
Clearview AI receives something of a slap in the face, and who is wrestling over an internet wormhole?
All this and more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
And don’t miss our featured interview with Artur Kane of GoodAccess.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
They couldn't believe their luck because they thought, fifty thousand dollars? Nothing. That's nothing. That's probably in the bottom of my shoe somewhere. Hold on. Yes, it is. There's probably someone snorting that in the corporate bathroom right now.
Smashing Security, episode 274. Hands off my biometrics and a wormhole squirmish, with Carole Theriault and Graham Cluley.
Hello, hello and welcome to Smashing Security, episode 274. My name's Graham Cluley.
It's the stupid guest's fault.
Well, no, it's his employer. Yes. Who's unfortunately dumped a whole load of work on them at the last moment. We will get them on at some point. One day. It will. It'll probably be better, actually.
Probably. Now, why don't we thank this week's sponsors, Kolide, Rumble and Good Access. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
I'm going to be master of my own domain. Okay. And I'm just going to ask, how legal is the whole face printing thing?
Now, chum chum, remember Carl Sagan? Carl Sagan, remind me.
I may be wrong, but I seem to think that he's involved or created an album to communicate with aliens and it was being played in space. He might have done. It may have been something completely different. A listener will correct me on Twitter.
He was an extraordinary American author and science communicator that everyone apart from you looked up to and admired. Okay, well, I'm maybe too young. My age and younger probably don't know him.
Anyway, he had fans around the world, including computer engineer Dick Merriman. And Dick Merriman, back in 1994, was watching Carl Sagan's famous TV show, which is called Cosmos, with his wife, Linda. That's Dick's wife, Linda, not Carl Sagan's wife. And now Carl Sagan, he wrote the book Contact in the mid-1980s. Is that the one with Jodie Foster? I've never seen it.
The movie, not the book. Well, He wrote the book. Right, right, right.
No. Really? Look it up for themselves. Don't trust me. The most biggest concern that we all face is getting our business cards changed. You're right.
So that is the end of the story. That's the end of it. No, no, not the end of a story. Not the end because there is more. There is more to tell with this story because 28 years after Dick bought the domain wormhole.com, there are other people who are rather keen on owning it themselves. Enter an outfit called the Jump Trading Group.
Jump Trading Group. Okay, this is crypto again, isn't it? Is this crypto?
Well, Jump do have a toe in the world of crypto. Yes. Amongst other things.
You're obsessed with crypto.
The whole world is crypto. I'm not. Jump says that they are building the next frontier in crypto infrastructure. They are the firm that is a significant player in the decentralized finance space. And one of the things that they run is a crypto platform called...
Wormhole. And they want to own wormhole.com. So this is a domain fight.
Yeah, this is a domain fight. Now, you might have heard of this Wormhole company because earlier this year, it suffered a $320 million blockchain hack. Yes, it was huge. But it was unlike just about every other crypto hack because after Wormhole got hacked, the people who lost all their money actually got their money back. Because Jump, the owners of Wormhole, did this extraordinary thing of replacing all the stolen funds because it has quite a lot of money in its back pocket. So it just, it didn't want to upset people. It didn't want them running off.
So they just said, oh, there's 320 million, no problem. Let me just get that out of my piggy bank.
Exactly. Which is pretty unusual, I think you'd agree. It replaced all the stolen funds. I mean, it's the way it should be but you know, so I think it's fair to say that Jump and Wormhole the company have got a few quid.
No shit. Well not maybe not anymore.
Well had a few quid yeah, but what they don't have is a good domain name because Wormhole the company hangs out at wormholenetwork.com.
Well they could have probably done better than that.
Wormhole with the O being a zero, maybe. Something like that. Anyway, Wormhole may be a hot name in the world of crypto, but anyone who visits, of course, Wormhole.com sees Dick Merriman's tribute to Carl Sagan and Wormholes. Whereas Wormhole, the company, says, well, we are the best of blockchains. That's what you see when you go to their site.
And we got a lot of Wonga. Maybe not now, but we did.
Yes. A lot of it's gone down the plug hole, if not the wormhole. So Wormhole obviously think there's a future in their business, and they really want to own the domain wormhole.com. So I've now set the scene. In June 2021, someone at Jump approached Dick Merriman via a third-party domain broker, and they made him an offer for wormhole.com. Now, considering that they had $320 million burning a hole in their pockets not so very long ago, how much do you think they were prepared to pay for the domain?
