Smashing Security podcast #340: Heated seats, car privacy, and Graham’s porn video

Industry veterans, chatting about cybersecurity and online privacy.

Graham Cluley


Do you know what data your car is collecting about you? Do you think it’s right for a car manufacturer to collect a subscription to keep your bottom warm? And just why has YouPorn sent an email to Graham about his sex video?

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Host Unknown’s Andrew Agnês.

Plus don’t miss our featured interview with Gigamon’s Mark Jow.

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley

And every time I felt like I had a tropical disease or malaria, and then suddenly I realized, oh, fuck, fuck, fuck, you've turned it back on, haven't you? And I hate heated seats.

Carole Theriault

Me too, they're gross.

Andrew Agnês

But you can control— these days you can control them, you know, you can set how hot you want.

Graham Cluley

I just want it off. I just want to have it off. That's all I want.

Unknown

Smashing Security, episode 340. Heated Seats, Car Privacy, and Graham's Porn Video with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 340. My name's Graham Cluley.

Carole Theriault

And I'm Carole Theriault.

Graham Cluley

And this week on the show, Carole, we are joined by a special guest. It is Host Unknown's very own Andy Agnês. Hello, Andy.

Andrew Agnês

Hello, how's everyone doing?

Carole Theriault

Great, how are you, Andy? Thanks for coming on the show.

Andrew Agnês

I'm good, you know what, I love it. And it's just, we just go straight into it there, don't we? It's bam, one second. It was okay, so, right, not even, is everyone ready? It's just, hello and welcome.

Carole Theriault

There's not even time to get a cup of tea around here.

Andrew Agnês

I've already got one, thank you.

Graham Cluley

If you were on the Host Unknown podcast, you'd probably wander off, start making beef Wellington or something, or, you know, sorting out the drains.

Andrew Agnês

We take a much more relaxed approach to recording. We're quite flexible with time.

Carole Theriault

Well, we are not, so we should get this show on the road. But before we kick off, let's thank this week's wonderful sponsors: Collide, Data and Gigamon. It's their support that helps us give you this show for free. Now coming up in today's show, Graham, what do you got?

Graham Cluley

I'm going to be talking about my new video on YouPorn.

Carole Theriault

Oh God, what about you, Andy?

Andrew Agnês

If you tolerate this, then your chilled air will be next.

Carole Theriault

I can see why you do the job you do and not the headline guy. And cars with smart tech plus privacy equals what? Plus we have a super informative featured interview with Mark Jow, a technical evangelist at Gigamon, where he will share everything you need to know about using and securing the cloud. All this and much more coming up on this episode of Smashing Security.

Graham Cluley

Now, chums, I received something rather unusual in my inbox in the last few days.

Carole Theriault

Was it an email?

Graham Cluley

Yes, yes, an email. Yes.

Carole Theriault

Yeah.

Andrew Agnês

Okay.

Carole Theriault

So yes, not a cat or anything.

Graham Cluley

No, it wasn't a poop in a plastic container or anything like that.

Andrew Agnês

Nothing like that.

Graham Cluley

Yes, an email.

Andrew Agnês

Why did you go to poop and not glitter bomb?

Graham Cluley

Anyway, I'm going to share a screenshot of it with you, and I'll also put in a link in the show notes so other people can look at it as well. It's a very professional-looking email, and it looks like it comes from a corporation. It looks very legitimate. And the corporation it comes from is YouPorn. It's an urgent message from YouPorn. Are you familiar with YouPorn at all, Andy?

Andrew Agnês

I've heard of it. And so, this obviously got through, 'cause they're in your safe senders list, right? You've already whitelisted them.

Carole Theriault

Honestly, is YouPorn a big, big porn site, or?

Graham Cluley

It turns out it is, yes. It's a free pornographic video sharing website. It's owned by the same company that owns Pornhub.

Carole Theriault

Right.

Andrew Agnês

Porn on the internet.

Graham Cluley

Yeah, I know.

Carole Theriault

No, I know of Pornhub, but I've just never heard of YouPorn, or I don't think I have.

Graham Cluley

Yeah, it turns out there's more than just a few porn sites out there.

Andrew Agnês

Unbelievable.

Graham Cluley

So they not only own YouPorn and Pornhub, they also own a Luxembourg-based site called SpankWire, which I've never frequented, obviously. But anyway, so a number of websites that this company owns. So I received this email and I thought, well, this is unusual. Why have I received an email from YouPorn? So I thought I'd take a look. So what I'll do is I'll just take you through the email and we'll see what happens.

Carole Theriault

Okay.

Graham Cluley

Greetings, they say. Greetings. Our AI-powered tools have detected that you are featured in sexually explicit content that was uploaded to our platform.

Carole Theriault

So I know this is not what you should do, but don't you want to just reply and go prove it?

Graham Cluley

Well, you know, that was one of my thoughts. But I thought, you know, I'm racking my brain trying to remember, was I in a sex video? Could there be a sex video? Have I uploaded a sex video to YouPorn lately?

Carole Theriault

And forgot about it?

Graham Cluley

Has someone else got hold of a video of me?

Carole Theriault

God, you're having a lot of sex. Jeez.

Graham Cluley

And also, I'm impressed by YouPorn's AI tools because somehow they've identified me in this content.

Carole Theriault

Based on your backside.

Andrew Agnês

There's something very unique. You've got something very unique about you, Graham.

Graham Cluley

Is it my bottom print? You know, what is it that they've— I hate to think because—

Carole Theriault

I'm sure it's very unique.

Andrew Agnês

Yeah.

Graham Cluley

Is it going to— I mean, fingerprints. Yeah, they identify you. A retina scan. But they, you know, my eyes—

Carole Theriault

Well, they may have got fingerprint. What, do you always wear gloves?

Graham Cluley

Well, yeah, but would you pick up people's fingerprints from a sex video? I mean, it's not what they're focusing on normally, is it?

Andrew Agnês

But is it because you've got your initials on your Prince Albert? Could it have been that?

Carole Theriault

He probably has a picture of himself on his back, a bit like what's-his-name did. Who's that guy? Trump's friend. White-haired guy, went to jail for a bit.

Graham Cluley

Roger Stone.

Mark Jow

Roger Stone.

Graham Cluley

Roger Stone.

Carole Theriault

But he has a picture of Nixon on his back, not himself. But yeah, big Facebook.

Graham Cluley

Does that mean if a Roger Stone video gets uploaded to YouPorn, they try and contact the deceased ex-president?

Carole Theriault

Richard Nixon.

Graham Cluley

Thinking it's Richard Nixon in the video. Anyway, so I'm thinking, you know, what is going on here? You know, is my face even on screen in the sex video? And as Andy says, could it be another part of my body that has some unique characteristic or a barcode or serial number on it that allowed them to narrow it down to little old me. Anyway, so I'm wondering what's going on here. So I carry on reading and YouPorn say, "At our company, we take security and privacy of our users very seriously." Very good.

