Want to hack a Myspace account? They’ve made it shockingly easy

Hacking like it’s 2004…

David Bisson


An attacker can easily use three pieces of publicly available information to pwn anybody’s Myspace account.

Security researcher Leigh-Anne Galloway came across this security oversight back in April when she stumbled across an old Myspace account of hers. The researcher decided she wanted to delete her account, but she needed to sign in first. To do that, she went to Myspace’s account recovery page.

Myspace’s account recovery page.

As you can see in the above screenshot, Myspace asks for several pieces of personal information before it will restore access to a lost account. There’s just one problem: notwithstanding the “field required” asterisk affixed to the email address text field, Myspace doesn’t validate a registered user’s email address. That means a user can recover their account with just their name, username, and date of birth.


Easy, right? A little too easy.

As it turns out, it’s nowhere near impossible to find these three pieces of data online.

Attackers can use a Google search to find a Myspace user’s name and username online. (A certain breach confirmed by Myspace in 2016 lessens the load of discovering these two bits of information.) Attackers might have a more difficult time finding someone’s birth date, but you’d be surprised how many people list their special days on Facebook or other social media platforms.

Whoever enters that information is instantly given access to the registered user’s account.


Galloway couldn’t believe her eyes. As she explains in a blog post:

“Myspace may no longer be relevant as a social media site, but its treatment of security is as relevant as ever.”

Galloway reported the vulnerability to Myspace on 23 April. She had heard nothing back as of 17 July, the date on which she decided to disclose it publicly.

Without any word from Myspace indicating it intends to fix the flaw anytime soon, users who are concerned that someone could access their account, read through their old messages, and abuse their information don’t have many options. There’s really only one course of action: users should leverage Myspace’s account recovery to regain access to and subsequently delete their accounts. It’s not the optimal course of action, but when a company doesn’t care about their customers’ data security, there’s nothing left to do.

Shame on you, Myspace, for such a disreputable end…

For further discussion of this incident take a listen to this episode of the “Smashing Security” podcast:

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
CAROLE THERIAULT
Hey, Graham.
GRAHAM CLULEY
Hi. Hi.
CAROLE THERIAULT
Do you think we should have a warning on this episode because it does get a little risqué in story number 2?
GRAHAM CLULEY
Oh, yeah. Well, it wasn't really our fault. It was our special guest on this episode.
CAROLE THERIAULT
Okay, so we don't need to have a warning. It was his fault.
GRAHAM CLULEY
He kind of lowered the tone.
CAROLE THERIAULT
He lowered the tone.
GRAHAM CLULEY
To such an extent that some people might not want to hear it, particularly young people, maybe.
CAROLE THERIAULT
Yeah, but you do want to hear it, so listen to it.
GRAHAM CLULEY
But don't say we didn't warn you.
CAROLE THERIAULT
We didn't warn you. We decided not to warn them, right?
GRAHAM CLULEY
Yeah, yeah, yeah. Anyway, it wasn't us. That's the important thing. On with the show.
CAROLE THERIAULT
Smashing Security is supported by Recorded Future, the real-time threat intelligence company whose patented machine learning technology continuously analyzes technical, open, and dark web sources to give organizations unmatched insight into emerging threats.

Sign up for the free daily threat intelligence update at recordedfuture.com/intel. That's recordedfuture.com/intel.
Unknown
Smashing Security, Episode 34: The Pen is Mightier Than the Password with Carole Theriault and Graham Cluley.
GRAHAM CLULEY
Hello, hello, and welcome to Episode 34 of Smashing Security for the 20th of July, 2017. Tremendous to be here. And I'm joined as always by my good buddy, Carole Theriault.

Hello, Carole.
DAVID MCCLELLAND
How are you?
CAROLE THERIAULT
Are you having trouble speaking? T-mendous?
GRAHAM CLULEY
What did I say?
CAROLE THERIAULT
T-mendous. I kind of like it. Yes, I am t-mendous. I'm tremendous as well.
GRAHAM CLULEY
And we are joined by a very special guest, technology writer and broadcaster David McClelland. Hello, David. Welcome to the show.
DAVID MCCLELLAND
Hello. Hello, Graham. And hello, Carole as well. Lovely to kind of not e-meet you, kind of podcast meet you, I suppose.
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
Well, it's great to have you on here as well. Now, David, I know you from the Frakulous podcast, but of course you do much more than that.

For people who don't know or people who don't live in the UK, tell us about yourself and why are you here?
DAVID MCCLELLAND
Why am I here? Because you asked me last week, I think, and I promised that I would turn up. That's the main thing, I think.

Oh gosh, I hate this question about who are you, what do you do? And I really should have this down to a T by now, but I started off in the IT industry about 22 years ago now.

Doing actual IT, and then I got a bit bored of doing it. So about 10 years ago, I started to write about it and talk about it as well.

In fact, one of my first jobs, Graham, was to interview you. No. Yes.
GRAHAM CLULEY
I'm so sorry.
DAVID MCCLELLAND
No, you were very good. I was very poor because I was still learning the ropes, actually. But yeah, you were great.

We're talking about Facebook terms and conditions and about how they were longer than the US Constitution.
GRAHAM CLULEY
Oh, I forgot about that.
CAROLE THERIAULT
Yeah.
DAVID MCCLELLAND
But anyway, so now I am a broadcaster. I do a lot of work with BBC, so shows, consumer affairs shows like Rip Off Britain.

I've been their sort of tech expert and tech consumer champion for the last 6 or 7 seasons or so, and Watchdog.

And I'm actually on telly this Friday night, which will be the 21st, with a show in Wales on the BBC called X-Ray.

And it's a photography special where I'm going to be talking about ownership of photos once you've uploaded them to social networks, how to use cloud storage safely.

So sort of consumer stuff on safe use of the cloud.
CAROLE THERIAULT
Oh, that's cool. That's a really great topic, actually. Great that you did that.
GRAHAM CLULEY
If we don't get BBC Wales, can we get that on iPlayer or something like that instead?
DAVID MCCLELLAND
You certainly can. And I will give you a link to the BBC iPlayer, which you can get, obviously, if you're in the UK and a licence fee payer.

