Graham wonders what would happen if his bouncing buttocks were captured on camera by a Tesla employee, and we take a look at canny scams connected to China’s Operation Fox Hunt.
All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
(Oh, and when Carole mentioned Colin the Accountant as her “Pick of the Week” she really meant “Colin from Accounts”. Sorry!)
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
If my bare buttocks are protruding high up in the air because I'm up to some shenanigans in the back of a Tesla, I don't want some oily, horrible Tesla bloke.
But let's say that image gets uploaded to some kid who's working at Tesla.
Imagine the trauma it would cause them. I'm worried about them, not me.
If I got the image of your, you know, moon bouncing up and down the back backseat of a Tesla, having no idea it was you.
You'd know it was me. You'd know it was me. Smashing Security, Episode 318: Tesla Workers Spy on Drivers and Operation Foxhunt Scams with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, Episode 318. My name's Graham Cluley.
Hello, hello, and welcome to Smashing Security, Episode 318. My name's Graham Cluley.
And I'm Carole Theriault.
And Carole, it's a bit lonely, isn't it, here in the studio today because, well, there's no one else here.
I'm not enough?
Well, just no guests this week. I mean, we did warn people in April we might not have as many guests. You're off on a top secret mission somewhere.
Yes, called R&R. Cannot wait. Cannot wait.
We're recording this episode a little bit earlier than usual, but lots of good stuff to come today.
Yes, as you will see. But before we kick off, let's thank this week's sponsors Bitwarden, Kolide, and Drata. It's their support that helps us give you this show for free.
Now coming up in today's show, Graham, what do you got?
Now coming up in today's show, Graham, what do you got?
I'm going on a fox hunt.
And I'm going to discuss, is it okay for employees to share certain types of information? All this and much more coming up on this episode of Smashing Security.
Now, chum, fox hunting. Have you ever been on a fox hunt?
What? I live in England. I have actually seen fox hunts on a number of different occasions.
Not because I have chosen to go and watch these things, but because I have rented a house in the countryside and suddenly all these guys come tripping up on horses with lots of dogs.
Not because I have chosen to go and watch these things, but because I have rented a house in the countryside and suddenly all these guys come tripping up on horses with lots of dogs.
Exactly.
Yeah, it's not cool.
It's not nice, is it? It's not very cool.
To picture the scene, people who aren't aware of this, how we have fox hunts in the UK is you get a whole bunch of chinless toffs on horseback.
To picture the scene, people who aren't aware of this, how we have fox hunts in the UK is you get a whole bunch of chinless toffs on horseback.
I don't think I'd call them that.
Okay, well, I would.
They're engaging in an entirely fair fight between on one side, 20 hounds, and on the other, a wild fox scared out of its wits that it's going to be ripped to shreds.
And yeah, anyway, they're on horses and it's unpleasant.
They're engaging in an entirely fair fight between on one side, 20 hounds, and on the other, a wild fox scared out of its wits that it's going to be ripped to shreds.
And yeah, anyway, they're on horses and it's unpleasant.
And they often have guns. Right? Just in case.
Machine guns? What sort of guns do they have? They don't have guns, do they?
Well, they used to. I don't know if they are allowed anymore, actually.
I wouldn't think that they— Maybe one person has a mallet in case the fox isn't completely killed by the— Anyway.
I'm looking it up.
They're not supposed to chase foxes anymore. It's supposed to be all done with scents and smells.
Yeah, it's illegal to hunt foxes with packs of dogs.
At the moment. But who knows when the government might change this. This because it's the sort of thing that they care a great deal about.
Anyway, that's what we picture here in England. But to Chinese people, a fox hunt can mean something quite different.
Anyway, that's what we picture here in England. But to Chinese people, a fox hunt can mean something quite different.
OK.
Since 2014, Chinese authorities have been running what they describe as an anti-corruption operation around the world, and they have named it Operation Fox Hunt.
Okay.
And what this involves is Chinese agents who've been sent out into the rest of the world by Beijing, hunting down Chinese nationals who the Chinese authorities say have committed financial crimes or fled abroad with billions in public money, and their aim is to bring them back to China to face justice.
I imagine most governments do that. If someone got away with billions or millions, they may want to try and get them to face justice. Yeah, it makes sense to me.
Well, there is a little bit of controversy associated with Operation Fox Hunt.
No.
Yeah.
Okay.
So a couple of years ago, FBI Director Chris Wray, for instance, he was describing Operation Fox Hunt and he said it isn't actually about fighting corruption at all.
He said instead what it is, is Beijing targeting Chinese nationals who are viewed as threats. And of course, Chinese nationals who live outside China.
So it's political rivals, dissidents, critics of China's human rights record are being targeted according to Wray.
And they're trying to force those people under the pretext of they've committed some kind of financial crime to come back to China, and who knows what might happen to them.
He said instead what it is, is Beijing targeting Chinese nationals who are viewed as threats. And of course, Chinese nationals who live outside China.
So it's political rivals, dissidents, critics of China's human rights record are being targeted according to Wray.
And they're trying to force those people under the pretext of they've committed some kind of financial crime to come back to China, and who knows what might happen to them.
Hmm.
I just would assume that if, say, there was someone who lived in Canada that the Chinese government was saying, hey, they've done all this awful stuff, the Canadian government would go, prove it, show us.