Carole Theriault

I think we should get that tattooed across our arms.

Graham Cluley

Very good.

Andrew Agnês

Right.

Carole Theriault

Yeah.

Graham Cluley

Now, I mean, and that's true. They do take it seriously. I mean, 10 years ago when they had a data breach which exposed over a million of their users, on YouPorn. They took that quite seriously, and I remember the press did as well. They made lots of puns about it, talking about having to clean up the mess afterwards. Anyway, but moving on, they said, and we use advanced technology to help detect and prevent the distribution of non-consensual intimate images and videos. And I'm wondering, how can they tell?

Carole Theriault

This is claiming to come from YouPorn directly.

Graham Cluley

Look at the email, Carole.

Andrew Agnês

Look at the email.

Carole Theriault

No, I didn't see the sender address. You didn't send me all the metadata.

Graham Cluley

And they got the little YouPorn logo.

Carole Theriault

Oh, I see it now. Sorry, sorry, I didn't see it. Yeah, yeah, okay, yeah.

Graham Cluley

And it's in a pretty font. It all looks very, very professional. And they say, look, you know, our tools are very powerful, but we also rely on some human oversight to ensure that everything remains safe for everybody. So what we've done, this video has been uploaded. They say it will be published on YouPorn within the next 7 days. And you've got an opportunity to review the content and, you know, and say you don't want it published, right? Which I thought was very kind of them. So they provided me with a link to check it out.

Carole Theriault

Right.

Graham Cluley

So what do you think I did?

Carole Theriault

You obviously clicked on the link right away.

Andrew Agnês

Yes. Or the expedited publish option, because you don't want to wait 7 days. You've got—

Carole Theriault

Yeah, you've got some likes to make. Yeah.

Graham Cluley

So I check out the link and the link, it turns out, is broken. The link, at least in the email I received, just says https:// and then nothing else. Right. So it doesn't go anywhere, which is really disappointing as a link. So I've got to work. I mean, I imagine it's going to be youporn.com/something. So I don't know what to do at this point because I don't have a link. To check out the video, I'm thinking, should I just start trawling through YouPorn to see if I can find videos of myself?

Carole Theriault

That's pretty shitty work if you have to do it, eh?

Andrew Agnês

Great excuse there.

Graham Cluley

Is there a cybersecurity podcast genre on YouPorn to try and narrow it down? I mean, should I be looking for certain scenarios?

Carole Theriault

It never occurred to you it could be a deepfake of you?

Graham Cluley

Well, I haven't seen anything yet. I know I'm trying to say it could be. It could be. They could have faked all manner of things, couldn't they? It does happen in videos, I've heard. So I'm sort of thinking I can't do anything. It says, if you didn't approve the upload, we kindly ask that you follow the instructions below to take immediate action. And of course, because I haven't seen the link, I'm panicking at this point. I'm thinking, oh my goodness, there's a sex video. I didn't know I was in it. Apparently, I was in this video. It's been uploaded. It's going to be released to everybody. It could be embarrassing. It could be highly impressive. I don't know. I just simply do not know at this moment.

Carole Theriault

I have a bet. I have a guess what it would be.

Andrew Agnês

You do? You do?

Graham Cluley

I think you're probably right, Carole.

Andrew Agnês

I think. I think.

Carole Theriault

I just, I don't know.

Graham Cluley

I don't know. Anyway, they give me some options and they say, look, we've got a basic removal service, an express removal service, which not only will block it from our side, but will also prevent it from being re-uploaded on our network of 20 other websites. That's only gonna cost you $199.

Andrew Agnês

See, this is the opposite of what you want there. You want it out there as much as possible there. If you're going for exposure, you want full affiliation across all the networks. I love the social engineering method though they used of giving you a broken link, thinking that maybe you'd think, oh my God, I broke the link, or I can't access it. What are people seeing?

Graham Cluley

Maybe it's my firewall. Maybe it's my company's, you know.

Carole Theriault

Try Bozos. Nice try.

Graham Cluley

Then they say, well, look, 20 websites, that's not very many. There are more than 20 pornographic websites.

Andrew Agnês

What?

Graham Cluley

They say we can prevent it from being reuploaded for a 1-year period to our vast network of over 300 partner websites using our digital fingerprinting of your content. And all that's gonna cost me is $699.

Carole Theriault

Oh, this is an annual fee as well.

Graham Cluley

They're gonna keep on paying you. Yes, that's an annual fee. Well, they're gonna have to keep on working at it, looking at these images and working out if they're me or not.

Andrew Agnês

And can they invoice Smashing Security directly, or does it have to be a personal card?

Graham Cluley

And then they say, for the Platinum Edition protection, which is gonna have digital protection by MediaWise and Safeguard, "Facial recognition data for 3 years, blah, blah, blah." Look, I'm not worried about my face here, okay? "We're going to look at your biometrics." Lord knows what part of my body they're doing biometrics on. I hate to think of that fingerprint. "That's going to cost me $1,399. And all I have to do," they say, "is pay via bitcoin," and they provide a wallet address. So, I don't know what to do. I'm not sure. The links don't work.

Carole Theriault

I think, Graham, go for Platinum. Go for Platinum.

Graham Cluley

Go for Platinum?

Carole Theriault

Yeah, just see what happens next, yeah.

Andrew Agnês

If they could possibly just make this that slightly bit better. So yeah, the whole broken link thing, you know, you can't get to address it quickly. But if they said that you had to upload a photo to prove it was you along with the payment, then they've got a bit more longevity.

Carole Theriault

Maybe a passport fixture.

Graham Cluley

Because maybe if they had a description of the plot of the video, if they ask me to reenact it to prove that I am authorized.

Carole Theriault

Maybe you could get a sketch artist to sketch the image that they see that you think is me and send that over.

Graham Cluley

So I'm not sure whether to send this to YouPorn support and ask them for some help because of the broken link. I'm not— maybe this really is from YouPorn and they're just trying to drive more traffic to their site.

Carole Theriault

Isn't there a support button at the bottom of the email there, Graham?

Graham Cluley

There are some links there. So I haven't passed it over to them yet. I'm not sure, but I've done some searching online. There are other people who apparently have received similar emails, which could be because they are legitimately in these videos or not. I'm imagining though that this is some kind of scam, but it's an interesting twist because just a couple of days before I got those emails, and I'm sure both of you will have received these ones where we say, oh dear, oh dear, haven't you been a naughty boy because we've hacked into your computer and we know that you've been going to porn websites and we've recorded you and we're going to release this to the world, blah, blah, blah, blah, blah.

Andrew Agnês

Who would care?

