Hamsters.
No, your dog.
Yeah. Yeah.
Dogs can do amazing things. I've seen dogs on skateboards, dogs driving cars.
Dogs saving people in perilous conditions.
Dogs getting dressed up in nice suits.
Using a knife and fork.
Yes.
No, wait a minute.
So, don't be so doggist, Dinah. Right.
Good, Graham. Good.
Good. Right. Anyway, on with the story. So this made me think about some of the bad jobs I've had over the years. And did you ever feel you've been underpaid?
Wonder how much cash your coworkers were making?
And then you kind of think, "Oh, but do I ask them or not?" Because it's gonna feel bad if they're making more, but it's also gonna feel bad if they're making less than me.
And you're sort of in this quandary.
Wonder how much cash your coworkers were making?
And then you kind of think, "Oh, but do I ask them or not?" Because it's gonna feel bad if they're making more, but it's also gonna feel bad if they're making less than me.
And you're sort of in this quandary.
Did you ever feel that someone was making more than you?
Yes, some people, yes.
Really?
Yes.
Right, the CEO, CTO.
Yeah, and some other people.
VPs, a few VPs.
I remember at one company that shall remain nameless where the HR department left a spreadsheet of everyone's salary on a publicly shared drive for anyone to access, which was a very valuable asset when it came to salary negotiation.
I remember a company that shall remain nameless that had an HR meeting discussing everyone's salary with name and the amount of money they were gonna get at that new year.
And did it in a meeting room that wasn't, shall we say, soundproof. And a particular employee was next door taking notes.
And did it in a meeting room that wasn't, shall we say, soundproof. And a particular employee was next door taking notes.
Well, have you ever had your bosses discuss your salary in front of you? Going through everyone's salary in the group.
Oh no.
Yes, going through everyone's salary in the group and then realizing they didn't take you off this list to be discussed.
And then instead of just skipping, and not discussing that, just going full force and having a negotiation in front of you of how much you should get paid.
That actually happened to me once.
And then instead of just skipping, and not discussing that, just going full force and having a negotiation in front of you of how much you should get paid.
That actually happened to me once.
You see? I feel though, I feel community. I feel that I'm not alone anymore.
Well, it is about community, Carole. There is on Reddit a subreddit called Antiwork, not to be confused with anti-woke. And Antiwork, it describes itself as a community—
Oh, I get it.
A community for those who want to end work, are curious about ending work, want to get the most out of a work-free life, want more information on anti-work ideas, or want personal help with their own jobs or work-related struggles.
Now I've checked out this subreddit and it's rather interesting. It's clear a lot of people aren't terribly happy with their jobs at the moment or how they're being treated.
They'd like more money, more respect, just to be treated like human beings. In fact, there are 1.2 million members of this subreddit where they're posting jokes and memes and—
Now I've checked out this subreddit and it's rather interesting. It's clear a lot of people aren't terribly happy with their jobs at the moment or how they're being treated.
They'd like more money, more respect, just to be treated like human beings. In fact, there are 1.2 million members of this subreddit where they're posting jokes and memes and—
You sound like a granddad.
What? What? I don't know.
Keep going. It's fine. 1.2 million members.
Yeah, there's a lot.
Well, it's the fourth most popular website in the world according to Mika the other day.
Just a bit, which is called Antiwork. I just, I found it surprising.
A lot of people work and a lot of people aren't happy. Anyway, carry on. You're doing great.
And generally, people are grumbling, perhaps quite rightly, about their jobs, their wages, but they're also rallying the masses.
They're saying, you know, we need union representation. We need to be part of it. We need to fight for our rights of a decent wage.
They're saying, you know, we need union representation. We need to be part of it. We need to fight for our rights of a decent wage.
I agree with that.
So this fight, this battle, is now taking place digitally across devices because what has happened in recent days is that hackers have been targeting poorly paid workers and trying to recruit them with anti-work manifestos, basically saying, "Come on, all you've got to lose are your chains.
Come on, rise up, battle against your bosses." And they're doing this, they're spreading these words, not by doing an airdrop, not by dropping things from a helicopter above people, but instead demonically possessing printers normally used to print out receipts at checkout.
So, demonically—
Come on, rise up, battle against your bosses." And they're doing this, they're spreading these words, not by doing an airdrop, not by dropping things from a helicopter above people, but instead demonically possessing printers normally used to print out receipts at checkout.
So, demonically—
Can you just explain that use of that adverb? I just don't understand.
Yeah, well, it's a bit like it was demonically possessed. Okay, they're not really, they're just hijacking it, right? They're sort of exploiting the receipt printer.
So if you were somebody who worked in a sort of customer service role where you took a payment for something and then said, would you like your receipt?
Your receipt machine would start spitting out. It would spit out messages like this.
It would say, riddle me this, how can McDonald's in Denmark manage to pay their staff $22 an hour and still sell a Big Mac for less than in America? Answer, unions.
Did you know it is rather simple task to organise a union?
So if you were somebody who worked in a sort of customer service role where you took a payment for something and then said, would you like your receipt?
Your receipt machine would start spitting out. It would spit out messages like this.
It would say, riddle me this, how can McDonald's in Denmark manage to pay their staff $22 an hour and still sell a Big Mac for less than in America? Answer, unions.
Did you know it is rather simple task to organise a union?
So this would come out on the receipt?
On the receipt. So the receipt print, you know, that cheap bit of paper. And then there's a link to the Reddit subgroup.
And it's not just that message, there's oodles of other messages as well.
And it's not just that message, there's oodles of other messages as well.
I just love the, "Do you want a receipt, sir?" "Yeah, yeah, no, I do." "No, I'm not giving it to you." "Give me my fucking receipt!" "No, you can't have your receipt." "Why?" "I can't tell you why." Yeah.
Beautiful. And so there's all kinds of different messages, but they're all promoting this subreddit and saying, "Go and join it, and then you can join the community.
Life is short," they say. "Time is your most valuable asset. And so, you know, what are you doing to make sure that you have a decent life?
Stop working for slave wages," they're saying.
So people are getting these messages on the receipts in front of them, and they're thinking, "That's funny." And then they go on to Reddit and check it out and say, "What on earth is this that's just appeared?" Brilliant.
And so they're joining the subreddit. So the subreddit is growing in popularity.
And some people are saying, look, you know, I find this amusing, but what I really find funny is my boss who's unhappy that this thing keeps on getting printed out and that we're beginning to talk more about our wages and salary.
Life is short," they say. "Time is your most valuable asset. And so, you know, what are you doing to make sure that you have a decent life?
Stop working for slave wages," they're saying.