If you aren't in the UK, then there may be other ways to view it, but I couldn't possibly comment on those.
GRAHAM CLULEY
Who can say? Who can say? Carole, have you been having a good week? Anything fun?
CAROLE THERIAULT
Have I done anything fun? I've done loads of fun things. I can't think of any at the moment.

Getting ready to go off to Estonia next week is one of them, so I'll be away, but hopefully we'll be recording from there.
GRAHAM CLULEY
Oh, cool. Well, I watched that movie. You remember last week we had Michael Hucks on the show and he recommended that documentary.
DAVID MCCLELLAND
Yes, I watched it too.
CAROLE THERIAULT
Okay, okay. We haven't talked about this yet.
GRAHAM CLULEY
About the men's rights movement. Yeah. And I watched it too.
CAROLE THERIAULT
I can't wait to hear what you thought. What did you think?
GRAHAM CLULEY
I didn't think very much of that documentary, to be honest. Sorry for the recommendation. I just felt it sort of didn't go anywhere. And it's just, it didn't ask the right questions.

There was a very, very odd woman on it with bright red hair.
CAROLE THERIAULT
How dare you? How dare you?
GRAHAM CLULEY
Reminded me of somebody, but—
CAROLE THERIAULT
Oh, really?
GRAHAM CLULEY
No, she didn't remind me.
CAROLE THERIAULT
She reminded you of me?
GRAHAM CLULEY
No, not really. But if you do get to see The Red Pill, it is thought-provoking, but ultimately—
CAROLE THERIAULT
Bleh.
GRAHAM CLULEY
It wasn't quite there, was it?
CAROLE THERIAULT
No, I had trouble feeling sorry for them. I had trouble. I had trouble.
GRAHAM CLULEY
Anyway, enough wiffle waffle. It's time to get to the meat of today's podcast.

What we do every week is we look back over the last week's security news and we, well, talk about things which caught our attention.

You know, there can be just a little story which caught our attention. We have a chat about it. I'm going to go first this week and—
CAROLE THERIAULT
Like the first time ever.
GRAHAM CLULEY
I just to get it over and done with, and then I can relax for the rest of the podcast. You know how it works. I saw a couple of things actually.

First of all, I just saw, just before the podcast started, I saw a story on The Hollywood Reporter, which claims that Russian President Vladimir Putin is being written out of new movies because the studios are worried that they might get hacked.

What?
CAROLE THERIAULT
So his character is being removed from scripts is what you're saying?
GRAHAM CLULEY
Yes, exactly. So there's a novel written by a former CIA officer. There's one called Red Sparrow, for instance, about a Russian spy being wooed by the CIA to be a double agent.

And they've got Jennifer Lawrence, who's the hot young thing, to play the Russian spy. And there is a part in it which is Vladimir Putin's part, right, in the book.

But it appears that they're not— they don't want Vladimir in the story because, of course, you remember what happened with Sony.

With Sony being hacked, and many people thought it was North Korea doing it because they had a movie out which was making fun of their glorious leader.
CAROLE THERIAULT
I wonder if it's the legal teams that are actually nervous, so they're forcing people to change the script.
GRAHAM CLULEY
Yeah, I wonder. I don't know. It's interesting, isn't it? Because so many people at the moment are talking about Russia as though that might be a little bit of a hotbed of hacking.

I can't imagine why people would think such a thing, but that isn't what I want to talk about. What I actually wanted to talk about was this. MySpace has had another security snafu.
CAROLE THERIAULT
Who uses MySpace?
GRAHAM CLULEY
You might be surprised, actually. I mean, a lot of people make that joke, like, oh, MySpace, you know, welcome to 2007 and all the rest of it.

But actually, I think MySpace does continue. And there may, of course, be many people out there who might have created their accounts on MySpace back in its heyday.

And it may be long forgotten about it. You know, they may no longer have the email address which was associated when they created that account.

But what's come to light this time has not been a breach as such. It's not been like when they lost data, which has happened in the past and they've had big snafus like that.

What's happened here is a security researcher found a shocking security hole, which meant that anyone could seize control of somebody else's account just by knowing their name, their username, and their date of birth.

So if you went to that account recovery page, the page where you'd normally go if you couldn't remember your password, you know how normally you have to jump through lots of hoops?
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
Well, in this particular case, they just asked you— the only required fields were name, username, and date of birth.
CAROLE THERIAULT
Shut the front door.
GRAHAM CLULEY
And username, obviously, is something you know purely by going to the MySpace profile. The name probably isn't going to be that much of a challenge either.

Date of birth, well, anyone who's a dab hand at Google might well be able to find out your date of birth. And bam, you've gained access and control of the account.
CAROLE THERIAULT
Holy moly.
GRAHAM CLULEY
Diabolical, right?
CAROLE THERIAULT
Bad MySpace. Very bad.
GRAHAM CLULEY
Bad MySpace compounded by their response to it. So they were told about this in April by a researcher called Leigh-Anne Galloway.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
And we'll put a link into her latest blog post in the show notes.

So she privately informed them, said, "Guys, what about this?" Responsibly disclosed it to them, saying, "Look, yeah, okay." And what she heard back was a, "Thanks for contacting MySpace.

This is an automated response. We'll take a look at this and get back to you if we have any questions." And she waited and waited and waited.

And she thought after 3 months, this is a bit of a joke, isn't it? It's still there. People's accounts could still be being abused.
CAROLE THERIAULT
That's awful.
GRAHAM CLULEY
And so she posts a blog about it. And that, of course, suddenly focused everybody's attention on it. And MySpace thought, oh yeah, maybe she's got a point here.

Maybe we should fix this. And sure enough, they've now taken down that recovery page and, you know, they put a proper process in place.

But my feeling about this is, okay, that's appalling. And that's sort of ghastly in many ways.

But maybe what we need to do is think about all of the websites where we might have created accounts way back in the Iron Age.
CAROLE THERIAULT
Yeah, the 300 or 400, maybe 1,000. Yeah, carry on.
GRAHAM CLULEY
That we may no longer be using. And simply, if you're not using them, delete it.