I just would assume that if, say, there was someone who lived in Canada that the Chinese government was saying, hey, they've done all this awful stuff, the Canadian government would go, prove it, show us.
Right.
You know, and discuss extradition based on what is shared. Not so much, you know, I don't know, if they have no information, just say, give us this guy.
I don't know why anyone would play.
I don't know why anyone would play.
Well, often this is occurring with the help of foreign governments and international law enforcement like Interpol, where the Chinese will come to them and say, look, we need this person, they've committed this crime, we need you to issue an arrest warrant and bring them back.
That's one way in which it can occur. But of course, is that information delivered by the Chinese authorities, is that legitimate or not, is one of the questions.
Or is it being made up in order to bring people of interest back to Chinese soil?
According to FBI Director Wray, when the Chinese aren't able to locate some individuals, they can actually go round to their families' homes in the United States and give them a message to pass on.
So, this is one of the messages which Chris Wray said the Chinese were passing on, which is that, oh, your dad, yeah, your dad, he's got two options.
He can either return to China right now, or he can commit suicide. Which isn't—
That's one way in which it can occur. But of course, is that information delivered by the Chinese authorities, is that legitimate or not, is one of the questions.
Or is it being made up in order to bring people of interest back to Chinese soil?
According to FBI Director Wray, when the Chinese aren't able to locate some individuals, they can actually go round to their families' homes in the United States and give them a message to pass on.
So, this is one of the messages which Chris Wray said the Chinese were passing on, which is that, oh, your dad, yeah, your dad, he's got two options.
He can either return to China right now, or he can commit suicide. Which isn't—
What?
Yeah.
So they're able to, this is a face-to-face interaction?
Face-to-face. They show up on your door or on your family's door and begin to threaten you, surveil you, stalk you.
And people are saying that they've been coerced into leaving the United States and other countries around the world and go back to China.
And there's a great deal of pressure being put on people to do this.
And furthermore, if you have any family members who are back home in China, it's been claimed that there's been a lot of pressure being put back on them.
Some cases they've been arrested in order to create leverage for you to return to China. And it sounds, I mean, it's not very jolly really. It sounds about—
And people are saying that they've been coerced into leaving the United States and other countries around the world and go back to China.
And there's a great deal of pressure being put on people to do this.
And furthermore, if you have any family members who are back home in China, it's been claimed that there's been a lot of pressure being put back on them.
Some cases they've been arrested in order to create leverage for you to return to China. And it sounds, I mean, it's not very jolly really. It sounds about—
Yeah, I'm trying to come up with something funny to say here.
Yeah. Yeah, it's pretty serious. So it sounds a bit like a visit from the heavies or the mob or some sort of organized crime syndicate, doesn't it, rather than the police?
And also that your loved ones are being, you know, threatened, victimized, you know, incarcerated.
Hundreds, if not thousands of people are said to have been repatriated back to China as part of Operation Fox Hunt. And often with the help of foreign governments.
Now, what's happened now is the FBI has issued a warning.
So this has been known about for some years and people like Obama and others have said, you know, this is outrageous what's going on.
You know, there are some people maybe are being brought back legitimately who may have committed some sort of corruption, but maybe there's not sufficient evidence, or maybe they're sort of stretching things too far.
The FBI has just issued a warning related to Operation Fox Hunt, and that's why I'm talking about it today.
According to the FBI, there are now criminals who are posing as Chinese law enforcement officials in the United States.
Now, what's happened now is the FBI has issued a warning.
So this has been known about for some years and people like Obama and others have said, you know, this is outrageous what's going on.
You know, there are some people maybe are being brought back legitimately who may have committed some sort of corruption, but maybe there's not sufficient evidence, or maybe they're sort of stretching things too far.
The FBI has just issued a warning related to Operation Fox Hunt, and that's why I'm talking about it today.
According to the FBI, there are now criminals who are posing as Chinese law enforcement officials in the United States.
No.
And what they're trying to do is they're trying to defraud members of the US-based Chinese community.
Pretending.
Pretending they are part of Operation Fox Hunt. They are saying, "Oi, you're suspected of committing these crimes.
We're going to duff you up or arrest you or take you back to China unless you pay up." So give us some money and we'll go away, but otherwise we're going to take you back to Beijing.
We're going to duff you up or arrest you or take you back to China unless you pay up." So give us some money and we'll go away, but otherwise we're going to take you back to Beijing.
Holy shit, right? The risk is that you have to go back or they tell the Chinese authorities where you are and what you're doing.
Maybe they could do that, but maybe you're not on the list anyway of people who are actually of interest.
So they're just targeting anybody who is US-based Chinese community. That's the—
They certainly could, couldn't they? Because people might think, well, I haven't done anything wrong, but they read so many stories about others.
These criminals who are posing as members of the Chinese authorities are often phoning up their victims using spoofed numbers to appear as though they come from the Chinese ministry or a US-based Chinese consulate as well.
They're showing their victims fraudulent documents as proof of the accusations.
These criminals who are posing as members of the Chinese authorities are often phoning up their victims using spoofed numbers to appear as though they come from the Chinese ministry or a US-based Chinese consulate as well.
They're showing their victims fraudulent documents as proof of the accusations.
Thanks, ChatGPT.