Carole Theriault

Who would care?

Graham Cluley

Well, I don't know. Someone might care, but maybe me. But this is an interesting twist of pretending that we're really genuinely helping you. We haven't been hacked. Someone has uploaded a video. And I imagine because young people do take video footage of themselves and older people as well, some people might be concerned. And maybe some people sometimes pay up. I don't know. Andy, have you ever starred in a sex video with a—

Andrew Agnês

Oh, I have. Many.

Mark Jow

Oh.

Andrew Agnês

Yeah.

Carole Theriault

His previous career.

Graham Cluley

Is that with Thom?

Andrew Agnês

No, I've only ever been behind the camera for Thom. But—

Graham Cluley

I think maybe we should move on. Maybe we should move on. Andy, what's your topic for us this week?

Andrew Agnês

Okay, so I'm going to talk about subscription services, you know, so there's still a link from where you're coming from, Graham. And I don't know whether I'm entering my old man era, sort of grumpy old man era.

Graham Cluley

Right.

Carole Theriault

Oh no, another one.

Andrew Agnês

Yeah, I know. And you know what? So it's with this, okay, so Graham, obviously you've just taken us through this whole email and I think the scam is quite obvious, right? With the whole bitcoin scheme. So I got an email this morning, I checked my emails this morning and I had something from PayPal. Which actually said, you know, you've just created a new PayPal account, please confirm your email, which I hadn't created a new PayPal account, but it was my email address, just not one that I use for PayPal. And then 2 hours later, I got another email from PayPal saying you've opened a PayPal account, and I have analysed it. I've checked all the links are legit PayPal links. It's genuinely from PayPal, it's genuinely my email address. And I clicked the forgot password. You know, I actually went to the website, put in that username, then I clicked the forgot password and it's got my actual phone number in there as well to receive a text on it. And so I don't know what the scam is. Okay, so that's put me in quite a bad mood all day because it's not been me that's done this.

Carole Theriault

I'm sorry, Andy. This is better than a hob with no knobs. You know, I hear you. This is a big deal.

Andrew Agnês

But yeah, so I assume it's going to be either Thom or Jab messing with me. And so, I saw this story and it just annoyed me out the bat. And so, BMW have finally given up on charging people for their heated seats.

Carole Theriault

People pay for that?

Andrew Agnês

Well, so I don't know if you remember this story. So, it actually started in 2020.

Graham Cluley

Right.

Carole Theriault

Okay.

Andrew Agnês

So, BMW introduced it into selected markets, and those selected markets were South Korea and the UK. The option for people to either pay $18 per month—

Graham Cluley

Per month?

Andrew Agnês

Yeah, per month, or a one-time fee of $406 in order to be able to heat your seat. So that is, the seats that you already have in your car, the heated seats that are already installed, but if you want them to work, you have to pay $18 a month. That's— And this happened. I know, this actually happened after they had already backed down from a prior backlash where they wanted to charge for the use of Apple CarPlay, you know, so people could sync their phones with the hands-free and stuff like that.

Graham Cluley

All right. Far be it from me to be devil's advocate, right? But isn't this rather sensible of them? Because then they just produce one kind of car hardware-wise, you know what I mean, rather than lots of different versions. So they're going to save money and maybe that's good for the environment or whatever, that they're just making one kind of thing rather than lots of other things. And then they can turn them on if you opt for them.

Carole Theriault

Yeah. And who wants a heated seat, honestly?

Graham Cluley

Yes.

Carole Theriault

Like, you have heating in the car already, right? You already have heating in the car.

Andrew Agnês

I was— I'm a big fan of the heated seats. Oh, it does. Yeah.

Graham Cluley

I once went on a long car journey with Carole Theriault from Boston. Where did we go? Montreal or something? And she would sit next to me. And every now and then, I mean, it's like 8 hours, 9 hours in the car. Every now and then she'd flip a little switch and turn on my heated seat. And every time I felt like I had a tropical disease or malaria. And then suddenly I'd realise, oh, fuck, fuck, fuck, you've turned it back on, haven't you? And I hate heated seats. I hate them.

Carole Theriault

Me too.

Andrew Agnês

They're gross. But you can control— these days you can control them. Like, you know, you can set how hot you want it. Or certainly in my car, you can.

Graham Cluley

I just want it off. I just want to have it off.

Andrew Agnês

You can have it off.

Graham Cluley

That's all I want.

Andrew Agnês

And so, yeah, each person's got their own control as well. So you don't necessarily have to have it on for everyone.

Carole Theriault

They used to go on for everybody, like Dad wants it, so everyone's sweltering in the car. God, no.

Andrew Agnês

But yeah, I mean, this is the problem. So this, you know, and that's the great thing, right? Back in the day, if you wanted something, you just like— especially optional extras in a BMW or something, you know, if you wanted the top range, you'd get an M3, you know, and everyone knew that it had all the optional extras and it was fast and all that. But now it's exactly what you just said, Graham. They're building one thing and then they're giving you this option. It's like the whole digitization model, right? Where they're just giving you that optional extra that you can pay for. But all you do is just unlocking, you know, options and software, but it costs BMW nothing to enable it, right? You've already paid, the equipment's already in there. They're not paying for the heat.

Carole Theriault

Yeah, but they had to put it in there and engineer it and beta test it and blah, blah, blah.

Graham Cluley

They had to pay for it. Who do you think?

Andrew Agnês

Of course they paid for it. And you've paid for that already.

Carole Theriault

Yeah, this is like someone coming to me going, it's just a bit of paint and a piece of paper. What's your, why are you charging?

Andrew Agnês

Oh, okay. Well, do you know what? This is like, it goes back to that whole subscription stuff. Remember like back in the day, like Adobe, you could just buy it. If you didn't use it much, you just get one copy of Photoshop and you'd use it, you know, for like 3 years. And then they went to like a monthly subscription fee. And they're saying, oh, but you get the latest version every time. It's like, well, if I use it twice a year, it's not worth it.

Graham Cluley

Let's let all the programmers go hungry, shall we? Just because they've only got one chance to make some money from their software product. I think this is, I think a monthly charge for a heated seat is quite reasonable because you probably only want it for 2 months a year.

Andrew Agnês

Okay, right, okay, let's go there.

Carole Theriault

All right, so you turn it off, I see. That's a lot of pressure though for the person who's bought it. Like, think of how many things you're actually subscribed to right now outside. Yeah. Everything. And how are you managing that really? And how many of them have, are you still paying for, but you're not actually using as a service anymore? So, I'm hoping the subscription model, I wouldn't mind if they said, okay, you want that, 500 extra quid, or whatever they want to charge for it.

Andrew Agnês

A one-off fee.

Carole Theriault

But it's the subscription model that irks me as well. So, I'm with you, Andy.

