
133: Cookie cock-ups, Hong Kong protests, and smart TV virus scans


We head to Hong Kong to look at how technology has helped anti-government protesters (and how China has tried to disrupt it), Samsung is skittish over whether to tell TV owners to virus-scan their devices, and you won't believe whose website is not GDPR-compliant.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by James Thomson.

Visit https://www.smashingsecurity.com/133 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language. "Chickens!"

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: James Thomson.


This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



CAROLE THERIAULT. Say, for example, you decide to buy a smart fridge. You might find out after a while that you can't update it anymore.


JAMES THOMSON. Why would anyone buy a smart fridge?


ROBOT. Thank you, Jack. Thank you. I'm so pleased you're on the show. I was holding back. I thought, no, I can't say it. What's she talking about? Why would anyone want a bloody smart fridge? What is the point? Smashing Security, episode 133: Cookie cock-ups, Hong Kong protests, and smart TV virus scans with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 133. My name is Graham Cluley.


CAROLE THERIAULT. You sound bored, Graham. My name is Carole Theriault.


GRAHAM CLULEY. Bored? Yeah. This early on?


CAROLE THERIAULT. It's 133 and now you've hit your limit. This is it. I'm just, I'm, I just, I don't know.


GRAHAM CLULEY. And we're joined by a very special guest this week, aren't we, Carole?


CAROLE THERIAULT. Yes, my very good friend, James Thomson.


JAMES THOMSON. Greetings.


CAROLE THERIAULT. Greetings. You're not feeling too hot, are you?


JAMES THOMSON. I'm feeling wonderful.


CAROLE THERIAULT. Are you?


JAMES THOMSON. Yeah, I mean, mainly because I'm currently in rehab.


GRAHAM CLULEY. I heard the rumors.


JAMES THOMSON. For an addiction? No, not that one. Something else.


CAROLE THERIAULT. What happened?


JAMES THOMSON. Me and a psychopath had a rather violent coming together recently. Tell me, there couldn't have been a pothole in the road or anything? No, it was more of a kind of BMX track style bunny hop, which they helpfully inserted on what was otherwise a flat cycle track in some woodland. So I couldn't see it very clearly and I hit it at quite a high speed and my bike kangarooed off the road and I bounced off in the other direction.


CAROLE THERIAULT. Are you likely to start seeping blood or anything during this?


JAMES THOMSON. No, I'm already seeping blood. That's not going to start.


GRAHAM CLULEY. No more than a typical guest on this show, I suspect. That's right. Carole Theriault, what's coming up on this week's episode?


CAROLE THERIAULT. Thanks to this week's sponsors, MetaCompliance and Edgewise. Their support helps us give you this show for free. Now, this week, Graham goes after a cookie cock-up whilst James heads to Hong Kong. And I ask a very important question: are IoT TVs all that smart? All this and noodles more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Cookies, cookie, cookie, yum, yum. Hi guys. Yeah, well, what's wrong with that? Everybody loves cookies, don't they? They're fantastic.


CAROLE THERIAULT. I do like a cookie.


GRAHAM CLULEY. But in the world of security, there's something a little less nibble-worthy. A cookie is a small text file downloaded onto your computer or smartphone when you access a website, and it lets the website recognize your device and store information about your preferences or past activity on the site. And to be honest, they're pretty darn useful. It's hard to build a website which is flexible and able to do the cool things it needs to do without sometimes using some cookies. But as I think you've probably heard, they're not always a good thing because they can be abused and they can be used to track people's behavior online and where they may have gone to and maybe provide adverts which may be customized depending on your past website viewing.


CAROLE THERIAULT. Right, and kind of take advantage of your interests without you being in the know that that's what's happening. Although most people now seem to, you know, be aware that cookies do that, don't you think?


GRAHAM CLULEY. I don't know if the typical user— I mean, I think maybe you're inside your own little bubble there, Carole, imagining that everyone's as good.


CAROLE THERIAULT. You know what girls are like.


GRAHAM CLULEY. James, you're not, you're not particularly security— you're not working in the world of, well, at least not computer security. I don't know what you get up to. Not I seem to remember there's some— No, no, no.


JAMES THOMSON. Not directly. No, my technical knowledge is limited. I mean, I suffer from extreme paranoia, but I can't mate that with sort of extreme knowledge. But I have heard of cookies, but if you ask me to explain exactly what they do, I'd be a bit hazy. Right.


GRAHAM CLULEY. Well, not all cookies are used in a way that could identify you, but many are, and that's why they fall under the European Union's General Data Protection Regulation, GDPR.


JAMES THOMSON. Oh my God.


CAROLE THERIAULT. Whoa, hold the front page. Are you actually talking about GDPR?


GRAHAM CLULEY. Well, I'm really trying not to, if at all possible.


CAROLE THERIAULT. Oh, so third paragraph. One minute in, you decide, I can't hold back anymore.


GRAHAM CLULEY. Well, under GDPR and the ePrivacy Directive, which sort of runs alongside it, there are strict rules on how website owners can use cookies and track online visitors from the European Union. For instance, and this is something which I'm sure most people have seen. They go to a website and a little banner pops up, doesn't it? And it says, "Oh, you know, this website uses cookies and you have to agree to this." And you go, "Yeah, yeah, whatever, whatever, agree, agree." Sometimes you might have an option to customize how it's using cookies, but many people will just simply hit that button.


CAROLE THERIAULT. Do you know, I don't.


GRAHAM CLULEY. Well, you're a very strange person. You're a very deviant sort of person. You're not conforming to the norm.


JAMES THOMSON. Deviant?


GRAHAM CLULEY. Well, you know, from what I've heard. It's just, you're not someone who necessarily conforms, are you?


CAROLE THERIAULT. I just, I guess I get a kick out of seeing how everyone tries to apply the GDPR rule to their website, and of course every single site, they're not all completely individually different, but there are a lot of different approaches, which has made the whole environment of consenting or not consenting super hard for average users. So you're right, it is a bit of a minefield.


GRAHAM CLULEY. All I can say, Carole, is you must be a lot of fun at parties. You know what?


CAROLE THERIAULT. I'm excellent at parties, aren't I, James?


JAMES THOMSON. Yeah, very good at pouring drinks.


GRAHAM CLULEY. Anyway, so these cookie popups, they're used by websites and they give visitors the opportunity to give their informed consent. The problem is often they won't actually read the small print, they just click through it. And according to the ICO, which is the UK's data regulation body, the Information Commissioner's Office, you must tell people if you set cookies and clearly explain what the cookies do and why, and you must get consent and consent must be actively and clearly given, right? That's one of the things, I've got that straight from their website. And they also say you need to be confident that your users have taken a clear and deliberate action to give consent. This must be more than simply continuing to use the website, and the consent has to be freely given. Okay, so it's all fairly straightforward, but there's a problem with these pop-up cookie banners, as I've already described. They're really, really fracking irritating, and often users will feel that they've got no choice but just to click past them in order to access the website. It's like, whatever, I've got stuff to do, I'm just going to click, click, click, go past.