Yeah, realistic-looking arrest warrants. Thank you very much, Photoshop. And intricate details about the lead schemes.
And of course, they will show basic knowledge of their victims to appear more legitimate. Oh yeah, say, oh yeah, we know about Uncle Frank.
You know, whatever they've managed to pick up from social media as well.
And of course, they will show basic knowledge of their victims to appear more legitimate. Oh yeah, say, oh yeah, we know about Uncle Frank.
You know, whatever they've managed to pick up from social media as well.
Oh my God.
So people are obviously petrified.
Right, yeah.
Because, 'Whoa, if I resist, what's going to happen to me?
I don't want to go back to China because it's a fairly serious charge.' This is a little different from, you know, being on the Ashley Madison leak list.
Right.
Yeah.
So one of the thoughts I actually had is, who are the people who are actually committing this crime?
Who are the people who are going around contacting members of the Chinese community pretending to be investigators for China, rounding up criminals? And I thought, well—
Who are the people who are going around contacting members of the Chinese community pretending to be investigators for China, rounding up criminals? And I thought, well—
Good question, yeah.
Surely one group of people who have to be considered as possible suspects could be the actual Chinese agents.
Because the actual Chinese agents would have a list of these are the people we want to bring back to China.
They could show up on their door because they presumably have got the means to find out where these people live in some cases.
And say to them, well, look, pay up, otherwise we really will be taking you back to Beijing.
Because the actual Chinese agents would have a list of these are the people we want to bring back to China.
They could show up on their door because they presumably have got the means to find out where these people live in some cases.
And say to them, well, look, pay up, otherwise we really will be taking you back to Beijing.
Oh, so they're just making a little extra. They're just padding their—
Well, maybe.
Pretty risky considering the Chinese government may not look very kindly on that should they get caught out.
Well, exactly, because you are actually defrauding then Beijing, aren't you? Because you're getting paid to bring people in and then you're trying to skimp the money.
It's a dangerous game to play.
It's a dangerous game to play.
You're skimming the money and not dobbing them in.
Right?
Presumably, because you'd want to hit them up again saying, you know, this is an annual donation you're making.
Right. Yeah, this is your protection fee.
It's a little bit like being a crooked cop who might know who the local drug dealers are and saying, well, you know, I'm not going to bring you down to the station, but, you know, can you give me some of your proceeds?
It's a little bit like being a crooked cop who might know who the local drug dealers are and saying, well, you know, I'm not going to bring you down to the station, but, you know, can you give me some of your proceeds?
This is so outrageous.
Pretty terrifying stuff. So the FBI has some advice you'll be pleased to hear.
So, if you believe that you've been contacted by individuals claiming to be a Chinese authority, they say contact your local FBI field office instead.
Don't just trust them, obviously.
Whether they're a criminal or whether they are legitimate Chinese investigators, speak to the FBI because foreign government officials who are conducting legitimate investigations in the United States have to act in coordination with the US federal authorities.
So call the FBI.
What I'd suggest you don't do is don't call your local Chinese consulate, because just in case you are in the list and they say, oh, oh, thank you for this report, where, where exactly are you calling from today?
Where, where, where you— because you might get— you might find yourself on the next slow boat to China.
So, if you believe that you've been contacted by individuals claiming to be a Chinese authority, they say contact your local FBI field office instead.
Don't just trust them, obviously.
Whether they're a criminal or whether they are legitimate Chinese investigators, speak to the FBI because foreign government officials who are conducting legitimate investigations in the United States have to act in coordination with the US federal authorities.
So call the FBI.
What I'd suggest you don't do is don't call your local Chinese consulate, because just in case you are in the list and they say, oh, oh, thank you for this report, where, where exactly are you calling from today?
Where, where, where you— because you might get— you might find yourself on the next slow boat to China.
Yeah, I think that advice is great if you're legal. Right? And if everything's tickety-boo with your residency in country of choice, yeah, this is a real pickle, man.
Now, Carole, you are originally a Canadian.
Still am, through and through.
And now you're a British citizen as well, aren't you? You went through the whole process.
Do you ever worry that a, you know, member of the Mounted Police Force may show up on his moose?
Do you ever worry that a, you know, member of the Mounted Police Force may show up on his moose?
One could only hope. I did meet a man of police once. I think you were there, and I wound like a weirdo. I just, yeah, it was ridiculous.
Crow, what have you got for us this week?
Ah, well, we are talking Tesla. On April 6th, Reuters issued a special report about Tesla, right? This is the company famously co-founded by that idiot savant Elon Musk.
And the story thankfully does not revolve around Elon, but more about his staff, who according to plaintiffs, severely jeopardized the privacy of their customers, Tesla car owners.
And this has all to do with Tesla cars and their cameras. So I first decided to go check out, I don't own a Tesla, right?
So I went to the Tesla website to just see how many cameras there are on the car. And there's quite a few.
And the story thankfully does not revolve around Elon, but more about his staff, who according to plaintiffs, severely jeopardized the privacy of their customers, Tesla car owners.
And this has all to do with Tesla cars and their cameras. So I first decided to go check out, I don't own a Tesla, right?
So I went to the Tesla website to just see how many cameras there are on the car. And there's quite a few.
Hang on, these are cameras on the inside of the car? Are they?
And on the outside, yes.
Okay.
