Deepfakes are being used for good (perhaps), common usernames could pose a security threat, and someone has paid a $500,000 fee… just to send $1,865.
Oh, and our guest mentions Mr Blobby (to the horror of the show’s hosts…)
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire’s Dave Bittner.
Warning: This podcast may contain nuts, adult themes, and rude language.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
And you think, well, hang on, even though we're booking online, and surely this is more cost-effective for you than having a real person take my order over in person on the telephone, I'm gonna have to pay several pounds more per ticket to go and see some god-awful superhero movie.
Graham, you realize that we're on the show right now. This is not just a conversation of you calling me up and having a whinge.
You know that. Smashing Security, Episode 339: Bitcoin Boo-Boo, Deepfakes for Good, and Time to Say Goodbye to Usernames with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, Episode 339. My name's Graham Cluley.
Hello, hello, and welcome to Smashing Security, Episode 339. My name's Graham Cluley.
And I'm Carole Theriault.
And I'm delighted to say that we are joined today in the hot seat by someone whose reputation stands before him.
What does that mean?
Someone whose long, long career in the world of security podcasting knows no equal. It is, of course, the CyberWire's Dave Bittner. Hello, Dave.
Well, I don't know how to follow up an introduction that, so I'll just say thank you for having me.
It's a pleasure to have you, Dave.
It's nice to be back.
Because we had a quiet summer. It was just Graham and Kroll Show during August, wasn't it?
It was.
Drove the listeners mad. When are they going to get a guest back on?
But before we kick off this show, let's thank this week's wonderful sponsors: Kolide, Moonlock by MacPaw, and Gigamon. It's their support that helps us give you this show for free.
Now, coming up on today's show, Graham, what do you got?
Now, coming up on today's show, Graham, what do you got?
I'm going to be talking about paying unnecessary additional fees.
Okay. And what about you, Dave?
I'm going to say you'll catch more flies with honeypots than vinegar.
And I'm going to examine whether deepfakes can be good. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, I don't know about you, Dave. I don't know about you, Kroll, but I hate paying a little bit extra. I like a good deal.
I shoving it to the man and thinking that I have got a way ahead.
I shoving it to the man and thinking that I have got a way ahead.
Okay.
Agreed? Sure.
Yeah.
You're thrifty.
Because—
Well, cheap. There's two words here, Graham, right? There's frugal and there's cheap, right?
I just don't wanna pay any additional expense.
Right, you don't wanna give anyone anything extra, just the exact requirement.
Let me tell you what happened to me.
So how do you tip people?
Let's not get into that.
I know how you tip people.
Very generously, very generously. Let me give you an example. The other day I picked up someone from the airport, right? I went to Gatwick Airport. Oh my God, what a drive.
Anyway, you eventually get to Gatwick Airport. Now, all I want to do is just pick them up, right? They're there. So, I think, where do I go?
And I haven't been to Gatwick Airport in a car for a while. And so, I think, well, I can just go to the drop-off place and pick them up there.
I'll just tell them, come, arrive there. And I get there, and they're there, and they jump in the car, and off we drive. You think that's the end of it.
Two months later, I get the bill come through, which says that I have to pay £100.
Because I went into this particular zone where apparently you can't drive unless you've pre-booked in advance or you pay within 24 hours or something like that. I didn't see a sign.
And because I lease my car, the original bill went to my car agent and then they forwarded it on to me.
But that arrives at my desk more than 14 days after the time limit, which means I don't get the cheapo fee of just £30. I have to pay the full £100. Right? I was a bit annoyed.
Anyway, you eventually get to Gatwick Airport. Now, all I want to do is just pick them up, right? They're there. So, I think, where do I go?
And I haven't been to Gatwick Airport in a car for a while. And so, I think, well, I can just go to the drop-off place and pick them up there.
I'll just tell them, come, arrive there. And I get there, and they're there, and they jump in the car, and off we drive. You think that's the end of it.
Two months later, I get the bill come through, which says that I have to pay £100.
Because I went into this particular zone where apparently you can't drive unless you've pre-booked in advance or you pay within 24 hours or something like that. I didn't see a sign.
And because I lease my car, the original bill went to my car agent and then they forwarded it on to me.
But that arrives at my desk more than 14 days after the time limit, which means I don't get the cheapo fee of just £30. I have to pay the full £100. Right? I was a bit annoyed.
Right?
Would you feel a bit annoyed? £100 picking up someone from the airport? I would feel a bit annoyed.
You see, I'd be thinking, if I haven't got in the right place, they're probably going to charge me.
Maybe it wasn't very clearly signed.
Yes.
Okay.
Maybe it wasn't very—
You have small eyes. We've established that before.
I'm sure it was their fault.
Yeah, it was definitely their fault.
Another example. Another example. I decided— I've moved house recently. I decided that the current washing machine is rubbish. And so I need a new washing machine.
So I go on the review sites, I found a shortlist of good washing machines. I found what I wanted. And then I tried to find the best price for it online.
Oh, hello, I found one with £50 less than other people are selling for. Great, I think I'll buy it from them. So I went through the process of buying it online.
And it turns out the price I'm paying isn't actually what I imagined it was going to be.
Because it turns out that what I'd quite like is for them to take away and recycle my old washing machine as well, right?
So while I'm going through the checkout process, oh, that's an extra 20 quid. Fair enough, I think. That's an extra service that they're offering.
And then they say, well, would you like the washing machine delivered to a particular room? Yes, I would. I'd like it delivered to the kitchen. No, I don't want it in the bedroom.
So yeah, that'll be an extra 20 quid.
So I go on the review sites, I found a shortlist of good washing machines. I found what I wanted. And then I tried to find the best price for it online.
Oh, hello, I found one with £50 less than other people are selling for. Great, I think I'll buy it from them. So I went through the process of buying it online.
And it turns out the price I'm paying isn't actually what I imagined it was going to be.
Because it turns out that what I'd quite like is for them to take away and recycle my old washing machine as well, right?
So while I'm going through the checkout process, oh, that's an extra 20 quid. Fair enough, I think. That's an extra service that they're offering.
And then they say, well, would you like the washing machine delivered to a particular room? Yes, I would. I'd like it delivered to the kitchen. No, I don't want it in the bedroom.
So yeah, that'll be an extra 20 quid.
Oh, they were offering to take it upstairs, were they? And you had to redirect them.
Would I like it unpacked? It says. Yes, I would like it unpacked. And silly old me, despite requesting all of these things, when I was going through the checkout—
You didn't see that it added money to your end number?
No, I did. I thought, okay, begrudgingly, I will tick those boxes.
Begrudgingly is the word.
Well, and one of the things which I forgot, which didn't appear to me when I was checking out, but only when they called me up afterwards to find out, well, why are you changing your washing machine?
What was wrong with the past washing machine? All these questions, none of their business. Right?
They said, "So, you know, you want your washing machine delivered?" "Well, yes, I want my washing machine delivered.
I'm not going to travel to the Outer Hebrides to pick it up." Oh, you didn't want to give them your address though? No, I gave them my address when I was booked and everything else.
Turned out I hadn't ticked the box for delivery. So that's an extra £30. Not for quick delivery, that's just for any kind of delivery.
What was wrong with the past washing machine? All these questions, none of their business. Right?
They said, "So, you know, you want your washing machine delivered?" "Well, yes, I want my washing machine delivered.
I'm not going to travel to the Outer Hebrides to pick it up." Oh, you didn't want to give them your address though? No, I gave them my address when I was booked and everything else.
