Smashing Security podcast #396: Dishy DDoS dramas, and mining our minds for data

Industry veterans, chatting about computer security and online privacy.

Graham Cluley
A CEO is arrested for turning satellite receivers into DDoS attack weapons, and we journey into the world of bossware and “affective computing” and explore how AI is learning to read our emotions – is this the future of work, or a recipe for dystopia?

All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
This is actually appalling behaviour, both by your friend and mine. I mean, it is absolutely diabolical. And listeners, do not do this.
CAROLE THERIAULT
No, no, this was 30 years ago when everyone was idiots.
Unknown
Right. And of course, people are so much more sensible now. Yes.

Smashing Security, Episode 396: Dishy DDoS Dramas and Mining Our Minds for Data with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 396.

My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
Carole, no guest today, just the two of us.
CAROLE THERIAULT
I know, and I'm very sorry for those listeners that love when we are a threesome on the show, but as we're nearing Christmas, people's schedules are getting busy.

But you have us, we're here.
GRAHAM CLULEY
Yeah, we're still here.
CAROLE THERIAULT
Yeah. How about we kick this off? Let's thank this week's wonderful sponsors, 1Password, BlackBerry, and ThreatLocker. It's their support that helps us give you this show for free.

Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
Well, you've heard of risky business. I'm going to tell you about dishy business instead.
CAROLE THERIAULT
And employees the world over are changing how we work, and it's not all rosy. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, chums, 30-odd years ago, I had a friend.
CAROLE THERIAULT
Just one.
GRAHAM CLULEY
Well, yeah, just the one. That's pretty true actually. He was about 10 years older than me and I'd go and visit him in South London.

He'd drive me around the town, you know, we'd get up to our antics.
CAROLE THERIAULT
He wasn't grooming you or anything?
GRAHAM CLULEY
No, no, no, no, no. Very nice guy. Very nice guy. Ayman, his name was. And he'd be chuckling away. He'd be laughing away and everything.

And I'd, you know, I was in the passenger seat and I'd think, what's he listening to on the radio?

Because I could hear some sort of sitcom he was listening to, some sort of radio show. And I realised it was Dad's Army that he was listening to.
CAROLE THERIAULT
You couldn't hear it on the radio?
GRAHAM CLULEY
I was working out what it was. Dad's Army, as people will know, is an old vintage TV show from the UK, which did have a radio incarnation as well, but was mostly known for the TV.

And I looked across at him and I saw he was balancing a tiny portable TV on his steering wheel. While he was driving me around.

And just chuckling away because he loved Dad's Army so much. And I obviously, I made representations. So I explained to him that maybe this wasn't a good thing to do.

Maybe he should stop doing that. But he loved TV. He absolutely adored it. This was before the days of smartphones and things like this. This was a TV with an aerial.
CAROLE THERIAULT
You did say 30 years. I think we worked it out.
GRAHAM CLULEY
Yeah, 30 years. All right.
CAROLE THERIAULT
Okay. Is that better or worse? I had a teacher friend who regularly drove me home from where we taught English.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
And, but he then told me that when I wasn't in the car, when he drove, he would make cigarettes on his lap. Oh. Right?
GRAHAM CLULEY
Like roll them up?
CAROLE THERIAULT
He had this little weird mechanical machine that you'd kind of flip the lid, turn this, da da da, lick it, done. And so he would do this.

And one day he literally went through someone's front window, like the bay window.
GRAHAM CLULEY
Oh my God.
CAROLE THERIAULT
He just, 'cause he lost control and he went over the front garden and into the house.
GRAHAM CLULEY
I mean, this is actually appalling behaviour, both by your friend and mine. I mean, it is absolutely diabolical. And listeners, do not do this, please.
CAROLE THERIAULT
No, no, this was 30 years ago when everyone was idiots.
GRAHAM CLULEY
Right. And of course, people are so much more sensible now.
CAROLE THERIAULT
Yes, very sensible.
GRAHAM CLULEY
But my friend Eamon, he loved TV. He adored it. He had this garden office, bottom of the garden.

You'd go down the path and he had hundreds and hundreds of videotapes of all kinds of shows that he'd recorded.

And because he was Syrian, he loved to know what was going on in the Middle East. And it was round about the time that Iraq invaded Kuwait. It was the Gulf War.

