
Dream girlfriends, AI love scams, and an alleged spy who is said to have made a series of blunders.
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Host Unknown’s Thom Langford.
Warning: This podcast may contain nuts, adult themes, and rude language.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Can I just underline for any incels who are listening to this and may have access to weaponry that these are the opinions of Thom Langford and not of the hosts of the Smashing Security podcast just before anyone tracks us down? Yeah, that's right, that's right. Good. Smashing Security episode 343: Four-legged Girlfriends, Love GPT, and a Military Intelligence Failure with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 343. My name's Graham Cluley. And I'm Carole Theriault.
Hello, hello, hello. Thank you very much for having me. It's always a pleasure to be on this podcast.
You know, your voice sounds remarkably good, considering you've just recovered from another bout of COVID.
Well, you know, unlike those other Muppets on the Host Unknown podcast, I'm the consummate professional. So I've been gargling with salt water and drinking honey and just trying to sound incredibly soft and velvety for your gorgeous listeners.
Your tones are mellifluous. Well done. That's excellent.
What a wonderful word. I was going to say sonorific, but there you go. Soporific. That's what it is.
You don't sound like a sonar, no.
Three pings off the starboard bow.
Before we kick off, let's thank this week's wonderful sponsors, Kolide, Devo and Moonlock by MacPaw. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
I'm going to be telling a story of military intelligence.
Okay. What about you, Thom?
I've got a story about surprisingly familiar looking four-legged girlfriends.
Okay, and my story is about, whoa, don't swipe right just yet. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, I want to take you to the streets of San Francisco, or rather the airport. At the end of last week, the authorities were lurking at San Francisco Airport. They were hiding behind the potted plants, waiting to leap out, lying in wait for the arrival of a plane from Hong Kong. And the reason why they were doing that was that on board this particular plane was one Joseph Daniel Schmidt, a 29-year-old former U.S. Army sergeant. Now, let me tell you about this chap Schmidt and what he'd been up to. Okay. A while ago, he left the US Army and he upped sticks and moved to mainland China and Hong Kong, which was an unusual thing to do probably in early 2020, I suspect, to do something like that, you know, in the midst of a...
Yeah, that's when the COVID virus had already launched. So, yeah. Was he looking for a place in Wuhan and had trouble getting in? He's going to mainline it from the source. Anyway, so he went off to China. And he's been mostly hanging out there ever since, out of reach of US law enforcement. Yeah. Yeah. I've been to China. There you go. Anyway, he wrote on his visa, I plan to travel to China every new year to learn about Chinese culture. He said, I'd like to travel to China many times over the course of the next 10 years. And he planned a couple of trips. Fair enough. Annually, I go to Croatia, right? See my butts? Yeah. Thom, I mean, you've got a very, very important CISO job, but occasionally you like to take a little break, don't you, and put your feet up at home and relax or, you know, get up to all kinds of mischief, I'm sure.
And it does explain why he's learnt Mandarin and why he's got an interest in China. You know, you get engrossed in these things, right? So it's no surprise that he flew in January 2020 to Beijing for a few days. He hung out there. Then he went on a short break to Istanbul. As you do. As you do.
The old don't think Google doesn't have a log of your searches.
Innocent things. Innocent things. Can you be extradited for treason? Is this story sponsored by DuckDuckGo by any chance? So he was looking for all kinds of information. Countries with the most negative relations with the United States was one thing he looked for. Top ten countries that hate America the most. He was looking for countries which weren't very keen on America while he was out of the country. Right. He even went on Reddit. He's probably writing a novel.
He is probably writing a novel. Probably doing research. And that's why he's doing these searches. That's right.
He was looking for a subreddit about spying.
Exactly. Where else are you going to get your information, right?
