In this week’s episode your hosts practice standing on one leg, Carole gives Graham a deepfake quiz, and we investigate how Strava may be exposing the movements of world leaders.
All this and more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault.
Warning: This podcast may contain nuts, adult themes, and rude language.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
I'm afraid of crocodiles.
You should be.
And you know what? I should be because their jaws are nothing else. They could just cut you in half.
And they're just down the road from you, Carole Theriault.
They have very little legs. It'll take them a while. If they— oh, they could swim.
Yes, yes.
I'm going to have nightmares tonight. Could they climb stairs?
Smashing Security, episode 390. 391. The secret Strava service, deepfakes, and crocodiles. With Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 391. My name's Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 391. My name's Graham Cluley.
And I'm Carole Theriault.
Carole?
Yes?
Hello.
Uh-oh. Are you leaving the show?
No, no, no, no. The AI Fix isn't quite that popular yet. So nope, still—
Can we bleep out the name?
Why would you want to bleep out the name?
I don't know. You get a lot of mentions.
Well, I don't know that we do. Not as many as Sticky Pickles gets.
What?
Would you the AI Fix?
No, but I'd to kick off this show and thank this week's wonderful sponsors, 1Password, BlackBerry, and Vanta. It's their support that helps us give you the show for free.
Now, coming up in today's show, Graham, what do you got?
Now, coming up in today's show, Graham, what do you got?
I'm gonna be talking about striving for security.
Okay, and I'm gonna be asking whether we are deepfaking our way into a hole. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, it may well have escaped your notice because it's been hidden under a bushel a little bit, this particular news, but there are some elections just around the corner, in particular in the United States.
Are you aware of these, Carole?
Are you aware of these, Carole?
Oh, yes. My story touches upon them as well. Because it's big, big news, and it has a global impact on whatever happens. So, I think everyone's watching it and paying attention to it.
So, apologies if you're bored up to your eyeballs of hearing about the election, but it's a big deal.
So, apologies if you're bored up to your eyeballs of hearing about the election, but it's a big deal.
So, Kamala Harris and Donald Trump, they're oiling themselves up in readiness for their tussle, which is going to be occurring on November 5th.
It's not WWE, dude.
Well, maybe it is. As we know, it's very, very close. The two candidates, very close in the polls. It's hard to predict the result of the election at this point.
One thing we can be absolutely certain of is that Donald Trump will be announcing that he won within hours of the polls closing.
So, Joe Biden, Donald Trump, Kamala Harris, these are the very, very, very important people protected by the Secret Service, as are as well their partners, Melania Trump, Jill Biden, and whoever Kamala's married to.
They're all protected because they're important people. We don't want them being bopped off. And it's just the data at the heart of your company.
You don't want your country's leaders or the potential next president to be deleted. And similarly, you don't want your data wiped, do you? You don't want it to be wiped out.
Now, it looks Donald Trump has survived. I think we're pretty clear about that, at least. And to have one assassination attempt against you could be considered misfortune.
But to have two begins to look carelessness by your security team, particularly so close to each other.
So I think the question we have to ask ourselves is how well are these individuals actually being protected? Well—
One thing we can be absolutely certain of is that Donald Trump will be announcing that he won within hours of the polls closing.
So, Joe Biden, Donald Trump, Kamala Harris, these are the very, very, very important people protected by the Secret Service, as are as well their partners, Melania Trump, Jill Biden, and whoever Kamala's married to.
They're all protected because they're important people. We don't want them being bopped off. And it's just the data at the heart of your company.
You don't want your country's leaders or the potential next president to be deleted. And similarly, you don't want your data wiped, do you? You don't want it to be wiped out.
Now, it looks Donald Trump has survived. I think we're pretty clear about that, at least. And to have one assassination attempt against you could be considered misfortune.
But to have two begins to look carelessness by your security team, particularly so close to each other.
So I think the question we have to ask ourselves is how well are these individuals actually being protected? Well—
Okay. I have no idea where you're going with this. It's fascinating.
Well, according to a report in French newspaper Le Monde, the state of security is less than so-so. You know, it's a bit comme ci, comme ça.
Okay.
It is not brilliant or fantastique. Brilliant? Yes, that is a new French word.
Magnifique?
Magnifique, indeed.
Yeah.
Because Le Monde says that bodyguards of world-leading political figures are carelessly leaking their location.
These are the people unwittingly—
Yes.
Okay.
Unwittingly, carelessly leaking this information. Of course, they are shadowing these top bods.
It turns out highly confidential movements of the US President, Joe Biden, the two people campaigning to be the next president, Donald Trump and Kamala Harris, and other world leaders can be easily tracked online through the Strava—
It turns out highly confidential movements of the US President, Joe Biden, the two people campaigning to be the next president, Donald Trump and Kamala Harris, and other world leaders can be easily tracked online through the Strava—
I knew it was going to be Strava.
—fitness app.
I knew it was going to be Strava. I was going to say Strava 30 seconds ago. So the bodyguards are using Strava.
Le Monde says that the whereabouts not only of those people, but also Melania Trump and Jill Biden, can be easily pinpointed by tracking their bodyguards' Strava profiles.