So you've got cameras on the outside of the car. There's one mounted above the rear license plate. There's a camera mounted in each door pillar.
And there's a camera mounted on each front fender. A lot of cameras on the outside of the car. And there's 3 cameras mounted on the windshield above the rearview mirror.
And there's a camera mounted on each front fender. A lot of cameras on the outside of the car. And there's 3 cameras mounted on the windshield above the rearview mirror.
Right.
And the point of these is to help you with lane assist, collision avoidance assist, speed assist.
There's also the cabin camera, which is available, and this helps alert the driver in case they're not paying enough attention, right?
It might provide you an audible alert to remind you to keep your eyes on the road and stop looking at your Tinder account or something.
There's also the cabin camera, which is available, and this helps alert the driver in case they're not paying enough attention, right?
It might provide you an audible alert to remind you to keep your eyes on the road and stop looking at your Tinder account or something.
Because Teslas, I mean, the eventual aim, and maybe some Teslas already do this, they drive themselves, or that's what they're all working on.
So I suppose there's something to say, you know, occasionally maybe, 'Pay some attention to what's going on. Stop reading a book. Stop playing Scrabble.' Right.
So I suppose there's something to say, you know, occasionally maybe, 'Pay some attention to what's going on. Stop reading a book. Stop playing Scrabble.' Right.
And I mean, the whole point is to grab the images around that perhaps maybe it can't understand, right? So maybe, maybe the car has no idea what that is in front of it.
And so it sends it back to base to get some information, right?
And so it sends it back to base to get some information, right?
Yeah. Yeah. Yeah. Makes sense.
You know, it's a learning model. So here's a statement I've just put in the show notes. Maybe you can read it for us.
This is a statement from Tesla explaining how these images and videos that they collect work.
This is a statement from Tesla explaining how these images and videos that they collect work.
Okay, so it says, by default, images and video from the camera do not leave the vehicle itself and are not transmitted to anyone, including Tesla, unless you enable data sharing.
If you enable data sharing and a safety-critical event occurs, such as a collision— I love that, safety-critical event.
If you enable data sharing and a safety-critical event occurs, such as a collision— I love that, safety-critical event.
Crash, bang, boom.
Yeah.
The Model 3 shares short cabin camera video clips with Tesla to help us develop future safety enhancements and continuously improve the intelligence of features that rely on the cabin camera.
The Model 3 shares short cabin camera video clips with Tesla to help us develop future safety enhancements and continuously improve the intelligence of features that rely on the cabin camera.
Sounds pretty legit, right? So these cameras are there for our protection if we're a Tesla driver, to improve services diagnostics, right?
And I checked out its privacy notice and it opens its privacy notice with, "Your privacy is and will always be enormously important to us." And it also says in it, "Even if you choose to opt in," and this is to data sharing, "unless we receive the data as a result of a safety event," you know, vehicle collision, airbag deployment, "camera recordings remain anonymous and are not linked to you or your vehicle." Right.
Okay?
And I checked out its privacy notice and it opens its privacy notice with, "Your privacy is and will always be enormously important to us." And it also says in it, "Even if you choose to opt in," and this is to data sharing, "unless we receive the data as a result of a safety event," you know, vehicle collision, airbag deployment, "camera recordings remain anonymous and are not linked to you or your vehicle." Right.
Okay?
Right, yes.
So we got a lot of, you know, privacy is really important to you and us messaging. Here to assuage people's fears that they might be being watched.
Yeah, and you have to enable data sharing. So you have to opt into this from the sound of things.
Yes, but I think in this situation, I would be more compelled to opt into this kind of data sharing because it's a freaking car and I could die if it didn't understand something.
And we all know it's crowdsourced in that way. So I don't know.
And yet, Graham, and yet, and yet, and yet, between 2019 and 2022, according to interviews by Reuters with 9 former employees, groups of Tesla employees used internal messaging systems to share videos and images recorded by customer car cameras.
And we all know it's crowdsourced in that way. So I don't know.
And yet, Graham, and yet, and yet, and yet, between 2019 and 2022, according to interviews by Reuters with 9 former employees, groups of Tesla employees used internal messaging systems to share videos and images recorded by customer car cameras.
This is the Roomba thing all over again. Do you remember when the—
Yes.
Yes. When the vacuum cleaners—
Maybe that's what set it off. Maybe Tesla were like, oh, we could do that too.
They took videos of people on the loo and stuff like that. And there were Roomba employees who were having a good old laugh about that. So Tesla workers are doing this as well. Great.
Well, not all Tesla workers, right?
Presumably they're not sitting on the loo inside the Tesla either. I mean, God, I hope not. That would cause an accident.
Two former employees said that in their normal work duties, they were sometimes asked to view images of customers in and around their homes, including inside their garages.
One person recalled seeing embarrassing objects such as certain pieces of laundry, certain sexual wellness items, which I love that word. This is a quote.
One person recalled seeing embarrassing objects such as certain pieces of laundry, certain sexual wellness items, which I love that word. This is a quote.
So I'm just— so hang on. It sounds like they are collecting video footage and pictures even when the vehicle isn't moving.
So if it's in a, for instance, in a garage, it's not moving.
So if it's in a, for instance, in a garage, it's not moving.
If you—
If I were in a lay-by with my partner and, you know, I mean, this wouldn't happen to me, obviously, because I'm of a certain age.
