Apple is furious with Google over iPhone hacking attacks against Uyghur Muslims in China, DNS-over-HTTPS is good for privacy but makes ISPs angry, and concern over digital assistants listening to our private moments continues to rise.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by web security journalist John Leyden.
Visit https://www.smashingsecurity.com/145 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: John Leyden.
Sponsored By:
- MetaCompliance: People are the key to minimizing your Cyber Security risk posture. MetaCompliance makes this easier by providing a single platform for Phishing, Cybersecurity training, Policy, Privacy and Incident management.
- Go to smashingsecurity.com/metacompliance Promo Code: SMASHING
- LastPass: LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
- But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
- Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
- Recorded Future: For anyone who is baffled by threat intelligence, and the benefits that it can bring to your company, this is the book for you.
- "The Threat Intelligence Handbook" is an easy-to-read guide that will help you understand why threat intelligence is an essential part of every organisation's defence against the latest cyber attacks.
- Download it for free at smashingsecurity.com/intelligence
Links:
- A very deep dive into iOS Exploit chains found in the wild — Google Project Zero.
- Google finds 'indiscriminate iPhone attack lasting years' — BBC News.
- A message about iOS security — Apple.
- Mobile & Tablet Operating System Market Share in China — Statcounter.
- Apple Disputes Google’s Claims of a Devastating iPhone Hack — Motherboard.
- What’s next in making Encrypted DNS-over-HTTPS the Default — Mozilla.
- Firefox DNS-over-HTTPS rollout starts later this month — The Daily Swig.
- ISP trade association backtracks on Mozilla ‘internet villain’ nomination — The Daily Swig.
- Apple apologises for allowing workers to listen to Siri recordings — The Guardian.
- Apple contractors 'regularly hear confidential details' on Siri recordings — The Guardian.
- Almost a quarter of Britons now own one or more smart home devices — YouGov.
- The Bright Side of Humans Eavesdropping on Your Alexa Recordings — Gizmodo.
- Smart Speakers That Listen When They Shouldn't — Consumer Reports.
- BetterTouchTool for Mac.
- The SwigCast — A security podcast from The Daily Swig, featuring John Leyden.
- The Wii — Wikipedia.
- Just Dance 4: Rock Lobster - The B-52's — YouTube.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Privacy & Opt-Out: https://redcircle.com/privacy
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
CAROLE THERIAULT. You know how you always point out my flaws all the time, Graham, right? And like, I don't see them, but you're very, very hyper-aware and you see them and you call them out.
GRAHAM CLULEY. And it's a better world because of that, Carole. Yes, right. No one ever mentioned these things.
CAROLE THERIAULT. Exactly.
GRAHAM CLULEY. We'd never progress, would we?
CAROLE THERIAULT. Thank God for you. So yeah, I agree.
JOHN LEYDEN. Thank God for both of you. Good grief, I'm having to mediate already.
UNKNOWN. Smashing Security Episode 145: Apple and Google willy-wave while home assistants spy, with Carole Theriault and Graham Cluley.
GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security Episode 145. My name is Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And we're joined this week by returning guest, it's web security journalist John Leyden. Hello, John, how are you?
JOHN LEYDEN. I'm very good. How are you, Graham?
GRAHAM CLULEY. Oh, you know, I've been better, but no, I'm serious, I'm fine. I'm fine.
CAROLE THERIAULT. You're not fine. What's wrong?
GRAHAM CLULEY. This has been going on for a week, everybody.
CAROLE THERIAULT. Seriously, I've talked to him a number of times, and this is the tone. I'm like, hey, Crawl. And he's upset with me. He blames me. And Graham, tell them.
GRAHAM CLULEY. Not completely.
CAROLE THERIAULT. Tell them what happened.
GRAHAM CLULEY. Well, I was in the shower, and as you know, I listen to podcasts in the shower. Not with earphones. I put my phone up on a little ledge out of the way of the water.
CAROLE THERIAULT. In the steam.
GRAHAM CLULEY. And yes, in the hot, hot steam of my shower. And let's not paint too much of a picture. And then suddenly my phone sort of went, "Brrr, brrr, brrr." A phone call? Right, a phone call, but specifically the noise of someone FaceTiming me.
CAROLE THERIAULT. With video?
JOHN LEYDEN. This has happened before.
GRAHAM CLULEY. Well, we have had problems before with my phone in the shower randomly FaceTiming Graham.
CAROLE THERIAULT. This is still your phone in the shower?
GRAHAM CLULEY. Yes, but on this occasion it was you FaceTime videoing, not FaceTime audio. Why you would ever, Carole?
CAROLE THERIAULT. Okay, let me give my side. So, uh, the day before, I've made friends with a robin. I wanted to show Graham my little— I wanted to show Graham my little friend robin, right? And I put it on FaceTime and called him so he could see my robin friend.
GRAHAM CLULEY. I think you should make clear that you're talking about robin as in a bird rather than something else, right?
CAROLE THERIAULT. Yes, not, not a bird woman, like a little, a little, a little fly thing, because it's not some imaginary human.
GRAHAM CLULEY. It's a really tiny little cute bird that we're making friends with.
