Going for a jog can be bad for your privacy (but even worse for your health), and Britain’s consumer finance champion finds his face is being faked.
All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Warning: This podcast may contain nuts, adult themes, and rude language.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
You're not allowed to put live people on a stamp.
Is that true?
Yeah, because otherwise if you put a live person on, they might do something naughty later.
Exactly.
Yeah, exactly.
Yeah.
You don't want to be licking the backside of— Smashing Security, episode 330, deepfake Martin Lewis and a deadly jog in the park with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security. Episode 330. My name's Graham Cluley.
Hello, hello, and welcome to Smashing Security. Episode 330. My name's Graham Cluley.
And I'm Carole Theriault.
Hi, Carole. How are you doing?
I'm great. More to the point, how are you?
Well, it's been a crazy few days. A number of things have occurred. The first is that I've moved house.
I'm literally surrounded by boxes full of leads, as if my life isn't always surrounded by boxes full of leads and technology.
I'm literally surrounded by boxes full of leads, as if my life isn't always surrounded by boxes full of leads and technology.
I was going to say.
Yes, things I don't understand, things that— why have I kept that? What am I doing with this?
And also I've had huge, huge internet problems because I thought I'd organized for the internet to be here, but it turned out I hadn't.
And also I've had huge, huge internet problems because I thought I'd organized for the internet to be here, but it turned out I hadn't.
And that is why we are recording just mere hours before we go live.
Just hours.
And we had to say no to our guest this week because you had to change the times from the recording because of your internet woes.
Don't remind me. Sorry, guest. Sorry, guest. We'll have you back on another time.
Very soon, because she's great. How do you feel about getting the show on the road?
Let's do it.
But before we kick off, let's thank this week's wonderful sponsors. We have Collide, Sysdig, and Drata. It's their support that helps us give you this show for free.
Now coming up in today's show, Graham, what do you got?
Now coming up in today's show, Graham, what do you got?
Well, going for a jog can be bad for your privacy, but even worse for your health. Okay.
And I'm gonna look at the bamboozling and deeply convincing deepfakes. All of this and much more coming up on this episode of Smashing Security.
Now, Chum Chum, I am indebted this week to one of our friends on Reddit. Frightenstein is his or her name.
And they pointed me towards this story, which comes from the Kyiv Post all the way in Ukraine. And interesting story.
So there is this chap, his name is— and I apologise to anyone listening who has a better understanding of names from that sort of general part of the world than myself— Stanislav Ryzitskiy.
And Stanislav Ryzitskiy, he likes to keep fit. I mean, don't we all?
And they pointed me towards this story, which comes from the Kyiv Post all the way in Ukraine. And interesting story.
So there is this chap, his name is— and I apologise to anyone listening who has a better understanding of names from that sort of general part of the world than myself— Stanislav Ryzitskiy.
And Stanislav Ryzitskiy, he likes to keep fit. I mean, don't we all?
Maybe we could just call him Stan. We can call him Stan. Or Slav. Stanislav.
Stanislav. Stanislav. Anyway, so he likes to keep fit, right? Stanislav, he likes to keep fit. And on Monday, Monday of this week, in fact, he went out for a jog as normal.
Just went out for a jog. Likes to keep fit. You and I, Carole, we know we love a bit of fitness, love running around the park, you know, improving our PB, our personal best.
You get on your rowing machine.
Just went out for a jog. Likes to keep fit. You and I, Carole, we know we love a bit of fitness, love running around the park, you know, improving our PB, our personal best.
You get on your rowing machine.
I'm very fit, Graham.
I know you are. You are— Oh, you're a piece of pink steel, aren't you? You are just all sinew and— aren't you? That's all you are.
So rude. One would think you're jealous.
Stanislav. He went out for a jog as normal around his local park in the city of Krasnodar, which is in southern Russia.
Okay.
Have you ever been into jogging?
Yes.
Yes.
We had a little stint of jogging, you and I, once long ago.
We did, didn't we? We did pretty well. And it wasn't just once, was it? We used to go out every lunchtime, going for a little jog. Hurts the knees eventually, I found, but—
Oh, you're a little older than I am, though.
Now, Stanislav, he won't be going out jogging anymore. He's not going to be doing that. Not because he hated the jog, not because his knees hurt or something like that.
What happened?
Because someone shot him dead.
Well, I was wondering, is he— it's kind of a war area. I didn't know if people would go jogging. I don't know. I don't know anything about war.
So, well, he's in Krasnodar, which is in Russia.
Right.
He's not in Ukraine. But it is true to say that he is the deputy chief. He is a military man. He's the deputy chief of the Department for Mobilisation in Krasnodar.
And he has commanded a submarine in Russia's Black Sea Fleet. A submarine which is said to have been used to launch deadly missile attacks against Ukrainian cities.
So he is involved in the conflict out there.
And he has commanded a submarine in Russia's Black Sea Fleet. A submarine which is said to have been used to launch deadly missile attacks against Ukrainian cities.
So he is involved in the conflict out there.
Yeah, I would call that involved.
Yes, absolutely. Quite involved.
Understatement of the year, but yeah.
But presumably he felt safe jogging around Krasnodar in Russia.
And according to TASS, which is the Russian state news agency, they say that local police are reporting that he was shot 4 times while he was out jogging.
Police are investigating, blah, blah, blah. Now, it hasn't been confirmed who actually killed Stanislav Ryzhitsky.
But what happened as well on Monday was that Ukraine's Defence Intelligence Agency, who are called HUR, the H-U-R, they say, well, they seem to know quite a bit about the shooting.