But if I were a young man and I thought, oh, maybe we could just have a little a little, you know, a little chat, a little fumble around on the back seat.
Could that potentially be uploaded? Yes.
But if I were a young man and I thought, oh, maybe we could just have a little a little, you know, a little chat, a little fumble around on the back seat.
Could that potentially be uploaded? Yes.
Yes.
Oh no.
Especially if your car is plugged in, right? And getting battery charging, as you get your batteries recharged in the back seat. So it—
I'd be lucky to be plugged in.
But anyway, yes.
With the less sensationalist stuff, some of these employees at Tesla would create memes and post them to the internal messaging system in order to get kudos from other employees.
Some said basically those that were considered funny and getting high fives around the coffee machine afterwards saying, "Oh, that was a really funny one," tended to get promoted.
With the less sensationalist stuff, some of these employees at Tesla would create memes and post them to the internal messaging system in order to get kudos from other employees.
Some said basically those that were considered funny and getting high fives around the coffee machine afterwards saying, "Oh, that was a really funny one," tended to get promoted.
What?
Because they got popular. They were funny. They were liked. They're a bunch of 20 and 30-year-olds, right?
A lot of them have to basically look at images all day and explain in a database, this is what it is to teach the algorithm. There's still some manual processes through that.
So I can imagine it could be a mundane task.
A lot of them have to basically look at images all day and explain in a database, this is what it is to teach the algorithm. There's still some manual processes through that.
So I can imagine it could be a mundane task.
And we do know that the boss of Tesla, Elon Musk, he loves a meme, doesn't he? He loves posting up juvenile—
Yeah, I'm not convinced that he wouldn't have a chuckle at these things, right? Of course.
But then there was one clip of someone being dragged into a car seemingly against their will.
An ex-employee told Reuters, one ex-employee described a video of a man approaching the vehicle completely in the nude.
But then there was one clip of someone being dragged into a car seemingly against their will.
An ex-employee told Reuters, one ex-employee described a video of a man approaching the vehicle completely in the nude.
Oof.
And there's crash and road rage incidents.
So one crash video in 2021 showed a Tesla driving at high speed in a residential area, hitting a child riding a bike, according to an employee.
The child flew in one direction, the bike in the other.
The video spread around the Tesla office in San Mateo, California, via private one-to-one chats like wildfire, the employee told Reuters.
So one crash video in 2021 showed a Tesla driving at high speed in a residential area, hitting a child riding a bike, according to an employee.
The child flew in one direction, the bike in the other.
The video spread around the Tesla office in San Mateo, California, via private one-to-one chats like wildfire, the employee told Reuters.
It sounds like sharing a snuff movie or something. How unpleasant. Who'd want to see a crash?
Yeah, no, no, it's crazy stuff. And about 3 years ago, some employees stumbled upon and shared a video of a unique submersible vehicle parked inside a garage.
And this is according to two ex-employees who viewed it. Nicknamed Wet Nelly, the White Lotus Esprit sub had been featured in the 1977 James Bond film The Spy Who Loved Me.
Who owned this car?
And this is according to two ex-employees who viewed it. Nicknamed Wet Nelly, the White Lotus Esprit sub had been featured in the 1977 James Bond film The Spy Who Loved Me.
Who owned this car?
I'm going to think it would have to be someone with a lot of disposable income.
About $968,000.
Who also owns a Tesla. I wonder who would be very rich to buy such a piece of movie memorabilia. Hmm. Who could that be?
Tesla Chief Executive Elon Musk bought it at auction in 2013. It's not clear that Musk was aware of the video that had been shared. So maybe even he is not safe from his employees.
So okay, so how do you feel about this? I know there's something distasteful here, right?
But I'm going to argue for the other side for, you know, for our listeners' interest's sake, right? These are employees who work at hip and cool Tesla office where memes are cool.
Most of them are 20 to 30 years old doing mundane work like labelling images to improve the car's understanding of what is around them and you land upon something unusual, like maybe it's scary, hilarious, salacious, and you share it.
You kind of nudge your employee next to you, "Hey, check this out, check this out." It's not like the information went outside the company, right?
So okay, so how do you feel about this? I know there's something distasteful here, right?
But I'm going to argue for the other side for, you know, for our listeners' interest's sake, right? These are employees who work at hip and cool Tesla office where memes are cool.
Most of them are 20 to 30 years old doing mundane work like labelling images to improve the car's understanding of what is around them and you land upon something unusual, like maybe it's scary, hilarious, salacious, and you share it.
You kind of nudge your employee next to you, "Hey, check this out, check this out." It's not like the information went outside the company, right?
If my bare buttocks are protruding high up in the air because I'm up to some shenanigans in the back of a Tesla, I don't want some oily, horrible Tesla bloke.
Sure, I completely understand that.
But let's say, because you had the data sharing that you did, or there was a fault or whatever, that image gets uploaded to some kid who's working at Tesla.
But let's say, because you had the data sharing that you did, or there was a fault or whatever, that image gets uploaded to some kid who's working at Tesla.
Imagine the trauma it would cause them. I'm worried about them, not me.
If I got the image of your, you know, moon bouncing up and down the back seat of a Tesla, okay. Having no idea it was you.
You'd know it was me. You'd know it was me.