Andrew Agnês

So, Graham, if you only had the heating twice a year, would you pay for air con in the summer months?

Graham Cluley

I don't want heating, full stop. I don't want heated seat ever. Even if it's the ice age. I don't want it.

Andrew Agnês

It's horrible. Or if the radio came with Kiss FM playing, and if you wanted Magic '60s, you had to pay for a subscription to get that. Would you then pay to subscribe or would you just leave the default? I'm happy with Kiss FM.

Graham Cluley

That's a good point.

Carole Theriault

But our industry is pretty naughty with this though. A lot of the stuff in this hybrid world is subscription-based, you know?

Andrew Agnês

Yeah. But we need to get away from that.

Graham Cluley

Oh, I'm not so sure. I think sometimes it's justified if you want the continuing R&D, which admittedly maybe doesn't have to happen for heated seats. But there are things where it is required.

Andrew Agnês

We've just adopted the Ryanair model though. But you know, if you're paying for a high-end BMW, and obviously all the jokes about the indicators are optional extras as well that no one pays for. But it's just the subscription models, I get it, they're all the rage, but it's a laughably stupid idea. I don't know why they persisted for so long as well.

Graham Cluley

So, Andy, tell me, are you going to jailbreak your BMW so it gives you heated seats without paying?

Andrew Agnês

Do you know what? My wife is absolutely against BMWs, full stop. It's a given I will never be able to own one whilst I'm married with her. But some guys actually did it at Black Hat this year.

Graham Cluley

Ah!

Andrew Agnês

They hacked the Tesla, who have also locked the heated seats. And so one of the guys had his own and they hacked it to release the heating option for the heated seats.

Carole Theriault

That's good value.

Andrew Agnês

To save $300. Yeah. Which is what Tesla charge.

Carole Theriault

Fantastic.

Andrew Agnês

But can I just say, BMW USA spokesman did clarify that in the US market, heated seats and steering wheels were either a standard or factory option and not a subscription.

Graham Cluley

At the moment.

Andrew Agnês

Yeah, well, they're steering away from that.

Carole Theriault

Yeah. Just the numpties in the UK that tried to pay for it.

Andrew Agnês

Yeah.

Graham Cluley

Carole, what's your story for us this week?

Carole Theriault

Well, I was gonna open this saying, have either of you been car shopping recently? But I'm guessing, Andy, maybe you have.

Andrew Agnês

We have been looking to upgrade our car, yeah.

Carole Theriault

Well, this, my story, is in perfect timing for you. 'Cause I haven't car shopped in a long time. I have an old, old car, and it's doing just fine. And it seems cars have come a long way since I was on the market looking for one. Literally airbags were all the rage when I got my car, and it still even has a CD player, but there's no cup holder. That is the most irritating thing about my car, the lack of cup holder. I think that was an optional extra. So irritating. But you have cool stuff now. Now, Graham, I know you have some of this stuff in your car. Do you have advanced driver assist controls? So it monitors blind spots and keeps you in your lane and all that kind of stuff?

Graham Cluley

Yeah, it warns me if I'm about to cross into a lane where a car is about to hit me, and it can actually drive to some extent. So, if I'm on the motorway, I don't have to steer. I can put it sort of in cruise control and it will drive along. I have to touch the steering wheel occasionally, but—

Carole Theriault

What are you doing with your hands then?

Andrew Agnês

Well, you know, making use of his YouPorn subscription. That's it.

Graham Cluley

Yeah, so my car does do some things. It has a few beeps. It will occasionally beep.

Carole Theriault

Yeah, it's not like it's saying, "Hey, Graham, pay attention." It's going, "Errr, errr." Beep, beep, beep, beep, beep.

Andrew Agnês

Yeah. Lane departure warning. Is that what it's called?

Graham Cluley

That's one of them, yes. And if I'm about to hit a car, it will warn me with some beeps and then put the brakes on and things like that. It's all good stuff.

Carole Theriault

If you had to rent a car now without those things, would you find that a bit stressful because you've become reliant on those to help you drive?

Graham Cluley

Well, actually, I had to hire a removal van recently and take a few long trips. And that didn't have any of these gizmos and I managed to cope with it. So I do seem to be able to jump between the two different types of vehicle fairly easily.

Carole Theriault

Okay. What about a 360-degree parking camera? Do you have one of those?

Graham Cluley

I don't in my current car. I did have in a past car. And actually, there was a button, although I could never remember how to work it. There was a button where it could actually parallel park or reverse park into a gap.

Carole Theriault

Right. So it would show you on your infotainment screen, and then you'd get this bird's-eye view.

Graham Cluley

Yeah. It was something like that. It was very complicated to set up. Frankly, I only did it 2 or 3 times to show off to people. But no, it wasn't an impressive car.

Carole Theriault

But in researching this story, I even found out that there's remote control parking. So you can get out of the car at a car spot that's maybe too tight for you to get out.

Graham Cluley

If you're a bit porky.

Carole Theriault

And you can park it using this kind of display key, or I think an app on your phone.

Graham Cluley

Amazing.

Carole Theriault

It's insane. And there's also an intelligent rearview mirror. This is Nissan in collaboration with Panasonic. So the driver's rear view comes from a rear-mounted camera. So you don't have an obstructed view of all the road or the luggage, your passengers behind you.

Andrew Agnês

Yeah, yeah, yeah.

Carole Theriault

And apparently there's a big bonus because there's no glare from the sun. They can handle all that stuff. So it eliminates all that.

Andrew Agnês

But what if you get dead pixels? Dead pixels on the screen? And the whole objects in the mirror are closer than they appear. Does it replicate that?

Carole Theriault

There's even teen driver technology, which places certain restrictions on your teenager if they're not practicing safe driving protocols. So for instance, some vehicles will not allow the radio or audio system to play until all occupants have fastened their seatbelt.

Graham Cluley

What? Hang on, hang on, hang on. If you've got a really expensive car which has all these gizmos, the last thing you should be doing is handing the car keys to your teenager. Shouldn't they be having the really cheap, bashed-up car instead?

Carole Theriault

Well, it's there as you're probably paying for the heated seats, and it won't turn them on until they do certain things. They even get report cards sent to the teen driver's guardian or parent to show how well they've been adhering to driving laws.

Andrew Agnês

Oh, this is ridiculous. It's ridiculous.

Graham Cluley

Oh my God.

Carole Theriault

So all this stuff, right? This is all powered by the world of computers and code and logins and services and all that stuff. And who's making sure everything is up to scratch for the actual buyer of the vehicle? You know, the customer. I mean, sure, there's all these bells and whistles. They're sweet, but at what cost? So I was thrilled to see that the folks at Mozilla's Privacy Not Included camp, this is where a team of researchers look closely at IoT gizmos, like from watches to toys to cars, and they check out the fine print.

