Ransom acts of kindness are top of our mind, as we also explore how bad bots are hogging more and more of the internet’s activity, and look at how deepfakes could be a good thing after all.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Ray [REDACTED].
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
So here's what I'm thinking. I think I would find it quite hard to round up 5 poor kids.
So you would just dress up the rich kids as poor people? That's what you would do?
This is what I'm wondering.
Oh my God.
If I was desperate to get my files back, would I think it's actually easier to go down the local amateur dramatics group and hire some people to pretend to be homeless?
Would I be able to do that?
Would I be able to do that?
Poor little Timmy.
Tiny Tim. Tiny Tim on his crutches.
That's right.
Smashing Security, Episode 277: Bad Bots, Cheeky Ransoms, and Good Deepfakes with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 277.
My name's Graham Cluley.
My name's Graham Cluley.
And I'm Carole Theriault.
And this week, Carole, we are joined by a special guest, somebody who's been on the show before. It's our great pleasure, drum roll please, to announce the return of Ray [REDACTED].
Hello, Ray. RAY [REDACTED]. Hello, hello. It is good to be back.
Hello, Ray. RAY [REDACTED]. Hello, hello. It is good to be back.
Welcome, Ray. The crowd goes wild. How you doing? RAY [REDACTED]. Thank you very much. It's good to be back. It's been too long, but I have been listening, so I am up to speed.
Good, because we would have tested you, obviously, just to make sure. In what episode did Carole call Graham a dingbat? RAY [REDACTED]. 261 through 269. That was an 8-episode arc.
Oh yeah, it was, wasn't it? It was a bumper season, that one.
We have a lot to cover today. Should we get this show on the road, boys?
Sure thing.
Let's thank this week's sponsors, Bitwarden and Kolide. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
Oh, I'm going to be talking about ransom acts of kindness. Okay.
What about you, Ray? RAY [REDACTED]. I'm going to be talking about bad, bad bots. What you gonna do?
And I'm going to be looking at some deepfake dramas. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, ransomware.
Dun dun dun.
Yeah, I know it's in the news all the time. We can't stop talking about it. How many times have we talked about this?
There's been all kinds of weird ransomware, unusual things which ransomware has done. I remember a piece of ransomware called Popcorn Time.
Sometimes I talk about it in presentations because it's quite unusual. It gives you an option when it asks you to pay the money. It says, look, you can pay us the old-fashioned way.
You can go and get yourself some bitcoin and you can transfer the bitcoin to us.
There's been all kinds of weird ransomware, unusual things which ransomware has done. I remember a piece of ransomware called Popcorn Time.
Sometimes I talk about it in presentations because it's quite unusual. It gives you an option when it asks you to pay the money. It says, look, you can pay us the old-fashioned way.
You can go and get yourself some bitcoin and you can transfer the bitcoin to us.
That's old-fashioned.
That's old-fashioned. That's old hat.
Okay.
That's what we're learning.
Jeez.
Or if that's a bit too complicated to work out how to get hold of some bitcoin, you can do it the nasty way. What you can do, they say, is here is a link.
If you send this link to enough of your friends or family or work colleagues, God.
And you manage to trick them into infecting their own computers with the Popcorn Time ransomware, and they end up paying, then you will get your data back for free. Oh my God.
If you send this link to enough of your friends or family or work colleagues, God.
And you manage to trick them into infecting their own computers with the Popcorn Time ransomware, and they end up paying, then you will get your data back for free. Oh my God.
So don't worry. RAY [REDACTED]. It's a pyramid scheme.
Yeah. You've become an affiliate. You now have a second job. You're working now as part of the ransomware gang.
And everyone now has a sullied reputation, a little bit, that they keep private.
So that was a good one, Popcorn Time. There's also one called N Ransom. What that did was it displayed pictures of Thomas the Tank Engine. Not a euphemism.
And what it did was it demanded you send 10 nude pictures of yourself as payment. Or if you're particularly keen to get the decryption key, maybe only send 5 nude pictures.
They might prefer that. I don't know. But yeah, a rather unusual piece of ransomware that. And there was Rensenware.
Rensenware was one which actually came with an embedded video arcade game, like an old-style arcade game.
And you had to reach a certain high score inside the game to decrypt your files.
So there's been all kinds of madness in the ransomware world, as well as the actual traditional infections demanding cryptocurrency.
And there's now another strange oddity in the world of ransomware. And it has been discovered by a security firm called CloudSec. And they have called it the Goodwill ransomware.
And what it did was it demanded you send 10 nude pictures of yourself as payment. Or if you're particularly keen to get the decryption key, maybe only send 5 nude pictures.
They might prefer that. I don't know. But yeah, a rather unusual piece of ransomware that. And there was Rensenware.
Rensenware was one which actually came with an embedded video arcade game, like an old-style arcade game.
And you had to reach a certain high score inside the game to decrypt your files.
So there's been all kinds of madness in the ransomware world, as well as the actual traditional infections demanding cryptocurrency.
And there's now another strange oddity in the world of ransomware. And it has been discovered by a security firm called CloudSec. And they have called it the Goodwill ransomware.
Goodwill ransomware. RAY [REDACTED]. Yeah.
Okay.
Not like Good Will Hunting or something like that.
Educate me.
Well, in many ways it's pretty normal, right? It infects your Windows PCs.
It encrypts your documents, your photographs, your videos, your databases, all of the data that you actually want.
It encrypts your documents, your photographs, your videos, your databases, all of the data that you actually want.
Mm-hmm.
But rather than demanding thousands of dollars worth of cryptocurrency in exchange for the decryption key, the Goodwill ransomware wants you to do something else.
It wants you to perform 3 acts of kindness and provide—
It wants you to perform 3 acts of kindness and provide—
Can you give me a list of what that is? Or—
Yes, they do.
Okay, fantastic. Tell me.
They don't only ask for 3 acts of kindness, they also ask you to record them on video and share the proof online as well as with the ransomware organizers in order to get your decryption key.
Okay, can I— I've done a few acts of kindness just today.
Oh, have you?
Can I just name some and you tell me if they'd fit in? RAY [REDACTED]. Now, Carole, it's not the humblebrag virus. It's not the humblebrag ransomware.
It is pretty— this is pretty low bar here, I gotta say. I emptied the dishwasher. Right, it doesn't just benefit me. There are other people living in this house.
I made my coworker a sandwich for lunch. RAY [REDACTED]. Wow, that's actually very kind. That's a good one too. Right?
I made my coworker a sandwich for lunch. RAY [REDACTED]. Wow, that's actually very kind. That's a good one too. Right?
What kind of sandwich did you make?
Tuna and organic cucumber.
Oh, that sounds good actually.
Yeah. So that doesn't count? RAY [REDACTED]. That counts as 2 actually. I think we'll decrypt your files now.
Well, no, no, no, hang on. Ray, Ray, what kind of criminal enterprise are you running? RAY [REDACTED]. The sandwich is a very, very exceptional act of kindness.
It's not that big a deal, really.
It's not that big a deal, really.
Well, I'll remember that. I think you've basically decrypted one GIF file.
As an artist, that probably would matter, you know.
I don't think that's very good. Now, the Goodwill ransomware displays a message. In fact, it displays a multi-page message in its manifesto when it infects you.
It says, "We're not hungry for money or wealth, but kindness.
We want to make every person on the planet to be kind and want to give them a hard lesson to always help poor and needy people." So Carole, I'm afraid your coworker emptying the dishwasher isn't good enough for them.
They want you to take a deep breath, look around for all of those who need help. So they give you some examples.
The first request they make is for you to donate new clothes and blankets to the homeless.
It says, "We're not hungry for money or wealth, but kindness.
We want to make every person on the planet to be kind and want to give them a hard lesson to always help poor and needy people." So Carole, I'm afraid your coworker emptying the dishwasher isn't good enough for them.
They want you to take a deep breath, look around for all of those who need help. So they give you some examples.
The first request they make is for you to donate new clothes and blankets to the homeless.
Okay.
And they say, not only donate these clothes and blankets—
But why do they have to be new?
Well, they don't want your soiled underpants, Carole, do they?
No, but it's not helping the planet much by just buying stuff and then— I just think a lot of people have a lot of stuff that's in pretty good nick that they don't use.
RAY [REDACTED]. Okay, okay.
RAY [REDACTED]. Okay, okay.