We have talked about this before with the military. And why aren't they listening to the show?
Back in episode 63, almost 7 years ago, we explained how Strava was revealing the movement patterns of soldiers at military bases.
About a year ago, we described how a Russian commander was shot dead while out for a jog, seemingly by Ukraine, because he was posting his runs on Strava.
About a year ago, we described how a Russian commander was shot dead while out for a jog, seemingly by Ukraine, because he was posting his runs on Strava.
You think if you're going to be protecting and being a bodyguard for a VVVIP, as you said, you would think, "Oh, maybe I'll leave my IoT watch at home." No, they want to get their steps in.
They want to get their steps in. They're at the Pentagon, maybe. There's a lot of steps they have to do. They don't want to waste it.
They want to get their steps in. They're at the Pentagon, maybe. There's a lot of steps they have to do. They don't want to waste it.
And if you're a bodyguard, you want to be fit. You're probably into fitness and running around. Of course you're into fitness.
And you're proving, you're probably showing your mates, right? Your other security guard buddies. "I did more than you did.
I'm smarter, I'm cooler, I'm stronger." Do you think they do special exercises to strengthen their ears?
I'm smarter, I'm cooler, I'm stronger." Do you think they do special exercises to strengthen their ears?
Because they have those earpieces in all the time, don't they? Yeah.
You know what? I bet they do, because earpieces fall out of my ears all the time. When I had earbuds, they just fall to the floor constantly because my ears are the wrong shape.
So, I bet I could probably build muscle in my cartilage somehow.
So, I bet I could probably build muscle in my cartilage somehow.
So, it's not just the presidents and world leaders, as I said. It's also their partners, so Melania Trump, as I said.
Normally, of course, that's not a problem with Melania Trump because she's highly unlikely to be in the same place as her husband.
But it's still a risk that she could be kidnapped, which could be very unpleasant for her, especially if a ransom is paid and she's returned to Mar-a-Lago.
So, you know, you don't—
Normally, of course, that's not a problem with Melania Trump because she's highly unlikely to be in the same place as her husband.
But it's still a risk that she could be kidnapped, which could be very unpleasant for her, especially if a ransom is paid and she's returned to Mar-a-Lago.
So, you know, you don't—
I was just going to say, I'm sure she has security, but then yeah, there's a catch-22 there.
Yeah, they're probably quite hunky, I would expect. Yeah, with their Strava watches. So Strava, for anyone who doesn't know, it's the athletic social network.
So rather than showing off your perfect life and your cronuts that you're eating, you upload details of your workouts and exercise regimes and compete against others, see who can do a circuit the fastest.
And yes, it can be handy to find out other people in your city, where they're running, where a good run or a track might be.
But of course, if you're sharing this information a little bit carelessly, if you haven't got your privacy locked down, along come journalists from Le Monde and they find out what you're up to.
And it's not just Americans. Le Monde found out the bodyguards of French President Emmanuel Macron. Mm-hmm. What they're up to.
So rather than showing off your perfect life and your cronuts that you're eating, you upload details of your workouts and exercise regimes and compete against others, see who can do a circuit the fastest.
And yes, it can be handy to find out other people in your city, where they're running, where a good run or a track might be.
But of course, if you're sharing this information a little bit carelessly, if you haven't got your privacy locked down, along come journalists from Le Monde and they find out what you're up to.
And it's not just Americans. Le Monde found out the bodyguards of French President Emmanuel Macron. Mm-hmm. What they're up to.
Is he having long lunches? With a glass of wine? At some bistro?
Oh, that'd be nice. In Paris. Maybe some cheesy French onion soup. It'd be wonderful, wouldn't it? And also Vladimir Putin. Wow. Now, I don't think it's his Strava, as far as I know.
Le Monde says it has traced the Strava movements of Emmanuel Macron's bodyguards to determine that the French president spent a weekend in a Normandy Sea resort in 2021.
The trip was meant to be private, wasn't listed on his official agenda. They knew he was there because his bodyguards were there.
In another example, they used an agent's Strava profile to reveal the location of a hotel where Joe Biden stayed in San Francisco for talks with the Chinese president last year.
Mm-hmm. A few hours before Biden's arrival, the agent went jogging from the hotel. And used Strava to trace his route.
In all, they identified 26 US agents, 12 members of the president's security group, 6 members of the Russian Federal Protection Service, all with public profiles on Strava, all sharing their locations online even during official trips.
You know— What do you make of it, Carole?
Le Monde says it has traced the Strava movements of Emmanuel Macron's bodyguards to determine that the French president spent a weekend in a Normandy Sea resort in 2021.
The trip was meant to be private, wasn't listed on his official agenda. They knew he was there because his bodyguards were there.
In another example, they used an agent's Strava profile to reveal the location of a hotel where Joe Biden stayed in San Francisco for talks with the Chinese president last year.
Mm-hmm. A few hours before Biden's arrival, the agent went jogging from the hotel. And used Strava to trace his route.