And they filled in some of the details when they posted on Telegram about it. According to them, Stanislav, he loved to have a little run early in the morning.
They say he was out jogging in the Krasnodar Park of Culture and Recreation. Have you ever heard a more Russian name for a park than the Park of Culture and Recreation?
Anyway, he was out at roundabout 6 AM. And they say that 7 shots fired out at Stanislav from a Makarov pistol. Now, I find that it's how would they know what kind of pistol was used?
Peculiar, doesn't it? How would they know? Anyway, they say it was from a Makarov pistol. And as a result, Ryzhitsky, they say, died on the spot.
And they share some other information as well about the weather. Which is always important. Everyone's interested.
They say, "Due to heavy rain, the park was deserted, so there were no witnesses who could provide details or identify the attacker." And this is Ukraine.
And according to TASS, which is the Russian state news agency, they say that local police are reporting that he was shot 4 times while he was out jogging.
Police are investigating, blah, blah, blah. Now, it hasn't been confirmed who actually killed Stanislav Ryzhitsky.
But what happened as well on Monday was that Ukraine's Defence Intelligence Agency, who are called HUR, the H-U-R, they say, well, they seem to know quite a bit about the shooting.
And they filled in some of the details when they posted on Telegram about it. According to them, Stanislav, he loved to have a little run early in the morning.
They say he was out jogging in the Krasnodar Park of Culture and Recreation. Have you ever heard a more Russian name for a park than the Park of Culture and Recreation?
Anyway, he was out at roundabout 6 AM. And they say that 7 shots fired out at Stanislav from a Makarov pistol. Now, I find that it's how would they know what kind of pistol was used?
Peculiar, doesn't it? How would they know? Anyway, they say it was from a Makarov pistol. And as a result, Ryzhitsky, they say, died on the spot.
And they share some other information as well about the weather. Which is always important. Everyone's interested.
They say, "Due to heavy rain, the park was deserted, so there were no witnesses who could provide details or identify the attacker." And this is Ukraine.
Because no one was around except for the guy who decided to go for a run in the rain.
At 6 AM.
At 6 AM. He's hardcore, yeah.
Yeah, he's hardcore. He's taking this seriously. So they were fairly confident the shooter had got away unseen. That was their opinion, was that, you know, been mentioned.
Now, the FSB, Russia's secret service, they later issued a press release saying that a 64-year-old man had been arrested in relation to the killing.
So the question— well, there's a few questions here.
First of all, how did Ukraine's Defence Intelligence Agency appear to know so much about this if they weren't involved themselves?
But also, how did the shooter know that Ryzhitsky— if he was being specifically targeted, how did they know where he was going to be and when.
Now, the FSB, Russia's secret service, they later issued a press release saying that a 64-year-old man had been arrested in relation to the killing.
So the question— well, there's a few questions here.
First of all, how did Ukraine's Defence Intelligence Agency appear to know so much about this if they weren't involved themselves?
But also, how did the shooter know that Ryzhitsky— if he was being specifically targeted, how did they know where he was going to be and when.
Well, okay, often I would say runners would normally take the similar route. So if you were spying on this person, you might go, oh, he runs every day at this time in this place.
Yeah, yeah, that sounds possible.
But I'm guessing, because this is Smashing Security, there is going to be some smart tech involved.
There is. Or maybe not so smart tech. Perhaps.
Yeah, dumb tech, asshole tech.
Just tech. I mean, Miko says if it's smart, it's stupid, doesn't he? So anything which is called smart is normally dumb or dangerous.
Well, we don't know for sure, but what we do know is that there is a Strava profile for someone calling themselves Stanislav Ryzitskiy.
And that, of course, Strava, of course, is the app which records runs, shares them with other online users.
And we've spoken before about the privacy risks associated with Strava even including military and information about military bases, which has been seemingly spilt online via Strava.
But I don't think we've ever heard about blood being spilt before as a result of maybe things being posted on Strava.
Well, we don't know for sure, but what we do know is that there is a Strava profile for someone calling themselves Stanislav Ryzitskiy.
And that, of course, Strava, of course, is the app which records runs, shares them with other online users.
And we've spoken before about the privacy risks associated with Strava even including military and information about military bases, which has been seemingly spilt online via Strava.
But I don't think we've ever heard about blood being spilt before as a result of maybe things being posted on Strava.
It's interesting because people on YouTube or whatever, or commenters and that kind of ilk, will often have a username that doesn't necessarily identify them to their real identity.
And yet with Strava, because probably there's a show-off element to it, like, hey, look what I did today. I actually exercised. You know, I'm top of the leaderboard. I'm the best.
You know, I do run every day. Here's proof. So maybe there's that weird show-offy thing that makes people put in their real names because, why wouldn't you just have a username?
And yet with Strava, because probably there's a show-off element to it, like, hey, look what I did today. I actually exercised. You know, I'm top of the leaderboard. I'm the best.
You know, I do run every day. Here's proof. So maybe there's that weird show-offy thing that makes people put in their real names because, why wouldn't you just have a username?
I think that's very true. You don't call yourself sort of, you know, Sausage Dog or something like that. You call yourself—
Well, you could, Graham. I think maybe, you know.
Yeah, maybe I should be a sausage dog.
No, not only is there an account on Strava in Stanislav Razitsky's name, there are also photos posted on the account which do apparently bear more than a passing resemblance to the Russian commander as well.
And there's a cycle ride which was recorded on the hills outside the city of Krasnodar in the weekend before he was shot dead.
And indeed, the last run which was taken shows him at the location of the shooting.
