CAROLE THERIAULT
Okay, how did they do it? I want to know how they did it.
GRAHAM CLULEY
Well, in the old days, Carole, the technique you could use is you could burgle people's houses and replace their telephone directories.
MARIA VARMAZIS
Oh, so simple! Print it up.
CAROLE THERIAULT
With one ad on page 396 having a different phone number.
MARIA VARMAZIS
The spine of the book correctly bends so that page just falls open. Hint hint!
Smashing Security, Episode 106: Google Maps, Fed Phishing, and Grinch Bots with Carole Theriault and Graham Cluley.
GRAHAM CLULEY
Hello, hello, and welcome to Smashing Security, Episode 106.
My name is Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
Hello, Carole.
CAROLE THERIAULT
Hello, Mr. Cluley.
GRAHAM CLULEY
And by popular demand, we are joined by a frequent guest of the show, Maria Varmazis. Hello, Maria.
CAROLE THERIAULT
Konnichiwa, Maria.
MARIA VARMAZIS
Konnichiwa.
GRAHAM CLULEY
Hi. You've just returned, haven't you, from Japan?
MARIA VARMAZIS
Yes, I was in Japan for two weeks and then dealing with toddler jet lag fallout for the week after, so I'm just emerging from all that.
CAROLE THERIAULT
You had too much fun.
MARIA VARMAZIS
Too much fun, so now we're gonna deal with screaming toddler for a week straight.
CAROLE THERIAULT
Well, don't worry, we will save you from that for at least an hour.
MARIA VARMAZIS
Oh yeah, just screaming adults now. Exactly.
CAROLE THERIAULT
Now we have a glut of fab stories for you today, from how scammers are using Google Maps to steal money, how you nab phishers, and we'll even explain what the heck Grinch Bots are.
But that's not all. We also have some brand new bonus content.
You can listen to Graham and I get the lowdown on digital password safes in a fun tête-à-tête with Rachael from LastPass, this week's Smashing Security sponsor.
Check them out at lastpass.com/smashing.
GRAHAM CLULEY
Tête-à-tête. Are you showing off again that you know French?
CAROLE THERIAULT
Oh, well, at least you recognized it was French.
GRAHAM CLULEY
Now, chaps, I want you to imagine that you are a bad guy. Or a bad gal. And you want to trick people into giving you their bank account details, their PIN codes, their secret CVV codes, their inside leg measurement.
CAROLE THERIAULT
Normally you just say, can I have— can I see your card for a second?
MARIA VARMAZIS
I want to buy you something on Amazon. Give me your card for a second. Done.
GRAHAM CLULEY
Well, you might find that a little bit suspicious if a complete stranger did it, wouldn't you? I mean, how would you do it? How would you get those kind of details from a stranger?
MARIA VARMAZIS
I totally know how I'd do that.
GRAHAM CLULEY
Oh, do you?
CAROLE THERIAULT
I would pretend to be a server in a restaurant and I'd be like, oh, here's your bill. I see that you've left your card. Thank you very much. I'll come back with the card machine.
MARIA VARMAZIS
That's more creative. I had something actually happen to me where the whole time I thought they were doing this to me where they're trying to steal my info.
It was somebody, not a busker, but those charity folks that are always on the sidewalks that are asking for, you know, they're trying to flag you down and go, hey, do you have a second for Oxfam or whatever?
And I had one of them flag me down because I was, I guess I look nice and approachable and it was for Heifer International.
CAROLE THERIAULT
What's Heifer International?
MARIA VARMAZIS
Oh, you give them money and they give people in developing countries like oxen or sheep or goats or stuff so they can sustain themselves and make money and that kind of thing.
Okay, charity. Yeah. So the whole time I'm just like, I don't know if this person actually works for this charity. I'm not really sure.
GRAHAM CLULEY
Are you a genuine heifer? You're thinking, are you a real heifer? Are you really a heifer?
MARIA VARMAZIS
You don't look like a cow to me. And then at the end they're like, please give us money, I need your info, your financial info.
And I'm just like, oh, that could be getting really hurt right now. Yeah, yeah, just please. 'Give us money for charity, I promise it's legit.
You have no way of knowing whether I am or not. I'm just a total stranger on the street asking for your info.'
CAROLE THERIAULT
Well, they normally have ID in the UK at least, but at the same time, like, how would I know that's valid?
GRAHAM CLULEY
Yes, of course, anyone can print out some ID.
MARIA VARMAZIS
Just hold a clipboard and you look really official, right?
GRAHAM CLULEY
Well, look, this is all very interesting, but what you are describing are tricks where you come into physical contact with your target.
And I would imagine many criminals are a little bit nervous about doing that because of the chances of getting punched on the nose or having the police come and grab them.
So like to do it over the internet. And there's a variety of ways in which you could try and scam someone remotely.
You could call them up pretending to be their bank, for instance, but they might get suspicious about that.
It would be so much better and easier if you were a bad guy if the victim called you up.
So you could email your intended victim pretending to be the bank and ask them very politely to call you. But again, there's so many scams out there.
Some folks are likely to find that a little bit fishy as well, aren't they? You know, if you get an email out of the blue saying, oh, can you give us a phone call?
There's a problem with your account. Call us on this number. You might be suspicious.
So wouldn't it be great if it was the victim's idea to call you up in the first place, thinking that your phone number was the real number for the bank? Wouldn't that be ideal?
MARIA VARMAZIS
That's a long con. You got to admire that.
CAROLE THERIAULT
That's okay. How did they do it? I want to know how they did it.
GRAHAM CLULEY
Well, in the old days, Carole, the technique you could use is you could burgle people's houses and replace their telephone directories. And so in the telephone directory—
MARIA VARMAZIS
Oh, so simple! Print it up. Okay. You gotta be really comfortable with publishing software.
CAROLE THERIAULT
With one ad on page 396 having a different phone number.
MARIA VARMAZIS
The spine of the book correctly bends so that page just falls open. Hint, hint!
CAROLE THERIAULT
Very clever.
GRAHAM CLULEY
So you could produce fake telephone directories. But today, of course, no one uses a telephone directory today, do they?
MARIA VARMAZIS
As a doorstop to put my monitor on. I get them every year. They don't stop coming. What am I supposed to do with them?
GRAHAM CLULEY
They've stopped producing them over here, I think, because the trees were beginning to complain about it.
MARIA VARMAZIS
Oh, we don't care about trees in America, do we?
GRAHAM CLULEY
Well, today, the technique you could use is you could edit Google Maps.
You see, a lot of people use Google to find out a bank's phone number rather than going to the bank's own website or, you know, I don't know, looking—
CAROLE THERIAULT
What, they use Google Maps instead of Google Search?
GRAHAM CLULEY
Well, the thing is, Carole, when you search for something on Google, you don't just get your regular search results.
If you look for, for instance, a bank branch, it's quite likely that you will also get a result from Google Maps as one of your search results, which may give the opening times of that bank or restaurant or whatever it is, and the phone number as well.
CAROLE THERIAULT
Okay, I'm going in. All right, so I'm seeing your page at the moment.
On the right-hand screen of your search result, you have a bunch of information about a bank, including a Google Map location finder.
GRAHAM CLULEY
Yeah. And including, I mean, it's got these little bit of metadata. So it's got the address, hours open, and the phone number as well.
And an option to suggest an edit should any of that information be wrong. Now that's the thing. Google Maps in its wisdom allows folks to edit an organization's contact details.
Now, presumably they're allowing users to generate their own content to try and make the information provided by Google search better.
But if the organization's phone number has been changed to that of a scammer, then the scammer is going to start getting phone calls which people intended to go to the real bank, aren't they?