CAROLE THERIAULT. Anyway, and whatever, it didn't work out, forgot about it. Next day when I'm calling him just about podcast stuff, I press the FaceTime because that's at the top of the list, it's the last phone call I made on FaceTime. Normally I call FaceTime audio, but no, goes into video mode. So there I am about to call Graham and it's like 9— I don't want to be on video either, I assure you, okay? I did not want to be on video. So I try and cancel the call, but no, my phone goes into freeze mode. And there was no exit button. So then I'm pressing dramatically, very quickly, trying to turn the whole phone off, the system off, by keeping the shut-off button on for 5 seconds and then to swipe off.
GRAHAM CLULEY. But meanwhile, I'm trying to cancel the call as well with my wet fingers all covered in soap in the shower, whereupon the phone slips out of my hand, falls down into the tray of the shower with the camera facing upwards at my body.
CAROLE THERIAULT. I love that you thought I would look at that.
GRAHAM CLULEY. And I was thinking, well, What do I do now? What exactly am I broadcasting to Carole at this point?
CAROLE THERIAULT. Graham, pinky swear I would always avert my eyes in that situation.
GRAHAM CLULEY. Anyway.
CAROLE THERIAULT. You can count on me.
GRAHAM CLULEY. My phone has not been the same since. In fact, I've not been the same since either. And the phone is no longer working. And so anyway, I'm not completely blaming you, Carole.
JOHN LEYDEN. Did you put it in with some dried rice to—
GRAHAM CLULEY. To be honest, John, it's not so much— I don't actually think it's a water issue.
CAROLE THERIAULT. He's talking about your phone, Graham.
GRAHAM CLULEY. Right.
JOHN LEYDEN. Yes, thank you for that, Carole.
GRAHAM CLULEY. Carole, what's coming up on the show this week?
CAROLE THERIAULT. Thanks to this week's sponsors, LastPass, Recorded Future, and MetaCompliance. Their support helps us give you this show for free. Now, on today's show, Graham talks about Apple vulnerabilities. John will be making sense of the following acronym: DNS over HTTPS, or DoH. And I will be revisiting the land of smart assistants. Is it time for Graham and me to give in and get one? All this and loads more on this epic show of Smashing Security. Just wait.
GRAHAM CLULEY. Now, fellows, fellows, I want to talk to you today about, well, there's been a bit of a ding dong going on. You may remember last month, Google security researchers, the security wonks at Project Zero, they warned of a hacking group that had made a sustained effort to hack the users of iPhones.
CAROLE THERIAULT. Cybersecurity experts at Google discovered a plot to hack a massive number of iPhones over a two-year period. Researchers found a group of hacked websites that exploited vulnerabilities in Apple software that would have given hackers access to users' contacts, photos, and location data. And Google says that the group that were behind this were there for about two years, a minimum of two years, they believe. And we just don't know what the scope of it is at this stage. But what's quite scary is how we're only finding about it now.
GRAHAM CLULEY. Now, in what could be one of the biggest attacks on iPhone users ever, Google has warned malicious hackers have been monitoring data of iPhone users for years without being discovered.
JOHN LEYDEN. We don't know who did it, what they took, or who was infected. But for two years, this attack had the potential to take, well, everything.
GRAHAM CLULEY. So Google, they thought it was right to warn people, warn iPhone users about this, because it'd be really bad if some organization knew what you were doing on your phones, what websites you were visiting, who you were chatting to, uh, all that information. If that ended up in someone else's hands—
CAROLE THERIAULT. Oh really, Google would have a problem with that, right? Is that— is that okay? Yeah, no, no, you're right, absolutely.
GRAHAM CLULEY. That's right. I mean, Google would say, hey, that's our job, right? Hands off, right? That's for us. For us to collect, not for some state intelligence agency to gather instead. But seriously, according to Google, the unnamed hacked sites received thousands of visits per week. So it's no wonder the media went crazy about it. Everyone was talking about new iPhone hacking danger. So Apple released a rather snotty statement, which really made them sound rather pissed off with Google. They said, first of all, you know, Google's post, which was issued 6 months after we patched iOS against this problem, creates the false impression of mass exploitation to monitor the private activities of entire populations in real time. And Apple even said that Google was stoking fear amongst all iPhone users that their devices had been compromised. This was never the case, said Apple.
CAROLE THERIAULT. I don't think that's an unfair statement from their point of view, but I also understand from Google's point of view, whose researchers found these vulnerabilities, right? They want to get their 15 minutes of fame. And they waited for those patches to be put in place. And then they want to do a little tap dance to say, hey, we found this, we helped. So Apple shouldn't be kicking them in the shins for that.
GRAHAM CLULEY. Like I said, I think Apple's being a little bit snotty here and their response perhaps isn't great. Apple went on, they said the attack affected fewer than a dozen websites that focused on information related to the Uyghur Muslim community. Now they're a group of people, if people don't know, in East Turkestan. That's a province which was occupied by China back in the late 1940s and is still occupied by China. And they obviously feel persecuted by China about their religion. They're obviously not very keen about China still occupying their country 60 years on. Now, Apple went on. They said, all evidence indicates that these websites were only operational for a brief period, roughly two months, not, they said, two years as Google implied. So there's quite a big disagreement here, isn't there, between Apple and Google?