And then he created, allegedly, a Word document entitled Important Information to Share with Chinese Government. And I guess that would be information about this is how you could market your beautiful locations, your tourist traps a little bit better, that kind of helpful stuff. And why not? That's all good. And roundabout then, he also emailed his sister, Mary. And he said, hey, Mary, there's something I need to tell you. The reason I left America is because of disagreement with American policy. I don't talk about it often, but I learned some really terrible things about the American government, as if there are terrible things about the American government. Come, come. Exactly. While I was working in the army, I learned these things. I no longer feel safe living in America and I don't want to support the American government anymore. He says, I don't plan on coming back anytime except maybe once to sell my house.
This sounds so weird. That sounds bait. So I don't know. Well, OK.
He said to her, I'm going off the map for a long time, but I'll communicate occasionally. Don't worry.
He's dead. Well, I'm just trying to guess what's going on. Okay, carry on.
His internet searches apparently continued. He's visiting Reddit boards with titles what do real spies do? How are they recruited?
How do they spend their day all day? Because I'm eating corn flakes, you know. Now, I suspect real spies
don't go on Reddit and don't search in Google and create Word documents saying, here's the information I want to share with the Chinese government or how do I get recruited?
I would also imagine real spies don't defect to China in Istanbul having just come back from China.
Yeah, neither of you are spies. You don't know anything about double bluffing or triple bluffing or quadruple bluffing. I think I know the basic principles of defection, though.
Yeah, if anyone's an expert on defects, it's Thom. Yeah, absolutely. Absolutely. So many. So, you know, I mean, well, I mean, maybe the first time he arrived in Beijing, he found it difficult to get around the city. Couldn't find, you know, because what do you do? Do you knock on the door? Are they going to take you seriously? He needed to convince them he was serious. So another Word document he created, according to the U.S. authorities, discussed aspects of U.S. Army intelligence collection, dissemination training, intelligence reports, methods of conducting interrogations, human intelligence, all kinds of things, because this is what he was doing. Apparently, he was involved in the interrogation of people from the region for the U.S. authorities. And the US authorities went into his iCloud account and they found Google Maps screenshots revealing he'd been just around the corner from China's Ministry of State Security. What? So I would argue that he hasn't been very successful at hiding his tracks. It wasn't a very good idea. No, but it's all weird.
Who is this guy? Well, he's
a top secret clearance. He's creating Word documents called High Level Secrets. He's sending emails saying, if you read this, please make sure the Chinese State Security Bureau receive it, because this is really important for the Chinese people. He even created a 28-slide PowerPoint presentation. That's not that impressive. I've seen, you know... I'm not saying it's impressive, the number of slides, Carole, and we've all sat through, and I regularly do, presentations which are half an hour long with about 98 slides. So we've, so we've done, we've all done that. But this was called Use of Technology in Military Source Operations and Interrogations. So he was allegedly... because he's now been arrested, it's all going to appear in court. The U.S. authorities got all this evidence, which they claim suggested being up to no good, and that's why he got nabbed at San Francisco Airport. It's unclear if Schmidt ever managed to meet up with Chinese spy masters or not, or whether he failed, whether they couldn't take him seriously. But as we know, there was a recent president of the United States. They've found out as well, there are laws against the retention of national defence material, whether you then give them to other countries or not. There are so
many questions. Well, shoot, shoot. Graham has all the answers. He's done some deep, deep research. One,
this is either the worst stitch up or the dumbest member of military intelligence, which I know is an oxymoron in of itself anyway, this sounds like a 14-year-old's school essay about someone defecting. This is dreadful on every level. It's either a dire comment on the state of America's educational system, a dire comment on the state of American intelligence, a dire comment on some countries' abilities to stitch up a US citizen. Overall, nobody looks good in this at all.
Oh, I think they do. Oh, really? I think the Chinese look really smart. Because if you had someone who was this much of a muppet contacting them, offering to be a spy, you'd keep them at arm's length, wouldn't you? Well, true. You'd just think, no, we're not going to let you in the building. Yeah. We're not going to trust any information you give us because you're clearly highly unreliable. You're probably a complete fantasist.
You're clearly paddling at the shallow end of the gene pool. Yeah.
