
It’s a case of algorithm and blues as we look into an AI music scam, Ukraine believes it has caught a spy high in the sky, and a cocaine-fuelled bear goes on the rampage.
All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Warning: This podcast may contain nuts, adult themes, and rude language.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Is it really very wise to cover an electricity plant with tinfoil or whatever it is?
Look, I'm leaving it to the experts. It's just an idea. I'm just spitballing.
Smashing Security, episode 384. A room with a view, AI music shenanigans, and a cocaine bear with Carole Theriault and Graham Cluley. Hello hello and welcome to Smashing Security episode 384. My name's Graham Cluley. And I'm Carole Theriault. The excitement continues.
Before we kick off, let's thank this week's wonderful sponsors: 1Password, Vanta and Sysdig. Now, coming up on today's show, Graham, what do you got?
I'm going to be taking a look through the lens of property hunting in Ukraine.
Okay, and I'm going to be talking about Zygotic Washstands. All this and much more coming up on this episode of Smashing Security.
Now, Carole, do you ever find yourself watching property programs on TV? Do you enjoy those? Are there any particular ones you really love?
No, I like lots of them over time, right? I loved when, you know, you had that one where the neighbours would come over and do up your living room for 300 bucks.
Changing rooms. Love that one. Back in the 90s with Carole Smiley. Location, location, location. Grand designs.
Yep. Oh, yeah. Grand designs. Very good. Selling sunset. You know them. Yeah, yeah, yeah. I like all that. I think that's my favourite type of porn is property porn.
Oh, okay. Yes, right. Yes. Lovely worktops, that sort of thing. Well, many of us can only dream, can't we, about one day escaping to the country or buying a little place in the sun or a bijou hideaway in the bright lights of the city. What would be your dream pad or what would you really desire property wise one day? What sort of property would you have?
I would probably have a small cabin in a big wood and it would have a lake and maybe a waterfall somewhere, all overgrown and beautiful and mine with lots of animals running around.
It sounds a little bit remote to me though, Carole. Are you going to have broadband? Are you going to have all the amenities which you may want?
I don't need a lot of amenities, right? I do yoga, I paint, I do podcasts. As long as I get those things done, I'm all right.
You need a supermarket as well. Don't forget that. You need some facilities. There's deliveries. There's drones. Well, they may not deliver to the middle of your phone by drone. Well, perhaps, I suppose. I think there's things which people look for when they're buying a property. I mean, price is obviously a big factor, right? Jobs, yeah. Size can be an issue. You've got a big yeti who you live with. Can you fit your grand piano in if you were buying a penthouse apartment? Sounds like you're not, but I'm guessing you'd care about the views as well, if you've got something like that. So maybe you'd be after a city skyline that could be spectacular, or a lovely waterfront to look at, or a historical landmark, or perhaps a Ukrainian energy plant.
Well, I have looked at an old waterworks building that had gone up for sale as a domestic residence. I was very swoony about it. So I can understand that whole industrial chic.
I think Victorian waterworks, that's really another term for disused sewage centre, isn't it? Yes. I mean, that's, yeah, right.
Very well built, turns out. They really wanted to keep the shit in.
Certainly could have a certain ambience. But anyway, so I think a view of a Ukrainian energy plant, that could be interesting. It seems some people are indeed snapping up high-rise apartments with views of critical infrastructure in that particular war-torn country, which seems to me a bit of an odd choice. Do you really want to be near critical infrastructure if Vladimir Putin is lobbing a whole load of missiles and drones towards it?
I'm trying to figure out why they would want to do it. Yeah. Maybe to make sure they have energy, you know, they're closest served.
Oh, if the power cuts out, you can just get a USB cable. Yeah, a really long extension lead. Just go plug in. Well, we've just seen a man arrested by Ukraine's secret service, the SBU, because he was renting several apartments in high-rise buildings with glamorous views over local energy facilities. According to intelligence agencies and authorities in Ukraine, the man decided to rent the apartments after being offered what was euphemistically called "easy money" via Telegram. What does that mean, easy money? It means, here's a way you can make a bit of money. Here I am on this sort of slightly dodgy messaging app. Would you like to earn some money? All you've got to do for us is a little bit of a... No, OK. OK, whoa, whoa, whoa.
Most people who buy apartments, in the view of renting them out, will go on some site and say, hey, do you want it?