CAROLE THERIAULT. I'm a busy man, I don't drink coffee, click, click, click.


GRAHAM CLULEY. Exactly. That's what happens to me.


CAROLE THERIAULT. Mind you, anyone listeners.


GRAHAM CLULEY. That's what happens to me. All of the time. And I suspect many people, I expect few people—


CAROLE THERIAULT. Oh yeah, they're all like you.


JAMES THOMSON. Everyone's like you.


GRAHAM CLULEY. Only weirdos are likely to read the information behind about what the cookies are actually going to be set and what purpose, et cetera. 'Cause we've all got better things to do, haven't we, Carole? So what are the ways in which you can stop these cookies actually tracking you and your online behavior? Well, there is a setting in some of the browsers out there called Do Not Track. And that sends a request to websites asking them very politely to not track you.


CAROLE THERIAULT. Yeah, there's a number of plugins that do that for a variety of different browsers as well.


GRAHAM CLULEY. There are plugins which do it, and there are also browsers which do it as well.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. And the outcome of that is if you have Do Not Track enabled, some websites won't respond by showing you ads which are related to you and the other websites you've visited. But most websites don't change their behavior whatsoever, even if you've enabled that. It's purely up to them whether they actually honor do not track. In short—


CAROLE THERIAULT. Oh, is that true?


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. I didn't know that.


GRAHAM CLULEY. Yeah, yeah. So they can carry on collecting and using your data regardless.


CAROLE THERIAULT. So it's like a request saying do not track. It sounds like it's an imperative, but it's actually a please, would you mind leaving me off the list? And they go, yeah, no, we'll just put you on.


GRAHAM CLULEY. Would you mind awfully, awfully, you know, just ignoring me on this occasion and not collecting my data?


CAROLE THERIAULT. They're like, yeah, no.


GRAHAM CLULEY. Do not track, pretty toothless.


JAMES THOMSON. May I ask a question? Graham, why would anyone want to be tracked?


GRAHAM CLULEY. Well, there might be— I remember actually meeting someone who was, I think she was buying shoes or something like that. And she'd been to a website where she'd looked at these shoes. And then weeks later, she was on other websites and these ads kept on popping up. And her argument was that she quite liked this because it reminded her of the shoes that she'd previously shown an interest in.


JAMES THOMSON. So she wants to use the entire Google Display Network to give her random reminders to buy shoes. I have to say, that seems like a pretty narrow reason to have tracking. I mean, I can see what the benefit is from the company's point of view. They want to be able to see what you're doing on the internet to decide whether you might buy stuff.


GRAHAM CLULEY. But well, if you, if you had the choice, I said, this is their argument. If you had the choice between getting a completely random advert or one which is actually designed for you and is about things which you might be interested in, many people would—


CAROLE THERIAULT. Like some Band-Aids.


GRAHAM CLULEY. Many people—


CAROLE THERIAULT. Savon.


JAMES THOMSON. Gonna need more than that.


GRAHAM CLULEY. A bike helmet.


JAMES THOMSON. Some proper drugs.


GRAHAM CLULEY. That's kind of cool in a way, isn't it?


JAMES THOMSON. Well, I don't know. I mean, maybe I'm the only person on the internet who just doesn't look at adverts, but—


CAROLE THERIAULT. I'm with you 100%.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Yeah. So this fact that Do Not Track is pretty toothless has not gone unnoticed by browser manufacturers. For instance, Apple has now removed the Do Not Track option from the Safari browser, as it didn't actually really do anything. And they said that it was in order to prevent potential use as a fingerprinting variable. In other words, actually having Do Not Track enabled might make it easier for you to be tracked and for it to identify your computer rather than somebody else's. And in its place, Apple are introducing some new technology called Intelligent Tracking Prevention, which they believe will be better. And Firefox— yeah, yeah, Firefox is similarly keen to adopt a similar smarter way to reduce this sort of cross-site tracking. So that's all, that's all good news. Google, meanwhile, they're not really emphasizing all this anti-tracking quite as much. Now, why would that be, Graham? I don't know. It's a mystery to me why the world's biggest advertising company—


CAROLE THERIAULT. Don't they have enough money? I mean, just, gosh!


GRAHAM CLULEY. Anyway, listen, back to these cookie opt-in pop-ups, which I started with. Websites around the world have been petrified and scared into implementing them by the introduction of GDPR and dire warnings from the likes of the Information Commissioner's Office. Just last year, the Washington Post, they were told off by the ICO because they failed to meet the required standards when it came to their cookie pop-up. A recent inspection of 10 major EU institutions and public bodies found that 7 had data protection issues and were either non-compliant with the ePrivacy Directive or failed to follow guidelines. So many firms have been uncertain about the proper way to implement these cookie pop-ups without breaking the rules. And many consultants, as a result, have said to firms, well, why don't you do what the ICO does on its own website and copy them? Right? Because if you copy the guys who are laying down the law, then you're going to be compliant, right? What could possibly go wrong with that?


CAROLE THERIAULT. I think I know where we're going. Okay, carry on, maybe I'm wrong, maybe I'm wrong, maybe I'm wrong, probably wrong. Of course I'm wrong. What would I know?


GRAHAM CLULEY. This week, Carole, brace yourselves, put your seatbelt on, particularly you. James, you actually don't have a seatbelt on a bike, do you? But anyway, I need one. But yeah, helmet, knee pads, because it has been revealed that the ICO itself has been in breach of its very own cookie privacy guidelines.


JAMES THOMSON. Oh my goodness. Goodness.


CAROLE THERIAULT. So didn't the Dutch have to report themselves to themselves for not handling data properly?


GRAHAM CLULEY. Yes. So the Dutch Data Protection Regulation, the UK has joined forces. They suffered a data breach. It appears to be spreading like a virus across Europe. Data protection organizations basically cocking up on a massive scale. A chap called Adam Rose, he is a lawyer at Mishcon de Reya law firm, and he discovered that users of mobile phones visiting the ICO's website did not give explicit informed consent for cookies to be planted on their mobile devices. Instead, the ICO website used implied consent. It just assumed you were happy with it. And according to Rose, the ICO website has probably been failing to reach the required standards since 2011.


CAROLE THERIAULT. Avril Lavigne, anyone?


JAMES THOMSON. Avril Lavigne?


GRAHAM CLULEY. What? I think Avril Lavigne was probably longer ago than 2011.


CAROLE THERIAULT. I was just saying, isn't it ironic?


GRAHAM CLULEY. No. Oh dear, not this again. Cruel, cruel.


CAROLE THERIAULT. It's not her.


GRAHAM CLULEY. It's not her. How many times?


CAROLE THERIAULT. Seriously. They're all the same to me. What does it remind you of, James?


GRAHAM CLULEY. I'm trusting you to actually—


JAMES THOMSON. Someone was talking to me about TikTok, you know, the Chinese short video app. I don't even know what it does, but kids apparently are into it.


