When your every keystroke, mouse click, and website visit is monitored by your boss…

Not the kind of company I would want to work for.

Graham Cluley

BBC News reports:

Shibu Philip admits he knows what it’s like to “maybe waste a bit of time at work”.

Shibu is the founder of Transcend – a small London-based firm that buys beauty products wholesale and re-sells them online.

For the last year and a half he has used Hubstaff software to track his workers’ hours, keystrokes, mouse movements and websites visited.

With seven employees based in India, he says the software ensures “there is some level of accountability” and helps plug the time difference.

“I know myself. [You can] take an extra 10-minute break here or there. It’s good to have an automatic way of monitoring what [my employees] are up to,” says Shibu.

“By looking at screenshots and how much time everyone is taking on certain tasks, I know if they’re following procedures.

“And, if they’re doing better than I expected, I also study the photos and ask them to share that knowledge with the rest of the team so we can all improve,” he says.

Shibu Philip has done a great service. Now everyone knows to steer well clear of working for him or his company Transcend.

I just feel sorry for the people who already work for him, and may not have the opportunity to move to employers who trust them to act professionally and respect their privacy.

Surely it’s better to judge people by whether the job gets done to a good standard rather than minute-by-minute recording of everything they do on their PC. Not to mention the risk that sensitive screenshots and surveillance data may not be transmitted and stored securely.

Of course, Shibu’s Transcend firm isn’t the only one which deploys spyware to snoop upon its employees, as we discussed in a past episode of the “Smashing Security” podcast with special guest Mikko Hyppönen.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
Look, look, I'm very uncomfortable about this, right?
CAROLE THERIAULT
Well, you should be.
GRAHAM CLULEY
I am be— it's just—
CAROLE THERIAULT
Do you really need a camera tracking your mother-in-law's face at every opportunity?
Unknown
Smashing Security, Episode 172: Uncle Fuckface with Carole Theriault and Graham Cluley. Hello. Hello, and welcome to Smashing Security Episode 172. My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
Hey, Carole.
CAROLE THERIAULT
Hey, Graham.
GRAHAM CLULEY
We are joined by a returning guest. He hasn't been on the show for a while, but he's known to many of our listeners: Mikko Hypponen. Hello, Mikko.
MIKKO HYPPONEN
Well, hello there. It's really great to see both of you, and it's always great to hear how well Graham is able to pronounce my name. That's exactly how it's said.
GRAHAM CLULEY
Success!
CAROLE THERIAULT
Hey, how are you seeing me exactly?
MIKKO HYPPONEN
Well, virtually. Obviously, this is a time of social or physical distancing, so there's no way we would be in the same room, right?
CAROLE THERIAULT
That's right.
GRAHAM CLULEY
So Mikko, I imagine you, all of us, are trapped in your home right now.
MIKKO HYPPONEN
Yeah.
GRAHAM CLULEY
Your life has been messed around a bit by all this nonsense that's going on. What are you up to?
MIKKO HYPPONEN
Well, it's really great to be in one place because my normal life is so different. I'm on the road every week.

Now I haven't taken a single flight for a month and I'm still grounded for many more weeks. So yeah, in a way I it. Is this what normal people live their lives?
CAROLE THERIAULT
So this is why you're able to focus on your podcast because you've been grounded for a month.
MIKKO HYPPONEN
Yes, I have. And before I speak about my podcast, I just want to say something really great about traveling a lot, which is that my company... How do you say it?

They cover the CO2 emissions that I create.
GRAHAM CLULEY
Oh, brilliant. Good.
MIKKO HYPPONEN
Yeah. So I'm not destroying the world by doing all this traveling. And that's really great.

And that enables me to do the things I, which includes the worst competitor for Smashing Security podcast. We have now our own podcast.

Me and my old friend Tomi Tuominen started the podcast late last year. We're going to kick your ass.
GRAHAM CLULEY
I think I may have tuned into it. It's in Finnish, isn't it?
MIKKO HYPPONEN
Well, yes, it's in Finnish, which does limit the audience a little bit.

It's called "Herrasmieshakkerit." "Herrasmieshakkerit" is the best podcast about security in Finnish you've ever heard, I guarantee it.
GRAHAM CLULEY
That's the kind of competitor we, to be honest.
CAROLE THERIAULT
Do you know, Graham, I was thinking earlier today that maybe we misnamed our podcast because I was listening to a Radio 4 podcast and the woman was going in to interview someone.

She goes, "Hi, Sue Miller from Radio 4." And I was thinking, if we walked to someone's door and knocked on it and said, "Hi, Carole Theriault, Smashing Security," they may, they may not want me to come in.
GRAHAM CLULEY
Oh, right. So maybe we should call ourselves Radio Security or something, or what do you suggest?
CAROLE THERIAULT
I don't know, I'll have to think about that. Maybe our listeners can help.
GRAHAM CLULEY
All right, okay. A bit late for a brand name change, but all right. Carole, tell us what's coming up on the show this week.
CAROLE THERIAULT
Well, first, thanks to this week's sponsors, LastPass and Domain Tools. Their support helps us give you this show for free.

Now, on today's Stuck at Home special, Graham shares the rumors about video chat app Houseparty.

Mikko tries to figure out how to deal with security and privacy in our pandemic reality.

And I'll be looking to answer this question: is it okay for your boss to spy on you if you're working from home?

All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, coronavirus of course has, well, it's sort of changed the whole way we're living, hasn't it?

It's changed the world and people aren't able to move around, people aren't able to socialise, and many companies have been struggling as a result.

But actually, for some firms, it's been a real boon. It's been an opportunity for them to actually get loads more users.

I'm talking, of course, about video chat apps like Zoom, like Houseparty. Millions of people have downloaded these apps, perhaps for the first time in the last couple of weeks.

So, whereas they used to be the province of people working in business, typically, now everyone's kind of jumping on them, aren't they, in order to chat with their pals.
CAROLE THERIAULT
And to keep their jobs, right?
GRAHAM CLULEY
Well, keep their jobs, but also to keep in touch with relatives who they may not be able to go and visit any longer.
CAROLE THERIAULT
Totally, totally, because we're all isolated and it's the only virtual hugs these days, right?
GRAHAM CLULEY
Yeah, I've got a kind of embarrassing admission to make at this point.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Which may well get edited out of the podcast, but because I'm quite embarrassed by it, especially with Mikko on the line. So—
MIKKO HYPPONEN
Go ahead.
GRAHAM CLULEY
I've got in-laws who are quite technically non-savvy and really struggle, and my wife wanted to keep in touch with them while they're all locked down.