No idea. I mean, it's a negotiation, right? This is a site that hasn't been touched in decades. What would you offer? Five grand?
They offered $2,500. Dick Merriman, he got the request. He wasn't impressed. He thought, $2,500. So he responded to the intermediary domain haggling service. And apparently he said, the price for wormhole.com is a firm $50,000. He said, that's what he was prepared to accept, he said. And Jump couldn't believe their luck because they thought $50,000. Brilliant. That's nothing. That's probably in the bottom of my shoe somewhere.
Hold on. Yes, it is.
Yeah. There's probably someone snorting that in the corporate bathroom right now. Fantastic. So Wormhole, the company, pressed the button to say accept, and the domain broking service marked the deal status as agreement reached, and the process of transferring the domain began from Dick to Wormhole. Oh, no. It didn't. Because Dick Merriman, who over the course of some days, kept receiving messages from the domain broker service, asking him to set up his account and initiate the transfer in exchange for the payment, he began to have second thoughts. Yeah. And by mid-July, having not responded for quite some time, he said, nope, sorry, changed my mind. This was too easy. I'm either leaving a lot of money on the table or this is a scam. Either way, not for sale. If you want to make a reasonable offer, then you're encouraged to do so.
Okay. This annoys me, I think. It annoys me because if you say to someone, what would you like for this? And they give you a number. And you meet that number. Shouldn't that be okay, we're all handshake, handshakes.
I don't know. I mean, I think people have the right to say, I've changed my mind. Shouldn't they? It's difficult, isn't it?
Yeah, totally. Everyone should have a cooling off period. I agree, actually. Everyone should have a cooling off period of anything. And let's remember Dick. But he signed everything and then said nothing for six weeks.
Yeah, I mean, well, what he did was when he was first offered $2,500, he said, no way, $50,000 or whatever. Then we're talking. And they came back with $50,000. Should he then have had to say, OK? No, because the way they would have tricked him, if they would have gone back and gone, "Ha ha ha, $50,000, are you crazy? No way." And then he would have gone, "OK, what about $40,000?" And then you would have been on the train. They just bit too soon. It's just bad negotiation tactics, really. So he thinks there's more money there. Right. And he's saying, "No, I'm not going to sell it for $50,000. You're either scamming me or I could be asking for a little more."
I mean, yeah, they're already 320 million out of pocket. So I get it, right? That hack actually happened later. That hack happened this year. This is still mid last year, right? So now they're playing just, they're just going, "And let's just twist the knife." OK, yeah, no, I don't them anymore. I don't wormhole anymore. Right, right. Now, Dick, according to media reports, he says he's now giving up. He spoke to a lawyer. The lawyer said, "Oh, I'm not interested in taking on this case." And so Dick has accepted. He has to throw in the towel and accept, whether he likes it or not, the offer of $50,000. He did sign. Well. And he didn't complain within a short period, a cooling off period.
Well, I don't know if there was a cooling off period.
No, but there would. I mean, you could argue that there should be, right? That would have been maybe illegal. He doesn't remember ever signing up for this domain brokering service, which maybe he did do years and years and years ago, just out of curiosity to see what people would offer him. Apparently, Carl Sagan's estate once inquired about the domain as well. And he offered to give it to them for free because he loves Carl Sagan. And then they decided they didn't want it after all. They wanted to use it for a particular project.
I think it was they were on the phone or in person, right? Did he sign his name to something saying yes, an agreement was reached?
This would all have been on the internet. Well, then, yeah. If he put on his electronic signature, I don't know. Really, really great story, Graham. Yes, that's my problem. Well, I've noticed some things. I just don't you occasionally. It's different.
You might remember, Graham, we discussed in the past facial recognition company Clearview AI.
Yes.
Yeah. For our listeners, this is the software database company of more than 3 billion plus images of faces scraped from websites Facebook, Instagram, LinkedIn, Twitter, that sort of thing.
As I recall from past episodes, they had some kind of app, which you could buy at a vast price or had special access to, where you could go to a bar, scan someone's face from across the room, and it would give you their name and all their social networking. You'd know lots of information about people. It was horrible. Yeah, yeah. Literally, you can present a picture of anybody, and presto, it identifies the right person. In fact, the company claims that it's 100% accurate, although some reporters have witnessed the software misidentify some people. Oh, that's a good point. And I once used one of those things where you upload your photograph and it says, "We will find your celebrity twin." So I was interested in that and I uploaded it myself. And it told me Henry Kissinger.