GRAHAM CLULEY. Right.


JAMES THOMSON. If you go to the Wikipedia page, somebody is regularly changing it to say that the entire app was designed and created by Kesha, who is an American pop singer who had a hit called TikTok, but is otherwise completely unrelated to the Chinese video app. But I imagine it's created quite a lot of confusion for people who check on these facts on Wikipedia. It's one of those— somebody's obviously decided to take the piss and it's got into people's heads in the same way that Avril Lavigne and Alanis Morissette have somehow become confused in Carole's mind.


CAROLE THERIAULT. They're not the only two. Oh, the stories Graham could tell you.


GRAHAM CLULEY. It's certainly ironic, isn't it, when it's the ICO themselves. Is it? Like rain? Your wedding day? So James, what's your story for us this week?


JAMES THOMSON. As Carole says, we're going to Hong Kong and in particular to ask what all those people there are getting so upset about. Now I know China a little bit, but not very well, but I know Hong Kong a little bit better. I've been there a lot of times and more particularly this last semester, this term just finished, I was teaching an undergraduate exchange student from Hong Kong. And I was interested that she wasn't very politically engaged, at least compared to some of the other students. But the one thing she did know was that she did not want to live under Chinese rules. Now Hong Kong is part of China. I'll go on and explain this a bit later. But on June 4th, a couple of weeks ago, she actually came up to me and reminded me that it was the 30th anniversary of the Tiananmen Square massacre, even though that was an event that occurred before she was born. She's a 21-year-old, I guess, undergraduate. And Hong Kong is the only place in China where events of '89 in Tiananmen Square can even be mentioned, let alone commemorated. And my student knows this because she lives just a few minutes from the border with so-called mainland China. In fact, a lot of Hong Kong is part of the mainland, but there's a border between the two with a passport check. So you need a visa to cross if you're not from Hong Kong or China. Now, over the border, most people her age are barely aware that hundreds or possibly thousands— there's never been a proper investigation of these Chinese pro-democracy campaigners in '89 were killed by their own government. And the Chinese Communist Party has since suppressed all mention of the '89 massacre. Now the interesting thing is that technology, and China is now, as you might know, a very wired place, allows them to do that even more effectively than they could under the old school censorship that was employed before the internet and apps and smartphones came along. And it's a terrific cost.
I mean, the communist system is believed to employ tens, possibly hundreds of thousands of internet censors, but it's achieved near total control over what can be written and posted online, at least within China. And the recent experience of a BBC employee gives a glimpse of how it works from the tech point of view. It's a blog I saw read by Stephen McDonell, who works for the BBC in China, and he uses an app called WeChat, which I'm sure you've heard of. It's the kind of Chinese version of Facebook. I mean, as with Google, Facebook, Twitter, most of these things aren't allowed in China. We can talk about that a little bit later, about how people get around that or try to in China, but in general they're not allowed, you can't use them in China. And so there are equivalents. And in fact, WeChat in many respects is superior to Facebook, at least from the way it's described in this post. I've never used it myself, but I know people who have and they say it's kind of, it's all-embracing. He describes it as Twitter, Facebook, Google Maps, Tinder, and Apple Pay all rolled into one.


CAROLE THERIAULT. Right?


GRAHAM CLULEY. Sounds hideous.


CAROLE THERIAULT. Yes.


JAMES THOMSON. I mean, it doesn't to me, it sounds appalling.


CAROLE THERIAULT. You know what? I think Graham so far would love this because I'm sure there's no consent forms or anything. So it hasn't been great.


JAMES THOMSON. Well, we're about to learn about that because it's more, it's more that they have to consent to you using it rather than the other way around. So, uh, so this guy Stephen McDonell, he, uh, he went down to Hong Kong for the 30th anniversary commemoration in the beginning of June, and he posted some photos from the ceremonies that were held there. And there were about 180,000 people took part in a kind of candlelit ceremony in Hong Kong, and he posted them on WeChat back in China, but he didn't caption them. He didn't describe where they were. He just put pictures up. And he says that several people in China messaged him to say, "Oh, where were you? What was this?" Because you could see clearly the scale of the commemoration and also roughly where it was. And he says, you know, that kind of illustrates to him how few people in China know what June 4th represents. But very quickly, his WeChat account got shut down. And at this point, he entered this kind of Orwellian wormhole, if I can mix my metaphors, in his attempts to get back onto WeChat. And the first message that he got said, "Your login has been declined due to account exceptions. Try to log in again and proceed as instructed," which sounds very much like the kind of chatbot kind of language that you get.


CAROLE THERIAULT. "Your social credit score is down -20." That's right, yeah, yeah.


JAMES THOMSON. "Prepare to be liquidated." But then after that, he says that he got a new message saying, "This WeChat account has been suspected of spreading malicious rumors and has been temporarily blocked." Oh boy. As he said, it seems posting photos of an actual event taking place without commentary amounts to, quote, "spreading malicious rumors" in China. So he says that he was given time to try and log in again the next day, and he said that he was told that he had to agree and unblock under the stated reason of spread malicious rumors. So he basically had to admit that he'd spread malicious rumors in order to get his account unblocked. And then came a stage he wasn't prepared for, and it said, "Face print is required for security purposes." Oh boy. And at that point, he had to hold his phone up, face directly in front of it, so that it could—


CAROLE THERIAULT. Map his face.


JAMES THOMSON. Do a face scan. And then read numbers aloud in Mandarin Chinese, which I guess he can, working in China.


GRAHAM CLULEY. And that presumably is to avoid you using a photograph of someone rather than yourself. So it's actually capturing— So you can't just, I mean, what I would have thought instantly was print out a picture of Piers Morgan and hold it in front of the camera. But having to actually do that—


JAMES THOMSON. Yeah, unless you've got very sophisticated deepfake technology, yeah, you're going to struggle to spoof it.


GRAHAM CLULEY. And the Mandarin might be tough.


JAMES THOMSON. Well, except that he then publishes in his blog an image of the screenshot that he got, which is in perfect English. So even though WeChat caters mainly for the Chinese market, they are pushing this abroad a bit. And so all of these warnings are written in English saying tapping the button means you authorize Tencent, which is the company that owns WeChat, to collect, store, use, and transfer the information you've submitted. So that's your face scan, your voice recording, presumably.


CAROLE THERIAULT. Your messages.


JAMES THOMSON. Well, yeah, I mean, all of that, obviously, all of that's going to God knows who already. And McDonell says, "No doubt I've now joined some list of suspicious individuals in the hands of goodness knows which Chinese government agencies." But then he says, a lot of people said to him, "Why do you go through this? Why did you agree to do all this?" And he says, "Well, everyone has WeChat in China." He says, "I don't know a single person without it. When you meet somebody in a work context, they don't give you a name card anymore. They share their WeChat. If you play for a football team, training details are on WeChat. Children's school arrangements, WeChat. Tinder-style dates, WeChat. Movie tickets, WeChat. News stream, WeChat.