Perhaps so. I don't know if you'd necessarily go on Telegram and accept easy money. You'd think maybe there'd be some sort of strings attached, because apparently the people contacting him via Telegram were Russia's military intelligence service, the GRU, and they recruited the man to install cameras in his apartment. Do you remember the early days of the internet when there wasn't much to look at? I was very young, you probably weren't even existing in the early days. I remember when there was a mailing list about cryogenic suspension. There was a coffee pot at the University of Cambridge you could check on to see what it was up to, and after a few years you began to hear about sites like JenniCam. Jenni was the world's first cam girl. She had a webcam, which was quite an unusual thing to own in those days, in her dormitory at Dickinson College, and it automatically took a photograph of whatever was going on in her room every few minutes and broadcast it.
I seem to remember you, when I was a bit hard up for cash in the early days of our friendship, you kept saying to me, quote, "webcam your house," as though that was the best solution I could do.
I thought there was a market for it.
I'm sure there was a market for it. I wasn't suggesting you do anything sexy. You're basically saying sell your soul to the internet if you want to pay rent easily.
I thought some good passive income. Don't make me sound like some kind of Andrew Tate character.
I'm not making you sound—did you or did you not say that?
Right, I did, but I wasn't saying do anything sexy. That's the thing. These days, if you hear about webcam girls, you imagine it's something else entirely. But in those days, I think people were just looking for anything on the internet. It was a bit, I imagine, like watching Big Brother. You watch the TV show and you would watch them 24 hours a day as they were scratching their bottom or whatever or organizing dinner.
You're really, really down some weird rabbit hole right now. I just want you to know that.
Anyway, this JenniCam girl, she became an internet sensation. She was even famous enough to appear on David Letterman in 1998 alongside Samuel L. Jackson. Now, no one else subsequently ever had the thought again of live streaming cameras in women's bedrooms. That definitely isn't a thing, and it wasn't something I suggested to you. At least it wasn't suggested to you in a pervy way or anything like that. I just simply thought—anyway, the thing is, it hasn't become a phenomenon. But if you were approached by Russian military intelligence and they asked you if you could put some cameras in your apartment, you might think it was maybe to boost the morale of their troops on the front lines.
No, I think 99.99% of the people who would ever be approached by the GRU in this situation would be bricking it. This is not a very fun situation for anyone to find themselves in.
It wasn't because the Russian military wanted to watch this particular chap, of course. The cameras—they weren't pointing inwards, as you've guessed, Carole, because—right, yeah, yeah, that's because you're smart, Carole. That's because you have worked it out.
So are all our listeners. We all understand that the Russians were interested in the energy facilities nearby. I think we're all with you, Graham.
That's right, from the high-rise apartments, that's what they were looking at. And in a statement posted on Telegram, Ukrainian law enforcement have announced they've arrested this alleged Russian spy in Kyiv and that he had installed video cameras with remote access software, allowing Russia to monitor Ukraine's critical infrastructure in real time. And the reason for this, of course, is that the Russian forces wanted to be able to assess the impact of recent airstrikes by accessing the footage and identify anti-aircraft defense systems put in place by Ukraine.
Not good stuff for Ukraine, you know, ultimately.
Well, I think there's a lot of not good stuff happening for Ukraine right now.
I'm not arguing that point. I'm just saying I can understand why the Ukrainian authorities decide to detain this guy. And when they got him, they actually caught him in the act of allegedly setting up one of these new CCTV cameras to record an airstrike on the city. They also seized his phones and video cameras, which contained evidence of what they called intelligence and subversive activities from Russia. If convicted—let's face it, it's quite likely he will be—if convicted, he faces life imprisonment and his cameras and phone being confiscated. Now, I think I've got a good idea as to which one's going to bother him more. Yes, everyone should worry now about geopolitical terrorism information that'd be taken from your webcams and your Ring outside your door.
Well, maybe not my Ring doorbell. I'm not sure that's pointing at anything too critical. But clearly, sometimes these surveillance cameras are being installed intentionally close to places where there is critical infrastructure. I mean, that's the point, right? If you've got critical infrastructure to protect, you're probably going to have security cameras. So you better darn well make sure that they can't be hacked, they can't be accessed remotely, that you've got them properly locked down. And sometimes these things can actually be technology which has been made in other countries, maybe has vulnerabilities. Maybe your government has cut a few corners when it's budgeted for this and hasn't got them properly locked down and hasn't got them properly secured. I have a solution. I've got a solution. Is it really very wise to cover an electricity plant with tinfoil or whatever it is?
Look, I'm leaving it to the experts. It's just an idea. I'm just spitballing.