Oh, really?
Yes.
Oh, my God. I wouldn't want to know what it would give me. Yeah, it's terrifying, isn't it? Terrifying! Yeah. So, other people thought like us and thought this isn't great, like the ACLU of Illinois and friends. And many of these, the friends representing people who've been face-printed by Clearview without their consent. Oh, thank goodness. I thought you were going to say we have to talk about Piers Morgan or something. No, no, no. That was the first thought I had. No, no, no. Just so people understand. So, you know, we have an international audience. How does, not living in the United States, I don't, I mean, I find it hard to get my head around these sort of two levels of laws and things. How does it happen? How does it work out with things like data? I totally see what you mean. I think it's a complete nightmare. I think it is really a complete nightmare because every single state. So the police and co, they will be able to access this data still for law enforcement purposes. Is that right? Yes. So the wording is very interesting, right, on who is going to have access. So it's certain businesses, most businesses, but they're not detailing which ones. But we do know that Clearview AI certainly boasts that they represent or they have 3,100 U.S. agencies using their software, including FBI and the DOJ or the Department of Homeland Security. Yes, but if you're American, you probably think there's a lot of things you're allowed to do in Canada and Australia and the UK which are illegal back in the good old US of A, and they probably can't believe that we allow certain things. I don't know what, you know, things like stretching owls or something or juggling yogurts.
Yeah. I mean, I know there are some countries that are very, very excited about having this software, right? But it's kind of cool that some countries are banning it. And I don't know. I mean, what's good about this? I can see identifying bodies that you can identify might be a useful use. That's the only thing I can... Finding family...
I've got bits of my body I'd love to identify. I can't work out what they might be.
Well, my pick of the week will help with that.
Oh, okay. Curious. I'll stay tuned. Do you know what assets are connected to your network? Most organisations don't. For your security programme to be effective, you need an inventory of all your devices so you can make critical decisions fast. Well, Rumble was made by the creator of Metasploit, which explains why it finds many devices that other solutions miss, including orphaned machines running outdated operating systems. Quickly find systems affected by the latest security news. Just think of Log4J, SolarWinds and Kaspersky. It can even tell you which machines are missing endpoint protection from your local network all the way to the cloud. Sign up for a free trial and build your asset inventory in minutes. Get your trial at rumble.run. That's rumble.run. And thanks to Rumble for supporting the show.
So we all know that users these days sometimes have to connect from an unsecured network using any device they have at hand. And companies have no control over the device, applications, clouds, and the infrastructure that connects it all together. This rapid shift in online work created security gaps that bad actors use to the full. And most importantly, companies need to emphasize the reduction of risk of a data breach if a user's credentials are stolen. This is why you need to check out Good Access. This is a global company based in the Czech Republic with a proven 10-year track record. They are a bunch of security enthusiasts dedicated to delivering anytime, anywhere secure remote access for small and medium sized businesses worldwide. And this begins with a free Good Access starter product for unlimited usage by up to 100 employees. Yes, you heard right. 100 employees. Learn more at smashingsecurity.com forward slash Good Access. And big thank yous to Good Access for sponsoring the show.
Kolide sends employees important, timely and relevant security recommendations to their Linux, Mac and Windows devices right inside Slack. Kolide is perfect for organizations that care deeply about compliance and security but don't want to get there by locking down devices to the point where they become unusable. So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems. Sign up today by visiting smashingsecurity.com slash kolide. That's smashingsecurity.com slash K-O-L-I-D-E. Enter your email when prompted and you will receive a free Kolide goodie bag after your trial activates. You can try Kolide with all of its features on an unlimited number of devices for free, no credit card required. Try it out at smashingsecurity.com slash kolide. That's smashingsecurity.com slash K-O-L-I-D-E. And thanks to Kolide for supporting the show.
Adorable.
Very cleverly managed to integrate his cat into famous movie sequences presumably using some kind of green screen. I would watch this film.
Right. So what are you seeing, Carole? What are you seeing?
I'm just watching a parody of Jurassic Park. So literally it's you've got this monstrous Jurassic Park size cat. I'm going to go look, see if there's another.