Graham Cluley

They've done really good stuff in the past, haven't they?

Carole Theriault

Yeah, we've covered them a few times. I'm a big fan, and they basically provide a creepiness rating based on what they find. And some are surprisingly good gizmos, and they're not creepy at all, while others beggar belief, and you can't help but wonder how selling this stuff could even be legal. So is the gizmo stealthily helping itself to personal details? That's the thing that they're probably looking at. If so, what? What are they taking from you? And also, what is the company doing with that personal details they've taken from you once they've hoovered it up?

Andrew Agnês

So can I answer that? So the first one, yes. And two, everything. And three, whatever they want.

Carole Theriault

Well, very interesting. Because a few weeks ago, a research team of three at Privacy Not Included at Mozilla Foundation, Jen Caltrider, Misha Rykov, and Zoë MacDonald looked at 25 car brands. Okay, so this is Subaru, BMW, Mercedes, Jeep, Chrysler, Ford, Dodge, all of them. They even had Tesla in there. And they spent over 600 hours researching the car brands' privacy practices. So in terms of a category of products, so if we talk things like vacuums or Hoovers in your country, or phones or whatever, I don't even know how to say this. You know what I mean by a category of product?

Graham Cluley

Yeah, yeah.

Carole Theriault

There's all kinds of different smart IoT devices. So cars is one of those categories. How do you think it was benchmarked, better or worse than the average IoT gizmo category? Do you think they were safer or more privacy aware because they're an established business and a model?

Andrew Agnês

The way you're building this up, Carole, I was gonna say, it's gotta be a no, isn't it? I'm doing a shit job. They're basically smartphones on wheels these days. It's not a car anymore. There's no joy in it. They're soulless devices.

Graham Cluley

It's a mobile computer.

Carole Theriault

They say, I'll save you time. They say all 25 car brands they researched earned our privacy not included warning label, making cars the official worst category of products for privacy that they had ever reviewed. And these guys have reviewed a lot of gizmos over the years.

Graham Cluley

Yeah.

Carole Theriault

Now, I'd say cars are complicated beasts. As you say, Andy, right? It's not like a toy for a kid. There's a lot of different functionalities in a car, and there's a lot of tech. And you have a lot of lawyers that are involved in the car business, right? So the paperwork is going to be CYA, a lot of that in the legal terms and conditions.

Andrew Agnês

The legal team's bigger than the engineering team.

Carole Theriault

Exactly, right? But think about it. Every car brand, all 25, the team looked at, they say, quote, "collects more personal data than necessary" and uses that information for a reason other than to operate your vehicle and manage the relationship with you.

Graham Cluley

You make it sound like it's about time Facebook released their own car, that they're missing a trick here. They're letting someone else do a better job than they are.

Carole Theriault

So just a few cute numbers here, a few highlights. So 21 out of 25 of the car brands they researched say that they can share your personal data with service providers, data brokers, and other businesses. 19 out of 25 say they can sell your personal data to whomever they choose. And more specific examples, they report that Subaru's privacy policy says that passengers of a car that use connected services have, quote, consented, unquote, to allow them to use and maybe even sell their personal information just by being inside the car.

Andrew Agnês

Unbelievable.

Carole Theriault

And they say that Nissan say that they can collect and share your sexual activity, health diagnoses data, and genetic information and other sensitive personal information for targeted marketing purposes in their Nissan USA privacy notice.

Graham Cluley

So this is—

Andrew Agnês

So, well, now I see why Graham got that email. So whatever he was doing in his car, hands-free, he gets— oh, it all makes sense.

Carole Theriault

It gets even worse though with Nissan. Nissan also say they can share, and even sell inferences drawn from any personal data collected to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes for targeted marketing purposes.

Graham Cluley

It is true that you could infer quite a lot from my driving.

Carole Theriault

No, but think about it. You're having a fight with your loved one, right? For example, on the phone, you pick up someone and they start an intimate story about their life that's horrible. This is all being hoovered up by your car. It's insane.

Graham Cluley

So how are they finding out about my sex life and my sexual activity? Is this condensation on the inside of the windows?

Carole Theriault

I have not been able to look at all the research because they've done quite a deep dive. They've done an overall report and then they've done little mini reports for each of the 25 cars. So I have provided links in the show notes to the main article, and literally you can just go search your car brand on the website and it's very easy to find. But I have had the pleasure of speaking with Jen Caltrider before, and what they do is do a fine search through the terms and conditions and the privacy notices. And that's how they're able to see what the company is basically giving itself allowances for. Or not.

Graham Cluley

And you're an expert on this sort of thing. I mean, not obviously having sex in cars. I imagine you do it in lay-bys instead, outside of the car. But is it the case that it's the legal team saying we need to put all of this into our privacy policy just in case we accidentally share any of this information?

Andrew Agnês

I think there's certainly an element of that, just in case. But until it gets fleshed out, like this research has done, right? You know the NCAP safety rating where there's those very dramatic videos of cars crashing into walls and the dummies flying forwards? And we learned from that that Volvo have the safest cars. And so there's this whole NCAP rating across Europe where it's we know how safe each car is. I think we need something like that for privacy. For any sort of connected devices, you need to have that score. Much like the food hygiene scores, if you go to a dodgy takeaway, if it's got a 1, it's not a good place. But, you know, we need something transparent that people can just see as they walk in the door, 1 to 5, you know, where does it sit?

Carole Theriault

100%. And actually, so Mozilla and the Privacy Not Included Foundation are saying, if you don't like this, Mozilla community is asking car companies to stop their huge data collection programs, and you can join them by adding your name to the list.

Graham Cluley

So we've got to give our information to say we're fed up with having our information taken.

Carole Theriault

Yeah, yep, that's the catch-22 of our times, Graham.

Graham Cluley

Compliance isn't fun, but neither is a data breach or losing a customer. That's why Drata automated it. With Drata, you don't have to spend hours collecting evidence, manually testing controls, managing spreadsheets and screenshots, and pestering other teams with requests. With automated evidence collection, over 85 integrations, and 24-hour monitoring, Drata automates the compliance process and keeps you audit-ready all year round. Drata supports over 16 frameworks including SOC 2, ISO 27001, GDPR, and HIPAA. And with an open API and plenty of customization, you can build your compliance program your way. With over 475 5-star reviews, Drata is the highest-rated cloud compliance platform on G2. Countless security professionals from companies like Notion, Lemonade, and BambooHR have shared how crucial it's been to have Drata as their trusted compliance partner. Listeners of Smashing Security can get 10% off Drata and waived implementation fees at smashingsecurity.com/drata. That's smashingsecurity.com/d-r-a-t-a. And thanks to Drata for supporting the show.