CAROLE THERIAULT. Everything." Banks, getting your bank numbers.


JAMES THOMSON. You pay for everything on this app too. And even though it's regarded as being pretty insecure from a technical point of view, at least he says so. Because all of the data under Chinese law can be sent directly to the Chinese government. Everybody uses it, and if you want to have a normal life in China, then you have to use it too.


CAROLE THERIAULT. Yeah, I've heard the same thing. It's absolutely ubiquitous. It's kind of, if you want to be a functioning part of society, you need to have access to WeChat.


GRAHAM CLULEY. That's what I've been doing wrong.


JAMES THOMSON. Now, going back to Hong Kong, where quite a lot of people have WeChat too, especially if they cross the border regularly. Hong Kong's still got the same legal, financial, and political protections or political freedoms from the days when it was a British colony before '97. And this is the sort of so-called one country, two systems arrangement that was part of the handover agreement. But a lot of people in Hong Kong, and we saw at the weekend around 2 million people came out to demonstrate against a new law on extradition to China, which the government there were trying to introduce. They really worry that they are in danger of losing these freedoms. And that wasn't helped by the fact that during the protests last week, there were violent protests after the police started tear gassing people. The Chinese government appeared to have attempted to take down Telegram, which is a messaging app that the organizers were using to coordinate movement. I mean, it was a pretty impressive achievement to coordinate the movement of half a million people in a fast-moving demonstration. But afterwards Telegram came out and said, "We had a huge denial of service attack on our servers and most of the IP addresses for that attack were Chinese." I actually, I don't know if you saw, I actually loved how they described how the attack happened.


GRAHAM CLULEY. They compared it to an army of lemmings jumping in front of you in the queue at McDonald's, and each of them is ordering a Whopper. And they said the server is busy telling the Whopper lemmings that they've come to the wrong place, but there are so many of them that the server can't see you to try and take your order. And that's how they described a denial of service attack.


JAMES THOMSON. Okay, well, that's a pretty good metaphor, I guess. I've never been attacked by lemmings in a McDonald's, but if that happens, I'll bear it in mind. How do you launch anyway a denial of service attack on a messaging app? And wouldn't Telegram have recognized that if they had a huge number of requests from China, they would be bogus because there can't be that many people in China who have access to Telegram?


GRAHAM CLULEY. Well, it may be. I mean, what happened was Telegram was able to actually prevent the denial of service attack after a relatively short amount of time. It's just a couple of hours. So I'm sure they did respond to it and managed to divert it. Telegram, like any of these online services, will have infrastructure online which has been bombarded with requests, or maybe requests which it's trying to process and which clog it up and thus make the service difficult. And this denial of service, it affected users around the world, didn't it? There were many people who couldn't access Telegram systems while it was going on. I was also very interested to see that the protesters in Hong Kong weren't just using Telegram, they were using another app called FireChat. And FireChat's very interesting because you can use it even if you don't have internet access or even a cell phone connection. Because—


CAROLE THERIAULT. What?


GRAHAM CLULEY. Yeah, I know. It's a— It uses magic. Yeah, well, it uses—


JAMES THOMSON. That's the whole internet, Carole.


GRAHAM CLULEY. So if you are organizing a demonstration and you don't want any risk of people spotting what you're up to and maybe intercepting your communications because they're being sent off to some internet server via chat, FireChat is a system which will communicate with nearby devices also running FireChat using Bluetooth and also will create a peer-to-peer Wi-Fi network. So it's helpful if you've got a lot of people in the same kind of place to communicate with each other.


JAMES THOMSON. Which tends to overwhelm the data through the cell towers as well. So, so if they can reduce dependency on that.


CAROLE THERIAULT. That sounds very cool.


GRAHAM CLULEY. The other thing which I heard the Chinese authorities were doing to try and spot people who were up to no good was that they were actually going to hospitals in Hong Kong and accessing the database of people who had entered with the feeling that if people had been hurt in the trouble, then that is how they would be able to identify people who were in the protest area. Awful. And they had apparently a backdoor into this database, which the hospitals only found out about when the police were using it.


JAMES THOMSON. Well, I also heard that they targeted some of the— I don't know how they know this, but obviously China's got some pretty advanced hacking abilities. They identified some of the people involved in organizing the protest. And picked one or two of those guys up. And basically, once you're inside someone's phone, if you can get into their phone, then you can access the groups that they're messaging to.


GRAHAM CLULEY. Yes, that's right.


JAMES THOMSON. And that's effectively like rounding up a cell or a gang. But apparently on Telegram, you can have groups with hundreds of thousands of people in them. It's not like WhatsApp, which has been limited after it was misused. Just finally, if you want a real life Orwellian fright about where this absurd conclusion that this reaches, there was a report that's also on the BBC website by John Sudworth there, one of their China correspondents, about Xinjiang province in western China where he managed to get into one of these— well, the Chinese call them reeducation centers. Everyone else calls them concentration camps, which they think might hold a million people in this region in western China at the moment. And he gets to talk to some of the people there, but obviously surrounded by minders the whole time. But the quotes from that report, which you can find on the BBC website, are kind of mind-blowing. Chinese officials saying, "Well, we can now tell whether someone's going to commit a crime in advance and so we put them in a reeducation center in order to deter this from happening." It's basically, it is literally 1984. It's basically, yeah, they've worked out that people commit thought crimes and if they can intercept them first, then that's a good reason to lock them up. And that's precisely what people in Hong Kong in the long run are afraid about.


GRAHAM CLULEY. I have to say, James, this is all rather chilling, but I wonder, have you actually thought of the consequences of what you're discussing here because you could I mean, bad as this is, is it not worse that you may have just got our podcast banned in mainland China?


JAMES THOMSON. My God.


GRAHAM CLULEY. Have you thought about that?


JAMES THOMSON. I'm sorry.


CAROLE THERIAULT. Should he be censored too? Is that what you're advocating, that you're worried about your numbers?


JAMES THOMSON. Is that going to put your sponsorship by the People's Liberation Army at risk?


CAROLE THERIAULT. Ignore him. I don't know what he's smoking.


GRAHAM CLULEY. Oh gosh. Carole, cheer us up. It's all been too serious so far. What have you got for us?


CAROLE THERIAULT. I will. I think I will. Okay, so IoT disasters.


GRAHAM CLULEY. Marvelous.


JAMES THOMSON. I've got rogue fridges.


CAROLE THERIAULT. Now, we've gassed about this baby a lot. We've talked about IoT hoovers that break privacy expectations. This was episode 35 and 127. We've talked about smart alarms that fell over due to server issues, episode 100. And we've even mentioned smart baby monitors and smart thermostats.


JAMES THOMSON. But who wants smart babies, honestly?


CAROLE THERIAULT. And even privacy-blundering sex toys has been talked about, episode 52.


GRAHAM CLULEY. I think just about every episode actually, sex toys got a mention, but yes.


JAMES THOMSON. Episode 69, I think was it.