Everybody who's making that joke about MySpace should try and work out if they have a MySpace account and delete it. Just wipe it because you don't need it. You don't use MySpace.

Come on, let's be serious. And ensure you're not using the same passwords anywhere else on the net.
CAROLE THERIAULT
Yeah, I 100% agree with you. I just think it isn't as easy as you make it sound.

I've actually recommended that people try and do it once every Friday, go in and try and delete five accounts, and if you can do that, you'll probably get through within three or four months.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
And the other problem is people don't even remember where they've given their username and password. Think of all the apps people download and yeah, you're right.
GRAHAM CLULEY
I mean, it is horrendous.
CAROLE THERIAULT
But better to try, I agree.
GRAHAM CLULEY
And if there's anything where you do have an opportunity to do it, do it.

I realize over time you're going to forget things or no longer have access to email accounts or simply may forget.

The other thing you should do, of course, is sign up for services like Have I Been Pwned, the service run by Troy Hunt, which will inform you when a big data breach happens and whether your details have been included in it.

That's a good idea as well. But I just think, this really is horrendous, and there are too many websites making appalling mistakes like this.
CAROLE THERIAULT
I worked at a company before at which people were trying to contact them via the web administrator email address that was provided on the website, and no one was monitoring that website.

So basically it was going into the ether.

So a good reminder for companies is to make sure the email address you have available on your pages for any problems or disclosures is up to date and monitored.
GRAHAM CLULEY
Absolutely.
CAROLE THERIAULT
Not going to some personal address of some guy or girl who's left the company.
GRAHAM CLULEY
And maybe list an address which is security-specific. If you find a vulnerability or security problem with our company, this is how to contact us.
CAROLE THERIAULT
Right, so in ransomware, in April they were told, and they haven't done anything till now.
GRAHAM CLULEY
Well, I'm going to go on mute now because my dog's barking, which means probably my child and wife are coming home. But before I do that, I'm going to say, David, over to you.

What have you got to tell us?
DAVID MCCLELLAND
Well, I don't want to give your podcast an explicit or an adult content rating, but I thought it might be a good idea to talk about sex because there have been, I guess, three stories that have risen to the top over the last week or so.

The first one that's hit this week is that the UK government is going to attempt to introduce age verification so that only those who are 18 and above can access websites that are hosting adult content.

Now, this is really complicated. I mean, there's a number of angles on this. On the one hand, look, I'm a parent.
CAROLE THERIAULT
Yes.
DAVID MCCLELLAND
I think many of us will agree that attempting to safeguard children from accessing either deliberately or accidentally adult content while they're online, that's only going to be a good thing.
CAROLE THERIAULT
Yeah.
DAVID MCCLELLAND
However, however, what the government, what the UK government is trying to do is it's set a deadline for April next year, April 2018, and by then any websites that are offering adult content have to enforce this age verification.

Now, what they're proposing—
CAROLE THERIAULT
But don't they have that already? Don't they have to say, are you 18? Are you 18 or above before you go into these sites?
DAVID MCCLELLAND
Yeah, it's like the terms and conditions. You can just tick a box and go, yep, I'm over 18.
CAROLE THERIAULT
Yeah, yeah.
DAVID MCCLELLAND
With my squeaky voice.
CAROLE THERIAULT
Right, right, right. Yeah, oh, I am, yep.
DAVID MCCLELLAND
So what they're looking at doing is using credit cards as a means of identification, because in general, credit cards are only available to those who are 18 and above.

So you're thinking, okay, yep, that kind of works, I suppose.

Now, you don't need to tell me that there are a number of issues with this because let's face it, companies as a whole, but particularly those firms that host adult content, do not have a good track record of keeping people's details safe.

And we'll come on to one of those in a moment. But the fact is, if teenagers are determined to get hold of adult content, to browse it online, they will find a way to do it.

And there are any number of places that they will be able to go through, whether they're going through a VPN and going through a different country or whatever.

But it means that I don't see this actually being particularly effective for those who are most determined to look at stuff online.
CAROLE THERIAULT
And also, there's all kinds of tools as well, though.

There's lots of tools that parents— parental control tools that they can use on computers and devices and stuff, which can seem to me a better idea.
DAVID MCCLELLAND
Absolutely.
GRAHAM CLULEY
But if someone's determined, these things can always be subverted, can't they, and got round. I mean, you're right, obviously the VPN.

So this would affect all websites around the world, presumably, if they don't want to be fined. It's not just British porno websites.
DAVID MCCLELLAND
Exactly. And the impetus would be on the internet service provider.

So whoever my internet service provider is, yours, whatever, to then block the content from those websites if they are found to be in contravention of this age validation.

And UK's only got a number of months in order to do this. What is that, 9 months or so? There isn't a regulatory body in place for this yet.

So what is being mooted is the BBFC, the British Board of Film Classification.

That's the body that looks at cinema releases and film releases and so on and says, yep, that's a 15, yep, that's an 18. And it looks at pornographic content as part of that.

And it sounds as though it is going to be the body that has to enforce this, at least in some way.
CAROLE THERIAULT
Are you saying on any website though? That's crazy. How are they going to do that?
DAVID MCCLELLAND
It's a big job.
CAROLE THERIAULT
I don't even think it's even feasible.
DAVID MCCLELLAND
I know.
GRAHAM CLULEY
Wow. So the method of authentication they're proposing is credit cards.

So if I was little Timmy, for instance— well, not so little Timmy, but teenage Timmy— I would go and grab my mum's credit card from her purse, write down the number, and give it to all my mates, right?

And then—
CAROLE THERIAULT
Yeah, okay, you're gonna— Yeah, but you're not gonna be the majority of teenagers, right? There's gonna— I think you're gonna fall— That's gonna—
DAVID MCCLELLAND
I don't know.
CAROLE THERIAULT
Really?
DAVID MCCLELLAND
Really?
GRAHAM CLULEY
I don't know.
DAVID MCCLELLAND
If you are determined to see this stuff, then I'd say that's a bit of a no-brainer.
GRAHAM CLULEY
Yeah. It's not as though these websites hopefully are going to charge your credit card unless you want the sort of premium service or something. This is purely for access.