Carole Theriault

If you work in security or IT and your company has Okta, this message is for you. For the past few years, the majority of data breaches and hacks you read about have something in common. It's employees. Hackers absolutely love exploiting vulnerable employee devices and credentials. But imagine a world where only secure devices can access your cloud apps. Here, credentials are useless to hackers, and you can manage every OS—even Linux—from a single dashboard. Best of all, you can get employees to fix their own device security issues without creating more work for IT. The good news is you don't have to imagine this world. You can just start using Kolide. Kolide is a device trust solution for companies with Okta, and it makes sure that if a device is not trusted or secure, it can't log into your cloud apps. Visit kolide.com/smashing to watch a demo and see how it works. That's k-o-l-i-d-e.com/smashing.

Graham Cluley

Gigamon's deep observability pipeline amplifies the power of traditional security and observability tools with actionable network-derived intelligence and insight to eliminate blind spots in hybrid cloud environments, including the threats that may be hiding in encrypted traffic. Gigamon's latest survey of over 1,000 global leaders reveals the state of hybrid cloud security and the dangers that free-flowing encrypted traffic poses to organizations. Find out more, gigamon.com/smashing. That's G-I-G-A-M-O-N.com/smashing. And thanks to Gigamon for supporting the show. And welcome back. Can you join us for our favorite part of the show? The part of the show that we like to call Pick of the Week.

Carole Theriault

Pick of the Week.

Andrew Agnês

Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, book that they've read, a TV show, movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security-related necessarily.

Andrew Agnês

I've just clicked into it now. When you say they've got lots of games, is this the modern-day version of Newgrounds? You know, they used to host all those Flash games. Oh, I don't know that. No, it died when Flash did, but—

Graham Cluley

Oh. Yeah. So, it says, can you tell a Norman Bates from a Bill Gates? Can you tell a coder from a cannibal? A mathematician from a murderer?

Carole Theriault

Yes.

Graham Cluley

Who liked hacking away at corpses rather than computers. And one of the things I discovered is there's a lot of serial killers who look like programmers, and vice versa.

Carole Theriault

I'm playing it now, and I've basically failed on all of them so far. I've now got Dorothea Puente, and she's the Death House landlady. Yeah, she looks so sweet.

Andrew Agnês

I would've happily sat down for a cup of tea with her.

Carole Theriault

Very cute game.

Graham Cluley

Anyway, I think our listeners will enjoy it. Go and tell the difference, if you can, between programming language inventors and serial killers. And that is my pick of the week. Andy, what's your pick of the week?

Andrew Agnês

So my pick of the week is actually from a company called Rask AI. Although I couldn't— I wanted to work through them working today. It was advertised on TikTok a few days ago, and their website has been extremely busy ever since. What do they do? What do they do?

Andrew Agnês

So imagine a show such as yourselves, obviously very popular across the UK, across Europe, across the US, whereas I think a show more myself at Host Unknown, we're very popular in India and Japan than some of the other sort of countries that maybe you guys aren't. So maybe you wanted to expand into those markets, speaking in their native language would help. But you don't want an AI-generated voice, you actually want your voice to be translated. But how well do you speak Korean or how well do you speak Japanese or Hindi? This site will allow you to upload video in your own voice and you can either get the audio extract only, or it will actually lip-sync your mouth and translate at the same time. Oh my gosh. It's actually, you know, if you're doing videos or TikToks or any sort of social medias, it's a fantastic tool, especially for deepfaking stuff as well, right?

Graham Cluley

So this is a universal translator, the sort of thing that they predicted in Star Trek.

Andrew Agnês

It is, absolutely. Oh my gosh. I've uploaded mine. I did a little plug for Smashing Security. Oh, thank you very much. In English. So, you know, Graham can understand. And then I translated it to French. And so you can then sort of listen and say, actually, yeah, that's exactly what you said. Let's take a listen. Have you ever wondered how to protect yourself from hackers while keeping your sanity intact? Well, prepare to have your socks knocked off by the Smashing Security podcast with hosts Graham and Carole at the helm, this cyber-explosive duo will guide you through the hilarious world of cybersecurity, debunking myths, sharing heartwarming security fails, and uncovering the most bizarre tech headlines you won't believe are real.

Graham Cluley

Very complimentary. And well, now we're going to hear it in French.

Andrew Agnês

Smashing Security Podcast. Avec les animateurs Graham et Carole Theriault à la barre, ce duo cyber-explosif vous guidera dans le monde hilarant de la cybersécurité. Le monde hilarant de la cybersécurité en déboulonnant des mythes, en partageant des échecs de sécurité qui font chaud au cœur et en découvrant les titres les plus bizarres sur la technologie dont vous ne croirez pas la véracité.

Carole Theriault

Okay, not bad, not bad. Carole, is this correct French? Two great lines, tomber les chaussettes, love that. Cyber-explosif.

Andrew Agnês

It gets the message across, I guess.

Graham Cluley

And we are just hearing it now, but there's actually a video where your lips are sort of— Yeah, it looks pretty authentic. This— the world is getting so scary.

Andrew Agnês

Yeah. And this is free to you at the moment as well. So you can get 1 minute for free. You know, just register whenever you want, get multiple single minutes, or else a very affordable subscription.

Graham Cluley

Oh, oh, oh yeah. You're comfortable with subscriptions, eh?

Andrew Agnês

I have one or two coming out of an account somewhere.

Andrew Agnês

Carole, what's your pick of the week? So mine's kind of security related, maybe a little bit.

Graham Cluley

I thought you said better not be.

Carole Theriault

I know, because, well, it's all about taking down a scammer. In a dark comic drama called The Following Events Are Based on a Pack of Lies. It came out on iPlayer last week. I have hoovered it all down already. It's from the creator of Better Call Saul and Breaking Bad, so Vince Gilligan. And this is his latest oeuvre. And we follow Alice, who, while getting across her hometown of Oxford, Graham— my home city— she spies her estranged husband crossing the road. And a decade earlier he told her he's popping out for chow mein and never returned. So a shit for sure, but when he left, he also stole all her cash and her parents' retirement fund. So basically what you'd call a super shit, I guess. And, uh, he's now presenting himself as a renowned eco-disruptor. How's that for a title? And has a kind of a bit of Tony Robbins feel, you know, I'm king. And he has a new victim in his sights, a very wealthy and newly widowed auteur. So, estranged wife is going to try and give it her all to save the day. But does she manage? So, very fun, full of twists and turns. You also get to see a baddie who's a master at gaslighting, right? Because you rarely see that on telly. You often see these kind of lame gaslighters, but this guy really does it well. So, it's worth checking out. You have to admire his gaslighting. Have you seen it, Andy? I've not seen it, no. But you sound quite impressed by him.