In all, they identified 26 US agents, 12 members of the president's security group, 6 members of the Russian Federal Protection Service, all with public profiles on Strava, all sharing their locations online even during official trips.
You know— What do you make of it, Carole?
Two things. One, wow, in this day and age. Other side of me, yeah, totally can see that happening, 100%.
Even though it's years after this was first revealed. And here's the thing, right? Here's the thing.
If Le Monde is able to work out and able to track where these people are, this must surely be known about by intelligence agencies of other countries.
So I'm sure other countries are tracking.
If Le Monde is able to work out and able to track where these people are, this must surely be known about by intelligence agencies of other countries.
So I'm sure other countries are tracking.
You've got to find out which countries don't have Strava-leaking bodyguards. Yeah. And they're the ones that have been told.
But seeing as intelligence agencies must know about this, why aren't they ensuring that their own leaders are better defended by their security teams and are not allowing this to happen?
The US Secret Service says its staff aren't allowed to use these kind of devices while on duty. But they don't prohibit them for personal use while off duty.
So, of course, you're not on duty 24 hours a day. You'll be doing shifts.
So you may go out for a bit of exercise after looking after the president for a bit, and you go for a run round the block.
The US Secret Service says its staff aren't allowed to use these kind of devices while on duty. But they don't prohibit them for personal use while off duty.
So, of course, you're not on duty 24 hours a day. You'll be doing shifts.
So you may go out for a bit of exercise after looking after the president for a bit, and you go for a run round the block.
And these were open profiles, completely open, not shared with my contacts that use Strava too?
Apparently completely open.
And I wonder if that is actually not done on purpose, but actually just because a lot of these things, the config options are difficult to set up, right?
I was wondering whether this is actually a crafty scheme by the bodyguards to send attackers off the scent.
Are they actually attaching their Stravas to a dog or something, or a kid on a skateboard?
Are they actually attaching their Stravas to a dog or something, or a kid on a skateboard?
God, he's moving fast. Yeah. Is this a greyhound?
Wow. What's he doing going round that lamppost so much? Carole, what's your story for us this week?
I decided, for better or for worse, to cover deepfakes this week.
Part of the reason is because the topic is rife in the news at the moment, guessing because of the upcoming elections in the US of A. Deepfakes are a big effing deal.
Deepfakes are ranked as a top global risk in 2024. You know, this is all according to the World Economic Forum.
So I was happy to see some nonpartisan public service announcements in the US this week warning people about deepfakes trying to dupe you into not voting.
Part of the reason is because the topic is rife in the news at the moment, guessing because of the upcoming elections in the US of A. Deepfakes are a big effing deal.
Deepfakes are ranked as a top global risk in 2024. You know, this is all according to the World Economic Forum.
So I was happy to see some nonpartisan public service announcements in the US this week warning people about deepfakes trying to dupe you into not voting.
So we've got a series of celebrities here sat at a desk telling us to watch out for AI. On occasion, their faces go bzzz there's a bit of interference or something.
Artificial intelligence has gotten so advanced.
Artificial intelligence has gotten so advanced.
You probably can't tell that some of us aren't real. I'm definitely real. That's a problem.
Because this election, bad actors are going to use AI to trick you into not voting.
Not voting. Luckily, we already know what they're going to do. They'll use fake phone calls, videos, or messages to try to change when, how, or where you vote.
For example, a fake message saying voting has been extended or your polling location has closed or changed due to an emergency, or you need new documentation to vote.
These are all scams designed to trick you into not voting. Don't fall for it. What do you think? What do you make of it, Clew?
For example, a fake message saying voting has been extended or your polling location has closed or changed due to an emergency, or you need new documentation to vote.
These are all scams designed to trick you into not voting. Don't fall for it. What do you think? What do you make of it, Clew?
The first thing is, is that what Michael Douglas looks these days? I wouldn't have recognized Michael Douglas.
He's an older gentleman.
Well, no, I know he is. But I wouldn't recognise a lot of these people, even when they put their names up. I'm not actually sure they are, but I guess—
You're not in the States though.
I'm not American. That's true. That is Orlando Bloom. I don't recognise him without a bow and arrow.
So celebs aside, do you think it's a good ad that educates people about AI and deepfakes?
It's a very simple message. What it's basically saying is AI can be pretty convincing, doesn't it?
Yeah, and it's gonna maybe try to convince you not to vote or—
Because you think all these famous people are talking to you, but in fact, it turns out at the end that they're, I don't know, some cheap actor or something.
Well, you see, that was my kind of problem with it. So a lot of people have lauded this as a really great ad. And I guess, okay, I think it's great that we're educating people.
But it's a long ad. It's 1 minute 37. It's too long. Listeners, you didn't hear it all.
And I worry that people will lose interest halfway through because people's attention spans are those of gnats.
And it's only at the end of the ad that they kind of explain how deepfakes work and how someone can appear to be someone else, et cetera, et cetera.
But for the first minute or so, the deepfake effects are a bit Max Headroom-y to my mind.
And I wonder if people are going to look at that and go, oh, so if I see something glitch, it means it's not real.