So people are getting these messages on the receipts in front of them, and they're thinking, "That's funny." And then they go on to Reddit and check it out and say, "What on earth is this that's just appeared?" Brilliant.
And so they're joining the subreddit. So the subreddit is growing in popularity.
And some people are saying, look, you know, I find this amusing, but what I really find funny is my boss who's unhappy that this thing keeps on getting printed out and that we're beginning to talk more about our wages and salary.
Can you imagine?
So question, who's behind this? Who's the one driving all this?
Oh, there's so many possibilities.
Is it someone who's very keen on the anti-work movement, or is it a Joe job? Is it trying to damage the anti-work subreddit by bringing it into controversy?
Yeah, I don't even know what the goal is.
But also, if you're thinking about how things are politically motivated, is this a nation-state trying to help destabilise businesses in the US, right?
I think I've been reading too many cybersecurity books, but—
I think I've been reading too many cybersecurity books, but—
Well, I have a theory, which is maybe it is the salesmen who sell the receipt paper. Probably don't make that much out of it, so the more they can use—
Right, double, double. Yeah, yeah, double, double. Double-ply.
Yeah, exactly. Yeah, the good stuff, the quality stuff.
Quilted.
Dinah.
Yes.
What have you got for us this week?
Okay, so do either of you know when the first e-commerce transaction happened online? Any ideas?
Ooh.
Ooh.
I'll say after 2010.
Oh no.
I'm kidding, I don't know. I have no idea. 1990?
Is it pre the invention of the World Wide Web?
No.
No? So it was actually on an HTML-signed sort of webpage rather than something a bit more nerdy. Okay, so—
I'm going with August 2001.
Mid-'90s?
Okay. Graham, you are closest. So August 12th, 1994. So yeah. So Phil Brandenburg of Philadelphia bought the CD Ten Summoner Tales by Sting. Either of you have that?
I know you're a bit older than me.
I know you're a bit older than me.
You might have it. Oh, that is such a cruel indictment on the world, to think that the first online purchase was a ruddy Sting album.
Yes, it was.
He turned into a tantric sex lover.
Oh, there he is with his little mandolin or whatever.
He got married. He didn't ride in onto his wedding on a white horse.
Oh, he's such a poser. I cannot stand Sting.
Yeah, but come on, the police were great. There you go.
The police were good. Yeah, but I mean, oh, imagine a supergroup made of Michael Bublé and Sting and Piers Morgan and Il Divo, and then if Thom Hanks leading the group.
Oh, oh, just—
Oh, oh, just—
Okay, so horrendous. So anyway, sorry, Dinah, are you a Sting fan? I am definitely not. No, not at all.
I was very— I was actually— I read that when I was doing the research and I went, really? That was the first thing? Couldn't we have done better than that?
I was very— I was actually— I read that when I was doing the research and I went, really? That was the first thing? Couldn't we have done better than that?
So this is the fascinating thing. Who did he buy it off? Someone created an online store to sell Sting LPs. Well, and suddenly, whoa, we've actually had someone who's bought one.
He was big back then. There were tons of people that loved that shit.
Well, apparently his friend Dan Cohen did, because that's who Phil bought it from.
And they did it on a Unix machine loaded with an X-Mosaic browser, and they used PGP, or Pretty Good Privacy, you see.
And they did it on a Unix machine loaded with an X-Mosaic browser, and they used PGP, or Pretty Good Privacy, you see.
Very good. Well, I think that's pretty good. Yeah, well done them.
They seem to have— they did it in a secure way rather than just sort of, yep, emailing their credit card numbers through or something.
They seem to have— they did it in a secure way rather than just sort of, yep, emailing their credit card numbers through or something.
So they were actually trying to start an online store. And that online store is called netmarket.com. And I kid you not, that store is still up today.
No!
Yeah, I went and looked at it. It looks like it's still from the '90s, but I went through— you can add things to the cart.
I didn't— I didn't go so far as to actually try and buy something because I was a little bit skeptical about it.
I didn't— I didn't go so far as to actually try and buy something because I was a little bit skeptical about it.
But here it is. I'm on it right now.
You know what I love? I think there should be revival websites. I love mid-'90s, late '90s websites so much because they were so clear, Lycos web pages or the marquee effect.
Do you remember marquee or blink, the blink tag which would blink text at you in neon green?
Beautiful. Okay, I love it.
So at the time, New York Times classified it as the first retail transaction on the internet using a readily available version of powerful data encryption software designed to guarantee privacy.
And the author of PGP, Phil Zimmerman, was this is an important step towards the creation of digital cash. And look at that now. Now we're here, right?
And the author of PGP, Phil Zimmerman, was this is an important step towards the creation of digital cash. And look at that now. Now we're here, right?
Yeah.
Yeah. Okay.
So what do you think the total e-commerce sales were for 2020 in US dollars?
For Sting LPs?
No, no, for everything.
Just complete e-commerce sales 2020.
Oh, I'm saying billions, billions, billions, billions.
I'm going to say $1 trillion.
Wow. $4.28 trillion. What is that?
What is that? What is US debt at the moment?
No, but it's probably— yeah, but it's close to that, or less than that even. Yeah.
So this was up a trillion, almost a trillion from 2019, and the sales projected for 2021 are about $4.9 trillion. So this is crazy, right?
So this was up a trillion, almost a trillion from 2019, and the sales projected for 2021 are about $4.9 trillion. So this is crazy, right?
Yeah, I think it's all down to pets. People got a lot of pets during the pandemic.
And, you know, if you have a cat, you need that stuff that they pee in, whatever it's called, the cat litter. And, you know, dog leashes, dog food, all the pets, hamster stuff.
And, you know, if you have a cat, you need that stuff that they pee in, whatever it's called, the cat litter. And, you know, dog leashes, dog food, all the pets, hamster stuff.
So the holidays are upon us, right? And I am definitely guilty of shopping online. I think I've done 90% of my Christmas shopping already online. What about you guys?
I've decided that I'm gonna be the gift. I can't— You know what? I had to go do a PCR test 'cause I'm gonna be traveling soon. And I went there—
That's a nice Christmas present.
Right? 'Cause it's fricking expensive. Yeah. And I have to do 4 for this travel I'm gonna do. Like, literally. And that's a lot.
Anyway, so, and I'm in this mall, you know, and everyone's scream buying stuff, and I couldn't get into it. I don't think I'm doing Christmas this year. I want to do it with love.
All right.
Anyway, so, and I'm in this mall, you know, and everyone's scream buying stuff, and I couldn't get into it. I don't think I'm doing Christmas this year. I want to do it with love.
All right.
Well, well, I have a child, so that's not an option.
Ah, I got you, Dinah.