CAROLE THERIAULT. Now the typical sting in the tail when it comes to IoT devices is pretty straightforward. It's crappy security on the device, right? Often there's no way even to update the firmware or even the software on these IoT gizmos. Say, for example, after reading all the research that says it's perhaps not the cleverest idea, you decide to buy a smart fridge. You might find out after a while that you can't update it anymore. Maybe it's not, you know, maybe it's out of date, or maybe they want you to buy a new one.


JAMES THOMSON. Why would anyone buy a smart fridge?


GRAHAM CLULEY. Thank you, James. Thank you. I'm so pleased you're on the show. I was holding back. I thought, no, I can't say it. What's she talking about?


CAROLE THERIAULT. Why would anyone buy a smart fridge?


GRAHAM CLULEY. What a bloody smart fridge. What is the point?


CAROLE THERIAULT. I couldn't agree more, but you know what? Sales are rocketing. So you either, you either try and sell the fridge just to pass on the future vulnerabilities to someone else, neighborly style.


GRAHAM CLULEY. Like Listeria.


CAROLE THERIAULT. Or maybe you try and disconnect the smart features from the fridge and then you find out you've actually bricked the fridge and it doesn't work at all. Or you decide to keep the fridge, which is connected to your Amazon Pantry or whatever, and then it gets hacked and you only find out when the Amazon delivery guy hands you 100 pounds of bleeding tofu burgers. Okay.


GRAHAM CLULEY. I hear all these words and I'm just bamboozled. Where are they all coming from? What does all this mean? Why has the world got so confusing? It's just insane.


CAROLE THERIAULT. I think we can all agree that it's smarter to buy a dumb fridge, right? And I want to look into whether that would be true for TVs as well. And we're going to talk about smart TVs, specifically Samsung smart TVs, because something a little weird happened on Monday this week. And I thought we could noodle on it.


JAMES THOMSON. I beg your pardon.


CAROLE THERIAULT. And speculate to what actually happened.


JAMES THOMSON. Keep my noodle out of this, please.


CAROLE THERIAULT. But first, gentlemen, climb into my time machine. We're heading back to 2015. This is when Samsung got into hot water.


JAMES THOMSON. I've got news for you. It's not even 2010 here yet.


CAROLE THERIAULT. This is when Samsung got into hot water because a Redditor spotted a rather concerning set of words in the then-privacy statement for the Samsung Smart TV. I remember, and according to a Gizmodo article, it said, quote, please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of voice recognition. So let me translate. Basically, whatever you say, we can record and we'll share with any other company or entity we like.


GRAHAM CLULEY. Yep.


CAROLE THERIAULT. Then two years later in 2017, there was a big Samsung scandal where WikiLeaks released documents on CIA malware and hacking tools. And the documents included a scary Samsung TV attack called Weeping Angel.


JAMES THOMSON. Yes.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Weeping Angel was purportedly, well, was created by the CIA, and its job was to infest smart Samsung TVs and basically transform them into covert microphones. Now, I'm guessing the CIA had to create this smart TV spyware because Samsung two years ago was probably forced to take the wording out of their privacy agreement that anyone could get any recording they wanted. They were basically already microphones back then. You're not with me. Have I lost everyone? Is James there?


GRAHAM CLULEY. No, no, I'm here. Hello? Hello?


CAROLE THERIAULT. Hello? Hello?


GRAHAM CLULEY. I didn't want to say anything because there's a TV in the corner of the room.


JAMES THOMSON. Yeah, very wise.


CAROLE THERIAULT. So if things are not bad enough for this, for Samsung, a month after the WikiLeaks scandal in 2017, an Israeli researcher uncovered 40, that's 4-0, zero-day vulnerabilities, each of which would allow a hacker to take control of a Samsung device remotely. Totally. So yeesh, that is what I call being in the soup, right?


GRAHAM CLULEY. For the purpose, for the, why would they take, they'd take this over in order to monitor what you're saying in front of the TV, I imagine, rather than to change channels to watch Bargains in the Attic or something.


CAROLE THERIAULT. Sorry? The CIA, what?


GRAHAM CLULEY. I'm with you, Graham. You said that some Israeli guy found a whole load of vulnerabilities in Samsung TVs.


CAROLE THERIAULT. Yeah, well, because they're built on this, this kind of their own open source. I can't remember what it's called now. Tizen?


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Is it Tizen? Yes. And at the time, especially in 2017, basically this was like the nail in the coffin, many people thought, for Samsung from a security standpoint, because there had been all these snafus in the press. And no surprise, after a shitstorm like this, Samsung needed to pull its finger out if it didn't want to, you know, hemorrhage customer loyalty or lose business and all that. So it started— this is back in 2017— running social and marketing campaigns to design, basically to reassure the customer that the company Samsung was taking security very, very seriously. For example, in one of the articles from 2017, it said Samsung is now offering smart TVs not one but two antivirus engines to detect and contain malware for its platform. Um, so Samsung has what is called the anti-malware vaccine engine, basically a McAfee product that they worked with. So they've been dealing with security for quite a long time. Now fast forward to this past Monday, Samsung Support tweets out this tweet, right? Right.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Now I'll read it to you. Scanning your computer for malware viruses is important to keep it running smoothly. This is also true for your QLED TV if it's connected to Wi-Fi. Prevent malicious software attacks on your TV by scanning for viruses on your TV every few weeks. Here's how. And there's a link to a video, right, on the issue. Right now the press are going a little bit nuts over this tweet, and the reason is because the tweet was deleted. Dum dum dum. So my issue with it is a little bit different. Okay, like, is this 1994? What is with the weekly manual scans of a TV system?


GRAHAM CLULEY. Why couldn't this be automated? If—


CAROLE THERIAULT. Why can't it be automated?


GRAHAM CLULEY. Why can't it automatically occasionally say, I'm now going to scan?


CAROLE THERIAULT. Or it could choose to do it at 3 o'clock in the morning when you're not Or maybe if it's on standby, but while you're making dinner, you could silently update then. I mean, for the love of everything, I didn't understand.


JAMES THOMSON. Yeah, but they get the best conversations when you're having dinner, you see. That's what they want to listen to. If they listen to it while you're using the TV, all they get is some sort of bad version of Gogglebox, some unedited version of Gogglebox. I mean, how boring would that be?


GRAHAM CLULEY. I don't see why anyone needs a smart— First of all, I don't— This whole voice activation thing where you have to shout at them and go, turn up the volume, turn up the volume, you know, turn it down, turn it down.


CAROLE THERIAULT. It's like, no, it's so funny. It's so funny. People with home assistants do that a lot.


GRAHAM CLULEY. Yeah. Yeah. So why, why would you do that?


JAMES THOMSON. But also you've got to, you've got to wait for that instruction to get all the way to, you know, kind of Heilongjiang province for the guy to turn the knob, haven't you? Isn't that how it works?