Turned out I hadn't ticked the box for delivery. So that's an extra £30. Not for quick delivery, that's just for any kind of delivery.
Oh, so that—
So now I'm getting close to the price than the other people were going to charge me who weren't going to add all these on at the end.
And so I thought, I've now got it all sorted, right? I've got the new washing machine unpacked. It's been— the old one can be removed and recycled.
And yes, I've even dared to ask for it to actually be delivered to my place of residence.
But what I've forgotten to do is say to them, oh, would you also mind uninstalling the old washing machine and plumbing in the new one?
Because it's an integrated washing machine, right? Extra cost of that, £130. And so I've got the hump now, right?
And so I thought, I've now got it all sorted, right? I've got the new washing machine unpacked. It's been— the old one can be removed and recycled.
And yes, I've even dared to ask for it to actually be delivered to my place of residence.
But what I've forgotten to do is say to them, oh, would you also mind uninstalling the old washing machine and plumbing in the new one?
Because it's an integrated washing machine, right? Extra cost of that, £130. And so I've got the hump now, right?
Did you meet up with any other adult in this process? Because all you do is get yourself in a big tizzy thinking everyone's ripping you off and you just sound like a whiner.
And we've been going for 8 minutes so far.
And we've been going for 8 minutes so far.
I got the hump. I canceled my order, right? And so I ended up going online to go to my usual retailer.
And I actually ended up buying a much more expensive washing machine than I'd originally planned. But I felt vindicated that I'd got everything I wanted.
And what about when you get an air ticket for a budget airline, you find out there's additional booking fees, or if—
And I actually ended up buying a much more expensive washing machine than I'd originally planned. But I felt vindicated that I'd got everything I wanted.
And what about when you get an air ticket for a budget airline, you find out there's additional booking fees, or if—
Yeah, if you've been living under a rock for the last decade and haven't encountered these.
This is what I'm fed up with. Or that you want to take luggage which is larger than a bum bag with you.
Don't go on a budget airline then.
Well, yes, exactly. But you've been lured in, haven't you? Been lured in by the low cost.
You didn't realize that if you wanted to use the lavatory, or you want oxygen on this plane at 30,000 feet, that's going to cost you extra as well.
So, all the time, or booking theater tickets, okay?
And you think, well, hang on, even though we're booking online, and surely this is more cost-effective for you than having a real person take my order over in person on the telephone.
I'm going to have to pay several pounds more per ticket to go and see some god-awful superhero movie.
You didn't realize that if you wanted to use the lavatory, or you want oxygen on this plane at 30,000 feet, that's going to cost you extra as well.
So, all the time, or booking theater tickets, okay?
And you think, well, hang on, even though we're booking online, and surely this is more cost-effective for you than having a real person take my order over in person on the telephone.
I'm going to have to pay several pounds more per ticket to go and see some god-awful superhero movie.
Graham, you realize that we're on the show right now. This is not just a conversation of you calling me up and having a whinge. You know that.
Forgive me. Do you— forgive my across-the-pond ignorance here, but do you all have Ticketmaster in your neck of the woods?
Yes.
Exactly. Ticketmaster, they're the worst, aren't they? Yes. Finally, Dave, you agree with me.
They're the poster child for this sort of thing.
Yes.
So their grasp has extended globally.
Awful. They're awful. So sometimes, though, additional fees have a purpose. For instance, and we're coming back to the security angle of this podcast here.
Thank God.
Bitcoin fees. So when the Bitcoin blockchain was all dreamed up, part of the plan was to include transaction fees.
So these weren't just designed to fill someone's pockets with lots of bitcoin, but rather to deter people from flooding the network with transactions and spam and also incentivize miners to validate transactions and add it to the next block of the blockchain.
So this is part of the process. You put a little bit of Bitcoin there along with it. So Bitcoin transactions require a small fee, which is paid to the miners that confirm them.
And if you are in a rush to get your Bitcoin transaction processed, you might pay a higher fee. So imagine you want it to be processed in 20 minutes rather than an hour and a half.
So these weren't just designed to fill someone's pockets with lots of bitcoin, but rather to deter people from flooding the network with transactions and spam and also incentivize miners to validate transactions and add it to the next block of the blockchain.
So this is part of the process. You put a little bit of Bitcoin there along with it. So Bitcoin transactions require a small fee, which is paid to the miners that confirm them.
And if you are in a rush to get your Bitcoin transaction processed, you might pay a higher fee. So imagine you want it to be processed in 20 minutes rather than an hour and a half.
Because I need that money right now.
Right. Some people do. But generally speaking, not always, the higher the transaction value, the higher the transaction fee.
It's a percentage, I'm guessing.
Yeah. Many cryptocurrency exchanges, they won't allow you to choose how much you pay, because you can choose how much you pay.
Instead, they will have a predetermined fee, and that's how they make their millions and millions, is scraping off the top and then using the rest to make payments.
Instead, they will have a predetermined fee, and that's how they make their millions and millions, is scraping off the top and then using the rest to make payments.
Well, we've seen it with banks for millennia, so, well, maybe not millennia, but you know, banks have been doing it for a long time.
The thing is this, if you are a more experienced cryptocurrency dealer, it's quite possible that you choose what you want to pay rather than using a cryptocurrency exchange.
And that brings me to today's story because someone has just paid a fee to transfer $1,865 worth of bitcoin. So $1,865 worth of bitcoin.
And that brings me to today's story because someone has just paid a fee to transfer $1,865 worth of bitcoin. So $1,865 worth of bitcoin.
Okay.
What kind of fee do you think they paid?
Hmm.
What would seem plausible to transfer that sort of amount of money? $10, maybe?
Sure.
Well, yeah.
A couple— 1%, something like that. Yeah.
Right. What about $500,000?
Seems excessive.
I'm guessing you choose not to do it at that time.
Well, this particular person, they chose what their fee was. They chose to pay $500,000 to transfer $1,865 worth of Bitcoin. So they paid 19.82 Bitcoin to transfer 0.074 Bitcoin.
In other words, they spent 270 times more than the transaction value to pay the fee.
In other words, they spent 270 times more than the transaction value to pay the fee.
Why?
Well, yeah, I'm guessing we're going to find out about the scam now.
Well, Ticketmaster aren't involved. That's your initial thought, is they must be somehow involved in this.
Right.
So it does seem a little excessive. So how on earth did this happen?
Well, on Twitter, a bitcoiner called Jameson Lopp, which I think is a really cool name, it sounds a bit like Mobius strip.
Well, on Twitter, a bitcoiner called Jameson Lopp, which I think is a really cool name, it sounds a bit like Mobius strip.
Right. Or a street on the Apple campus.
He speculates that some buggy software might be to blame, either in the payment process or the cryptocurrency exchange. Or maybe someone put a decimal point in the wrong place.
How do you do that?
I'm not sure.
You have a heart attack and fall on your keyboard on the zero. You know, your nose tip.
Maybe.
Yeah.
Or maybe they mixed up the fields. Maybe they were planning to transfer $500,000 and pay an $18.65 fee, and they put the wrong numbers in the wrong fields.
Well, then no problem.
Yeah, I guess the exchange could give it back to you, say, "That's a ridiculous transfer fee." They've made the commitment by then.
And the fee has been lodged.
And it ain't regulated, as we've discussed many times.
So this is something of a mystery.
What we do know is it isn't a newbie, because this particular cryptocurrency wallet, although we don't know who they are, they've made over 120,000 other transactions in the past.
Nothing quite as bad as this. So it looks automated. It looks like this is something which is done as a process. So it doesn't seem like it's simple finger fumbling which has gone on.