So it appears that this guy had recorded on Strava, because that's the way it works, Carole, is if you have something on Strava, it doesn't sort of livestream it to Strava.
At the end of your run, you then say, oh yeah, send that to Strava, please. That's one I'm proud of.
No, not only is there an account on Strava in Stanislav Razitsky's name, there are also photos posted on the account which do apparently bear more than a passing resemblance to the Russian commander as well.
And there's a cycle ride which was recorded on the hills outside the city of Krasnodar in the weekend before he was shot dead.
And indeed, the last run which was taken shows him at the location of the shooting.
So it appears that this guy had recorded on Strava, because that's the way it works, Carole, is if you have something on Strava, it doesn't sort of livestream it to Strava.
At the end of your run, you then say, oh yeah, send that to Strava, please. That's one I'm proud of.
And then it uploads it and says, this is the time, here's the route you took, this is how long.
Right. So it wouldn't necessarily be the case that the run he did, which he, you know, obviously came to a sticky end on, that one was uploaded, but his previous run is there.
So was someone watching his runs? Well, we don't know for sure, but here's the really weird thing.
If you look him up on Strava, if you look at his last recorded run, which was at the location where the shooting took place, it has been liked by other people.
4 other people have liked his run. And one of the people who has liked his previous last run is a guy called Kirillov Budanov. And he is a major general.
Major General Kirillov Budanov, head of Ukraine's military intelligence. Now, I put it to you that possibly they are not running buddies. These two guys.
So was someone watching his runs? Well, we don't know for sure, but here's the really weird thing.
If you look him up on Strava, if you look at his last recorded run, which was at the location where the shooting took place, it has been liked by other people.
4 other people have liked his run. And one of the people who has liked his previous last run is a guy called Kirillov Budanov. And he is a major general.
Major General Kirillov Budanov, head of Ukraine's military intelligence. Now, I put it to you that possibly they are not running buddies. These two guys.
Or I put it to you, I put it to you that maybe one or both of these—
I put it to you.
There's a lot of conjecture here, right?
Yes, yes.
And as we've just said, maybe Major General Kirillov Budanov is actually not Major General Kirillov Budanov, but a fake Strava username. It could be in someone else's name.
To mix everything else.
To mix everything else.
Yeah, that'd be an interesting thing to do actually, wouldn't it?
If you wanted Russian assassins to go after the wrong people, you could hack other people's Strava accounts and use the names of senior Ukrainian military intelligence.
If you wanted Russian assassins to go after the wrong people, you could hack other people's Strava accounts and use the names of senior Ukrainian military intelligence.
Graham, I never knew what a military strategist you were.
Or maybe just tie a Fitbit to a dog and have it run round the clock.
Yeah, that would not be— he spent a lot of time in this hall. He spent a lot of time here.
Anyway, Ukraine say these reports have no basis.
Budanov himself says, "I don't know what they're talking about," although he has previously admitted that Ukraine has successfully targeted prominent Russian propagandists who've been killed or wounded on Russian territory.
But once again, guys and gals, if you are using Strava, be really careful. Either don't use your real name.
Budanov himself says, "I don't know what they're talking about," although he has previously admitted that Ukraine has successfully targeted prominent Russian propagandists who've been killed or wounded on Russian territory.
But once again, guys and gals, if you are using Strava, be really careful. Either don't use your real name.
It's a pretty extreme case.
Well, it is.
Yeah, I know. But it sounds a bit like we're scaring the poop out of everybody that has Strava.
So I would say if you use Strava, maybe check your settings to make sure you're not broadcasting more than you want to be, right?
And know that these things change their settings with all, you know, the times you have to update your Strava.
A lot of the times they're changing settings and they may default them to something that they think is easiest for you or most likely to be wanted by most, but it might be leaking more data than you wish it were.
Is that fair?
So I would say if you use Strava, maybe check your settings to make sure you're not broadcasting more than you want to be, right?
And know that these things change their settings with all, you know, the times you have to update your Strava.
A lot of the times they're changing settings and they may default them to something that they think is easiest for you or most likely to be wanted by most, but it might be leaking more data than you wish it were.
Is that fair?
Yes, and you certainly can also sort of slightly anonymise your start and end points on your run to hide where your home might be, things you can do like that.
But I think also be very careful about who you friend on the app. Don't automatically accept friend requests because then you might be revealing details of your life.
But I think also be very careful about who you friend on the app. Don't automatically accept friend requests because then you might be revealing details of your life.
But do you think Stanislav and Budanov, they did that?
Well, I don't know what the security was on Stanislav's account, but I would to think that he had some measures in place. But yeah, maybe they weren't actually running buddies.
But yeah, so Strava security appears to have resulted in someone's death. Am I saying too much saying that?
But yeah, so Strava security appears to have resulted in someone's death. Am I saying too much saying that?
Well—
Yes.
I think this is a completely inappropriate story for us at Smashing Security. A little bit too serious, but thank you very much. Told very well, I hope.
Oh, thank you very much. Fingers crossed. Carole, what have you got for us this week?
Well, we are gonna talk about Martin Lewis.
I'm not talking about an irritating chap I worked with yonks ago, but the very popular journo— I think I can say, unless you've spent significant time in the UK, I doubt you would know him, but in the UK he's pretty well known.
I'm not talking about an irritating chap I worked with yonks ago, but the very popular journo— I think I can say, unless you've spent significant time in the UK, I doubt you would know him, but in the UK he's pretty well known.
Yeah, he's the money-saving expert guy, isn't he?
That's right, that's right.