Yeah. So regular movies, but with this person's cat. And I also saw some behind the scenes videos of how they make these because obviously cats do not perform on demand. And it may take quite a few takes and some very clever techniques.
I love claws. Claws for jaws. Oh, very good. You keep them coming. Graham did a whole year of board games once, so we need you.
There's a Fifty Shades of Grey. Oh, my God. Titanic, all sorts, The Shining. Anyway, lots of fun. Owl Kitty is my pick of the week. Excellent. Carole, what's your pick of the week?
Oh, Graham. Okay. I have to ask you a sensitive question. It's about your danglers. Do you think about them?
I beg your pardon. Do you think about them regularly? Are you talking about a medallion or something? I don't wear a medallion. Is that what you mean by a dangler?
Between your legs. Danglers. Do you have hopes and dreams for them?
Yes, yes. What are they? Big plans. I've always had big dreams, I tell you, as to what their future might be. Often not achieved, but it would be. What?
What role do they play?
What role do they play? Well, they have a very important role. I use them every day in a variety of ways, mostly. What? Are we talking about the same thing? I don't think so. What are you talking about? What is your problem here? What are you talking about? Put me out of my misery. Your ball sack? Oh, for God's sake, Carole. Really? Yes. I said I was being polite with the word. Well, what do you mean hopes and dreams for it?
Well, exactly. I think it's a very weird thing to say about that as well, right? I'm with you on that. What a weird question. Well, it turns out some people do. It seems that some people perhaps wonder if their danglers feel left out of the whole, you know, deep penetration testing activity that might go on north of their location. That's a bit security related. Is this a sex thing? Is this what you're talking about? Yes, yes. Well, you tell me once you see it. And someone decided that, you know, maybe they too could get in on some of that deep penetration testing activity. So I'm going to introduce you, let me introduce you to what must be the most fantastical piece of erotic paraphernalia I've ever seen, the ball-do. The ball-do. Okay, so check the link in the show notes. Let's have a look. And you can describe it to our listeners.
The world's first ball-dildo. So, how does this work? So, I'm really confused.
So, you have a piece of silicone shaped kind of like a torpedo. Yes. With two circular holes on either side of the shaft so you can smoosh in your orbs.
Yes. Wouldn't that be rather painful?
Well, yes, it turns out that yes, because journalist Eric Ravenscroft road tested this and his findings were less than satisfactory. Let me give you a few quotes here from his road test. Oh, I can see he scored it two out of ten.
I wonder why he got two.
Yes, two out of ten. This is from Wired. It's apparently, quote, it was challenging with an uncomfortably large girth, requires lubrication which impedes the application process because, you know, the things slip out, and very awkward angles.
Can I just... Journalists used to be Woodward and Bernstein right? They would investigate Watergate. They would bring down presidents. And Wired have hired someone to put his cock and balls into a bit of pink silicon, smooshing them in.
Okay, this is not what I think happened. What I think happened, he gets to work dum-da-dum-da-dum going through the press releases dum-da-dum-da-dum. Ball-do! The world's first ball dildo. And he was hello. And then asked his editor if he could do it. Wrote a great story that I actually really giggled at. I found it very fun. So if you want to read it, it's in Wired by Eric R. Ravenscroft and the world's first ball dildo. And that is my pick of the week. He calls it a Dadaist interrogation of the very concept of pleasure.
Call me Dada. All right. Well, I have questions, none of which I want to ask on the podcast.
I have not tested it. So you may want to email Eric.
I imagine, Carole, you would find it hard to test. I would hope. Well, thank goodness, at the very least, that there are vendors out there who to sponsor our podcast.
I had this really interesting chat all about VPNs with Artur Kane of GoodAccess. Check it out. Shall we crack on and see how we do? Let's do this. So, Artur Kane is a chief marketing officer at GoodAccess. This is a global company based in the Czech Republic with 10 plus years on the market. And this team at GoodAccess is made up of 50 security enthusiasts dedicating themselves to delivering anytime, anywhere, secure remote access. Very warm welcome to you, Artur. Thanks for coming on the show.
My pleasure. Great to talk to you finally, Carole. How are you today?
I'm great, thank you. I think you're the first interviewee that's ever asked me that. So thank you very much.
Well, let's make sure that we're all comfortable in our seats here.