It was all kicking off. And he'd be up all night and he'd be recording all the news broadcasts. He'd be watching Middle Eastern comedy shows.

And he did this via this enormous satellite dish.
CAROLE THERIAULT
I was just gonna ask, did he have one of those massive, massive satellite dishes?
GRAHAM CLULEY
Yeah. He did. And it was motorised.
CAROLE THERIAULT
Huge, those things were.
GRAHAM CLULEY
It was absolutely huge.
CAROLE THERIAULT
Yeah, I'm going to say 6 feet across. They're big things back then.
GRAHAM CLULEY
Yeah, it was really big. And in the UK, this was not something you normally saw in people's backyards.
CAROLE THERIAULT
No.
GRAHAM CLULEY
And so we'd tune into these shows, we'd watch news reports, we'd be videotaping everything that was going on. And it must have cost a small fortune, this dish.

And you don't really see satellite dishes around anymore, do you? You don't really— I mean, they're still attached to the side of buildings here in the UK.

Many people will have one which they had put up in the '90s, maybe. But a lot of people don't use satellite TV any longer, do they? Because they're on broadband instead.
CAROLE THERIAULT
I don't know. Yeah, no idea.
GRAHAM CLULEY
I think that's the case. I think maybe your gran may have a telly dish attached to the side of a roof or down the bottom of the garden.

But most people are probably now streaming instead, rather than having TV beamed down from a satellite.

What I didn't know was that South Korea, which is the home of K-pop and kimchi and things, is also apparently a hotbed for satellite receiver manufacturing till this day.

And there are companies out there still doing it, and they have been doing it for years. So this is the story of two companies.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
One was called Company A.
CAROLE THERIAULT
Imaginative.
GRAHAM CLULEY
And the other one, Company B. I agree. These aren't the best names. These are the names which have been released by the police. I don't know what their real names are.

Let's call them Agatha and Barry. All right? And Agatha is a corporation which is known for illegal broadcasting. Okay?

So, there are companies now who are beaming out, either via satellite dishes or via the internet, streams of TV channels and things which you normally would have to pay a subscription for.
CAROLE THERIAULT
You mean pirated TV type of thing?
GRAHAM CLULEY
Type stuff, right?
CAROLE THERIAULT
Yeah, that kind of thing. Okay, okay.
GRAHAM CLULEY
They're not licensed to do what they're doing, right? And the other company, Company B, or Barry as we call it, that is a South Korean firm that manufactures satellite dishes.

And according to Korean police, they are a mid-sized player in the global satellite dish market. Who knew Barry was such a big player?

And this week, South Korean police have arrested 5 key individuals from Barry. By the way, it's not Barry in South Wales. This is, but Barry's just the code name for Company B. Yeah.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
And they've issued, you got that, have you? They've issued, I dunno if you've ever been to Barry in South Wales. There's a little funfair there.
CAROLE THERIAULT
No.
GRAHAM CLULEY
It's all right. They've issued an international warrant for someone linked to Company A, Agatha, as well. And they've frozen £6 billion Korean dollars belonging to Company Barry.
CAROLE THERIAULT
Right. So Barry's assets are all seized up, and Barry's saying, we need someone from Company A to chat about this, correct?
GRAHAM CLULEY
Well, what actually it turns out is that this money, 6 billion Korean dollars—I don't know how much that is, I think it's about £3 million—it said that these are the proceeds of illegal exports which Barry made to Agatha, selling the satellite dishes to Agatha.

Now, what's wrong with exporting satellite dishes, you may ask? Even if Agatha does end up using them illegally, you would think the sale of those satellite dishes is legal.

I would think so.
CAROLE THERIAULT
Mm-hmm.
GRAHAM CLULEY
So it's up to the companies who buy them what they end up doing with them. I would think so. That's my hunch. I'm not a lawyer. I don't know for sure.
CAROLE THERIAULT
You know very little about these things.
GRAHAM CLULEY
I know extremely little about anything, really. These satellite dishes were being shipped for almost 6 years.

And it turns out that back in November 2018, Agatha, the illegal broadcast company I told you about, they believed they were being targeted by some of their business rivals.