But clearly someone has somewhere written some software which doesn't do a sanity check about the amount of the fee being paid being so much larger than the amount they want to transfer.
What we do know is it isn't a newbie, because this particular cryptocurrency wallet, although we don't know who they are, they've made over 120,000 other transactions in the past.
Nothing quite as bad as this. So it looks automated. It looks like this is something which is done as a process. So it doesn't seem like it's simple finger fumbling which has gone on.
But clearly someone has somewhere written some software which doesn't do a sanity check about the amount of the fee being paid being so much larger than the amount they want to transfer.
I think you're missing it. I think they were actually going to be collecting the transfer fee somehow. You don't know what this person is or what their job is or—
I don't think that's how it works. So the transfer fee gets sent ultimately to other people mining on the blockchain.
Right, so it gets dispersed.
And it's split between them.
Oh, right.
Yes, it gets dispersed. So this transaction happened on September 10th, 2023 at 5:10 PM UTC. So it's 10 past 6 in the evening UK time.
The mining pool that was used to process the transaction, they're called F2Pool, and they've said that they are giving the sender 3 days.
So until Wednesday, September 13th at 5:10 PM UTC. Unfortunately, just before this podcast is released. So my attempts to warn someone is going to fail.
I'm sorry if this is bad news that you're hearing this.
The mining pool that was used to process the transaction, they're called F2Pool, and they've said that they are giving the sender 3 days.
So until Wednesday, September 13th at 5:10 PM UTC. Unfortunately, just before this podcast is released. So my attempts to warn someone is going to fail.
I'm sorry if this is bad news that you're hearing this.
Right.
And after then, it's just gonna be transferred and distributed amongst miners on F2Pool. So this is quite an expensive lesson for some people.
Maybe it's a Robin Hood moment. Maybe they're like, hey, give it to the people, give them the money.
It's a charitable act.
Yes, and some people are, Graham. Some people, right? Don't sit there trying to save $2 every time they're trying to buy something—
Wow.
It's true.
How did this come to light? Are there folks out there who are just keeping an eye on the blockchain for unusual transactions?
Exactly.
That's exactly what's going on. People with even less of a life than people who appear on security podcasts.
Less than a life than, you know, trying to fill in a washing machine form and missing the, can you do the plumbing, please?
Dave, what's your story for us this week?
My story comes from a website called GovInfo Security, and this is written by Matthew Schwartz, and it's about usernames being a potential security issue here.
Now, before we dig in here, let me, I'll ask each of you this question. What do you suppose, and we're talking about usernames and passwords, right?
The way to log into a system from about as far back as certainly I remember, right? BBS days, right? Username and password, username and password. We still use it today.
What do you suppose the most common username is? You have to guess.
Now, before we dig in here, let me, I'll ask each of you this question. What do you suppose, and we're talking about usernames and passwords, right?
The way to log into a system from about as far back as certainly I remember, right? BBS days, right? Username and password, username and password. We still use it today.
What do you suppose the most common username is? You have to guess.
Admin.
Admin, excellent guess.
It could be something like John Smith, I suppose, or a common name.
Not as good a guess.
E.g., John Smith, you know? They have the example thing.
Actually, Graham, I'm surprised that you're not acing this—
Your email address.
Oh, I know what it is.
No, no, no, no. It's username. What's username?
Oh, username. Enter username and password. Yes. Root.
Oh, good one.
Ding, ding, ding, ding, ding, ding, ding.
Ah, right.
Graham got it.
Yeah.
Root is it.
So this story centers around a gentleman named Jesse LeGroux, who is the chief information security officer at Madison College in Wisconsin, and he also helps out the folks at the SANS Institute with their Internet Storm Center.
He runs a honeypot. And over the past 16 months, he's collected over 3.7 million usernames via attacks that targeted his honeypot.
And the most popular is root, accounting for 48% of all the login attempts. Graham, why do you suppose root is so popular? Any guesses?
So this story centers around a gentleman named Jesse LeGroux, who is the chief information security officer at Madison College in Wisconsin, and he also helps out the folks at the SANS Institute with their Internet Storm Center.
He runs a honeypot. And over the past 16 months, he's collected over 3.7 million usernames via attacks that targeted his honeypot.
And the most popular is root, accounting for 48% of all the login attempts. Graham, why do you suppose root is so popular? Any guesses?
Well, because the root account is a powerful one to have.
Yeah.
If you manage to break into it.
And it's the default username in Linux.
Yeah.
For SSH. Yep, yeah. Logging in. So 48% of all login attempts used the name root. Wow. This honeypot also was logging the password attempts. Let's guess again.
What do we suppose the most common password attempts were here?
What do we suppose the most common password attempts were here?
Password 12345.
Yeah, yeah.
Root.
Root also, yes.
Yes.
Yes, root. Carole Theriault, you are correct, 123. But there is an odd thing here. The most popular password tested by attackers was 345GS5662D34. I have to look at my keyboard now.
Oh.
And nobody knows why. So there's— it's 345GS5662D34.
Is that perhaps the default password used by a particular piece of software or hardware if people don't change it?
Could be.
Could this be some sort of targeted attack against one particular device, which is his honeypots are picking up time and time again?
Right. Well, the strongest suggestion so far is that it might be the foreign equivalent of a phrase "my password" being entered into a non-English keyboard.
So in other words, if you're using, oh, I don't know, let's just choose a random part of the world, Russia.
If you're using a Cyrillic keyboard, perhaps that's the equivalent of that. Yeah, I don't know, but for whatever reason, that is the thing.
So in other words, if you're using, oh, I don't know, let's just choose a random part of the world, Russia.
If you're using a Cyrillic keyboard, perhaps that's the equivalent of that. Yeah, I don't know, but for whatever reason, that is the thing.
Listeners, get in touch if you've got any theories.
I'll give my theory. I think it might be something visual. If you drew it out, it makes probably a penis or something.
Of course.
Pair of boobs.
Of course.
Always.
What a surprise, Carole, that that's your theory.
I didn't count on you, Carole.
Oh yeah, that I would do that.
Yes, she's always going for the smutty answer, isn't she, Graham? So my question here is, should we be restricting default account names?
Does it matter that we have an easy-to-guess username if our password is strong? That's my question for the two of you. Does it matter?
Does it matter that we have an easy-to-guess username if our password is strong? That's my question for the two of you. Does it matter?
It matters. Well, from my point of view, you have two shots, right? You got to get both right.
And if one's a giveaway, 50% of the time, it's kind of, you know, you're making it way easier.
And if one's a giveaway, 50% of the time, it's kind of, you know, you're making it way easier.
No, certainly I've read best practices before with particular pieces of software I've run on servers where they've said, look, this is how you log in. This is the username.
Obviously change the password, but when you read the best practices, it says also change the administrator username. You know, why use the same administrator username?
It makes sense. And so on my website, for instance, I don't use the standard administrator username.
Obviously change the password, but when you read the best practices, it says also change the administrator username. You know, why use the same administrator username?
It makes sense. And so on my website, for instance, I don't use the standard administrator username.
But not everybody reads everything. Remember Graham, the airport story, right?
Right. But this leads me to, should these systems require that you change the default? Should you be allowed to leave the default as the default? Or not.
Yeah, I'm thinking of the other way around. Why would they have it as a default? You know, why would they even give a default?
Well, I mean, I guess you got to ship with something.
Okay.
Yeah.
Yeah.
You got to start somewhere.