Yeah, nieces and nephews. So definitely have—
My niece has 5 presents.
Yes, of course.
Everyone else can fuck off.
So here's the thing. When we get to this time of year, we hear all things about what people can do to help keep them safe online while they're shopping.
But what we don't hear a lot of is what can small businesses do? Because there's almost $5 trillion up for grabs, right? So small businesses want to get online.
They got to sell stuff. You know, they want to sell their soap or their handmade jewelry or maybe, Carole, one day you want to sell your paintings.
You need to sell that in a safe way, right?
So I thought I would talk a little bit about the things that small businesses could do to make sure that they stay safe during the holiday season.
But what we don't hear a lot of is what can small businesses do? Because there's almost $5 trillion up for grabs, right? So small businesses want to get online.
They got to sell stuff. You know, they want to sell their soap or their handmade jewelry or maybe, Carole, one day you want to sell your paintings.
You need to sell that in a safe way, right?
So I thought I would talk a little bit about the things that small businesses could do to make sure that they stay safe during the holiday season.
I like that. It's about time we had some helpful advice on this.
I agree 100%.
Some top tips.
There we go. So according to the Association of Certified Fraud Examiners, 50% of small businesses fall victim to fraud.
At some point in their business lifecycle, and it costs them on average about $100,000 US, right? So that's a lot. And there's kind of two main ways small businesses get attacked.
The first is the account takeover.
So maybe the attacker will go to your customers, try and do some phishing attacks and take over their accounts and then make fraudulent purchases, right?
And the store is then left in the lurch having to pay for these purchases because, you know, the credit card company's refunded the other person back and they have to carry the cost, right?
And then the second is identity theft, right? So hackers hack into the company database, steal the usernames and passwords.
But both of these attacks lead to financial and reputational impacts for the small businesses.
At some point in their business lifecycle, and it costs them on average about $100,000 US, right? So that's a lot. And there's kind of two main ways small businesses get attacked.
The first is the account takeover.
So maybe the attacker will go to your customers, try and do some phishing attacks and take over their accounts and then make fraudulent purchases, right?
And the store is then left in the lurch having to pay for these purchases because, you know, the credit card company's refunded the other person back and they have to carry the cost, right?
And then the second is identity theft, right? So hackers hack into the company database, steal the usernames and passwords.
But both of these attacks lead to financial and reputational impacts for the small businesses.
And not good impacts.
Yeah, no, not good ones either. So no. Okay, so here are the tips. So one, make sure your website's using HTTPS, right? You gotta ensure all communications on your site are secure.
Yeah, yeah, right? It's a basic step but not always used. Second, if you're a really small business, don't try and implement all of this yourself, right?
You don't want to hold credit card information. So you want to go and look for an e-commerce platform. But the thing is, there's a few different ones out there, right?
Like there's, there is a large market for this now. So things to look for when you're choosing an e-commerce platform. So do they use the address verification system or AVS?
So do they check the billing address against the address on file of the credit card company? Do they require the CVV or the card verification value? Are they PCI compliant?
What data do they store from your customers? What responsibility do they have if your client data is breached? Like, what do you get for this?
And Carole, you're going to like this one. You got to really make sure you read the T's and C's before signing up.
Yeah, yeah, right? It's a basic step but not always used. Second, if you're a really small business, don't try and implement all of this yourself, right?
You don't want to hold credit card information. So you want to go and look for an e-commerce platform. But the thing is, there's a few different ones out there, right?
Like there's, there is a large market for this now. So things to look for when you're choosing an e-commerce platform. So do they use the address verification system or AVS?
So do they check the billing address against the address on file of the credit card company? Do they require the CVV or the card verification value? Are they PCI compliant?
What data do they store from your customers? What responsibility do they have if your client data is breached? Like, what do you get for this?
And Carole, you're going to like this one. You got to really make sure you read the T's and C's before signing up.
I like that one. That's how Carole's spending most of her Christmas holidays is reading terms and conditions. She knows how to have a good time.
Yeah, well, you know, about to have a family party, so definitely contracts are required.
So outside of the e-commerce site you're using, don't store sensitive user data, right?
Only collect what you need for transactions and nothing else, especially credit card information. That's bad.
If you get caught with that, you know, it's a violation of PCI and there can be fines. But the biggest thing to remember here is hackers cannot steal what you don't have. Right?
So only get what you absolutely need. And then approximately 71% of merchant loss can be attributed to friendly fraud.
So to help you not be affected by this, you can ensure there's proper notation of charges on your customer credit card statement.
So the more information that's on the customer credit card statement, the better it can match up to what was actually sold.
And it'll help you as a business when the credit card comes in and says somebody's disputing a charge, right?
Only collect what you need for transactions and nothing else, especially credit card information. That's bad.
If you get caught with that, you know, it's a violation of PCI and there can be fines. But the biggest thing to remember here is hackers cannot steal what you don't have. Right?
So only get what you absolutely need. And then approximately 71% of merchant loss can be attributed to friendly fraud.
So to help you not be affected by this, you can ensure there's proper notation of charges on your customer credit card statement.
So the more information that's on the customer credit card statement, the better it can match up to what was actually sold.
And it'll help you as a business when the credit card comes in and says somebody's disputing a charge, right?
Okay, so friendly fraud is when, what, like you purchase something and then there's a dispute, or— yeah, I didn't know that. I didn't know that term.
Exactly. And then you want to make sure you're also using tracking numbers for every order that is shipped, so that you have proof of delivery.
I mean, this is also how some of the other side of the fraudsters work, where they ship you something crappy and then you're like, I didn't get it, and they're like, yeah, you did, you got this tiny little piece of crap.
But for you as a business, this is the right way to go. And then of course, get a list of the chargeback codes.
Like anytime somebody is saying, no, this isn't what I wanted, or I'm trying to dispute this purchase, make sure you get the chargeback code so you can really see what the credit card company is saying.
One more really good one is consider setting limits, right?
So based on your orders and your revenue trends, set limits for the number of purchases or total dollar value that you will accept from one account in a single day.
So you don't get hit by somebody going crazy buying a whole bunch of your things and then you shipping them out and then it's like they refuse to say that that was theirs and then you're on the hook, right?
I mean, this is also how some of the other side of the fraudsters work, where they ship you something crappy and then you're like, I didn't get it, and they're like, yeah, you did, you got this tiny little piece of crap.
But for you as a business, this is the right way to go. And then of course, get a list of the chargeback codes.
Like anytime somebody is saying, no, this isn't what I wanted, or I'm trying to dispute this purchase, make sure you get the chargeback code so you can really see what the credit card company is saying.
One more really good one is consider setting limits, right?