And so they made a special request of Barry, the Korean satellite dish manufacturer. And they said, "Here, Barry, can you build us a special satellite dish?"
CAROLE THERIAULT
One that can launch DDoS attacks, one that can retaliate against our business rivals. And because Agatha is such a valued customer, who is company Barry to say no?
GRAHAM CLULEY
Exactly. Barry said, "Yes, of course, sir." Yeah, you're gonna give us millions of pounds? Of course we'll do this. Billions of Korean dollars? Yeah, absolutely.
CAROLE THERIAULT
We're on it.
GRAHAM CLULEY
And they went ahead and integrated into the satellite dishes malicious functionality, which could launch DDoS attacks, which as you know, can bombard a system, can clog it up with so much traffic.

You could do it against a website, you can do it with other things which are connected to the internet as well.

And it not only shipped satellite dishes which had this hidden DDoS attack functionality, but it also pushed out to other users, other customers of its devices, firmware updates, which added the DDoS functionality.

I guess, my guess is that it's easier for a satellite device manufacturer to give everybody the same functionality. You just don't necessarily have to tell everyone about it.

So it's there hidden away, but it doesn't necessarily have to be used. You don't have to advertise the fact that, oh, now it does DDoS too.
CAROLE THERIAULT
Sure, and what if customer Cecilia doesn't pay her bill? You know?
GRAHAM CLULEY
Oh yes.
CAROLE THERIAULT
Right?
GRAHAM CLULEY
Maybe. You could do something else. Maybe you could turn off the devices remotely. Maybe you could zonk them out.

So now the Korean police, they uncovered this scheme after—well, they received some intelligence from Interpol.

And apparently one of the suspects was placed on an international wanted list. And so Korean police are all over this. They've arrested people.

It turns out that between January 2019 to September 2024—
CAROLE THERIAULT
5 years.
GRAHAM CLULEY
A bit more than 5 years, almost 6 years, the manufacturer shipped a quarter of a million satellite receivers.
CAROLE THERIAULT
Okay, well, I'm going to guess it's in all their satellites.
GRAHAM CLULEY
Yes. The ones which didn't have it built in, didn't have it pre-installed, they were updated, as it were, with a firmware update to include this DDoS functionality.

I would imagine many of these devices are connected to the internet because that's an easier way to update the firmware, but if they're not, it may be that the owners of these devices toddle out with a USB stick occasionally and install the latest firmware update and aren't aware of everything that it's doing.
CAROLE THERIAULT
But it was Company Agatha that is streaming all the non-paid-for stuff.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Or whatever.
GRAHAM CLULEY
That's right. And Interpol are now after some of these remaining suspects connected with Company Agatha. I hope there's not a real Company Agatha, by the way.
CAROLE THERIAULT
That's why you don't know anything about this. Okay, good cover.
GRAHAM CLULEY
Yeah, they're still working on it. So I think the thing generally is most listeners to the show know that you need to be really careful about the software that you install.

But I think most of us probably don't think so much about malware that can be brought in via hardware that you purchase.

I remember years and years ago working for a data recovery company where we bought a new hard drive.

And the drivers which came with the hard drive were already infected with malware, whether accidentally or not.

I imagine it was accidental, but in this case it was deliberate, it was intentional, and to launch these criminal attacks.

And I think often people just think, oh, I'm not even gonna worry about what the hardware brings in because it's so hard to manage and control that particular problem.

I'm gonna worry more about traditional attack vectors instead.
CAROLE THERIAULT
Yeah, you wouldn't think about satellite, but then I haven't thought about satellite dishes strapped to the side of a house in years. Right.
GRAHAM CLULEY
I think if you've got any friends who are out there in the Canadian outback, Carole, I think it's called the outback, isn't it?

The boondocks or whatever you call it, out in the hinterland, who don't have a decent internet connection, they might have a satellite dish.

Mind you, if they don't have an internet connection, how are they launching the DDoS attack? Is it being beamed up to the satellite? There's so many questions here.

I want to know more.
CAROLE THERIAULT
We wish you knew.
GRAHAM CLULEY
I don't read Korean, Carole.
CAROLE THERIAULT
Have you heard of Google Translate?
GRAHAM CLULEY
Yeah, it's a bloody PDF. It's a PDF in Korean. Trying to get that into Google Translate has been a nightmare. So I've done the best I can.