So Russia is also aware of this threat. Last month, it warned people living in areas at risk from Ukraine's counteroffensive to stop using surveillance cameras altogether. They said, turn them all off, cover them up, as they feared they could be exploited to gather information by Ukraine's forces. And earlier this year in Ukraine, they found surveillance cameras on residential buildings in Kyiv. They took them down because they had allegedly been hacked by Russia to spy on air defense forces, critical infrastructure.
That's very interesting, though, because you have a lot of people who are like, oh, authorities want you to film everything, because it makes everyone's job easier. You know exactly who was where, what they did. Yeah, police love them, don't they? Yeah, police love them. And it's great within a geography until that geography is at war or having fights with someone else, because then obviously it could be hacked. It's just an interesting weakness I've never thought of, actually. Even if you're just watching the road, I mean you may be able to monitor troop movements. In this case at these residential buildings in Kyiv, the cameras had initially been put there to monitor the surrounding area, the parking lot, but the hackers after gaining access changed the viewing angles and set them up to stream footage live to YouTube, again probably trying to help direct drone attacks and missiles en route to Kyiv. So, there you go, Carole. Are you going to get a video camera on your doorbell? Are you going to put one up in your bedroom? I know I suggested it 30 years ago, but...
Okay, zygotic washstands. Doesn't that sound beautiful?
Is that still happening? I know that used to be huge, didn't it?
Of course it's still happening. People learn how to play music all the time, right? You get an instrument and then you go get, like, I want to play Paul Simon's best song or whatever, right? So basically, the more downloads or more streams or plays or sales or whatever, the more moolah the royalty holder gets. And Graham, remember, we used to talk, this is ages ago, but we used to talk about writing a Christmas hit. Because our thinking was, you know, if it gets picked up and becomes a classic, we can rest on our rich asses for the rest of our days.
I actually remember my song, which I wrote for that purpose.
Oh, okay. Do you want to sing it now?
I could sing it now, but I'm a little bit worried it might get ripped off.
Don't worry.
It was called Sausage Dog. If anyone encounters me, I will sing it to them in person, but I'm not sure I should put it on the podcast.
So this was your Christmas song?
It was a Christmas novelty song called Sausage Dog.
I remember it. Don't worry, Graham. No one's going to steal that from me because I don't think either of us had enough musical talent to do any crooning. And everyone on the planet has the idea of, oh, if we only wrote a Christmas song. But it seems as if you do have the talent, and maybe a dash of luck and a sprinkling of magic, you can make some serious cash in the music industry, like our man of the moment here, Michael Smith.
His name is Michael Smith. Should I know him? I don't recognize his name. Is he famous?
See, I don't recognize his name either. But get this, right? Why would you? Loads of people put music out and we never hear of them. But this guy, this guy, he's not just getting a tiny bit of royalty. This guy is making it to the tune of 10 million bucks.
Well, that's doing very well.
Mon dieu, you know? I mean, you've got to get a lot of listens to get that much money in royalties.
Yeah, it's not like selling records. I mean, the number of listens you'd have to get on Spotify, for instance, to earn that sort of money would be astronomical, I'd expect.
I mean, that's enough to buy you a McMansion or a belt with a gold buckle. Your own podcast.
I can see where your priorities lie. So how come we haven't heard of this guy, Michael Smith, right? Because you think even the mainstream press would be piqued by a guy with such musical talent and business acumen as to make that much cash.
Okay, I'm making notes. This sounds good.
I think you'll like this. So in 2018, Smith, he begins working with a CEO of an AI music company. Okay, this is early days, AI world. And a music promoter, to create a lot of songs using AI.
Loving your imagination there, Carole.
How Will I Know, that kind of thing. No, they're more like N underscore 7A 2B 2D 74 dash, yeah, blah blah blah.
It's a really good AI system if it's coming up with song names like that. So these files are being delivered to Smith, and Smith, you know, he's not an idiot. He knows no one's gonna listen to N dash 5 7A 7B. So he randomly generated song titles and artist names for the audio files, so they wouldn't look like they'd been created by AI, but by maybe a real artist with perhaps poor taste. You be the judge.
Has he possibly only downloaded one letter from the alphabet when generating these names?
This was an example given to us by the wonderful FBI that put out a little press release a few days ago.
Oh, the FBI are onto this. They're fans. Well, actually, no, I'm really good friends with this Michael Smith. He's told me it all on the down low.
And he's been doing this since 2018, did you say? And all this was to avoid detection by the authorities. Because if he'd put out one song and had all the bots listen to that one song, people would be who is this new Taylor Swift? But no. Yeah, I think it's probably all right to put out music that's AI generated.
Sure. As long as you say this is AI.