But it's a long ad. It's 1 minute 37. It's too long. Listeners, you didn't hear it all.
And I worry that people will lose interest halfway through because people's attention spans are those of gnats.
And it's only at the end of the ad that they kind of explain how deepfakes work and how someone can appear to be someone else, et cetera, et cetera.
But for the first minute or so, the deepfake effects are a bit Max Headroom-y to my mind.
And I wonder if people are going to look at that and go, oh, so if I see something glitch, it means it's not real.
Oh, I see. And of course, yeah, chances are deepfake isn't going to be that obvious.
But I get the problem though. How do you show how effective deepfakes are by showing a person that looks so real?
And the thing is, we are pretty crap at telling what a deepfake is and what a deepfake is not, or what a real person is.
According to a new study by Utah Valley University, 56%, so more than half of US test subjects couldn't tell the difference between deepfake and real content.
And that's something that the senior project analyst said was a bit of a surprise.
Quote, "One of the questions we've been asking is when deepfakes are going to get good enough that they're actually convincing.
The day is today." Now, I heard this, but I'm thinking, I remember research in 2021 that found that as humans, we're biased towards mistaking deepfakes for real people.
Because typically when we see a person on the screen, we think it's a real person. And we also overestimate our ability to tell whether something is deepfake from real.
And the thing is, we are pretty crap at telling what a deepfake is and what a deepfake is not, or what a real person is.
According to a new study by Utah Valley University, 56%, so more than half of US test subjects couldn't tell the difference between deepfake and real content.
And that's something that the senior project analyst said was a bit of a surprise.
Quote, "One of the questions we've been asking is when deepfakes are going to get good enough that they're actually convincing.
The day is today." Now, I heard this, but I'm thinking, I remember research in 2021 that found that as humans, we're biased towards mistaking deepfakes for real people.
Because typically when we see a person on the screen, we think it's a real person. And we also overestimate our ability to tell whether something is deepfake from real.
And I think when something's moving as well, video, you're less likely to think it's fake than a photograph, aren't you? Because we're used to things being Photoshopped. But okay.
The truth is that deepfake now, when you have a deepfake video, if there aren't any obvious glitches, you do kind of believe it, don't you?
The truth is that deepfake now, when you have a deepfake video, if there aren't any obvious glitches, you do kind of believe it, don't you?
Okay, let's see how good you actually are. Why don't we go and visit the Northwestern AI-generated or real experiment? They're gonna show you a series of images.
You have to guess whether it's real or fake, and they'll tell you whether you're right or wrong. Listeners, this is in the show notes if you want to try it for yourselves.
You have to guess whether it's real or fake, and they'll tell you whether you're right or wrong. Listeners, this is in the show notes if you want to try it for yourselves.
All right, so I've got to this page where it's showing me a photograph and it's asking me, is this a real image? So I've got a picture here of 6 people, far too attractive.
Well, I can tell they're not English, first of all, because their teeth are too good. These are probably Americans, I'm expecting. In fact, they're all far too beautiful.
So I'm going to say this is fake.
Well, I can tell they're not English, first of all, because their teeth are too good. These are probably Americans, I'm expecting. In fact, they're all far too beautiful.
So I'm going to say this is fake.
This is because he looks in the mirror every day and can't imagine that people would be that good-looking. Were you right or wrong?
Okay, I'm going to say fake. I'm going to click next. Oh, I was right. Okay, next. Alright, here's a chap who's sort of doing some kind of exercise on some stone steps.
Looks very uncomfortable. His legs look a bit weird. I'm— hang on, those arms, I'm not sure, but I'm gonna say fake. Okay, fake. It was a real image. I've gone wrong already.
So I've got a 50% hit rate.
Looks very uncomfortable. His legs look a bit weird. I'm— hang on, those arms, I'm not sure, but I'm gonna say fake. Okay, fake. It was a real image. I've gone wrong already.
So I've got a 50% hit rate.
It's the same as me. That's exactly what I got. The second image I got, I was thinking, this is definitely real. I really looked at it. I was wrong. Okay.
So misleading deepfakes are, I think you and I agree, a seriously big problem. So, what do you think a particular wing of the Pentagon might want to do with them? With deepfakes?
Why would a counter-terrorism group within the US Department of Defense, the DOD, have on its wish list the ability to create deepfakes?
So misleading deepfakes are, I think you and I agree, a seriously big problem. So, what do you think a particular wing of the Pentagon might want to do with them? With deepfakes?
Why would a counter-terrorism group within the US Department of Defense, the DOD, have on its wish list the ability to create deepfakes?
Well, I imagine they might want to use them for misinformation purposes. It's a weapon which you could use against other countries.
That's one reason why the military would want deepfakes, just as they may be worried about them being used against them.
That's one reason why the military would want deepfakes, just as they may be worried about them being used against them.
They don't say that in those words.
Well, no, they never do, do they?
I think what they said is pretty interesting in itself, though.
So what they say is in this wish list, they are reportedly seeking, quote, technologies that can generate convincing online personas for use on social media platforms, social networking sites, and other online content for use by special operation forces.