And we were trying to work out the easiest way to do this. And it's well, we know there's FaceTime and there's Skype or whatever, but needed it to be easier than that.

And so we invested in a couple of devices which make it very, very easy to video chat, even if you're into your 70s, 80s, and 90s and know nothing about technology.

I don't have a Facebook account. I don't have a WhatsApp account, but our household now has a Facebook Portal.
CAROLE THERIAULT
In your house?
GRAHAM CLULEY
In our bloody house.
MIKKO HYPPONEN
Congratulations.
GRAHAM CLULEY
Well, congratulations to Facebook, maybe.
CAROLE THERIAULT
They knew they'd get you in the end.
GRAHAM CLULEY
So we now have this video feed and audio feed.
CAROLE THERIAULT
Shame on you for not even fighting the corner.
GRAHAM CLULEY
Well, it was a restless night. It was a struggle. I have to say there was lots of tossing and turning about this.

And I have to say, pragmatically, it's a great way of keeping in contact with relatives and loved ones.

But of course, it comes from ruddy Facebook, which makes me extremely nervous.
CAROLE THERIAULT
Have you heard of a house phone?
GRAHAM CLULEY
Yes, a house phone, but you kind of want to see them. And actually, they never even hear the phone when it rings.

So we do need something which sort of bloop, bloop, bloop up on the TV screen and announces that they're getting a call.
MIKKO HYPPONEN
Graham, what does a Facebook Portal actually look like? It has a screen on it, doesn't it?
GRAHAM CLULEY
There are two kinds of variations of it. There's one which is basically like an iPad-like screen with a camera built in as well.

And what it does with the camera is very, very clever because it's tracking faces, and so it will focus on the relevant part of the room so it keeps you in shot, which is what we need with the in-laws, for instance.

The other version plugs into your television, and in all of them there is a hardware little what's-it, which will cover over the camera, should you want to, and you can turn off the audio.

And they claim that it doesn't upload any of your data and any of this to Facebook.
CAROLE THERIAULT
Oh, we know we can trust them 100%, so that's cool.
GRAHAM CLULEY
I know, look, you know I hate Facebook, right?
CAROLE THERIAULT
No, no, I just think we know who wears the trousers in your house, and it's fine.
MIKKO HYPPONEN
Graham, I am revoking your privacy expert rights.
CAROLE THERIAULT
Thank you, I agree.
GRAHAM CLULEY
I think these are extraordinary times. I haven't got one in my office, it's in one particular room in our house.
CAROLE THERIAULT
What's it called?
GRAHAM CLULEY
It's called a Facebook Portal. I'm not completely comfortable with how that's used.
CAROLE THERIAULT
So you're basically advocating that listeners get one?
GRAHAM CLULEY
I'm not advocating, I'm saying it's an option there.

If you have relatives who you can't go and visit and you need to keep an eye on and you need to communicate with because you're worried about them.
CAROLE THERIAULT
Influencer surveillance in your house?
GRAHAM CLULEY
Then this is one potential option. I haven't enabled any of the Alexa stuff which is built into it as well.

So I've tried to lock it down as much as possible, but it is ultimately Mark Zuckerberg's camera looking at us.
MIKKO HYPPONEN
Maybe you could provide our readers or listeners with an affiliate link which gives you a cut of the sales of Portals.
GRAHAM CLULEY
Well, the thing was they were actually sold out on Amazon UK when I tried.

So I ended up having to order it from Amazon in France, because at the moment, at least, we're part of the EU still.
MIKKO HYPPONEN
You bought a black market Facebook.
GRAHAM CLULEY
No, no, it's not black market.
CAROLE THERIAULT
I know.
GRAHAM CLULEY
I didn't have to pay any tax.
MIKKO HYPPONEN
This keeps getting worse.
CAROLE THERIAULT
Yeah, yeah. You digress. Is this your story?
GRAHAM CLULEY
No. Anyway, but the point is that lots of people are beginning to use these sort of video chat apps, whether they feel comfortable with them or not.

One of those apps is Houseparty, which is somewhat different from Zoom, which many of us have used in a business environment.
CAROLE THERIAULT
I have friends that use this. I haven't used it myself, but I do have friends that are using it to keep in touch with all their family.
GRAHAM CLULEY
Right. My understanding is basically you set up a house party room or something like that, and you can just drop in on it at any time.

And if anyone else from your collective is also part of that room at that time, they can see you and chat to you.

So you don't have to go through the effort of setting up, oh, at 7 PM, we're going to have a Zoom call. Here's the invite.

It's like a pub you can just drop in on without an appointment.
CAROLE THERIAULT
I was going to say coffee bar, but then you would never go. So that may be a really good way of going.
GRAHAM CLULEY
Don't go to a pub either.
CAROLE THERIAULT
No, but you know, the kitchen and the staff room. It seems to have that kind of idea.
GRAHAM CLULEY
Right.

It's kind of less formal, and I think it's more attractive.

It's proven more attractive to some people who are understandably keen to keep in touch right now, maybe, but don't want to go the full caboodle of buying a Facebook Portal.
CAROLE THERIAULT
So if I had this app, right?
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
I could, and I was connected to all my family, all my family had the app.

If I happened to log in and see that my mum was there, I'd go, "Hey, Mum, how's it going?" and connect immediately and start chatting.
GRAHAM CLULEY
Yeah, yes, exactly. So whoever's currently on can chat to each other.
MIKKO HYPPONEN
And the comparison to a pub is actually a good one, because I understand there's also games you can play with whoever happens to be online in Houseparty.
GRAHAM CLULEY
You could play Monopoly in a way, couldn't you? There's all sorts of things which you could do.
CAROLE THERIAULT
But I think Mikko's saying there's built-in games.
MIKKO HYPPONEN
That's what I understood.

I haven't actually played them, but yeah, I understand there's some simple games you can play together with everyone who happens to be online at the same time in the same room.
GRAHAM CLULEY
Cool.

Well, in recent days, rumors have been spreading about Houseparty, and the rumor has it that Houseparty is unsafe and that it has suffered some kind of security breach or that it is doing something naughty.

If you go on Twitter or Facebook, you will see plenty of folks sharing warnings about the Houseparty app, claiming that after installing the app, they found that other online accounts were being compromised, like Spotify or their email account, or even in some cases, their bank account.
CAROLE THERIAULT
I think that showed up in my feed on Reddit, actually. I didn't read the article, but I saw it pass by saying they happen to be breached.
GRAHAM CLULEY
Yeah, there is a lot of these stories going around, and I'm going to emphasize stories because no one is actually presenting any evidence.