Well, maybe if you washed it beforehand.
Of course.
Okay, all right. RAY [REDACTED]. Another act of kindness, by the way, on the scoreboard.
Thanks. Thank you, Kroll, for demonstrating human cleanliness and for washing before we're recording this podcast.
And reducing waste, right?
They want you to post the evidence of this on Facebook, Instagram, and WhatsApp to encourage others. Yeah, spread the word. Spread the word of goodness.
Spread the word. Spread the word.
So that's the first thing. Okay, so Ray, what clothes would you donate? RAY [REDACTED]. What clothes? Well, I was actually gonna go buy new clothes.
I was following the instructions to the letter. I did not know that you got to bend the rules.
I was following the instructions to the letter. I did not know that you got to bend the rules.
Okay. RAY [REDACTED]. But certainly jackets, socks, I believe are very, very popular, or very in demand, socks.
In demand, yeah. RAY [REDACTED]. And certainly clean new underwear, I think. I would think there would be a demand for that as well.
Not the T-back thongs that you're envisioning with the jewels.
Not the T-back thongs that you're envisioning with the jewels.
Okay, let's move on to act number 2.
So, once you've done that, and you've shared it online with the appropriate hashtags, and shared it with the criminal masterminds as well, we need to go on to the second act.
And what this involves is finding 5 poor children under the age of 13, and taking them to Domino's, Pizza Hut, or Kentucky Fried Chicken, and allow them to order any food that they wish.
What do we think of that?
So, once you've done that, and you've shared it online with the appropriate hashtags, and shared it with the criminal masterminds as well, we need to go on to the second act.
And what this involves is finding 5 poor children under the age of 13, and taking them to Domino's, Pizza Hut, or Kentucky Fried Chicken, and allow them to order any food that they wish.
What do we think of that?
I wonder how the parents are gonna feel about that.
Well, right.
It's where's little Ricky? Where's little Ricky? Where'd Susie go? Oh, they're all down at the Mickey D's. RAY [REDACTED]. Kidnap 5 children and take them to the restaurant.
It's a bit odd, isn't it?
Yeah, it's a bit odd.
Random children. RAY [REDACTED]. The brand placement seems a little bit conspicuous. They actually have mentioned the actual specific brands there.
Yes.
I bet there's PR meetings going on right now going, can we make sure we are not involved in this in any way? Why were we named? Oh, see?
Do you think maybe Domino's Pizza are thinking, could someone in marketing be behind this ransomware? Are we doing this to drive sales? RAY [REDACTED].
Well, you know, it's really funny that you would say that because when the invasion in Ukraine happened, all those Conti ransomware group files leaked.
First of all, it turned out that their inner workings was a bad corporation.
I mean, they had layers of hierarchy of management and they were using tools like EDR, but a lot of the employees thought they were working for a marketing company, an ad company.
That's what they were told. So maybe it was for Pepsi, KFC or Domino's.
Well, you know, it's really funny that you would say that because when the invasion in Ukraine happened, all those Conti ransomware group files leaked.
First of all, it turned out that their inner workings was a bad corporation.
I mean, they had layers of hierarchy of management and they were using tools like EDR, but a lot of the employees thought they were working for a marketing company, an ad company.
That's what they were told. So maybe it was for Pepsi, KFC or Domino's.
Thank goodness I'm no longer working for Disney. I'm working for the Conti ransomware gang. I can sleep soundly at night now. So—
Okay, so I've kidnapped 5 kids.
Kidnapped 5 kids.
I've gone shopping for people in the city that need it.
And they want you to take selfies of you and the kids full of smiles, happy faces, build a beautiful Instagram story with these pictures.
Screenshot the bill, send an email to us, they say, with the link to get your files back.
So, and the final one, the final one involves providing financial assistance to those who need urgent medical help. Who can't afford to pay for it themselves.
I imagine, by the way, that this is in America where I believe you have to pay to, if you get hit by a car or something, whereas most of the civilised world, if you're badly injured, you can just get treatment.
But anyway, they are saying visit a nearby hospital, look around the crowd, and you should be able to find some people who need money urgently for their treatment.
And you have to go up to them and talk to them and say, hey, look, I'd like to help.
Screenshot the bill, send an email to us, they say, with the link to get your files back.
So, and the final one, the final one involves providing financial assistance to those who need urgent medical help. Who can't afford to pay for it themselves.
I imagine, by the way, that this is in America where I believe you have to pay to, if you get hit by a car or something, whereas most of the civilised world, if you're badly injured, you can just get treatment.
But anyway, they are saying visit a nearby hospital, look around the crowd, and you should be able to find some people who need money urgently for their treatment.
And you have to go up to them and talk to them and say, hey, look, I'd like to help.
I'll take on the $300,000 hit.
I'll take this on.
Yeah. RAY [REDACTED]. You.
Yeah.
Again. Get my files back.
Take lots of selfies of them full of smiles and happy faces. Record audio while the whole conversation between you and them takes place. And send it to the ransomware gang.
You see, I've got two issues here.
I think, come on, come on, let's hear it.
Because I'm a bit of a do-gooder, so I think in principle all their stuff is good, you know?
Yeah, look after the homeless, help people that need it, all that, you know, feed the people that need it. Absolutely.
I worry about their tactics to force me to do it, on one, because it doesn't seem a very nice thing to put ransomware on my machine.
So it doesn't feel they're eating their own cereal, right? They're not eating their own Cheerios. RAY [REDACTED]. Are you a Good Samaritan if you have a gun pointed at your head?
Yeah, look after the homeless, help people that need it, all that, you know, feed the people that need it. Absolutely.
I worry about their tactics to force me to do it, on one, because it doesn't seem a very nice thing to put ransomware on my machine.
So it doesn't feel they're eating their own cereal, right? They're not eating their own Cheerios. RAY [REDACTED]. Are you a Good Samaritan if you have a gun pointed at your head?
Right, right.
And what, are they good Samaritans by pointing the gun?
Okay.
And number two, it also feels they've offloaded a lot of the responsibility to me, because if they are typical ransomware users, they would just take my money and then they could do all that stuff themselves.
And number two, it also feels they've offloaded a lot of the responsibility to me, because if they are typical ransomware users, they would just take my money and then they could do all that stuff themselves.
Yes, with the money. RAY [REDACTED]. But Carole, I guarantee you that's probably an option.
They probably want you to look at this list of things that you have to do and go, okay, never mind, here's 20 bitcoins, just go away. I don't hate you now.
You gave me, you gave me an opportunity.
They probably want you to look at this list of things that you have to do and go, okay, never mind, here's 20 bitcoins, just go away. I don't hate you now.
You gave me, you gave me an opportunity.
You gave me a choice that I didn't even want in the first place. Yeah.
It is peculiar, isn't it? So here's what I'm thinking. I think I would find it quite hard to round up 5 poor kids. RAY [REDACTED]. Why?
Because you live in a rich neighbourhood?
Well, no, it's just— I don't have many people who live near me, right? I would have the proud—
So you would just dress up the rich kids as poor people? That's what you would do.
This is what I'm wondering.
Oh my God.
If I was desperate to get my files back, would I think it's actually easier to go down the local amateur dramatics group and hire some people to pretend to be homeless?
You know, would I be able to do that? Or maybe Photoshop—
You know, would I be able to do that? Or maybe Photoshop—
Or little Timmy. Was it Timmy?
Tiny Tim. Tiny Tim on his crutches.
That's right. RAY [REDACTED].
And then right when you're negotiating with him, he whips out a Screen Actors Guild card and says, "I need scale." Why isn't one of the things there, can you give to one of these 5 recognized charities?
And then right when you're negotiating with him, he whips out a Screen Actors Guild card and says, "I need scale." Why isn't one of the things there, can you give to one of these 5 recognized charities?
Right.
But maybe that's too easy. Maybe they're saying giving charity just by clicking a button is too easy and they want you to actually go and do something.
Okay, you do that and also say online that you've done it. You know, I don't know. Okay, anyway, I don't know why I'm helping the ransomware guys.
I just don't agree with the ransomware in the first place.
I just don't agree with the ransomware in the first place.
Yeah, but again, it's a bit of a humblebrag, like Ray was saying earlier, isn't it?
To go online and say, "I have just very generously given $100." You're not saying I'm generous, you're saying I was forced by a ransomware gang.