This solution, they add, should include facial and background imagery, facial and background video, and audio layers. The point?
Use this capability to gather information from public online forums.
So what they say is in this wish list, they are reportedly seeking, quote, technologies that can generate convincing online personas for use on social media platforms, social networking sites, and other online content for use by special operation forces.
This solution, they add, should include facial and background imagery, facial and background video, and audio layers. The point?
Use this capability to gather information from public online forums.
To create sort of like sock puppets or things, or fake accounts.
To flood social media with these AI bots to interact, I imagine, with people to try and get real information from real people.
But how are they going to know they're not talking to another bot?
But how are they going to know they're not talking to another bot?
Yeah, and aren't they a bit late to the game here? Have they been on Twitter lately? I mean, that's— it's mostly populated by bots, isn't it?
So why are you still there?
But I'm clinging on by my fingernails. To the bots' numbers. Yeah. No, I am. I am still there at the moment, but oh my goodness, using it less and less.
I was thinking, what would social media companies say to this, right? To have their media platforms flooded with bots.
But then it suddenly occurred to me, huh, maybe they don't care at all because they can just say, oh, well, that person or that account viewed this many ads, pay me.
But then it suddenly occurred to me, huh, maybe they don't care at all because they can just say, oh, well, that person or that account viewed this many ads, pay me.
Absolutely. If the bot goes about attempting to appear authentic as a user, exactly, it will be clicking on ads or it will be interacting with them or it will be replying.
And so the advertisers, they're going to find it more and more difficult to tell if someone's a human or not.
And so the advertisers, they're going to find it more and more difficult to tell if someone's a human or not.
Exactly. They're going to have all these profiles of beautiful people.
Yes.
Between the ages of 19 and 29. Okay, so what is the solution here? What is the solution? So I went around looking around the internet and I found a few cute things.
So one was from WeForum. WeForum? WeForum, yeah. That's a community for people who enjoy, okay, carry on.
I didn't even see that. Can I honestly say I didn't even? So they list four things. So number one, they say technology, that's really important, right?
So basically detection systems to help identify whether something is real or not. The problem with anti-deepfake tech, if I can call it that, is, you know, the false positive thing.
So if they get one wrong, a user might get duped.
So basically detection systems to help identify whether something is real or not. The problem with anti-deepfake tech, if I can call it that, is, you know, the false positive thing.
So if they get one wrong, a user might get duped.
Yeah, it's going to make mistakes in both directions. It will incorrectly say legitimate photos and legitimate videos are faked and vice versa, I would expect.
Of course. Number two, policy efforts. So regulation, right? And they're talking about needing a global stance because obviously deepfakes don't respect geographical borders.
Yeah, but everyone's going to respect regulations. I mean, that's how the internet works, isn't it?
Everyone play by the rules. No, but I, for example, would like it if an artist is selling a piece of work, they can say AI generated versus not. You know, it'd be nice.
Or if a company was saying, hey, look at all this imagery, it could be AI generated or not. Or is that crazy of me?
Or if a company was saying, hey, look at all this imagery, it could be AI generated or not. Or is that crazy of me?
No, that would be great. Good luck with that would be my response. Yeah, sure.
But even if 80% follow it, it's going to be way better than now.
Number 3, public awareness, which is basically why I'm talking about it now and why we're seeing public service ads warning people, because the more you can look at these people and realize how easy it is to fall over like you saw Graham and I do, the more careful you might be.
And number 4 is having a zero trust mindset, Graham.
So they write that the zero trust approach in cybersecurity means not trusting anything by default and instead verifying everything.
When applied to humans consuming information online, it calls for a healthy dose of skepticism and constant verification.
And they go on and they say, zero trust mindset will become an essential tool to distinguish between what is authentic and what is synthetic in increasingly immersive online environments.
So, okay, wow. Right? Basically, they're saying trust no one, right? And that's great for society. Super cool. You know, actually, Graham, I'm not even sure you are who you say you are.
I know I've met you 1,000 times, but I think healthy skepticism and with zero trust mindset maybe you can fire over two pieces of official ID so I can verify your identity.
And how do I double-check every email, every comment that I read? Do I fact-check everything? I read an article every single time to make sure it's from a trusted source?
Number 3, public awareness, which is basically why I'm talking about it now and why we're seeing public service ads warning people, because the more you can look at these people and realize how easy it is to fall over like you saw Graham and I do, the more careful you might be.
And number 4 is having a zero trust mindset, Graham.
So they write that the zero trust approach in cybersecurity means not trusting anything by default and instead verifying everything.
When applied to humans consuming information online, it calls for a healthy dose of skepticism and constant verification.
And they go on and they say, zero trust mindset will become an essential tool to distinguish between what is authentic and what is synthetic in increasingly immersive online environments.
So, okay, wow. Right? Basically, they're saying trust no one, right? And that's great for society. Super cool. You know, actually, Graham, I'm not even sure you are who you say you are.
I know I've met you 1,000 times, but I think healthy skepticism and with zero trust mindset maybe you can fire over two pieces of official ID so I can verify your identity.