So are they going to be stored? Is the idea that they wouldn't be storing these credit card details?

Or maybe they would be temporarily while they're looking at them to see if they're valid?
DAVID MCCLELLAND
Yeah. I mean, I've— Obviously, the i's haven't been dotted and the t's haven't been crossed on this yet.

There's a lot that still needs to be sorted out, but there will have to be a record of a name and presumably an email address and a credit card number that is stored online.

And so those details will then be associated with accessing pornographic content. And that sort of data is, I would say, pretty hot stuff.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
You know what? This is just going to bring back— if this actually works, it's just going to bring back magazines. I mean, that's how we all first saw porn, right?

Finding some adult, you know, stash.
GRAHAM CLULEY
Tell us more, tell us more.
CAROLE THERIAULT
I'm just saying, I'm sure it's true for all of us. That is certainly how I came across this stuff. Jaw dropped.
DAVID MCCLELLAND
Oh my God. But let's move very swiftly on.

Speaking of large stores of personal information and credit card details and so on, almost exactly two years ago, many of us were very, very busy indeed covering the Ashley Madison data breach, which landed, I guess, first of all at the end of July and then at the end of August or so.

Two years later, Ashley Madison's owners are laying down what's looking like being an $11 million settlement to those who are suing the online purveyor of extramarital nookie.
CAROLE THERIAULT
That seems pretty small to me for this kind of breach.
DAVID MCCLELLAND
Yeah, exactly. I think about a third of that is set aside in legal fees. And in order to claim your slice of this cash pie, you need to be able to claim some material loss.

They need to prove rather some material loss. And they're estimating that those who can may get as much as $3,500. But the fact is, I mean—
CAROLE THERIAULT
Some people killed themselves over this. And don't worry, here's $3,000.
GRAHAM CLULEY
Here's $3,000. That'll make it all better. Or marriages broke up. If a marriage broke up, is that a material loss?
DAVID MCCLELLAND
I mean, would you— for $3,500?
CAROLE THERIAULT
This is where the lawyers earn their money in terms of quantifying some of this. Yeah, exactly.
DAVID MCCLELLAND
I mean, Ashley Madison is still going. It's had a lot of changes and its parent company has changed how it works as well.

But Ashley Madison is still there if you want to do that stuff.
CAROLE THERIAULT
But I'm sure they don't use female bots anymore to chat up their members. I'm sure that never happens.
DAVID MCCLELLAND
And I certainly hope that they delete accounts when you tell them to do so.
CAROLE THERIAULT
Oh, I'm sure they do, 100%.
DAVID MCCLELLAND
But onto my final piece now. If Ashley Madison left its members wanting when it came to security, another provider of online services is trying a little bit harder. Alert, alert.

The following segment may be unsuitable for young ears. We did warn you earlier. I hope you were listening. Anyway, it's David McClelland's fault.

That's the important thing to remember. Not Carole or Graham. Thanks, and good luck. So on to my final piece now.

If Ashley Madison left its members wanting when it came to security, another provider of online services is trying a little bit harder. So a porn website—
GRAHAM CLULEY
I see what you did there.
DAVID MCCLELLAND
Yes, thank you.
CAROLE THERIAULT
You're quick, Graham. You're quick. You're quick.
DAVID MCCLELLAND
Yeah. And there's more. A pornography website, which I'm not going to name, but it is looking to introduce biometric authentication for its male members, if you catch my drift.
CAROLE THERIAULT
Are you talking dick pics?
DAVID MCCLELLAND
We are talking dick pics. There we go. You went there. I wasn't going to go there, but now you've opened the floodgates. Yeah, there we go. Okay, so you—
GRAHAM CLULEY
What actually are they going to do?
DAVID MCCLELLAND
They are— So it claims—
CAROLE THERIAULT
It's gonna be like a passport picture. Put up your—
GRAHAM CLULEY
No smiling.
DAVID MCCLELLAND
It claims that the male member has— that the male reproductive organ has many characteristics that allow for unique identification. And yeah, get this.

It has the added benefit of not being on public show to the same extent that your fingers and fingerprints and that your iris, your eyes are as well.

But in the first instance, from what I could tell, it's actually just asking you to take a picture of it. There's no special sort of scanner or any special sort of technology.
GRAHAM CLULEY
Right, you don't have to stick it in anything to get a scan?
DAVID MCCLELLAND
Not yet, but they want you to send a picture of your dick to them in order to authenticate who you are. This is absolutely ridiculous.
GRAHAM CLULEY
Is it possible they're actually just working on a different website, which is going to have pictures of men's penises on it? And they just need to collect some.
CAROLE THERIAULT
Oh yeah, 'cause that's what women want to look up a lot. Yeah, exactly.
DAVID MCCLELLAND
Yeah, definitely. Again, this is another website that I certainly would not trust with any of my personal details, particularly not that one.
GRAHAM CLULEY
This is a publicity stunt, right? This isn't actually happening.
CAROLE THERIAULT
This is totally a stunt.
GRAHAM CLULEY
Please tell me this is nonsense. Do you know what?
DAVID MCCLELLAND
I did click through to the website, to the link that it gave me.
CAROLE THERIAULT
For research purposes.
DAVID MCCLELLAND
For research purposes. And I think it stayed on my browser for about 5 seconds before I'm like, no, I'm not having this in my history. Goodbye. So I closed it down straight away.
CAROLE THERIAULT
Does it give you advice on how to actually take your dick pic? You know, to be side-on or to be—
GRAHAM CLULEY
How to crop it? Yeah.
DAVID MCCLELLAND
It wants an erect dick pic.
CAROLE THERIAULT
Oh, shut up!
GRAHAM CLULEY
Hang on, this is before you get onto the site?
DAVID MCCLELLAND
Yes.
GRAHAM CLULEY
This is to authenticate you.
CAROLE THERIAULT
Yeah, they give you some fluffer pics first.
GRAHAM CLULEY
Do you have to go to another website first of all in order to get ready to get to this one?
DAVID MCCLELLAND
So, you're probably thinking that wasn't that bad. Well, it's about to get worse. Remember, it wasn't Graham or Carole's fault.
GRAHAM CLULEY
Do you have to go to another website first of all in order to get ready to get to this one?
DAVID MCCLELLAND
All right, if we're going there, in the press release that I've— we have gone there.