I mean, the first thing that happens when you power the device up is it says, choose your login name and your password and doesn't even have a default entered in the system at all.
That's, that would be an option.
I mean, the first thing that happens when you power the device up is it says, choose your login name and your password and doesn't even have a default entered in the system at all.
That's, that would be an option.
Yeah, maybe.
But of course you also have to have something to fall back on. So if someone does a hard system reset, there should be some way to establish the system as if it were new.
And so perhaps that's part of the motivation here as well. You have something that you can use.
And so perhaps that's part of the motivation here as well. You have something that you can use.
Another thing here is so many websites, they require your username to be your email address.
And so there is the potential for privacy breaches to occur because people can see that you're a member of one particular website or a forum and they can see where else you may have accounts.
And that can, you know, there is an attraction in being able to choose your own usernames to remain a little bit more private.
And so there is the potential for privacy breaches to occur because people can see that you're a member of one particular website or a forum and they can see where else you may have accounts.
And that can, you know, there is an attraction in being able to choose your own usernames to remain a little bit more private.
Sure. Again, thinking back to the old BBS days when everybody used handles instead of their real names.
And now there are privacy services built into things like iOS.
So on modern iPhones now, it will actually say you don't have to use your actual email address if you're worried about spam or whatever else.
You know, they will give you an email address which will then forward to your real email address.
So there is some more privacy there, which I don't know how many people use that, but it seems like it could be a good idea.
So on modern iPhones now, it will actually say you don't have to use your actual email address if you're worried about spam or whatever else.
You know, they will give you an email address which will then forward to your real email address.
So there is some more privacy there, which I don't know how many people use that, but it seems like it could be a good idea.
Yeah. So in this article, they also talked to Johannes Ullrich, who's the Dean of Research at SANS, and he also founded the Internet Storm Center.
He's host of their daily podcast, also regular guest on the CyberWire podcast and personal friend of mine. Plug, plug, plug.
He's host of their daily podcast, also regular guest on the CyberWire podcast and personal friend of mine. Plug, plug, plug.
Yeah.
Johannes makes the point that this all comes down to strong passwords and multifactor authentication, that you shouldn't really worry about your username as being something secure as long as your password is secure, but then also it's backed up by some form of multifactor.
He also makes the point that nobody should be using FTP anymore.
But this article points out that Rapid7, back in 2018, they found that there were 21 million FTP servers still running out there.
And I think, you know, I think it's one of those things that if it ain't broke, don't fix it, and people don't often consider something that's been in use for a long time.
He also makes the point that nobody should be using FTP anymore.
But this article points out that Rapid7, back in 2018, they found that there were 21 million FTP servers still running out there.
And I think, you know, I think it's one of those things that if it ain't broke, don't fix it, and people don't often consider something that's been in use for a long time.
Or they forget.
They just keep on using it.
How much digital stuff have people just left online somewhere without no one, the person who was in charge got fired, left, forgot about it. No one knows about it.
It's just sitting there humming away.
It's just sitting there humming away.
Right. So I wanted to pivot though, then to passkeys.
And I was curious if either of you had any familiarity with passkeys, if you've experimented with them, if you added them with any of the accounts that you have.
I guess I should back up and say, if you even know what they are.
And I was curious if either of you had any familiarity with passkeys, if you've experimented with them, if you added them with any of the accounts that you have.
I guess I should back up and say, if you even know what they are.
So Passkeys are pretty cool, aren't they?
They're the new development on the sort of password front, trying to make it a more seamless experience to log into sites without having to scrabble around.
I must admit, I've played with it. I haven't actually set any of them up yet, so I'm not trusting them yet.
And that's partly because some of the technology which I use isn't completely compatible yet with the Passkey experience.
And I'm worried about being maybe locked out from some of my devices, from some of my accounts.
They're the new development on the sort of password front, trying to make it a more seamless experience to log into sites without having to scrabble around.
I must admit, I've played with it. I haven't actually set any of them up yet, so I'm not trusting them yet.
And that's partly because some of the technology which I use isn't completely compatible yet with the Passkey experience.
And I'm worried about being maybe locked out from some of my devices, from some of my accounts.
So I don't know if I'm familiar.
Is a Passkey something like your iPhone might say to you, I'll save that for you, I'll create it, and then you can just go in and go out and your phone manages it for you?
Or is it something different?
Is a Passkey something like your iPhone might say to you, I'll save that for you, I'll create it, and then you can just go in and go out and your phone manages it for you?
Or is it something different?
Yes. So rather than having a username and password that you would enter, it takes care of everything behind the scenes and you would just use something like Face ID to log in.
So the combination of Face ID and you being in physical possession of your phone, the key exchange happens behind the scenes. You don't even see it, but it is quite secure.
This all comes through the FIDO Alliance. So it's good stuff. The big players have all jumped on board. I think it's probably being mostly led by Apple.
It's built into iOS now, but Google and Microsoft, they're on board also. I think what's going to have to happen is the password managers are going to have to adopt it.
And I know a couple of them have, but not all of them have yet. So I think once they get on board, boy, that'll be convenient to be able to do that.
Graham, just like you, I've been Passkey curious, but I have not jumped in with both feet. And I actually found it hard to wrap my head around some of the details.
So I sought out someone to talk to, and I actually interviewed a guy named Chris Sherwood. He's from a company called Crosstalk Solutions.
If people are interested, we'll have a link to that interview in the show notes.
And then also I included a link to the Wikipedia page and the page from the FIDO Alliance on passkeys.
So I'm hoping that passkeys catch on and they become the future here because it seems to me like jettisoning this whole username password dance could ultimately be a good thing for folks.
But like you, Graham, I've just, it's hard. It's hard to trust it so far.
I know it has all of this pedigree behind it, all these good organizations, but I'm still not quite there emotionally. And I don't know, and I should be, but I think I trust it.
So the combination of Face ID and you being in physical possession of your phone, the key exchange happens behind the scenes. You don't even see it, but it is quite secure.
This all comes through the FIDO Alliance. So it's good stuff. The big players have all jumped on board. I think it's probably being mostly led by Apple.
It's built into iOS now, but Google and Microsoft, they're on board also. I think what's going to have to happen is the password managers are going to have to adopt it.
And I know a couple of them have, but not all of them have yet. So I think once they get on board, boy, that'll be convenient to be able to do that.
Graham, just like you, I've been Passkey curious, but I have not jumped in with both feet. And I actually found it hard to wrap my head around some of the details.
So I sought out someone to talk to, and I actually interviewed a guy named Chris Sherwood. He's from a company called Crosstalk Solutions.
If people are interested, we'll have a link to that interview in the show notes.
And then also I included a link to the Wikipedia page and the page from the FIDO Alliance on passkeys.
So I'm hoping that passkeys catch on and they become the future here because it seems to me like jettisoning this whole username password dance could ultimately be a good thing for folks.
But like you, Graham, I've just, it's hard. It's hard to trust it so far.
I know it has all of this pedigree behind it, all these good organizations, but I'm still not quite there emotionally. And I don't know, and I should be, but I think I trust it.
I think it hasn't been completely integrated into all of the browsers yet on all of the different platforms. And that's what makes me a little bit nervous.
LastPass, the password manager I support, appears to be making a big push in this area.
They're making a lot of noise about this, and they view this as their future, and I have confidence in them.
LastPass, the password manager I support, appears to be making a big push in this area.
They're making a lot of noise about this, and they view this as their future, and I have confidence in them.
But why wouldn't you use it though, on your phone with apps that you care less about, right? But you could just trial it out on that, on the iOS.