Normally, I would never donate the money. But in this exceptional circumstance, I am prepared to. So I wonder if this might be the beginning of something. RAY [REDACTED].
Well, you'll know if you watch LinkedIn, because LinkedIn would become overrun with all these pictures and everyone would have 5 kids in their photo. Exactly 5.
To go online and say, "I have just very generously given $100." You're not saying I'm generous, you're saying I was forced by a ransomware gang.
Normally, I would never donate the money. But in this exceptional circumstance, I am prepared to. So I wonder if this might be the beginning of something. RAY [REDACTED].
Well, you'll know if you watch LinkedIn, because LinkedIn would become overrun with all these pictures and everyone would have 5 kids in their photo. Exactly 5.
Well, that's possible. But I'm also imagining some future Michael Douglas movie. Where there he is in the office. Ah, I got hit by ransomware, right?
He's an evil sort of trader or something.
He's an evil sort of trader or something.
Is he still alive?
Yes, of course Michael Douglas is still alive.
I'm going to look.
He did have an ailment, but which he said he got— RAY [REDACTED]. Never mind.
Yes, never mind.
And, you know, he is alive. He seems like 77.
Anyway, so Michael Douglas, I can imagine him in a movie getting requested to do various— What I'm picturing is some evil, crazy guy sending different commands to people who've been hit by the ransomware, and he's getting them to do more and more insane things.
You know, custard pie Bill Gates.
You know, custard pie Bill Gates.
You thought of this when you were having a poop or something, right?
Tie Piers Morgan's shoelaces together. Something like that. I can imagine this happening.
Okay, well, good. You're perfectly sane.
Well, no, the world of cybersecurity is not sane, Carole, I'm just— Here I am predicting the future. I'm like a soothsayer and I am warning.
Let the record show I am warning that this kind of ransom kindness madness could get out of hand and could become a big problem. RAY [REDACTED]. But why KFC?
Let the record show I am warning that this kind of ransom kindness madness could get out of hand and could become a big problem. RAY [REDACTED]. But why KFC?
Why? RAY [REDACTED]. It just seems like such a random list. You know, it's not Chuck E. Cheese or someplace that's friendly for kids.
What is Chuck E. Cheese?
It must be a kid-run thing because not everywhere has it. Maybe they were just thinking of international restaurants.
Yeah, we don't have Chuck E. Cheese here.
Yeah.
Whatever that is.
We have a Chubby Chicken though in Oxford. RAY [REDACTED]. Oh, Graham, Chuck E.
Cheese is this child horror show with animatronic puppets that sing to the children and they play arcade games.
And it definitely should be one of your stories one of these days because— Oh.
Cheese is this child horror show with animatronic puppets that sing to the children and they play arcade games.
And it definitely should be one of your stories one of these days because— Oh.
Well, that sounds certainly more attractive than Carole's chicken with a chubby. That's who he's talking about. Anyway, Ray, what have you got to talk to us about this week?
RAY [REDACTED]. Well, Graham, Carole, when you were children, were you taught that there were good bugs and bad bugs? Did anyone ever try to classify bugs for you?
RAY [REDACTED]. Well, Graham, Carole, when you were children, were you taught that there were good bugs and bad bugs? Did anyone ever try to classify bugs for you?
No, bugs were fine.
Oh no, I think so. Yeah, some bugs were pretty mean. Yeah, pretty evil. RAY [REDACTED].
So here in deep in the heart of Texas, we were taught that certain bugs were good bugs and certain bugs were bad bugs.
You didn't kill certain spiders because they would eat mosquitoes and you wouldn't kill certain snakes because they would do this or that.
Everything was classified as either a good bug or a bad bug.
And then it was only much later in life that you kind of realized that in an ecosystem, there's not really necessarily good and bad.
It's just that everything is kind of interreliant. So, well, I don't know if you've been following the news lately.
But there's this chap named Elon Musk that has been in the news with his takeover attempts of Twitter.
And one of the things that he said, among the less bizarre things that he has said, was that he believes that there are many more bots on Twitter—
So here in deep in the heart of Texas, we were taught that certain bugs were good bugs and certain bugs were bad bugs.
You didn't kill certain spiders because they would eat mosquitoes and you wouldn't kill certain snakes because they would do this or that.
Everything was classified as either a good bug or a bad bug.
And then it was only much later in life that you kind of realized that in an ecosystem, there's not really necessarily good and bad.
It's just that everything is kind of interreliant. So, well, I don't know if you've been following the news lately.
But there's this chap named Elon Musk that has been in the news with his takeover attempts of Twitter.
And one of the things that he said, among the less bizarre things that he has said, was that he believes that there are many more bots on Twitter—
Oh yes— RAY [REDACTED]. Than Twitter has been willing to estimate and to say, right? And it really got me thinking. I started thinking, well, I wonder how you could count those.
How could you count those? How could you see those? I know there's a lot of tools out there that do that.
Well, it turns out there's a company on the internet that has been counting what they call bad bots and good bots for almost 10 years now.
They have bot catchers all over the world and they're counting up bad bot activity. Now, your first question's got to be, well, what makes a bot a bad bot, right?
We have bots from Google that crawl websites. We have bots that do things like price indexing for travel search engines, et cetera.
Well, they define bad bots as bots that are evasive, deceptive, or malicious. Okay.
And believe it or not, according to Imperva, about 42% of internet traffic in the last year wasn't human. And that's up from 40.8% in 2020.
And human activities decreased by 2.5% to 57.7%.
Now, the reason that that's extremely unusual is because of the fact that we still have a hybrid workplace COVID kind of quarantine situation, and internet traffic has generally been going up significantly year over year, primarily because of video.
So the bad bot traffic is outpacing the good human Netflix, Pornhub traffic, or whatever traffic that is.
How could you count those? How could you see those? I know there's a lot of tools out there that do that.
Well, it turns out there's a company on the internet that has been counting what they call bad bots and good bots for almost 10 years now.
They have bot catchers all over the world and they're counting up bad bot activity. Now, your first question's got to be, well, what makes a bot a bad bot, right?
We have bots from Google that crawl websites. We have bots that do things like price indexing for travel search engines, et cetera.
Well, they define bad bots as bots that are evasive, deceptive, or malicious. Okay.
And believe it or not, according to Imperva, about 42% of internet traffic in the last year wasn't human. And that's up from 40.8% in 2020.
And human activities decreased by 2.5% to 57.7%.
Now, the reason that that's extremely unusual is because of the fact that we still have a hybrid workplace COVID kind of quarantine situation, and internet traffic has generally been going up significantly year over year, primarily because of video.
So the bad bot traffic is outpacing the good human Netflix, Pornhub traffic, or whatever traffic that is.
And this is the case even though there's been a marked increase in the number of people playing Wordle and things on that. RAY [REDACTED]. Absolutely. For sure.
Well, there may be bots playing that. There may be bots playing that at this point.
Well, there may be bots playing that. There may be bots playing that at this point.
Oh, goodness. RAY [REDACTED]. So this is why we always have to deal with all those CAPTCHAs that say, you know, identify which shoe is a clown shoe or whatever that is.
And they show you a bunch of pictures of feet or whatever. I don't know. Maybe I'm on different websites than you are.
But anyway, so OWASP, OWASP, who's kind of the authority when it comes to things like this, has defined 21 different bad bot use cases in their Automated Threat Handbook, which we will link in the notes.
But Imperva has got these great statistics over time. And we've seen certain trends that have happened specifically because more and more legitimate traffic is mobile.
And then when Apple put out their privacy changes a couple years ago that affected companies like Meta and a lot of the companies that were trying to do some malvertising or advertising on that side, there was a big movement of that.
And then of course, if you think about it, if there's a thing online where they do shoe drops, right, Kanye or somebody announces a new shoe, and the only way you can get it is to use a bot, right?
So all of that bot activity is out there and it's kind of swelling up and down, primarily used for things like DDoS attacks and often is a precursor to more sophisticated attacks.
And they show you a bunch of pictures of feet or whatever. I don't know. Maybe I'm on different websites than you are.
But anyway, so OWASP, OWASP, who's kind of the authority when it comes to things like this, has defined 21 different bad bot use cases in their Automated Threat Handbook, which we will link in the notes.
But Imperva has got these great statistics over time. And we've seen certain trends that have happened specifically because more and more legitimate traffic is mobile.