In the press release, it talks about the fact that one of the identifying features of the male member is vein size. Oh God.
GRAHAM CLULEY
Okay.
DAVID MCCLELLAND
Exactly. We've probably crossed the line. There was a line. We've crossed it and we've crossed it again.
CAROLE THERIAULT
They've crossed it. We didn't cross it. We're just telling the good folks out there not to fall for this.
GRAHAM CLULEY
To think we had complaints when we talked about Donald Trump.
DAVID MCCLELLAND
Yeah.
GRAHAM CLULEY
Now this has happened. Carole.
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
Can you save us from all? Thank you, David, very much. I'm so glad you came on.
DAVID MCCLELLAND
You are welcome.
CAROLE THERIAULT
I am going to yank you both out of this murky, murky water. So I'm going to talk about surveillance. And I'm going to call this segment, the S in IoT stands for security.

So this is all about surveillance cameras. And can you guess how many are around estimated in the UK or the US?
GRAHAM CLULEY
There's a lot in the— isn't the UK meant to have more per square mile than anywhere else in the world or something?
CAROLE THERIAULT
So I found 4 to 6 million CCTV surveillance cameras in the UK. That's 40 per square mile or 1 for every 10 people. I did my little math.
DAVID MCCLELLAND
Sorry. Across the whole of the UK. I mean, we've got a lot of empty space in the UK when you get to people's houses.

Exactly, there are— When you get to central London, that's gonna be super intense, isn't it?
CAROLE THERIAULT
Exactly, exactly. And there's 60 million estimated in the US. So that's 1 in 20 people or 16 per square mile. So there's a lot, a lot, a lot of security cameras out there.

So how frigging scary is it when we learned this week that a serious vulnerability in hundreds, if not thousands, of security camera models let alone any other IoT device, was uncovered by security researchers.

So let me tell you how this vulnerability came to light.

It's from a security firm called Senrio, and they found a stack buffer overflow vulnerability in the security camera model from Axis Communications, a manufacturer of these security cameras.

And they've dubbed this vulnerability Devil's Ivy.

So these security guys found that if attackers managed to access the vulnerable camera, they could take remote control of this video feed.

They could deny the admin or owner access to the video feed and they could prevent the admin from making any setting changes.
GRAHAM CLULEY
So they can see what the camera's doing, but they can also prevent the true owner of the camera seeing what it is seeing.
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
So this is a bit sort of Hollywood heist, isn't it?
CAROLE THERIAULT
Yes. They could take control of the camera and change where it looks, see what it's seeing. Exactly.
GRAHAM CLULEY
How cool is that?
CAROLE THERIAULT
Oh yeah, it's really cool. Yeah, it's really cool. Let me tell you how cool it is.

So this company, right, who produced this particular camera that Senrio tested confirmed that this Devil's Ivy vulnerability was present in 249 distinct camera models that they sell.

Only 3 old models are unaffected.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
And Axis are likely to have sold millions of these devices, right?

So we're still— this buffer overflow vulnerability is not Axis Communications code, but part of an open source code library, and it's called gSOAP.

Now this is managed by another company called Genivia. So why I'm saying all this?

So just as a background, many developers, rather than writing code from scratch, will use trusted open source code libraries to speed up their coding.

It's a cut and paste job, right? Just speeds everything up.

One of the problems with coding libraries is it kind of, if they're popular, it can act like a homogeneous environment, right?

If the library is found vulnerable, the impact can be huge, impact lots of people. And that's exactly what's happening here with these security cameras, right?

There's an estimated 34 different companies that have developed IoT products with this vulnerable gSOAP code. So how many IoT devices are impacted? We don't even know.
GRAHAM CLULEY
So it's not just Axis's security cameras, it's all manner of other IoT devices using this particular piece of code. So the programmers were lazy basically.

They thought, has someone already written this code?
CAROLE THERIAULT
Or they, well, no, no, lots of people use these things, right? It's a kind of way to kind of also simplify things. You may not be a particular expert in the area, right?

So you might go grab, you know, it's a bit like themes for websites. I think it's just kind of, you know, it's a cut and paste, helps you just get on with the job.
GRAHAM CLULEY
Yeah. But if there's a vulnerability in there, then—
CAROLE THERIAULT
Yeah, big problem.
GRAHAM CLULEY
Suddenly there's a vulnerability everywhere.
CAROLE THERIAULT
The good news is, Genivia have released an update to resolve the issue, and that happened on the 21st of June.

And that Axis Communications immediately pushed out a firmware update to fix their security camera software.

It's a firmware update, and they pushed it out for all their models, all their vulnerable models.

And I have to give them a hat tip actually, because I love that they were really honest in the press about how they were vulnerable, that they immediately issued a fix, and they've been trying to push it out to all their users.

And also, the other good news is that often, security cameras— not all IoT devices, but security cameras are often behind firewalls and other security measures that make it more difficult for hackers to get access to.

So what you want to make sure is that your IoT device is not public-facing.

So if you can't access it from the outside world, you've made it harder for others to access from the outside world. However, there is some bad news here.

Because this vulnerability requires a firmware update, the fear is that a lot of manufacturers aren't going to bother pushing out an update.

One of the reasons is because you don't even know if the IoT device you possess is vulnerable or not, right? Unless your manufacturer tells you, you're not going to be aware.
GRAHAM CLULEY
The manufacturer might know, but the consumer doesn't know, do they? If there's gSOAP code in there.
CAROLE THERIAULT
Exactly. And the other problem is it's not always straightforward to do updates to firmware.

So you can imagine how much information you might have to give to someone who's not technically very savvy on how they have to go about doing this.
GRAHAM CLULEY
And manufacturers may have gone bust or they may have little interest in spending the money.