People are saying, I installed Houseparty, and then someone from Israel or wherever, logged into my Spotify account, and they've made the connection.

They've assumed that the two things are connected.

Maybe they don't normally install apps, but right now, millions of people are installing Houseparty, and then when something else suspicious happens, they're assuming it's Houseparty's fault.
CAROLE THERIAULT
This is really hard for users though, right? Because on one hand, we're saying, oh, look, you need to work remotely. Here are some good apps, right?

But we also warn of apps that have dangerous components. So how are they supposed to tell the difference between— you're saying this is rumors, but without any proof.
GRAHAM CLULEY
I think what's going on here is rather interesting. I think it's telling us something actually about the way the human mind works and how it loves to make connections.
CAROLE THERIAULT
Well, this is pretty deep, Graham.
GRAHAM CLULEY
When?
CAROLE THERIAULT
I mean, for you.
GRAHAM CLULEY
Even when a real link doesn't exist, right?

So they're connecting the dots and thinking, it must be because of this new thing I did on my phone, rather than be the result of a phishing attack or password reuse or credential stuffing or somewhere where the hackers have grabbed passwords from a past data breach, maybe years before.

They assume it's connected to Houseparty.

And some of the advice which has been spread around, which is saying, delete Houseparty from your phone, if it had been the source of the breach, that doesn't actually fix the problem, does it?

Because your details have already been grabbed.
CAROLE THERIAULT
It might be the Zoom dudes doing it. That's my conspiracy theory.
GRAHAM CLULEY
Well, interesting, because of course it is kind of Zoom versus Houseparty at the moment.
MIKKO HYPPONEN
We used to have a word for things like these. We used to call these hoaxes. And it's interesting, during uncertain times we see many more hoaxes than otherwise.

And just last week there were really widespread hoaxes about WhatsApp and people were warning about specific messages about the death of the Pope or whatever, which was a complete old-school hoax.

And for some reason, right now in the middle of this pandemic, these things start going around again.
GRAHAM CLULEY
I wonder if because so many people are at home and maybe aren't working quite as hard or distracted or spending longer on their social networks, they're sort of resorting to sharing warnings with other people as a way of keeping connected with people, just saying, oh, watch out for this.

As we suffer this zombie apocalypse or whatever is going on at the moment through this pandemic, there are other things you should be fearful of.

And people think they're being helpful passing these things on, but of course, there's no actual evidence.

In the warnings about Houseparty, there are no links to legitimate security researchers.
CAROLE THERIAULT
OK, so what would happen if I were a user? If I saw this in my feed and read it and thought, oh, I'm a user, I know users, this is concerning.

I would then go look for a news article from a reputable source to back it up.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
Did you go and look and has anyone been able to validate? Has anyone said this is happening?
GRAHAM CLULEY
No, there is no evidence of an actual breach.

Security researchers have looked at the Houseparty app and they say, I mean, any complicated app is gonna have bugs and vulnerabilities in it, but they say they've found no evidence that it is doing anything like this, which might cause the Spotify login attacks.

And again, Spotify is something which is used by millions. Many, many, many people, a vast number of people.
CAROLE THERIAULT
Millions and millions and millions. Exactly.
GRAHAM CLULEY
And so if there's just a regular credential stuffing attack against Spotify, people might only make the link if they've only just installed Houseparty and assume it is somehow connected.

Now, Carole, you made this really interesting point. Was it Zoom who did it?

The owners of Houseparty are, and this is so weird, in some ways it's not weird, the owners of Houseparty are Epic Games. The makers of Fortnite and other popular video games.
MIKKO HYPPONEN
So you would think Houseparty would have built-in games, wouldn't you?
GRAHAM CLULEY
Right, right. Exactly. And they're obviously interested in the social element because there's such a big social element with video games as well.

They have not only said all Houseparty accounts are safe, we haven't had any kind of compromise, we don't collect passwords for other sites, but they've also offered a $1 million reward.

And what they want people to do is come up with evidence as to who has been spreading these hacking rumours, because they suspect it might be part of a commercial smear campaign to harm Houseparty.
CAROLE THERIAULT
It sounds a bit like, you know, reward, like a— what's it, you know, like in the Westerns, they, you know, they wanted—
GRAHAM CLULEY
A bounty.
CAROLE THERIAULT
A bounty.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
But not in a good way, in a kind of— I don't know if I— I don't think that's a good thing, actually.
GRAHAM CLULEY
My feeling is it probably isn't something that someone is paying for to smear the name of Houseparty. I think that was unlikely and would probably backfire.

Some people have been saying that Twitter bots have been posting messages about Houseparty being unsafe. Again, I think it's hard—
CAROLE THERIAULT
So effectively, they're asking for an internal person to come forward and say, actually, yeah, I have proof that it was this company that started the rumor, for example.

That's what they're looking for.
GRAHAM CLULEY
Yes, because I work for a rival service.
CAROLE THERIAULT
And you'll get $1 million.
GRAHAM CLULEY
$1 million, yes.
MIKKO HYPPONEN
I have a question. So next time when we are recording this, the three of us, can we try recording this instead of using some boring podcast recording app?

Can we record this on Houseparty? Or even better, can we record this inside Fortnite?
CAROLE THERIAULT
And what, because it's too boring, so you want to play a game while you're chatting with us?
MIKKO HYPPONEN
Well, you know, if you're saying something stupid, I can shoot you.
GRAHAM CLULEY
So if you've installed Houseparty, don't necessarily panic if your Spotify account was then breached. Doesn't necessarily mean it's connected.

Protect yourself with two-factor authentication on any online accounts that support it.

So if your password is stolen or breached, it alone won't actually give the hackers access to your accounts.

And obviously follow standard best practices about not reusing your passwords.
CAROLE THERIAULT
So they think, okay, so is it corporate sabotage? Graham, your thoughts are?
GRAHAM CLULEY
I think most likely not. I think like most hoaxes, it's probably some bored kids.

Well, either kids or just people who just didn't understand what was going on and they joined the dots themselves and came to the wrong conclusion.
CAROLE THERIAULT
This is the second time you say that. I think you think people aren't very smart. That's what it sounds like.
GRAHAM CLULEY
I think some people are very smart, Carole.
CAROLE THERIAULT
Oh, I bet you do, Graham.
GRAHAM CLULEY
Thank you very much.
MIKKO HYPPONEN
Let me actually touch upon something Graham said.

You just said that people are sitting in their homes and they might not be working as hard as usual, so they have time to come up with all these conspiracy theories or whatever.

