Many thanks to… well, Smashing Security, for sponsoring my writing for the last month.
It was August, which meant it’s slow news season and vacation season. I didn’t write as much as normal so I could hang out with the family a bit more.
As such I thought it was unfair to ask any of the lovely firms that sponsor my website to support me during August, so I switched over sponsorship until the end of the month to promote the weekly podcast I produce.
If you haven’t listened before, “Smashing Security” is a weekly podcast where I, Carole Theriault, and a special guest discuss some of the quirky stories from the last week’s cybersecurity news headlines, and anything else that takes our fancy.
It’s a great way to spend 45 minutes as you’re commuting to and from work, lazing on the beach, walking the dog, or having a bath. Plus – we promise not to make it boring! Yes, it really is the security podcast for people who don’t like security podcasts.
But don’t just take my word for it…
My favourite security podcast ★ ★ ★ ★ ★
“You guys are the best!” – Grumpy old goth girl, Canada.Hilarious and informative ★ ★ ★ ★ ★
“Funny, engaging and informative. Love the banter , love the info , suggestions and especially the “pi pi pick of the week” !” – Huddo58, Australia.Avid listener ★ ★ ★ ★ ★
“A while ago when I started listening I assumed the podcast was another IT security-related podcast. Far from it. Witty, light hearted fun with charismatic guests every week.” – tkpodrev, USA.Making cyber security, well, sexy!! ★ ★ ★ ★ ★
“This podcast is just hilarious. Not only because the hosts are funny but the topics they talk about are unbelievably crazy to think they actually happen! Trust me, I’ve seen it! I’m putting a link to this on our intranet and so should all IT bods.” – wi7bit, Great Britain.
You can find “Smashing Security” in your favourite podcast app, or on our website at https://www.smashingsecurity.com. Some listeners have even been kind enough to support the show via Patreon, which gets them special goodies.
Here is our latest episode, where we were joined by Mark Stockley, if you want to get a flavour for things:
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
The Apollo astronauts, right, they left an awful lot of mess lying around up there, didn't they? Left it laying— They may have broken the bylaws.
Crimes as serious as littering may have occurred.
Or speeding. What about the moon rover?
There's no speed limit up there, dude.
Smashing Security, episode 143: Hacking from Outer Space. Ransomware, Ukrainian Cryptomining, and Deepfaked Canadians with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 143. My name is Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 143. My name is Graham Cluley.
And I'm Carole Theriault.
Hello, Carole.
Hello, Mr. Cluley.
And we are joined by a special guest, a returning guest. We have here with us today Mr. Mark Stockley from Naked Security. Hello, Mark.
Hi.
A very special guest, actually.
Oh, thank you.
You know, in a way, you're special.
You're special because when I used to be editor at Naked Security, I got you in on the team from my hospital bed half an hour after coming out of an operation.
Off my tits on drugs and—
You're special because when I used to be editor at Naked Security, I got you in on the team from my hospital bed half an hour after coming out of an operation.
Off my tits on drugs and—
Yeah, good days, good days. Happy times.
So basically you're saying to Mark, everything good that's ever happened to you, it's all down to you.
Oh, no, no, no, no. Is that what you're claiming?
That's the gist. I'm not disagreeing.
So, Carole, what stories have we got this week?
First, hands up, unless you're driving, for this week's sponsors, LastPass and MetaCompliance. Their support helps us give you this show for free.
Now, on today's show, Graham goes to space to check out a cyberattack. Don't hurry back, Graham. Mark dons his mining hat and tells us of a recent cryptojack.
And this week, we will see how a controversial internet shrink deals with deepfakes. All this and loads more coming up on this episode of Smashing Security.
Now, on today's show, Graham goes to space to check out a cyberattack. Don't hurry back, Graham. Mark dons his mining hat and tells us of a recent cryptojack.
And this week, we will see how a controversial internet shrink deals with deepfakes. All this and loads more coming up on this episode of Smashing Security.
Now, chaps, the internet has brought some incredible advantages to criminals. One of those is that you can now commit a crime from the other side of the planet.
In the old days, if you wanted to rob a building society—
In the old days, if you wanted to rob a building society—
Bank for a normal person, right?
Or something— what?
Anyway, but after you've robbed something, you'd jump in your Ford Cortina, you'd leg it off as fast as you can, zooming around the roundabouts hoping the police weren't on your tail.
Maybe you would even skip the country, flee to sunnier climes to enjoy your ill-gotten wealth.
Anyway, but after you've robbed something, you'd jump in your Ford Cortina, you'd leg it off as fast as you can, zooming around the roundabouts hoping the police weren't on your tail.
Maybe you would even skip the country, flee to sunnier climes to enjoy your ill-gotten wealth.
Spain. Isn't that where everyone went?
Australia. Brazil, of course. The Great Train Robber, Ronnie Biggs, ended up there.
But with the internet, you could, in theory, do that getaway before the crime is actually committed.
But with the internet, you could, in theory, do that getaway before the crime is actually committed.
Why do you think in theory? I think it's been proven many times over that you can steal.
Yeah. You could literally be on Copacabana Beach.
Yeah, literally.
Accessing a Wi-Fi hotspot while you break into someone's bank account, right? Which means that you're far, far away, out of reach of the long arm of the law.
And the fact that the criminals who committed a crime can be thousands of miles away in a different country, that's gonna be a big headache to PC Plod, isn't it?
Because they have, well, think of all the coordination they have to do between international police forces, different time zones, paperwork, language differences, it's become more complicated and more expensive, of course.
And the fact that the criminals who committed a crime can be thousands of miles away in a different country, that's gonna be a big headache to PC Plod, isn't it?
Because they have, well, think of all the coordination they have to do between international police forces, different time zones, paperwork, language differences, it's become more complicated and more expensive, of course.
Well, I think actually that is part of the wonderfulness of being in a different country because of all the coordination.
But you could rob people in other countries.
Well, no, but if you're a little, you know, even small-time robber, thief, whatever, if you are in a different jurisdiction, potentially with a different language, different country codes.
All that, it's much easier, right? How many prosecutors are going to go, yeah, let's take on this international crime?
All that, it's much easier, right? How many prosecutors are going to go, yeah, let's take on this international crime?