It's— they may not have the infrastructure for sending out updates to different products.

I mean, it's appalling to hear, but there's still lots of IoT devices which you simply cannot update, right?
CAROLE THERIAULT
Right? Well, exactly. That's a big problem.

So I think if you are concerned, you should maybe contact the manufacturer with the model number of the IoT device you have and request to find out whether the vulnerable gSOAP code is being used in this device.

You may or may not get an answer. Let's hope they do answer you because this is, I just find this really scary because I don't think anyone's going to be aware.

And these things are looking at us everywhere. I mean, they're everywhere.

Even cops, I just read this week, cops are going to be wearing body cams that now can do facial recognition. So that's good.
GRAHAM CLULEY
David, you're a technology journalist. You're obviously encountering a lot of this cool new tech and the internet of things. Do you have a Dingus in your house?

Would you allow these things into your house? Do you feel comfortable with them? Are we being old curmudgeons? Where do you stand on this kind of thing?
DAVID MCCLELLAND
Well, two things. First of all, the fact that this all stems from an open source library, a vulnerability found there.

That makes me think straight away of probably open source's worst day, which was Heartbleed, which was the OpenSSL library, I think. And that of course is still an issue.

So there is some case history there, and I wonder how many of those devices that were affected there still remain unpatched, still haven't had the updated version of that library pushed down to them.

But in terms of devices lying around my house now, I'm not going to lie, I do have quite a few and I've got many more sitting on a shelf behind me.

I have a Nest Cam looking at me right now, one of those Google home security cameras. I've got a Ring doorbell downstairs, which I know has had people have cried out at that before.

And I've got some Amazon Echo and Echo Dot devices around the house.

So, I mean, it's kind of my job to live the life, to feel, to get a sense as to whether this technology can actually help us.

And as part of that, I guess it's to experience the ups and the downs with that.

So yeah, I think—okay, so at InfoSec Europe a couple of weeks ago, I was having conversations with some security vendors and particularly when it comes to IoT security, I was saying, well, look, why is there not a traffic light system we have on food?

When we go to the supermarket, we can see from a little symbol on the front whether it's high in sugar, whether it's high in salt, and so on.

Why is there not the equivalent for home webcams, for home microphones or home whatever else that gives us a sense, an independent sense as to how secure these devices are, whether they have had some independent testing against them, which means that they don't ship with default passwords that are well publicized and so on.

I think that'd be a great idea.

It's just struck home to me the obvious flaw there is that many of these, we don't know about the vulnerabilities until one, two, three years later when someone finds that vulnerability in a bit of code.

So we might be lured into a false sense of security saying, yep, this saw's green all around, I'm going to buy this webcam and stick it in my bedroom.
CAROLE THERIAULT
You know what?

It also gives me—it made me think that maybe this is a reason to register warranties or whatever with manufacturers when you buy specific devices, if only to get the security informational update.

Because otherwise, you may not even know that this is the case, and your TV could be sitting there recording you the whole time through its little camera.
DAVID MCCLELLAND
I think you have to have a high degree of confidence in the manufacturer for whom you're buying this in the first place, that they will be proactive and they will be responsive.

Maybe some of the manufacturers that you buy stuff, if you buy cheap, you may end up buying twice at the end of the day from a security point of view.

If it comes from a no-name Chinese device manufacturer, then the chances are they're not going to be as eager to get in touch with you as if you're buying from a big name.
GRAHAM CLULEY
And there ends our weekly rant about the security of the Internet of Things. I'm sure we'll be back next week for more grumbling and moaning about it, but it does good things too.
DAVID MCCLELLAND
I know there are security loopholes, but you know, there are lots of great things that these devices do too.

I mean, my kids love some of the things that Alexa is able to do for them, and it makes my whole life a lot easier as well.

So I think it's important—I know this is a technology security podcast, but I think it's important to try and get a sense of balance as well, which I know you do.
CAROLE THERIAULT
I know you do that. He's basically calling us curmudgeonly. I hear it.
GRAHAM CLULEY
I get that. He would be right. Okay, it's time to hear who might have sponsored our podcast this week. Let's find out. Who is going to be our sponsor this week? Sponsors.

Yeah, we love sponsors. Are you going to interrupt me?
DAVID MCCLELLAND
I thought you were going to interrupt me.
GRAHAM CLULEY
Say, Graham, who's the sponsor? Graham. Let me guess. Hi. Hi. Hi.
CAROLE THERIAULT
Graham, who's our sponsor this week?
GRAHAM CLULEY
Our sponsor is Recorded Future. Sophos, you know them. They're cool. They do all kinds of cool things. Like? They look on the web. They look on the darkweb.

They peruse the internet in its darkest corners and they work out what are the new emerging threats and vulnerabilities from the world of hacking and cybersecurity.

And then they bundle it all up. They wrap it up in a beautiful ribbon and send it to you in a free email.
CAROLE THERIAULT
If you want to be ahead of the game, I guess you get their free daily email. Of course you do.
GRAHAM CLULEY
But first of all, you've got to sign up for it. Otherwise, they won't know to send it to you. They're not that clever. Go to recordedfuture.com/intel.

And thanks to Recorded Future for supporting the show. Welcome back to the show. And before we wrap up today, we are going to— Pick of the week.

Yeah, we're going to have a little pick of the week. Don't make it like that dreadful documentary, The Red Pill, please. Let's have some better. What?
DAVID MCCLELLAND
Well, no, it's all right.
GRAHAM CLULEY
I'm sure some people liked it.
CAROLE THERIAULT
I'm going to find out if Michael Hucks actually listens to this podcast.
GRAHAM CLULEY
Yeah, he won't be impressed I've slagged off his pick of the week, will he?

Maybe he'll slag off the one I'm about to recommend because having watched The Red Pill, I thought, oh, I need to see something good now.

And now I might have mentioned before, I'm a bit of a Doctor Who fan.

And there's been a bit of a to-do going on because of course there was the unveiling of the new Doctor Who, who is a woman. Yes, finally.

An alien time traveller can apparently be a woman as well as a man, which is fantastic news. I think it's terrific. And Jodie Whittaker won the job, which is super duper.