So based on your orders and your revenue trends, set limits for the number of purchases or total dollar value that you will accept from one account in a single day.
So you don't get hit by somebody going crazy buying a whole bunch of your things and then you shipping them out and then it's like they refuse to say that that was theirs and then you're on the hook, right?
Oh, that's interesting. 'Cause I mean, there are people I know who possibly their purchasing behavior online would look like a crazy kind of attack.
You would think this must be a bot who is ordering everything in every size imaginable to be delivered, and then they'll return anything that they decided they didn't like or didn't fit properly.
So companies actually do put some kind of limit, do they? That's encouraging to know.
You would think this must be a bot who is ordering everything in every size imaginable to be delivered, and then they'll return anything that they decided they didn't like or didn't fit properly.
So companies actually do put some kind of limit, do they? That's encouraging to know.
Yeah, exactly.
This is seriously good advice, guys. You may want to have to listen to it one or two or three times.
Of course it's good advice. It's the Smashing Security podcast, Carole.
It is!
He's offering good advice. What do you? Yes!
No, Dinah's offered good advice.
Carole, what have you got for us this week?
We are entering Twitterland. Now, I'm not a big Twitter follower, but Graham, I know you are.
Yeah.
Dinah, do you do the Twitter stuff?
Yeah, I'm on Twitter.
I'm actually super glad that you both do that because I'm talking about Twitter and I know nothing what I'm talking about. So you can call me out.
So you guys, and many of our listeners, probably know that about a week ago Twitter announced new privacy rules.
It was going to allow the takedown of pictures of people that were posted without that person's permission. So for example, if I were to find a video or a picture of you, Mr.
Cluley, at one of my famous, you know, pre-Rona parties in the '00s where you dressed up as a naked sumo wrestler, basically a plastic onesie with a fan inside to inflate your size.
And I took a video of this secretly, and then I slapped that up on the Twitters, right?
So you guys, and many of our listeners, probably know that about a week ago Twitter announced new privacy rules.
It was going to allow the takedown of pictures of people that were posted without that person's permission. So for example, if I were to find a video or a picture of you, Mr.
Cluley, at one of my famous, you know, pre-Rona parties in the '00s where you dressed up as a naked sumo wrestler, basically a plastic onesie with a fan inside to inflate your size.
And I took a video of this secretly, and then I slapped that up on the Twitters, right?
You could ping Twitter and say, "Oi, remove the evidence, I have not approved." Hang on, are you saying Twitter would look at this video footage of someone who appeared to be a sumo wrestler and think, yep, that's Graham Cluley, all right, we can take that down.
That's slightly insulting, actually. Thank you.
That's slightly insulting, actually. Thank you.
So the new policy basically states that photos or videos of private individuals that are posted without their permission will be taken down at their request.
Now, say you're chilling on Twitter as you do. And you see that someone posted a pic of you, Graham, taking a number 2 in a US bathroom stall. Remember?
Now, say you're chilling on Twitter as you do. And you see that someone posted a pic of you, Graham, taking a number 2 in a US bathroom stall. Remember?
Thanks a lot for that mental image, Carole.
Well, it happened. Graham was having a quiet business meeting in a bathroom stall, which is what my sister-in-law calls it, and I absolutely adore that.
So I'm off for a business meeting. So, okay, so he's having a business meeting and a camera shows up. We've talked about this.
So I'm off for a business meeting. So, okay, so he's having a business meeting and a camera shows up. We've talked about this.
You've been—
It was at a restaurant. That's right. An old-style video camera came under the door, pointed at me.
No.
Oh my God.
Welcome to America, everybody. That's my experience. It's like, oh, shit.
Well, that would never happen in Canada.
It's not that the Canadian design of the toilet stalls are any different, but a Canadian would never do that.
One would hope.
Okay, so what would happen? What would Twitter do then?
Okay, Twitter would just take it down, say, oh, you're absolutely right, we will remove this for you. That was what they were promising to do about a week ago.
And just to be clear, Twitter's rules already prohibited the posting of private information like addresses, phone numbers, and medical records.
And just to be clear, Twitter's rules already prohibited the posting of private information like addresses, phone numbers, and medical records.
If I did something incriminating that was newsworthy, if for instance I went up to Boris Johnson and I slapped him with a custard pie or something like that.
People were sharing that and I decided I didn't want people to share it. Would I then be able to say to Twitter, "Ah, could you remove all of that off Twitter, please?
I don't want that spreading around."
People were sharing that and I decided I didn't want people to share it. Would I then be able to say to Twitter, "Ah, could you remove all of that off Twitter, please?
I don't want that spreading around."
Yeah, no, so interesting because it notes that the policy is not applicable to media featuring public figures or individuals when the media and accompanying tweet are shared to the public.
You know, basically, if Twitter deems that the video or picture is of public interest and adds value to public discourse, they will allow it.
You know, basically, if Twitter deems that the video or picture is of public interest and adds value to public discourse, they will allow it.
Oh, this is such a slippery slope. This is so— what about all the people that record the police officers in the U.S.?
Right?
Can the police officer then go and say, "Please take this down"? And what's considered media? Is it somebody's phone, or do you have to have badge credential that you're media?
And what about if someone constructed some ASCII art of somebody? Would that be something which they'd have to take down rather than a photograph?
Wow. I think that's gonna be a real problem that we have to watch out for.
I have a question for you Twitter users on this, okay? So say someone leaked the famous pee pee tapes online, alleged famous pee pee tapes online.
Oh, from the Moscow hotel room.
Yes.
Right.
And say Mr. Trumpy, who is, as far as I know, currently a non-Twitter user due to being banned from Twitter.
Right.
Would he be able to complain and request the takedown? Because how does Twitter verify his authenticity?
Well, yeah, I see what you mean.
Basically, if you're on Twitter, you'll be able to take down pictures, but if you're not— and maybe you have to be a verified user of Twitter.
That was the other question I might have. Maybe you might get extra service there, right? Because they definitely know who you are.
That was the other question I might have. Maybe you might get extra service there, right? Because they definitely know who you are.
It could be argued that such a tape would be of public interest, even though no one would really want—
I am not interested in the pee-pee tape.
No, but the existence of it, proof of the existence of it.
I don't need to see it.
No, but no, I agree. Look, no one wants to see— and by the way, it wasn't him doing the pee-peeing.
I have no idea. I don't want to talk about the pee-pee. I was just—
It was hired ladies apparently were alleged to be the ones who did the weeding.
It's already too much.
All right. Anyway, the thing— the point is that I think the existence of such a tape would be of public interest and it would be judged as such.
Okay.