I think that's actually an important point to discuss because the fact is the whole world is sitting in their homes right now and feeling scared and useless and addictively reloading news every 15 minutes, which is what we're all doing.

And I think it's just fair to say out loud to everybody that it's okay if you're not working as hard as you usually are. It's okay if you're not as productive as you'd like to be.

It's okay if you're not doing the projects you would be able to do now that you have all the time in the world. These are unusual times. This is a pandemic.

And when you look at it from a bit more perspective, this is going to be the biggest news item of the decade. This is going to be one of these defining moments of the century.

And this is like, what was the last time we had something which really affected the whole world at the very same time? I think it's the first time.
CAROLE THERIAULT
Yeah. And we can all talk about it at the same time.
MIKKO HYPPONEN
Yeah. It's really, really, really unusual. Nobody would have predicted this. I mean, even the world wars we had, they really were not in every country at the same time.

It didn't affect the whole world. This does affect every single country. Everybody, the whole world is in quarantine.

And this is so different as a quarantine from anything we've seen because we do have this online connectivity. And I think it's an important thing to consider for our audience.

I mean, security people, we spend our time trying to secure people and trying to help people who fight with problems they have no hope trying to figure out by themselves.

And while the whole world is sitting in their homes feeling useless because we are not medical experts, well, security people can sort of participate. We can try to help.

Of course, we can't find a cure and we can't help people in hospitals, but we can help secure these hospitals, we can fight off the attacks which are targeting medical organizations or targeting people trying to find the cure.

There are bad people out there right now. We've seen multiple attacks against medical organizations during this pandemic, which really, really sucks.

And yes, the more we can do to help fight off these problems, the better it is for everybody. And it makes us feel we can help, we can do something.
GRAHAM CLULEY
Yeah, people will feel better, won't they, if they feel they're providing some use and bringing some benefit when we feel so helpless.
MIKKO HYPPONEN
Sure, because we do have skills and right now our service is needed. It's now needed maybe more than ever.
GRAHAM CLULEY
So one thing which strikes me is some people have set up organizations now to volunteer their expertise, their IT security expertise, to health services.

There's an organization called Cyber Volunteers 19, CV19, I will put a link into them in the show notes.

Friend of the show, Lisa Forte, she's one of the forces behind Cyber Volunteers 19. So people may want to go there and find out how they can offer their expertise.

So, you know, don't feel too helpless. But I agree with you, Mikko. I think we all need to give ourselves a bit of a break as well and not stress out too much.

There's enough stress in the world right now that if we're staying at home, you know, don't feel that everything has to be perfect.
CAROLE THERIAULT
Yeah, we're going to have to talk about this a bit more in my section, because I think there's a few bosses out there that don't feel the same way you guys do.
GRAHAM CLULEY
Oh, interesting.
MIKKO HYPPONEN
Yeah, that's a very good point. But it's not just being productive at work.

I mean, I was just speaking to a friend of mine who said that he thought he would read through all these great books, and he confessed that he didn't even open the first one yet.

It's just hard to concentrate. It's hard to get anything done.
CAROLE THERIAULT
And to sleep.
MIKKO HYPPONEN
Yeah, even that. So you're exactly right, Graham. We should be giving a break to ourselves.
CAROLE THERIAULT
Do you need a break from the podcast now? Do you need a tea break or anything?
GRAHAM CLULEY
Oh, I'd quite like that, actually, if that's possible.
CAROLE THERIAULT
We'll be back in 20 minutes, everyone.
GRAHAM CLULEY
So Mikko, what have you got to talk to us about this week?
MIKKO HYPPONEN
Well, let me actually continue on what you were saying about Houseparty and Zoom, because Zoom has had their own problems as well.

They've been accused of really dodgy privacy policies and about sending information to Facebook and all kinds of things which really emphasize the point that when you have a product like this, which is growing faster than pretty much any product ever in the recent history, they might cut some corners.

And in this case, the corners might be privacy corners.
CAROLE THERIAULT
Well, all eyes are on them now, right?
MIKKO HYPPONEN
So true, true. And of course, Zoom is a company which just went public last year. We'll actually put a link to show notes about the great podcast on Zoom.

One of my favorite podcasts outside of Smashing Security.
GRAHAM CLULEY
Is it in Finnish?
MIKKO HYPPONEN
No, it's English. It's called Acquired, which is a really good podcast, which talks about companies which either were acquired by another company or which went public.

And they had an hour-long show about the history of Zoom, where it came and who are the guys behind it, who are the girls behind it and how exactly they did the IPO.

Really interesting stuff worth listening.

But when we think about the idea that there's these new products which become so successful despite privacy problems, Zoom is not the only example.

We can think about things like Huawei, the Chinese manufacturer.

Their phones, I just checked this, their phones are in top 10 most common, most sold handsets in dozens of countries around the world, despite the fact that they've had all these reputation problems regarding privacy and nation-state access to their devices or to their gateways.

Zoom has this problem. Telegram, WhatsApp has been accused of lousy encryption, at least by default. It doesn't slow them down at all.

So as long as the product is good, and obviously Zoom is a good product, Telegram is a good product. Clearly Huawei phones are good phones because people buy them.

TikTok is growing like crazy because it's, you know, apparently it's a good product. But so—
CAROLE THERIAULT
Say the kids, yeah.
MIKKO HYPPONEN
Well, yeah, there you go. But this proves the point. People don't really care about the privacy as long as the product is good. That's what they want.

If it's free and it's a good product, they will use it regardless of the problems behind it.
CAROLE THERIAULT
Even Graham, even Graham using Facebook Portal.
GRAHAM CLULEY
Facebook Portal wasn't free, I'm afraid, but—
CAROLE THERIAULT
You're paying for the privilege, if you like.
GRAHAM CLULEY
I pay for the— look, I'm very uncomfortable about this, right? Well, you should be.
CAROLE THERIAULT
Why? Maybe have a house meeting.
GRAHAM CLULEY
It's a family meeting.
CAROLE THERIAULT
Skype is fine. Do you really need a camera tracking your mother-in-law's face?
MIKKO HYPPONEN
But I think this tells something very concrete about the users around the world.

I mean, if it's free and it's a good product, it could do pretty much anything behind the scenes and people just don't care. And we saw this very, very well ourselves.

At F-Secure, we were in the middle of releasing a cloud storage product 5 years ago when the Snowden leaks came out.

We did a pretty extensive study in different European countries asking consumers, and you know, in the middle of all these Snowden revelations, would you be interested in a European cloud provider instead of these American cloud providers where you would be guaranteed that your information is within EU or even within your own country?