And how do I double-check every email, every comment that I read? Do I fact-check everything? I read an article every single time to make sure it's from a trusted source?
Are we really thinking people who are browsing TikTok or scrolling on Instagram are going to, oh, well, I don't believe this video. I don't believe this video.
I'm going to spend— No, they're just going to laugh at the cats doing somersaults.
I'm going to spend— No, they're just going to laugh at the cats doing somersaults.
You see, I have no problem people looking at cats doing somersaults on socials. That's probably what they're for. I do want to say be cautious about getting news from those areas.
Yeah, because maybe getting news from nonpartisan news organizations that are held accountable when they get facts wrong and may have to face litigation if they are libelous or don't admit to their mistakes means they have a requirement to try and present the news as most honestly as they can.
And it's just depressing. MIT Lab says, "Look, this is how you can actually do this. Look at the face. Look at the cheeks and forehead. Look for moles and eyes and eyebrows.
And do shadows work?" You and I got fooled on the second one. Yeah. Look, it says pay attention to blinking. You know? Aren't you gonna look a weirdo if the person's actually real?
Right? So the person's on the screen, and you're sitting there scrutinizing their moles and looking at their teeth and their hairline.
Yeah, because maybe getting news from nonpartisan news organizations that are held accountable when they get facts wrong and may have to face litigation if they are libelous or don't admit to their mistakes means they have a requirement to try and present the news as most honestly as they can.
And it's just depressing. MIT Lab says, "Look, this is how you can actually do this. Look at the face. Look at the cheeks and forehead. Look for moles and eyes and eyebrows.
And do shadows work?" You and I got fooled on the second one. Yeah. Look, it says pay attention to blinking. You know? Aren't you gonna look a weirdo if the person's actually real?
Right? So the person's on the screen, and you're sitting there scrutinizing their moles and looking at their teeth and their hairline.
You know, we're on Mission Impossible. They wear those masks and you sort of grab them by the neck, don't you, and try and rip it off. That's what's gonna be happening.
We'll be going up to people in real life thinking, "Oh, you can't not be real." It's Santa's beard.
We'll be going up to people in real life thinking, "Oh, you can't not be real." It's Santa's beard.
Yeah, you gotta pull it just to see if it's actually Santa. Yes. Wouldn't it be nice to have secure communications through a critical event?
Be it a cyberattack, an extreme weather event, or even civil unrest.
Wouldn't it be nice to know that you are communicating to the right people so you can deploy resources to areas where they are most needed?
And wouldn't it be nice to have all this delivered out-of-band so there is continued communication even if your own infrastructure is compromised? The answer is yes. Yes, it would.
Say hello to BlackBerry's SecuSuite, certified to meet the highest security requirements.
SecuSuite protects against threats to enterprise and local and national security by enabling secure communications on conventional mobile devices.
With BlackBerry SecuSuite, employees can make secure phone calls and exchange secure messages, including group chats, on the devices that they already carry. How cool is that?
Find out more at smashingsecurity.com/blackberry. And thanks to BlackBerry for sponsoring the show.
Be it a cyberattack, an extreme weather event, or even civil unrest.
Wouldn't it be nice to know that you are communicating to the right people so you can deploy resources to areas where they are most needed?
And wouldn't it be nice to have all this delivered out-of-band so there is continued communication even if your own infrastructure is compromised? The answer is yes. Yes, it would.
Say hello to BlackBerry's SecuSuite, certified to meet the highest security requirements.
SecuSuite protects against threats to enterprise and local and national security by enabling secure communications on conventional mobile devices.
With BlackBerry SecuSuite, employees can make secure phone calls and exchange secure messages, including group chats, on the devices that they already carry. How cool is that?
Find out more at smashingsecurity.com/blackberry. And thanks to BlackBerry for sponsoring the show.
Whether you're starting or scaling your company's security program, demonstrating top-notch security practice and establishing trust is more important than ever.
Vanta automates compliance for SOC 2, ISO 27001, and more, saving you time and money while helping you build customer trust.
Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center, all powered by Vanta AI.
Over 7,000 global companies like Atlassian, Flow Health, and Quora use Vanta to manage risk and prove security in real time. Get $1,000 off Vanta when you go to vanta.com/smashing.
That's vanta.com/smashing for $1,000 off. Quick question: do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps?
I didn't think so. So my next question is, how do you keep your company's data safe when it's sitting on all of those unmanaged apps and devices?
Well, 1Password has an answer to this question, and it's called Extended Access Management.
1Password Extended Access Management helps you secure every sign-in for every app on every device, because it solves the problems traditional IAM and MDM can't touch.
Go and check it out for yourself at 1password.com/smashing. That's 1password.com/smashing. And thanks to the folks at 1Password for supporting the show. And welcome back.
And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Vanta automates compliance for SOC 2, ISO 27001, and more, saving you time and money while helping you build customer trust.
Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center, all powered by Vanta AI.
Over 7,000 global companies like Atlassian, Flow Health, and Quora use Vanta to manage risk and prove security in real time. Get $1,000 off Vanta when you go to vanta.com/smashing.