So Twitter says the rule, this new rule, would help, quote, curb the misuse of media to harass, intimidate, and reveal the identities of private individuals "Which disproportionately impact women, activists, dissidents, and members of minority communities." Well, that's the thing, because there are people who post up pictures of minority groups or women and say vile things.
So Twitter says the rule, this new rule, would help, quote, curb the misuse of media to harass, intimidate, and reveal the identities of private individuals "Which disproportionately impact women, activists, dissidents, and members of minority communities." Well, that's the thing, because there are people who post up pictures of minority groups or women and say vile things.
And there should be some way of just saying, "Oh, for goodness' sake, can we put a stop to this?"
This is where I thought you might do your catchphrase, you know? "What could possibly go wrong?" Sorry, whose voice is that? Sorry, it was yours.
Oh.
So for me it'd be like, how do you police it, right? Or if it's misused. And that happened very quickly.
So it seems that activists are reporting that members of the far right are using this very policy to have accounts identifying them suspended.
I don't know if this is definition of irony. I know you guys are probably smarter than me. Dinah, you went to my alma mater. Graham, that's university.
So it seems that activists are reporting that members of the far right are using this very policy to have accounts identifying them suspended.
I don't know if this is definition of irony. I know you guys are probably smarter than me. Dinah, you went to my alma mater. Graham, that's university.
That's right.
All right, thank you. What do you mean identifying them? You mean accounts which have doxxing them?
So in the days following the introduction of the new policy, a group of far-right activists reportedly began urging their followers on services like Telegram and Gab to file reports against anti-extremist accounts.
As far as I'm reading, it includes researchers, journalists, activists.
The Washington Post says that these far-right activists were coaching followers on how to use the new Twitter rule to persuade the social media platform to remove photos of them posted by anti-extremism researchers and journalists.
As far as I'm reading, it includes researchers, journalists, activists.
The Washington Post says that these far-right activists were coaching followers on how to use the new Twitter rule to persuade the social media platform to remove photos of them posted by anti-extremism researchers and journalists.
Yeah, because social media was being used after the January 6th riots, wasn't it, at the Capitol, to identify individuals.
Although we saw it earlier, way earlier, the Boston Marathon, we saw loads of people.
So due to the new privacy policy at Twitter, things now unexpectedly work in our favor, a far-right sympathizer wrote to followers on Telegram. And this is last Wednesday.
He included a list of nearly 50 Twitter accounts and urged people to report them for suspension under the new rule.
Another far-right activist shared tips on how to find potentially reportable images using Twitter search queries such as images Fascist Exposed.
Washington Post interviewed Gwen Snyder. She's an anti-fascist researcher and organizer in Philadelphia. You mentioned Philadelphia earlier, Dinah.
And Snyder's Twitter account was suspended early Thursday after someone reported a 2019 tweet of hers.
So this means Twitter weren't clear that this goes from this day forward, right? This is from all time.
So due to the new privacy policy at Twitter, things now unexpectedly work in our favor, a far-right sympathizer wrote to followers on Telegram. And this is last Wednesday.
He included a list of nearly 50 Twitter accounts and urged people to report them for suspension under the new rule.
Another far-right activist shared tips on how to find potentially reportable images using Twitter search queries such as images Fascist Exposed.
Washington Post interviewed Gwen Snyder. She's an anti-fascist researcher and organizer in Philadelphia. You mentioned Philadelphia earlier, Dinah.
And Snyder's Twitter account was suspended early Thursday after someone reported a 2019 tweet of hers.
So this means Twitter weren't clear that this goes from this day forward, right? This is from all time.
Oh, really?
Well, isn't that interesting that someone reported a 2019 tweet of her showing photos of a local mayoral candidate attending a public rally alongside the Proud Boys?
You know what, I think maybe that should be the way it is.
I think maybe if you're going to set a rule as to what is acceptable to post on Twitter, maybe you should be able to go back in time and say, actually, we've decided we're going to delete that old tweet because it's broken our rules.
I think maybe if you're going to set a rule as to what is acceptable to post on Twitter, maybe you should be able to go back in time and say, actually, we've decided we're going to delete that old tweet because it's broken our rules.
Okay, do you think that Twitter have the manpower or the resources to manage this if it's for all time since they became—
Well, they could hire these 900 people who've just been let go from Better.com.
That won't make a dent, dude.
It's huge. Yeah, who gets to decide which things get taken off and which stay on? Brutal.
Because one time I had my— I don't even know what I did, but my Instagram account all of a sudden wouldn't let me post for 30 days.
And I was like, I can't— there's no way to tell them.
Because one time I had my— I don't even know what I did, but my Instagram account all of a sudden wouldn't let me post for 30 days.
And I was like, I can't— there's no way to tell them.
What did you do, Dinah?
I don't know.
I posted a whole bunch on one day, but it could just be that somebody didn't like the message I was sending and then said I was doing something nefarious when really I wasn't.
But there's no way to get it back. You just have to wait the 30 days out. It's horrible. You can't get a contact with anyone.
I posted a whole bunch on one day, but it could just be that somebody didn't like the message I was sending and then said I was doing something nefarious when really I wasn't.
But there's no way to get it back. You just have to wait the 30 days out. It's horrible. You can't get a contact with anyone.
And can you imagine if you're a small business utterly dependent upon these services and you get blocked? Right, you're screwed.
Yeah, exactly.
So Graham, Twitter lover. Dinah, Twitter lover user. Did Twitter bite off more than it could chew with this new rule, do you think?
Oh, it always does. It's always shooting itself in the foot, isn't it?
Or is it shooting for the stars? Yeah, that's shooting for the stars.
No.
Well, I think it's trying to do a good thing. I think it's trying to differentiate itself from Facebook. Of course it is, but— Sorry, Meta. Meta.
Ugh. It's between a rock and a hard place, isn't it? These sort of things are so difficult to do. You're never going to win, really, are you?
And you can put in some rules which on the— at first glance appear really good, but of course there are always ways to abuse them and to use them in other ways.
They just end up in this humongous mess. I think we should just probably shut down everything.
And you can put in some rules which on the— at first glance appear really good, but of course there are always ways to abuse them and to use them in other ways.
They just end up in this humongous mess. I think we should just probably shut down everything.
I don't blame Twitter though on this. I kind of just think people are taking the piss. I don't think it's their intention. I think the intention was good. It just maybe—
They didn't think through how it would get implemented and how it would be used, right? And I think that's something that big tech does a lot, right?
They think of the really positive outcome of what their technology can do and they don't, They choose often not to think about what bad could be done with it, or they're just being very idealistic and they don't even consider it.
They think of the really positive outcome of what their technology can do and they don't, They choose often not to think about what bad could be done with it, or they're just being very idealistic and they don't even consider it.