CAROLE THERIAULT. They're the two big boys and they're having a little bit of a beef, really.
JOHN LEYDEN. I just think that, you know, Apple's trying to set up a bit of a straw man by saying not all iPhone owners were hacked. Which is not really what Google was saying in the first place. They were talking about a highly targeted attack. And to say, oh, it wasn't two years, it was only two months or whatever, neither of them can be trusted because they're both arch-rivals in the very marketplace and discussing the security risks existing. That's the problem.
GRAHAM CLULEY. I think that's part of the problem. And when I compared what Apple said in their statement to Google's original blog post, Apple does appear to take some statements from Google's blog post, and it's almost as though they've recharacterized them? Because you certainly can read Google's blog post to suggest that they're not saying these websites were hacked for two years, that they're saying that the group who were behind the hack may have been exploiting a variety of vulnerabilities for the last two years instead.
CAROLE THERIAULT. Okay, but we can totally imagine that some journalists misinterpreted what Google said in a way that made Apple look bad, and Apple retaliated based on that misinterpretation.
GRAHAM CLULEY. Absolutely.
CAROLE THERIAULT. It happens all the time, right?
GRAHAM CLULEY. I think fundamentally Google hyped this up a bit. A bit, and Apple tried to play it down a bit.
CAROLE THERIAULT. By making noise.
GRAHAM CLULEY. The truth may be, you know, somewhere in between. So neither of them really come out of this smelling of roses. Now, another thing which I thought was, if you were, for instance, the Chinese government and you wanted to monitor the Uyghur Muslim community, would you really target iPhones? In China, Android has about 77% of the mobile and tablet market share. iOS, only around about 1 in 5 mobile owners are using that. So it doesn't really make sense to only target iOS. Chances are that there are also attacks going on right now against Android devices in that community too.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. And we know from past research that iPhone users tend to patch their devices more frequently than Android users. You know, sometimes it's quite hard to get an update for Android, isn't it?
JOHN LEYDEN. That's true.
GRAHAM CLULEY. Often you're very dependent upon the carriers or the manufacturer in order to get an update for Android, and so it can be more difficult to do, whereas because Apple owned the whole infrastructure, it's easier to push out the updates to them. So I think when we look at this case, Apple and Google both screwed up. Google initially, in their blog, should have shared more details of what had actually been seen and who had been targeted to reduce the chances of media hysteria. And sure, you know, the fact that it was being used against Uyghur Muslims doesn't mean it can't be used against anyone else. But even so, they should perhaps have said, this is the community that has been targeted. We haven't seen it anywhere else. But of course, the media just went crazy because they just saw iPhone vulnerability. But I think there's also this real problem, and I don't know if you've encountered this as well, John, this really curious situation where Google are regularly reporting on vulnerabilities in the products of their biggest competitor.
JOHN LEYDEN. Yes, that is one of the questions I had from what you've been saying, Graham, which is, did Google privately disclose this to Apple? I mean, what, what is its motives in putting together this research?
GRAHAM CLULEY. So Google did tell Apple and Apple patched it about 10 days later, and that was months and months ago, but they've now gone public and that's what created this latest media storm, even though anyone who's kept up to date with iOS is protected. From these vulnerabilities.
CAROLE THERIAULT. So what you're saying, there was a responsible disclosure. Apple did the right thing and made, put the patches in place rather than ignore it or put their head in the sand like an ostrich. And then Google went out and tap danced and said, hey, we helped fix this and Apple be better.
GRAHAM CLULEY. Yes. But you know, there's so many shades of gray in between this, isn't there? Because suddenly Google—
CAROLE THERIAULT. How many, about 50?
GRAHAM CLULEY. Google did, suddenly Google did produce some very technical blog posts with all kinds of details. You know, they do do excellent research and you can argue that Apple should have found its own vulnerabilities in the first place, right? It shouldn't have to rely or wait for a competitor to do it on their own dime.
JOHN LEYDEN. No, no, no, no, no. Yeah, that happens all the time. That's a problem is discovered by a third party and—
GRAHAM CLULEY. Well, yeah, it does.
CAROLE THERIAULT. You always point out my flaws all the time, Graham, right? And like, I don't see them, but you're very, very hyperaware and you see them and you call them out.
GRAHAM CLULEY. And it's a better world because of that, Carole. No one ever mentions these things.
CAROLE THERIAULT. Exactly.
GRAHAM CLULEY. We'd never progress, would we?
CAROLE THERIAULT. Thank God for you. So yeah, I agree.
JOHN LEYDEN. Thank God for both of you. Good grief. I'm having to mediate already, listeners.
GRAHAM CLULEY. Anyway, I think Apple could have been politer. They could have thanked Google, even if it had been through gritted teeth. They didn't thank them for finding the vulnerability. They sh— in an ideal world, they wouldn't have had the bug in the first place. And I think also they could have expressed a bit of grumpiness towards China for targeting the Uyghurs. You know, that doesn't—
CAROLE THERIAULT. that sounds a bit odd, charging the Uyghurs. It just does, you know what I'm saying? It's just funny.