GRAHAM CLULEY. But why, why, why, why even would you want this integrated into it? It feels like the TV manufacturers and the boy, oh boy, they've made some huge goofs in the past, not just Samsung, but LG, for instance, and others. Others have spied upon what people are watching and doing things like that. It feels like they're making their TVs smart in order to sell them more easily, but I'm not certain that needs to be integrated into the TV because you can get these little sticks, can't you? Which plug into the back, which give you Netflix and Amazon Prime and, you know, look—


CAROLE THERIAULT. Graham, I hate to break it to you, but you know what?


JAMES THOMSON. What?


CAROLE THERIAULT. Apparently, particularly, well, I haven't bought a TV in a decade, obviously not having a— apparently it's really hard to buy dumb TVs now. And one guy I saw on Reddit was suggesting that if people wanted to try and get a dumb TV and were having trouble getting one, one of the ways, one of the ways to do it is to look for hospitality TVs, TVs that are like, say, in hospitals or in waiting rooms.


GRAHAM CLULEY. Break into old people's homes, steal their televisions.


CAROLE THERIAULT. You can still buy them new from manufacturers because it's big business, right? It's a B2B business. But they are, they tend to be a little bit more expensive than the smart TV, if you can imagine it. Now, why did Samsung delete the tweet? So that tweet went out and then suddenly it disappeared and the media went a bit nuts going, isn't this outrageous? And so when I dug into it, I'm thinking, hmm, they've been talking about this pretty openly since 2017 when shit hit the proverbial fan. So why the big deal? And I wanted to see if you had any ideas.


GRAHAM CLULEY. Do you have the answer or are we just guessing?


CAROLE THERIAULT. No, no, it's all speculation.


GRAHAM CLULEY. I'm guessing it got lots of attention and many people saw it during the time when it was online and they suddenly thought, shit, everyone's going to think that Samsung has a malware problem on its TVs and all the other TVs don't have this problem. And it's like, we didn't really need to do this. We could have just left it as a knowledge base article.


JAMES THOMSON. What, instead of issuing a tweet, which according to this image got 203,000 views, which isn't bad.


CAROLE THERIAULT. Bad.


GRAHAM CLULEY. No, they've done great.


JAMES THOMSON. I thought all publicity was good publicity.


GRAHAM CLULEY. Truly a viral tweet. Yeah.


JAMES THOMSON. Okay.


CAROLE THERIAULT. Do you want to hear it with my conspiracy hat on what I think happened?


GRAHAM CLULEY. Okay, go on. Put the tinfoil on.


CAROLE THERIAULT. I think they have a very expensive PR agency who came up with the tactic with the intention to pique the interest of press into covering the need for people to actually manually update and scan their TVs like it's the early 1990s.


GRAHAM CLULEY. Chinese. Oh, you think that they wanted this attention?


CAROLE THERIAULT. I think they— no, I think they want people to scan their TVs.


JAMES THOMSON. So why didn't they leave the tweet up?


GRAHAM CLULEY. So hang on, I just want to understand the full scale of your conspiracy theory here. Okay, over to Oliver Stone. So you're thinking that there's a problem with Samsung TVs and they are desperate for people to scan them, and so they tweeted about how to scan them, and then they decided, well, to get even more attention about the need to scan them, we will remove the message telling people to scan them. Yeah, is that, is that what you're saying? I just want to be absolutely clear about this.


CAROLE THERIAULT. Okay, before you sound with your mocking tone, Mr. Cluley, I think we use that exact tactic a number of times in our PR days where you dribble a little thing out, you know, to the, to the press and make it look like a mistake and pull it back so that they kind of get all their attention. They think they're on to a big winner.


JAMES THOMSON. There you are, listeners. Victoria reveals the dark arts of the PR That was decades ago.


CAROLE THERIAULT. But yeah, I'm just saying.


JAMES THOMSON. Yeah.


GRAHAM CLULEY. Okay. Well, interesting. I will maintain that I much prefer the idea of adding internet connectivity by plugging something into the back because you can just unplug it if it's got a problem, whereas it's much harder to disable if it's built into the TV.


CAROLE THERIAULT. Yeah. So yes, if you have a smart Samsung Smart TV, you might want to put a little pressure on Samsung to pull its finger out. But until then, I think you need to do what they say. I think you need to manually scan for viruses every few weeks. Maybe my recommendation is to stick to dumb TVs.


GRAHAM CLULEY. Is that really that big a problem about TVs getting infected? I mean, I know it's happened from time to time, but it's very, very isolated instances, isn't it?


CAROLE THERIAULT. Well, I wonder— okay, speculation hat or whatever, conspiracy hat on once again— maybe they have been communicated, contacted by a responsible researcher who has found vulnerabilities inside this and they are actively working on them, but we're not going to know until it's actually fixed in the source code. And until then, they're telling us to—


GRAHAM CLULEY. Or so they should just roll out a firmware update to the affected TVs, because I imagine they are downloading updates from the internet occasionally, one which periodically scans for malware using the engines which it's built in, I'd think. Crazy. Anyway, crazy.


CAROLE THERIAULT. Just be aware that, I guess, the takeaway, you've got IoT devices in your house, make sure you keep them up to date. If you can't, get rid of them. That's basically it. Thank you.


JAMES THOMSON. Do you remember when there were only 4 channels on TV?


GRAHAM CLULEY. Yeah, I remember less.


JAMES THOMSON. Well. Fewer even. Boom!


GRAHAM CLULEY. So Carole, imagine a hacker has gained access to one of the computers inside your organization.


CAROLE THERIAULT. Dun dun dun.


GRAHAM CLULEY. And of course they're going to take advantage of any flat networks and ineffective security controls to try and move laterally towards their intended targets, which is going to be all that juicy data your company collects.


CAROLE THERIAULT. Gotcha. Yep.


GRAHAM CLULEY. Right. Now, traditional solutions, they often find it difficult to reliably distinguish between legitimate software accessing that data and unapproved applications. Yeah.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Yeah, yeah, yeah. Right. And that's where our sponsor comes in this week. Edgewise is the industry's first zero-trust segmentation platform.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. It has a simple-to-use interface which lets you stop data breaches by allowing only verified software to communicate within your cloud or data center.


CAROLE THERIAULT. Clever.


GRAHAM CLULEY. Yeah, really smart. In a nutshell, Edgewise's data-centric approach makes microsegmentation simpler and more secure.


CAROLE THERIAULT. Okay, I want to learn more.


GRAHAM CLULEY. Well, that's easy. All you have to do is go to edgewise.net and request a trial of their one-click microsegmentation. Oh, awesome.


JAMES THOMSON. Boom.


CAROLE THERIAULT. We also are sponsored by MetaCompliance. Now, MetaCompliance reduce cybersecurity risk by providing a platform for training.


GRAHAM CLULEY. Yeah, they do online training. They've gamified it. It's animated e-learning. Teaches you and your staff all about the risks of phishing and other threats which may impact them inside business.


CAROLE THERIAULT. And best thing, it's not boring.


GRAHAM CLULEY. No, not boring at all. You learn everything. GDPR, malware, data security, password safety. You can grab it all and save yourself a ton of cash because you're a Smashing Security listener. Go to smashingsecurity.com/metacompliance.