And then when Apple put out their privacy changes a couple years ago that affected companies like Meta and a lot of the companies that were trying to do some malvertising or advertising on that side, there was a big movement of that.
And then of course, if you think about it, if there's a thing online where they do shoe drops, right, Kanye or somebody announces a new shoe, and the only way you can get it is to use a bot, right?
So all of that bot activity is out there and it's kind of swelling up and down, primarily used for things like DDoS attacks and often is a precursor to more sophisticated attacks.
Sorry, Ray, Ray, you're gonna have to backtrack a little bit 'cause you're getting very technical for me. Kanye West does a shoe drop. RAY [REDACTED]. Correct.
And that's largely a bot. Did you mean it's largely a boot? RAY [REDACTED]. No. So when these—
What does this mean? RAY [REDACTED]. When items are extremely scarce, people have written programs to try to defeat the limitations of that thing.
So ticket scalping was the first killer app, right?
So ticket scalping was the first killer app, right?
Yeah. RAY [REDACTED]. They would set up these bots so that when the tickets went on sale at 9:01 AM, the bots would grab up all the best seats and they would pretend to be humans.
And then basically the scalpers would resell those. Well, they do that with shoes now too. Because Kanye will drop a shoe that's MSRP is maybe like $169 and they'll go for thousands.
So people can actually rent bots to try to get shoes, to try to get tickets, or they can just simply outsource that.
And so that's a difficult type of bot is for being able to defeat retail services. There's a lot of that with regards to travel.
And notice the market increase in the number of mobile devices.
And if you look on the internet and you type in "bot farm," you will see pictures of people in certain countries where they'll have 128 mobile phones bolted together, all running a single program that basically are impersonating users.
And it's just another indicator of the type of activity that is kind of out there.
Interestingly enough, just like happens all the time on internet research, there really wasn't anything in the Imperva reports or the OWASP report about social media bots, which is kind of when I got started interested in that side.
And so there's kind of a raging debate. Is 20% are 20% of Twitter users inauthentic? Is it 50%? Does it matter how often they're used?
We all know there's definitely a bot problem on social media, but for the folks at Imperva, they actually point out that there's a lot more serious problems related to bad bots, right?
And then basically the scalpers would resell those. Well, they do that with shoes now too. Because Kanye will drop a shoe that's MSRP is maybe like $169 and they'll go for thousands.
So people can actually rent bots to try to get shoes, to try to get tickets, or they can just simply outsource that.
And so that's a difficult type of bot is for being able to defeat retail services. There's a lot of that with regards to travel.
And notice the market increase in the number of mobile devices.
And if you look on the internet and you type in "bot farm," you will see pictures of people in certain countries where they'll have 128 mobile phones bolted together, all running a single program that basically are impersonating users.
And it's just another indicator of the type of activity that is kind of out there.
Interestingly enough, just like happens all the time on internet research, there really wasn't anything in the Imperva reports or the OWASP report about social media bots, which is kind of when I got started interested in that side.
And so there's kind of a raging debate. Is 20% are 20% of Twitter users inauthentic? Is it 50%? Does it matter how often they're used?
We all know there's definitely a bot problem on social media, but for the folks at Imperva, they actually point out that there's a lot more serious problems related to bad bots, right?
So basically, one in two times you're on the internet, you're talking to a bot, probably. RAY [REDACTED].
Well, and certain social dating websites, it would be much, much higher than that.
Well, and certain social dating websites, it would be much, much higher than that.
Yeah, right. RAY [REDACTED]. If we think back to Ashley Madison, Ashley Madison was almost all bots. It was almost 100% users that were there to try to get more money from you.
FemBots. Yes, all the women were actually robots, weren't they? RAY [REDACTED]. Correct.
All the men were not. They were cracking a look at.
My goodness.
Yeah, but what do you think can be done? Do you think that we need to be more attentive, being aware that there's bots out there?
Does it change our behavior in any way, do you think? RAY [REDACTED]. Well, I think that the folks from Imperva really talk about kind of the level of severity of types of things.
So obviously things that are data scraping or stealing credentials, that's a very serious issue that needs to not only be monitored but also mitigated.
And they make recommendations for certain types of mitigation, you know, around proxies and things like that. But also they just think that awareness will drive a lot more.
You know, awareness is sort of the very first kind of step for that side, and especially with regards to account takeovers.
And, you know, we talk a lot about multifactor authentication circumvention.
And a lot of these bots are now being designed specifically to look like they are the telecommunications company asking for those tokens.
And so just always remember, never give out your MFA token unsolicited. No company will ever ask you that without you requesting it first, right?
Does it change our behavior in any way, do you think? RAY [REDACTED]. Well, I think that the folks from Imperva really talk about kind of the level of severity of types of things.
So obviously things that are data scraping or stealing credentials, that's a very serious issue that needs to not only be monitored but also mitigated.
And they make recommendations for certain types of mitigation, you know, around proxies and things like that. But also they just think that awareness will drive a lot more.
You know, awareness is sort of the very first kind of step for that side, and especially with regards to account takeovers.
And, you know, we talk a lot about multifactor authentication circumvention.
And a lot of these bots are now being designed specifically to look like they are the telecommunications company asking for those tokens.
And so just always remember, never give out your MFA token unsolicited. No company will ever ask you that without you requesting it first, right?
Yeah. RAY [REDACTED]. RAY [REDACTED].
And then they also talk about the fact that when it comes to account takeovers, just like dwell time is extremely important in cyber breaches, detection of account takeovers is extremely important so you can shut it down.
And then they also talk about the fact that when it comes to account takeovers, just like dwell time is extremely important in cyber breaches, detection of account takeovers is extremely important so you can shut it down.
So we'd really be looking for websites and services to do a better job at determining inauthentic behavior, I think, wouldn't we?
I mean, the simplest way to do that is with things like CAPTCHAs, but of course CAPTCHAs are quite irritating for the humans and they're not—
I mean, the simplest way to do that is with things like CAPTCHAs, but of course CAPTCHAs are quite irritating for the humans and they're not—
Yeah, but people are used to them now. I mean, Google does them all the time.
Sometimes I have to reload, reload, 'cause I can't work out what's what. And you know, is that bit of the traffic light up? RAY [REDACTED].
Is the pole, does the pole count as the traffic light? I've always wondered that. Is it the actual light or is it the pole too?
Is the pole, does the pole count as the traffic light? I've always wondered that. Is it the actual light or is it the pole too?
Well, I always worry that am I feeding all this information, am I making it easier for some evil artificial intelligence inside Google to identify the difference between a yacht or a zebra crossing or a traffic light?
Such that they will then ultimately be able to invade our cities.
Such that they will then ultimately be able to invade our cities.
That's a really good point. I think you should start acting like some kind of animal or something. Like, just mimic. There's a guy actually in Japan who's paid like, what?
Oh, the Collie dog man. Yes. Yes.
He decided he didn't want to be part of humanity anymore, and he's now got himself a lifelike dog outfit. I think we should put it in the show notes for people.
It's really, really odd and weird.
It's really, really odd and weird.
It's quite convincing.
He's an authentic dog though. So he's, you know, he's a deepfake dog, which brings me to my topic. RAY [REDACTED]. Oh boy.
Carole, what have you got for us?
Deepfakes. Deepfakes. So back in 2019, Google published a blog piece called Contributing Data to Deepfake Detection Research.
And in it, they talk about innovation and tech and how they've paid loads of actors and people to create a database for researchers to work from in terms of finding out about deepfakes and detecting deepfakes.
And a quote from that is, since the field is moving quickly, we'll add to this dataset as deepfake technology evolves over time. And we'll work with partners.
We firmly believe in supporting a thriving research community, yada, yada, yada.
So it came as a surprise to some of us that Google recently quietly banned deepfake projects on its Collaboratory or Colab service, putting an end to the large-scale utilization of the platform's resources for this purpose.
Now, for those who don't know about Colab, it's basically an online computing resource that allows researchers to run Python code directly through the browser.
So they can use free computing resources, right? Including GPUs to power their projects.
And it's meant to be used by researchers who need power that costs several thousands of dollars to help them reach their scientific goals, right?
And in it, they talk about innovation and tech and how they've paid loads of actors and people to create a database for researchers to work from in terms of finding out about deepfakes and detecting deepfakes.
And a quote from that is, since the field is moving quickly, we'll add to this dataset as deepfake technology evolves over time. And we'll work with partners.