This is what we have to do to get the show to you each week. Carole, what have you got for us this week?
CAROLE THERIAULT
So, work, working life. Yes. And I would say I've not seen such a rapid change in such a short period of time in terms of the work ethic in the work environment.

The number of people I speak to now who should be at the top of their game because they are talented and good at what they do—
GRAHAM CLULEY
Thank you—
CAROLE THERIAULT
They are dead nervous about losing their jobs.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
One was offered voluntary redundancy with a two-week severance, and on this side of the pond, that's considered pretty measly.
GRAHAM CLULEY
Yeah. No, you're not good at all.
CAROLE THERIAULT
Yeah.

So the Institute for the Future of Work, so the IFOW, they have issued a very interesting report published this week, and it talks about the advancement in digital profiling thanks to algorithms and datasets.

And by digital profiling, they're talking about collating a glut of data on you and your activities for all manner of reasons.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
So I want to talk about bossware. Now, Graham, you and I left work, you know, to work for ourselves before bossware became a thing or was very sophisticated.

I'm sure there were some ways they were monitoring us, but it was pretty rudimentary compared to what there is today.
GRAHAM CLULEY
They would have had to employ so many people to monitor us, Carole. Can you imagine how busy they would have been?
CAROLE THERIAULT
We did work hard.
GRAHAM CLULEY
Probably there were other people who were made redundant because they no longer had to employ people to keep an eye on us.
CAROLE THERIAULT
Well, the thing is, bossware has been around, what, 5 years or more than that even?
GRAHAM CLULEY
A bit more, yeah, I think.
CAROLE THERIAULT
Yeah, you're right, because in 2019, Gartner surveyed hundreds of big corporations and more than half were using some form of non-traditional monitoring.

Such as analyzing the text of workers' emails and social media use and even gathering some biometric data. But of course, things accelerated, right?

The rise of remote working and a reduction in human contact during COVID lockdown— God, I don't miss those days at all.

But anyway, so this was a big growth period for bossware, and presumably because bosses were panicking that their workers were going to take the mickey.

They wanted to know who was working, what they were working on, how long they were working on it, et cetera, et cetera.

And why not use this wonderful bossware stuff to monitor all of this for you? So we have the obvious here of why they do this, right?

Keep tabs on worker productivity and work behaviors. But there are other rationales for bossware that have been made. So there's health and safety, monitoring wellness and fitness.

Protecting trade secrets, so make sure someone's not cutting and pasting something that they shouldn't be. Spotting deviant offsite behavior.

So I guess that's someone not showing up, not doing any work.
GRAHAM CLULEY
I don't like this phrasing, deviant offsite behavior.
CAROLE THERIAULT
The deviant. I know, I didn't like it either. Yeah. Improving team performance. And of course, security, right? Cybersecurity.

So remember earlier I mentioned the concern over advancement in digital profiling thanks to algorithms and datasets.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
So the paper raises concerns about this recent addition of affective algorithmic management, AAM. And AAM introduces new types of tracking.

So I'll list out a few that the paper outlines, and you tell me how uncomfortable you are with this, maybe from a scale of 1 to 5.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
5 being the creepiest.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Creepy, creepy.
GRAHAM CLULEY
All right, okay, or I'll make a bing or a bong depending on whether I'm happy.
CAROLE THERIAULT
Okay, so there's technology such as RFID tags and eye movement monitoring that can be used to check workplace practices and how specific procedures are undertaken.

So, SenTrack and SwipeSense— that's a really bad name, SwipeSense— both have systems that can be deployed in hospitals to aid hygiene management.
GRAHAM CLULEY
Ooh, hence the swipe.
CAROLE THERIAULT
And staff's time management by monitoring how long nurses spend with patients or whether they're washing their hands enough.
GRAHAM CLULEY
Oh, or other parts of the body. Oh, dear me.
CAROLE THERIAULT
Can you imagine if there's a microphone sending little gentle reminders publicly, employee 839, wash your hands. Or maybe it's sing-song to keep spirits light.

Remember, you gotta wash your hands. What do you reckon?
GRAHAM CLULEY
Well, I guess that's more important in a health facility than maybe it is if you're working remotely at home.
CAROLE THERIAULT
Sure. Yes. I think a lot of these things we have to think about in terms of this is maybe why it was intended to exist. This was the use case.