I think they just look at the algorithm. They just think, "I can code around this." And there are some things you can't code around because you're dealing with fleshy human beings.
Yeah, exactly.
Graham, you must be crying because Jack Dorsey's leaving soon and you love Twitter. And aren't you worried about its future?
I don't care about Jack Dorsey.
What I want is I want to pay for a Twitter account so I don't have any ads, I don't have any messing around with my timeline, and I can use Twitter the way that I want to use it.
So I'd be very happy. If you're listening, whoever's in charge now.
What I want is I want to pay for a Twitter account so I don't have any ads, I don't have any messing around with my timeline, and I can use Twitter the way that I want to use it.
So I'd be very happy. If you're listening, whoever's in charge now.
Fading to black. Fading to black. Fading to black.
It's that time again when we're all thinking about plans for the upcoming year. Does your plan include making your team more productive and secure?
100,000 businesses use 1Password to secure employees at scale by encrypting their passwords and sensitive information and helping them get more done faster.
That's why for a limited time only, new customers can get 25% off the first year of 1Password Business and find out how 1Password can boost productivity while protecting their most sensitive data.
But you better act fast. This deal is only good until December 16th, 2021. Find out more and claim your discount at 1password.com. And thanks to 1Password for supporting the show.
100,000 businesses use 1Password to secure employees at scale by encrypting their passwords and sensitive information and helping them get more done faster.
That's why for a limited time only, new customers can get 25% off the first year of 1Password Business and find out how 1Password can boost productivity while protecting their most sensitive data.
But you better act fast. This deal is only good until December 16th, 2021. Find out more and claim your discount at 1password.com. And thanks to 1Password for supporting the show.
We are also sponsored by Uptycs. Uptycs is a cloud-native security analytics platform built to protect the modern attack surface.
Uptycs zeroes in on blind spots that are preventing you from identifying and responding to existing threats and vulnerabilities in your ecosystem.
Plus, Uptycs normalizes telemetry across macOS, Linux, Windows, and containers, records system activity for historical investigation even when no alert has fired, and enables you to build complex custom detections.
In short, Uptycs provides observability across both cloud workloads and endpoints in a single centralized platform.
Visit smashingsecurity.com/uptycs, that's U-P-T-Y-C-S, to learn more about its cloud-native security analytics platform. And thanks to Uptycs for sponsoring the show.
Uptycs zeroes in on blind spots that are preventing you from identifying and responding to existing threats and vulnerabilities in your ecosystem.
Plus, Uptycs normalizes telemetry across macOS, Linux, Windows, and containers, records system activity for historical investigation even when no alert has fired, and enables you to build complex custom detections.
In short, Uptycs provides observability across both cloud workloads and endpoints in a single centralized platform.
Visit smashingsecurity.com/uptycs, that's U-P-T-Y-C-S, to learn more about its cloud-native security analytics platform. And thanks to Uptycs for sponsoring the show.
And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
Better not be.
Well, my Pick of the Week this week is not security related. In these simple days of mostly staying at home, I've been finding new ways to amuse myself.
Oh, that sounds a bit perverted. Jesus.
I did not join this chat for this.
Aren't you lucky?
Free.
I'm feeling very lucky right now, yeah.
And one of the things that I have been doing, I've been occasionally engaging in the odd little crossword. And— Shut up. I have, I have.
Cryptic crosswords? Proper ones?
Well, that's the thing, Carole. I haven't had— But you know, sometimes it's been cryptic. Quite often it's been the quick one as well. So earlier I only had 20 minutes spare.
So I did a quick crossword from The Guardian. And I thought, this is a lot of fun. So I was doing this, and there was one where I was completely stumped.
And I thought, what's the answer to that? I just can't work out what would fit in.
And I found out that The Guardian had a little webpage, a very slick webpage where they put the answer, but you can type in your answers and you can press a button and it'll say, "Eh-eh," or it will even, if you want, reveal an answer to you as well.
And I thought, "This is terrific." And then I found out that they had an app as well where I could see not only today's crosswords, but thousands and thousands of other crosswords, cryptic ones, Quiptic, which are cryptic puzzles for beginners.
I would argue actually, Carole, that cryptic puzzles sometimes are easier than the quick puzzles, the quick crosswords.
Because with cryptic, you know if you've got it right and you don't always know that with the quick. Sudoku as well. Anyway, they've got loads of them.
There's an app, you can try it out for 14 days for free. You can carry on using it with one and just do one crossword a day for free forever if you want, or you can pay some money.
But if you pay some money, you can also, if you have an online chum, you can actually complete the crosswords together, which is a lovely thing to do.
So I did a quick crossword from The Guardian. And I thought, this is a lot of fun. So I was doing this, and there was one where I was completely stumped.
And I thought, what's the answer to that? I just can't work out what would fit in.
And I found out that The Guardian had a little webpage, a very slick webpage where they put the answer, but you can type in your answers and you can press a button and it'll say, "Eh-eh," or it will even, if you want, reveal an answer to you as well.
And I thought, "This is terrific." And then I found out that they had an app as well where I could see not only today's crosswords, but thousands and thousands of other crosswords, cryptic ones, Quiptic, which are cryptic puzzles for beginners.
I would argue actually, Carole, that cryptic puzzles sometimes are easier than the quick puzzles, the quick crosswords.
Because with cryptic, you know if you've got it right and you don't always know that with the quick. Sudoku as well. Anyway, they've got loads of them.
There's an app, you can try it out for 14 days for free. You can carry on using it with one and just do one crossword a day for free forever if you want, or you can pay some money.
But if you pay some money, you can also, if you have an online chum, you can actually complete the crosswords together, which is a lovely thing to do.
You're getting help from somebody else. Someone else is basically coming up with all the hard ones.
And so that is my pick of the week, The Guardian crossword and The Guardian crossword app.
Can I just tell you, The Observer one is way easier. This might be a place to start.
Yeah, I've done The Observer one as well, 'cause I was—
Oh, right. Have you completed any?
The Observer is The Guardian on Sunday, isn't it? It's the Sunday edition.
Probably. A little bit easier.
Yes, I have completed some of them. Mm-hmm. Thank you. Mm-hmm.
Have we lost Dinah?
No, I'm still here.
You're just, "Fuck the crosswords, who cares?"
I can do that in my sleep, she's thinking.
No, no, what I'm thinking is, I can't think of something more mind-numbing to do than trying to do a crossword.
Yeah. But I enjoy having my mind numbed. I enjoy that. I enjoy the— I'm slow. I'm peaceful. I'm my Werther's Original. I enjoy something. I don't want any big shocks.