And so don't be surprised if you think you're ringing up your bank and you're being asked to confirm your password, your bank account, your credit card numbers, your birthday, your PIN, your CVV code.
CAROLE THERIAULT
Oh, come on. I think most people would be wise to the fact that you don't share your PIN number with anyone.
GRAHAM CLULEY
You would hope so, wouldn't you? But social engineers can be awfully crafty. And there will be some people, maybe more vulnerable members of society, who might fall for exactly that.
Oh, yes. Let's just blame people, shall we?
MARIA VARMAZIS
No, no, it's interesting.
CAROLE THERIAULT
No, no, brains as well as people that are vulnerable could be duped by this.
MARIA VARMAZIS
Only stupid people get phished, right? Only stupid people.
GRAHAM CLULEY
Normally, Carole, you're the one who sticks up for the dolt heads, and I'm the mean guy.
MARIA VARMAZIS
And yeah, everything is topsy-turvy now after episode 100. I really don't know what's going on. What has happened?
GRAHAM CLULEY
Now, police in India, in Maharashtra. Oh my goodness.
MARIA VARMAZIS
Maharashtra.
CAROLE THERIAULT
Maharashtra.
GRAHAM CLULEY
Hello. Maharashtra, absolutely right. They say they've had 3 complaints of exactly this happening in relation to the Bank of India in the last month alone.
CAROLE THERIAULT
And so there's no real reason to believe... it's hardly an epidemic.
MARIA VARMAZIS
Oh, Carole, this is pooh-pooh to you too.
GRAHAM CLULEY
Just wait till your story comes round. All right.
MARIA VARMAZIS
I'm not saying all over that.
GRAHAM CLULEY
This is 3 complaints. How many people might have rung up and may have given information and may still not realize they weren't talking to the real bank?
How many people may have rung up and found it suspicious and just hung up and didn't think to go and contact the police? But 3 people—
CAROLE THERIAULT
Standing down, buddy, standing down.
GRAHAM CLULEY
And there's no reason to believe it might not be happening in other parts of the world too. It's unlikely to be purely an Indian problem, right?
So what should you do about this?
Well, you can use the bank's official website to find the contact details of your local branch rather than necessarily relying on what your search engine gives you.
And Google, for its part, says, well, you know, we allow people to suggest edits in order to keep the information up to date, but we do recognize there may occasionally be inaccuracies or naughty malicious edits suggested by them.
And we do our best to fix these as soon as we're informed. So frankly, they're not doing anything. Now, this isn't the only problem we've seen with Google Maps.
Do you remember there was this thing which used to exist called Map Maker, where you could plot your own paths around the world and walkways and things like that?
I think it doesn't exist anymore, but one of the ways in which we saw that abused, if you remember, is people sort of painted paths onto Google.
There was a famous one of the Android robot peeing onto the Apple logo.
CAROLE THERIAULT
Yes. So they were doing, yeah, they were doing kind of sketches. They were doing sketches.
GRAHAM CLULEY
They were doing sketches. So it was miles wide of this thing pissing on Steve Jobs's apple.
CAROLE THERIAULT
There was a big penis as well.
GRAHAM CLULEY
Well, I didn't spot that one at all, but—
MARIA VARMAZIS
The important details, the important details.
GRAHAM CLULEY
And there was once someone who actually claimed to have opened a snowboarding shop on Pennsylvania Avenue, home of the White House, actually right in the middle of the White House.
And they called it Edward's Snow Den.
CAROLE THERIAULT
Oh, get it? That's so clever.
MARIA VARMAZIS
Oh my God.
CAROLE THERIAULT
How did they come up with that?
GRAHAM CLULEY
Edward's Snow Den.
So, so I think, I think what we're really saying here is user-generated content can be a fantastic way to create obviously lots and lots of content, but you can't always rely upon it.
And of course, Google's business relies so much upon information that other people are giving them. So be careful out there, folks.
MARIA VARMAZIS
It's frustrating if the map is legitimately wrong, though. Have you ever had to try and fix Google Maps when it lists something incorrectly, legitimately wrong?
GRAHAM CLULEY
Oh, really hard.
MARIA VARMAZIS
It's super hard to get them to fix it.
GRAHAM CLULEY
What sort of mistake did they make in your experience?
MARIA VARMAZIS
So my parents' house is incorrectly listed. The address and the actual house are incorrect. So unfortunately, even emergency services nowadays seems to rely on Google Maps.
So when an ambulance was called to my parents' house years ago, they couldn't find my parents' house. It was— and this was two years ago.
GRAHAM CLULEY
It's not that they have an entry that says Maria's parents' house.
MARIA VARMAZIS
No, but you type in the address and then street address and the number does not align with the actual physical.
CAROLE THERIAULT
Yeah, it's a real problem.
MARIA VARMAZIS
Yeah. And I know that there's a problem for a lot of people saying their home is listed incorrectly.
People can't find them or businesses listed incorrectly, the physical space and the map are not aligned. And trying to get Google to fix that is freaking impossible.
GRAHAM CLULEY
You know what they need? You know what they need?
MARIA VARMAZIS
A guy in India.
GRAHAM CLULEY
They need a past Pick of the Week: What3words.
MARIA VARMAZIS
Yes, that actually would be pretty, pretty helpful.
GRAHAM CLULEY
If only the world was using What3words.
MARIA VARMAZIS
Then there'd be no problems whatsoever.
GRAHAM CLULEY
They'd be able to find anything in the world, wouldn't they?
CAROLE THERIAULT
Next story, please.
GRAHAM CLULEY
Maria, what have you got for us this week?
MARIA VARMAZIS
I read a really interesting story in Motherboard just a few days ago about what the FBI has been up to. And they're always doing interesting things, aren't they?
So who fishes the phishers? The FBI does, apparently. So Motherboard did a little digging.
They uncovered some search warrants from 2017 and they found out that the FBI has started to create their own fake versions of websites to try and trap cybercriminals.
So specifically in 2017, the FBI created their own version of a FedEx website to track down the origin and identity of cybercriminals that were basically phishing legitimate companies for huge sums of cash.
CAROLE THERIAULT
So they kind of created this fake online merchant system that fooled phishers into thinking they could legitimately—
MARIA VARMAZIS
I don't think it was as complicated as a merchant system. They didn't go down the entire rabbit hole. But let me give you the setup here.
So basically the FBI was alerted to some criminals that were extorting a crane company in New York State.
And apparently this crane company paid $82,000 to criminals and didn't realize it. And it's a little later for a bunch of birds. No, no, no, no, no. Construction cranes. Oh, man.
Oh, I give that groaner one chuckle.
GRAHAM CLULEY
It's hashtag terrible jokes.
MARIA VARMAZIS
Yes, they make cranes. They make birds. It's a thing.
So when the bird guys figured out they'd been extorted out of money, they called in the FBI, and the FBI just needed to figure out where these cybercriminals were located.
And in order to do that, they used some sort of phishy, P-H-I-S-H-Y, phishy-esque, sorry, I thought that was funny.
Phishy-esque means to get a useful IP address out of the criminals. So what they did was they created an entirely fake FedEx website to scam the scammers.
They sent it to the scammy guys, and they even had the website resolve as "Access denied. This website does not allow proxy connections" to try and get the criminals to drop their proxy.
GRAHAM CLULEY
I thought that bit was really clever.
I thought that was— so of course you can imagine how a website might say, oh, you're running a VPN or you're coming through a proxy. You can't access us for whatever reasons.
CAROLE THERIAULT
Right, right.