CAROLE THERIAULT. On with the show.


GRAHAM CLULEY. And welcome back. Can you join us on our favorite part of the show? The part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week? James.


JAMES THOMSON. Oh, am I supposed to say that? Pick of the Week.


CAROLE THERIAULT. Such a professional.


GRAHAM CLULEY. Every week, every week we have to wrap it. Okay. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. And my Pick of the Week this week, well, it is a little bit secure. It kind of is because it's about GDPR. No, it's about hacking and things. So, but it's also more than that. It's political because you may remember a couple of months ago that our good friend, Mr. Mueller, uh, released his report into the meddling by Russian hackers, uh, into the US elections. And, uh, have you read the report, Carole?


CAROLE THERIAULT. No, I have not. Have you?


JAMES THOMSON. I have.


GRAHAM CLULEY. Oh, James. Excellent.


CAROLE THERIAULT. Not, not all 448 pages, but I've, uh, Well, you can listen to it, can't you now?


GRAHAM CLULEY. You can download— I think you can download it as an—


CAROLE THERIAULT. I think a bunch of Democrats actually read it, and now you can actually go listen to it being read.


GRAHAM CLULEY. Get it as an audiobook. I do. I have downloaded it into my Kindle, but I haven't read it all. But I discovered today a video which is about 28 minutes long by the wonderful people at PBS, the American Public Broadcasting System. And they have basically condensed the report down to its key findings. It's less than half an hour, as I say.


CAROLE THERIAULT. We trust them.


GRAHAM CLULEY. Well, I do, because they're PBS. They're like—


CAROLE THERIAULT. I know, they're pretty good.


GRAHAM CLULEY. And it's done in a very straight, non-sensational way, and they get to the skinny of what the report did and did not say. So if you've been— if you're fed up with all the grandstanding by the left and by the right as to what it said and what it didn't say and blah, blah, blah, blah, blah, blah, blah, blah, I'd recommend going and watching this video. I thought it was a good way to spend half an hour, and you can be clued up as to what the main points are and the truth as to what was said and what was not said in that report.


JAMES THOMSON. I have a question.


GRAHAM CLULEY. Yes.


JAMES THOMSON. In the PDF of that report, the 448-page PDF, which is a searchable PDF, you cannot search for about President Trump's profanities. Is it possible to kind of selectively reference the text in a PDF? I guess it must be, because there's one bit where he famously says—


GRAHAM CLULEY. I'm fucked.


JAMES THOMSON. Exactly. I wasn't going to say that, but yes, he did. And of course, that was the first thing that I looked for, and it doesn't find it. You have to know where it is and find it on the page. But other text is searchable. So I don't know whether those guys at the FBI are extremely careful.


GRAHAM CLULEY. Well, I heard the initial release of the report wasn't searchable. It was something that had to be sort of rescanned in and the Washington Post and whoever else had to use OCR technology to try and make it searchable.


JAMES THOMSON. Because it was just a hard copy.


GRAHAM CLULEY. Something like that, wasn't it?


JAMES THOMSON. But it could have been. Yeah.


GRAHAM CLULEY. At least they've redacted it properly. There've been plenty of occasions where PDF documents haven't been properly redacted.


JAMES THOMSON. They used an old felt tip pen and you could read through it. Something like that.


GRAHAM CLULEY. Anyway, so that is my pick of the week. Good way to spend 20 minutes, and then he can appear terribly clued up without having to read all 448 pages. James, what's your pick of the week?


JAMES THOMSON. My pick is a YouTube rabbit hole, which is not your PBS video. I'm sure that's very good, but this is, you know, those videos of insane driving in Russia. I don't know if you've ever seen those on YouTube. I mean, it's an acquired taste, but it is truly—


GRAHAM CLULEY. So what are these? What do you mean insane driving? What's—


JAMES THOMSON. These are just video dashcam videos and, and kind of traffic camera videos of people driving in—


CAROLE THERIAULT. Car crash TV, literally?


JAMES THOMSON. It is basically car crash TV. The Russian version of car crash TV is 1,000 times more baroque than anything you've seen on Lights, Camera, Action. So that's the insane driving. Well, check out the pavement— the action, I was going to say, on the pavements or sidewalks, because I know some of your listeners are in America, because that is equally hair-raising. For about 10 years now, there's a group of young people calling themselves Stop Ham, and ham means something like kind of asshole in Russian. And they've been literally—


GRAHAM CLULEY. Hang on, you're saying Graham means grey asshole? Is that what you're saying in Russian? My name?


JAMES THOMSON. Stop Ham, not Graham.


GRAHAM CLULEY. No, but half of my name is ham.


JAMES THOMSON. You're right. Yes, I'm afraid so.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. So grey asshole.


JAMES THOMSON. But as long as you don't aspirate the H, I think you're okay. No, no, you're not.


CAROLE THERIAULT. I would never have tied those together either.


GRAHAM CLULEY. You did that all by yourself.


JAMES THOMSON. Yeah, no, I didn't even think of it. I may have thrown that in otherwise.


CAROLE THERIAULT. Yeah, no thanks, Ben.


JAMES THOMSON. So for almost 10 years, a group of young people calling themselves Stop Khum and Khum for gray asshole. Oh, gray khum. That means something like asshole in Russian. Have been literally laying themselves on the line to combat arrogant drivers and inconsiderate parking on public pavements. Now, in most places around the world, this wouldn't be considered massively controversial, but in Russia, this is enough to start a small war. I mean, and really, these guys— I won't go into the politics of this. I mean, the politics of cars in Russia is very complicated. And these guys apparently started off from a kind of pro-Kremlin youth movement called Nashi, which have got a very bad reputation. But that aside, the stuff they do in these videos, which is basically trying to get people not to use pavements as motorways, is— well, you wouldn't think that that was controversial, but in Russia it is, it turns out. And the tactics they use, I won't go into it now, but you'll get the idea when you watch a couple of these videos, but they're very, very smart, nonviolent, but it requires enormous cojones. So they get abused by irate drivers in every episode. There are billions of episodes.


GRAHAM CLULEY. So what are they doing? What are these pedestrians doing to drive the drivers crazy?


JAMES THOMSON. Well, what they're doing is they're stopping the drivers from driving it down the pavement, because in Russian cities, this is a way that you— when there's traffic, you just drive on the pavement, basically. Or if you want to go and park outside your block, rather than driving around the block, you just drive straight across the garden run through it.


CAROLE THERIAULT. Yeah.


JAMES THOMSON. And so these guys basically put themselves in front of the cars. They just stand in front of the cars and dare these people to run them over, and they film it as well. And then of course there's an altercation, and these people get very irate about the fact that they've been stopped from just driving down the pavement.


GRAHAM CLULEY. And, um, you're recommending basically snuff movies?