JOHN LEYDEN. They've also hacked the Tibetans, if that makes you feel any better. Yeah.
CAROLE THERIAULT. Did you look up how to say it properly?
GRAHAM CLULEY. Goodness, yes, multiple times. And no one agreed. So I hope I've got it right.
CAROLE THERIAULT. So you chose the most—
JOHN LEYDEN. so you—
CAROLE THERIAULT. okay, great.
GRAHAM CLULEY. Look, I—
CAROLE THERIAULT. great.
GRAHAM CLULEY. I think Apple could have done more to bash China for doing this kind of thing. So, but if you have to wonder, you know, that Apple doesn't want to rock the boat when it comes to China either, 'cause that's obviously a huge market for them and maybe they don't want to be too outspoken about this. Anyway, I don't know. I do think there's a little bit of willy-waving going on on both sides between Apple and Google. And I'm not sure we all benefit because of it. I think if someone else finds a vulnerability in your software, even though you may be grumpy about how they've expressed it, you should at the very least say, thank you. For fixing this vulnerability and making our software more secure for our users. Now maybe Google, you can go and look at some of your own software and try and fix some of the bugs in that as well. Mm-hmm. I'm just really saying, can't all these tech companies get along with each other? Wouldn't that be marvelous?
JOHN LEYDEN. It would be great.
GRAHAM CLULEY. When we had problems in the 1980s, Stevie Wonder and Paul McCartney sat down at a piano and played Ebony and Ivory, and we've not had any trouble.
CAROLE THERIAULT. Oh good. Let's bring race into this.
GRAHAM CLULEY. I'm just saying, if it was possible to fix that problem—
JOHN LEYDEN. Race is already in it. That's the whole issue with handshakes. Chinese and wieners.
GRAHAM CLULEY. Yes.
JOHN LEYDEN. Good.
GRAHAM CLULEY. We're spotted.
CAROLE THERIAULT. Thank you for giving credibility.
GRAHAM CLULEY. And Carole Theriault.
JOHN LEYDEN. Oh my goodness.
GRAHAM CLULEY. Together on our podcast. Okay, please go to your sleep. John, what's your topic for us this week?
JOHN LEYDEN. Okay, I'm going to change the subject entirely. I want to talk about an emerging internet technology which we're all going to be hearing a bit more of over time. And it's called DNS over HTTPS, or do— or do— DNS is the technology that's used to resolve the names of websites that people understand, like google.com or Smashing Security, to numbers that computers and routers can understand. And it's a vital technology that was used by web browsers to allow people to surf the web, but also to allow email to be properly directed.
CAROLE THERIAULT. Right.
JOHN LEYDEN. So what's coming along is DOH, which is nothing to do with Homer Simpson's famous catchphrase.
CAROLE THERIAULT. I was waiting for it.
JOHN LEYDEN. Yeah. Neither. I know.
GRAHAM CLULEY. Are we really being expected to call it DOH? Is that— do you know what the official pronunciation is? Because we don't say H-T-O-O-P-S instead of HTTPS, do we? So I'm just wondering, is it really expected that we have to call it DOH rather than D-O-H or something.
JOHN LEYDEN. I, I argue that as a name, I mean, there is no accepted pronunciation, so why not just go for the funniest possible one and have a joke about it?
GRAHAM CLULEY. Fair point. Yep.
JOHN LEYDEN. Okay, so dough, as I'm going to call it at least, neither is anything to do with baking bread, right? Although you might say that it's been proofing for a while. And I'll tell you why we can say that.
GRAHAM CLULEY. This podcast is obsessed with bread baking. I can't believe it.
CAROLE THERIAULT. Oh yeah, not Doctor Who or chess or anything like that. You're right, those are normal.
JOHN LEYDEN. So back to my story.
CAROLE THERIAULT. He's like our dad. He's like our dad. Shut up, kids.
JOHN LEYDEN. Okay, so I'm gonna have to call it DNS over HTTPS. It's been available as an experimental opt-in feature for Mozilla's Firefox web browser since June last year. Now what's happened was that last Friday Mozilla said we're going to make it the default selection, initially only to people in the US, from later this month, late September. And it's also saying that surfers can choose to opt out of it. Now what does it do?
GRAHAM CLULEY. Yes, I was about to say, can you explain what it does?
JOHN LEYDEN. How do you pronounce— we've got, we've got into how do you pronounce it and Homer Simpson or whatever.
GRAHAM CLULEY. The most important stuff Yeah, let's find out what it does.
JOHN LEYDEN. Yes, you have to make these jokes before you get into the meat and bread of the topic. Okay.
CAROLE THERIAULT. Yeah, Graham, calm down. God, cheer up.
JOHN LEYDEN. So DNS over HTTPS, it hides DNS queries inside regular HTTPS encrypted traffic, so that makes it difficult for third parties to either manipulate this traffic, which as I said before redirects people around the web, or to snoop on users.
CAROLE THERIAULT. Right. Gotcha.
JOHN LEYDEN. Okay.
GRAHAM CLULEY. So if you don't have this in place, it's possible for someone naughty to intercept your DNS request and see what sort of websites your computer is looking up.
CAROLE THERIAULT. Yeah, exactly.