And the result was an overwhelming yes. Everybody, of course, said yes, that I would absolutely prefer a local European provider.

Then when we actually released the product, nobody cared.

Everybody went with the free product from, you know, the thing which was built into the device or built into the operations. And of course, those are all from USA.

So there's one thing that people say and another thing that people do.
CAROLE THERIAULT
I don't know if it's a question of caring so much as maybe not having the time to do the research required, especially if it's not your niche.

Niche, or niche for our American audience. You know, how do you do that?

I mean, I know, you know, but you know, if my mom was told, hey, go use this particular app, she would just trust because the person who told her, she trusted them.
GRAHAM CLULEY
And, you know, it's no fault of hers, but a lot of people will take recommendations from their friends and their friends don't have to be security and privacy experts, right?
CAROLE THERIAULT
Yeah. And if I told her, oh, actually, Mom, that app isn't good, you know, maybe to get rid of it, she would.

But she would also feel flustered that she was told two different sets of information. And I get that. I get that.
MIKKO HYPPONEN
So maybe it puts the power in the hand of the regulators. I mean, say what you want about GDPR, it actually gets results.
CAROLE THERIAULT
And I'm a big fan of GDPR, as many Smashing Security knows. I think it's great. And California has followed suit now.

And I think there's another few states that are fast on the heels as well. But I think also caring for these things is a luxury as well.

Especially right now during a pandemic, people are thinking, oh my gosh, I need to stay in touch with my family.

And people, they hear from someone, oh, use this app, Houseparty, or use Zoom.

And so everyone just jumps on the bandwagon, and no one really looked to see what exactly the privacy things were.
GRAHAM CLULEY
I heard Facebook Portal was good enough for Graham Cluley.
CAROLE THERIAULT
That's right. That's what you've done.
GRAHAM CLULEY
See, that's what—
CAROLE THERIAULT
You better— I hope you have a different song to sing next week, mister. Yeah.
MIKKO HYPPONEN
But to summarize, it just emphasizes the responsibility we security people have.
CAROLE THERIAULT
Quite. Yeah.
MIKKO HYPPONEN
So we really should, you know, do our work right. So then the consumers can make the right decisions.
CAROLE THERIAULT
Yes, Graham. Yeah, because it's not do as I say, it's do as I do, right?
MIKKO HYPPONEN
What's so funny, Graham?
GRAHAM CLULEY
I'm just being picked on by my co-host. It's the usual story. This is what happens every week, Mikko.
MIKKO HYPPONEN
Yeah.
GRAHAM CLULEY
Carole, what have you got for us this week?
CAROLE THERIAULT
Okay, so we've been talking about companies dealing with managing a remote staff. And many of these companies are doing it for the first time.

You mentioned that, Graham, in your story.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Now, of course, places that have been doing it for a while probably have a much better, a more robust work-from-home policy.

And this is probably giving them a bit of edge over the competition, you know, the ones that are coming to the table late.

Now, I guess it's not a surprise that we're seeing remote working tools and a number of users.

So we're seeing more people use cloud shares and client firewalls and VPNs and video conferencing tools like Skype and Zoom. Zoom, we've talked about.

And I've always hated video conferencing. I don't know about you guys. Do you feel it connects you better with the people that you're conferencing with?

Because I'll tell you, I remember every time I video conference, to me, there's this one American lady that I worked with. Graham, you worked with her too. I'm gonna call her Dolly.
MIKKO HYPPONEN
I know who you mean.
GRAHAM CLULEY
Yes, Dolly Parton.
CAROLE THERIAULT
Okay, we were all having this meeting and she decided to eat an apple. But you know when you make a noise, it's louder than everybody else.

And she was sitting really close to her camera chewing on this apple and the camera kept going to her face. It was just a horrific scene. And I just don't know why people need video.

Maybe that's why I do radio. So maybe I'm more into audio than—
GRAHAM CLULEY
I'm not a big fan of video chat at all. I find it very distracting.
CAROLE THERIAULT
I definitely don't video chatting with you, Graham. That's for sure. Number one.
GRAHAM CLULEY
But on a personal level, I think it does have some benefits.

I mean, in the current situation, as we've been saying, in the current situation, I think there are some pluses, uses which can be got from it.

But generally, I would agree with you that it's actually a bit of a distraction. It gets in the way of the communication.
CAROLE THERIAULT
I don't even comb my hair. I don't want someone calling me on video as a surprise right now. I need some warning. Anyway, so there are all these tools, these remote tools.

But for some people, all these remote tools that make life easier are not enough because some, Mikko, are worried that their employees are going to slack off.

And the bosses are very concerned about maintaining or at least protecting the company's productivity.

So I started looking around and there's a veritable huge world of online productivity services out there. So I compiled a selection for you guys to look at.

And I wanted you just to take your take on them because they're all a little bit different and the way they market is fascinating. So number one, I started easy, right?

So number one on the list here is ActivTrak. So if you check the link in the show notes.
GRAHAM CLULEY
So I'm already a little bit against them because it's ActivTrak without an E and without a C. So they— I don't like it when companies do this. So ActivTrak.
CAROLE THERIAULT
I think these days you've got to make a choice between .com or having a crazy word, right?
GRAHAM CLULEY
Oh yeah, probably. So this is analysing your employees' activity.
CAROLE THERIAULT
Yeah, you see that bulleted list there? I read this. So they say, we want to protect employee privacy to ensure it's not violated, communicate new intent of the data collected.

So it's very transparent and making sure it's not intrusive and it's also following the legal legislations in your geography.
MIKKO HYPPONEN
Yeah, my favorite part is avoid creating a culture of distrust.
CAROLE THERIAULT
As we spy on you. But, okay, you know, that doesn't sound so bad. You know, I'm not sure why everyone's talking about this. So let's go to number two, Sneak.
GRAHAM CLULEY
The product is called Sneak.
CAROLE THERIAULT
And they've actually made a joke in the press, I'm paraphrasing, but something like, "If we were really into spying, do you think we would've called ourselves Sneak?" Something along those lines.
MIKKO HYPPONEN
So I thought, hmm.
CAROLE THERIAULT
So if you check this out— This basically—
GRAHAM CLULEY
Oh my goodness.
CAROLE THERIAULT
So this software interface lets people set their webcam to automatically photograph them every one to five minutes.
GRAHAM CLULEY
To make sure they're in front of their desk and looking like they're being— Well, this is bloody awful.
MIKKO HYPPONEN
To make sure they are working. Yes.
CAROLE THERIAULT
Now look, it says even here, it says, see all your teammates' pretty faces and you get to choose the pictures because yes, we all pick our noses. There's no shame.
GRAHAM CLULEY
Oh, so if you are an employee, your picture is taken at a regular interval and you can choose which one gets sent to your boss.
CAROLE THERIAULT
Sent to everyone in the group.
GRAHAM CLULEY
That's not going to be disruptive of your work, is it, if that happens every five minutes?
CAROLE THERIAULT
Well, it's also to see how often you're at your desk, right?
MIKKO HYPPONEN
Oh, hold on, hold on. Does this apply to the managers and the leadership team as well?
CAROLE THERIAULT
That was a question that was asked of one of these companies. I can't remember which one. And they failed to answer.