But if we take it out of that use case, there's nothing stopping another company using these kind of stuff, right?
GRAHAM CLULEY
I suppose not. Yeah, it's— I don't really like this. Yeah.
CAROLE THERIAULT
OK, well, what about fatigue monitoring technologies?

This is used as a safety measure to prevent crashes or poor usage of heavy machinery by alerting workers that they're getting drowsy.
GRAHAM CLULEY
Oh, I thought it was going to be people sat at desks and are they looking tired enough? And if they're not—
CAROLE THERIAULT
That's what I thought too.
GRAHAM CLULEY
If they're not looking tired, then clearly they're not working hard enough.
CAROLE THERIAULT
But however, most of this fatigue monitoring technology comes with a connected cloud-based platform for managers to track workers in real time.

And gain analytics on fatigue management initiatives and productivity optimisation. George has yawned 10 times in the last 5 minutes.
GRAHAM CLULEY
I'm thinking if you get called to a Zoom call at 9 o'clock in the morning and you arrive there looking unshaven, slightly—
CAROLE THERIAULT
Bit of drool on the side of your face.
GRAHAM CLULEY
And you're yawning and all the rest of it.
CAROLE THERIAULT
Shirt untucked.
GRAHAM CLULEY
Yeah. Right. Are they going to be thinking, I think he's—I'm not even sure he's got out of bed.
CAROLE THERIAULT
And when you're saying they thinking, it's not anybody thinking. It's an algorithm assessing. Right. This is part of AAM. So out of 5, fatigue monitoring?
GRAHAM CLULEY
Yeah, I'm not keen on that.
CAROLE THERIAULT
Not keen?
GRAHAM CLULEY
I'm going to give that a slight bong.
CAROLE THERIAULT
Okay. What about tech that collects biometric data that can be deployed to enhance wellness programs or aid worker safety?
GRAHAM CLULEY
What?
CAROLE THERIAULT
So there's a company called Emotiv, with a V, offers a workplace wellness, safety, and productivity neurotech solution.
GRAHAM CLULEY
When you say Emotiv with a V, I can't think how else you would spell emotive. Do you mean there's no E on the end?
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
Oh, well, I'm okay. I'm against this then.
CAROLE THERIAULT
Yeah, well, you've got to get SEO somehow, Graham.
GRAHAM CLULEY
Well, purely, purely the domain name wasn't available. I'm not—I'm not—Yeah, I'm not having any of that.
CAROLE THERIAULT
Okay, I want you to check this little product out. You could buy this, Graham. You could buy this.
GRAHAM CLULEY
All right.
CAROLE THERIAULT
I'll put it into the show notes. So for our listeners, basically looks like very normal little earbuds, right?
GRAHAM CLULEY
Expensive though, $400.
CAROLE THERIAULT
Well, see what it does. And the idea is you wear these throughout the day. And what does it tell you can do if you buy these for yourself?
GRAHAM CLULEY
Get real-time brain data and insights regarding your cognitive fitness, stress balance, mental—Hang on.

So you have to wear this and it's monitoring how hard your brain is working.
CAROLE THERIAULT
Yes. But people use the Apple Watches and being able to look at their data. But okay, now, now I've put another link in the show notes, right?

This is what they tell enterprises because of course this is available for companies as well to buy for their employees.

They say our team of PhD neuroscientists, data scientists, and EEG technologists are dedicated to accelerating your research and product development.

Offering you a bridge to the untapped potential of the human mind. And guess who your guinea pigs are, Mr. Enterprise? Your workers.
GRAHAM CLULEY
So this is a little bit like wearing a headset.
CAROLE THERIAULT
Little earbuds. If you got them from an employer saying, oh, by the way, wear these. Yeah, they also have some with transistors across the head. The more advanced model.
GRAHAM CLULEY
It's wrapped all around the head. It's like a giant spider. It's scary.
CAROLE THERIAULT
Apparently, Graham, SAP, that German business process management platform.