JOHN LEYDEN. And the most obvious party that would see what you're looking at would be an ISP.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. Yeah. The service provider.
JOHN LEYDEN. And they're actually one group that was none too happy about this technology. In fact, this summer, the UK's Internet Service Providers' Association went so far as to nominate Mozilla as an internet villain because of its support for DNS over HTTPS. Really? The ISPA was upset because they argued that the technology would impede default filtering of adult content and mandatory court-ordered filtering of copyright violations.
CAROLE THERIAULT. Okay, so basically Mozilla is saying, hey, we will help keep everything you want to do private.
JOHN LEYDEN. Yes.
CAROLE THERIAULT. And the Internet Service Providers Association, or ISPA, were like, whoa, whoa, whoa, how are we supposed to filter for porn and things like that? Like, you're making our jobs so much more difficult. Okay, got you. I'm with you. Carry on.
GRAHAM CLULEY. And I guess some of these ISPs may charge people more money, um, to filter out adult content, or maybe to filter out non-adult content. So you only get a pure 100% filth feed. I don't know what they offer, but, you know, something like that. But I wouldn't even be surprised.
CAROLE THERIAULT. I'm sure that's true. Isn't that sad? I'm sure you're right.
GRAHAM CLULEY. I don't want any clean websites. I just want the really mucky ones. Don't waste my time with the— anyway, sorry, please carry on before I dig this ditch even deeper.
JOHN LEYDEN. So this provoked a bit of a backlash because the internet security community by and large sees, uh, HTTPS, DNS over HTTPS as something that boosts privacy. And it's also good for security. Yeah. So they said, guys, where— what are you coming from describing Mozilla as an internet villain? You know, this is David Blunkett and all the rest of it. These kind of people are normally put in this category of internet villain, and here you are putting Mozilla in this for backing this technology, which everybody thinks is, you know, on the balance of things, quite good.
GRAHAM CLULEY. I don't think anyone is suggesting that David Blunkett, the former MP, former Home Secretary, who of course is blind, Yes, former Home Secretary in the UK. I don't think anyone's suggesting that he's going to visit porn websites or anything like that.
JOHN LEYDEN. Who knows?
GRAHAM CLULEY. Okay.
JOHN LEYDEN. Do they have them in Braille?
GRAHAM CLULEY. So what are other people's beef with this? Is there any sort of downside to encrypting DNS?
JOHN LEYDEN. One thing to say about it is that if DNS is encrypted as a standard, it would mean all the traffic would go straight to a central server under the control of Mozilla or Google or one of its peers rather than the locally held DNS name server. That means that a lot of control over search information and interactivity— it won't be completely hidden, but you'll just be trusting fewer people in the chain. And one of those people in the chain would be Google or Mozilla.
GRAHAM CLULEY. So, right, and do we trust them? Do we feel comfortable having them all in charge of it? So yes, so we're gaining in some ways in privacy from this, but there are other potential pitfalls as well. I don't know, I feel overall I'd quite like to embrace dough. Feels like a step in the right direction.
JOHN LEYDEN. And you need it, Graham, you need dough.
GRAHAM CLULEY. Carole, what's your topic for us this week?
CAROLE THERIAULT. Well, this weekend, the hubs and I were looking after two little people.
JOHN LEYDEN. Oh, sweet.
GRAHAM CLULEY. Sleepy and bashful.
CAROLE THERIAULT. No children, Graham. Now, this was at their new house, and we had a crazy weekend of gaming and eating and bopping around. More on that later. But anyway, this morning we're running around getting them ready for school, and we suddenly hear this AI voice say, sorry, I didn't quite catch that. And we had no idea that there was a device in the house.
GRAHAM CLULEY. Oh boy.
CAROLE THERIAULT. Right. Because normally people keep them in their kitchens, in my experience, or you see them in the kitchens, and then you, you know, to ask about them. I don't know, you just say, oh, okay, there is one. But anyway, I had no idea.
JOHN LEYDEN. And so you go to people's kitchens and check out if they've got a personal assistant?
CAROLE THERIAULT. Yeah, I do.
JOHN LEYDEN. And do you say that I'm just checking to see if you've got a slow cooker oven or something like this?
CAROLE THERIAULT. No, I just say—
JOHN LEYDEN. And then you actually spy for one of these?
CAROLE THERIAULT. No, I just say that my type of conversation may depend on whether one of these devices is active, and I just don't want to bring it up unless I see one.
JOHN LEYDEN. All right, I think it's quite a sensible precaution.
CAROLE THERIAULT. Thank you very much.
JOHN LEYDEN. I never thought of myself.
CAROLE THERIAULT. Well, yeah, well, it turns out it's not stupid because apparently— well, no, you guys guess. How many households do you think have a voice-controlled digital device in the UK? In the US it's about the same in proportion.
GRAHAM CLULEY. I mean, they're getting more— maybe 5%, something like that.
JOHN LEYDEN. I think a lot more than that. I'm gonna go, I have to go higher. I'm gonna go 15.
CAROLE THERIAULT. You're wrong. It's 1 in 4, right? So 25%.
GRAHAM CLULEY. 25%.