Sorry, I've lost you. Are you saying that this is a good thing, that this problem exists?
No, I'm saying that's why it's much more likely that someone's going to get away with crime if they're in a different jurisdiction or a different country than where the crime is committed.
And they have a much larger pool of victims to inflict themselves upon, don't they, compared to just being in their local area?
Enormous.
But what if you could get even further away than Brazil or the Arctic Circle when you initiated your hack? What if you could be in outer space?
It's lawless out there. Who's going to go after you up there?
The thing about space though, I don't know if you've noticed that space itself is quite big, but the amount of space with Wi-Fi coverage is still quite small. And so I feel like—
My back garden has trouble.
There aren't that many places you could hide in space.
Are there?
Are there?
Maybe not, but who's going to go up and catch them?
You don't need to go up and catch them.
Yeah, you just leave them there.
Exactly. Okay, let me tell you why I'm talking about space. Because our story is going to begin in a fairly down-to-earth kind of way. A romance between someone called Summer Worden.
Summer Worden.
She was a former Air Force intelligence officer.
And she met Lieutenant Colonel Anne McClain, who'd flown combat missions in Iraq and has an accomplished military career and is an astronaut.
Anyway, you can imagine it's all roses, it's petals, it's wonderful, gorgeous, gorgeous romance blossoms, and Summer and Anne got married in 2014. Ah, yippee!
But sadly, disagreements and rot began to permeate the relationship, and one of the problems was that Anne McClain, the astronaut, wanted really to adopt Summer's young son.
They were having disagreements about this.
And she met Lieutenant Colonel Anne McClain, who'd flown combat missions in Iraq and has an accomplished military career and is an astronaut.
Anyway, you can imagine it's all roses, it's petals, it's wonderful, gorgeous, gorgeous romance blossoms, and Summer and Anne got married in 2014. Ah, yippee!
But sadly, disagreements and rot began to permeate the relationship, and one of the problems was that Anne McClain, the astronaut, wanted really to adopt Summer's young son.
They were having disagreements about this.
They're married. That makes sense, right? I can see that.
Well, exactly. And she's had a relationship with the young boy since he's about 8 months old. And, you know, has been with him for years and years.
So she wanted to legally adopt Summer's son. And the couple sadly weren't able to resolve their problems. And in 2018, they got divorced.
And they've been disputing ever since how they carve up their little family.
So she wanted to legally adopt Summer's son. And the couple sadly weren't able to resolve their problems. And in 2018, they got divorced.
And they've been disputing ever since how they carve up their little family.
Oh, awful.
It is horrible. And two weeks ago, Anne McClain, the astronaut, was awarded rights to visit the 6-year-old boy as he is now.
Okay.
And that's what spurred her ex-partner Summer Worden into making this out-of-this-world allegation.
As the New York Times reports, Summer Worden was suspicious as to how her ex, the astronaut, seemed to know so much about her spending. Had she bought a car?
How could she afford this? How could she afford that?
As the New York Times reports, Summer Worden was suspicious as to how her ex, the astronaut, seemed to know so much about her spending. Had she bought a car?
How could she afford this? How could she afford that?
It seems like she had one of those little apps that makes a clinking sound when somebody spends some money.
Well, hey, because digital banks these days, sometimes they do that, don't they?
So she went to her bank and she asked them to cough up the IP addresses of the computers that had accessed her bank account. And one of them—
So she went to her bank and she asked them to cough up the IP addresses of the computers that had accessed her bank account. And one of them—
You can do that?
Well, I think with some online banks you certainly can, just like you can with your email. You can find out where people are connecting to your account from, or the location of it.
And one of these IP addresses pointed to a computer network registered at none other than NASA.
So the outcome of all this: Summer Worden believes that her ex-partner, the astronaut Anne McClain, has accessed her bank account while she was on the International Space Station.
And one of these IP addresses pointed to a computer network registered at none other than NASA.
So the outcome of all this: Summer Worden believes that her ex-partner, the astronaut Anne McClain, has accessed her bank account while she was on the International Space Station.
So the NASA IP address—
Yeah.
Is the IP address of the ISS?
No, no. I've got some very interesting and exciting information about how the connectivity works between the space station and planet Earth.
Is it an Ethernet cable?
No, no, and it's not a piece of string and a couple of yogurt pots either. It's actually kind of interesting.
Just recently, NASA doubled the data transmission rate between the International Space Station and Earth. So the rate at which data can transfer.
They updated some modem software and some routers on the space station, and it now supports— now get this— it now supports a 600 megabit per second connection.
Just recently, NASA doubled the data transmission rate between the International Space Station and Earth. So the rate at which data can transfer.
They updated some modem software and some routers on the space station, and it now supports— now get this— it now supports a 600 megabit per second connection.
Oh gosh.
The space station communicates through radio signals. There's a network of satellites in high orbit above the Earth, so there's always one which is over the right kind of place.
They always have connection with them, and those are relaying the data back to the ground.
And then there are landlines which send the data to various NASA data centers spotted around the world, and the radio signals are converted back into this sort of readable data.
The whole process apparently takes less than 1 second. So it's not trying to load a copy of Manic Miner from a cassette tape or something. You know, it happens.
They always have connection with them, and those are relaying the data back to the ground.
And then there are landlines which send the data to various NASA data centers spotted around the world, and the radio signals are converted back into this sort of readable data.
The whole process apparently takes less than 1 second. So it's not trying to load a copy of Manic Miner from a cassette tape or something. You know, it happens.
I didn't think that's where you were going to go.
Right.
You said they doubled the connectivity. I was thinking two 56K modems in parallel. The future's arrived.
So it's pretty impressive.
NASA are quite good, aren't they? They get some stuff done.
Anyway, this explains why when she got the IP address, it was related to a network registered at NASA.
So the outcome of all this: Summer Worden believes that her ex-partner, the astronaut Anne McClain, has accessed her bank account while she was on the International Space Station.
So from outer space, she has connected and basically hacked into the account.
So the outcome of all this: Summer Worden believes that her ex-partner, the astronaut Anne McClain, has accessed her bank account while she was on the International Space Station.
So from outer space, she has connected and basically hacked into the account.