Yeah, you can.
Because I'm doing that, and it works for me brilliantly, because you can just delete the app and come back and it'll remember. Which is useful.
Yeah. You're more adventurous than either of us, Carole.
She is. We're just curious. She just leaps in. That's right.
She just jumps in, dives in headfirst. You go first, Carole. Tell us how it goes.
Carole, what have you got for us this week?
Deepfakes. So when I say deepfakes, when I say that word, what comes to mind? Just give me a little brainstorm. Dave, maybe you go first.
I would say images of celebrities doing things that celebrities usually don't do publicly.
That's good. Graham, anything to add?
Like they deepfaked Thom Cruise to appear like he's a human being. That kind of thing.
Yeah, it's tied to all things crappy, isn't it? Do you know its origins are in the porn world? As the entire internet, I'm led to understand. Is that right, guys?
Every major technological breakthrough has started or at least been popularized— I knew that you'd know more about that than I would. Or so I've heard.
So the worst of deepfake world is deepfakes used for child sex exploitation, right? So even actually Australia is proposing a new industry code that would require big tech firms.
So the Googles, Microsofts, Microsoft Bing, DuckDuckGo to eliminate child abuse material from their search results and take steps to ensure generative AI products can't be used to generate deepfake versions of the material.
But equally crappy is sex exploitation of any person, you know, either to cyberbully or decimate someone's reputation or shame.
Or the conversation last year said that the majority of deepfakes on the internet were assaults on women, grabbing facial images without consent, inserting them into pornographic content.
A deepfake expert found that 96% of deepfakes found online were pornographic, and 100% of those were video images of women. It's crazy, right?
Plus, we have deepfakes designed to spread disinformation, misinformation, and to undermine. Apparently, this is called the liar's dividend. Did you know this term?
So the Googles, Microsofts, Microsoft Bing, DuckDuckGo to eliminate child abuse material from their search results and take steps to ensure generative AI products can't be used to generate deepfake versions of the material.
But equally crappy is sex exploitation of any person, you know, either to cyberbully or decimate someone's reputation or shame.
Or the conversation last year said that the majority of deepfakes on the internet were assaults on women, grabbing facial images without consent, inserting them into pornographic content.
A deepfake expert found that 96% of deepfakes found online were pornographic, and 100% of those were video images of women. It's crazy, right?
Plus, we have deepfakes designed to spread disinformation, misinformation, and to undermine. Apparently, this is called the liar's dividend. Did you know this term?
No.
Yeah.
So the liar dividend, the liar's dividend, is the idea that when anything can be faked, people who are lying, so claiming that something true is actually false, have the power because they benefit from the undermining of our trust in all images in this case.
So the liar dividend, the liar's dividend, is the idea that when anything can be faked, people who are lying, so claiming that something true is actually false, have the power because they benefit from the undermining of our trust in all images in this case.
Ah, exactly. It wasn't a video of me groping that woman. It must have been a deepfake.
Right, fake news. Fake news.
It's like Trump saying that he never met alone and hung out with Jeffrey Epstein ever in his life, right?
The message is ultimately you can't trust what you see, but you can trust me because I'm calling out the liars who took— who deepfaked the pictures.
The message is ultimately you can't trust what you see, but you can trust me because I'm calling out the liars who took— who deepfaked the pictures.
Who are you going to trust, me or your lying eyes?
Exactly. Exactly. But what about deepfakes for good? So as synthetic media and deepfakes take off, there's potential in various fields coming to roost.
So one of them, for example, would be healthcare.
So one of them, for example, would be healthcare.
Yes.
So an example is a Ukrainian company called Respeecher is developing deepfake voice technology for patients who are unable to speak.
So they're creating more expressive, realistic voices to replace the robotic-sounding prototypes we had during the '90s and noughties. And there's also cultural implications.
Graham, I think you went to an art show where there was some AI stuff.
I don't know if it was deepfake, but at the Dalí Museum in Florida, they have a deepfake Salvador Dalí welcoming visitors, telling them about himself and his art.
And the idea is that it gives visitors a sense of immediacy and closeness and personalization. You know, deepfake Dalí even offers you a chance to take a selfie with him.
So they're creating more expressive, realistic voices to replace the robotic-sounding prototypes we had during the '90s and noughties. And there's also cultural implications.
Graham, I think you went to an art show where there was some AI stuff.
I don't know if it was deepfake, but at the Dalí Museum in Florida, they have a deepfake Salvador Dalí welcoming visitors, telling them about himself and his art.
And the idea is that it gives visitors a sense of immediacy and closeness and personalization. You know, deepfake Dalí even offers you a chance to take a selfie with him.
Oh my goodness. You see, I find those things a little bit irritating. It's a little bit like there are adverts on the—
No, you don't find something irritating.
I do. I do. I have to admit it. There's adverts on British TV where Albert Einstein is in the bath recommending we all get a smart meter installed for our electricity.
And I think, well, that isn't Albert Einstein. How can they pretend that this is Albert Einstein in the bath telling me this? This is outrageous, I think.
And it's all been done with deepfake technology.
And I think, well, that isn't Albert Einstein. How can they pretend that this is Albert Einstein in the bath telling me this? This is outrageous, I think.
And it's all been done with deepfake technology.
Yeah, they've done that as well with Marilyn Monroe with the chocolate bar. I think it was Galaxy that gives—
Audrey Hepburn.
Oh yes, Audrey Hepburn, yeah. And this, in terms of deepfakes for good, this one's close to my heart.
So there's research engineers Kate Glasgow and Wee Wei Jiang are using deepfakes to help people with aphantasia, the inability to create mental images in your mind.
And I'm super keen on that because I recently learned of my own aphantasia. I have zero visual mental ability, zero. And apparently it's 2 to 3% of the population.
So there's research engineers Kate Glasgow and Wee Wei Jiang are using deepfakes to help people with aphantasia, the inability to create mental images in your mind.
And I'm super keen on that because I recently learned of my own aphantasia. I have zero visual mental ability, zero. And apparently it's 2 to 3% of the population.
So how does that exhibit itself, Carole? What does that actually mean? You've got—
Well, I will put it— I'll put a little test in the show notes if anyone wants to have a play.
But effectively, things I'd say, close your eyes and imagine either a color or a shape or a face that you know very well. And then you build a mental image of that, I guess.
And then you would then say, oh, it's super clear super vivid. I can see all the lines, the colors. I can see movement.
Some people can see actual, you know, have movies play, you know, play a scene. I just never understood that when they said picture this in your head, that people actually—
But effectively, things I'd say, close your eyes and imagine either a color or a shape or a face that you know very well. And then you build a mental image of that, I guess.
And then you would then say, oh, it's super clear super vivid. I can see all the lines, the colors. I can see movement.
Some people can see actual, you know, have movies play, you know, play a scene. I just never understood that when they said picture this in your head, that people actually—
That's really weird because you're an artist. I mean, you— I know you have your paintings exhibited. How are you managing to do this? It's fascinating.
Well, don't worry, I'm going to get in touch with Kate and Wee Wei and say, guys, guys, guys, guys, help me out.
It'd be amazing to be able to close my eyes and see color and shapes and stuff. I just, it's nuts.
Anyway, but my big question for you two today is whether the following use of deepfake is for good, because they're definitely trying to advertise it as for good.
So synthetic avatars can be used in advertising and internal communications. So this limits the cost of producing and filming and translating videos, right? That's the idea.
And there are a smattering of companies that are popping up trying to sell this service. So basically trying to say, have a deepfake.