They didn't want to tell them whether the CEO was under the same treatment. Sneak is pretty interesting, right?

Because who wants their teammates' pretty faces all on one screen whilst you're working? I mean, where do you actually work?
GRAHAM CLULEY
I would want to get my cardboard cutout out of the basement, I think, and set that up because—
CAROLE THERIAULT
You'd have to get one with different facial expressions. Otherwise, we'd be worrying about you. Okay, the next one. Interguard. Check this out.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
Interguard.
GRAHAM CLULEY
Well, they spelt guard correctly, so that's a bonus. What else are they doing? So it looks like the same kind of deal, isn't it, as the first one?
CAROLE THERIAULT
Employee cell phone monitoring?
MIKKO HYPPONEN
Oh, right. Yeah. Hey, check your phone as well.
CAROLE THERIAULT
Yep.
GRAHAM CLULEY
We will view what apps are used, texts, websites visited, web searches, call logs, GPS, and more. No jailbreaking or rooting required to set up monitoring.
MIKKO HYPPONEN
Also, they have real-time geolocation.
CAROLE THERIAULT
They know where you are if you say you're at home.
GRAHAM CLULEY
Shouldn't all these firms actually be measuring you by your output and whether you're getting the job done rather than how many hours it took you or whether you sat in front of— because being sat in front of a monitor, for instance, doesn't mean you're not playing solitaire or chess.
MIKKO HYPPONEN
Nosy is picked today, 17.
CAROLE THERIAULT
Let me show you something really fascinating here. If you guys go to the Interguard pricing page.
MIKKO HYPPONEN
Oh, the top, yeah.
GRAHAM CLULEY
Mm-hmm. The Interguard pricing page. All right.
CAROLE THERIAULT
So you can see you can get a free cloud trial, right? But you can also get one that's paid.

And if you look at the difference between the two options, there's a stealth mode available.
MIKKO HYPPONEN
Huh. Right. You have to pay for stealth mode.
CAROLE THERIAULT
You have to pay to spy on your users. So this is the question I have for you. Why would bosses want to do it without telling people?
MIKKO HYPPONEN
Yes, because it's cheating.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Because I can understand if your boss said to you, look, this is what we're going to do. And then you as an employee can go, not cool with that or cool with that.

And sometimes you get people to change their minds. Graham now has Facebook Portal. Who would have ever guessed that he would have done that? Please don't talk about that.
GRAHAM CLULEY
Well, it's to stop the employees revolting, because once the employees realize they've been spied upon, they're going to try and work somewhere else instead, right?

They're not going to be terribly happy and they'll try and subvert it in some fashion with a cardboard cutout or whatever.
CAROLE THERIAULT
Yeah. So there's two more here. We've got Teramind that does screen recording and live use app tracking. There's one called Hubstaff, which is employee monitoring software.

So you can see work in progress as it happens by taking screen captures customized to each user.
GRAHAM CLULEY
So I imagine all of these are only legal if the employee agrees to this, right? They have to knowingly say yes.
CAROLE THERIAULT
I think it depends on where you are from. I know that some states, for example, operate in a one-party listening law.

So one party has to know that they're recording versus both parties.
GRAHAM CLULEY
Right, or zero parties, which would be—
CAROLE THERIAULT
I suppose zero parties. So it all depends on the state, on the state law. Some of them, both parties have to know that there's recording going on.

And I believe that's what is the case in the UK, although things change slightly because you're using a computer provided by your company.

Now, this is where it gets tricky for us all because these computers now are effectively 24/7 in our personal homes.

So if you're taking video snapshots of the user, and their screen, you're capturing information that has nothing to do with work. And where is that information being stored?

So for example, if you were in a smaller house, which many people are trapped in, and you have to work from home and you have your kids running around, pictures of your kids and your family can be easily snapped in the background.
GRAHAM CLULEY
Or what happens when I'm trying to find a pair of underpants in the morning and I go past my computer, right? Trying to find a clean pair, that might get beamed up to my boss.
MIKKO HYPPONEN
That's where I draw the line.
CAROLE THERIAULT
I was way ahead of you there. I was I'd left the room already. So yeah, so I see there's 4 options, right?

You have a boss that doesn't spy or monitor, and I think all of us would say, yeah, that's obviously a better way because if you don't trust your employees, that does, you know, morality kind of goes top down.
GRAHAM CLULEY
A lovely boss, the best kind of boss.
CAROLE THERIAULT
There's also bosses that tell you, that inform you that you are being spied upon and what would be, or being monitored.

So I think it's important to ask because I'm not sure how not telling the truth in that situation would work for your employees.

So getting it in writing that they are not monitoring you might be a good idea if you're concerned.
GRAHAM CLULEY
But who wants to kick up a fuss, Carole, really?

I mean, at the moment when so many people are being laid off, unemployment's on the rise, a lot of people will be very nervous, won't they, of doing this.

I imagine more and more people will be, they won't it, but they may think they have no option but to accept it.
CAROLE THERIAULT
Think of how many people right now who are being forced to use their own devices at home because, you know, as we talked about last week, and they may have been asked to install a covert employee monitoring software as part of the work package, right?

Which has been downloaded as a zip.
GRAHAM CLULEY
It's yucky, isn't it?
CAROLE THERIAULT
Yeah, I think the whole idea of monitoring people in this way is a bit awful. There's this guy on Reddit, and I agree with him, so Uncle Fuckface.
MIKKO HYPPONEN
Yeah, I know him.
GRAHAM CLULEY
Sorry.
CAROLE THERIAULT
Uncle Fuckface said, he said, give me a task to do and I'll tell you when I'm finished because you can shove the webcam up your arse.
MIKKO HYPPONEN
So I agree. Good old Uncle Fuckface, yeah.
CAROLE THERIAULT
Exactly.
GRAHAM CLULEY
This week's Smashing Security podcast is sponsored by DomainTools. They help security analysts turn threat data into threat intelligence. Very cool too.