Or had the password. So, okay, no, but this is a legitimate question. I'm sorry. I'm just— let me— so Graham, let's say you say to me, my password is sausage dog. Right?
To your email.
To your email.
Don't say that out loud on the podcast.
I then go to your email address and put in SAUSAGEDOG.
Yes.
Right? With caps.
Yes.
Right? Get in. Does— is that— am I wrong?
I think the O in dog is a zero, just in case anyone's listening. Are you wrong? No, you're not wrong.
But that, of course, if I haven't authorized that access, then that does still constitute hacking.
But that, of course, if I haven't authorized that access, then that does still constitute hacking.
You gave me the password. Well—
But it's computer misuse.
Yes, it's computer misuse, but you didn't have my authorization. And that's what the big argument is about here, right?
They at some point did both have access to this account, and that was fine and dandy, and passwords were shared.
And at some point later on, Summer Warden says that she no longer was giving authorization to her ex-partner to connect to the bank account.
Now, the astronaut's lawyer, who goes by the wonderful name of Rusty Hardin— just one letter different and that would have been even better, wouldn't it?
Could have been a porn name.
They at some point did both have access to this account, and that was fine and dandy, and passwords were shared.
And at some point later on, Summer Warden says that she no longer was giving authorization to her ex-partner to connect to the bank account.
Now, the astronaut's lawyer, who goes by the wonderful name of Rusty Hardin— just one letter different and that would have been even better, wouldn't it?
Could have been a porn name.
What, Roasty?
Something like that. Never mind, never mind.
He said that she accessed the bank account to provide financial support for the young boy without knowing that her ex-partner had requested that she no longer do so.
So there's this big furore going on. But one of the claims which is being made in the press is, is this the first ever space crime? And some people are touting it as that.
I'm not sure whether it's true or not that an actual crime was committed here. I'm not sure whether it is necessarily the first.
I think there have probably been other dodgy things which have gone on in space in the past.
He said that she accessed the bank account to provide financial support for the young boy without knowing that her ex-partner had requested that she no longer do so.
So there's this big furore going on. But one of the claims which is being made in the press is, is this the first ever space crime? And some people are touting it as that.
I'm not sure whether it's true or not that an actual crime was committed here. I'm not sure whether it is necessarily the first.
I think there have probably been other dodgy things which have gone on in space in the past.
Do you have specifics?
Well—
That would demand research.
Are you bound by confidentiality? Because of your previous secret work that you can't talk about for NASA? There are just things I can't say, but just, you know, take it from me.
Certainly the Apollo astronauts, right? They left an awful lot of mess lying around up there, didn't they? Left it late. They may have broken bylaws.
Crimes as serious as littering may have occurred.
Or speeding. What about the moon rover? They were going up there.
There's no speed limit up there, dude.
They were going at least 17 miles per hour, I think, up there, which is pretty racy if you ask me. And I'm pretty sure they weren't wearing seatbelts either.
So there certainly have been crimes committed in the past.
So there certainly have been crimes committed in the past.
You know, I think this is a bit weak.
I think that if an ex-partner, if you are getting divorced and you do not want your ex-partner to access the ex-family bank account, you change the fricking password.
Everyone knows that. Maybe 10% of people, but not someone as intelligent as this woman who is Air Force intelligence officer. She doesn't know to change her passwords.
I think that if an ex-partner, if you are getting divorced and you do not want your ex-partner to access the ex-family bank account, you change the fricking password.
Everyone knows that. Maybe 10% of people, but not someone as intelligent as this woman who is Air Force intelligence officer. She doesn't know to change her passwords.
So if I plug my computer into the internet, but I forget to password protect it, and then you find it and you go and look at all my data and then steal it, is that my fault?
I don't think that's comparable. I think it's more like you and me are married, Mark. Okay? What? We share a bank account.
Is this how we got on the show?
We divorce, right? You don't change the bank account address. I don't steal from you.
I just go in to make sure that you have the money you said you'd use to pay for our beautiful little house.
I just go in to make sure that you have the money you said you'd use to pay for our beautiful little house.
Victim blaming, Crow. Victim blaming. That's what you're doing.
It's like—
You would change the password is my point.
If we're married and we both use my car and then we get divorced and you still have a key to my car even though it's parked at my house.
Yeah, and I don't change the locks on my car. It's fine for you to come and borrow it.
Yeah, and I don't change the locks on my car. It's fine for you to come and borrow it.
Well, let's see what happens.
Is that what— no, that wasn't an offer. That was a thought experiment.
Getting married to try this out to see what the reaction is, I think, would probably be going to science. It's science.
I guess the investigation which is going to happen right now into exactly what happened will be trying to sort this out.
Certainly the astronaut is claiming she didn't know she no longer had access to it. She is arguing that she had legitimate reason to access it and hadn't been informed.
Of course, the password should probably have been changed. With our security wonk hats on, that is the piece of advice we would give.
But I don't think it's necessarily right to blame someone.
I guess the investigation which is going to happen right now into exactly what happened will be trying to sort this out.
Certainly the astronaut is claiming she didn't know she no longer had access to it. She is arguing that she had legitimate reason to access it and hadn't been informed.
Of course, the password should probably have been changed. With our security wonk hats on, that is the piece of advice we would give.
But I don't think it's necessarily right to blame someone.
I'm not blaming anybody. I'm saying change your freaking passwords.
It sounds like you're blaming them to me, Carole.
I'm not thinking this is, you know, I think that the press went a bit crazy here saying this is the first cyber attack from space, because it isn't.
It's not a cyber attack, in my view.
It's not a cyber attack, in my view.
I think it's a slightly different story here.
Okay.
So what this says to me is, you know that you've made progress when you're exploring new worlds and people start doing really mundane stuff.
Like, all the phishing.
I mean, I feel sorry for everybody involved in this because divorces are just messy and everybody involved gets hurt.
Everyone's a victim one way or another, but it's not Ebola behind— but behind all of this, it's not Ebola. I see where you are today, Carole.
Everyone's a victim one way or another, but it's not Ebola behind— but behind all of this, it's not Ebola. I see where you are today, Carole.
Just saying.
Yeah, no, you're right. Anything less bad than Ebola.
Yeah, no, Carole, get some mugs made up for the store.
We should.
It's a new catchphrase.