Now, we are going to chat about all things VPNs. But first, maybe we should start with the work landscape and how it's changed from your perspective.
Well, it's changed tremendously over the past few years, obviously, since the pandemic kicked in. Most of the workers left the office and started working from home. And immediately, companies had to respond and sort of become more digital than ever and make sure all these workers and consultants can access their systems from remote and at the same time be protected. And if the company wasn't ready for that, they had to do quite a lot to, from day one, be able to operate as usual. And so what we see a lot is most of these workers and remote consultants, they tend to use whichever device is at their hand. And suddenly companies lost control over the endpoints and devices that workers use to access critical systems, which increases the potential of data loss, data breach, and other risks.
You're totally right, because you've got workers working from home. They're maybe using their own machines. They're tunneling in God knows how into the network. They're plugging in their own IoT devices and plugging into their own home network. So it's kind of a nightmare for the IT guy in charge.
And, you know, not all companies have IT guys and girls, right? So smaller companies, especially, you know, software developers and marketing consultancy firms, they don't always have IT department to take care of these things. So it's often, you know, business, C-level owner, co-founder who suddenly needs to, you know, step into the role of IT guy and do this stuff.
Exactly. Okay, so you've got these smaller companies with maybe less IT savviness available. What does this whole new landscape mean for privacy and security at the company?
I would actually start to explain the VPN-led landscape, if you allow me.
Please do.
Most of us know VPNs from the ads on YouTube, telling us that we should protect ourselves and anonymize what we do on the internet and evade surveillance. But VPN has been here for decades and bigger companies with their IT departments, with their systems hosted in data centers or more recently clouds, had to find a way how to create a secure tunnel which is encrypted to access these systems remotely. And VPNs, they served this way for many years, for decades now. The main problem with traditional VPNs, while they establish the point to site secure remote access, they usually tend to give free access to whichever site the user is connecting to. So once they get access to the VPN, to the tunnel, they can go to the data center and exploit anything that's in there. So in modern approach to VPNs and modern approach to how do we secure network traffic, privacy and data over the public internet, the concept of zero trust emerged. And zero trust essentially means not providing access to everyone everywhere, but do a use case or role-based access to whichever specific data and systems they need for their work, crucially, and lowering the potential of the business breach, if that makes sense.
Right. So what you're saying is, as well, zero trust means do not trust that the network is safe.
That's right. And do not trust the user unless they authenticate, unless they provide their identity, unless you provide sufficient rights to do whichever job they need to do necessarily, but not more than that. We can layer the security into, I would say, network, application, data, and users. So on the data side, definitely we need to check changes. We need to log access to the data for post-compromise analysis. We also need to check for malicious code. But then at the same time, when we don't have the pattern or the database of known codes, which antiviruses and IDP IPS systems use, we check for anomalies in the traffic and strange patterns that may indicate a potential security breach or an attacker trying to get in.
Right. OK, OK. So let's maybe we can pivot here. So imagine I'm a small company, right? And I'm listening to you and I'm going, yeah, I'm not I'm sure I'm a bit exposed in the stuff I do. You know, what would be my next steps? How would I go about establishing that and making this work? Is it complicated? Do I need IT guy? How does it work?
So what I suggest to smaller companies is to focus on technologies who cover most of their use case in a single dashboard. So instead of trying to deploy VPN for remote access and then working on firewall rules to restrict access and the network access control and then securing endpoints, what modern VPNs delivered from cloud as a service offer is that you sign in, create your team, you add users in there, they download client applications. With their client applications, they can get access to whichever systems they need based on zero trust principles. They're also protected from online threats, which means they carry their security, whichever device they use and wherever they connect from. It shouldn't be that hard. If it is, it's probably not the tool for you. Tell me, how is Good Access making an offer for helping people get started with VPN?
So some people I've heard say, oh, people only use VPNs if they're up to bad stuff, like streaming stuff they shouldn't be streaming and all this. What do you say to that?
That they are right. Most of the VPN market is consumer VPNs. And many of those consumers are bad actors who are trying to evade surveillance, who are trying to anonymize their service, who are trying to access applications or services that are otherwise not allowed or operating in their country. And consumers, VPNs, they create encrypted connections that conceal their identity, location and information. They provide this sort of anonymity to individual users and they do use it to bypass content restrictions. This is not the use case for business VPNs. Business VPNs create private connections that complete data privacy and sort of conceal sensitive business data from online threats and unsecured public networks. So what we do is to check whether you are a company before we give you the free product. And then we also check for activities such as abuse. So I do recommend to use BitTorrents when connected to business VPN. It is a potential security threat to the company operating the VPN. So we help them in the way that we report them such activities.