Carole Theriault

Well, I just was "Wow, wow." So, my pick of the week is The Following Events Are Based on a Pack of Lies. You will get to see loads of real places in Oxford, which is cool, except for the courthouse, which is much, much nicer in the show than the one I was stuck in for two weeks last year.

Graham Cluley

When you were on the jury, we should stress, rather than— rather than, yes, any other reason.

Carole Theriault

When I was a jury member, yes. Oh, sorry, yes. Rather than anything else.

Graham Cluley

And where can people watch this, Carole?

Carole Theriault

You can see it currently on iPlayer, and I'm sure you can get it wherever you buy or stream stuff. Look, I know it's on BBC at the moment in the UK.

Graham Cluley

Fantastic. Well, I'm going to check it out. Now, you've been busy this week. You've been chatting to the guys at Gigamon. Yes.

Carole Theriault

So we have a really informative featured interview with Mark Jow. He's the technical evangelist at Gigamon. And we talk about encrypted cloud threats and what you can do about them. Check it out. All right, let's kick this off. So listeners, I want to welcome Mark Jow. Is that how I say your name, Mark?

Mark Jow

It is short and very easy to say, and you said it perfectly first time.

Carole Theriault

Listeners, I want to welcome Mark Jow. He's the EMEA technical evangelist at Gigamon. Thanks so much for making time to come on the show.

Mark Jow

And again, thanks for your time, Carole, and having us on the show.

Carole Theriault

First, maybe you could just tell all our listeners a little bit about Gigamon and their focus and what role you play in making that all happen.

Mark Jow

Okay, so Gigamon is an organization that's been delivering deep network insight and deep observability solutions to enterprise customers now for about 19 years. And within their EMEA organization, I speak on behalf of the company in terms of how the organization addresses business challenges for the organizations that we serve, give updates on our product, our product strategy roadmap, and also ensure that the technical teams that we have creating solutions for our customers, giving them the compelling solution that delivers the outcome that we promise when they purchase that solution. So I guess sort of 3 elements to the role.

Carole Theriault

So you're a busy guy.

Mark Jow

Mainly, yes. And certainly at this time of year, very busy, but busy in a very good way. And that's largely because of the demand for the capability that we offer.

Carole Theriault

So let's dive into that a bit because I know you guys recently issued the Gigamon Hybrid Cloud Security Survey 2023, and this Gigamon report highlights a perception versus reality gap. Can you talk to us about that?

Mark Jow

It's clear from the results that we got back and the results are pretty substantial in that we had responses from about 1,000 senior IT and security leaders. And what they're telling us is slightly paradoxical. On one hand, 94% of them tell us that they've got the required levels of visibility they need in their organization. Over half of them said that they're confident in their ability to repel attacks. But when we examine them further in terms of how confident they feel about things like encrypted data, how many of them have actually had breaches. Clearly, there are significant numbers involved there to the point where somewhere in the region of 50% of them have had breaches. The ones that have been breached, they don't even know how they were breached and how the data or the access was gained to their organization. So clearly, at one level they're confident. At another level, the realities paint a different picture.

Carole Theriault

Yeah, totally. So why are there so many breaches? Why are they happening so frequently?

Mark Jow

I think it's fair to say that if you map the trend of the growth in encrypted data, not in terms of the traditional internet data volumes, I think 95% of the data today is encrypted traffic in terms of the internet. But increasingly organizations are using encrypted and generating encrypted traffic in their internal application environments, their cloud environments within their own organizations. And I think what they're seeing is 70% of the people we spoke to are letting that information flow freely across their organization. And they're not doing that because they want to. They're doing that because they currently have to, because there are no viable solutions out there to help them look into that encrypted data in a meaningful way. And as a result, those bad actors are effectively turning encryption, which is primarily an asset there to assure security and safety of organizations and the people who bank and buy things from those organizations and give their data to those organizations. Effectively, that very security mechanism is being used against them because increasingly bad actors are hiding their attacks in that encrypted data. I think about over 90% is hidden within encrypted data. So if they're letting it flow freely and they can't see within it, then it can't be surprising that that's where the actors are going to strike. And I think when you look at the fact that 30% of them say, look, we didn't even know we'd been attacked or how, it's probably the case that that threat was hidden in encrypted data, which is why they didn't see it. And they're only finding out about the breach when they see either their data being offered for sale on the dark web or someone's trying to extort money from them, or a news story hits. So I think encrypted data for us is the key of where a lot of those risks are actually starting to increase.

Carole Theriault

Do you see any kind of categorization or trends? Initially there's a breach and that's really just steal data to sell it on. Is that what's going on?

Mark Jow

Yeah, I think it's fair to say that. I mean, there are still the ransomware attacks that we saw the last sort of 2 or 3 years. And there are the random acts of vandalism, people who just want to damage or corrupt things because they can and they get a kick from it. But I do think a lot of the encrypted attacks that we see now are perpetrated increasingly by nation-state or very experienced threat actors that have been commissioned by nation-states and others. And they're there to gain access to data within the organization, either as commercial value or strategic geopolitical value or even national security value. And so a lot of the attacks into encrypted data really are around phishing and, you know, getting access to data, getting data outside the organization, and also demonstrating to nation-states that they're vulnerable to attacks from other states. So that's a lot of what we see. Wow. Okay.

Carole Theriault

And so do you think that it's down to lack of visibility? So if all this stuff is hiding in encrypted form and you're not even aware it's there, is it that lack of visibility into these hybrid cloud infrastructures that's maybe basically a pipeline to security issues?

Mark Jow

It is. I think visibility is absolutely critical. I mean, you know, they do say what you can't see, you can't protect against. And I think a lot of organizations have become in the past content with a certain amount of visibility that they get from various different observability tools and tools that look at logs and metrics and events and things. They've got pretty good visibility in terms of what's happening north-south within their organizations and their data centers. A lot of organizations don't realize the art of the possible that organizations like Gigamon can deliver to give them that deep network-level immutable data traffic visibility, right? Both east-west and north-south across their data centers into public clouds, within public clouds, within private clouds at that network level. And I think it's that level of visibility that organizations are starting to realize they need. Interestingly enough, when we did the survey, we asked some of the questions before we explained to the respondents what we meant by deep observability. And then once we'd done that, we said, okay, if you have this capability, this deep network-level insight, immutable data that you can feed to the different tools to be better informed, would this be of value to you? And would this close these visibility gaps you're telling us about? And universally, I think the vast majority, over 90%, said absolutely it would, and that they were looking to try and implement those types of solutions. Some of them already had to some extent. But even with that deep observability today, getting access to the information in the clear in encrypted traffic, particularly in cloud environments, is very difficult, even if you've got access to that network traffic. Right. Again, that's something that we're uniquely placed now to provide a solution for, unlike many organizations, other organizations out there.