We firmly believe in supporting a thriving research community, yada, yada, yada.
So it came as a surprise to some of us that Google recently quietly banned deepfake projects on its Collaboratory or Colab service, putting an end to the large-scale utilization of the platform's resources for this purpose.
Now, for those who don't know about Colab, it's basically an online computing resource that allows researchers to run Python code directly through the browser.
So they can use free computing resources, right? Including GPUs to power their projects.
And it's meant to be used by researchers who need power that costs several thousands of dollars to help them reach their scientific goals, right?
Yes. It's probably been used actually to run hordes and hordes of bots, isn't it? This is probably exactly how it's all happening.
Well, interesting, interesting. 'Cause Colab has a not allowed here list.
Oh, okay. RAY [REDACTED]. Yeah.
Okay. And it includes things like using a remote desktop or SSH.
Mm-hmm.
Connecting to remote proxies, mining crypto, running DDoS or DoS attacks, password cracking, and using multiple accounts to work around access or resource usage restrictions.
And they've added to that creating deepfakes. So it's not known if Google performed this policy due to new ethical concerns or rampant abuse of its free computing resources.
But says Bleeping Computer, there are reports that some users are exploiting the platform's free tier to create deepfake models at scale.
And they've added to that creating deepfakes. So it's not known if Google performed this policy due to new ethical concerns or rampant abuse of its free computing resources.
But says Bleeping Computer, there are reports that some users are exploiting the platform's free tier to create deepfake models at scale.
OK, I'm not surprised by that, or any of you.
No.
And this captured a significant amount of Colab's available resources for extended periods.
Now, of course, all of us know of the bad things that deepfake— it's known as synthetic media, right? We all know about the bad deepfakes out there.
But I thought we could switch it up and look at some of the positive things that I've seen listed and see what we think of them.
Now, of course, all of us know of the bad things that deepfake— it's known as synthetic media, right? We all know about the bad deepfakes out there.
But I thought we could switch it up and look at some of the positive things that I've seen listed and see what we think of them.
OK. So I'll start with this one. What about people with speech impediments or motor skill difficulties?
Imagine being able to talk in your own voice to loved ones or colleagues even after losing your ability to speak.
Imagine being able to talk in your own voice to loved ones or colleagues even after losing your ability to speak.
Hmm.
Or if you're suffering from certain physical or mental disabilities, you could use synthetic avatars of you for online expression, you know, to be able to go, oh, here, this is what I want to say to you.
Why do you always feed me this stupid, disgusting stuff?
Why do you always feed me this stupid, disgusting stuff?
Well, we saw this actually a few weeks ago when I had a Pick of the Week, which was that Gerry Anderson documentary. And Gerry Anderson, of course, has been dead for a few years.
And his family, they had an audio recording of him being interviewed, but for the purposes of the movie, they wanted Gerry Anderson talking.
And they did a remarkable job through deepfake technology.
And his family, they had an audio recording of him being interviewed, but for the purposes of the movie, they wanted Gerry Anderson talking.
And they did a remarkable job through deepfake technology.
And you were watching this thing and you completely forgot that it was synthetic media.
I mean, that's a good point.
Better than animating him in the old Thunderbirds way with bits of string and sort of Weekend at Bernie's style.
Yeah, think of Forrest Gump, where he meets JFK and other historical figures. The creation of that scenario cost millions of dollars, right?
Whereas deepfakes could democratize the cost of this VFX tech. And to make it at a fraction of cost, which means that people can do cute deepfake videos.
Whereas deepfakes could democratize the cost of this VFX tech. And to make it at a fraction of cost, which means that people can do cute deepfake videos.
I saw one which was adorable called Home Stallone, right? So it's they've somehow superimposed Stallone's face into Home Alone's. I put the video in the show notes.
Yeah.
But you know, and it's labeled as a deepfake and it's there for a contribution to the arts, which I say would be actually, I think quite valuable. RAY [REDACTED].
That use case kind of reminds me of when BitTorrent took off and there was a group of people that screamed and yelled that it was really just being used for Linux distributions.
I'm sure that there is a few people that would use deepfakes for that, but my concern is the percentage of positive use is probably a little bit outweighed by the percentage of negative and malicious use.
That use case kind of reminds me of when BitTorrent took off and there was a group of people that screamed and yelled that it was really just being used for Linux distributions.
I'm sure that there is a few people that would use deepfakes for that, but my concern is the percentage of positive use is probably a little bit outweighed by the percentage of negative and malicious use.
I'm feeling sorry for Sylvester Stallone's career, actually. I mean, there was a perfectly good job that he could have been hired to do, and instead they deepfaked it.
Maybe that's quite bad news for actors, maybe not just for Stallone, but other actors as well.
Maybe that's quite bad news for actors, maybe not just for Stallone, but other actors as well.
And Google's the one who's making the most money out of it, right? RAY [REDACTED]. RAY [REDACTED].
So out of everything, that's another interesting question I had, is when they say we can't use these resources for these things, and these are GPUs, right?
These are big farms of GPUs. How can they tell the difference between password cracking and positive use of deepfakes?
Or I mean, how would Google be able to monitor and tell what that is?
So out of everything, that's another interesting question I had, is when they say we can't use these resources for these things, and these are GPUs, right?
These are big farms of GPUs. How can they tell the difference between password cracking and positive use of deepfakes?
Or I mean, how would Google be able to monitor and tell what that is?
That is an excellent question, and I have attached the FAQ for Google's Colab and explaining why it has restrictions and how it works, and maybe the answer will be in there.
They probably can't tell, but if they find out later, that's a good reason for kicking you out.
Yeah, maybe if someone reports you or something.
Yeah.
What about helping the bereaved? Like, say if I died, Graham, right? Wouldn't you like to have me— yeah, yeah, that's what I sound like. RAY [REDACTED].
Carole, we already have a mop and it has your name on it and your photo, and now all we need is recordings to go with the mop because, you know, the mop is a great dancing partner, doesn't— not very good at dinner, but that's our virtual Carole.
We just need the voiceovers for it.
Carole, we already have a mop and it has your name on it and your photo, and now all we need is recordings to go with the mop because, you know, the mop is a great dancing partner, doesn't— not very good at dinner, but that's our virtual Carole.
We just need the voiceovers for it.
And what about solving police investigations? So last week, actually, Dutch police created a deepfake video to appeal for info over a 2003 murder of a teenage boy.
And it's a world's first investigation using artificially manipulated footage.
And it's this 13-year-old footballer who was shot dead in 2003 while throwing snowballs at his friends in a car park near a Rotterdam metro station.
And at the time, they just thought, oh, wrong place, wrong time.
But now they think there was an organized criminal fraud gang hanging out there, and they're hoping the deepfake video recreation of the boy's image and everything will help solve this cold case.
RAY [REDACTED].
Goodness, prosecuting crimes on synthetic evidence sounds like a lawyer's nightmare for me because they're actually making things up that aren't real and showing that video and saying, does this— is this what happened, right?
And it's a world's first investigation using artificially manipulated footage.
And it's this 13-year-old footballer who was shot dead in 2003 while throwing snowballs at his friends in a car park near a Rotterdam metro station.
And at the time, they just thought, oh, wrong place, wrong time.
But now they think there was an organized criminal fraud gang hanging out there, and they're hoping the deepfake video recreation of the boy's image and everything will help solve this cold case.
RAY [REDACTED].
Goodness, prosecuting crimes on synthetic evidence sounds like a lawyer's nightmare for me because they're actually making things up that aren't real and showing that video and saying, does this— is this what happened, right?
Yeah.
I mean, our— this podcast, Graham, we could have synthesized media be able to translate us into different languages to make us more accessible internationally.
I'd love to translate some of the sessions into English. That'd be helpful.
[LAUGHTER] So most things, it's complicated, right?
Because as you say, Ray, deepfakes are maybe not inherently bad as a tech, but I agree that right now we seem to have a lot more yucky examples than good examples out there.
I mean, we know this tech has been used for revenge, for political gain, for disruption, to induce shame, obedience.
I mean, even the EU put out a report to authorities, advised them to get on the deepfake bus because it is ripe to become a stable tool in organized crime.
So how do you control this stuff?
Because as you say, Ray, deepfakes are maybe not inherently bad as a tech, but I agree that right now we seem to have a lot more yucky examples than good examples out there.