That's vanta.com/smashing for $1,000 off. Quick question: do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps?
I didn't think so. So my next question is, how do you keep your company's data safe when it's sitting on all of those unmanaged apps and devices?
Well, 1Password has an answer to this question, and it's called Extended Access Management.
1Password Extended Access Management helps you secure every sign-in for every app on every device, because it solves the problems traditional IAM and MDM can't touch.
Go and check it out for yourself at 1password.com/smashing. That's 1password.com/smashing. And thanks to the folks at 1Password for supporting the show. And welcome back.
And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
It can be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security related necessarily. Better not be. My pick of the week this week isn't security related. I had some children come to visit me.
A friend popped round with some children over the half-term holidays, and I thought, what shall I do with these children?
It can be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security related necessarily. Better not be. My pick of the week this week isn't security related. I had some children come to visit me.
A friend popped round with some children over the half-term holidays, and I thought, what shall I do with these children?
First, how old are these kids?
Oh, they're about 10 and 8, I think they were.
Right. Okay. Yep.
And so I thought, okay, I know what to do. I'm going to take them to see the crocodiles.
And so off we went to this place near where I live in Oxfordshire called Crocodiles of the World.
And so off we went to this place near where I live in Oxfordshire called Crocodiles of the World.
I have seen that sign every single time I've driven that road.
Have you never been?
I've never been. Have you been before this?
Yes, this is my second trip to Crocodiles of the World. They have an extraordinary number of crocodiles and they feed crocodiles.
I'm not quite sure what they're feeding them, probably not human-legged Graham Cluley or 8-year-old children.
But they basically dangle food above a huge swimming pool full of crocodiles and these crocodiles leap into the air.
Jesus, they probably leap about 2 or 3 metres into the air and go with a great big clack.
I'm not quite sure what they're feeding them, probably not human-legged Graham Cluley or 8-year-old children.
But they basically dangle food above a huge swimming pool full of crocodiles and these crocodiles leap into the air.
Jesus, they probably leap about 2 or 3 metres into the air and go with a great big clack.
You know how people say, "Oh, I'm afraid of spiders" or "I'm afraid of bees"? I'm afraid of crocodiles and you know what, I should be because their jaws are nothing else.
They could just cut you in half.
They could just cut you in half.
And they're just down the road from you, Carole.
They have very little legs, it'll take them a while. Oh, they could swim, yes, yes.
I'm gonna have nightmares tonight, Grok.
Could they climb stairs?
So the average strength of a human bite, right? Imagine you're venturing off into the bush, right? 162 pounds per square inch, 162 PSI, right.
Crocodiles have a bite of over 5,000 pounds per square inch.
Crocodiles have a bite of over 5,000 pounds per square inch.
Yeah, I know, they can cut you in half with their little mouths.
They've possibly got the strongest bite of any animal, much more than hyenas, much more than sharks. Some people say killer whales... sorry, I shouldn't call them that.
Orcas, I believe is the politically correct term.
Orcas, I believe is the politically correct term.
Yeah, they've been pretty angry recently.
They've been pretty moody, I don't blame them. Some people say they've got a PSI of 19,000, which is about 4 times what the crocodile has.
People or AI? No, no, no.
This is a BBC News report I was reading, I was investigating, so I trust them. Now, I don't know how you measure the bites of an orca killer whale, or indeed a crocodile.
Jump in next time and see if it hurts.
I can tell you, the crocodiles have got a loud clack on them. I don't know if it's cruel, maybe it's cruel to keep them in captivity.
To be honest, I don't think these crocodiles would survive in England if they weren't in this particular environment and it seems they're fed quite well.
Anyway, if you're on half-term holiday with your kids, go check out Crocodiles of the World in Oxfordshire.
To be honest, I don't think these crocodiles would survive in England if they weren't in this particular environment and it seems they're fed quite well.
Anyway, if you're on half-term holiday with your kids, go check out Crocodiles of the World in Oxfordshire.
I went there and the kids loved it.
They did, they'll probably have nightmares tonight though. Krow, what's your Pick of the Week?
Okay, for this week's Pick of the Week, I would you all, grim, darling listeners, all of you to stand up if you can.
Obviously don't do this if you're driving or up a ladder or having sexy times. If you're having sexy times and you're listening to this show, all I can say is wow.
Obviously don't do this if you're driving or up a ladder or having sexy times. If you're having sexy times and you're listening to this show, all I can say is wow.
Geez. Now if I stand up, I'm going to be further away from the microphone. That's okay, we can still hear you.
We can still hear you.
You can still hear me.
Okay, so I'm going to count you in. 3, 2, 1, go and I'm going to explain first what you're going to do, okay?
I want you to put your hands on your hips and I want you to stand on one leg for as long as you can.
Kind of a flamingo, but the other way, so you're bending your knee the normal way, not the backward way flamingos do.
I want you to put your hands on your hips and I want you to stand on one leg for as long as you can.
Kind of a flamingo, but the other way, so you're bending your knee the normal way, not the backward way flamingos do.
Oh, oh, yes. Okay, yes.