He's often on TV and I have recently seen him. He's actually been sort of anchoring TV shows as well.
You know, he's taken the place of Piers Morgan on Good Morning Britain or whatever it's called. He sometimes does sort of general news now, such is his celebrity.
You know, he's taken the place of Piers Morgan on Good Morning Britain or whatever it's called. He sometimes does sort of general news now, such is his celebrity.
Yeah, he's quite interesting. I did a little mild research on Wikipedia on him, right?
And it says Lewis created and ran the website Money Saving Expert back in February 2003 when he launched it. And apparently he created the site for just £100.
Nine years later, sold the website to moneysupermarket.com for $87 million, but remained editor-in-chief.
The deal saw Lewis receive $35 million in cash upfront, in addition to some $20 million in shares in the moneysupermarket.com and $27 million in future payments.
But he simultaneously announced his intention to give $10 million to charity and $1 million would go to Citizens Advice.
And it says Lewis created and ran the website Money Saving Expert back in February 2003 when he launched it. And apparently he created the site for just £100.
Nine years later, sold the website to moneysupermarket.com for $87 million, but remained editor-in-chief.
The deal saw Lewis receive $35 million in cash upfront, in addition to some $20 million in shares in the moneysupermarket.com and $27 million in future payments.
But he simultaneously announced his intention to give $10 million to charity and $1 million would go to Citizens Advice.
He seems like a good guy. He seems like a champion for people who are hard up.
He often is out there having a go at the government or lobbying for things to improve and helping people get money off their energy bills. And yeah, he seems like a decent chap.
He often is out there having a go at the government or lobbying for things to improve and helping people get money off their energy bills. And yeah, he seems like a decent chap.
Yeah, maybe he should be on a stamp or something because, you know, he's trusted. People like him. He seems to be doing the right things. He always seems above board and trustworthy.
You're not allowed to put live people on a stamp.
Is that true? You only put dead people? Why? Because if you put a live person, they do something crappy.
The only live people allowed on stamps are the Queen or the King, you know, or it's like the Regent. Otherwise, yeah.
Because otherwise, if you put a live person on, they might do something naughty later.
Because otherwise, if you put a live person on, they might do something naughty later.
Exactly. Yeah, exactly.
And you don't want to be licking the backside of—
You do give all kinds of royal awards to people that are still alive, like CBEs and all these kind of things.
That's an interesting idea. Maybe we should only do posthumous awards.
Exactly. That way, just make sure we get the whole story before we decide, here you go.
Right. Don't reward them in their lifetime for what they've done. Just say, you'll be rewarded once you're dead.
Just a little bit more here on Martin Lewis that's worth mentioning here for this story is in 2018, Lewis started legal action against Facebook for defamation over fake adverts using his face and name.
Yes.
Mostly promoting things like bitcoin and investment, investing.
Yeah.
And he actually ended up later dropping the action after Facebook agreed to fund an anti-scam project.
That's right. I think because Martin Lewis is someone in the UK that people trust, they use him in some bitcoin scams and his image and things.
Whereas the rest of the world gets Elon Musk as someone you don't trust.
Whereas the rest of the world gets Elon Musk as someone you don't trust.
Very interesting you bring him up. Oh, okay. Yes. Right? Okay. Because this whole legal action was in 2018. That's five years ago.
And what do you know, the scammers never let up using his credibility to dupe, mostly on social media ads.
And now they're at it once again, but this time they upped their game and deepfaked a video featuring a deepfake of Martin Lewis.
And what do you know, the scammers never let up using his credibility to dupe, mostly on social media ads.
And now they're at it once again, but this time they upped their game and deepfaked a video featuring a deepfake of Martin Lewis.
They didn't do the Mission: Impossible thing of just wearing a mask and pretending to be Martin Lewis. They've actually deepfaked him.
I guess because there's lots of video and audio of him in existence.
I guess because there's lots of video and audio of him in existence.
Exactly. So go take a look, Graham. Take a look. I've just put it in the show notes.
Oh, okay. Let's have a look. Elon Musk presented his new project, in which he has already invested more than $3 billion.
Musk's new project opens up great investment opportunities for British citizens. No project has ever given such opportunities to residents of the UK. It's pretty good, isn't it?
It is actually. At first, I thought this seems a little bit stilted. It looks a little bit like he's on a Zoom call or something.
Musk's new project opens up great investment opportunities for British citizens. No project has ever given such opportunities to residents of the UK. It's pretty good, isn't it?
It is actually. At first, I thought this seems a little bit stilted. It looks a little bit like he's on a Zoom call or something.
Lots of people do Zoom calls.
You can believe he's just doing this down his webcam. And it does sound like him, and it looks like him. It's the sort of way he may well speak. It's wow.
Exactly. And isn't it funny that you brought up Elon Musk?
Because this fake likeness of Lewis is encouraging people to sign up for what is claimed to be an Elon Musk-backed project, calling it legit and a great investment.
Because this fake likeness of Lewis is encouraging people to sign up for what is claimed to be an Elon Musk-backed project, calling it legit and a great investment.
Yeah.
And if you were looking at this on your phone as you're scrolling through social media and you see this guy you trusted, right? And you weren't as familiar about these scams.
This is scandalous.
It's scandalous. Now, of course, this is not the first time that synthetic media has been used. That's another word for deepfakes.
Synthetic media has been used both to entertain and to bamboozle.
But it's interesting to hear from those whose identities have been nabbed by miscreants because Martin Lewis did not take this sitting down.
Synthetic media has been used both to entertain and to bamboozle.