GRAHAM CLULEY
But in this case, this website always said that.
MARIA VARMAZIS
No matter what, you got to drop your proxy. It's okay, well—
GRAHAM CLULEY
In the hope that the criminal would keep on trying and think eventually, oh, for goodness sake, I just want to access this page to find out when my payment is coming through.
That's the message they got. And of course, the web server logs were grabbing their information as they did that.
MARIA VARMAZIS
They were. But there were two search warrants for this specific case. So I'm guessing that that first tactic didn't work. But kudos to the FBI for trying. That's pretty clever.
The second thing the FBI did to these same cybercriminals was send the crooks a malicious Word doc. Doesn't that sound familiar?
CAROLE THERIAULT
What are we, 1995?
MARIA VARMAZIS
And yet, so this malicious Word doc had an image in it. So again, doesn't this all sound very, very familiar? It was a screenshot of a FedEx tracking payment for a sent payment.
So the idea is you open up the Word doc, the image loads. I think we all know the yada, yada, yada.
And then the image phones home saying, this is where I'm located, and the FBI nabs crooks. This is 1997 tactics, but I'm guessing that it actually worked. I'm kind of amazed.
CAROLE THERIAULT
I guess you wouldn't even expect it because it's so old.
MARIA VARMAZIS
Well, do you think the criminals are expecting to get this kind of thing their way? I mean, they're the ones usually lobbing it out, but they're not expecting to get it, right?
GRAHAM CLULEY
The thing is, the criminal might be very careful when accessing a web page. So obviously this fake FedEx page didn't manage to fool them.
But they may be less careful when they've been emailed maybe a Word document and they subsequently, maybe hours and hours later, after they've done their surfing, they access the Word document and it tries to drag down an image at that point.
Yeah, I think that's quite a sneaky trick for the feds to try.
But I read the document which has been unearthed, the FBI search warrant, and there's some fascinating details in there as to what was going on.
For instance, once the crane manufacturing company realized that they'd been defrauded and they brought the FBI in, and the scammers came back.
So they initially took $82,000, and then they came back asking for a little more, please. Yes, an additional $138,000.
CAROLE THERIAULT
We hand out one tiny little payment, just a little bit.
GRAHAM CLULEY
Obviously, the company was now onto it. And so the FBI said to them, we'll stall them, stall them.
MARIA VARMAZIS
And so do a dance or something.
GRAHAM CLULEY
And so Margaret, her name was Margaret, who worked in the accounts department, she said, well, look, well, what she wrote back to the scammer was, oh, you know, there's been a bit of a delay sorting out your check because the printer we use to print out checks which we send people is broken.
MARIA VARMAZIS
And that's very plausible. That's so plausible though.
GRAHAM CLULEY
And there's a part missing and we have to have it delivered. And the fraudster kept on emailing, still posing as the CEO. Surely this payment must be made by now.
The printer should have been fixed. Please advise.
CAROLE THERIAULT
And then he was saying, please advise.
GRAHAM CLULEY
And then he was saying, I'm having trouble with the web link, you know, he didn't go into details as he explained it was the VPN proxy problem, but he said, "Oh, just give me the information.
I don't need to go and visit the dark web." Oh, that's great. And poor old Margaret was saying, "Well, it works for me. I've tried it from my home computer." Oh, this is so great.
CAROLE THERIAULT
Good Margaret.
MARIA VARMAZIS
Good for you, Margaret. She's got a future in law enforcement.
GRAHAM CLULEY
So good for her for trying. But there are other fascinating details regarding this case.
MARIA VARMAZIS
Oh, I'm gonna have to do some deeper digging in that. That sounds pretty interesting.
GRAHAM CLULEY
Well, one of the things is that the checks, apparently, some of them were being mailed to this woman who, on behalf of a guy who she met on Match.com, was having some kind of relationship with, who claimed to be in Afghanistan a lot working for the army, but also had business interests in Australia.
She was kind of getting the money, transferring it into his bank account, and then moving it into an Australian bank account.
MARIA VARMAZIS
There's a whole soap opera angle to the story. I had no idea. What?
GRAHAM CLULEY
And I think, I think that whole relationship had basically been set up by this guy who probably wasn't in Afghanistan. You've got to be kidding me.
I wonder if he had multiple women around the place.
MARIA VARMAZIS
Oh my God, there's a whole catfishing thing. Some really bored crook. This is, I'm on the computer all day, might as well catfish some ladies. Wow.
CAROLE THERIAULT
Okay, but I have a question. I have a question.
What do you guys think about the feds using dodgy tactics? Should they try and stay within the realms of—
MARIA VARMAZIS
Is it dodgy?
GRAHAM CLULEY
Yeah, that's the thing. It wasn't a booby trap. Well, the Word document, for instance, it didn't contain malware.
I think if it had contained some malicious code which had run on people's computers, and they were quite careful in the search warrant to say it's not going to do that, and we're not going to take screenshots of the computer or anything like that, we're simply gonna get the IP details and the browser details.
MARIA VARMAZIS
Yeah, the whole thing is that the feds don't want to accidentally entrap an innocent party while doing this kind of thing.
CAROLE THERIAULT
They set up a phishing website.
MARIA VARMAZIS
Yeah, but all it did was grab someone's IP address.
GRAHAM CLULEY
They also made it a phishing website.
MARIA VARMAZIS
It's fishy, but not phishing.
Unknown
Okay, fair, fair.
GRAHAM CLULEY
If anyone's going to complain, actually, I wondered what FedEx might have felt about it.
MARIA VARMAZIS
They have no comment. Yeah.
CAROLE THERIAULT
That means they are pissed off.
MARIA VARMAZIS
That or they are actually involved and they can't comment because it's a law investigation and they're not allowed to. It could be either or.
GRAHAM CLULEY
I would think there's a security team at FedEx and one of their jobs will be looking out for phishy domains which get created and getting them shut down because it obviously damages their brand.
But when there's a legitimate law enforcement reason to create one, presumably they have to be involved so that they turn a blind eye to the cause.
CAROLE THERIAULT
It would feel quite gross if they were not involved.
MARIA VARMAZIS
I imagine that would be a problem if they weren't. I would love to hear the war stories from them on that, if that was ever leaked. That is interesting, isn't it?
To divulge, that is neat.
Well, the sort of key thing I wanted to convey after all, we went down that fascinating path though, I'm kind of amazed, was that this is kind of new for the FBI to be doing stuff like this for crooks that are basically just taking money, 'cause they've been doing stuff like this for child pornographers and violent guys for quite a while.
So there was a story I covered a while ago about a guy who was sending bomb threats in the town I lived in, and the FBI did all sorts of cool stuff to track him down.
But basically, as of the end of 2016, the US Justice Department amended what's called Rule 41, not Rule 34, Rule 41, which lets judges sign warrants for computers outside of their district.
So now law enforcement in the United States can basically, and I use hack lightly here, hack a criminal's computer wherever they're located.
It does not have to be in their jurisdiction.
So we're going to see a lot more of this kind of stuff from now on, and that's probably the reason why Motherboard went after this 2017 story.
We're going to be seeing a lot of this, so keep your ears tuned for that.
CAROLE THERIAULT
I know nothing of this, okay? I'll do some digging after the show.
MARIA VARMAZIS
Yeah, especially if there's a little catfishy angle. It's salacious.
All right, well.
GRAHAM CLULEY
It was right. I know, I was just reading this thing and I thought, "Cool, crap. There's all this stuff that Motherboard hasn't written about here.
I'm really interested in this bit." The juicy bits.
MARIA VARMAZIS
Yeah, come on.