But one of the other people who was in the running was an actress called Phoebe Waller-Bridge. Oh, I love her.

And I was reading this, I was on the Doctor Who forums online, because everyone was trying to work out who's it going to be? Who's it going to be? Please don't be Kris Marshall.
CAROLE THERIAULT
Do you guys bet on it? Do you have like—
GRAHAM CLULEY
I didn't bet, but there was a lot of betting at the booking stage. Oh, really?

And you kind of always know with Doctor Who, in the last few Doctor Whos, about 24 hours before the announcement, there is a sudden rush of betting for the person who ultimately gets it.

There must be a leak in Cardiff or something like that.

So we all kind of guessed, you know, although there was this female element, which was as to whether that would really, really happen, but we all kind of knew it was going to be Jodie.

But anyway, Phoebe Waller-Bridge, and I was curious, I thought, oh, what is she in? And it turns out she's been in this show, which I'm rather late to.

I'm sorry about this, but I've been catching it up on iPlayer, and I think it's also maybe streaming on Amazon Prime. It's called Fleabag.
CAROLE THERIAULT
Oh yeah, that came out last year. Yeah, okay, all right.
GRAHAM CLULEY
But anyway, I've just watched it, and I binge-watched it. There's about 6 episodes. You liked it, right? Oh, it's so wonderful. Yes. Okay, good.
CAROLE THERIAULT
I loved it too. It is. She's great.
GRAHAM CLULEY
Have you seen this, David?
DAVID MCCLELLAND
I watched it last night. I watched the first episode last night. I had a bit of an inside line that you would be talking about this.

And I thought, well, maybe I should watch it too, because my wife was going nuts about this last year as well. So I kind of felt as though I had a bit of catching up to do.

And I quite agree. I think she's fantastic. And not only does she play the lead in there, but she also, I think, executive produces. That's right.

She had a lot at stake with this show, and it seems to have paid off.
GRAHAM CLULEY
I think it used to be a one-woman show. I think she did it on stage, and now it's become a TV show. She is tremendous.
CAROLE THERIAULT
Can I say I would have really liked her to be in Doctor Who, even though I'm not a big avid fan of Doctor Who?
GRAHAM CLULEY
I have to say I would have started watching.

But I think maybe the fact that she isn't Doctor Who might mean that we get a second series of Fleabag one day, which I think I'd be very happy about. But it is — it's adult.

Let's point this out. It's possibly even more adult than David's segment on the show today.
CAROLE THERIAULT
I don't think anything could be more adult than that.
DAVID MCCLELLAND
I didn't drop any F-bombs or any other kind of four-letter word bombs, unlike Phoebe in Fleabag.
GRAHAM CLULEY
It is funny, but it's also bleak.

And I have to say, there is a bit of darkness in my heart, which really was attracted to the bleak, grim nature of this show, because David, you're going to have to watch all six episodes because, oh my word, it just gets better and better.

So there's my recommendation. Go and check out Fleabag. Don't show it to your kids, but you might well enjoy it yourself. It was phenomenal, I thought. Yeah. David, what have you got?
DAVID MCCLELLAND
My pick of the week. Pick of the week is — oh, I didn't do that. Oh, sorry. Sorry. We have to always do that.
CAROLE THERIAULT
Do it now. Do it now.
GRAHAM CLULEY
So that was my pick of the week. Pick of the week. Pick of the week. It's good that David listens to the show so he knows.
CAROLE THERIAULT
Yeah, he knows all our in-jokes.
GRAHAM CLULEY
He knows what we're meant to do better than us. Right, David, over to you for your pick of the week.
DAVID MCCLELLAND
My pick of the week is also a podcast, but it's not a security podcast. Well, at least not immediately.

So Mozilla, who we all know as veterans of the World Wide Web, have released a new podcast called IRL, In Real Life, in net speak, because online life is real life.

It's only launched a few weeks ago and it's two episodes in so far, but it's great.

And the two episodes have been, first of all, about how our data moves around online and the roles that so-called data brokers play in buying it, aggregating it, selling it, what happens when it goes wrong as well.

And that's, I mean, even for those of us who work in the industry, have various lenses onto the industry, it was fairly eye-opening.

And the other topic that they talked about was net neutrality. Massive topic that I know you guys discussed only a couple of weeks ago. And it's really good to listen to.

It's very energetic and it's produced very much like a kind of NPR radio feature, not the kind of conversational thing that we have. It feels a little bit faster paced than that.

Slicker. More professional. Less swearing. Perhaps less swearing. But yeah, so I think that's definitely worth a listen to.

And Veronica Belmont is again very much of an internet citizen. And yeah, I think it's great. And I think you will think it's great too. IRLpodcast.org.

And it's also on Spotify as well.
GRAHAM CLULEY
I listened to it actually this morning in the shower and it was great. It was a really good podcast, I thought. And I've subscribed for future episodes. So I would recommend it.

I agree with you, David. Great choice.
CAROLE THERIAULT
Super. Okay, I'm going to put it on my list.
GRAHAM CLULEY
So that was David's pick of the week. Carole, what have you got for us?
CAROLE THERIAULT
Well, for my pick of the week, I wanted to point you to Engadget's big fat piece on Google Glass being officially back. So we'll all remember.
GRAHAM CLULEY
Because we were all missing it, weren't we? So I'm glad that's back.
CAROLE THERIAULT
I thought it completely died in 2015, but it turned out they just put it on ice. Well, actually not even on ice.

They just took it out of public view and they've been secretly working on it, squirreling away, working with other companies to try a brand new market.

So instead of focusing on individuals and selling it to us consumer types, they're going after industry.

Now that's kind of cool because you can think, I can think healthcare, think production floors, logistics, retail.

There are so many huge advantages to being able to use it in a work environment, getting information when you're very busy, just right there through your voice and being able to see it immediately while you're carrying on doing a task.

So what they're doing is they're using third parties to optimize the Google Glass for specific tasks or industries, and then it'll be sold by specialist companies.