Don't want any rude language. Dinah, what's your pick of the week?
Don't want any rude language. Dinah, what's your pick of the week?
Okay, so last few episodes, you know, Carole had pick of the year. You had, what was it, pick of the century or something with the Beatles thing?
It's always bigger.
I'm going with pick of the pandemic. So during the pandemic in Canada, we were locked down for a long time, a very long time.
And it's just my daughter and my husband and I, and we needed some laughs. And a friend of mine said, hey, check out this show Taskmaster.
Now you have to understand, I know this is huge in the UK, but nobody knows about it in North America. It's not a big named thing at all in North America.
So my husband says, okay, well, watch the first episode, see if you like it, and then we can watch it together. So I start watching it, and I start laughing hysterically.
And my daughter, my poor 12-year-old daughter at the time, comes down the stairs trying to fall asleep.
And she's "Mom, what are you laughing at?" And I'm "you got to see this." And it's the first episode ever where Tim Key is losing watermelon out of his face.
And we just died laughing.
And it's just my daughter and my husband and I, and we needed some laughs. And a friend of mine said, hey, check out this show Taskmaster.
Now you have to understand, I know this is huge in the UK, but nobody knows about it in North America. It's not a big named thing at all in North America.
So my husband says, okay, well, watch the first episode, see if you like it, and then we can watch it together. So I start watching it, and I start laughing hysterically.
And my daughter, my poor 12-year-old daughter at the time, comes down the stairs trying to fall asleep.
And she's "Mom, what are you laughing at?" And I'm "you got to see this." And it's the first episode ever where Tim Key is losing watermelon out of his face.
And we just died laughing.
Dinah, do you want to explain what Taskmaster is all about, for people who haven't seen it?
Absolutely. So it's basically a task show for comedians.
So they get five or six comedians and they've got the taskmaster, which is Greg Davies and Alex Horne, who is his little helper.
And they do all of these random tasks and then they have a show where they then show each other what they did and Greg Davies rates them and gives them points very arbitrarily.
And so the best shows for me are the ones where they try to cheat and figure out a way to convince Greg Davies that they're not actually cheating. But we laughed hysterically.
Gave us a laugh every single time. And last year at Christmas, it was the first time we could not spend Christmas with my sister and her kids, and that was very difficult.
And so my daughter was super into this, and I kind of said to her, "Well, what if we did our own Taskmaster?" And she was "what?" And I was "yeah, let's do our own Taskmaster."
So they get five or six comedians and they've got the taskmaster, which is Greg Davies and Alex Horne, who is his little helper.
And they do all of these random tasks and then they have a show where they then show each other what they did and Greg Davies rates them and gives them points very arbitrarily.
And so the best shows for me are the ones where they try to cheat and figure out a way to convince Greg Davies that they're not actually cheating. But we laughed hysterically.
Gave us a laugh every single time. And last year at Christmas, it was the first time we could not spend Christmas with my sister and her kids, and that was very difficult.
And so my daughter was super into this, and I kind of said to her, "Well, what if we did our own Taskmaster?" And she was "what?" And I was "yeah, let's do our own Taskmaster."
Do you want to be the Taskmaster?
So she said yes. So she was the Taskmaster, and myself and my husband and my mom and my dad, we were the contestants. And this child just told us a list of things we had to buy.
I was getting a little bit scared when on the list was shaving cream and sour cream.
I was "what are those for?" And so I thought she'd give us ten tasks and they would take a few minutes each. Oh no, this child really thought this through.
So first we, of course, we did the task where you have to bring something shiny. And then we did, you had to make slime. And she knows I hate slime. I hate it. It's so yucky and gross.
And she made us make it.
But the pièce de résistance was the third task in which she pairs us up into teams, and then she goes, "make me my favorite dessert." So she conned us into making her desserts.
I was getting a little bit scared when on the list was shaving cream and sour cream.
I was "what are those for?" And so I thought she'd give us ten tasks and they would take a few minutes each. Oh no, this child really thought this through.
So first we, of course, we did the task where you have to bring something shiny. And then we did, you had to make slime. And she knows I hate slime. I hate it. It's so yucky and gross.
And she made us make it.
But the pièce de résistance was the third task in which she pairs us up into teams, and then she goes, "make me my favorite dessert." So she conned us into making her desserts.
She's a smart kid.
So anyway, we ended up watching all 11 seasons. Frustratingly, right now we cannot watch the 12th season because it's not available in Canada.
If you're in North America or someplace else, you can watch seasons 1 through 11 on YouTube for free. But I don't know when or if they're going to release season 12.
And then quite hilariously, my office is now doing this.
And so I have just become another participant of Taskmaster for a secret little Christmas show we're doing for our team at Arctic Wolf. And I got roped in again. But it's great fun.
Every single show resulted in a laugh. Every single show.
If you're in North America or someplace else, you can watch seasons 1 through 11 on YouTube for free. But I don't know when or if they're going to release season 12.
And then quite hilariously, my office is now doing this.
And so I have just become another participant of Taskmaster for a secret little Christmas show we're doing for our team at Arctic Wolf. And I got roped in again. But it's great fun.
Every single show resulted in a laugh. Every single show.
Yeah, yeah, yeah. No, I can vouch for Taskmaster. It's a great show.
I think my husband's actually an amalgamation of Alex and Greg Davies, and they have a love child, and that's my husband, literally.
I think my husband's actually an amalgamation of Alex and Greg Davies, and they have a love child, and that's my husband, literally.
I can totally see that. Yeah.
That's amazing.
No, but it's true.
It's true. It is true. It is.
I've never thought of it before, but there you go.
Crow, what's your pick of the week?
Okay. Mine's very wacky. Okay. User, Reddit user, Dad of Lucifer posted a link to a GitHub repo on Reddit and it tickled me so much so it's become my pick of the week.
So I'm literally going to read it. Okay. Quote, okay, so our build engineer has left for another company. The dude was literally living inside the terminal.
You know, the type of guy who loves Vim, creates diagrams in Dot, writes wiki posts in Markdown.
If something, anything requires more than 90 seconds of his time, he writes a script to automate that.
So I'm literally going to read it. Okay. Quote, okay, so our build engineer has left for another company. The dude was literally living inside the terminal.
You know, the type of guy who loves Vim, creates diagrams in Dot, writes wiki posts in Markdown.
If something, anything requires more than 90 seconds of his time, he writes a script to automate that.
Okay.
So we're sitting here looking through his, quote, legacy, unquote. Okay. Number 1, smackmybitchup.sh.
Sends a text message, "Late at work," okay, quote unquote, "Late at work," to his wife. Automatically picks reasons from an array of strings randomly.