CAROLE THERIAULT
Buy the Daily Mail. Oh my goodness. Oh my.
GRAHAM CLULEY
Didn't want to go down there, did we? Carole, what's your story?
CAROLE THERIAULT
Well, now that the freight trains that are Thanksgiving and Black Friday have rumbled past, I say thank God, sayonara.
I'm very sorry to say this, we have entered the realm of Christmas time.
Yes, welcome, welcome, welcome Christmas time.
MARIA VARMAZIS
Do you know it's Christmas time at all?
CAROLE THERIAULT
But it seems to have turned into this expensive, stressful, and maniacally retail-esque time of the year, isn't it? And I feel for you parents out there.
I mean, I sometimes find it a bit overwhelming and tedious, but you guys have it so much worse.
I mean, the list of stuff you guys have to do to feel like Christmas is successful is mind-blowing.
GRAHAM CLULEY
Just get over yourself.
CAROLE THERIAULT
Festivities, the cooking, the baking, school plays, festooning the house with lights and trees and all this stuff.
People even put up blow-up Christmas and Santas in their front gardens.
GRAHAM CLULEY
Oh, for goodness' sake.
CAROLE THERIAULT
And then there's the present buying, right? You parents are literally crazy in stores. And I'm— no offense, but OMG, right?
Especially when there's a particular toy that everyone needs to get their hands on. Now, the toy earmarked this year for— to incite the Christmas crazies is this Fingerling.
Have you guys seen this?
MARIA VARMAZIS
No, no, that sounds terrible. That's a kind of potato, isn't it? Okay, it is. That's what it is. It's a fingerling potato.
GRAHAM CLULEY
I remember the days when you would be given a potato for Christmas and you'd be told to be happy about it.
MARIA VARMAZIS
In the old country. In your shoe, right? A potato in your shoe.
CAROLE THERIAULT
So this year is this Fingerling. This is a plastic 5-inch tall baby monkey. Made by the company called WowWee.
And these are not the words I would use to describe this grotesque, plasticky, interactive concoction that retails for about a tenner, and that's its sale price.
MARIA VARMAZIS
Oh, it's only a tenner for a 5-inch wriggling. Okay, that's—
CAROLE THERIAULT
Do I sound like a Grinch here?
GRAHAM CLULEY
A Grinch? Yes. Carole, I can't believe— what's your problem with Christmas?
What's your problem with kids having a little bit of fun with a 5-inch piece of plastic in the shape of a monkey? Well, I mean, really, Christmas is fantastic.
You should love Christmas. I wish Christmas was every— It'd be fun. We should do it more often because, you know, spread a little bit of joy.
There's enough misery in the world, isn't there? Okay, come on.
CAROLE THERIAULT
Yeah, I just did all that to intro my topic of Grinch Bots. Smooth, see?
GRAHAM CLULEY
Oh, what's a Grinch?
CAROLE THERIAULT
Ah, I thought you might ask. Well, let me tell you, it is definitely not in the spirit of Christmas unless your name is Scrooge.
Grinch Bots, also known as Toy Bots, made headlines last Christmas.
Now, these are bots that are used by resellers to hoover up all the inventory of hot ticket items like the Fingerling thingamajig, and then they try and resell them at extraordinarily inflated prices.
MARIA VARMAZIS
Oh, fuck those guys. That sucks, right?
CAROLE THERIAULT
So in other words, these resellers are using cyber Grinches to game the online.
MARIA VARMAZIS
Are these the guys that buy the consoles every year, the NES or the Super NES thing?
CAROLE THERIAULT
Exactly, isn't it the spirit of Christmas?
Now, the thing is, these bots are super fast, way, way faster than a person on a computer buying a present.
You know, you peruse, you read a review, you shop around, then you put it in the cart. And when you finally get to buy it, the 100 or so they had in stock is poof, all gone.
MARIA VARMAZIS
Happy Christmas.
CAROLE THERIAULT
Yeah, exactly right. So a few senators in the states are trying to stamp down on this shitty practice.
This past Black Friday, you know, in a well-timed release from Senators Tom Udall, Richard Blumenthal, and Chuck Schumer, and U.S. Rep. Paul Tonko, they announced the introduction of the Stopping Grinch Bots Act of 2018. That's a bit of a mouthful. You try and say it.
GRAHAM CLULEY
Stopping Grinch Bots Act of 2018.
MARIA VARMAZIS
The Stopping Grinch Bots Act, the SGBA. That's not a very good acronym.
CAROLE THERIAULT
It's a pretty descriptive title, right? Seeing as it's all about cracking down on Grinch Bots and stamping out the practice.
So the U.S. Rep. Tonko said in a statement, the American people should be able to spend the holidays with their loved ones, not be forced to camp out at store openings and race against an automated buying algorithm just to get an affordable gift for their kids.
GRAHAM CLULEY
And, well, no one's forcing them to camp out, are they? You don't have to do that. You can just give your children a potato.
Or one of my preferred methods, particularly if your child is quite young, maybe not going to school yet, is just lie about when Christmas is.
MARIA VARMAZIS
Because they don't know what day it is. Yeah, that's true.
CAROLE THERIAULT
If you think your average 6, 7, 8-year-old doesn't know it's Christmas.
GRAHAM CLULEY
Well, maybe 6 or 7, but under about 5, I think they haven't got a clue what even months or weeks are.
MARIA VARMAZIS
Yeah, but are you buying a 5-inch Fingerling for a 3-year-old? No.
GRAHAM CLULEY
No, probably not.
CAROLE THERIAULT
Now it's funny, Graham, you say the whole thing about a potato because that was my idea.
Why don't you parents get off the crazy buy buy buy Christmas train and make gifts instead for your little ones, right?
A little felt book cover, or sew them some pants, or knit them some socks, or build them a birdhouse.
GRAHAM CLULEY
Spoken like a true non-parent who doesn't understand the look they would get from their child of, how did I end up with this parent? What a load of rubbish this family is.
CAROLE THERIAULT
So then we come back to the fact that you guys are insane and you are going to be going crazy this Christmas time yet again and lining up to buy things like this Fingerling, Bobby.
GRAHAM CLULEY
We are insane. We bred. We've been taken to insanity by our children not letting us sleep, or through toddler jet lag on the way back from Japan, or whatever.
Yes, of course we're insane. Just let us spend some money, right? And they will get 3 minutes amusement, at least out of the packaging of the box, if not the contents of the box.
And that'll be it. But stop being such a Grinch at Christmas.
CAROLE THERIAULT
So, Graham, you remember you were talking about ticket bots earlier?
Well, that was signed into law by Obama, a law called the Better Online Ticket Sales Act, or the BOTS Act, Maria, in 2016.
MARIA VARMAZIS
Oh, see, you got to have a good acronym. House of Cards taught me that, it's important.
CAROLE THERIAULT
Exactly.
GRAHAM CLULEY
Obama was brilliant at the acronym. So I think that one we like.
CAROLE THERIAULT
So the SGBA—
MARIA VARMAZIS
Tremendous—
CAROLE THERIAULT
would apply the structure of the BOTS Act to e-commerce sites.
So basically it would take advantage of what they've already been able to do with that act, which is actually they seem to have stamped out on a lot of tickets.
MARIA VARMAZIS
What's next, though? Are they going to start disabling eBay sniping going back to 1997 again? I mean, come on.
eBay sniping is a proud tradition that I look forward to passing on to my daughter. I mean, come on, if eBay even exists when she starts using the internet.
CAROLE THERIAULT
So guys, if you find the present that your kids want is disappearing off the shelves, think about these Grinch bots and support acts like this that are going to try and stop these greedy efforts from getting away.