But it's interesting to hear from those whose identities have been nabbed by miscreants because Martin Lewis did not take this sitting down.
My face and name have been the subject of scam adverts for the last 6 or 7 years. I get countless reports every day.
Now they have video and audio technology that is absolutely replicating my face and my voice. These people are trying to pervert and destroy my reputation.
In order to steal people off, steal money off vulnerable people.
And frankly, it is disgraceful, and people are going to lose money, and people's mental health is going to be affected.
Now they have video and audio technology that is absolutely replicating my face and my voice. These people are trying to pervert and destroy my reputation.
In order to steal people off, steal money off vulnerable people.
And frankly, it is disgraceful, and people are going to lose money, and people's mental health is going to be affected.
And he says, I have had friends of mine get in touch with me saying, hey, I've just put some money into that investment scheme you're advertising. Oh, come on, advertise, he says.
Come on, have they really? Friends of his, he says, have actually got the money.
I thought that too, but then I thought, you know what, he's such a nice guy, he probably has people who he's helped with in the past, right, who are in his email list, you know, all these people with different skills, perhaps not techies.
Yeah, yeah, yeah. Okay, okay, all right.
He's not alone, of course. There's even stars. Now, I'd be interested in seeing if you think this is a star being taken advantage of or not.
So months ago, ITVX put out a show called Deepfake Neighbor Wars. Have you heard of this?
So months ago, ITVX put out a show called Deepfake Neighbor Wars. Have you heard of this?
I think I've seen a bit this.
Yes. Okay, good, good, good, because I didn't know about this until research. So it features the celebrities, or deepfake celebrities, as roommates. Okay.
And it spoofs the long-running New Zealand TV format Neighbours at War, and that's still going strong.
And it spoofs the long-running New Zealand TV format Neighbours at War, and that's still going strong.
Oh, it's totally a joke. Yes.
Because it sort of puts them in sort of suburban settings and things and has them say that the main thing about that show is it's really astonishingly non-amusing.
It's like they've got all the tech, but they haven't got any jokes. But so it's clever deepfakery, but it's just, oh, this is so dull.
Because it sort of puts them in sort of suburban settings and things and has them say that the main thing about that show is it's really astonishingly non-amusing.
It's like they've got all the tech, but they haven't got any jokes. But so it's clever deepfakery, but it's just, oh, this is so dull.
And right now in the UK, we have a bit of a little media storm about a BBC presenter that may or may not have gotten up to shenanigans. And there's a whole war going on.
But I shared with you a potentially deepfake image that kind of suggested who the BBC presenter might have been in a compromising position.
But I shared with you a potentially deepfake image that kind of suggested who the BBC presenter might have been in a compromising position.
Oh, yes. Oh, thank you. Yes. Thank you for sending that to me, Carole, by the way. You know, not that I'd asked for it. But actually sending me that image.
What was my question? I sent it to you to say, is this, do you think this is a deepfake? Because I was asked by somebody.
Right.
So I think absolutely it was. And I sent it to you thinking, what do you think? And really, you know, neither of us are sure.
What were you expecting me to do? I couldn't take a fingerprint of it, maybe a bum print. There was a picture of a man with his trousers around his ankles.
I wasn't sure how you expected me to identify whether it was well known.
I wasn't sure how you expected me to identify whether it was well known.
The person's face was in it as well, Graham.
Just did the beloved BBC news anchor.
But I'm just saying these things make the rounds and go to convince certain people one way or another as to what to believe. And it's pretty fricking scary.
Well, it is. This is the whole problem, isn't it, with deepfakes, is that so much fake stuff can be made.
And also when something genuinely dodgy does happen, that people will begin, I think this has already begun to happen.
I've heard reports of when politicians have been in a spot of bother in other countries and they've said, well, that must have been deepfaked.
And also when something genuinely dodgy does happen, that people will begin, I think this has already begun to happen.
I've heard reports of when politicians have been in a spot of bother in other countries and they've said, well, that must have been deepfaked.
Totally. There's even one of Boris Johnson. Yeah. And but, you know, it's even bigger than this.
Ars Technica says we all need to be careful because in large hacks, right, which maybe your details are somewhere in a third party, an insurer's or a cloud service.
And baddies get in and get away with a glut of personal information like your driver's license, social insurance, health, pension information.
Ars Technica says we all need to be careful because in large hacks, right, which maybe your details are somewhere in a third party, an insurer's or a cloud service.
And baddies get in and get away with a glut of personal information like your driver's license, social insurance, health, pension information.
Yes.
This was the case when Progress Corp got hacked. The Massachusetts-based maker of business software revealed that its file transfer system had been compromised.
Right. Yeah.
And the article goes on that the California Public Employees Retirement System, the— is it Clop or C-L-O-P hackers?
Clop, yes. Clop, yes.
Yeah. Clop, yeah. Clop made off with the personal data of about almost 1 million retired members and their survivors.
The data of recently deceased Americans is particularly valuable on the underground markets because you open a credit card in a dead man's or dead woman's name, take out the loans, redirect Social Security payments, sign up for food benefits.
Who's going to ring the alarm?
The data of recently deceased Americans is particularly valuable on the underground markets because you open a credit card in a dead man's or dead woman's name, take out the loans, redirect Social Security payments, sign up for food benefits.
Who's going to ring the alarm?
Yeah, good point. Yeah, you can't be protected from the scammers even after you're dead.
No, and of course the problem is, is many state and federal agencies use information stolen in hacks to verify identities of people.
So if you've got your date of birth and photographs and names and home address and Social Security numbers—
So if you've got your date of birth and photographs and names and home address and Social Security numbers—
It's horrendous, isn't it?