I mean, we know this tech has been used for revenge, for political gain, for disruption, to induce shame, obedience.
I mean, even the EU put out a report to authorities, advised them to get on the deepfake bus because it is ripe to become a stable tool in organized crime.
So how do you control this stuff?
Yeah, how do you? How do you?
How do you? Well, it's the same as really all things tech. Legislation and regulation, right?
Corporate policies saying you can't do this and voluntary action from people on reporting it or making people aware of it.
Education and training, what we do, if we can call this any of that.
Corporate policies saying you can't do this and voluntary action from people on reporting it or making people aware of it.
Education and training, what we do, if we can call this any of that.
Oh God, we're doomed then.
And probably the most important is anti-deepfake tech, right? Which includes deepfake detection, content authentication, deepfake prevention.
Except now, without Google's Colab, anti-deepfake tech might take a hit. Oh. So I don't know. It also says something to me that Google kind of kept stepping out of this little mess.
Like, does it smell something that we don't smell? Like, why is it pulled out of this completely? Because surely this is a really exciting, innovative time.
And I understand it's very controversial, but we need to have anti-deepfake tech as well, don't we?
Except now, without Google's Colab, anti-deepfake tech might take a hit. Oh. So I don't know. It also says something to me that Google kind of kept stepping out of this little mess.
Like, does it smell something that we don't smell? Like, why is it pulled out of this completely? Because surely this is a really exciting, innovative time.
And I understand it's very controversial, but we need to have anti-deepfake tech as well, don't we?
Yeah.
So if they're pulling out, I think maybe we're in for a rocky deepfake ride. Is that— that sounds a bit dirty, actually. RAY [REDACTED].
Now, do you think that Matt Damon, when he made that crypto.com Super Bowl commercial, do you think he could go back now and say, nope, that wasn't me, that was a deepfake?
You get plausible deniability around that?
Now, do you think that Matt Damon, when he made that crypto.com Super Bowl commercial, do you think he could go back now and say, nope, that wasn't me, that was a deepfake?
You get plausible deniability around that?
Yeah, I wonder if actors are going to have to sign contracts saying, oh, and if you die right during the making of this film, you let us use deepfake to continue the script.
Mm-hmm.
Exciting times.
Now, you all know that we are big fans of password managers at Smashing Security because it's an important tool for generating and saving secure credentials for every online account.
Bitwarden makes it easy to stay secure and for businesses to share logins with team members and departments.
Bitwarden is transparent and secure using end-to-end and zero-knowledge encryption with source code that can be scrutinized.
Now you can go to bitwarden.com/smashing and try it for free across devices as an individual user, or you can start a free trial of a Teams Enterprise plan.
And the thing I like about this, a good password manager is robust and cost-effective as it can radically improve your chances of staying safe online, all without requiring super high-tech expertise.
Go to bitwarden.com/smashing. Start your free password manager trial today.
Now, you all know that we are big fans of password managers at Smashing Security because it's an important tool for generating and saving secure credentials for every online account.
Bitwarden makes it easy to stay secure and for businesses to share logins with team members and departments.
Bitwarden is transparent and secure using end-to-end and zero-knowledge encryption with source code that can be scrutinized.
Now you can go to bitwarden.com/smashing and try it for free across devices as an individual user, or you can start a free trial of a Teams Enterprise plan.
And the thing I like about this, a good password manager is robust and cost-effective as it can radically improve your chances of staying safe online, all without requiring super high-tech expertise.
Go to bitwarden.com/smashing. Start your free password manager trial today.
Kolide sends employees important, timely, and relevant security recommendations to their Linux, Mac, and Windows devices right inside Slack.
Kolide is perfect for organizations that care deeply about compliance and security, but don't want to get there by locking down devices to the point where they become unusable.
So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems.
Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. Enter your email when prompted, and you will receive a free Kolide goodie bag.
After your trial activates. You can try Kolide with all of its features on an unlimited number of devices for free, no credit card required.
Try it out at smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. And thanks to Kolide for supporting the show.
And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Kolide is perfect for organizations that care deeply about compliance and security, but don't want to get there by locking down devices to the point where they become unusable.
So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems.
Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. Enter your email when prompted, and you will receive a free Kolide goodie bag.
After your trial activates. You can try Kolide with all of its features on an unlimited number of devices for free, no credit card required.
Try it out at smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. And thanks to Kolide for supporting the show.
And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week. RAY [REDACTED]. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security related necessarily.
Better not be.
Well, my Pick of the Week this week is not security related. My Pick of the Week involves a certain situation which has arisen in my home. My young son, he is— he's 11 years old.
I was just going to say, yeah.
I'm not sure. He's 11 years old, round about that. RAY [REDACTED]. RAY [REDACTED]. Is this the Father's Day episode by any chance?
He has started playing Minecraft with some rather special friends of his from school. And he wants to chat to them at the same time.
And he was saying to me, "Dad, Dad, can you set up Discord for me? Discord's cool. I've heard about Discord. I've watched YouTube videos about Discord."
And he was saying to me, "Dad, Dad, can you set up Discord for me? Discord's cool. I've heard about Discord. I've watched YouTube videos about Discord."
Does he talk like that?
Yes, he does.
And I said, "Well, I could, but then I'd have to get the other kids to set up Discord." And speaking to their parents is a nightmare because I'm not that nerdy and they're even less nerdy.
And rather than setting up Discord or coordinating mobile phones with the parents and making a call, oh, it's just all a big pain in the neck.
I thought there has to be a simpler way for these kids to talk to each other, which ideally doesn't cost me any money and is zero effort.
And I said, "Well, I could, but then I'd have to get the other kids to set up Discord." And speaking to their parents is a nightmare because I'm not that nerdy and they're even less nerdy.
And rather than setting up Discord or coordinating mobile phones with the parents and making a call, oh, it's just all a big pain in the neck.
I thought there has to be a simpler way for these kids to talk to each other, which ideally doesn't cost me any money and is zero effort.
And does not invade their privacy ridiculously, probably.
That would be helpful as well. That was a smaller consideration, but yes, that would be good as well. So I found a service called Talky.io, talk with a Y on the end, .io.
And it's free. You can do audio and video chat. There's nothing to download. You don't have to sign up. There's no payments required. They don't have any ads.
They don't resell your information. At least they say they don't. They don't keep track of anything you're doing online. They say they encrypt everything possible.
And it's really easy.
And what's the best thing about it from my son's point of view is while you're waiting for other people to join your room, you get to play a little video game of a lunar lander kind of game where you have a spacecraft and go, "Pfft, pfft," applying thrust.
So while you're waiting for people, you can sort of move it around the screen and try and land it properly. And it's really easy to use and has so far worked for them.
And it's free. You can do audio and video chat. There's nothing to download. You don't have to sign up. There's no payments required. They don't have any ads.
They don't resell your information. At least they say they don't. They don't keep track of anything you're doing online. They say they encrypt everything possible.
And it's really easy.
And what's the best thing about it from my son's point of view is while you're waiting for other people to join your room, you get to play a little video game of a lunar lander kind of game where you have a spacecraft and go, "Pfft, pfft," applying thrust.
So while you're waiting for people, you can sort of move it around the screen and try and land it properly. And it's really easy to use and has so far worked for them.
Cool. I've just read the privacy policy and it looks good.
Oh wow, that's quick.
All they grab is— yeah, well, just the privacy policy. But yeah, it's quite tightly written, actually.
I think that they're doing it because there's some sort of web development team and they're doing this basically as an advert for their services.
So if you wanted to have maybe a corporate chat video thing, they would be able to roll you out one and all the rest of it. So I think that's the reason why they've done this.
But it worked very well. RAY [REDACTED].
It's always a good question whenever you come across a domain name that ends in .io and has kind of catchy name and declares that they don't advertise or keep any logs.
It's always one you always wonder, how do they monetize? Am I the product?
So if you wanted to have maybe a corporate chat video thing, they would be able to roll you out one and all the rest of it. So I think that's the reason why they've done this.
But it worked very well. RAY [REDACTED].
It's always a good question whenever you come across a domain name that ends in .io and has kind of catchy name and declares that they don't advertise or keep any logs.
It's always one you always wonder, how do they monetize? Am I the product?
Mm-hmm.
They also say that they welcome anyone reporting any bugs and you will receive a detailed response within 48 hours, which is quite refreshing to see that in a privacy policy.