GRAHAM CLULEY
No, no, no, no, no, don't think that.
Instead, think about how miserable your childhood could have been if Carole was your mother and all she'd given you was a pair of sewn-up trousers or a raw potato and said, get on with it.
There you go, happy solstice, enjoy your potato. Fantastic. Well, nice one, Carole. Nice one. You're—
CAROLE THERIAULT
So me wanting to make something with love and care, you're turning into—
GRAHAM CLULEY
It's not going to be appreciated, Carole. It's not going to be appreciated. You're in cloud cuckoo land right now. It's absurd. And welcome back.
And you join us on our favourite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
MARIA VARMAZIS
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they like. Doesn't have to be security-related necessarily.
CAROLE THERIAULT
Please don't be this week.
GRAHAM CLULEY
And mine is not security-related necessarily this week.
MARIA VARMAZIS
Necessarily.
GRAHAM CLULEY
Mine is, it is, it is not even celery, which is another gift which Carole would probably give people.
MARIA VARMAZIS
I would gladly take some celery.
GRAHAM CLULEY
As a present. Here's a piece of celery.
MARIA VARMAZIS
I need celery. I'm making a lot of soup lately and I need celery.
CAROLE THERIAULT
It's true.
GRAHAM CLULEY
Well, instead of celery, my pick of the week is the Internet Arcade. Which is run by our good friends at the archive.org, and they have a gallery of over 1,700 retro arcade games.
Some of them for your computer, some of them might be for arcade, and you can play them online inside an emulator. And it's wonderful.
This is what people need, Carole, not a potato or a stick of celery. They need something like this. And it also includes the greatest game ever written for Microsoft DOS.
I'm sure you know what one I'm talking about.
MARIA VARMAZIS
Maybe Mavis Beacon Teaches Typing?
GRAHAM CLULEY
No, not Mavis Beacon Teaches Typing. I am referring to Alley Cat.
CAROLE THERIAULT
Oh, come on.
GRAHAM CLULEY
Do you remember Alley Cat? Yes!
CAROLE THERIAULT
It's not a great game.
GRAHAM CLULEY
I'm sorry, Alley Cat is a great game. It is a great game, and it also has the greatest theme tune of any game ever. I love the theme tune of Alley Cat. It's a very entertaining game.
CAROLE THERIAULT
I will give you the theme tune. The game, entertaining?
GRAHAM CLULEY
Yes, I've spent many a long hour playing Alley Cat.
CAROLE THERIAULT
Well, that explains a lot.
GRAHAM CLULEY
Anyway, my pick of the week is the Internet Arcade. You don't have to play Alley Cat.
There are other fine games there, including some maybe which yours truly may have written as well. But go and check out The Internet Arcade.
MARIA VARMAZIS
Productivity is gonna go to zero.
CAROLE THERIAULT
Nice curve ball promo there.
GRAHAM CLULEY
Maria, what's your pick of the week?
MARIA VARMAZIS
So my pick of the week is primarily a shout out to the team at NASA because they just landed something on Mars this week, which I think is just amazing.
GRAHAM CLULEY
Freaking awesome.
MARIA VARMAZIS
They haven't done that for a little while, and it's harder than the moon landing, and yet nobody tunes into it anymore.
Everyone's like, yeah, we're just on a different planet, no big deal. So they landed the InSight earlier this week on Mars, flawlessly. And I quite enjoyed watching the process.
I was watching the landing coverage with my mother, but of course there's no cameras following the InSight as it lands. So it's just people in Jet Propulsion Laboratory cheering.
My mom's like, oh, this is really boring. When do we see it actually land on Mars?
I'm like, we don't. There's no cameras. There's no cameras following it around.
But yeah, so what my specific pick of the week pick is, is this awesome comic done by The Oatmeal, who you probably have heard of.
I thought it was a fantastic example of how to get the world interested in the cool things that we're doing in space.
So The Oatmeal did this great comic about what the InSight mission does, how it works, why it's important, why we're doing it, and it got a lot of people hyped about it.
Frankly, it's got me hyped about it. I forgot it was even happening. So it's a really cool comic.
It's very entertaining, extremely easy to understand why InSight was gonna and did land on Mars and what we're gonna learn from it.
So it's a really fun thing, and I hope people enjoy it.
CAROLE THERIAULT
It's very beautiful. I'm just looking at it right now.
MARIA VARMAZIS
And honestly, if you go to the InSight Twitter account, it's twitter.com/NASAInSight right now, and I'm sure for a while there's a photo that InSight took from the surface of Mars that is just breathtaking.
It's so—
CAROLE THERIAULT
We'll put that—
MARIA VARMAZIS
Oh, I love it. It's amazing to think that's on another planet. I'm just so nerdy. It's so cool.
GRAHAM CLULEY
It's a great comic strip, and you know, which is right that it's great, isn't it?
Because what an incredible achievement to get something like that all the way to another planet and land it safely and then begin to have it send in information.
MARIA VARMAZIS
Complicated. It's super complicated. Imagine—
CAROLE THERIAULT
Oh, I can't— that's the problem, I think. I think it's even too big for me to marvel at because it's just too crazy.
GRAHAM CLULEY
Like, Carole, you've done an Excel pivot table before, haven't you? You've done a pivot table.
MARIA VARMAZIS
You can read this comic and it explains it beautifully.
CAROLE THERIAULT
I got this.
MARIA VARMAZIS
Seriously, the comic will explain it really well. It's really easy to understand.
CAROLE THERIAULT
No, I'm not— yeah, I can read the comic. I was talking more about actually getting to Mars.
MARIA VARMAZIS
It's a marvel of human engineering, and I think there, kudos to NASA, right? I would agree with you there.
CAROLE THERIAULT
Definitely, definitely.
GRAHAM CLULEY
From that tremendous human achievement to Carole's suggestion of all of the things which she's seen in the last week, all of the things which she's encountered, everything she's read about.
CAROLE THERIAULT
You had a sneaky peek at my idea.
GRAHAM CLULEY
What have you got, Carole? What have you got for us?
CAROLE THERIAULT
This morning, yes, I messaged you with this Fast Company link about how someone was lamenting the loss of the iPhone headphone jack.
MARIA VARMAZIS
And so on board with that article. Yes. Yes. Right. Sorry. I'm really passionate about that too.
CAROLE THERIAULT
Yes, many of us, I was going to say, including me, can't get over it. And I think you voiced exactly my feelings inside, Maria. That's exactly how I feel.
And so I therefore cater my little baby, my old headphone jack-sporting iPhone, right?
Hoping it stays alive long enough for Apple to wake up and go, oh, wow, people do want a headphone jack.
Anyway, I'm looking at Reddit and this poster, RushATGC, writes that they're a student and they had to come up with a cheap idea to be able to use headphones.
CAROLE THERIAULT
Because the dual adapters are really expensive, right? They're heavy to carry and they're not that reliable, he says, or she says, we're not sure.
So simple and cheap and very reliable solutions for phones without a headphone jack. You need your old wired headphones. You need a Bluetooth receiver.
Okay, they go, they run for about $10, $15, and you need a 6-inch USB-C male to micro USB male cable. In other words, a USB cable, and that's it.
MARIA VARMAZIS
And that's it.
CAROLE THERIAULT
Okay, well, think about it though. You never run out of battery on Bluetooth receiver because you can charge it from the phone itself, right?
Battery lasts 3 to 4 days in the receiver. That's a lot better than most Bluetooth headsets. Yeah, I know, I know.