Yeah, it makes you wonder how many borderline nut jobs are outside embassies going,
I can help you! I know! It's also a very poor indictment of America's mental health care capabilities. Well, we all know about that. Do you really think he's been stitched up, Thom? Well, it's just so incompetent that it makes me think he is. That is a great defence, isn't it? Do you think I am that incompetent that I would make all of these mistakes, I think is a fair defence in this? In your case, Thom... Well, yeah, probably not the best defence for me.
No, no, it's a brilliant defence, I'll tell you. Yeah, absolutely. Yep. I've heard your podcast. Anyway, Thom, what have you got for us this week?
All right, so I've got a particularly weird story. Now, the other day, in fact, I think it was while we were on our podcast with you, Graham, I think it was either you or Javad called me an incel. Wow. Do you remember that? I vaguely remember. I'm pretty
sure that was Javad. It was almost certainly Javad. I would not have said that, no.
Yeah, absolutely. And, you know, for those of you who don't know what an incel is, it's effective. I don't even, it's short for something. I don't even know what it. Involuntarily celibate. That's it, that's it. And
it's all involuntarily. Oh, people who
want to have sex but opportunities never arise. Yeah. Otherwise known
as recently divorced men. But the sort of key attributes of it is that they all they effectively do is they sit behind their computer and moan about the feminism and blah blah blah blah blah. And then, you know, watch copious amounts of porn or get involved in all sorts of dubious crypto schemes or whatever. It sounds so fun. It does. It does. I mean, I put it as a hobby on my recent CV. Can I just
underline for any incels who are listening to this and may have access to weaponry that these are the opinions of Thom Langford and not of the hosts of the Smashing Security podcast. Just before anyone tracks us down. Yeah, that's right.
That's right. Now, the thing with this is there are many, many services out there that help said people. One of them being a website called DreamGF, which is an AI service that offers an artificially intelligent generated girlfriend for you. You are able to look at and chat to, presumably one-handed, whilst you're engaging in other activities.
I was wondering what country.gf was, but then you said girlfriend, and it all happened. Yeah, yeah. I think it's probably dreamgf.ai.
I've just visited the site, and it's an 18-plus site. Oh, yes. Absolutely. Yes. Oh, I see. There's lots of, well, they look young women. They look
young women. They actually are pure figments of the AI's imagination. They are artificially generated. And there's also a chat function as well. So not only when you join and hand over your hard-earned cash to these people, in inverted commas, a girlfriend is generated for you, and you are then able to chat to them. And I know, I know, right? It's, it's, it's Weird Science. Remember that old 80s film with Kelly, is it Kelly LeBrock? I think it is. It was wonderful movie. Yeah, it is a very good movie. But so, you know, all well and good. You know, everybody's got to have a hobby, and if this is your hobby, well, fine. There's a number of concerning facts going on here. So firstly, it found, or people, you know, researchers found that it was creating a disproportionate number of girlfriends based upon the images of people like Margot Robbie, Jennifer Lopez, Taylor Swift, etc. So it was gathering lots and lots of pictures of people and a lot of these girlfriends looked like these famous folks. Now, obviously, in many, many countries, the use and the gathering of images like this, so countries like UK, France and Germany, this is almost non-consensual image-based abuse. And it's a crime, you know. So what he's saying is it's gathering these images of people and generating them in sexually provocative poses, clothing, if clothing is even involved at all. So there's that. That's one concern straight away. The other concern was the chat feature as well was not the best. One guy said, I get a good chat going. The AI is set up properly. Very good start. 10 messages in or so. But then suddenly the AI decides I should just come and then end it all. Which seems a little harsh, right? Oh, you mean...