It is. So, you're a security boffin. You know everything. Yes, I do. Right? What would you do?
What would you do if suddenly on the social media rounds there was a deepfake Graham Cluley telling people to do incredibly stupid non-security stuff?
What would you do if suddenly on the social media rounds there was a deepfake Graham Cluley telling people to do incredibly stupid non-security stuff?
Well, like the things I spout on the podcast. Well, I don't know. I mean, what can you do?
I suppose you can tell people that if it's authorized and it's really from me, it will be on my real website, grahamcluley.com. You could do something like that, I suppose.
But even that obviously could be hacked one day.
I suppose you can tell people that if it's authorized and it's really from me, it will be on my real website, grahamcluley.com. You could do something like that, I suppose.
But even that obviously could be hacked one day.
Okay, well, what if you were on holiday, right?
I knew you were on holiday and I get a phone call from you, a deepfake you saying, "Oh my God, oh my God, help me, help me, I need help." Do I just laugh and say, "Hahaha, nice try"?
I knew you were on holiday and I get a phone call from you, a deepfake you saying, "Oh my God, oh my God, help me, help me, I need help." Do I just laugh and say, "Hahaha, nice try"?
Normally you would, yes. Would I?
That is the thing.
No, you wouldn't. You wouldn't. You wouldn't. You'd probably ask me a deeply embarrassing personal question, which only you and I knew the answer to.
And we never talked about in the podcast. You see, that's the problem. We talk about a lot of things in the podcast.
There's a couple of things we never have though, Carole.
That's true.
A couple of things which we reserve for those situations. There's not much we haven't discussed. By just a couple of little things.
Feeling like you have too many alerts, overwhelmed by vulnerabilities, and at the end of the day not deploying apps as quickly as you'd like?
Well, Sysdig delivers the industry's only complete consolidated cloud-native application protection platform, CNAPP, powered by Runtime Insights.
To prioritize critical risks and stay ahead of unknown threats.
With Runtime Insights, you can level up your cloud visibility, shift left the right way and start scanning for vulnerabilities earlier, shield right to protect your production environment, and keep dev teams innovating securely at cloud speed.
Now is the time to transform your cloud security. So visit sysdig.com/cloudsecurity sysdig.com/smashing to learn more. That's sysdig.com/smashing.
Feeling like you have too many alerts, overwhelmed by vulnerabilities, and at the end of the day not deploying apps as quickly as you'd like?
Well, Sysdig delivers the industry's only complete consolidated cloud-native application protection platform, CNAPP, powered by Runtime Insights.
To prioritize critical risks and stay ahead of unknown threats.
With Runtime Insights, you can level up your cloud visibility, shift left the right way and start scanning for vulnerabilities earlier, shield right to protect your production environment, and keep dev teams innovating securely at cloud speed.
Now is the time to transform your cloud security. So visit sysdig.com/cloudsecurity sysdig.com/smashing to learn more. That's sysdig.com/smashing.
If you work in security or IT and your company has Okta, this message is for you.
For the past few years, the majority of data breaches and hacks you read about have something in common. It's employees.
Hackers absolutely love exploiting vulnerable employee devices and credentials. But imagine a world where only secure devices can access your cloud apps.
Here, credentials are useless to hackers, and you can manage every OS, even Linux, from a single dashboard.
Best of all, you can get employees to fix their own device security issues without creating more work for IT. The good news is you don't have to imagine this world.
You can just start using Kolide. Kolide is a device trust solution for companies with Okta.
And it makes sure that if a device is not trusted or secure, it can't log into your cloud apps. Visit kolide.com/smashing to watch a demo and see how it works.
That's k-o-l-i-d-e.com/smashing.
For the past few years, the majority of data breaches and hacks you read about have something in common. It's employees.
Hackers absolutely love exploiting vulnerable employee devices and credentials. But imagine a world where only secure devices can access your cloud apps.
Here, credentials are useless to hackers, and you can manage every OS, even Linux, from a single dashboard.
Best of all, you can get employees to fix their own device security issues without creating more work for IT. The good news is you don't have to imagine this world.
You can just start using Kolide. Kolide is a device trust solution for companies with Okta.
And it makes sure that if a device is not trusted or secure, it can't log into your cloud apps. Visit kolide.com/smashing to watch a demo and see how it works.
That's k-o-l-i-d-e.com/smashing.
Any company can say they're trustworthy, but with this week's sponsor, Drata, you can prove it.
With over 14 frameworks including SOC 2, GDPR, HIPAA, and ISO 27001, Drata gets you audit-ready for crucial security standards needed to scale your business.
Automated controls, over 75 integrations, and 24-hour monitoring keeps your company in compliance without manual work.
And with a new open API and plenty of customization, you can build your program your way. With over 360 5-star reviews, Drata is the highest-rated cloud compliance platform on G2.
Countless security professionals from companies like Notion, Lemonade, and BambooHR have shared how crucial it's been to have Drata as their trusted compliance partner.
So listeners of Smashing Security, you can get 10% off Drata and waived implementation fees at smashingsecurity.com/drata. That's smashingsecurity.com/drata. And welcome back.
Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
With over 14 frameworks including SOC 2, GDPR, HIPAA, and ISO 27001, Drata gets you audit-ready for crucial security standards needed to scale your business.
Automated controls, over 75 integrations, and 24-hour monitoring keeps your company in compliance without manual work.
And with a new open API and plenty of customization, you can build your program your way. With over 360 5-star reviews, Drata is the highest-rated cloud compliance platform on G2.