But because deepfakes have such a bad reputation in what they are on the internet, a lot of them are straplining their websites with deepfake for good on their homepage.
So Synthesia do this and DeepBrain AI do this.
It'd be amazing to be able to close my eyes and see color and shapes and stuff. I just, it's nuts.
Anyway, but my big question for you two today is whether the following use of deepfake is for good, because they're definitely trying to advertise it as for good.
So synthetic avatars can be used in advertising and internal communications. So this limits the cost of producing and filming and translating videos, right? That's the idea.
And there are a smattering of companies that are popping up trying to sell this service. So basically trying to say, have a deepfake.
But because deepfakes have such a bad reputation in what they are on the internet, a lot of them are straplining their websites with deepfake for good on their homepage.
So Synthesia do this and DeepBrain AI do this.
Why even use that word? I guess for SEO. I don't know.
Yeah, I guess people don't know synthetic avatars as well. You know, it's more commonplace.
So Axios recently published a story about a company which is granting access to its deepfake tech to the public.
So the idea is to provide a quicker, cheaper, easier alternative to recording everything from customized marketing to instructional videos.
And you go to the website, the company is called HeyGen, and it says, no camera, no crew, no problem. Create videos from text in minutes with AI-generated avatars and voices.
So Axios recently published a story about a company which is granting access to its deepfake tech to the public.
So the idea is to provide a quicker, cheaper, easier alternative to recording everything from customized marketing to instructional videos.
And you go to the website, the company is called HeyGen, and it says, no camera, no crew, no problem. Create videos from text in minutes with AI-generated avatars and voices.
Hmm.
Isn't this going to put actors and voice artists out of work?
Sure it is, absolutely. It's going to have a huge impact.
So the way it works is to create a personalized avatar, you would send HeyGen a 2-minute video of yourself speaking into a camera.
Your smartphone's fine, along with another video giving consent for the company to do its thing.
Then HeyGen returns a digital avatar that you can use to generate videos by typing the words you want to speak into a text box.
And there is a content filter apparently that blocks explicit or violent content.
So is it just me, or I don't know, I don't like the idea of an AI-generated something selling me or training me without me knowing that they are a generated AI?
So the way it works is to create a personalized avatar, you would send HeyGen a 2-minute video of yourself speaking into a camera.
Your smartphone's fine, along with another video giving consent for the company to do its thing.
Then HeyGen returns a digital avatar that you can use to generate videos by typing the words you want to speak into a text box.
And there is a content filter apparently that blocks explicit or violent content.
So is it just me, or I don't know, I don't like the idea of an AI-generated something selling me or training me without me knowing that they are a generated AI?
Well, this is an issue with the writers' strike right now, the actors' strike, where the studios were saying that they wanted to do 3D scans of all of the extras in movie production and then be able to use those scans forevermore.
So pay you for one day of work and then we'll use your body, your image in the background of all of our movies at our discretion.
So pay you for one day of work and then we'll use your body, your image in the background of all of our movies at our discretion.
Yeah, I can understand why people are upset by that. I was going to say a swear word there.
I'm conflicted over this because on one hand, I want to fight my curmudgeonly natural— Do you?
You?
Well, no, I'm not sure I do actually. But you know what? On the one hand, I kind of think, well, technology moves on.
We need to use technology to do clever things which aren't criminal and all the rest. At the same time, I remember when the wheel was invented and we stopped— Oh, do you?
People who used to make a living giving people piggybacks were suddenly out of business because now there were carts and wagons and things like that which could be pulled instead.
We need to use technology to do clever things which aren't criminal and all the rest. At the same time, I remember when the wheel was invented and we stopped— Oh, do you?
People who used to make a living giving people piggybacks were suddenly out of business because now there were carts and wagons and things like that which could be pulled instead.
That's an excellent analogy, Graham. I think we're all with you on that one.
And similarly, with deepfake, it's inevitable that this is coming along. So I can understand why people are striking and really upset about this. And I'm very sympathetic with that.
Yeah, it gives me a queasy feeling too, Carole.
Yeah, it gives me a queasy feeling too, Carole.
The thing I was thinking about is so the rules say, you know, no explicit, nothing violent, but that doesn't rule out misinformation, does it?
So what if your deepfake account gets hacked by an unauthorized third party? I mean, of course, I know this will never happen to any of them.
So what if your deepfake account gets hacked by an unauthorized third party? I mean, of course, I know this will never happen to any of them.
No, definitely not. Definitely not.
But humor me for a second, right? Let's imagine, Graham, you had this service on your device and I got access 'cause I came over for a cup of tea, and you never logged out.
And I put in the text box saying, "Dave Bittner is a boob. Let me tell you why." And I insert a few fat lies in there.
And then I fire that over to Dave, and it's your face, your gob, spouting out all this stuff that I put in the text box.
And, you know, Dave might find out it's a deepfake, but he'll also, I don't know if he'll trust you the same way again. I don't know if he would.
And I put in the text box saying, "Dave Bittner is a boob. Let me tell you why." And I insert a few fat lies in there.
And then I fire that over to Dave, and it's your face, your gob, spouting out all this stuff that I put in the text box.
And, you know, Dave might find out it's a deepfake, but he'll also, I don't know if he'll trust you the same way again. I don't know if he would.
No, it all sounds very plausible to me that Graham would say those things about me. So, oh, that's our Graham. There he goes.
You see, Graham, everyone wants to forgive you all the time. Even if you call them a boob. Even if you call them a boob.
In a world where technology and human life are intertwined, cybersecurity is just, well, security. Keeping your memories and conversations safe shouldn't require cyber expertise.
Technology is for everyone. Cybersecurity should be too.
So if you're concerned that your iPhone is listening to you, want to know how to defend yourself from WhatsApp scams, or keep track of the latest Atomic macOS stealers, visit smashingsecurity.com/moonlock.
At Moonlock, you'll find useful tips on how to stay safe and protect your loved ones in the technology-powered world. Moonlock by MacPaw, cybersecurity tech for humans.
So go visit smashingsecurity.com/moonlock right now, and thanks to them for supporting the show.
Technology is for everyone. Cybersecurity should be too.
So if you're concerned that your iPhone is listening to you, want to know how to defend yourself from WhatsApp scams, or keep track of the latest Atomic macOS stealers, visit smashingsecurity.com/moonlock.
At Moonlock, you'll find useful tips on how to stay safe and protect your loved ones in the technology-powered world. Moonlock by MacPaw, cybersecurity tech for humans.
So go visit smashingsecurity.com/moonlock right now, and thanks to them for supporting the show.
If you work in security or IT and your company has Okta, this message is for you.
For the past few years, the majority of data breaches and hacks you read about have something in common. It's employees.
Hackers absolutely love exploiting vulnerable employee devices and credentials. But imagine a world where only secure devices can access your cloud apps.
Here, credentials are useless to hackers, and you can manage every OS, even Linux, from a single dashboard.
Best of all, you can get employees to fix their own device security issues without creating more work for IT. The good news is you don't have to imagine this world.
You can just start using Kolide.
Kolide is a device trust solution for companies with Okta, and it makes sure that if a device is not trusted or secure, it can't log into your cloud apps.
Visit kolide.com/smashing to watch a demo and see how it works. That's k-o-l-i-d-e.com/smashing.
For the past few years, the majority of data breaches and hacks you read about have something in common. It's employees.
Hackers absolutely love exploiting vulnerable employee devices and credentials. But imagine a world where only secure devices can access your cloud apps.
Here, credentials are useless to hackers, and you can manage every OS, even Linux, from a single dashboard.