JAMES THOMSON. No, no, no, occasionally it gets very heated, but no, they don't. And a couple of times these guys have had people pull guns on them, but, but there's none of that, none of the kind of the, the, the, um, kind of people getting or anything on this.


CAROLE THERIAULT. Was it Venezuela? Uh, somewhere in South America, and there were traffic issues. No one was paying attention to the laws, the traffic lights, or anything, and the city hired mime artists to, to basically poke fun at anyone who broke any of the standardized laws. And apparently it worked a treat.


GRAHAM CLULEY. Well, the irony being, if there's one person you do want to run over, it is a mime artist.


CAROLE THERIAULT. You get them all at once.


JAMES THOMSON. It's Marcel. Bloody Marcel.


CAROLE THERIAULT. Yeah, but my Hundreds of them, hundreds of them, right? And they would all mock you if you, you know, say they didn't stop at the red light properly.


JAMES THOMSON. Yeah, I don't think that would work.


CAROLE THERIAULT. I'll find a link and I'll put it in the show notes.


JAMES THOMSON. Well, that's a nice idea, but I just, I don't think that would work in Russia, I'm afraid.


CAROLE THERIAULT. Or do you think this would work?


JAMES THOMSON. Well, it does work, but you'll see why when you read, when you, because the bravest one stands in front of the vehicle, then another guy talks to the driver in a very polite way, and then they get a load of abuse or they jump out of the car and try and attack them. But then there's a bunch of others of them filming it. And then if they really refuse to back down or they try to drive through, they put one of those stickers, a huge sticker on the windscreen, one of those ones that's impossible to get off. Yeah. That basically says, "I'm an asshole." And then these guys have to then drive around, either spend an hour trying to remove the sticker or drive around town with this enormous sticker on their windscreen saying—


CAROLE THERIAULT. So, yeah, watch the video to learn about car vigilantes.


GRAHAM CLULEY. I'm watching one of these right now and they've put this enormous sticker on this woman's car and she's struggling to peel it off. It's like one of those, you know, when you get a sticker on a book and sometimes they come off nicely and sometimes, and these stickers don't come off easily, do they?


JAMES THOMSON. No. And when these guys do something, when these guys do something really kind of aggressive or angry or try to run one of these kids over, basically they go, right, that's it. And they paper the whole vehicle. And so basically you see these guys driving, I mean, but they do it on the window so they don't damage the car. That's the kind of the cute thing about it. Anyway, like I say, it's a YouTube rabbit hole, and once you start watching these, you'll end up kind of, yeah, watching more.


GRAHAM CLULEY. Thank you very much, James.


CAROLE THERIAULT. At your own risk, listeners.


JAMES THOMSON. Yes, you're welcome.


GRAHAM CLULEY. Carole, what's your pick of the week?


CAROLE THERIAULT. Okay, heads or tails, James, because I have two. Oh, and I'm gonna choose one in the interest of time.


JAMES THOMSON. Tails.


CAROLE THERIAULT. Tails. Okay, so I yacked about smart TVs earlier, and James, you don't have a TV. I don't think you've had a TV for the 20 years that I've known you.


JAMES THOMSON. No, probably not.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. And so this one's for you.


JAMES THOMSON. Ironic considering I used to work for a TV station. But anyway, yeah.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. So this one's for you. And Graham, I know this will be an earbag to. So welcome to ihavenotv.com. This is a curated list of documentaries. There's a list of categories and there's quite a lot of content, about 3,000 documentaries, um, lots of topics like from physics, environment, design, art history, history. So this morning I was watching one and, uh, this guy was talking about how if you want to get over anxiety, if you have anxiety over something you're going to do, like say next time you have to do a talk, Graham. Right? And you're all nervous, right? Because you've only been doing them for 30 years, right? But you still get a little, little knee knocking, I'm sure. Okay, a way to get around that.


GRAHAM CLULEY. I try to avoid doing that just before a talk to conserve my energy.


JAMES THOMSON. No knee tremblers before the talks. You're like a boxer, right? Yeah, go on.


CAROLE THERIAULT. So apparently what you're supposed to do is rather than tell yourself that you're going to be great, pretend you've already completed the task and it was awesome.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. So you kind of go, "Oh, it was the best talk ever. I rocked it. They were dying of laughter. That was awesome." And apparently, it tricks your brain into thinking that now it's okay, not scary anymore, and you perform much better.


JAMES THOMSON. Yeah, but by then, you'll be halfway through a bottle of Jack Daniel's.


GRAHAM CLULEY. Well, the danger is that I've convinced myself I've given the talk, and I'm actually now on a tube going home thinking I've done it.


CAROLE THERIAULT. Anyway, there's lots and lots of different shows and documentaries, a variety of lengths. You can go in and get something for about 3 minutes, or you get something for an hour and a half, more long form. Anyone who likes to learn, I'm sure will enjoy it. Check it out. IHaveNoTV.com. That's my pick of the week.


GRAHAM CLULEY. So these are like curated documentaries and things from YouTube or something?


CAROLE THERIAULT. A curated list of documentaries.


GRAHAM CLULEY. Very good.


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. Fantastic.


CAROLE THERIAULT. I think you'll enjoy it.


GRAHAM CLULEY. I like the sound of that.


CAROLE THERIAULT. I thought you would.


GRAHAM CLULEY. I think James would like that as well, as he doesn't have a TV.


JAMES THOMSON. Yeah, I can, I can catch up on 20 years of whatever I've missed.


GRAHAM CLULEY. Well, I think we've just about wrapped it up for this week, haven't we? James, I'm sure lots of our listeners would love to follow you online or find out more. What's the best way they can get in contact with you or find out what you're up to or anything really? Are there any ways to do that?


JAMES THOMSON. No, I don't, I don't have any of that.


CAROLE THERIAULT. So Graham can't imagine that someone wouldn't want strangers to get in touch with them immediately.


JAMES THOMSON. They can read my column in the Slovak Spectator, but it's behind a paywall, and I don't suppose they're gonna subscribe to it just to read my musings on the state of Slovak cycle paths.


GRAHAM CLULEY. So once you've finished reading James's column in the Slovak newspapers, you can follow us on Twitter as well at Smashing Security, no G, Twitter won't allow us to have a G, and you can also join us on Reddit. Go and find us in the Smashing Security subreddit and you can discuss the show there with your fellow listeners.


CAROLE THERIAULT. And big thanks to our sponsors, MetaCompliance and Edgewise. Their support helps us give you this show for free. So be sure to check out their offers. And thank you, lovely listeners. We wouldn't have anyone to listen to us if you didn't exist.


GRAHAM CLULEY. Is that it? Is it? And on that bombshell, cheerio, bye-bye, farewell, do svidaniya. Right, I have a little boy at my door, so I'm going to hang up.


CAROLE THERIAULT. Okay, bye.


JAMES THOMSON. See you, Graham.


GRAHAM CLULEY. See you. Bye. Bye.


JAMES THOMSON. Chickens to you too.


GRAHAM CLULEY. Chickens. Chickens.

-- TRANSCRIPT ENDS --