They've collaborated with Emotiv, with a V, no E, to integrate a computing interface to analyze workers' brain states and give real-time feedback on stress levels to employees and their managers.
GRAHAM CLULEY
Surely it's going to be quite stressful knowing that your employer is monitoring your—Oh, interesting.
CAROLE THERIAULT
Interesting you think that. There's just a few more. Microsoft's Copilot can be configured to allow employers to monitor workers' health with an integrated wellbeing function.

Zoom has added a feature that detects emotional states via Emotion AI, which involves machine learning to detect and analyze human emotions, typically through facial expressions, voice tones, and body language in virtual communication.

I'm sure they never get it wrong.
GRAHAM CLULEY
Am I just old-fashioned? Am I just a bit of a curmudgeon that I kind of think there's no real need for this?
CAROLE THERIAULT
I was going to ask you if you were a bit jealous that you couldn't work in one of these environments now. You could go back to the office, have a young boss, a whippersnapper boss.
GRAHAM CLULEY
Oh, can you imagine?
CAROLE THERIAULT
Giving you a little headset. Oh, Graham, God, you're huffing and puffing a lot over there. You seem really grumpy.
GRAHAM CLULEY
Here's your cubicle, Graham. Go and sit over there. Put this on your head.
CAROLE THERIAULT
But that's the truth.
GRAHAM CLULEY
Leap on the treadmill while you're working.
CAROLE THERIAULT
Millions and millions of people are having to do this kind of shit.

And the thing, as you say, right, as you say, you can guess and listeners have guessed that all this monitoring and prompting and analyzing is not necessarily very good for the well-being of the worker.

And the report states as much.

It seems that most employees believe that AAM has forced them to work faster, to do more than they can handle, and to meet tighter deadlines, and to change their work habits.

Slightly more than half of the respondents believe their personal life is invaded by work technologies.
GRAHAM CLULEY
I expect the other half are too nervous to actually think such a thing in case it gets picked up by the device they're wearing.
CAROLE THERIAULT
Right? But isn't that a weird catch-22?

So the surveillance tech stresses you out and then they measure that you're stressed out and they gather that information, process it to tell you you're stressed out and that you're not performing.

Like, you know, there's the loop of it.
GRAHAM CLULEY
It's been like, don't panic, don't panic, don't panic anybody, or don't get stressed. Don't worry, shh, shh, shh, stop stressing, calm down, calm down.

Because that's how you get people de-stressed, calm down.
CAROLE THERIAULT
And just before the show, we were talking about that Apple employee who is basically suing Apple for its effective bossware stuff, saying it's breaking California law by, you know, preventing me from doing things.

I think they stopped him from putting information on LinkedIn that he actually worked at Apple.
GRAHAM CLULEY
Wow. Because they installed this on his personal device, I believe. And, you know, that I presume that's their condition of employment.

Yeah, you're going to have to install this on your devices.
CAROLE THERIAULT
Exactly. And that seems to be true for a lot of companies. It's like, look, we're not going to ship you a computer, but here, can you just install this stuff?
GRAHAM CLULEY
Right.
CAROLE THERIAULT
And there are many questions about the legality of it all. Some people were questioning it very strongly.

Some people were saying there are already laws in place that people could be using. There's actually a fab long-form blog from our friends at 1Password that's worth checking out.

Links in the show notes. All about this and legality of it. But in short, I'm not a fan. I think bossware might be an AKA spyware. I mean, let's be honest.
GRAHAM CLULEY
Oh, yeah. Yeah, yeah.
CAROLE THERIAULT
It's spyware. They just gave it a gentler name. And why are orgs doing it? Because data is a gold mine.

And right now, whether or not there are laws in place, no one seems serious about stopping it yet. I haven't seen any big kind of we're going after the bossware dude.
GRAHAM CLULEY
I mean, you can argue that there are legitimate uses for this.
CAROLE THERIAULT
Sure.
GRAHAM CLULEY
It could be helpful in some circumstances, but unfortunately, there will be pressure upon employees to go along with it and agree to do this because they think otherwise they won't have a job.
CAROLE THERIAULT
I wonder how many employees have explicitly given their consent for the myriad of surveillance technologies the company has imposed upon them.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
They may just say, do you mind if we watch you a bit? You know, check here. Great.
GRAHAM CLULEY
Thank goodness we left industry when we did Carole to work for ourselves because we would be in so much trouble.
CAROLE THERIAULT
Wouldn't it be nice to have secure communications through a critical event, be it a cyberattack, an extreme weather event, or even civil unrest?