Now they've got something that I think you're going to, a capture the flag competition, which can win you a $100 Amazon gift card.

If you want to join in all the fun, visit domaintools.com/smashing to enter the competition before it closes on the 16th of April. And may the most geeky listener win.
CAROLE THERIAULT
VPN.

So many of us now are realizing that moving to a fully work-from-home environment isn't always easy, but LastPass is here to make that transition easier, all without decreasing security.

LastPass ensures your employees have secure access to their work applications and provides remote employees the ability to securely share passwords across teams in order to stay on top of critical projects.

If you want to learn more visit lastpass.com/smashing. On with the show.
GRAHAM CLULEY
And welcome back. Can you join us on our favorite part of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
MIKKO HYPPONEN
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
CAROLE THERIAULT
It should not be.
GRAHAM CLULEY
Well, my pick of the week this week is not security-related.

Instead, it is a podcast which has nothing to do with security, or indeed, I'm afraid it isn't in the Finnish language either. It is a podcast called Something Rhymes with Purple.

And Something Rhymes with Purple is a lovely little podcast hosted by Gyles Brandreth, who is a former British MP and TV celebrity and famous jumper wearer, and Ms. Susie Dent, who has appeared in Dictionary Corner of Channel 4 TV's Countdown show since 1992.
CAROLE THERIAULT
A national treasure.
GRAHAM CLULEY
She is a lexicographer, which means that she knows all about words and dictionaries and things like that.

And what they do on this podcast basically is they talk about unusual words, or sometimes not so unusual words, and they talk about the origins of these words.

So, for instance, by the way, you can also follow Susie Dent on Twitter where she will have a word of the day quite often. For instance, she just tweeted about the word freelancer.

Timely.

And she explained that freelancers— get this, get this, right— freelancers were originally knights who weren't attached to any single lord or master, and so were free to use their lances, weapons, to anyone who paid them.

And that's why we have freelancers.
CAROLE THERIAULT
Love it.
GRAHAM CLULEY
How brilliant is that? You will get scores of these kind of explanations.

If you ever wanted to know what namby-pamby, where that comes from, or grockles, or why Alexander Graham Bell recommended that people answer the telephone with ahoy rather than hello, then Something Rhymes with Purple is the podcast for you.

And that is why it's my Pick of the Week.
MIKKO HYPPONEN
I'm not a native, but does turtle rhyme with purple?
GRAHAM CLULEY
Turtle?
CAROLE THERIAULT
Purple turtle, yeah.
GRAHAM CLULEY
No, well, no, not really.
CAROLE THERIAULT
It does in America. Purple turtle.
GRAHAM CLULEY
Well, that's not in English then, is it? That would be turple, wouldn't it? Not turtle. Yeah, you're right.
MIKKO HYPPONEN
Okay, so what rhymes with purple? Give me one.
GRAHAM CLULEY
Well, I don't know. You'd have to listen to the— I haven't heard that episode.
CAROLE THERIAULT
I imagine.
MIKKO HYPPONEN
But you're recommending it.
GRAHAM CLULEY
I'm recommending— I haven't heard every single thing I've said.
CAROLE THERIAULT
Purple.
GRAHAM CLULEY
Turtle does not rhyme with purple.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
I'm not sure. We'll ask Susie.
CAROLE THERIAULT
You could ask me.
MIKKO HYPPONEN
I'm right.
GRAHAM CLULEY
You're not English.
MIKKO HYPPONEN
Okay.
GRAHAM CLULEY
And Mikko, what's your pick of the week?
MIKKO HYPPONEN
Oh, thank you. My pick of the week is Pelottomien riemulaulu. And yes, that's Finnish for... that's the name of the song.

My pick of the week is a song, or even better, it's a video of a song.

This is a song composed by a Finnish composer called Jussi Chydenius, who actually is a pretty well-known a cappella singer in Finland.

The lyrics were written by Julia Junttila, and this was made for the Vaskivuori Upper Secondary School Chamber chorus.

And they've actually recorded the particular song that we are linking to in their homes during the pandemic.

So this is all being recorded with like teenagers on their phones or from Zoom or from Skype. And when you combine it together, you end up with something amazing.

Just listen to this.
GRAHAM CLULEY
So what we're seeing is this montage really of lots of people on their screens, and sometimes it will flip between them.
CAROLE THERIAULT
It's amazing.
MIKKO HYPPONEN
It's great. And the technical execution is flawless. There's actually a write-up about how they did it.

The basic idea is that the teacher did a basic skeleton of the song as an MP3, sent that to every kid, and then they were listening to it and singing their part on top of it.

And then they would have put in quite a bit of effort to cut it all together. But the end result is worth listening to.
GRAHAM CLULEY
It's really good. This is a true work of art, I think, and much better than Gal Gadot and her celebrity friends singing Imagine.
MIKKO HYPPONEN
Yeah, and this probably would have never happened without the pandemic. So yeah, this is what we do.
GRAHAM CLULEY
Something good. Lovely. So that is Pelottomien riemulaulu.
CAROLE THERIAULT
Go to our webpage for the link.
MIKKO HYPPONEN
That was perfect pronunciation. Thank you, Graham.
GRAHAM CLULEY
Link's in the show notes. Carole, what is your pick of the week?
CAROLE THERIAULT
Okay, so my pick of the week is for Minecraft lovers who have found themselves to have a bit more time on their hands.

Because it turns out this guy called PippinFTS, that's his handle, claims to have made a 1-to-1 Minecraft version of Earth for the very first time.
GRAHAM CLULEY
Sorry, 1-to-1?
CAROLE THERIAULT
1-to-1 scale.

So that is actually, in normal Minecraft, that's kind of impossible because there's a height limit in Minecraft, which is limited at something like 250 metres or something.

So it makes—
GRAHAM CLULEY
250-odd blocks, yes.
CAROLE THERIAULT
Yeah, so it makes a full-scale Earth terrain impossible to create.

But this PippinFTS guy claims to have used cubic chunks, which somehow helped him change the shape of the Minecraft chunks to 16 by 16 by 16, which gives you infinite depth to build in all directions.