CAROLE THERIAULT. You know, to think of how long they've been around, really, in my view, about a few years. I'd say less than 5, right? Bloody hell. And they are now in 1 in 4 households in the UK and the US.
GRAHAM CLULEY. What are people actually doing with these things?
CAROLE THERIAULT. They're going, oh, you know, I want to buy something on Amazon, or I want to know what the weather is, or tell me the news, or play this song.
GRAHAM CLULEY. 'or play this audiobook for my kid.' Do you think people use them for about a week and then the thrill—
CAROLE THERIAULT. No, people use them constantly. In my experience with my, in my huge circle of friends who love these devices.
GRAHAM CLULEY. Yes. Okay.
CAROLE THERIAULT. Now we all know who the three market leaders are, right? Apple, Google, Amazon. While Amazon is definitely the market leader and Apple is trailing behind, they all have different strengths and weaknesses. So one of the big issues that's coming up is these devices recording us when we don't want them to record us. And recently, The Guardian reported that Apple apologized for allowing workers to listen on Siri recordings. And this was all according to a whistleblower. The Guardian wrote, Apple contractors regularly hear confidential medical information, drug deals, and recordings of couples having sex as part of their job providing quality control. That would just be mortifying. Or grading the company's Siri voice assistant.
GRAHAM CLULEY. Imagine doing quality control over someone's sex recording.
CAROLE THERIAULT. It's just— right? It turns out that Apple hired people to grade the quality and accuracy of the Siri requests, and these graders were getting access to some hot information not designed for their ears.
JOHN LEYDEN. Good Lord.
CAROLE THERIAULT. It is disturbing to think that you'd be getting the dirty on with your partner and a Siri-enabled device case, which is grading your performance.
GRAHAM CLULEY. At least, at least the contractor hearing it can't give you real-time feedback.
CAROLE THERIAULT. Maybe they probably can. They just, it's pressing a big red button.
GRAHAM CLULEY. Like, it's a big red button. But you can imagine them saying, left a bit, right a bit. Oh, for goodness' sake, do you want me to come round and do it?
JOHN LEYDEN. Okay.
CAROLE THERIAULT. So according to multiple former Siri graders, 'accidental activations were regularly sent for review.' And we know what these include: illegal acts, Siri users having sex, blah, blah, blah.
GRAHAM CLULEY. So this is when someone hasn't said, 'Okay Google, do my command,' or Alexa, or whatever.
CAROLE THERIAULT. It's really interesting because from what I read, it activates after you say those words.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. But who can prove when you say those words? Right?
GRAHAM CLULEY. Oh yeah, you love a conspiracy theory.
CAROLE THERIAULT. I know, I know, I'm gonna be so fun when I'm 90. I'm gonna be full of them. Okay, um, and what they heard is moot, right? They could have heard someone preparing for an alien landing. They could have heard someone indulging in a kink or eating too many pies. Whatever it was, they shouldn't have listened, right?
GRAHAM CLULEY. Sometimes those things can be combined, Carole. But yes, okay, let's carry on. Let's, let's keep it clean.
CAROLE THERIAULT. Apple apologized and said it will no longer keep audio recordings of Siri users by default, which is a good thing. I think that's good that they've made that decision. Though it does hope that people will opt into sharing recordings with Apple to help improve the system. And as they are not market leader, I can understand that they want to get their skates on and use crowdsourcing to do it.
GRAHAM CLULEY. Yeah, because if it's not the default, most people won't turn on that feature. Well, and from what I understand, Apple's—
CAROLE THERIAULT. I'm freaking not turning it on.
GRAHAM CLULEY. Apple's voice recognition.
CAROLE THERIAULT. No offense, but let me do my job.
GRAHAM CLULEY. They're not as good at it, are they, as Google and Amazon? Siri's not quite there.
CAROLE THERIAULT. But their speaker is hand over— what do you say?
GRAHAM CLULEY. Head over heels?
CAROLE THERIAULT. What is it?
GRAHAM CLULEY. Hand over fist? Oh no, that's another sex. Oh dear.
CAROLE THERIAULT. There's an idiom I want to use, but I don't remember what it is. But they're, like, so way, way better, the speakers on Apple, than on the others.
GRAHAM CLULEY. Oh, are they?
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. Oh, okay. You've been checking them out?
CAROLE THERIAULT. Yeah, I checked them out at the John Lewis, uh, you know, shop. All right, check them all out against each other. And I was a big fan of the Apple speakers. Now, I know it sounds like I'm picking on Apple here, but they are de facto not alone, right? All of them— Amazon, Apple, and Google— have all been exposed for having humans review the audio recordings.
GRAHAM CLULEY. Yes, yes.
CAROLE THERIAULT. And, you know, thank you, whistleblowers, for making people realize that of course that has to happen, because the technology isn't in there. Some people would argue that it's a good thing that humans have to look after this stuff, because it means the machines haven't taken control. But people are trying to test whether or not these devices are actually making too many mistakes, or recording, or kind of sneaking recording, snarfling our secret information. And one of these tests was from Consumer Reports, and it involved 4 differently named Amazon speakers, which were each exposed to the super-talky TV show Gilmore Girls. And the result is that during the Gilmore Girls marathon, the speakers started recording snippets of dialogue 10 times without hearing the correct wake word. And during the audiobook test, 63 false positives happened in 21 hours. So doing the math there, is that a good result? That's like 3 an hour, isn't it?