They also say that they welcome anyone reporting any bugs and you will receive a detailed response within 48 hours, which is quite refreshing to see that in a privacy policy.
Oh, there you go. Anyway, so far, so far, no problems with it.
And the kids are able to chat to each other while they're giving each other cornflowers or messing around with redstone or whatever it is that they do in Minecraft.
And so Talky.io is my pick of the week.
And the kids are able to chat to each other while they're giving each other cornflowers or messing around with redstone or whatever it is that they do in Minecraft.
And so Talky.io is my pick of the week.
Down and out.
Ray, what's your pick of the week? RAY [REDACTED]. Well, my pick of the week, Graham.
Yes. RAY [REDACTED]. Well, let me just ask you this question.
When you are— yes, at home alone, or maybe perhaps not alone, and you've got a nice glass of wine and some good music on—
When you are— yes, at home alone, or maybe perhaps not alone, and you've got a nice glass of wine and some good music on—
I'm uncomfortable. RAY [REDACTED]. Are you excited about the possibility that you might be experiencing piloerection?
I'm so uncomfortable.
I don't drink wine, so I think it's even less likely I'd have a piloerection if I was drinking wine.
So I'm not used to alcohol and things, but what's a piloerection, Ray, dare I ask? RAY [REDACTED].
So piloerection is actually a physiological and physical response that you probably know more by the term of goosebumps.
And humans often experience this as part of something that scientists call frisson, which is derived from the French term of a sudden feeling or sensation of excitement, emotion, or thrill.
Now, at Queen Mary University in London, a group of scientists set out— I'm going to try to say these names, but it was led by Rémy Deflorian and Marcus Pearce— and they set out to try to find what it is about certain types of music that give you that frisson or that piloerection.
And they found music from people like Johnny Cash, Metallica, Celine Dion, Mozart, and built out a list of songs that are likely to give you chills, like in certain parts of the song or some certain parts, you kind of always get goosebumps.
These are the songs that you typically turn up really loud in the car.
So I'm not used to alcohol and things, but what's a piloerection, Ray, dare I ask? RAY [REDACTED].
So piloerection is actually a physiological and physical response that you probably know more by the term of goosebumps.
And humans often experience this as part of something that scientists call frisson, which is derived from the French term of a sudden feeling or sensation of excitement, emotion, or thrill.
Now, at Queen Mary University in London, a group of scientists set out— I'm going to try to say these names, but it was led by Rémy Deflorian and Marcus Pearce— and they set out to try to find what it is about certain types of music that give you that frisson or that piloerection.
And they found music from people like Johnny Cash, Metallica, Celine Dion, Mozart, and built out a list of songs that are likely to give you chills, like in certain parts of the song or some certain parts, you kind of always get goosebumps.
These are the songs that you typically turn up really loud in the car.
Oh, so this is a playlist which doesn't include Michael Bublé, for instance. That sounds great. RAY [REDACTED].
No, I don't know that we need to take a cheap shot at Michael Bublé at this point in time, but certainly I will publish the list.
No, I don't know that we need to take a cheap shot at Michael Bublé at this point in time, but certainly I will publish the list.
I think we do.
No, we do.
I think we do. I think we do.
We do. RAY [REDACTED].
But what these scientists were interested in is they were interested in what's the difference between two songs that are back to back on the same album, and one of them gives you this frisson or this chills.
And it's almost universal, by the way. These are not highly individualized.
But what these scientists were interested in is they were interested in what's the difference between two songs that are back to back on the same album, and one of them gives you this frisson or this chills.
And it's almost universal, by the way. These are not highly individualized.
Really? RAY [REDACTED]. These have a very common set.
So they looked at a little bit less than 1,000 songs, and they identified 715 that are likely to give you chills, and they published it to Spotify.
So it's a Spotify playlist that actually has these songs on them.
So they looked at a little bit less than 1,000 songs, and they identified 715 that are likely to give you chills, and they published it to Spotify.
So it's a Spotify playlist that actually has these songs on them.
So, okay, so now we have to worry about freaking drivers listening to this playlist whilst driving along and going all the time. RAY [REDACTED].
Well, it is actually called a skin orgasm. That is actually called a skin orgasm, but I left that part out because I felt it was a little bit too racy for this.
Well, it is actually called a skin orgasm. That is actually called a skin orgasm, but I left that part out because I felt it was a little bit too racy for this.
Good job, good job.
Good that you didn't mention the skin orgasm. Well done on avoiding it. RAY [REDACTED]. Absolutely.
But it also includes parts of movie— if you think about speeches, I mean, the classic example for Americans is probably the Rocky theme, because you know that right when he starts to get up, that Rocky kind of, you kind of get behind it or whatever.
But it also includes parts of movie— if you think about speeches, I mean, the classic example for Americans is probably the Rocky theme, because you know that right when he starts to get up, that Rocky kind of, you kind of get behind it or whatever.
Queen as well, I'm sure, is up there. RAY [REDACTED]. But they're particularly fascinated in which songs are able to bring this and which aren't.
And if you look through this playlist, by the way, and someone was kind enough to convert it to Apple Music and other formats as well.
But if you look at this playlist, you're going to see a lot of songs you recognize and you'll know immediately, oh yes, I know that.
I even know the part of that song that gives everybody the piloerection, right?
And if you look through this playlist, by the way, and someone was kind enough to convert it to Apple Music and other formats as well.
But if you look at this playlist, you're going to see a lot of songs you recognize and you'll know immediately, oh yes, I know that.
I even know the part of that song that gives everybody the piloerection, right?
Are they trying to figure out the sonograph or the wavelength that does it? Is it— are they able to isolate it to certain beats? RAY [REDACTED].
Or so, Carole, they do look at tempo and they do look at cadence and they do look at— but one of the most interesting explanations is something that musicologist David Huron calls contrastive valence theory, in which your feelings are suddenly contrasted.
So you start off feeling really bad, and then you feel really good, and then you get stronger and stronger and stronger, and then there's really no peak to that, right?
There's a lot of that in Broadway show tunes, right? When they reach that type of these—
Or so, Carole, they do look at tempo and they do look at cadence and they do look at— but one of the most interesting explanations is something that musicologist David Huron calls contrastive valence theory, in which your feelings are suddenly contrasted.
So you start off feeling really bad, and then you feel really good, and then you get stronger and stronger and stronger, and then there's really no peak to that, right?
There's a lot of that in Broadway show tunes, right? When they reach that type of these—
So your brain can either be, life is shit, life is shit, oh, it's so miserable, life is shit, oh, it's wonderful, that kind of thing. RAY [REDACTED].
Is that your Auto-Tune plug-in there, or no?
Is that your Auto-Tune plug-in there, or no?
Did you get any chills at that moment? RAY [REDACTED]. Yeah, yeah, I did not. I'm having piloerectile dysfunction over here.
But anyway, so yes, they have this very fascinating scientific article. It has a lot of observations about anger and emotions.
Like, it has this playlist of 715 songs that you can drop into your MP3 player and listen to.
Now, it is very heavy on classical music, but even the pop songs from the '50s and '60s, you know, you'll recognize most of them and be able to identify why they were songs of the song.
But anyway, so yes, they have this very fascinating scientific article. It has a lot of observations about anger and emotions.
Like, it has this playlist of 715 songs that you can drop into your MP3 player and listen to.
Now, it is very heavy on classical music, but even the pop songs from the '50s and '60s, you know, you'll recognize most of them and be able to identify why they were songs of the song.
We should have a frisson off with our listeners to see whoever listens to it, how many frissons they've had, write down how many frissons they get for a session of 10 songs and see who can win.
You can't have too many frissons in a day. I think you'll be exhausted. I think people should, I think you have to be careful what we advise our listeners to do. Maybe, yeah.
Ration yourself, folks. Carole, what's your pick of the week?
Ration yourself, folks. Carole, what's your pick of the week?
We're ready for a trifecta of great picks of the week this week because I have a fab one. It's new to me, totally love it, Graham. I did send it to you to watch.
Have you watched a bit of it?
Have you watched a bit of it?
I have, yes.
Okay, so it's a short series called Zen Motoring, and it stars this PE teacher, Alkimiós, who also is a battle rap champ. And I have links in the show notes for you to check out.
And a battle rap is basically a rap roast where you tear a new one out of your opponent with, you know, spicy rhymes and stuff like that. Yeah, it's cool.