Right. Okay. So this is definitely not for the home market. This is definitely for small and medium sized businesses and as well as enterprise businesses, depending on what requirements they have.
Is there anything else that you want to touch upon?
Wow, that's very kind. Now, listeners, as Artur told us, he does have this fab giveaway if you are a small business. So please visit smashingsecurity.com/goodaccess. That's smashingsecurity.com/goodaccess and try the Good Access VPN for free for up to 100 users, no limitations, no ads, no tracking. Artur Kane, thank you so much for coming on Smashing Security. It's been a pleasure.
Thank you so much for having me. Likewise, and hopefully we'll talk soon.
Oh, that was really interesting. Well done, Carole. And thank you, Artur, for coming on the show as well. And it just about wraps up the show for this week. You can follow us on Twitter at Smashing Security. No G. Twitter wouldn't let us have a G. And we also have a Smashing Security subreddit. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify and Google Podcasts.
And massive shout out to this episode's sponsors, Kolide, Good Access and Rumble. And of course, to our wonderful Patreon community. It's thanks to them all this show is free. For episode show notes, sponsorship information, guest list, and the entire back catalogue of more than 273 episodes, check out smashingsecurity.com.
Until next time, cheerio. Bye-bye. Bye.
Do you want to redo the beginning of my pick of the week?
Why, what did I say?
Because you had no idea. Did you really not know what I was talking about?
No, I hadn't clicked on it. I couldn't understand. So with the ball-do, you actually put your balls. You shove your testes into that hole. And that then goes into your sexual partner as well as your penis. Well, whatever order. No, not your penis. What?
Not your penis. Your penis is just lying around. What?
Yes. What, off the dining room table? Where have you left your penis? Have you ever had sex? You can't detach your penis. We're not octopuses or something. Or seahorses. What's the animal? Actually, I'm not sure any animal detaches its penis.
No, there is one. There is one. Does it have its own little outboard motor or something for getting around? It just breaks it off and goes, I'm bored now. Bye. You can keep it. Keep the change. Keep the tip.
Oh, my goodness. Let's just stop recording.
Hosts:
- Graham Cluley
- Carole Theriault
Show notes:
- Carl Sagan – Cosmos – Space Travel — YouTube.
- Wormhole.com
- 'Tired' Carl Sagan Fan Sells Wormhole.com to Crypto Giant Jump for $50K After Lawsuit — Decrypt.
- ACLU vs Clearview AI — American Civil Liberties Union.
- Clearview AI Offered Free Trials To Police Around The World — Buzzfeed News.
- US State Privacy Legislation Tracker — IAPP.
- The Secretive Company That Might End Privacy as We Know It — The New York Times.
- In Big Win, Settlement Ensures Clearview AI Complies With Groundbreaking Illinois Biometric Privacy Law — American Civil Liberties Union
- OwlKitty — YouTube.
- Review: The Balldo Made Me Rethink Sex in the Most Absurd Way Possible — Wired.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
At Kolide, we believe the supposedly Average Person is the key to unlocking a new class of security detection, compliance, and threat remediation. So do the hundreds of organizations that send important security notifications to employees from Kolide’s Slack app.
Collectively, we know that organizations can dramatically lower the actual risks they will likely face with a structured, message-based approach. More importantly, they’ll be able to engage end-users to fix nuanced problems that can’t be automated.
Try Kolide Free for 14 Days; no credit card required.
GoodAccess – Free Business Cloud VPN for up to 100 Users.
Get a cloud VPN with strong network encryption and unprecedented online threat protection. No hardware. 100% free. Just create your team and enjoy GoodAccess forever.
Check it out now at smashingsecurity.com/goodaccess.
Rumble, made by the creator of Metasploit, finds many devices connected to your network that other solutions miss, including orphaned machines running outdated operating systems.
It can even tell you which machines are missing endpoint protection, from your local network to the cloud.
Sign up for a free trial and build your asset inventory in minutes. Get your trial at www.rumble.run
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.