Countless security professionals from companies like Notion, Lemonade, and BambooHR have shared how crucial it's been to have Drata as their trusted compliance partner.
So listeners of Smashing Security, you can get 10% off Drata and waived implementation fees at smashingsecurity.com/drata. That's smashingsecurity.com/drata. And welcome back.
Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website. Or an app, whatever they wish.
It doesn't have to be security-related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website. Or an app, whatever they wish.
It doesn't have to be security-related necessarily.
Better not be.
Well, my pick of the week this week is not security-related. I watched the other night a program on BBC iPlayer. Now, Carole, it is a documentary. You know I love documentaries.
I'm just— yeah, I know. You just mix it up a bit. Mix it up. Mix it up.
Hey, you quite often—
Okay, I'm doing a podcast as well, so you're fine.
Oh, you— right. Okay. So there you go then. So, this is a documentary called My Old School. And My Old School tells the tale of the curious case of Brandon Lee.
Have you heard of Brandon Lee?
Have you heard of Brandon Lee?
Yes, but remind me.
Well, the famous Brandon Lee is the son of Bruce Lee, who died on the set of The Crow. I think he got shot or something, didn't he?
'Kah kah, fuck, you're dead.' That was a line. That was a line from the movie.
What? Really?
I wrote a newspaper article on it in college. Yeah.
All right. I've never seen it. Is it a good movie? The Crow?
Yes, it is. I slated it at the time.
Right. This has nothing to do with that Brandon Lee. This is a different Brandon Lee.
And in 1993, so 30 years ago, a boy named Brandon Lee enrolled at the Beardsden Academy Secondary School in Glasgow.
And over time, it was revealed that Brandon Lee was not who he seemed. So this 16, 15-year-old, 16-year-old boy joined the school.
And in fact, the truth is he was actually a 30-year-old man who joined the school. No, no, it gets more bonkers than that.
And in 1993, so 30 years ago, a boy named Brandon Lee enrolled at the Beardsden Academy Secondary School in Glasgow.
And over time, it was revealed that Brandon Lee was not who he seemed. So this 16, 15-year-old, 16-year-old boy joined the school.
And in fact, the truth is he was actually a 30-year-old man who joined the school. No, no, it gets more bonkers than that.
Shut up! He was 30 pretending to be 16?
Correct.
But you know what's particularly extraordinary is that he had actually been a student at the same school years before, and he ended up having some of the same teachers teaching him who didn't—
But you know what's particularly extraordinary is that he had actually been a student at the same school years before, and he ended up having some of the same teachers teaching him who didn't—
And then no one noticed.
No one noticed. Now, some people said, you know, oh, he did look a bit older than the rest of us, and they thought it was just premature aging or something.
Once almost rumbled because he told a friend he remembered the day Elvis Presley had died, which was supposed to be in the year he was actually born.
Once almost rumbled because he told a friend he remembered the day Elvis Presley had died, which was supposed to be in the year he was actually born.
Yeah, so he wouldn't have remembered that anyway. In 1977.
No, no, exactly at that age. But also sometimes people wondered about him. And he posed as a Canadian. He claimed to be Canadian.
And of course he did.
The Scottish students said, "Well, maybe Canadian students mature more quickly than British students." And that way he seems more grown up and knows an awful lot more.
It's all that fresh air and trees and clean lakes.
But he wasn't Canadian at all. He completely fooled them. He went on to college because he passed his exams.
His high school exams.
Yeah, that's right. And he went on to go and study medicine. And the whole reason was that he had previously wanted to become a doctor, but he'd goofed up on his first time around.
And then he was too old to do the medical training. So what he decided to do was pretend to be a kid again and go through the process again. So it is an extraordinary documentary.
This chap, Brandon Lee, his real name was Brian MacKinnon. He doesn't appear in the documentary, but a lot of his fellow students at the time did, and they talk about it.
There's some cartoon imagery and things. But what they do is they have an audio interview with this guy, and they have Alan Cumming. You know the Scottish actor Alan Cumming?
He's a bit camp.
And then he was too old to do the medical training. So what he decided to do was pretend to be a kid again and go through the process again. So it is an extraordinary documentary.
This chap, Brandon Lee, his real name was Brian MacKinnon. He doesn't appear in the documentary, but a lot of his fellow students at the time did, and they talk about it.
There's some cartoon imagery and things. But what they do is they have an audio interview with this guy, and they have Alan Cumming. You know the Scottish actor Alan Cumming?
He's a bit camp.
Yeah, yeah, yeah.
Anyway, he is miming to Brandon Lee/Brian MacKinnon's words, so he plays the part. But other than that, it's just a regular kind of documentary.
Do you see pictures of him at 30?
Well, yes, you do, because he was actually even caught on video because they actually recruited him to play the lead in South Pacific in the musical.
So they have video of him singing, and also rather creepily, he kisses one of his fellow schoolgirls as part of the play.
So they have video of him singing, and also rather creepily, he kisses one of his fellow schoolgirls as part of the play.
Ew! Ew!
Yeah. Yeah. And she feels a bit ooh about that now as well.
I bet she does.
Anyway, My Old School, interesting documentary about an extraordinary story, which is why it is my pick of the week.
Okay, I'll give you that one. Sounds good.
Carole, what's your pick of the week this week?
I was going to do an audio podcast, a fiction one, but since it's just the two of us, I've changed it up and grabbed something from my bag of tricks that I thought you would enjoy.
So, Graham, my pick of the week this week is a podcast, not an audio drama, but a satirical news show called Non-Censored with Rosie Holt. Have you heard of it?