Wouldn't it be nice to know that you were communicating to the right people so you can deploy resources to areas where they are most needed?

And wouldn't it be nice to have all this delivered out-of-band so there is continued communication even if your own infrastructure is compromised? The answer is yes, yes it would.

Say hello to BlackBerry's SecuSuite.

Certified to meet the highest security requirements, SecuSuite protects against threats to enterprise and local and national security by enabling secure communications on conventional mobile devices.

With BlackBerry's SecuSuite, employees can make secure phone calls and exchange secure messages, including group chats, on the devices that they already carry. How cool is that?

Find out more at smashingsecurity.com/blackberry. And thanks to BlackBerry for sponsoring the show.
GRAHAM CLULEY
Quick question. Do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I didn't think so.

So my next question is, how do you keep your company's data safe when it's sitting on all of those unmanaged apps and devices?

Well, 1Password has an answer to this question, and it's called Extended Access Management.

1Password Extended Access Management helps you secure every sign-in for every app on every device because it solves the problems traditional IAM and MDM can't touch.

Go and check it out for yourself at 1password.com/smashing. That's 1password.com/smashing. And thanks to the folks at 1Password for supporting the show.
CAROLE THERIAULT
Do zero-day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker.

Imagine taking a proactive deny-by-default approach to cybersecurity, blocking every action, process, and user unless specifically authorized by your team.

ThreatLocker helps you do this and provides a full audit of every action for risk management and compliance.

Onboarding and operation is fully supported by their US-based support team.

Stop the exploitation of trusted applications within your organization to keep you running efficiently and securely.

Worldwide, companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high.

To learn more about how ThreatLocker can mitigate unknown threats and ensure compliance for your organization, visit smashingsecurity.com/threatlocker.

That's smashingsecurity.com/threatlocker. And thank you to ThreatLocker for sponsoring the show.
GRAHAM CLULEY
And welcome back. Can you join us for our favorite part of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
GRAHAM CLULEY
Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.

It doesn't have to be security related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, my Pick of the Week this week is not security related.
CAROLE THERIAULT
Good.
GRAHAM CLULEY
My pick of the week this week is a documentary, a couple of documentaries actually.

I think I was on Bluesky checking out the feed, loving Bluesky, and someone posted a link to a documentary all about a retail department store in the United States.

Now, most retail stores are pretty bland, aren't they, these days? Corporate and dull, you know, if you've been to one Tesco's or Walmart, you've been to them all.

Turns out, doesn't have to be that way.

There was, between the mid-'70s and the 1990s, a company which had over 200 stores across America, and its feature stores were quite unique in terms of their bizarre architecture.
CAROLE THERIAULT
I want to know what it is, because I might have been there.
GRAHAM CLULEY
Have you ever been to—
CAROLE THERIAULT
McDonald's?
GRAHAM CLULEY
No. Okay.
CAROLE THERIAULT
They have a weird architecture, back then anyway.
GRAHAM CLULEY
Best Products Company. Have you heard of Best Products?
CAROLE THERIAULT
That's the name that they would have outside there.
GRAHAM CLULEY
Would have been terrible for SEO, wouldn't it? I mean, you'd never have been able to find it.
CAROLE THERIAULT
No, I don't know them. I don't know them.
GRAHAM CLULEY
They went bankrupt in the 1990s. And sadly, the buildings were not preserved, which is a shame because the buildings were extraordinary.

And there are a few documentaries up on YouTube about these buildings.

And Carole, what I've done is I'm sharing a few photographs of some of these buildings with you so you can check them out. And— Oh, wow. Yeah. Yeah, yeah.

So, you are looking, for instance, right now at an image of a big concrete store, right? You can imagine that great big cube or rectangle, you know, cuboid kind of thing.

And it's like a piece of Lego. There's a corner of it which has been sort of ripped out. You can see all the jagged pieces, right?

You're actually looking at a photograph there of the opening day when they let off loads of balloons.
CAROLE THERIAULT
Can I just say, really, really wonderful pick of the week. And this is basically Graham trying to get you to follow him on Bluesky, 'cause I'm sure he'll share the images.
GRAHAM CLULEY
But one of the interesting things was the guy who was in charge of the stores said, if I want to protect my store from people breaking in at night, what better way than to have concrete walls all the way around the building rather than doors?