So what— I'm slightly, I'm slightly scared now. So what I'm trying to say is, so there's a divorce happening, but they're just bad news, right?
But somebody's doing online banking in space. How boring is that?
But somebody's doing online banking in space. How boring is that?
Well, it's pretty boring being in space, I imagine. But that's amazing.
It's amazing that we can do boring things in space.
That's how cool NASA is. People poo in space too, Mark, you know. That's pretty mundane. Yes?
Yes. I don't think it's in space, Carole. I think it's into little bags. Right, let's try and just raise the tone a little bit now. Mark, what's your story for us this week?
Oh, well, my story begins with a question. Shout out if you know the answer. What do nuclear power stations and Windows XP have in common?
They're being phased out.
Oh, good try.
Neither are still receiving updates from, I don't know what.
Oh, that's not a bad shout.
Is that close?
Close-ish. So the answer to my question will become clear in a second.
Okay, well, we're waiting with— We're on tenterhooks.
We're on tenterhooks, but only for 3 minutes, Mark. Come on. It's not Ebola.
So according to ZDNet, Ukrainian authorities are currently investigating a potential security breach at one of the country's nuclear power plants.
It seems that the employees connected parts of the power plant's internal network to the internet. And in case it's not obvious, that's a big deal.
So according to ZDNet, Ukrainian authorities are currently investigating a potential security breach at one of the country's nuclear power plants.
It seems that the employees connected parts of the power plant's internal network to the internet. And in case it's not obvious, that's a big deal.
Yeah.
Well, parts would be all right, if they had a library or something, or if they had a kitchen where they were downloading recipes for making—
Yes.
I mean, parts, parts, it would be all right to be connected to the internet. It would only matter surely if it was some sort of important part.
I think that's the thin end of a wedge. Okay, so the computer systems used to run things like power plants and other utilities come under the broad definition of ICS or SCADA.
That's industrial control systems and supervisory control and data acquisition systems.
That's industrial control systems and supervisory control and data acquisition systems.
See, sometimes acronyms are very useful.
Yeah, do you feel better informed now than you were 30 seconds ago?
If you weren't already married to Carole, I think I'd be quite tempted to propose to you after those acronyms. Well, we have to have a look at your car first and see.
So anyway, if those acronyms sound familiar to you and you don't work in the field, then it's probably because they feature fairly regularly in the computer security press and not in a good way.
So the thrust of those stories is normally that SCADA security is basically a dumpster fire and that some, perhaps many, of the systems that power critical utilities and all the other giant industrial things that you really, really, really don't want to break have all been programmed without any regard for security at all.
Now I'm using broad brushstrokes here, but that's the general thrust. So you might ask, if SCADA security is so bad, what is keeping us from Armageddon?
So the thrust of those stories is normally that SCADA security is basically a dumpster fire and that some, perhaps many, of the systems that power critical utilities and all the other giant industrial things that you really, really, really don't want to break have all been programmed without any regard for security at all.
Now I'm using broad brushstrokes here, but that's the general thrust. So you might ask, if SCADA security is so bad, what is keeping us from Armageddon?
Yeah, good. Yes, I am wondering that.
Yeah.
And what it is, is the great unwashed hordes of hackers and probes and script kiddies and everything else that's out there on the internet can't get to you because your Windows XP machine, they aren't supposed to be connected to the internet.
And what it is, is the great unwashed hordes of hackers and probes and script kiddies and everything else that's out there on the internet can't get to you because your Windows XP machine, they aren't supposed to be connected to the internet.
They're air-gapped. They're air-gapped.
Oh, that's the connection. Neither of them are connected to the internet.
Well, neither of them are supposed to be connected to the internet.
Don't put your Windows XP machine on the internet because it hasn't received any updates for 6 years and there's lots of stuff for the hackers to get into.
Similarly, if you own a nuclear power plant, please don't connect it to the internet because it also hasn't received any updates.
Don't put your Windows XP machine on the internet because it hasn't received any updates for 6 years and there's lots of stuff for the hackers to get into.
Similarly, if you own a nuclear power plant, please don't connect it to the internet because it also hasn't received any updates.
For obvious reasons.
Yes, thank you very much.
So why have these Ukrainian chaps connected their nuclear power plant to the internet?
Well, there was only one reason.
Gaming.
There are only two possible reasons.
Porn.
Porn and gaming.
There are three possible reasons.
What have the Romans ever done for us, by the way?
There is only one reason why a bunch of people who work in a nuclear power plant would willfully connect their engine of death to the internet. Okay? And that is cryptocurrency.
So the theory goes that they were mining cryptocurrency in order to take advantage of the recent spike in bitcoin prices. Well, that's what the article says.
I've got a slightly different theory.
So given bitcoin's ludicrously inefficient power consumption, I reckon they were probably just trying to buy a packet of bubble gum or something.
So the theory goes that they were mining cryptocurrency in order to take advantage of the recent spike in bitcoin prices. Well, that's what the article says.
I've got a slightly different theory.
So given bitcoin's ludicrously inefficient power consumption, I reckon they were probably just trying to buy a packet of bubble gum or something.
So they're using all the computer power of—
and a nuclear power station—
this Ukrainian nuclear power station to buy a packet of Hubba Bubba.
I think that's about the going rate.
Company training needs to come into this, don't you think?
Someone needs to train them not to plug— you think the woman who was married to someone and has her account hacked and it's her fault, but people who connect a bitcoin mining rig to a nuclear power station need training?
No, I just think in a nuclear power rig you need some checks and balances. Right?
Why isn't there someone kind of going, oh, I'm responsible for these two dudes that are supposed to man this 40 hours a week every day of their lives.
How are they not supposed to get... It's definitely not their fault.
Why isn't there someone kind of going, oh, I'm responsible for these two dudes that are supposed to man this 40 hours a week every day of their lives.
How are they not supposed to get... It's definitely not their fault.
Yeah, they could play Pong. You don't need to be connected to the internet.
You know what I was thinking? I was thinking Tetris, actually. Oh yes, solitaire. Both very fun.
Bitcoin is not the future. I'm here to tell you. I've come from the future and I'm here to tell you. I've seen it. Bitcoin is not the future, just in case you were wondering.
If you are from the future, can you also tell us if John McAfee is now president?