Would I nudge someone next door and go "check this out"? I probably would. And that's what these guys have done. And it's seriously bad.
So it's very good that I don't work in a very serious job like this, right?
So it's very good that I don't work in a very serious job like this, right?
Yes. Very, very good. You'd be an awful employee.
Well, yes. And also Tesla is now facing a lawsuit because of this.
Of course. Of course it is.
So last week, plaintiff Henry Yeh, a California resident who owns a Model Y, sued Tesla on behalf of himself and all the other people in the US who owned at least a Tesla any time in the past four years.
He says, quote: "Tesla captures recordings of people vulnerable on their own property, in their own garages, and even in their own homes, including at least one instance where Tesla cameras were captured a video of a man naked in his home.
Tesla has also captured and disseminated videos and images of customers' pets and even their children, a group that society has long recognised as vulnerable to exploitation and manipulation.
Parents' interest in their child's privacy is one of the most fundamental liberty interests society recognises." So yet this is a serious sticky pickle for this idiot savant, Musky Musk, to crawl out of.
I know, at least you can run on Twitter, right?
He says, quote: "Tesla captures recordings of people vulnerable on their own property, in their own garages, and even in their own homes, including at least one instance where Tesla cameras were captured a video of a man naked in his home.
Tesla has also captured and disseminated videos and images of customers' pets and even their children, a group that society has long recognised as vulnerable to exploitation and manipulation.
Parents' interest in their child's privacy is one of the most fundamental liberty interests society recognises." So yet this is a serious sticky pickle for this idiot savant, Musky Musk, to crawl out of.
I know, at least you can run on Twitter, right?
There's a bit—
Keep his pecker up. There's what?
There's a bit of me which thinks bloody Americans suing everyone left, right, and centre and trying to make a million bucks out of—yeah, this company's stupidity.
But then I think well, no, why shouldn't he? Because what the bloody hell are Tesla doing allowing their employees to do this and act in this inappropriate way?
But then I think well, no, why shouldn't he? Because what the bloody hell are Tesla doing allowing their employees to do this and act in this inappropriate way?
But to your point earlier, if you spent gazillions on one of these new flashy, flash, flash cars and all over their website is privacy is important, privacy number one, privacy, privacy, and then you hear about this.
Yeah, you'd be pissed. I'd want my money back. So I understand.
Yeah, you'd be pissed. I'd want my money back. So I understand.
Yeah.
Yeah.
I wonder if Elon wants his money back from buying that James Bond submarine car.
He might want to sell it just to help prop Twitter up.
Twitter up? Twitter up? It's not that kind of show.
No, definitely not.
Any company can say they're trustworthy, but with this week's sponsor, Drata, you can prove it.
With over 14 frameworks including SOC 2, GDPR, HIPAA, and ISO 27001, Drata gets you audit-ready for crucial security standards needed to scale your business.
Automated controls, over 75 integrations, and 24-hour monitoring keeps your company in compliance without manual work.
And with a new open API and plenty of customization, you can build your program your way. With over 360 5-star reviews, Drata is the highest-rated cloud compliance platform on G2.
Countless security professionals from companies like Notion, Lemonade, and BambooHR have shared how crucial it's been to have Drata as their trusted compliance partner.
So listeners of Smashing Security, you can get 10% off Drata and waived implementation fees at smashingsecurity.com/drata. That's smashingsecurity.com/drata.
With over 14 frameworks including SOC 2, GDPR, HIPAA, and ISO 27001, Drata gets you audit-ready for crucial security standards needed to scale your business.
Automated controls, over 75 integrations, and 24-hour monitoring keeps your company in compliance without manual work.
And with a new open API and plenty of customization, you can build your program your way. With over 360 5-star reviews, Drata is the highest-rated cloud compliance platform on G2.
Countless security professionals from companies like Notion, Lemonade, and BambooHR have shared how crucial it's been to have Drata as their trusted compliance partner.
So listeners of Smashing Security, you can get 10% off Drata and waived implementation fees at smashingsecurity.com/drata. That's smashingsecurity.com/drata.
Our sponsor Kolide has some big news. If you're an Okta user, then you can get your entire fleet to 100% compliance.
How?
If a device isn't compliant, the user can't log into your cloud apps until they fix the problem. It's that simple.
Kolide patches one of the major holes in zero-trust architecture: device compliance.
Without Kolide, IT struggles to solve basic problems keeping everyone's OS and browser up to date.
Insecure devices are logging into your company's apps, but there's nothing there to stop them.
Kolide is the only device trust solution that enforces compliance as part of authentication, and it's built to work seamlessly with Okta.
The moment Kolide's agents detect a problem, it alerts the user and gives them instructions to fix it. If they don't fix the problem within a set time, they're blocked.
Kolide's method means fewer support tickets, less frustration, and most importantly, 100% fleet compliance. Wanna learn more? Of course you do. Visit kolide.com/smashing.
That's kolide.com/smashing. And thanks to Kolide for sponsoring the show.
Kolide patches one of the major holes in zero-trust architecture: device compliance.
Without Kolide, IT struggles to solve basic problems keeping everyone's OS and browser up to date.
Insecure devices are logging into your company's apps, but there's nothing there to stop them.
Kolide is the only device trust solution that enforces compliance as part of authentication, and it's built to work seamlessly with Okta.