Right. Sorry, I misunderstood what you meant there. But okay. Yeah. When you say end it all, you didn't mean commit suicide or something? Well, maybe
That's what it was suggesting. Who knows? Maybe the relationship, though. Well, exactly. Well, I mean, you'd think a little bit of post-nut clarity would stop you from doing that anyway, but nonetheless. But this person's biggest complaint was, the thing is that the sex part hasn't even started yet. So it's kind of like, you know, chatting away. We didn't even get to the sexy time, and then it just told me to come. So there's apparently this Dream GF site has a team of about 20 to 25 developers in Bulgaria. They previously worked at an NFT company which kind of tells you everything you need to know right? And you know they're involved in a whole bunch of these things and their CEO is saying look we're still a new company so I think that's a challenge of any new tech we're working these things out blah blah blah. Perhaps the most disturbing part of this though and you know we've talked about this 2023 in the past being the year the inflection point of AI and chat and artificial image generation is the number of grotesqueries that are generated. And so if he link in the show notes some of the lovely ladies that are presented might at very cursory glance look you know as you'd imagine except their bodies are the wrong way around or their arms suddenly turn into feet or their legs actually split into two underneath the knee or there are no legs at all and a very odd looking tongue or it's kind of a giveaway isn't it? It's just kind of a giveaway that something's going on. It is, exactly. And you just kind of think, wow, I know this is the inflection point. I know this is all very early. It's just a little bit low quality, low rent, and yet they're still making enough money to stay in business and hire 25 developers.
So, Thom, is your issue that you've paid for a subscription of this and you're just not satisfied with the quality you're receiving?
You didn't like the four-legged supermodel that you chose?
When I asked for a hand job, I didn't expect there to be four hands I guess was probably what it was. But nonetheless, it was just... When we say explicit...
We've got the tag turned on, I think. Sorry, sponsors.
Oh dear. It's, you know... Well, I think my issue here is technology can do such wonderful things and we're just wasting our time on stuff like this. It's really, really quite simple. Like love and scams? Love and scams. Love is good. Scams are not good. I agree, Thom. And I think this skirting on the illegal side of things and the gathering of real people's images and reusing them, even if it's a mistake in coding, but the fact that it's reusing them to generate money, it's just horrible, frankly. I really, yeah, it's not nice at all. It's quite funny to look at as well, don't get me wrong, because some of them really are quite scary. Can you imagine, though, if it were your face?
Well, that's the thing.
They're not just training it on Margot Robbie and Jennifer Aniston, are they? It's everybody out there.
Why can't we use just people that have been dead for like... Diana Rigg. Diana Rigg. No, no, they're too soon. I was thinking like you'd need at least a 50-year buffer or something. Well, they'd all be black and white for a start. Like copyright. Like copyright, basically. You copyright your face and your everything until... 70 years after death. There you go.
So we could have Queen Victoria up there.
Boadicea. We, one day, we will be doing some great stuff in 70 years. I mean, it's quite a professional-looking website, isn't it?
Yeah, yeah, yeah. I mean, they've obviously put a bit of effort into it. But... Yep, that's just like a really good web developer. What does that mean? Well, it's just professionally presented. There are so many websites you go to, Carole, which are a complete mess and don't work on your mobile phone properly.
Yeah, that doesn't mean that they're scammy websites either. It just means maybe... No, no. But I'm just saying that it's... They know what they're doing. They were in the NFT world. They're going to be... They must be making some money.
They've got to be making coin. Well, I mean, let's face it. So I started, while you were talking, I tried to create my AI girlfriend via the interface. Oh, yeah. You've probably been a bronze plan for that. Yeah, true. Or a gold plan for if you don't really.
Gold plan, yeah...
Platinum for... It's so ridiculous. Like AI-generated stuff, right?
There was another comment. One user said, actually, I quite like this, the fact that they've got all these mistakes in because it proves that they are not real. They are artificially generated. Isn't there still a huge amount of objectification involved in this, which is really not healthy for anybody's psyche, let alone the person who's actively reaching into their wallet to pay for this sort of stuff? Okay, moral police. Yeah, damn straight. Someone...
Has to bring this podcast out of the gutter. Thom, we always appreciate you investigating these dark corners of the internet, the places we fear to tread, so thank you once again for doing that. Well done, Carole, what's your story for us this week?