I don't think you need to be from the future for that, do you? I think it's absolutely nailed on. McAfee 2024, it's going to happen.
Carole, what's your story for us this week?
Well, I would like you guys first, as Brits, to describe what you feel is a typical Canadian university professor.
I'm a Brit, so I don't have feel.
Graham, I know these academic institutions were a little bit mainstream for you.
Oh, for goodness' sake.
But you're switched on, right? So—
There's certainly going to be elbow patches. Yeah, right? I think there's going to be a lumberjack shirt and a sort of hat made out of some sort of muskrat or something.
Beaver?
There's going to be a beard. There's going to be a beard. And there's gonna be half-moon glasses. And there's gonna be a voice a bit like this, talking a bit slowly in a kind of—
You're saying it's Columbo.
Just one more sec, Mark.
You're the furthest from the truth.
Am I?
My guy in my story used to be a Canadian university professor. And in fact, you know, to be fair, he did look a lot like you said. He wore the cardigans.
I'm sure he had elbow patches, right? He was a clinical psychologist.
I'm sure he had elbow patches, right? He was a clinical psychologist.
We need to know about the hat.
Right? But this guy—
What kind of animal was the hat made of?
You have to pay attention, Mark, because I think you can identify this person. I'm not sure Graham can, but I think you can.
So this guy poo-pooed academia to become a rather controversial internet sensation. He may not have the following of the PewDiePies of the world.
So this guy poo-pooed academia to become a rather controversial internet sensation. He may not have the following of the PewDiePies of the world.
Is it Jordan Peterson?
Yes, it is.
How do I do?
Very good.
Who's Jordan Peterson?
He doesn't have an animal hat at all.
Are you serious, Graham?
Jordan Peterson sounds like the kind of name of someone who'd be on Celebrity Love Island.
We have completely different echo chambers. It's amazing.
Well, I don't have Love Island in my echo chamber, but it just sounds like the sort of person, it's just that kind of name. First name Jordan.
I mean, that's instantly a sort of negative mark.
I mean, that's instantly a sort of negative mark.
Totally Canadian though.
It's a bit like being called Randy, right? It's just what? Seriously? Or having an I in your name rather than a Y at some point, you know, people who spell Brandi with an I.
So just to give you a bit of context, Graham.
Yes, because I don't know who this is.
An irrelevant academic, right? Because he broke through the nebulous influence barrier that is YouTube. Channel, 2.2 million subscribers. Not bad, right? And 2018, he had a Patreon.
Okay, we've just got a new Patreon, don't we?
Okay, we've just got a new Patreon, don't we?
We do.
But he was earning a cool million a year in 2018, last year, comparable to us.
And he put out a book in 2018 called The 12 Rules for Life and claims he sold 3 million copies, or rather Wikipedia claims it sold 3 million copies in the first year.
So that is Jordan Peterson, someone you should know about, you know.
And he put out a book in 2018 called The 12 Rules for Life and claims he sold 3 million copies, or rather Wikipedia claims it sold 3 million copies in the first year.
So that is Jordan Peterson, someone you should know about, you know.
So he's someone, he has opinions about things, he uses social media to spread the word. He's probably got a podcast.
So full disclosure, he sold one of those 3 million copies to me. I'm not saying I've read it, but I've bought it.
Tell us who he is! I still don't understand who he is or why we should care about him. So he's got a popular YouTube channel.
I don't know at the moment whether he's demoing video games or what. What's going on? What does he do?
I don't know at the moment whether he's demoing video games or what. What's going on? What does he do?
Anyway, after his book came out, he must have got a stylist or something because he totally changed his look, right?
So he was this kind of caricature of a Canadian, you know, university prof.
And suddenly, as soon as his book is out there, he's channeling Jeremy Irons beneath an incredibly clipped beard.
It's hard to say, but it was one of those immaculate beards, a bit like someone has their front gardens just—
So he was this kind of caricature of a Canadian, you know, university prof.
And suddenly, as soon as his book is out there, he's channeling Jeremy Irons beneath an incredibly clipped beard.
It's hard to say, but it was one of those immaculate beards, a bit like someone has their front gardens just—
I've just Googled image Tim.
Uh-huh. And doesn't he wear a mentalist three-piece mid-blue suit most of the time? He always looks like this.
He has got a jumper on under his suit as well, so that is slightly academic.
Academic.
Yes.
So I first heard about him in 2016 because in 2016, there was an anti-discrimination bill in Canada about gender identity becoming part of the human rights, Canadian Human Rights Code, right?
So the idea would be that it wouldn't matter if you were he, she, or anything in between, you weren't allowed to not get a job or be discriminated against based on your gender.
And he made a big stink about the fact that he would refuse to say any other pronoun other than he or she, which caused a huge stink.
He also says things that white privilege is a myth. He tends to fight for the marginalized man, right?
And he does have a lot of concern over leftist politics, so a lot of maybe more right-leaning people tend to identify with him.
So the idea would be that it wouldn't matter if you were he, she, or anything in between, you weren't allowed to not get a job or be discriminated against based on your gender.
And he made a big stink about the fact that he would refuse to say any other pronoun other than he or she, which caused a huge stink.
He also says things that white privilege is a myth. He tends to fight for the marginalized man, right?
And he does have a lot of concern over leftist politics, so a lot of maybe more right-leaning people tend to identify with him.
Yeah, I disagree with you slightly there.
Okay.
I think that the marginalized man finds him very interesting.
I bet he does.
Yes, I do. I don't think he's specifically talking to the marginalized man. I think he attracts enormous audiences of marginalized men.
And I don't know what kind of man I am, but I've just found an image of him with Kermit the Frog.
He is fearless in terms of what he'll wade himself into. So religion, politics, policies, philosophy, ideology, psychology, you name it, nothing is too big for this guy.
He will have an opinion on it. So New Yorker said way back in 2018, he was, and I say still remains, both revered by some and reviled by others.
And the New York Times once referred to him as the custodian of patriarchy. So put that to you, Mr. Mark Stockley. Now, pray tell, why am I talking about the Jords?
So according to Motherboard, Jordan Peterson now has a voice simulator that was slapped up on the web by an unauthorized third party, although I don't think you need to be authorized in these situations yet.