Carole Theriault

Oh, we want to hear about that. Can you tell us a little bit about how Gigamon is addressing all this, the issue of decryption and inspection of traffic?

Mark Jow

Well, certainly. And again, it's fair to say, and again, I'm extremely proud. I think the company should be proud of what it's managed to achieve here because if you look at what Gigamon has done probably over the past 7, 8, 9 years, we've had solutions in place, leading solutions that operate securely at scale and robustly to help organizations decrypt and get access to encrypted SSL traffic in the physical network for some time. We've been doing that for some time, but clearly getting access to that traffic in the clear, encrypted SSL, TLS 1.2, 1.3 traffic in cloud environments, in VMware, AWS, Azure, OpenStack, that's been a little bit of a holy grail, and that's not really been possible. There have been organizations out there using data solutions, AI, machine learning, analysis of the sort of packet profiles, but they still can't see into the payload of the packet because it's encrypted, and they sort of do trend analysis. Well, the release of our pre-cryption solution on the 12th of September really helps customers now shine a clear light on that encrypted traffic within their cloud, their private public cloud environments, and actually their containerized environments. So what that solution is able to do is it's able to capture the traffic using tight integration with the Linux operating system and using eBPF to capture the traffic before it actually goes into the encryption engine, and then be able to channel that traffic through secure tunnels to the appropriate tools and observability platforms to make use of that decrypted traffic in the clear. So organizations that are using encrypted traffic in cloud will be able to reconcile what the network packet header says about where, what that traffic might be, where it's going to, where it's coming from, and actually what that traffic is. Because quite often what's in the payload, particularly with bad actors trying to conceal their attacks by things like port spoofing, doesn't reconcile with the port information that's in the header. And you can only really be certain of that if you can get access to the payload in the clear. And that's what we do. And then on the other way out, we're able to capture the traffic in the clear after it gets decrypted on the way out. So again, it's an elegant solution and it is one that requires very little CPU and machine resource to do because effectively we're piggybacking on existing both operating system and capability and capturing the data before it goes into encryption and after it comes out. So the CPU overhead is very low and it's very easy to install and configure that solution in an existing Gigamon environment.

Carole Theriault

And on top of that, I imagine it is completely invisible to the user, right? The user of the cloud, all your clients, your employees, everyone around who's doing what they need to do.

Mark Jow

It's seamless. But also, I think a point that needs to be made is we do take data in the clear, decrypted data very, very seriously because it's very easy to do that and then have that data going off in directions that are uncontrolled and unmanaged. We're very keen to make sure that we're channeling that information in the clear either before it gets encrypted or after it gets decrypted, only using secure methods of transport to the tools that really need that data and that payload. And we can do that for pretty much any encryption standard 1.3, 1.2 TLS. We're also even able to support some of the legacy encryption platforms as well. So as you point out, it's very seamless to the user as well.

Carole Theriault

That's so cool. So it's like light on the feet for IT. So you don't need a bucketful more resources to run. It doesn't hammer the systems. The user is unaware of it, but actually the environment is much more secure through this game changer you're calling pre-cryption.

Mark Jow

It's very cool, exactly, as well. And again, Gigamon has for some time had additional capability to take traffic in the clear and mask parts of the data that might be personally sensitive information, for example. So if once you've decrypted or gained access to the traffic before it goes into encryption, if there are things like credit card numbers or email addresses or addresses in there, the company says actually we don't want to send that data to the tool in the clear for a GDPR reason, for example, they can use the capability that we call masking to effectively mask that particular part of that traffic and then send that on. So the personal data is still preserved and is kept secure from a GDPR perspective.

Carole Theriault

It sounds amazing. I know there's going to be a glut of listeners who are going to want to learn more about this. Is there anything you want to add at this stage?

Mark Jow

A lot of people over the last few years have almost given up on the fact that this capability would ever be possible to achieve. And so people assume it's not possible to do, and only when they see it happen before their very eyes — we've got a number of demonstrations that we've put in place. We're going to be recording some predefined clips for demos to share both socially in terms of the public launch activity that we've done for Pre-Cryption. But we'd certainly like people to suddenly start to lift their heads and say, actually, no longer do I have to struggle to get access to my data in the clear if it's encrypted, and no longer do I have to tolerate that I'm going to have to let 70% of it flow around my organization if I'm going to keep my systems running and just accept the risk. No longer now do they have to accept the risk, and particularly in their public and private cloud environments where arguably increasingly data and workloads are moving cloudwards at a huge pace. That's again where most of the attackers are centering their activities. And so you think cloud, encrypted, and ransomware, that's where they're focusing. And with a pre-encryption solution, it runs on cloud, it enables access to that decrypted traffic, and no longer can the bad actors hide in those environments, certainly from solutions that are using Gigamon.

Carole Theriault

Listeners, you have heard Mark, and you can see for yourselves why everything is Not As It Seems for the State of Hybrid Cloud Security in 2023. You can learn about what keeps CISOs up at night, the most common and critical cloud blind spots, and the foundational elements of Zero Trust by going to gigamon.com/smashing. That's gigamon.com/smashing. And thank you so much, Mark Jow, EMEA Technical Evangelist at Gigamon, for talking with us. You're very welcome.

Mark Jow

Thank you.

Graham Cluley

Terrific. Well, that just about wraps up the show for this week. Andy, I'm sure lots of our listeners love to follow you online or find out what you are up to. What's the best way for folks to do that?

Andrew Agnês

So if you want to contact me, you can get me on Blue Sky. I am @SirJester on Blue Sky. But if you don't have access to that yet, then you can get me on Rumble or Truth Social or any of those right-wing networks as @Thom Graham Langford is my handle on those sites, so feel free to reach out.

Graham Cluley

And you can follow us on Twitter, at least at the moment, @SmashingSecurity, no G, Twitch won't allow us to have a G, and we also have a Mastodon presence. And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Overcast.

Carole Theriault

And shout out to this week's episode sponsors, Kolide, Drata, and Gigamon, and of course to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 339 episodes, check out smashingsecurity.com.

Graham Cluley

Until next time, cheerio, bye-bye. Bye-bye.

Andrew Agnês

Bye.

Carole Theriault

I thought you were going to add your Youporn to how people get in touch with us.

Andrew Agnês

Slash G.

Graham Cluley

Please send me links to any videos where you think I might be appearing so I can try and get them taken down.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Andrew Agnês

Sponsored by:

  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
  • Gigamon – Download the Gigamon Hybrid Cloud Security Survey to learn about the hidden dangers of encrypted traffic.
  • Drata – With over 14 frameworks including SOC2, GDPR, HIPAA, and ISO 27001, Drata gets you audit-ready for crucial security standards needed to scale your business. As a listener to Smashing Security you can save 10% off Drata and have implementation fees waived.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