Well, you know, I was just listening to Thom and I'm thinking, okay, so some people are obviously going down the route of maybe perhaps building their own girlfriend using images of live people like Graham just did. Yeah, yeah, right. But you guys, actually, I happen to know that you both have online dated in the past, right? And I've been with my yeti so long, you know, I never had that experience.
Isn't a yeti like a thermos mug?
Yeah, or a husband or a beautiful hairy one. But when you're sitting there, you know, you have launched a dating profile into the world and you're getting your first hit, you know, your first match with another profile, like what do you do first? Like do you look through the pics that they provide, read the bio, check the requirements match yours, politics?
Oh my God, you can very quickly sift through and say no way or did they vote for Brexit or not. Again, it's just an instant never going to happen.
I could appreciate that. I look at the photos and if I can't see their nose, then it's a no, right, because that means they've just put a really severe filter on. So no non-pictures then? You don't even... or no pictures that have been so heavily filtered that you can't make out actual features. So there's that. If there's only one picture, then I tend to say no, because chances are that's also a scammer as well.
Wow, okay. So you ever suspected that you were chatting online with a bot and not a person at all?
I don't know about a bot, but certainly scammers. I have, I've had conversations with scammers definitely. My goodness, absolutely. They follow the same kind of rule book. They get to sex very quickly and also when you meet up, you know, confirm your identity, can you just check in on this website and it asks for 25 quid to confirm your identity, you know, that sort of thing.
Okay, wow. I'm back in 2021, right here, right, because you know I've seen accounts that bots compromise about half of web traffic, and not all bots are malicious, but you know a good proportion are, yeah. And in 2021, the dating world on Tinder wanted to know whether a photo they swiped right on was legit or, you know, was it a bot. And then, you know, there were a few telltale signs, and as you said, you know, they would start talking immediately, a nanosecond after you swipe, they're on. Ah, right, yeah. And I mean, obviously Thom would think they understand I'm a, you know, I'm all that.
But maybe it was a bot, right? Well, they know in Thom's case they've got to move quickly because if they don't get in there, he'll have moved on. These goods don't stay on the shelf for long. In my case, I just look for women who've got guide dogs. That's, yeah, that's right, increases the chances immensely. And a low self-esteem as well is also something I look for in a girlfriend, you know, someone who would just be prepared to put up with something quite rubbish. That's the kind of woman I'm looking for.
I thought that was called daddy issues, right?
As you're talking, right, the answers come back almost instantaneously because they're already prescripted and triggered off by your response. According to LifeWire, once it's dispensed a few flirty small talk remarks, as you said Thom, it delivers its payload, right, usually asking you to visit a link that's either...
To deliver yours, yeah, absolutely, right.
To deliver either a payload or, you know, get you to part with sensitive information. Yeah, DNA. And the trick was that bots were kind of incapable of keeping up with real conversations. That's what I'm getting from all this because the responses are pre-scripted. So I'm guessing you could ask off the wall questions, right? Yes, you know, so you might be, what do you look like riding a unicycle? Uncomfortable.
I can't think of a quicker way of being sort of, you know, left for dead.
Yes, very good for weeding out the bots, but also weeding out any other human. You don't think I'd succeed on the online dating world? It's going to be everyone's going to be delete. Yeah, I was thinking about, you know, if you were a French fry, what would you wear? Vinegar. But this is all in 2021, right, in the days before ChatGPT and the like were a thing. Well, welcome to the new world where the language models are creeping into every corner of our online life, including that of dating.
All right, yeah, it sounds accurate.