The makers apparently created a neural network which they had trained on hours and hours of Peterson's real voice because he is very prolific in the YouTubes and in the podcast world.
He will have an opinion on it. So New Yorker said way back in 2018, he was, and I say still remains, both revered by some and reviled by others.
And the New York Times once referred to him as the custodian of patriarchy. So put that to you, Mr. Mark Stockley. Now, pray tell, why am I talking about the Jords?
So according to Motherboard, Jordan Peterson now has a voice simulator that was slapped up on the web by an unauthorized third party, although I don't think you need to be authorized in these situations yet.
The makers apparently created a neural network which they had trained on hours and hours of Peterson's real voice because he is very prolific in the YouTubes and in the podcast world.
He's got a very distinct voice as well, and he's very—
Does he—
Very obvious vocal mannerisms and things that.
It's very condescending. He's a mansplainer.
Now, on the website, you— if you went to this website, right, there'd be a 21-second recording that we should greet you as a visitor, and it would be in Peterson's voice.
And in Peterson's voice it would say, "This is not Jordan Peterson. In fact, I'm a neural network designed to sound like Dr.
Peterson." Then the visitor is invited to type in some text in a box, and you then press go and it will read out the text in the box in Peterson's voice.
Now, of course, you know that people only did this for good, right? They stuck closely to Jordan's beliefs. And here is a Twitter user Beanie or Benny.
Here is a link you guys can check. I don't think I'm going to include this in the pod, but I think you guys might want to hear it to get a—
Now, on the website, you— if you went to this website, right, there'd be a 21-second recording that we should greet you as a visitor, and it would be in Peterson's voice.
And in Peterson's voice it would say, "This is not Jordan Peterson. In fact, I'm a neural network designed to sound like Dr.
Peterson." Then the visitor is invited to type in some text in a box, and you then press go and it will read out the text in the box in Peterson's voice.
Now, of course, you know that people only did this for good, right? They stuck closely to Jordan's beliefs. And here is a Twitter user Beanie or Benny.
Here is a link you guys can check. I don't think I'm going to include this in the pod, but I think you guys might want to hear it to get a—
Okay, so we've got a picture of Jordan Peterson, appears to be a furry. He's wearing some—
So this is a rather rude furry, dirty, something, something, right? So basically some kid—
Who could possibly have imagined that that was going to happen?
Now you guys probably want to see this Jordan simulator, right? Just try it out for yourself. Yeah, you can't because it's taken offline.
What?
After only one week, because Jordan Peterson made a huge stink about it on his blog.
So he posted this long piece entitled "I Didn't Say That." Okay, this is on his website, and he says, quote, "It's hard to imagine a technology with more power to disrupt," unquote.
And I was thinking weapons, right? There's quite a few.
So he posted this long piece entitled "I Didn't Say That." Okay, this is on his website, and he says, quote, "It's hard to imagine a technology with more power to disrupt," unquote.
And I was thinking weapons, right? There's quite a few.
It's not Ebola, is it?
Right.
So he also writes, wake up, the sanctity of your voice and your image is at serious risk.
It's hard to imagine a more serious challenge to the sense of shared reliable reality that keeps us linked together in relative peace.
The deepfake artists need to be stopped using whatever legal means are necessary as soon as possible. Pretty strong words. So I wanted to hand over to you guys.
Do you guys think deepfakes should be treated as an absolute priority in the cyber world? Do you think it's tearing apart our social fabric in some way?
It's hard to imagine a more serious challenge to the sense of shared reliable reality that keeps us linked together in relative peace.
The deepfake artists need to be stopped using whatever legal means are necessary as soon as possible. Pretty strong words. So I wanted to hand over to you guys.
Do you guys think deepfakes should be treated as an absolute priority in the cyber world? Do you think it's tearing apart our social fabric in some way?
I think it's very easy to see how it could be enormously disruptive. I don't think it's tearing apart our social fabric now.
But I think if you just forget deepfakes for a second and just say, imagine if it's possible to perfectly replicate a politician or an important person saying the absolute opposite of what they believe, or inciting people to violence, or declaring war, or saying something outrageous, that the machinery is already in place, the outrage machinery is already there to take that information and just go crazy with it.
I mean, it happens every day. It happens all the time already that people take things that people say out of context, that everything is 280 characters or less.
And there's a— it's just a giant outrage machine primed and ready to go. So dropping deepfakes into that, yes, I think I agree that that's a potentially hugely disruptive thing.
Whether or not we can actually do anything about it, I think, is another story.
But I think if you just forget deepfakes for a second and just say, imagine if it's possible to perfectly replicate a politician or an important person saying the absolute opposite of what they believe, or inciting people to violence, or declaring war, or saying something outrageous, that the machinery is already in place, the outrage machinery is already there to take that information and just go crazy with it.
I mean, it happens every day. It happens all the time already that people take things that people say out of context, that everything is 280 characters or less.
And there's a— it's just a giant outrage machine primed and ready to go. So dropping deepfakes into that, yes, I think I agree that that's a potentially hugely disruptive thing.
Whether or not we can actually do anything about it, I think, is another story.
Okay. But on an individual level, say, right? Are deepfakes worse than a phishing scam that wipes out your livelihood or a ransomware attack that cripples emergency services?
Well, it rather depends on where your status is already, I imagine.
If you have your reputation destroyed by some deepfake material, people no longer trust you or they believe that you did something bad, which you never did, then that's just as bad as having your bank account emptied, isn't it?
If you have your reputation destroyed by some deepfake material, people no longer trust you or they believe that you did something bad, which you never did, then that's just as bad as having your bank account emptied, isn't it?
Exactly. So I don't think it's a priority over other cyber attacks, right? I think it's as bad as all the others.
The fact that Jordan Peterson makes his living, like I do, on putting his voice out there— he's better at it, it's a lot more money than I do, and, right?
And he wants to protect that world. Doesn't mean it's the worst problem we're facing.
The fact that Jordan Peterson makes his living, like I do, on putting his voice out there— he's better at it, it's a lot more money than I do, and, right?
And he wants to protect that world. Doesn't mean it's the worst problem we're facing.
But do you only get to solve the absolute worst problems?