I'm not saying, I'm not saying this is better than having the old headphone jack back.
GRAHAM CLULEY
Sorry, Carole, I'm a bit confused. You got a bit technical for me, I'll be honest. So you've got regular headphones.
CAROLE THERIAULT
You've got regular earphones.
GRAHAM CLULEY
And they don't plug into the phone, they plug into—
CAROLE THERIAULT
Your Bluetooth receiver. So you would take your normal headphones, plug it into the Bluetooth receiver, the Bluetooth receiver interacts with your phone.
GRAHAM CLULEY
Oh, so the phone is sending the music or whatever, or hopefully a podcast, from your phone via Bluetooth to the Bluetooth receiver which is plugged into your earphones?
CAROLE THERIAULT
Yeah, now it's, it's kind of a workaround. It's a workaround. They're saying it's great because it's super cheap, it's super ultra lightweight.
If you look at the Bluetooth receiver, it's very small. It's an insane solution, but it costs just a few bucks, right?
GRAHAM CLULEY
It's not that insane. It sounds quite sensible to me.
CAROLE THERIAULT
And if you're a student, right, you don't have $150 lying around.
MARIA VARMAZIS
It's cheap.
GRAHAM CLULEY
And presumably if you are the owner of a car which still requires a 3.5-inch, you know, a little wire, a millimeter wire to plug your phone in and you've now got something which you can't, you could do the same thing, couldn't you?
So if you don't have a Bluetooth-enabled car, why don't you go and get one?
CAROLE THERIAULT
I'm going to get one. I never even thought about that. Thank you very much for the idea. See, this was a great pick of the week.
CAROLE THERIAULT
Yeah, I'll let you know how I get on.
MARIA VARMAZIS
It's completely free for me to complain about the lack of a headphone jack though. It's free to complain.
CAROLE THERIAULT
Honey, I'm with you 100%. I think Graham's on this bus as well. I hate it.
GRAHAM CLULEY
Oh, I'm not buying a phone which doesn't have a headphone jack. Me too. I care more about the headphone jack than I do about the home button disappearing.
CAROLE THERIAULT
That might be because we're addicted to podcasts.
GRAHAM CLULEY
Possibly. But, you know, I'm pretty annoyed about the fact that Touch ID has disappeared from modern iPhones. You have to use Face ID. But the lack of a headphone jack is even worse.
What's going on at Apple? Why are they so obsessed with skinniness or whatever it is?
CAROLE THERIAULT
I think we know what happened at Apple.
MARIA VARMAZIS
It's all since Steve Jobs died. Really? Is that where we're from?
GRAHAM CLULEY
Yeah, I think that's where she's going. Well, that just about wraps it up for another week.
CAROLE THERIAULT
Not quite, Mr. Cleverley. We have special bonus content this week. We did a little cheeky interview with Rachael from LastPass, and we're gonna slot that in right here.
She is hilarious. You'll see. Take a listen. And thank you once again to our wonderful sponsors, LastPass. This is a special interview with LastPass's Rachael Stockton.
Welcome to the show, Rachael.
Unknown
Thank you so much for having me.
GRAHAM CLULEY
Now, we've brought you on board because LastPass, of course, are experts when it comes to subject of passwords. Are you an expert when it comes to passwords?
Do you find your friends and family are always asking you for password advice?
Unknown
Yes. You know what? I think I am an expert on passwords. I've definitely moved on from my password years ago being my dog's name, which is a whole other podcast about my dog.
But also, you know, I've been using password managers now for years, and that's helped me up my password game.
But one of my favorite things to do though, guys, and if we're ever at a party, I'm totally doing it to you, is going in and asking people just small talk, you know, hey, what was your first pet's name?
What high school did you go to? And then turning around and guessing what their password is. So I'm also a little bit of a magician.
CAROLE THERIAULT
Has that worked? Have you ever actually caught people out doing that?
Unknown
Oh, totally. Really? Yeah, people want simple passwords. It's a huge challenge.
GRAHAM CLULEY
And I think the thing is, even if people aren't using those as their passwords anymore, they might be using those as their password reminder questions.
You know, those security questions you get asked when you create accounts.
So if someone wanted to break into your account, they might pretend to be you and say, oh yes, of course I remember the name of my first pet, or the first road I lived on, or my mother's maiden name.
Unknown
Yeah, definitely. You know, you find out somebody's first pet and maybe the year they were born, boom, you're into so many things right now.
CAROLE THERIAULT
Now, maybe we should get Rachael to tell us what she actually does at LastPass, Graham.
GRAHAM CLULEY
Yeah, what do you actually do? I mean, come on, it's just passwords. What is there actually to do?
Unknown
Oh my gosh, there's so much to do. So I focus on product marketing. And so what that means is really understanding what's happening out in the market.
You know, what are people doing when it comes to passwords? Why are they still reusing passwords?
Figuring out how we can move people to understand there are better solutions to keep them safer and trying to get that into their hands.
CAROLE THERIAULT
Do you think that password managers, does everyone know that they exist, or do you think there's still a huge learning curve in actually introducing the whole concept to people?
Unknown
Question nails it. There is definitely still a huge learning curve to understand that there's a solution to one of the problems that sort of plagues everybody. Security.
Everybody gets frustrated when they can't remember a password, so they write it down or they use something simple.
And I think the majority of people out there don't realize that there are solutions out there that literally will do this for them. They'll remove all of that pain.
CAROLE THERIAULT
If you looked at a password, right? If someone gave you some password examples, would you be able to say that's a rubbish password or that's a great password?
Unknown
So in a way, yes. So for example, you give me a simple dictionary word password, no, of course.
But you give me this really complex password, if you're still using that in all of your applications, then that's a rubbish password. So it's not just the word, it's how you use it.
GRAHAM CLULEY
And how, of course, you reuse it. So you might have a really strong password, but if you're using it in more than one place.
Can you explain what the danger is there for those people who haven't quite cottoned onto that one yet?
Unknown
Sure. So if you're using the same password in many different locations.
So in your personal life, so let's say it's on your Facebook and your LinkedIn and all of your different retail accounts and your bank.
When one of those gets breached, and I say when because we do know breaches are just going to happen, they're going to be able to get that information.
And then what those hackers end up doing is they try that username and password on all of these other sites and they're able to access that.
And I think thinking about it in your personal life and the impact of that is one thing. But what we have also found is that people are reusing the same password at home and work.
So people are able to find out more information about the passwords that they do have, and then they're actually able to take this to an enterprise level, right?
And so by reusing passwords in your daily life and in your business life, you're actually putting your business and company at risk too.
CAROLE THERIAULT
And do you think most people know that they should never reuse the same password? But they're probably thinking, okay, how am I supposed to remember unique passwords for each one?
Unknown
So we did this survey. So I love psychology. I love the why behind stuff, what's the catalyst that makes people do things.
And people are like, okay, 72% are saying, "I understand password best practices." All right, great. But almost 60% are still using the same password. So, it's kind of like flossing.
We know, we know we should be flossing. We know it. We've been told it.
GRAHAM CLULEY
But it's so boring. Flossing is so tedious, isn't it?
Unknown
Oh, it's so tedious. And this dental survey, okay, so I know this is a little off topic, you guys don't eat mango enough. That's all I'm saying.
But so then this dental survey comes out, right? And they find out that only 30% of people actually floss every day.
And I mean, no surprise. I mean, I don't have a dentist appointment in a week, so I'm going to floss crazy for a week.
CAROLE THERIAULT
Make sure the gums stop bleeding.
Unknown
Yeah, it's the same thing. And it goes back to your initial question, to be honest, about do people understand that there is something that can help them with this?