So effectively, Google partners to specific industries or specific companies. Forrester say by 2025, there's going to be like 14.4 million US workers wearing smart glasses.

And I suspect actually that's underplaying it. I think if Google launched this correctly, I think it could be way higher than that.

The other cool thing I about this, even though I actually am not a big fan of the whole Google Glass on the street thing at all, because I'm curmudgeonly, David.

I don't know what you're talking about, Carole. I the idea that it's being touted as a business tool, right?

So apparently in test environments, they've had companies, lots of big companies testing this DHL, and they've been working on it, but then they and leave it in the office at the end of the day.

Now, yes, I know right now it's still a prototype, so maybe they weren't even allowed to take it out of the office, but maybe it'll just be left in the office, you know, in the ways that actually none of our devices today are, right?
GRAHAM CLULEY
The truth is, if you wear one of these things, you don't just look a dork, you feel a dork. But if you—
CAROLE THERIAULT
Okay, everyone said that to my dad back in the '80s when he was going around with his mobile phone with a battery pack the size of France to make sure he would be, when he was on call as a doctor.
GRAHAM CLULEY
Right.

But you see, the difference in what you're now suggesting, the Google Glasses, is it's oh, I'm doing this for my job, or I'm a dentist and that's why I have to wear these special glasses.

Whereas if you wear them yourself socially, people are going to snigger behind your back or punch you on the nose.
DAVID MCCLELLAND
I'm going to chuck another couple of angles into this, all right. So the first thing was that when Google Glass did launch to begin with, I think many people bought into it.

There was a massive hype, massive buzz around it, and a lot of latent desire until they finally did release it to developers.

And then it was a case of right, well, what does it actually do? And there were very few apps released for it.

So yeah, I think it was good technology, but it was released at a time before I think societally we were, and culturally, we were able to cope with it.

However, look at what Snap Inc. has done with its Snapchat Spectacles. They are a fashion device. They do one thing and they do it really quite well.

And a new line over the last day or so is that Snap is now selling its Snapchat Spectacles on Amazon. So they're likely to go mainstream.

Now, at the moment, if you're walking down the street or at the pub with some friends or something and you see someone wearing some Snapchat Spectacles, actually they get a lot of positive interest.

And I've been in this situation myself, that they are a little bit cool. And when someone is recording with the little LEDs on the front sort of spin around.

So you can tell, but they look quite cool, but they aren't trying to do everything. They're not trying to replace the whole mobile phone experience.

So I think that we will start to see smart glasses reappear not only into the enterprise and business, but also into more consumer applications.

But it's going to be a little bit more slowly, slowly, baby steps.

The other thing I urge you to have a look at is a Bloomberg report that they put out only a couple of days ago, I think, on Meta, which is an augmented reality set of spectacles.

And it was an interview with its boss there. And also, it showed how basically no one in the office is allowed to use a computer screen anymore.

They all have to wear these glasses for their work, even for their desktop work, for doing their emails and for doing their word processing and whatever else.

They have to wear these glasses. It looks a bit foolish to me.

I think that actually keyboards and mice are a pretty reasonable user interface rather than waving your hands about in thin air with no tactile feedback.

But I'll send you a link, Graham.

I think it's really interesting to look at it about we're seeing these glasses as being some sort of nirvana, but actually I think we have a middle ground to find with them.
CAROLE THERIAULT
We should put them in the show notes.
DAVID MCCLELLAND
We should put a link. Yeah, yeah, we will do that.
GRAHAM CLULEY
Thank you, David. That's very interesting.
CAROLE THERIAULT
This whole thing though, doesn't it remind you of Black Mirror, that episode? It was "The History of You" or "The Entire History of You".

And it was where people had implants that recorded everything that they see and said. And it allowed you to play back situations. They were called redos, I think.

So you could actually replay a situation. And then of course, it was Black Mirror, so it just seems—
GRAHAM CLULEY
So if I was having an argument with my wife over what I'd said an hour before and exactly what words I had used, this is a hypothetical scenario, I'd be able to rewind and play it and say, "Look, this is what really happened."
CAROLE THERIAULT
Exactly. Or she could say, "Hey, I don't believe you did this last Thursday. Show me."
GRAHAM CLULEY
Well, Carole, you were the one who was concerned that the US was lagging behind Britain in terms of the coverage of CCTV cameras. Maybe if this takes off—
CAROLE THERIAULT
Oh yeah, I was very concerned about that, yes.
GRAHAM CLULEY
Will it increase the intensity of that as well? That'd be fantastic, won't it?
CAROLE THERIAULT
I just don't think we're built for having recordings. I don't think we're built to be able to say this is exactly what happened.

I think that's why memory is selectively— It selects what you should remember and what will actually destroy you in the end if you remember it all the time.
GRAHAM CLULEY
Well, on that cheery note, once again, I don't know why people listen to this podcast, to be honest. Shouldn't we be a bit more cheerful and upbeat?

David, where can people find out more about you or listen to your podcast? We know you're going to be on the TV on Friday and people can catch up on iPlayer as well.

Is there anywhere else where they should follow you online?
DAVID MCCLELLAND
Well, certainly me on Twitter @DavidMcClelland. That's probably the best place to get hold of me.

And just do a Google or your favorite search engine, others are available, for Fraculous Podcast, and you'll find us in all of the places there.
GRAHAM CLULEY
Tremendous. Well, thank you for joining us today. Really appreciate it. Thank you, Carole, as well for joining us.

If you like the show, what should people do, Carole, if they like the podcast?
CAROLE THERIAULT
Well, if people like the show, they should tell us what they like, and they can do that in the form of a review.
GRAHAM CLULEY
That's what they should do. Oh, okay. And you can go to the Smashing Security website and drop us a line at .

Email us if you're too shy to leave a public review, telling us what you like and what you don't like, and maybe we'll have a feedback episode soon as well. That could be fun.

Until next time then, cheerio, bye-bye. Bye. Bye-bye.
DAVID MCCLELLAND
Sorry about that. Remember that if you have any complaints, you have been listening to Security Now with Steve Gibson.

Further reading: Myspace fixes account security hole – but delete your account anyway.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.