The job fires if there are active SSH sessions on the server after 9:00 PM with his login. So he's written a script to tell his wife, "Oh, I'll be late." Number 2, kumarasshole.sh.
Scans the inbox for emails from Kumar. He was a database admin at a client's. Looks for keywords help, trouble, sorry, etc.
If keywords are found, the script SSHs into the client's server and rolls back the staging database to the latest backup, then sends a reply, no worries, mate, be careful next time.
Sends a text message, "Late at work," okay, quote unquote, "Late at work," to his wife. Automatically picks reasons from an array of strings randomly.
The job fires if there are active SSH sessions on the server after 9:00 PM with his login. So he's written a script to tell his wife, "Oh, I'll be late." Number 2, kumarasshole.sh.
Scans the inbox for emails from Kumar. He was a database admin at a client's. Looks for keywords help, trouble, sorry, etc.
If keywords are found, the script SSHs into the client's server and rolls back the staging database to the latest backup, then sends a reply, no worries, mate, be careful next time.
Oh my God, how many times did that guy contact him? Right?
Okay, I've got two more. Number 3, hangover.sh. Another cron job that is set to specific dates.
Sends automated emails, quote, not feeling well slash gonna work from home, unquote, et cetera. Adds a random reason from another predefined array of strings.
Fires if there's no interactive sessions on the server at 8:45 AM. So if he's late, he just has a random, he just doesn't have to get up and tell anybody.
It just automatically happens.
Sends automated emails, quote, not feeling well slash gonna work from home, unquote, et cetera. Adds a random reason from another predefined array of strings.
Fires if there's no interactive sessions on the server at 8:45 AM. So if he's late, he just has a random, he just doesn't have to get up and tell anybody.
It just automatically happens.
If he's sick, he just sleeps in, doesn't worry about it, knows the notification's going out.
Genius.
And the Oscar, this is all written in this GitHub link, fucking-coffee.sh. This one waits exactly 17 seconds, then opens the Telnet sessions to our coffee machine.
We had no fricking idea the coffee machine was even on the network. Runs Linux and has a TCP socket up and running.
And sends something "sys brew." Turns out this thing starts brewing a mid-sized half-caf latte and waits another 24 seconds before pouring it into a cup.
The timing is exactly how long it takes to walk from the machine to the dude's desk.
We had no fricking idea the coffee machine was even on the network. Runs Linux and has a TCP socket up and running.
And sends something "sys brew." Turns out this thing starts brewing a mid-sized half-caf latte and waits another 24 seconds before pouring it into a cup.
The timing is exactly how long it takes to walk from the machine to the dude's desk.
That's genius. That's amazing. That's amazing.
Listeners, I have provided the links you require to see this and many more scripts that this particular individual apparently wrote. If nothing, it will make you laugh.
So that is my pick of the week.
So that is my pick of the week.
Very fun. Well, that just about wraps up the show for this week. Dinah, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
Yep, on Twitter @dinah_davis or on LinkedIn @dinah_davis.
Super. And you can follow us on Twitter @SmashingSecurity, no G, Twitter.com/smashingsecurity. And we've also got a Smashing Security subreddit.
And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.
And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.
Huge shout out to this episode's sponsors, the fabulous 1Password and Upticks, and to our wonderful Patreon community. It's thanks to them all this show is free.
For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 254-ish episodes, check out smashingsecurity.com.
For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 254-ish episodes, check out smashingsecurity.com.
Until next time, cheerio, bye-bye. Bye.
Bye.
Carole, I may have made a slight error.
Okay, where?
With my audio recording at my end.
Right, and you also dropped off ours, so great.
Yeah, so I'm hoping Zoom got the first half of the recording before I dropped off.
Fantastic. I will stop recording and let's keep our fingers crossed. Note my tone. Note my tone. Very calm. Very calm. And this is about 12 hours later. I've just finishing up the edit.
And we've made it despite audio snafus. Technology saw us through. So I gotta say it, high five to Zoom.
And we've made it despite audio snafus. Technology saw us through. So I gotta say it, high five to Zoom.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
Dinah Davis – @Dinah_Davis
Show notes:
- CEO of US mortgage company fires 900 employees on a Zoom call — YouTube.
- Better.com Zoom firing: Employees share what it was like — CNN.
- Antiwork subreddit — Reddit.
- Hackers Are Spamming Businesses’ Receipt Printers With ‘Antiwork’ Manifestos — Motherboard Vice.
- Hackers are spamming printers with 'antiwork' slogans — Metro.
- How To Get Back At Your Annoyingly Loud Neighbors — Dumpaday.
- Attention Shoppers: Internet Is Open — The New York Times.
- A Brief History of E-commerce — Michael Tefula.
- NetMarket.
- Global retail e-commerce market size 2014-2023 — Statista.
- Ecommerce Fraud Prevention: How To Protect Your Online Store — Big Commerce.
- How to Secure Your E-Commerce Website: 6 Basic Steps — PC Magazine.
- How to Secure Your eCommerce Website: 7 Tips — MailMunch.
- Twitter Will Take Down Pictures of People Posted Without Their Permission — The New York Times.
- Far-right activists using Twitter new rule against anti-extremist researchers — The Washington Post.
- Far-right target critics with Twitter's new media policy — BBC News.
- The Guardian Crosswords.
- Guardian Puzzles & Crosswords for iOS — iOS App Store.
- Guardian Puzzles & Crosswords for Android — Google Play store.
- Now that's what I call a Hacker — Jitbit.
- Taskmaster — YouTube.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff
- Support us on Patreon!
Sponsor: 1Password
It’s that time again when we’re all thinking about plans for the upcoming year. Does your plan include making your team more productive and secure?
100,000 businesses use 1Password to secure employees at scale by encrypting their passwords and sensitive information and helping them get more done, faster.
That’s why, for a limited time only, new customers can get 25% off the first year of 1Password Business and find out how 1Password can boost productivity while protecting their most sensitive data.
Act fast! This deal is only good until December 16, 2021. Find out more and claim your discount at 1password.com
Sponsor: Uptycs
Uptycs is a cloud-native security analytics platform built to protect the modern attack surface.
Uptycs zeros in on the blind spots that are preventing you from rapidly identifying and responding to existing threats and vulnerabilities in your ecosystem.
Uptycs normalizes telemetry from across macOS, Linux, Windows, and containers; records system activity for historical investigation even when no alert has fired; and enables you to build complex custom detections in addition to its industry-leading MITRE ATT&CK mapping.
Uptycs provides observability across both cloud workloads and endpoints in a single centralized platform.
Find out more and try it for free at uptycs.com
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