And there's no cheating. Do you want to put your video on so I can see you? Because then I'll know if you're cheating or not. Yeah, okay, I see you perfectly. Yes, hi.
All right, so hands on hips, eyes open. Timer starts when I say go, and it's going to stop if I see, Graham, your hands move from your hips or you lower your foot.
Okay, ready, Spaghetti? Fascinating radio. 3, 2, 1, go. 1 Mississippi, 2 Mississippi, 3 Mississippi, 4 Mississippi, 5 Mississippi. How's it feeling?
All right, so hands on hips, eyes open. Timer starts when I say go, and it's going to stop if I see, Graham, your hands move from your hips or you lower your foot.
Okay, ready, Spaghetti? Fascinating radio. 3, 2, 1, go. 1 Mississippi, 2 Mississippi, 3 Mississippi, 4 Mississippi, 5 Mississippi. How's it feeling?
Well, a little bit wobbly. It's a lot scarier with you doing the countdown like this. 11 Mississippi, 12 Mississippi.
You're doing very well, 13, 14. Are you— is your foot up? I can't see your foot. Yes, it's up! Is it just above the ground though? No, no, it's like perpendicular.
Okay, good! I look like a number 4. Yeah, you're doing amazing. Okay, still standing. How long do you think you can go?
You think you can go all day?
Well, I'd rather not, if that's all right.
So you don't have an issue. This is very excellent, Graham.
I'm really impressed. I'm still doing it.
Okay, and I'm just checking your age. Okay, you're fine, you're fine. Graham, you've passed. You have passed, congratulations.
Okay, all right. Putting my foot down.
Well done. So what we were doing, everybody, is according to the NHS, apparently balance more than any other activity changes with age.
And scientists have reportedly said that it might be because it uses so many different parts of the brain and the body at once. You've really gotta focus.
So you held it for many seconds. What should you be aiming for?
And scientists have reportedly said that it might be because it uses so many different parts of the brain and the body at once. You've really gotta focus.
So you held it for many seconds. What should you be aiming for?
Right.
So if you're 18 to 40, you should be aiming for 43 seconds. Yes, that's me. 40 to 49, 40 seconds. Right, 50 to 59, 37 seconds, which you did, Graham, easily.
Easily, I could have done longer. 60 to 69, 30 seconds. Yes, 70 to 79, 19 seconds, and over 80, a little over 5 seconds. So it really drops between 70 and 80, doesn't it?
So if you didn't perform well, listener, don't worry, you can improve your balance. And my tip is practice while you brush your teeth. Right?
Because you'll see a huge difference in a mere week or two. That's how I got my balance going.
Easily, I could have done longer. 60 to 69, 30 seconds. Yes, 70 to 79, 19 seconds, and over 80, a little over 5 seconds. So it really drops between 70 and 80, doesn't it?
So if you didn't perform well, listener, don't worry, you can improve your balance. And my tip is practice while you brush your teeth. Right?
Because you'll see a huge difference in a mere week or two. That's how I got my balance going.
And chances are people have one stronger leg than the other as well, don't they? So you need to switch it up a bit.
I didn't tell you to use your left leg, 'cause I know that would've been much harder.
Well, actually, I did use my left leg.
Oh, did you? Yes. Oh yeah, it was mirrored. Okay, anyway, that's my pick of the week, standing on one leg. No, I am not desperate for pick of the weeks.
Please, nobody send me any good ideas ever, please. Thank you.
Please, nobody send me any good ideas ever, please. Thank you.
And that just about wraps up the show for this week. You can follow us on Twitter @SmashingSecurity, no G, Twitter won't allow us to have a G.
And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
And ginormous thank yous to our episode sponsors, Fanta, BlackBerry, and 1Password. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free.
For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 390 episodes, check out smashingsecurity.com. Until next time, cheerio.
For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 390 episodes, check out smashingsecurity.com. Until next time, cheerio.
Bye-bye. Bye.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Episode links:
- Smashing Security #063: Carole’s back.
- Privacy of fitness tracking apps in the spotlight after soldiers’ exercise routes shared online – We Live Security.
- Smashing Security #330: Deepfake Martin Lewis, and a deadly jog in the park.
- How Emmanuel Macron can be tracked – Le Monde.
- How Emmanuel Macron can be tracked – YouTube.
- The Pentagon Wants to Use AI to Create Deepfake Internet Users – Intercept.
- Is AI eroding democracy ahead of the US election? – BBC News.
- Fooled twice: People cannot detect deepfakes but think they can – PMC.
- Detect Fakes – Kellogg Northwestern.
- DON’T LET AI STEAL YOUR VOTE! – YouTube.
- Deepfakes fool more than half of Americans, UVU study shows – KLS News radio.
- Crocodiles Of The World.
- Here’s How Long You Should Be Able To Stand On 1 Leg By Age – Huffington Post.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- BlackBerry – Tune in and empower your team with the knowledge to stay connected, no matter what crisis. Learn more about BlackBerry’s critical event management solutions.
- 1Password Extended Access Management – Secure every sign-in for every app on every device.
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