They say the tool itself is not new, it's been around for about a decade, but they keep introducing new functionality and improving it over time. And they think that the ChatGPT functionality was added around March 2023. It seems to be used in order to create fake profile descriptions. Read the inbox on the dating platform and reply to a message, ask for a phone number, write a first contact message and chat from a template. The main goal of the tool is to scrape data from the interactions with the users, including profile pictures, profile body text, dates of communications, everything. But in order to do that, the tool needs to feel real looking, and it also needs to get through account creation. So it has to fake request fingerprints to reliably access the dating platforms. Otherwise, the platforms could detect such weird activity. It has to build all these fake profiles. So how does it do it? LoveGPT seems to have the capability to handle CAPTCHAs quietly, verify phone numbers, create fake email addresses, usernames and passwords. And all this is obviously performed by the tool seeking the most automated process. And of course, if any of the automations fail, they also have built in browsers that allow an operator to come in and do the steps manually. But they're probably more successful at creating a dating account than the typical user who might be struggling. Or as I found earlier when I tried to create my Dream AI girlfriend and I didn't fill in the boxes properly and I was getting error messages.
Well, it's only so many times you want to type in the same stuff, right?
So basically the rules of what we relied on way back in 2021 may not be the same in six months time.
Here's my thought. If the guys that have asked have found this tool for doing this, chances are there are other tools doing something similar as well. Is it possible that a lot of these dating sites are actually using them themselves? Well, no, they're hosting conversations which are going on between two bots without either side realizing. They could be neutralizing each other, having these pointless little conversations, age, sex, location conversation, trying to lure the other one.
But how are they creating these accounts? They're doing it with stolen credentials, presumably to pay for the accounts and whatnot.
I see. No, no, many of them are free. So the sort of financial model of this is if you go on there and you don't pay for your stuff, what it means is that you can't see likes, you can't message somebody, etc. But if you are, let's face it, many of these are pretended to be women looking for lonely men, etc. The men will be in there having paid for a full account and then will make a connection with this person. The financial onus is on the receiving end, if you see what I mean.
Yeah, so it's a bit like nightclubs where they let the women in for free and men have to pay.
That's a really good analogy. That's exactly it. That is exactly it. The world's going crazy, that's all I'm saying. It's a minefield. But seriously, any gentleman out there looking at this, trust me, if she sounds too good to be true, chances are she is. It's unfortunate. There are a few cool cats like me out there, there are many. But you're not on the websites and I know, I've looked. But thanks for verifying for me. Exactly. In a world where technology and human life are intertwined, cybersecurity is just security. Keeping your memories and conversations safe shouldn't require cyber expertise. American spelling isn't going to work, given that Tom Hanks is also American.
Yeah, but if it's English spelling, then, you know. Oh, I see what you mean. I see what you're saying, yeah. I'm going to post a link to it in the show notes, so listeners can read it for themselves and do an analysis. We want to dox this person.
We want to know where they live. We're going to swat them.
Jeez, I know you didn't like Tom Hanks, but this is taking him one step too far. Leave the man alone.
Don't like Tom Hanks? What's wrong with you, man? Oh, don't start this, Thom.
Has all your joy been sucked out of your life? I'm turning us off.
Bye, everybody. Bye. Love you. Bye.
Hosts:
- Graham Cluley
- Carole Theriault
Guest:
- Thom Langford
Episode links:
- Former Soldier Indicted for Attempting to Pass National Defense Information to People’s Republic of China – US Department of Justice.
- ‘Dream’ AI Girlfriend Randomly Turns Into Nude Jennifer Lopez, Has Four Legs – 404 Media.
- LoveGPT: How “single ladies” looking for your data upped their game with ChatGPT – Avast Threat Labs.
- 5 Signs Your Tinder Match Is a Scam Bot – LifeWire.
- Support Alie Hothersall’s fundraising for Mind – JustGiving.
- “The Last Action Heroes” by Nick de Semlyen – Pan Macmillan.
- Life Kit – NPR.
- Tom Hanks has made a complaint – Twitter.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
- Devo – Register now to join Devo and other cybersecurity industry professionals on October 18 for sessions and panels focused on de-stressing, SOC career development, and more!
- Moonlock — cybersecurity wing of MacPaw. Developers of the antimalware tech in CleanMyMac X — Moonlock Engine.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.