The moment Kolide's agents detect a problem, it alerts the user and gives them instructions to fix it. If they don't fix the problem within a set time, they're blocked.
Kolide's method means fewer support tickets, less frustration, and most importantly, 100% fleet compliance. Wanna learn more? Of course you do. Visit kolide.com/smashing.
That's kolide.com/smashing. And thanks to Kolide for sponsoring the show.
Our friends at Bitwarden have been busy this month adding some fab new features to their open-source password management solution.
Now, did you know that you can log into Bitwarden using a secondary device instead of your master password? Well, now you do.
Logging in with a device is a passwordless approach to authentication.
It removes the need to enter your master password by sending authentication requests to other devices you're currently logged into for approval.
With Login for Device, it can be initiated on the Web Vault, browser extension, desktop app, mobile app, and you can approve access on your mobile and desktop app version of Bitwarden.
Very, very cool. And the Bitwarden team has hardened the security of its vaults, protecting new vaults with 600,000 iterations by default.
And of course, existing accounts can also update themselves to the same level.
These and many other great security features are incorporated all the time into Bitwarden, keeping your passwords secure from hackers.
Learn more, try Bitwarden for yourself at bitwarden.com/smashing. That's bitwarden.com/smashing. And welcome back.
Can you join us at our favorite part of the show, the part of the show that we to call Pick of the Week.
Now, did you know that you can log into Bitwarden using a secondary device instead of your master password? Well, now you do.
Logging in with a device is a passwordless approach to authentication.
It removes the need to enter your master password by sending authentication requests to other devices you're currently logged into for approval.
With Login for Device, it can be initiated on the Web Vault, browser extension, desktop app, mobile app, and you can approve access on your mobile and desktop app version of Bitwarden.
Very, very cool. And the Bitwarden team has hardened the security of its vaults, protecting new vaults with 600,000 iterations by default.
And of course, existing accounts can also update themselves to the same level.
These and many other great security features are incorporated all the time into Bitwarden, keeping your passwords secure from hackers.
Learn more, try Bitwarden for yourself at bitwarden.com/smashing. That's bitwarden.com/smashing. And welcome back.
Can you join us at our favorite part of the show, the part of the show that we to call Pick of the Week.
Pick of the Week.
Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.
It doesn't have to be security related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.
It doesn't have to be security related necessarily.
Better not be.
Well, my pick of the week this week is not security related. It is musical. Musical? It's musical and videographical. It's visual as well. So that's the word I'm looking for.
It's both musical and visual. It comes to you in the form of a YouTube channel. And this YouTube channel is called the Device Orchestra. Have you heard of Device Orchestra?
There is a guy out there who plays music covers, but not using musical instruments. He uses electric toothbrushes, credit card machines, typewriters, all kinds of gizmos which go.
He's given them googly eyes. Some have got wigs and pipe cleaner arms.
It's both musical and visual. It comes to you in the form of a YouTube channel. And this YouTube channel is called the Device Orchestra. Have you heard of Device Orchestra?
There is a guy out there who plays music covers, but not using musical instruments. He uses electric toothbrushes, credit card machines, typewriters, all kinds of gizmos which go.
He's given them googly eyes. Some have got wigs and pipe cleaner arms.
I was just listening to Wannabe.
Some of them are pretty good. So maybe we can check out a little bit. Here's that Deep Purple song, Smoke on the Water, as played on two electric toothbrushes and a steam iron.
Oh my God, it's so beautiful.
It is beautiful. The creations remind me a little bit of some of your cartoons, actually, Kryll.
Oh, look at the iron.
Yes.
Oh, I might have to leave my husband. Is this a man?
Is he available?
I don't even mind. I'm into women too.
Anyway, so there are scores of these videos covering different songs and Thom Langford, I hope you're listening.
Check it out. This is right up his alley.
There's lots of songs. Eye of the Tiger.
Total Eclipse of the Heart. Hello from Lionel Richie.
Oh, now you're pulling out the big guns. Don't know about those, but you can make requests.
Yeah, I've just made them on air, live. Okay.
Anyway, my recommendation, I think you'll probably also find him on Instagram and other places as well, but the main place to go is YouTube. YouTube and check out Device Orchestra.
And very entertaining and creative it is too. And that is why it is my pick of the week.
And very entertaining and creative it is too. And that is why it is my pick of the week.
Brilliant.
Carole, what's your pick of the week?
Graham, I just want to pat you on the back for that one. That's an excellent one.
Oh, thank you very much.
Yeah, that's very good.
Are you saying that because you want me to be appreciative of whatever your pick of the week is?
No, I don't need you at all for mine.
No?
You can just stay.
All right.
I'm okay.
Fuck you.
I'm very confident in mine.
Fine.
I have a fresh and fun romantic comedy, which I'm not normally into, right? It's a TV series. It's called Colin the Accountant. It's an Aussie comedy.
And it starts off with a car accident and an injured dog, which bring our two protagonists, Ashley, a student doctor, and Gordon, a microbrewery owner together.
And it starts off with a car accident and an injured dog, which bring our two protagonists, Ashley, a student doctor, and Gordon, a microbrewery owner together.
So did you say brewery? I wasn't quite sure.
How do you say— how do you say it? Brewery. And I watched the first episode and I was like, okay, I got it, right? Yeah, yeah, yeah. Cute, cute, meet cute.