Best of all, you can get employees to fix their own device security issues without creating more work for IT. The good news is you don't have to imagine this world.
You can just start using Kolide.
Kolide is a device trust solution for companies with Okta, and it makes sure that if a device is not trusted or secure, it can't log into your cloud apps.
Visit kolide.com/smashing to watch a demo and see how it works. That's k-o-l-i-d-e.com/smashing.
Gigamon's deep observability pipeline amplifies the power of traditional security and observability tools with actionable network-derived intelligence and insight to eliminate blind spots in hybrid cloud environments, including the threats that may be hiding in encrypted traffic.
Gigamon's latest survey of over 1,000 global leaders reveals the state of hybrid cloud security and the dangers that free-flowing encrypted traffic poses to organizations.
Find out more. Download the report today at gigamon.com/smashing. That's G-I-G-A-M-O-N.com/smashing. And thanks to Gigamon for supporting the show. And welcome back.
Can you join us for our favorite part of the show? The part of the show that we like to call Pick of the Week.
Gigamon's latest survey of over 1,000 global leaders reveals the state of hybrid cloud security and the dangers that free-flowing encrypted traffic poses to organizations.
Find out more. Download the report today at gigamon.com/smashing. That's G-I-G-A-M-O-N.com/smashing. And thanks to Gigamon for supporting the show. And welcome back.
Can you join us for our favorite part of the show? The part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.
It doesn't have to be security related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.
It doesn't have to be security related necessarily.
Better not be.
Last week I had a nitpick of the week, which was all about induction hobs with knobs and why don't they have knobs. It was fascinating. I got feedback.
Thank you to the listeners who sent me photographs of their induction hobs, claiming that they loved the touch controls on them and that they didn't need knobs.
Thank you to the listeners who sent me photographs of their induction hobs, claiming that they loved the touch controls on them and that they didn't need knobs.
Because they're human and normal and know how to use them.
You are just Mr. Major Appliance lately, aren't you?
As I am. As promised. I'm going to give you feedback because I've now got myself an induction hob with a knob on it rather than touch interface, and it's great.
I would like to make my pick of the week the Cookology induction hob with knobs. It's an induction hob with knobs. What's not to like? £179. A lot cheaper than the Smeg version.
There aren't many of them out there, but I'm very happy with it. And that is why it is my pick of the week.
I would like to make my pick of the week the Cookology induction hob with knobs. It's an induction hob with knobs. What's not to like? £179. A lot cheaper than the Smeg version.
There aren't many of them out there, but I'm very happy with it. And that is why it is my pick of the week.
Can I ask a question?
You may.
What's a hob?
Oh.
It's a stovetop.
Ah, okay.
Yes. Yes. Where were you last week?
Can you put in your calendar an annual reminder that this is the day that you plugged in your hob? Presumably they brought it in and plugged it into everything.
And that's all happened?
And that's all happened?
Yes. Yeah, that's all happened.
It's all plugged in.
Good.
You managed that one okay.
Well done. Yes. Yep.
Yep. Just because of the cost and everything, just why don't you just put in, we'll just check how it's going a year from now.
All right. Okay. We can make this a regular annual feature.
An annual feature. Hob with a bucket. I do not want to hear about your hob until then, though.
Okay.
All right.
Well, once a year, Graham checks in, tells us about his hob. So is this where the phrase hobnobbing comes from?
Could be onto something, Dave. Dave, what's your pick of the week?
Well, you know, I love British humor.
I have a great appreciation for the comedy that comes from your side of the world, be it Monty Python, Fawlty Towers, even I've been known to enjoy The Benny Hill Show. Wow.
That's good. Wow.
I have a great appreciation for the comedy that comes from your side of the world, be it Monty Python, Fawlty Towers, even I've been known to enjoy The Benny Hill Show. Wow.
That's good. Wow.
I thought you were going to say something Blackadder or The Thick of It.
Sure, yeah. Oh, Mr. Bean. Fabulous, fabulous, fabulous. Good stuff.
Somehow, I don't know why, and I can only guess it's because of my appreciation for British humor, that YouTube decided that it was time for me to learn all about this thing that I did not know existed, and I wonder how my life was satisfactory without knowing it, and that is Mr.
Blobby.
Somehow, I don't know why, and I can only guess it's because of my appreciation for British humor, that YouTube decided that it was time for me to learn all about this thing that I did not know existed, and I wonder how my life was satisfactory without knowing it, and that is Mr.
Blobby.
Oh my goodness. So how are we going to explain Mr. Blobby to people who don't live in the United Kingdom? I'm not sure.
Well, he's a ripoff of Barbapapa.
Oh, he doesn't look that.
That doesn't help. That doesn't help as an explanation.
It's a man in a sort of polyurethane costume who's bumbling around. He's pink. He looks like a—
Well, it's a kind of flesh-tone pink with yellow polka dots.
Yes.
And it's one of those sort of inflatable outfits.
It looks there's a fan. It looks you could punch him and he would just rock back and put the forward, one of those—
You don't see his face, so you don't know who's inside the Mr. Blobby costume, but you know it's Mr. Blobby because he's crashing into everything and causing mayhem and destruction.
That's right. He is an agent of chaos.
And he was popular about 30 years ago, maybe 35 years ago on British TV.
Oh, is that right? Well, it takes a while for things to come over here. And he only says the word blobby. That's all he says. But he stumbles around and destroys things.
And what I've gathered is part of the fun of Mr. Blobby is that he shows up when you least expect him on the TV shows where you would least expect him.
Is that an accurate description, Graham?
And what I've gathered is part of the fun of Mr. Blobby is that he shows up when you least expect him on the TV shows where you would least expect him.
Is that an accurate description, Graham?
That has happened. He used to be a fixture on a show called Noel's House Party. That's where he first became famous.
There were a lot of stunts involving celebrities where the celebrities didn't know, but this was before Mr.
Blobby became extremely well known, where this Blobby character would appear and chaos would ensue and the celebrity would be thinking, what's going on?
It's a candid camera kind of thing. But then Blobby, his fame became absolutely enormous.
There were a lot of stunts involving celebrities where the celebrities didn't know, but this was before Mr.
Blobby became extremely well known, where this Blobby character would appear and chaos would ensue and the celebrity would be thinking, what's going on?
It's a candid camera kind of thing. But then Blobby, his fame became absolutely enormous.
As big as his belly.
Yeah.
All right. So for my American friends who have no idea what Mr. Blobby is, I'll include a link here for the top 10 WTF Mr. Blobby moments. Wow.
It is very odd humor. It's kind of, it almost feels very '60s in terms of its psychedelic everything.
Yeah, it's the pinnacle of British achievement, I think, right here.
Mr. Blobby.
So that is why Mr. Blobby is my pick of the week.
Do you have anything to whinge about with Mr. Blobby, Graham?
I think I'm all blobbied out, to be honest.
Finally.
One thing for maybe Dave to explore is that Mr.
Blobby, who came from a place called Crinkly Bottom, there was a theme park and maybe a couple of theme parks which involved Blobby-type antics.
Oh yeah, they're now derelict and overgrown. It was all a sort of financial disaster, but there's plenty for Dave to explore more if he's interested in Blobbyland.
Blobby, who came from a place called Crinkly Bottom, there was a theme park and maybe a couple of theme parks which involved Blobby-type antics.
Oh yeah, they're now derelict and overgrown. It was all a sort of financial disaster, but there's plenty for Dave to explore more if he's interested in Blobbyland.