No, no, I'm just thinking it's not Ebola. That's all I'm saying. Okay, another thing that's interesting, who should be punished? You touched on that earlier, Mark.
That's an interesting one, right? So who do you punish in this situation? Do you punish the people that create the voice simulating software?
Do you punish the site that's making it available to the public? Do you punish the user that decides to visit the site, play with it, and post a creation in the social sphere?
Or is it us for just talking about it?
That's an interesting one, right? So who do you punish in this situation? Do you punish the people that create the voice simulating software?
Do you punish the site that's making it available to the public? Do you punish the user that decides to visit the site, play with it, and post a creation in the social sphere?
Or is it us for just talking about it?
And should we punish us? Absolutely not.
No, definitely not us.
And that's me saying that. That's not a deepfake.
I have one more point to make, and I'm only bringing this up because, Mark, you're on the show. If it was just Graham, I wouldn't bring this up because he would breathe. Okay, so—
But I know it's actually—
No, no, I just think you'd roll your eyes. You'd roll your eyes. I think it's interesting how both mass surveillance and deepfakes seem to be kind of developing at a similar rate.
So one technology is promising to identify us, identify what we're doing, where we're doing it, what time, and then tie that to online posts to find out why we're doing such a thing.
And then on the other side, you've got these deepfakes and cheapfakes that threaten to disrupt the whole digital ecosystem of identity, surveillance and it chips away at the trust that we might otherwise have had in surveillance because you're thinking, what could be a deepfake?
Is that really Trump saying that? Oh no, it is. It is.
So one technology is promising to identify us, identify what we're doing, where we're doing it, what time, and then tie that to online posts to find out why we're doing such a thing.
And then on the other side, you've got these deepfakes and cheapfakes that threaten to disrupt the whole digital ecosystem of identity, surveillance and it chips away at the trust that we might otherwise have had in surveillance because you're thinking, what could be a deepfake?
Is that really Trump saying that? Oh no, it is. It is.
Yeah. Yeah. Yeah.
Hey Graham.
Yes.
There are people out there with companies a little bit bigger than ours, and one of the issues that they face is visibility and oversight.
And when it comes to cybersecurity, that is super important. So listeners, listen up.
If you do not have a password manager in your organization, please check out LastPass Enterprise.
They offer centralized admin oversight and control, shared access, and automated user management. All this stuff makes your life easier.
Plus, you can even use LastPass single sign-on to protect all your cloud apps and give seamless access to employees. Check it out at lastpass.com/smashingsecurity.
We also are sponsored by MetaCompliance. Now, MetaCompliance reduce cybersecurity risk by providing a platform for training.
And when it comes to cybersecurity, that is super important. So listeners, listen up.
If you do not have a password manager in your organization, please check out LastPass Enterprise.
They offer centralized admin oversight and control, shared access, and automated user management. All this stuff makes your life easier.
Plus, you can even use LastPass single sign-on to protect all your cloud apps and give seamless access to employees. Check it out at lastpass.com/smashingsecurity.
We also are sponsored by MetaCompliance. Now, MetaCompliance reduce cybersecurity risk by providing a platform for training.
Yeah, they do online training, they've gamified it, it's animated e-learning, teaches you and your staff all about the risks of phishing and other threats which may impact them inside business.
And best thing, it's not boring.
No, not boring at all. You learn everything: GDPR, malware, data security, password safety.
You can grab it all and save yourself a ton of cash because you're a Smashing Security listener. Go to smashingsecurity.com/metacompliance.
You can grab it all and save yourself a ton of cash because you're a Smashing Security listener. Go to smashingsecurity.com/metacompliance.
On with the show.
And welcome back, and you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week. Oh, Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
Better not be.
Well, my pick of the week this week is not security related. It is something called the Portsmouth Sinfonia.
Is that an instrument?
And the Portsmouth Sinfonia? No, it is an orchestra. And it's an orchestra which was first formed in 1970. They're no longer in operation.
They sort of quit, they sort of disappeared around about 1979, but they are rather unusual because it was an orchestra which had an ethos.
Their feeling was that anyone could join their orchestra regardless of talent, ability, or experience.
They sort of quit, they sort of disappeared around about 1979, but they are rather unusual because it was an orchestra which had an ethos.
Their feeling was that anyone could join their orchestra regardless of talent, ability, or experience.
It sounds very modern, actually.
It was quite modern.
That's a very sort of YouTube generation orchestra.
Well, they, you can go and check them out on YouTube. There is an album of theirs which is out there online, but we can hear them doing some of the popular classics.
I would particularly point you towards their version of Also Sprach Zarathustra, which you may remember was best known for its use in 2001: A Space Odyssey.
I would particularly point you towards their version of Also Sprach Zarathustra, which you may remember was best known for its use in 2001: A Space Odyssey.
Oh, whoa. Oh my God, it's so bad.
Anyone, anyone can join, Carole. Anyone, anyone can join.
So, yeah, so this orchestra existed. We'll put links in the show notes. It's not accidentally terrible, but there's something rather wonderful about it.
So they did exist for some time.
So they did exist for some time.
There was a lot of drugs in the '70s.
They tickled me quite a lot, and I've really enjoyed listening to them.
Oh my.
But anyway, the Portsmouth Sinfonia, check them out on YouTube.
No, don't check them out.
No, go on, you'll love it.
But two seconds of it.
Yeah, no, it's much better than that, she cried. So that is my pick of the week and it made me have a little chuckle. Had a little chuckle.
I know it's a little bit lowbrow compared to you guys talking about Jordan Peterson.
I know it's a little bit lowbrow compared to you guys talking about Jordan Peterson.
I think you misunderstand me. I'm not saying it's not gorgeous in its own right. It's just, it's very hard on the ears.
Yeah, no, don't misunderstand me. It's terrible.
Mark, what's your pick of the week?
So my pick of the week is a place. It's my favourite place in the world. I was in Cornwall last week, which gave me the opportunity to visit the Eden Project.
Oh yes.
Which is, I don't even know how to describe it. It might be a theme park. It might be a greenhouse.
It's a bit like a biosphere.
It might be both of those things. So it is a place and it was created by a man called Tim Smit in the millennium.