But then there's extra reveals in store. The characters get complex and a little not perfectly— you know what I mean? They're not cookie cutouts.
They've got some dark patches as well. There's one character that has a big poo at the other's house when they're both only to discover that the water has been turned off.
But then there's extra reveals in store. The characters get complex and a little not perfectly— you know what I mean? They're not cookie cutouts.
They've got some dark patches as well. There's one character that has a big poo at the other's house when they're both only to discover that the water has been turned off.
We've all been there.
What do you do now? Right? I'm actually going to use that. I'm going to use that in my next Ticky Pickle, I think, literally.
Now, Colin the Accountant has a similar flair to When Harry Met Sally, Catastrophe. Right? Like smart, smart, comedic, meet cute.
And it's like, "Will they, won't they?" A pull between the characters. I think you'd love it, Graham.
Now, Colin the Accountant has a similar flair to When Harry Met Sally, Catastrophe. Right? Like smart, smart, comedic, meet cute.
And it's like, "Will they, won't they?" A pull between the characters. I think you'd love it, Graham.
And I think it's— It is on my radar because I have already seen the trailer.
And I read, I think it's on The Guardian website, they did a little review of it, and they raved about it and said how wonderful it was. You read that as well, did you?
And I read, I think it's on The Guardian website, they did a little review of it, and they raved about it and said how wonderful it was. You read that as well, did you?
I saw it today because I was just checking to see, to make sure that I wasn't alone. Because I'm happy to be alone. I'm happy to present that and say, "Everyone bitched about it.
I loved it." Happy to do that. But I just wanted to know. But it seems as though it's a crowd pleaser.
I loved it." Happy to do that. But I just wanted to know. But it seems as though it's a crowd pleaser.
It does. It does. So I definitely do want to check it out sometime. And it sounded quite amusing how the show starts.
Yeah, because I'd had guests in the house for the last week. And last night was the first night where me and the hubs were on our own. And he'd sourced this show.
And it was very cute to have a little kind of R&R time.
And it was very cute to have a little kind of R&R time.
Oh, I thought you were going to say you got in the back of a Tesla.
We didn't exactly Netflix and chill, but you know, put a smile on her face, the show.
Is that because it's on Amazon Prime rather than Netflix?
There are no real accountants, okay? But I'll just say that the actor who plays Colin the accountant works like a dog to deliver a paw-fect performance. Quote The Guardian.
It's streaming on Binge. Yeah, streaming on Binge, which is an Aussie streaming platform, and it has just been released on Amazon Prime. So enjoy Colin the Accountant.
It's streaming on Binge. Yeah, streaming on Binge, which is an Aussie streaming platform, and it has just been released on Amazon Prime. So enjoy Colin the Accountant.
Well, that sounds quite fun. Thank you for the recommendation, Carole.
You're very welcome.
And that just about wraps up the show for this week. You can follow us on Twitter @SmashingSecurity, no G, Twitter doesn't allow us to have a G. We also have an account on Mastodon.
Look for Smashing Security up there. And don't forget to ensure you never miss another episode.
Follow Smashing Security in your favorite podcast apps such as Apple Podcasts and Spotify.
Look for Smashing Security up there. And don't forget to ensure you never miss another episode.
Follow Smashing Security in your favorite podcast apps such as Apple Podcasts and Spotify.
And massive shout out to this episode's sponsors, Bitwarden, Kolide, and Drata, and to our wonderful Patreon community. It's thanks to them all that this show is free.
For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 317 episodes, check out smashingsecurity.com.
For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 317 episodes, check out smashingsecurity.com.
Until next time, cheerio, bye-bye.
Bye. I'll see you on the other side of a holiday.
Yeah, have fun.
Bloody hope so. It's gonna be hot. It's gonna be hot. I gotta get and find my summer clothing. Jesus. Gotta go.
Bye.
Warning: This podcast may contain nuts, adult themes, and rude language.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Episode links:
- Countering Threats Posed by the Chinese Government Inside the US – Speech by the FBI’s Christopher Wray.
- Criminals Pose as Chinese Authorities to Target US-based Chinese Community – FBI.
- FBI: How fake Xi cops prey on Chinese nationals in the US – The Register.
- Special Report: Tesla workers shared sensitive images recorded by customer cars – Reuters.
- 303: Secret Roomba snaps, Christmas cab scams, and the future of AI – Smashing Security.
- Lawsuit: Tesla must be punished for “tasteless” sharing of car-camera images – Ars Technica.
- Customer Privacy Notice – Tesla.
- Tesla hit with class action lawsuit over alleged privacy intrusion – Reuters.
- Tesla About Autopilot – Tesla.
- “Wet Nellie” – Wikipedia.
- Device Orchestra – YouTube.
- “Smoke on the Water”, as performed by Device Orchestra – YouTube.
- “Eye of the Tiger”, as performed by Device Orchestra – YouTube.
- Cabin Camera – Tesla.
- Colin from Accounts – Amazon Prime.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Zero Trust for Okta. Watch a demo today!
- Drata – With over 14 frameworks including SOC2, GDPR, HIPAA, and ISO 27001, Drata gets you audit-ready for crucial security standards needed to scale your business. As a listener to Smashing Security you can save 10% off Drata and have implementation fees waived.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