Was there ever a Blobby Doctor Who crossover?
I'm sure there's been a comedy skit involving Doctor Who and Blobby. Yeah, that's almost— and he had a number one as well. He had a Christmas number one record, Mr. Blobby.
So of course he did.
So of course he did.
Yeah, there's so much.
There's a lot for you to dig into, Dave, if you're ready.
I have so much in front of me. What a world. What a life.
Just so much. Please restore some sanity. What's your pick of the week?
I will be restoring sanity with my pick of the week because it's a book, a book of fiction. Regular listeners know that I'm a fan of audiobooks. I've been plowing through them.
Apparently I— I use the word experience when it's an audiobook. I feel weird about saying read, but I've experienced 57 in the last 12 months. So it's not bad going. Yeah.
Apparently I— I use the word experience when it's an audiobook. I feel weird about saying read, but I've experienced 57 in the last 12 months. So it's not bad going. Yeah.
Wow.
I don't sleep a lot. So this one, this last one was a real gem. It's called Lessons in Chemistry by a former copywriter, Bonnie Garmus. Have either of you heard of it, read it?
No.
Oh, well, I'm surprised because there was a huge hoo-ha when the book came out. Everyone's saying, oh my God, and it got a big name TV deal really early on.
Everyone seemed to love it, and I in fact put off reading it because of the hype. You know, sometimes there's so much hype, you're just like, come on, come on.
So it was stupid of me because I've just now finally read it, and it's fabulous. Polished, funny, thought-provoking, beautifully knitted together.
So we've got a lead, which is a pioneering chemist named Elizabeth Zott, and her obvious talents mean that she should be at the top of her chem game, you know, getting huge research grants for all her cool explorations and discoveries.
She's this no-nonsense dedicated researcher, but she's a she, and this is the 1950s set in California.
And as we access her inner life and outer experiences for about a decade, the reader gains an amazing understanding in what was normal just a few generations ago for men and women and how far we've come since then.
And this isn't a men are shit and women are fab narrative. There are many characters with flaws, some unforgivably awful, on both sides of the sex divide.
But it's so, just so well done, and it's a real testament to copywriters becoming writers.
Because as a copywriter, you learn how to be tight, you learn how to get rid of the riffraff, you learn how to tell a story. And it really shows.
Everyone seemed to love it, and I in fact put off reading it because of the hype. You know, sometimes there's so much hype, you're just like, come on, come on.
So it was stupid of me because I've just now finally read it, and it's fabulous. Polished, funny, thought-provoking, beautifully knitted together.
So we've got a lead, which is a pioneering chemist named Elizabeth Zott, and her obvious talents mean that she should be at the top of her chem game, you know, getting huge research grants for all her cool explorations and discoveries.
She's this no-nonsense dedicated researcher, but she's a she, and this is the 1950s set in California.
And as we access her inner life and outer experiences for about a decade, the reader gains an amazing understanding in what was normal just a few generations ago for men and women and how far we've come since then.
And this isn't a men are shit and women are fab narrative. There are many characters with flaws, some unforgivably awful, on both sides of the sex divide.
But it's so, just so well done, and it's a real testament to copywriters becoming writers.
Because as a copywriter, you learn how to be tight, you learn how to get rid of the riffraff, you learn how to tell a story. And it really shows.
Dave, that's quite a cultural pick of the week from Carole Theriault, isn't it?
It surely is, yes. My father-in-law was a research chemist, so perhaps we'll check this out.
I was thinking, Dave, I would love for you to read it. Graham, I'd love for you to read it as well. But if nothing else, recommend it to readers in your life.
I think Dave should read it rather than watch Mr. Blobby. That's what I'm thinking.
I think it's much, much better than Mr. Blobby, though not maybe as a phenomenon, right?
Oh, I don't know. It's a lateral move at best.
Yeah. Anyway, it's a beautiful, non-confrontational, non-preachy, non-aggressive way in understanding the journey of how we've managed to get to where we are.
Lessons in Chemistry by Bonnie Garmus. It's my pick of the week.
Lessons in Chemistry by Bonnie Garmus. It's my pick of the week.
Fantastic. You came here for the Hobbes, and you end up with the chemistry. And other magic like that. This is the wonder of the Smashing Security podcast.
And that just about wraps it up for this week. Dave, I'm sure lots of our listeners would love to follow you online and find out what you're up to.
What's the best way for folks to do that?
And that just about wraps it up for this week. Dave, I'm sure lots of our listeners would love to follow you online and find out what you're up to.
What's the best way for folks to do that?
You can go to thecyberwire.com, and I am also on Mastodon.
Terrific. And you can follow us on Twitter or whatever it's called these days. Elon Musk's fun palace, if you prefer.
We are at @smashingsecurity, no G, Twitter doesn't allow us to have a G.
And you can also make sure that you never miss another episode by following Smashing Security in your favorite podcast apps, such as Overcast, Spotify, and Apple Podcasts.
We are at @smashingsecurity, no G, Twitter doesn't allow us to have a G.
And you can also make sure that you never miss another episode by following Smashing Security in your favorite podcast apps, such as Overcast, Spotify, and Apple Podcasts.
And massive thank you to this episode's sponsors, MoonLock by MacPaw, Kolide, and Gigamon.
And of course, to our wonderful Patreon community, it's thanks to them all that this show is free.
For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 338 episodes, check out smashingsecurity.com.
And of course, to our wonderful Patreon community, it's thanks to them all that this show is free.
For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 338 episodes, check out smashingsecurity.com.
Until next time, cheerio. Bye-bye.
Bye.
It doesn't make great audio.
You really need to see him for it to work.
Oh my goodness. You have opened up a can of worms here, Dave. The things you're going to— the Pandora's box you're about to uncover.
Yeah, I just the contrast between the stereotypical stiff upper lip of the Brits with Mr. Blobby coming in and just running through walls.
I don't know why it tickles me so, but it does.
I don't know why it tickles me so, but it does.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
Dave Bittner:
Episode links:
- Tweet by Jameson Lopp.
- Bitcoin user’s costly error leads to record transaction fee of $510,000 – Cryptoslate.
- Root Admin User: When Do Common Usernames Pose a Threat? – GovInfoSecurity.
- Dave’s conversation with Crosstalk’s Chris Sherwood – Hacking Humans podcast.
- Passkey authentication – Wikipedia.
- Passkeys: Accelerating the Availability of Simpler, Stronger Passwordless Sign-Ins – FIDO Alliance.
- Test your mental image ability – Aphantasia.
- How to create your own personal deepfake – Axios.
- Deepfakes are being used for good – here’s how – Connecting Research – University of Reading.
- Six things you need to know about deepfakes – BBC Radio 4.
- Mitigating Aphantasia with Generative Reality – Medium.
- Ethical Deepfake Maker – Synthesia.
- HeyGen deepfakes – HeyGen.
- Deepfakes are being used for good – here’s how – The Conversation.
- Search engines required to stamp out AI-generated images of child abuse under Australia’s new code – The Guardian.
- Induction Hob with Rotary Controls – Cookology.
- Top 10 WTF Mr Blobby Moments – YouTube.
- Lessons in Chemistry by Bonnie Garmus review – the right comic formula – The Guardian.
- “Lessons in Chemistry” – Book by Bonnie Garmus.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
- Moonlock — cybersecurity wing of MacPaw. Developers of the antimalware tech in CleanMyMac X — Moonlock Engine.
- Gigamon – Download the Gigamon Hybrid Cloud Security Survey to learn about the hidden dangers of encrypted traffic.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