Do you really have to?
I don't know. Well, we've got an AI generated tune on the AI Fix podcast.
I haven't heard of that.
Cheeky. I can understand why it would be fraud to have a bot listening to the music, because obviously that's taking money from someone. That's taking money from the music companies, isn't it? Or the streaming service.
Well, sure, it's taking money from somebody, and it's real money he's getting, not like fake digital bot money. Yeah, yeah, that's naughty. But as we said, his plan has been foiled. So Smith, aged 52, has just been charged with all kinds of wire fraud and money laundering conspiracies and is looking at decades in the clink. Of course, these are all allegations at this point and Smith is presumed innocent until proven guilty. The biggest question for me, I think, is what's going to happen to Zygotic Washstands as a name? Like, does he own the TM for that?
Are they still out there? Have you managed to find any of their music? Is it still lurking somewhere online?
No. I would love one of our listeners to maybe put something up on YouTube. This is the channel name, Zygotic Washstands. Show us what you got and we may play it on an upcoming show.
It reminds me of a scam I heard about. Now, I don't know if this is apocryphal. I don't know if this really happened or not. But I heard there was a group who called themselves Local Radio. That was their name. And they managed to generate money for themselves because whenever people would say to their Alexa, "play the local radio," it would play that band instead, and so they got all these accidental plays and it helped them make money. Isn't it? I think it's a really lovely idea.
See, I knew you'd like this. You like little sneaky things like this. Says a lot about your character.
Quick question: do your end users always, and I mean always, without exception, work on company-owned devices and IT-approved apps? I didn't think so. So my next question is, how do you keep your company's data safe when it's sitting on all of those unmanaged apps and devices? Well, 1Password has an answer to this question, and it's called Extended Access Management. 1Password Extended Access Management helps you secure every sign-in for every app on every device, because it solves the problems traditional IAM and MDM can't touch. Go and check it out for yourself at 1password.com slash smashing. That's 1password.com slash smashing. And thanks to the folks at 1Password for supporting the show.
Modern threat actors have weaponized cloud automation to accelerate, taking only 10 minutes to fully execute an attack in the cloud. As organizations continue to shift into larger and more complex cloud estates, legacy detection and response frameworks are no longer sufficient at stopping cloud attacks. Well, Sysdig delivers fast and effective multi-cloud detection and response capabilities to empower analysts against these accelerated and complex cloud threats. Powered by Falco, analysts gain the visibility, context and real-time security capabilities traditional EDR and on-prem tooling fail to deliver. Learn more about how to stop advanced attacks at cloud speed. Visit smashingsecurity.com slash sysdig for more information. That's smashingsecurity.com slash sysdig. And thanks to Sysdig for supporting the show.
Whether you're starting or scaling your company's security program, demonstrating top-notch security practices and establishing trust is more important than ever. Vanta automates compliance for SOC 2, ISO 27001 and more, saving you time and money while helping you build customer trust. Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust centre, all powered by Vanta AI. Over 7,000 global companies like Atlassian, Flow Health and Quora use Vanta to manage risk and prove security in real time. Get $1,000 off Vanta when you go to vanta.com slash smashing. That's vanta.com slash smashing for $1,000 off.
And welcome back, and you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week is the part of the show where everyone chooses something. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever they like. It doesn't have to be security related necessarily.
Better not be.
Well, Carole, my pick of the week this week is not security related. My pick of the week actually owes some thanks to you.
Oh.
Because back in episode 358, February 2024, you recommended libraries.
Yes, I did.
Which wasn't that novel in itself. I mean, that wasn't, oh, I've never heard of a library before. But you also mentioned an app. The Libby app.
The Libby app. Exactly. Which I still love and use every day. Love it, love it, love it.
I obviously am not allowed under the rules of Pick of the Week to recommend the Libby app again. But I have recently dug out my old Kindle and I've been reading e-books and enjoying them. And I remembered you talking about this Libby app, because I'm a member of the library. And I thought, oh, I don't really want to spend loads of money. So I thought maybe there's some e-books I can read for free. Now, in America, I believe via Libby, you can send an e-book which you borrow from your library to your Kindle device. And what I found is that for some reason that doesn't work in the UK. You can't send your Libby borrowed book from the library to your UK-based Kindle. So I went and bought myself another e-reader. So my old ageing e-reader has been consigned to someone else, and now I have the Kobo Clara BW, which is like a Kindle, really.
Very interesting user interface I've had to tangle with.
Oh, have you?
I have a parent who owns one.