Being safe with your passwords can be really hard if you're trying to do it on your own. If you're trying to create that algorithm, if you're trying to keep track of it in Excel.
But if you have some kind of solution that can generate it for you, save it for you, and fill it for you, my God, that makes it so easy.
CAROLE THERIAULT
So this is a problem that impacts not just the at-home user, but also companies, right? It's on both sides.
Unknown
Yeah, definitely. It impacts both.
And as I said, with password reuse, between business and personal, that really raises the bar to the impact your choices can be having on your organization.
GRAHAM CLULEY
So why would a company look for an enterprise password management solution rather than just rolling out a consumer version onto all of their computers?
Unknown
The big one that I say is control.
When you're looking at an enterprise password management solution, really want to be able to set policies, ensure that people are managing passwords the way you want them to be able to do.
And so if you have an enterprise solution, you're able to access those policies and apply them. You're also able to gain visibility.
So you have a score that says this is how well my company is doing when it comes to their password.
And that takes into account things like password reuse, password complexity, security, the use of two-factor authentication, which is a whole episode in and of itself.
And so you're able to see, okay, here are the areas for improvement, and then target the departments or even the individuals to do that.
GRAHAM CLULEY
Oh, so you would be able to drill down through some sort of dashboard and say, okay, I don't know, for instance, the finance department seem to be reusing a lot of passwords rather than—
GRAHAM CLULEY
Oh, right. And then you have to go there with a cricket bat, wallop them around the back of the head and give them some training.
Unknown
Well, I mean, of course, depending on the country, we might use baseball bats here, and I am from Boston, so it is about the Red Sox, but I'll go with you, Graham.
I'll go with you with cricket.
GRAHAM CLULEY
I love the idea of password managers, and I think they're good for consumers and for businesses.
But one of the responses I often get is people saying, oh, but hang on, how can you trust the password manager? You know, aren't you putting all your eggs in one basket?
So you must hear that all the time. What's your response to that?
CAROLE THERIAULT
Yeah, Rachael.
GRAHAM CLULEY
Yeah, Rachael. Yeah. Come on then. You think you're hard enough?
Unknown
Yeah, it's true. I think that, you know, that we hear that all the time.
And the key piece for, you know, our password manager and for a lot of the other ones out there too is we take this really very seriously.
We have more than half a billion passwords that we have.
We encrypt it, wrap it in aluminum foil, you know, put all sorts of bubble wrap around it, you know, making sure people can't get at it.
But really the key there is that with a password manager, you're given a master password, something that you need to— only you need to have and you need to remember.
And that is actually the secret key that unlocks it. Even the company that has the password manager, in our case LastPass, we can't get access to any of that information.
It's just that master password.
CAROLE THERIAULT
This was going to be my million-dollar question. What happens if you forget your master password?
Unknown
You know what? In the enterprise, using those policies that I mentioned, that organization can help reset that.
And if you're using two-factor authentication, you know, if you're an individual, then we're able to help reset that as well.
But that's one of the biggest challenges still is you still have that one password that you need to remember. And you want it to be a good one.
CAROLE THERIAULT
Yeah, it's the kingdom.
Unknown
It is. But you know what, Carole? That's a really good point though.
I think it's very important that when we're talking about password manager and we're talking about basically those keys to the kingdom that that one master password gives you is you have to be able to protect that with two-factor authentication.
And there are, I mean, two-factor authentication has come a long way, baby.
You know, we're not talking that you have to have a key fob hardware thing that you're carrying around with you all the time.
You know, it can be, you can use our two-factor, you can use your Google Auth, you can use anything, but just use something.
GRAHAM CLULEY
Because everyone these days is carrying a mobile phone around with them anyway.
CAROLE THERIAULT
An authenticator.
GRAHAM CLULEY
Yeah. Which can obviously run an authentication app, whether it be yours or one of the other third-party ones out there, to do this kind of job.
Unknown
Definitely. There's really no reason not to.
CAROLE THERIAULT
So why are you guys better than the competition? There's got to be something. Come on.
GRAHAM CLULEY
Is there any competition, Carole?
Unknown
Yeah, I think it's— there are a few things that we hear from our end users, as well as businesses that separates us.
You know, I think the first thing really just comes down to it works. If you're using a password manager, you don't want it to— you go to a site and then it's not working.
So this is tried true, and we've been around for years. So when you're signing up to use LastPass, you know that it's going to work on all the different sites that you're going to.
So that's number one. I think number two is really the ease of which we're able to generate complex passwords for you.
And so we take even the complexity out of figuring out what's a good enough password out of that equation.
CAROLE THERIAULT
I love that feature.
I totally love that feature of being able to just choose a random password with lots of characters whether they're numbers or letters or even special characters and any length.
It's a really great little feature.
GRAHAM CLULEY
Because if you had to rely on your imagination, Carole, or your puny human brain—
CAROLE THERIAULT
Was that my name that you tried to barf out there?
GRAHAM CLULEY
Sorry. Then you would struggle, wouldn't you? I mean, you would struggle if you had to come up with 15 different passwords or something for all those different accounts.
CAROLE THERIAULT
I would struggle coming up with them, let alone remembering them.
GRAHAM CLULEY
I've got some very good passwords, let me tell you.
On the days before I— I've actually found a piece of paper with some of my old passwords on it, because I very handily wrote them down back. Do you want to hear some of these?
Some of these are quite clever, actually. Okay, so, let me in, obviously.
Unknown
That was your password?
CAROLE THERIAULT
Rachael, I'm sorry. I'm sorry.
Unknown
There was not even a please there. I mean, what do you think you're going to get?
GRAHAM CLULEY
I'm English. It's just, you know, I feel like I have a God-given right to be allowed into the account. I am here. Let me in.
So password 3, which I thought was quite clever because it wasn't password 1, and I thought hackers would give up after password 2, they'd move on. Password 3.
Carole, have you got any— do you remember any of your old passwords?
CAROLE THERIAULT
No, I bet you're gonna say one of yours was S3X, and how good is that?
MARIA VARMAZIS
Oh dear God.
CAROLE THERIAULT
Yeah, I now see what we're dealing with. Now, okay, so Rachael, Graham is getting on in years. I'm worried about a time when he actually has trouble even using a password manager.
Do you recommend for those that do have trouble even with the simplest computer tasks to write them down or never?
Unknown
You know, I think that you're at risk if you write them down.
CAROLE THERIAULT
Yeah, I agree. I know it's so hard.
Unknown
I think it is really hard. And you know what I actually really do, and so I have my dad, he's awesome. Hey, Dad.
And also has thrown more than one computer out, you know, off the table, so he can get frustrated.
You know, I think the great thing about LastPass is it is intuitive, but sometimes, you know, it helps to have a helping hand.
So, we have a lot of different videos, all of that to help people do that.
GRAHAM CLULEY
I'm imagining in the enterprise environment, there are occasions when you do need to share a password with different people. Does LastPass give you an ability to easily do that?
And is that something which could also be used to, for instance, look after elderly relatives who may have more difficulty handling different accounts and different passwords.
Unknown
Sharing is, on the business side, one of the primary reasons people actually start to look at password management.
And when people think about sharing, they often think about sharing IT passwords or things along those lines, but it's happening all over—marketing departments sharing social media passwords, all sorts of tools.
And think about what happens if that password is shared over email, gets in the wrong hands, and then somebody's Twitter account gets hacked.
And so being able to share it ensures that number one, people have access. Number two, they still don't know what it is.
But let's say that somebody leaves, you don't even have to change that password. You can keep it going because they've never known what it is.