So I've put a video—
GRAHAM CLULEY
Can you explain the science a bit more to us, Carole? This sounds absurd.
CAROLE THERIAULT
No, I'm just saying, you have to go look at the video, but basically imagine a to-scale model of the Earth made in Minecraft.
GRAHAM CLULEY
So if I— so he's created this Minecraft—
CAROLE THERIAULT
With mountains and oceans and all the terraformas.
GRAHAM CLULEY
If I joined his Minecraft server, would I be able to zoom in on my podcast pleasure palace here in Oxford and see myself?
CAROLE THERIAULT
Well, no, that's actually why this has come out. So apparently, one of the problems is the human-generated structures are not part of the landscapes at the moment.

So things like you'd expect to see Egypt's pyramids if you went looking for them, but actually at the moment they're just big piles of mud.

So apparently, this PippinFTS guy has gone out to start a collective project called Build the Earth to get other Minecraft players to decorate the Earth with well-known manmade structures.
GRAHAM CLULEY
Right. Just sounds a bit like he's slacked off, to be honest. I mean, he could have put a bit more effort in. I mean, we do have a pandemic on.

He could get— Has anyone actually checked whether the pyramids are still there? Because with everybody locked down, maybe they're not. Maybe it's like Schrödinger's cat.
CAROLE THERIAULT
There's people giving him models of universities and Manhattan skyscrapers, and are helping to build their own streets. So if you want to contribute, you can watch the video.

Although I have to say, I would do it maybe with sound on low, so it's a very, very inspirational kind of opening conversation.
GRAHAM CLULEY
The last thing we want is inspiration.
CAROLE THERIAULT
Whereas Mikko sounded truly inspirational, it just has a different feel to it. But I think it's a very cool kind of project, one that people could get involved with.

So take a look, see what you think. All the links are in the show notes for you.
MIKKO HYPPONEN
I've always been a big fan of— I've never really played Minecraft. I always liked the idea. But I've also found that there's a very close link between Minecraft and LEGO.
GRAHAM CLULEY
Oh, yes.
CAROLE THERIAULT
Yeah.
MIKKO HYPPONEN
I mean, Minecraft is from Sweden. LEGO is from Denmark. They both consist of building stuff out of cubes.

So the real question is, when are we going to get a model of Earth in LEGO in scale?
CAROLE THERIAULT
Oh, in all the LEGO colors too. It would be very pretty.
GRAHAM CLULEY
Brilliant. Well, Carole, that's great. So as the whole world goes to shit, build a new one in Minecraft. We just have to port ourselves over to Minecraft to enjoy it.

Well, that just about wraps up the show for this week. Mikko, thank you so much for joining us. I'm sure lots of our listeners would love to follow you online.

What's the best way for folks to do that?
MIKKO HYPPONEN
The easiest way to follow me online is to follow me on Twitter, where my account is called Mikko, M-I-K-K-O.
CAROLE THERIAULT
Would you have died if he said Facebook Portal?
GRAHAM CLULEY
And you can follow us on Twitter @SmashingSecurity, no G, Twitter allows to have a G. And you can also join the discussion on our subreddit.

So if you're on Reddit, go and look for Smashing Security up there.
CAROLE THERIAULT
A gazillion thank yous for supporting us during this pandemic. Here's hoping that we provide you a few giggles during this shit show.

Also, a huge thank you to this week's Smashing Security sponsors, LastPass and DomainTools. Their continued support helps us give you this show for free.

Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
MIKKO HYPPONEN
Until next time, cheerio, bye-bye, stay safe, bye-bye, and don't forget to follow Uncle Fuckface.
CAROLE THERIAULT
Stay safe. I can't believe you have to say that all the time. Maybe we just say take care. That's what you used to say. Why is that not good?
GRAHAM CLULEY
Well, yeah, that's alright.
CAROLE THERIAULT
Take care.
GRAHAM CLULEY
Mind how you go.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Easy on the onion.
MIKKO HYPPONEN
Don't get sicko, this is Mikko. Oh God.
GRAHAM CLULEY
This must be so cool having a name like Mikko.
CAROLE THERIAULT
Right?
GRAHAM CLULEY
Graham. I mean, what rhymes with Graham?
MIKKO HYPPONEN
Boring.

Chances are that this is a technology that is being increasingly used by different companies to keep tabs on employees as more and more people are working at home due to the Coronavirus pandemic.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.

7 comments on “When your every keystroke, mouse click, and website visit is monitored by your boss…”

  1. Lahn Bain

    That kind of monitoring is extreme! Great point of what and where items are being stored. I would assume different counties have different laws. But also wonder, if the employees' contract states they are being monitored? And like most EULAs, people don’t read the fine print! I like the part about sharing what works well but not by spying on someone. I can’t imagine what extra stress that creates.

  2. Graham Fletcher

    Just crazy! And likely illegal surely. How does this square with article 8 of the ECHR? I assume that still applies to the UK for now. There’s loads of case law around this and the right to personal privacy in the workplace.

  3. New Mexico Mark

    Security folks in an organization are often asked to produce evidence as to whether a particular employee is "working" all day, every work day. Without spyware, trying to produce meaningful data based on logins, web activity, etc. is a quixotic quest. But the dystopian approach of using spyware is not the solution either, unless the goal is to produce drones whose goal is simply to meet minimum standards in order to not get fired. (The Office Space interview with "the Bobs" was brilliant satire of this kind of work environment.)

    A wise security group will respond to those requests with advice that employee productivity is a potential management issue, then point the requester to HR. A good manager provides clear guidance for job responsibilities and clear measurement of how those responsibilities are fulfilled, while granting leeway for creativity and flexibility so long as it doesn't impact overall goals. A great manager can even make dull, repetitive tasks a little bit fun through creative approaches. Organizations that resort to "solutions" like spyware are the worst of the worst and fully deserve the management and employees that will at best limit their success and at worst drive them to ruin.

  4. David Heath

    This boils down to a very simple question. "What is more important? Achieving the role or doing the hours."

    It seems to me that the most efficient workers are to be penalised for not being inefficient.

  5. Rodney Brazil

    Not trying to defend this type of behavior AT ALL, but an argument for the keystroke recording could also be that if a data breach does occur, it would be relatively easy to narrow down where it happened.

  6. Local council worker

    I've worked in a team where it was blatantly obvious that half the staff simply turned up each day and did sweet stuff all, it drove the other half near screaming mad but nothing ever came of it. If monitoring staff helps show that they don't actually do the work they're paid to do then bring it on.

  7. Ben Iveagh

    This is probably quite common. At least in the US, any company that wants to do this, can. Anything you do at work (email, work laptop, key card swipe) is logged. In IT, when users need their laptop repaired or replaced, we find that they are storing their own personal data on it. While this is not prohibited, the laptop is company property, and as such, the data stored on it becomes company property. Not all users have this in their minds when they are at work.