Oh, right. Okay. I don't find it that different from the Amazon Kindle myself. But the beauty is that it's all integrated with the Libby app via something called Overdrive, which means that I can now take out from my local library from the comfort of my e-reader. And the wonderful thing about this e-reader for me compared to my old one is it has a night mode. So when I'm reading in bed and the lights are out, I can actually read. I don't have to have a great big bright screen in front of me.
Jesus Christ, you just discovered backlit Kindle?
No, no, not black. No, no, no, because my old one had a backlight, but it was black writing on a white background, right? It was very, very bright for me. Now I get white writing on a black background at night, you with me?
The crowd's so wild.
Yeah, the crowd's gone wild. It's cool. Anyway, I love it. It's cheap and affordable, does the job. Don't get the color version. Everything I've read says the color version is not as good as the black and white version. So I have got the Kobo Clara BW and that is my pick of the week. And thank you Carole for recommending the Libby app all those months ago.
Yeah, it's great. Love the Libby's.
Very nice. And yeah, I'm enjoying doing this thing called reading.
Yeah. Yeah, you should try audiobooks. There's no ads or anything. It's amazing.
That'll be the next step. That'll be the next step. Carole, what's your pick of the week? Okay, so it's earlier this week, and it's pissing down with rain, howling with wind, and it was evening, and I was chilling out with my cousin, and we didn't want to go out because it was too gross. So we do what we all do. Yes.
And we were just deciding together what we should watch. You know how sometimes two people together come up with something that neither individual party would have watched on their own?
Yes, I do. Right? You know what I'm talking about. That does happen. You don't know how, but it happens. No, I have heard of it, but I haven't seen it.
Okay, okay, great. Okay, so the premise of the story, for those who don't know about it: it's 1985. A drug smuggler wants to drop a shipment of cocaine by plane by parachuting out with a drug-filled duffel bag. That's his plan. Right. But somehow knocks himself out on the plane's doorframe on his exit and sadly falls to his death in Knoxville, Tennessee. A black bear finds the cocaine, munches on it, goes insane, chasing and mauling folks in a rather grisly manner, all in the desperate need to get more of his fix. Of course, the drug dealers that are connected with the guy who died are also trying to find where the hell their cocaine has gone. And did the guy do a runner, and what's going on? And the cops are there and the rangers are there because they keep getting reports of missing people in the area. So it's fantastic. You've got TV stars like Keri Russell from The Americans, Isiah Whitlock from The Wire, Margo Martindale from everything political in the world, and the late Ray Liotta is even in it. It's just ridiculous. It's wonderful, it's horrible, it's got a pinch of gore, it's wildly entertaining. We both totally loved it. And a weird factoid: it is loosely based on a true story. There was no murderous rampage by a bear in the true story, but investigators finally found the corpse of a 175, 275 pound male bear with three to four grams of cocaine in his bloodstream. And can you guess what the world nicknamed him? This big bear.
I don't know.
Pablo Escobar.
Oh, very clever. Very clever. So this is Cocaine Bear. That's my pick of the week. And that just about wraps up the show for this week. You can follow us on Twitter at @SmashinSecurity. No G, Twitter wouldn't allow us to have a G. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify and Pocket Casts. And huge, huge thank you to our episode sponsors, Sysdig, 1Password and Vanta. And of course, to our wonderful Patreon community.
Until next time, cheerio. Bye bye. Bye.
Cocaine bear. Seriously, I recommend it because you will laugh and you will get shocked.
Is it a TV series, is it? Or a movie?
No, no, no. It's just a movie. It's just a movie. Okay. Just a movie. 90 minutes of your life. Okay. You'll thank me. Oh, yeah. Sounds good.
Hosts: Graham Cluley and Carole Theriault.
Episode links:
- Ukrainian detained for allegedly installing CCTV cameras to aid Russian attacks – The Record.
- Russia calls for restrictions on surveillance cameras, dating apps in cities under attack from Ukraine – The Record.
- Christo and Jeanne-Claude art projects.
- North Carolina Musician Charged With Music Streaming Fraud Aided By Artificial Intelligence – United States Department of Justice.
- Man Arrested for Creating Fake Bands With AI, Then Making $10 Million by Listening to Their Songs With Bots – The Futurist.
- Kobo Clara BW ereader – Kobo.
- Cocaine Bear: Why? – The Atlantic.
- Cocaine Bear Official trailer – YouTube.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- 1Password Extended Access Management – Secure every sign-in for every app on every device.
- Sysdig – Secure your cloud in real time. Detect, investigate, and respond to threats at cloud speed.
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