GRAHAM CLULEY
Ah, right. So it's— you're sharing access somehow, right?
Right, so it's the— it's LastPass itself running in, for instance, your browser on your desktop, which is filling in the password.
You don't get to see it when you log into accounts, which means that you can't take it with you when you leave the company.
And if you did want to reset the password, that would reset it for everybody.
Unknown
Yes, it would. So you mentioned sharing it among your family and among those elderly relatives. I think that's another use case we really see, another way people are using this.
No offense, nobody get mad, but sharing that Netflix password. How many times are you getting that text or that phone call? Look how apt that was with that phone ringing.
CAROLE THERIAULT
You've got your own sound effects. I'm so sorry. That was me. That's me. Was that you, Carole?
GRAHAM CLULEY
Yes. I thought it was Rachael.
Unknown
No. I was doing my own sound effects, Graham. I'm good. I'm not that good, man.
CAROLE THERIAULT
She's got a cowbell. She's got all kinds of stuff. Wait, you just wait. You just wait.
Unknown
All right, so you asked about sharing when it comes to real people, not businesses, and that's another huge thing.
I mean, first think about how many times you get texted or called for what is the Netflix password. And so you can share that now easily and don't have to get those calls.
And also, if you're going to be grounding your and you don't want them to have it anymore, then you just change it and don't share it. So you get a lot of power that way.
CAROLE THERIAULT
I love that. Yeah. I've never thought about grounding in this day and age, but it must be really difficult, right? Just wait, Graham, a few years. We have to do that sort of stuff.
How are you going to— now that's the way you do it.
GRAHAM CLULEY
My wife already grounds me. What are you talking about? I don't have to wait for my child to grow up.
CAROLE THERIAULT
But being able to share the password and being able to revoke the sharing when you need to do so is quite cool.
GRAHAM CLULEY
All hell is going to break out if that happens.
CAROLE THERIAULT
Well, who wears the trousers in your place?
GRAHAM CLULEY
Oh yeah, thank you very much.
CAROLE THERIAULT
Let's not go there. Now, Rachael, do you think, can you even envision a time when passwords will no longer be necessary?
Unknown
Yeah, you know, 'cause the fact is, in my heart, I would love that to happen because I am lazy. And I don't want to have to worry about passwords.
And I want to be able to get access before I even know I want access, right. So as an individual, that being said, we do need to be able to protect things that matter to us.
And I think what we're probably looking at more now is less the concept of passwords going away, but more of it being layered on.
So being replaced by some sort of biometric access, which really in a way is another password and also has its pros and cons. I mean, you can't change your fingerprint.
CAROLE THERIAULT
Do you feel that there's a preference for fingerprints or for facial ID?
Unknown
Oh, ask me that a year ago, I would've definitely said fingerprints.
But I do think that, you know, as we look at those devices that we talked about, the phones that we literally will turn around if we have lost it and go back and be late to wherever we're going.
As more and more of them are incorporating facial ID, I think you're going to see a preference there.
The challenge is going to be ensuring that you have the same kind of ability to do that on your phone as you do your laptop, as you do your desktop, because what people want is they want consistency.
They don't want to have to do different things on different devices.
CAROLE THERIAULT
So you're not worried, you've got a job for life basically with passwords is what you think?
Unknown
I think passwords and identity are going to be things that we are continually struggling with. So yeah, I'm pretty sure I have a job for life.
CAROLE THERIAULT
And you have a friend for life now. Did you enjoy being on the show?
Unknown
Oh, this is, yeah, this has been great. Friend for life, is that?
CAROLE THERIAULT
Well, I just, I think we're buds now, don't you think?
GRAHAM CLULEY
Oh, that's lovely, isn't it?
CAROLE THERIAULT
Yeah, well, I was just thinking maybe Rachael would want to share her password now.
GRAHAM CLULEY
Yeah, you trust us, don't you?
Unknown
Yep, I'll send that to you right away, Carole.
CAROLE THERIAULT
Pinky swear, I'll share it with no one.
GRAHAM CLULEY
Well, there we go. You're lovely, Rachael, you're very easy to speak to. Thank you so much.
GRAHAM CLULEY
Well, hey, Maria, what did you think of that? Wasn't that interesting to listen to Carole Theriault and me there speaking to Rachael Stockton at LastPass?
MARIA VARMAZIS
Yes, that was fascinating.
GRAHAM CLULEY
You didn't actually hear it, did you?
MARIA VARMAZIS
No, I didn't.
GRAHAM CLULEY
Well, on that bombshell, we really have just about wrapped it up for this week.
If you want to follow us, you can follow us on Twitter @SmashingSecurity - Twitter wouldn't allow us to have a G. And Maria, folks, I'm sure would love to follow you as well.
What's the best way to do that?
MARIA VARMAZIS
Yeah, on Twitter. Twitter wouldn't allow me to have a reasonable last name, so it's M-V-A-R-M-A-Z-I-S, Maria Varmazis. Find me on Twitter, I'm on there, you'll find me.
GRAHAM CLULEY
And if you want merchandise things like t-shirts and Smashing Security mugs and stickers and things like that, go to smashingsecurity.com/store.
CAROLE THERIAULT
Thank you for listening each and every week.
We are thrilled if you like what you hear, and if you want to help us grow so we can deliver more content, all you need to do is help us get the word out.
So tell your friends, wax lyrical on social media, rate us in your podcast apps. All this stuff really, really helps.
GRAHAM CLULEY
Scroll the name Smashing Security in blood on your bedroom wall. Whatever you can do to get the name out there works for us. Please don't do that.
MARIA VARMAZIS
Okay. Tattoo? Maybe a Smashing Security tattoo?
GRAHAM CLULEY
No? Until next time, cheerio, bye-bye.
CAROLE THERIAULT
Bye everyone. Bye. Who's that from?
MARIA VARMAZIS
What's that from? Oh, it's a drag queen.
CAROLE THERIAULT
I'm thinking of a cartoon character. Oh, it reminds me of Frasier. Janice? Was it Janice from Frasier or something?
GRAHAM CLULEY
Oh my God, wasn't she on Friends? Wasn't that Chandler's ex-wife or something? Why do I know? If only we knew someone who knew a lot about Friends. They don't listen to the show.
It seems to me that this could also cause innocent people to be wrongly accused of crimes. Even if it's unlikely, the fact that it could theoretically happen is the problem. In my mind, this is bordering on not following Blackstone's formulation. Nothing new for law enforcement, of course, but it's really a shame. But there's more to this.
It sets a precedent, and if they're willing to do this, what else will they be willing to do? It could cause even more problems in ways that we can't even predict, and possibly even if we knew how far they would go. First they write laws about computer crime, and then they do the same thing – quite hypocritically. But state-sponsored has serious implications. And now this? What will they do next? Malware strongly suspected to be created by states, governments breaking into other governments' computers… I wouldn't say that it's the same thing as MAD, but yet who knows? Could it ever become that or something similar? I'd rather not find out, but when governments behave similarly to criminals it certainly is more perilous (in numerous ways). That governments don't seem to be bothered with this is maybe the scariest part of it – for if they're not bothered, i.e. doing what they want for their own reasons (and in some cases 'agenda' might be a better word), they're less concerned with the implications in the future. That's dangerous. But I imagine this is all contentious too, and that's all the more reason it shouldn't be done, but if it has to be, it should be considered and then discussed. But how do you bring that up without notifying the criminals, some might ask? Well, the only difference here is that it's more dubious; it's not a totally new tactic.
And yes, I imagine that FedEx might have some issues with this name. Understandably, too.