GRAHAM CLULEY. Oh, I'm sorry. I thought you said the Golden Girls. Oh, how disappointing. I think the Golden Girls would have been much better. Much better. I've never had— actually, you know what, girls?
CAROLE THERIAULT. Oh, it's really— I think you'd really love it, Graham. The softer side of you would love it.
GRAHAM CLULEY. Yeah, not as much as the Golden Girls.
CAROLE THERIAULT. No, Golden Girls is great. You're right, that is a classic. She's still going, you know, Betty.
GRAHAM CLULEY. Good for her.
CAROLE THERIAULT. Now, the, the test showed that Amazon does delete the snippets once it realized the recording was happening in error, they said. But I still find it a little bit kind of creepy, or maybe it's just modern and I need to get with the times. It's hard for me to decide, and you guys are older than I am, so I don't think you guys can really help me on this one.
GRAHAM CLULEY. Well, I wonder.
CAROLE THERIAULT. Good grief.
GRAHAM CLULEY. Well, no, I do question why people need these devices. I can't understand what they actually do with them. I mean, I find it hard to— I think people just buy them.
CAROLE THERIAULT. Imagine you have a young, young baby.
JOHN LEYDEN. Yes.
CAROLE THERIAULT. You're elbow deep in poop and you realize that you really would love to listen to the latest cricket match.
GRAHAM CLULEY. If you're elbow deep in poop, call the fire brigade. Don't call Google.
CAROLE THERIAULT. Now, stories that have, like these, the ones that I've been sharing with you about Amazon and Google and Apple, have sparked some legislation, including a new bill introduced by a Massachusetts rep, and it is called the Automatic Listening Exploitation Act. And it suggests that a company should be fined $40,000 for each recording made without a user's permission.
GRAHAM CLULEY. Hang on a moment.
CAROLE THERIAULT. Yeah. Okay.
GRAHAM CLULEY. The Assistant Learning Exploitation Act.
CAROLE THERIAULT. Automatic listening.
GRAHAM CLULEY. Automatic listening.
CAROLE THERIAULT. A-L-E-A.
GRAHAM CLULEY. I see what it spells out.
CAROLE THERIAULT. I don't.
GRAHAM CLULEY. E-X-A, A-L-E-X-A, Exploitation. I hate it when people do that. What? It says Alexa. That is what his bill is called.
CAROLE THERIAULT. Oh no. I didn't spot that at all. You're so clever.
GRAHAM CLULEY. You're back!
CAROLE THERIAULT. You're back!
JOHN LEYDEN. You were so depressed earlier.
CAROLE THERIAULT. Well done, Bill!
JOHN LEYDEN. Your cosplay skills have come in.
GRAHAM CLULEY. Yes!
JOHN LEYDEN. Genius!
CAROLE THERIAULT. Now, there's a lot of problems with this bill, isn't there? Because one of the things he says in it is exceptions would be made if it was for service improvements, right? So you can just imagine that all the lobbyists for the big three will simply say that everything is for service improvements. Now I'm laughing at this stage, but I think this is one of the first bills on this point. So well done for getting out of the door. Now I don't think this is going to stand, but it's a step in the right direction because I do think we need legislation or legislators at least looking in this area and looking after the services that they're giving to their people that they're supposed to be protecting. So there's a very serious endpoint.
GRAHAM CLULEY. Oh, very good.
CAROLE THERIAULT. Yes. Frown and go, yes, very intelligent.
GRAHAM CLULEY. Yes, very, no, very, very, very good point, Carole. Very good point. I'm glad to have you on the show. I think it's time for our sponsors. They'll be impressed by this sort of deep thinking, won't they? Yeah, very good.
CAROLE THERIAULT. Very good. Hey, what's your password for your email? Do you even know it? I don't. I trust LastPass Enterprise to remember it for me because it's so long, so complex, and so unique. I couldn't possibly remember all my passwords for all my accounts. Let LastPass Enterprise do the hard work for you. Because they take security seriously and they're really responsive. Check out LastPass Enterprise at lastpass.com/smashingsecurity.
GRAHAM CLULEY. Recorded Future provides deep, detailed insight into emerging threats by automatically collecting and analyzing billions of data points from the web. Every security team can benefit from that kind of threat intelligence. Grab yourself a copy of Recorded Future's free handbook, which explains why threat intelligence is an essential part of every organization's defense against the latest cyberattacks. Go and get it at smashingsecurity.com/intelligence. And thanks to Recorded Future for supporting the show.
CAROLE THERIAULT. MetaCompliance, the security e-learning experts, make learning best practice engaging and fun. Through stories, realistic scenarios, the MetaCompliance guys provide animated e-learning and even games like phishing drills to test your knowledge. Plus, these guys get passwords, they get GDPR, they get security, and they've won awards for security awareness. Smashing Security listeners, you guys can get 10% off by visiting smashingsecurity.com/metacompliance and entering the code SMASHING. That's smashingsecurity.com/metacompliance.