So, Graham, my pick of the week this week is a podcast, not an audio drama, but a satirical news show called Non-Censored with Rosie Holt. Have you heard of it?
I've been listening to it for months. No!
Oh, brilliant. Well, I didn't know that. And isn't that lovely? So, for our listeners, Rosie Holt is an emerging UK comedian.
She kind of rose to fame on YouTube during lockdown by playing a right-wing activist and conservative reacting to lockdown parliamentary shenanigans while people were locked in their houses and not being able to go to work or to funerals or to hospitals.
And she says she got angry during this whole fiasco with Parliament having parties. And she says when she gets angry, she likes to laugh at things that make her angry.
So she used existing footage with responses from actual parliamentarians from, you know, Good Morning Britain or all these kind of shows.
But she spliced herself in as the interviewer. And you guys can see these on YouTube, link in the show notes.
She kind of rose to fame on YouTube during lockdown by playing a right-wing activist and conservative reacting to lockdown parliamentary shenanigans while people were locked in their houses and not being able to go to work or to funerals or to hospitals.
And she says she got angry during this whole fiasco with Parliament having parties. And she says when she gets angry, she likes to laugh at things that make her angry.
So she used existing footage with responses from actual parliamentarians from, you know, Good Morning Britain or all these kind of shows.
But she spliced herself in as the interviewer. And you guys can see these on YouTube, link in the show notes.
That's how I first came to know her, is I saw her on Twitter and Instagram with these little videos, which were quite funny.
But then, of course, I found out about the Non-Censored podcast, which I really enjoy.
But then, of course, I found out about the Non-Censored podcast, which I really enjoy.
Yes. So this podcast, Non-Censored with Rosie Holt, okay, she plays a right-wing conservative MP called Hillary Langley Swindon, which I love that she used the name Swindon.
So perfect. And she's ably assisted by her long-suffering producer, Martin, and provocative comedian, Ahsan Akbar.
And it's a topical podcast battling what Hillary, the protagonist here, calls the Wokies. It's scathing. It's hilarious.
And she does not shy away from the most outrageous situations and questions and jokes. It's cringy, man.
I've had to rip the headphones off my head occasionally because I'm just like, "Oh my God, I can't, I can't, I can't."
So perfect. And she's ably assisted by her long-suffering producer, Martin, and provocative comedian, Ahsan Akbar.
And it's a topical podcast battling what Hillary, the protagonist here, calls the Wokies. It's scathing. It's hilarious.
And she does not shy away from the most outrageous situations and questions and jokes. It's cringy, man.
I've had to rip the headphones off my head occasionally because I'm just like, "Oh my God, I can't, I can't, I can't."
Yeah, I like it a lot. It's very fun.
So listeners, this is Non-Censored with Rosie Holt. It's a podcast. Find it wherever you get your podcasts. But warning, this is satire. Don't get your knickers all in a twist.
She's just being funny and being quite bravely funny. And that's my pick of the week.
She's just being funny and being quite bravely funny. And that's my pick of the week.
Good one. And that just about wraps up the show for this week. You can follow us on Twitter @SmashInSecurity, no G, Twitter and Mastodon have G. And we also have a Mastodon account.
And you can look us up on the Smashing Security subreddit. Don't forget to make sure you never miss another episode.
Follow Smashing Security in your favorite podcast apps, such as Overcast, Apple Podcasts, and Spotify.
And you can look us up on the Smashing Security subreddit. Don't forget to make sure you never miss another episode.
Follow Smashing Security in your favorite podcast apps, such as Overcast, Apple Podcasts, and Spotify.
And massive shout out to this episode's sponsors, Drata, Kolide, and Sysdig. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free.
For episode show notes, sponsorship info, guest lists, and the entire back catalog, of more than 329 episodes, check out smashingsecurity.com. 329. 329. Oh my God.
What have I been doing with my life?
For episode show notes, sponsorship info, guest lists, and the entire back catalog, of more than 329 episodes, check out smashingsecurity.com. 329. 329. Oh my God.
What have I been doing with my life?
Until next time, cheerio, bye-bye.
Bye.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Episode links:
- Russian commander shot dead after posting runs on Strava running app – Kyiv Post.
- Martin Lewis felt ‘sick’ seeing deepfake scam ad on Facebook – BBC News.
- How synthetic media, or deepfakes, could soon change our worldeing deepfake scam ad on Facebook – 60 Minutes on YouTube.
- Nicki Minaj wants to delete the “whole internet” after viral AI deepfake video -Technology Inquirer.
- Fears grow of deepfake ID scams following Progress hack – Ars Technica.
- “Deep Fake Neighbour Wars”: ITV’s comedy shows how AI can transform popular culture -The Conversation.
- ”My Old School” – BBC Scotland.
- ”My Old School” trailer – YouTube.
- MP doesn’t know whether she attended Downing St Party – YouTube.
- ”Non-Censored” with Rosie Holt podcast – Audioboom.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
- Sysdig – Is your cloud secure? Not without runtime insights! Sysdig delivers the industry’s ONLY complete, consolidated Cloud-Native Application Protection Platform (CNAPP) – powered by runtime insights – to prioritize critical risks and stay ahead of unknown threats. Learn how runtime insights reduces fatigue so developers can focus on delivering software and your security teams can focus on other demands.
- Drata – With over 14 frameworks including SOC2, GDPR, HIPAA, and ISO 27001, Drata gets you audit-ready for crucial security standards needed to scale your business. As a listener to Smashing Security you can save 10% off Drata and have implementation fees waived.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