So that bit you can see of the corner used to come out on tracks at the opening of the store and then would close to make a perfect—
CAROLE THERIAULT
Oh, that's quite cool.
GRAHAM CLULEY
Yeah, isn't it? There was another building where everything's all slanty on the outside. There was another one where it looks like the building's fallen apart.

There was another one I saw, which was actually sort of built in a forest. So you have the front of the store, and behind it is the forest.

So you go through the front of the store, and then you're in a forest, and you carry on, and then you walk into the store. And it's all open up to the elements.
CAROLE THERIAULT
It is disgusting that these weren't preserved in any way. There must have been some legal quagmire as to why, but—
GRAHAM CLULEY
I don't know. I don't know. They are works of art.

And they're— in the documentaries, you hear about people who used to go to the fire brigade, because they'd have driven past, they'd be a stranger to the town, and say, oh my God, I think this building is falling down.

It's sort of peeling away from itself. And they'd say, oh no, hang on. No, no, no, you don't have to worry.
CAROLE THERIAULT
Wow.
GRAHAM CLULEY
That's how the building looks. It's been built like that. And I think it's fantastic. I didn't know about this before.
CAROLE THERIAULT
No, me neither.
GRAHAM CLULEY
Loved watching the documentaries.
CAROLE THERIAULT
Super creative.
GRAHAM CLULEY
I'll put the links in the show notes where people can learn more. Carole, what's your pick of the week?
CAROLE THERIAULT
So my pick of the week was inspired by one of our listeners, one of you out there. A shout out to Mark O from BC, a fellow Canuck.

And fellow cribbage lover who wrote in about a recent pick of the week of mine, the card game cribbage, which I still play very regularly.

And he also recently learned about the game during COVID lockdown and is pretty enthusiastic, just like me.

And Mark O recommends a book called Play Winning Cribbage by Delynn Colvert. So link in the show notes. And he's advising me to read this so I can kick my husband's butt at the game.

So love that strategy. Because we're planning a mini tournament over the Crimbo hols.
GRAHAM CLULEY
Don't let your husband know that you've got the book.
CAROLE THERIAULT
He doesn't listen to the show anymore. He's much too busy, so I don't have to worry. But I can let you guys all know, and you guys can do the same.

And as an extra pick of the week, I have found a much better cribbage app than the one I recommended about, I don't know, two months ago, where you can play with hints or with muggins.

Muggins is where you get penalized if you can't count properly, which turns out that happens to me all the time. But the app is called Cribbage Classic by Games by Post LLC.

So link in the show notes for that too.
GRAHAM CLULEY
And that's on smartphones, is it?
CAROLE THERIAULT
Yeah, that's on smartphones. You can get it for Android and Apple for sure. So cool. The Cribbage Classic app and Play Winning Cribbage by Delynn Colvert. Thank you very much, Mark.

Oh, that's my pick of weeks.
GRAHAM CLULEY
Lovely stuff. And that just about wraps up the show for this week. You can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G.

And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
CAROLE THERIAULT
And shout out to our episode sponsors, ThreatLocker, BlackBerry, and 1Password. And of course, to our wonderful Patreon community.

It's their support that helps us give you this show for free.

For episode show notes, sponsorship info, guest list, and the entire back catalog, more than 394 episodes, check out smashingsecurity.com. Smashingsecurity.com.
GRAHAM CLULEY
Until next time. Cheerio. Bye-bye.
CAROLE THERIAULT
Bye-bye. Oh, shit. I got that wrong. 395 episodes.
GRAHAM CLULEY
Is it too many episodes, Graham?
CAROLE THERIAULT
There's too many. There's too many.

Sponsored by:

  • 1Password Extended Access Management – Secure every sign-in for every app on every device.
  • BlackBerry – Tune in and empower your team with the knowledge to stay connected, no matter what crisis. Learn more about BlackBerry’s critical event management solutions.
  • ThreatLocker – the Zero Trust endpoint protection platform that provides enterprise-level cybersecurity to organizations globally. Start your 30-day free trial today!

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