And a battle rap is basically a rap roast where you tear a new one out of your opponent with, you know, spicy rhymes and stuff like that. Yeah, it's cool.
Yeah.
And Ogmios here started doing a YouTube effort labeled Zen Motoring, and it makes this crazy cocktail. It's a cocktail of what, ASMR whisperings. There's definitely that.
And it's against this— I don't know, driving around London as viewed from the dash cam. Yeah. And you might think, oh wow, he's zooming through the town really fast.
But no, no, no, it's all chill. Zen. It's ASMR. RAY [REDACTED]. Wow.
And it's against this— I don't know, driving around London as viewed from the dash cam. Yeah. And you might think, oh wow, he's zooming through the town really fast.
But no, no, no, it's all chill. Zen. It's ASMR. RAY [REDACTED]. Wow.
It is. It's very chilled out. It's wonderful actually to watch. So it's dash cam footage, but rather than it being, oh, get out my way, none of that.
It's, oh, watch out for that cyclist there. Oh, maybe the blue van in front of me could have moved, but maybe I'll give him a little friendly beep.
It's, oh, watch out for that cyclist there. Oh, maybe the blue van in front of me could have moved, but maybe I'll give him a little friendly beep.
Yeah, every pause is narrated, right? Every single pause. Because in London, if you don't know, there is a lot of traffic. We have a ton of traffic here.
So every sight is absorbed, appreciated. I think he stops in a cul-de-sac to watch an Amazon delivery guy robots struggle with the high curb.
You slow to allow a pigeon cross the road. You congratulate yourself for noticing a pedestrian about to cross from behind a parked van.
And we celebrate this thing that actually has changed now my life.
So every sight is absorbed, appreciated. I think he stops in a cul-de-sac to watch an Amazon delivery guy robots struggle with the high curb.
You slow to allow a pigeon cross the road. You congratulate yourself for noticing a pedestrian about to cross from behind a parked van.
And we celebrate this thing that actually has changed now my life.
All right. Yeah.
Which is when he's driving with his dash cam, he's letting pedestrians walk across and they wave and he gets a kind of frisson for double or even the triple wave, which he says is the mecca because if you go to four waves, it starts looking a little sarcastic.
So three is the most you can get as an honest, authentic wave from someone passing a road. So I've been trying it because I've been on foot a lot in Oxford.
So I've been trying to do the triple wave. It's not easy to do, but it's making me, and people seem to like it.
So, you know, just adding a bit of Zen to the roads in England would not be a bad thing. I loved it. You loved it, Graham?
So three is the most you can get as an honest, authentic wave from someone passing a road. So I've been trying it because I've been on foot a lot in Oxford.
So I've been trying to do the triple wave. It's not easy to do, but it's making me, and people seem to like it.
So, you know, just adding a bit of Zen to the roads in England would not be a bad thing. I loved it. You loved it, Graham?
I loved it as well. And I love that he does compliment people when they do a double wave or you said, even a triple wave.
And I think that is a random act of kindness that we should encourage on this podcast.
And I think that is a random act of kindness that we should encourage on this podcast.
Absolutely. Exactly. RAY [REDACTED]. Well, it might fulfill one of your ransomware objectives there too as well, right?
Yeah. I was just going to say he doesn't need ransomware to do it. We could just do it on our own because we're good, lovely people.
So Carole, is this a TV show as well?
Yes, it's on YouTube. It started on YouTube, and there's a TV show on BBC. And the episodes are— I don't think they're identical, right?
I think just from looking on the YouTube ones, and I was going through them quickly because I've already watched them on the BBC, there were certain things that were missing that were on the BBC one.
So I think the fuller experience— I'd watch both. I'm gonna watch the YouTube ones. I want to see, right? So I would say check it out. It is a really fun, wonderful experience.
And it's comedy in a really fresh form. Zen Motoring, you can find it on YouTube and on BBC. We have the links in the show notes. And that is my pick of the week. RAY [REDACTED].
Now, Carole, do you think that if this was extremely successful, there might be an American version where we just drive all over the place, cut people off and give them the finger?
I think just from looking on the YouTube ones, and I was going through them quickly because I've already watched them on the BBC, there were certain things that were missing that were on the BBC one.
So I think the fuller experience— I'd watch both. I'm gonna watch the YouTube ones. I want to see, right? So I would say check it out. It is a really fun, wonderful experience.
And it's comedy in a really fresh form. Zen Motoring, you can find it on YouTube and on BBC. We have the links in the show notes. And that is my pick of the week. RAY [REDACTED].
Now, Carole, do you think that if this was extremely successful, there might be an American version where we just drive all over the place, cut people off and give them the finger?
Totally.
Marvelous. Well, that just about wraps it up for this week. Ray, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
RAY [REDACTED]. Oh, they can follow me at Ray [REDACTED].com. That's R-A-Y-R-E-D-A-C-T-E-D.com.
RAY [REDACTED]. Oh, they can follow me at Ray [REDACTED].com. That's R-A-Y-R-E-D-A-C-T-E-D.com.
Super duper. And you can follow us on Twitter @SmashInSecurity, no G. Twitter would be nice to have a G. And there's also a Smashing Security subreddit.
Don't forget to ensure you never miss another episode. You know how to do that. Follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Overcast.
Don't forget to ensure you never miss another episode. You know how to do that. Follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Overcast.
And huge thank you to this episode's sponsors, Bitwarden and Kolide, and to our wonderful Patreon community. It's thanks to them all that this show is free.
For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 276 episodes, check out smashingsecurity.com.
For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 276 episodes, check out smashingsecurity.com.
Until next time, cheerio, bye-bye. Bye!
I'm Ray. You may want to say bye. RAY [REDACTED]. Bye-bye!
There we go.
Perfect.
Oh, we're going to have a rainbow. It's raining and sunny. Woohoo!
Double rainbow all the way!
Yeah, that gives me frissons.
What can it mean?
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
Ray [REDACTED] – @RayRedacted
Show notes:
- Popcorn Time ransomware invites you to get ‘nasty’ to recover your files — Graham Cluley.
- Rensenware — Wikipedia.
- GoodWill ransomware forces victims to donate to the poor and provides financial assistance to patients in need — CloudSEK.
- Bad Bot Report — Imperva.
- Bad Bot Traffic Report: Almost Half of All 2021 Internet Traffic Was Not Human — CPO Magazine.
- Automated Threats – web applications — OWASP.
- Home Stallone [Deepfake] — YouTube.
- The Emergence of Deepfake Technology: A Review — ResearchGate.
- Positive Use Cases of Synthetic Media (aka Deepfakes) | — Towards Data Science.
- Deepfake pornography could become an 'epidemic', expert warns — BBC News.
- Europol report finds deepfake technology could become staple tool for organised crime — Europol.
- Google quietly bans deepfake training projects on Colab — Bleeping Computer.
- Japanese man spends £12,500 on ultra-realistic dog costume so he can live like an animal — Daily Mail.
- Google Colab FAQ.
- Talky.
- The Relationship Between Valence and Chills in Music: A Corpus Analysis.
- Frisson: This playlist is scientifically verified to give you chills — Big Think.
- A Spotify playlist with 715 songs known to give people chills — Quartz.
- Songs to give you chills — Spotify playlist.
- Zen Motoring — BBC iPlayer.
- Ogmios School of Zen Motoring Ep 1 — YouTube.
- Zen School of Motoring: TV that will cleanse your spirit like meditation — The Guardian.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsor: Bitwarden
A password manager is an important tool for generating and saving secure credentials for every online account. Bitwarden makes it easy to stay secure and for businesses to share logins with team members and departments. Open source with published 3rd party security audits, Bitwarden is transparent and secure, utilizing end-to-end and zero knowledge encryption with source code that can be scrutinized by all.
Learn how Bitwarden can help you do business faster and more securely at bitwarden.com/smashing and start a free business plan trial today.
Sponsor: Kolide
At Kolide, we believe the supposedly Average Person is the key to unlocking a new class of security detection, compliance, and threat remediation. So do the hundreds of organizations that send important security notifications to employees from Kolide’s Slack app.
Collectively, we know that organizations can dramatically lower the actual risks they will likely face with a structured, message-based approach. More importantly, they’ll be able to engage end-users to fix nuanced problems that can’t be automated.
Try Kolide Free for 14 Days; no credit card required.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