It's an old clay pit in Cornwall that was a sort of terrible derelict giant hole in the ground and he's converted it into this oasis and put these two giant biomes, which are enormous greenhouses, and they're large enough, they're designed to be large enough to have full-size rainforest trees inside them.
It's an old clay pit in Cornwall that was a sort of terrible derelict giant hole in the ground and he's converted it into this oasis and put these two giant biomes, which are enormous greenhouses, and they're large enough, they're designed to be large enough to have full-size rainforest trees inside them.
So yeah, it's incredible.
Huge tropical biome and a Mediterranean biome and then the sort of external biome.
And I went there with my kids and I wasn't— they've been to Disneyland this year, so I wasn't sure what they were going to make of this because it's basically walking around looking at plants.
And they were— their eyes were like saucers. It was absolutely— it was everything I remembered it and more. So go to the Eden Project and support them, please.
And I went there with my kids and I wasn't— they've been to Disneyland this year, so I wasn't sure what they were going to make of this because it's basically walking around looking at plants.
And they were— their eyes were like saucers. It was absolutely— it was everything I remembered it and more. So go to the Eden Project and support them, please.
Fantastic. Gets pretty hot in there though, doesn't it? As I remember.
It is a tropical biome.
Yes, exactly.
It is kind of written—
It's humid and a little bit warm.
Surprisingly warm and humid in this.
I've been there too. I quite enjoyed it. I have to say it was good fun. Excellent. The Eden Project. Carole, what's your pick of the week?
Now, I have a number of hobbies. This is when I listen to podcasts, when I do my hobbies. And one of those hobbies is that I make bread.
And my gran made bread, my mom made bread her whole life, and I make bread, right? And I love bread and I make it almost every single day and I make all kinds of breads, right?
And Mark is new to the bread-making community.
And my gran made bread, my mom made bread her whole life, and I make bread, right? And I love bread and I make it almost every single day and I make all kinds of breads, right?
And Mark is new to the bread-making community.
Specifically, I mean, I have a bread maker and I have had for years, but the painstaking, agonizing kind of flapping and rolling and kneading and leaving and— You've just joined the sourdough community.
I have just joined the sourdough community.
I have just joined the sourdough community.
Lovely.
But I think that if one loves bread, one should make a loaf at least once in their lives. I really believe that because there's nothing eating a loaf that you've made yourself.
Well, there is something that's eating a loaf of bread that I've made. I don't know if you've ever tried to eat building materials.
No, but you're trying— you're gonna go for sourdough, right? You're taking on the biggest challenge there is, right? With wild yeast and all that stuff, right?
Now, I have curated a list of tried and tested recipes by me, right? That you can try your hands on a bread.
And there are recipes for easy flatbread recipes, and there's a crusty loaf. These are not hard.
There's also a Hokkaido dough, which is a Japanese crazy, crazy, the softest, softest little rolls you'll ever get.
And then there's a sourdough challenge, and I've put in a bunch of links. They'll be on our webpage. If you bread, go make a loaf. It can take a few hours. It can take 30 hours.
It could take 100 hours, but it can take a few hours.
Now, I have curated a list of tried and tested recipes by me, right? That you can try your hands on a bread.
And there are recipes for easy flatbread recipes, and there's a crusty loaf. These are not hard.
There's also a Hokkaido dough, which is a Japanese crazy, crazy, the softest, softest little rolls you'll ever get.
And then there's a sourdough challenge, and I've put in a bunch of links. They'll be on our webpage. If you bread, go make a loaf. It can take a few hours. It can take 30 hours.
It could take 100 hours, but it can take a few hours.
So are you saying that your pick of the week is you?
No, my pick of the week is bread and making it. Go make bread.
Yes.
No, I agree. Yes, it's a really beautiful thing, especially in the— everyone's sitting and looking at their phones all the time. Just unplug, put a podcast on or something, and go.
I've never made a proper— I mean, I've done it in a bread-making machine, obviously, but I've never made a proper, proper loaf of bread, but I think I'd quite to do that.
Yeah, I think, honestly, I do feel bread-making machines are cheating in my opinion, but I also know that I come from a weird line of people that, you know, do it.
So both of you have basically joined the cult of bread-making and you'll be making bread. Carole, would you say you'll be making bread until the rest of your life?
Yeah.
So you'll be, well, if it's sourdough, yes, it's probably one or two loaves.
My mum still makes bread.
So you'll be making bread until you're brown bread.
And on that bombshell, ladies and gentlemen, that just about wraps it up.
Mark, I'm sure lots of our listeners would love to follow you online or find out what you're up to. What's the best way for folks to do that?
You can follow me on Twitter @MarkStockley and @InternetOfHens, and you can hear me every week on the Naked Security podcast.
And you can follow us on Twitter @SmashingSecurity— no G, Twitter only allows to have a G.
You can also check out our online store if you want to buy a mug or a t-shirt or anything like that at smashingsecurity.com/store.
You can also check out our online store if you want to buy a mug or a t-shirt or anything like that at smashingsecurity.com/store.
We'll have some new winter soon.
Yes.
Once again, thanks to this week's Smashing Security sponsors, MetaCompliance and LastPass. And thanks to you bestest listeners out there.
Do you know, just by listening, you help make this show happen?
And all of you who donate directly or share our shows with newbies or take time to review us or write to us, you all get a special gold star.
Check out smashingsecurity.com for past episodes, sponsorship details, and info on how to get in touch with us.
Do you know, just by listening, you help make this show happen?
And all of you who donate directly or share our shows with newbies or take time to review us or write to us, you all get a special gold star.
Check out smashingsecurity.com for past episodes, sponsorship details, and info on how to get in touch with us.
Until next time, cheerio, bye-bye.
Bye!
Goodbye.
Very noisy mouse.
I know. Well, I might have to go buy Jack Rhysider a 20-button.
It doesn't have— you know, he said it had 12 buttons. It doesn't, it has 5.
Yeah, he's—
Yeah.
Thanks to everyone who listens to the show, and who voted us “Best Security Podcast” earlier this year.
Currently we’re getting over 25,000 listeners to each episode in the first four weeks, and our audience has been growing steadily. It’s a really great feeling to have such loyal listeners and Carole and I get a real kick when we meet some of you in “real life” at conferences and events.
Stay tuned!
If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about cybersecurity, you can find more information here.