GRAHAM CLULEY. And welcome back. And you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
JOHN LEYDEN. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related, necessary.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. And my Pick of the Week is not security-related this week. It is an app. Now, do you remember a few weeks ago we had as a guest Mr. Jack Rhysider from the Darknet Diaries podcast? And there he was.
CAROLE THERIAULT. I got a new mouse because of him.
GRAHAM CLULEY. Oh, interesting, did you? Because there he was crowing about his mouse. So you've actually got that mouse?
CAROLE THERIAULT. No, I use my touchpad. I didn't get one of those, but I took it on the chin that I was making too much noise.
GRAHAM CLULEY. Oh, okay, okay, I see. So he was crowing about his mouse and saying how wonderful it was and how it could do all these incredible things. And I felt a little bit of a pang of jealousy and I thought, I wish my mouse could do all these things. But I didn't want to go and buy a new mouse because I quite like my existing mouse apart from that. So I found a tool. I found a fantastic tool called BetterTouchTool, which I am able to run on the Mac operating system.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. And I'll put a link in the show notes. And Carole, you might be interested in this because you have, you have one of those MacBooks which has a touch bar, don't you?
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. And do you ever think, oh, I wish I still had a physical Escape key?
CAROLE THERIAULT. No, I wish I had my old MacBook, which I loved.
GRAHAM CLULEY. Well, with BetterTouchTool, you can not only reprogram just about everything on your mouse, you can also reprogram your keyboard, you can reprogram your Touch Bar and your touchpad to do all manner of things. So I've got, I've got ways now, I've got like a hyper key on my keyboard, so it's like the equivalent of a different like Command or Alt key. I can get it to run different commands. I can press a button on my mouse and it can do screenshots and and automatically import it into graphic software for editing. It's—
JOHN LEYDEN. Cool.
GRAHAM CLULEY. It is very, very cool and very powerful. The people who seem to particularly like it are people who have re-engineered their Touch Bar on the MacBook. I don't have one of those types of MacBooks, I'm pleased to say, but it does look like you're able to make your Mac a real power Mac, if you want to reuse that term.
CAROLE THERIAULT. I would love someone to do that for me and then explain how everything worked and then made sure I memorized it all. And then called me once a week to make sure I still memorized it correctly.
GRAHAM CLULEY. Well, there are some very, very cool apps out there, Carole, and maybe sometime we should, we should discuss some of the things.
CAROLE THERIAULT. That's what friends are for. That's what I've been told.
GRAHAM CLULEY. That's what friends are for. Anyway, so that is my pick of the week, the BetterTouchTool, and very cool it is too.
CAROLE THERIAULT. Cool. I'll check it out.
GRAHAM CLULEY. Yeah. John, what's your pick of the week?
JOHN LEYDEN. Well, my pick of the week is a podcast, a podcast about technology. And it's a podcast in which an industry veteran with a somewhat curmudgeonly attitude co-hosts the show with a much more articulate, charming, witty Canadian female co-host. Now this is not a meta reference to Smashing Security.
GRAHAM CLULEY. Well, I realized it wasn't Smashing Security when you described the co-host, but anyway, yes, Carole Theriault. What?
CAROLE THERIAULT. See, it's outrageous.
GRAHAM CLULEY. What do you talk— what podcast is this? Is this a rival to Smashing Security, John?
JOHN LEYDEN. It's a complementary podcast. Okay, okay, so I'm talking about Swigcast. It's a new cybersecurity podcast and we're taking a deep, in-depth look at infosec topics.
GRAHAM CLULEY. Hang on a moment.
CAROLE THERIAULT. Who are the hosts, John?
JOHN LEYDEN. It's, it's myself Oh my goodness. At the Daily Swig.
GRAHAM CLULEY. Two weeks running.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. We've had guests shamelessly—
CAROLE THERIAULT. We opened Pandora's box, haven't we?
GRAHAM CLULEY. Of their own podcasts.
CAROLE THERIAULT. It was my fault. Good for you, John. Good for you. You work hard on your podcast. Good. Mention it.
JOHN LEYDEN. You would never hear any self-promotion by any of the co-hosts of Smashing Security.
CAROLE THERIAULT. Right?
GRAHAM CLULEY. No, we would never stoop to this level. So John, the Swigcast. This is a podcast where you sort of look at a different topic each episode, don't you? Rather than the sort of rubbish look back at the week's news that we do.
CAROLE THERIAULT. Yep.
JOHN LEYDEN. We've, we've had two so far and we're, we, I will exclusively reveal the contents of the third one in a moment. The first two were, we, we looked at hacker culture, the representation of hackers in, in the media and what effect that has on, on recruitment and so on and so forth.
CAROLE THERIAULT. Cool.
JOHN LEYDEN. Second, uh, episode, we, we looked at the encryption policy and we had an interview with Bruce Schneier about that.
GRAHAM CLULEY. You had Bruce on?
CAROLE THERIAULT. I can— yeah, I can say I've known, uh, John Leyden for a long time, and the one thing I can say about John is you ask good questions.
GRAHAM CLULEY. Oh yeah.
CAROLE THERIAULT. And sometimes I was on the bad side of those questions.
GRAHAM CLULEY. Yes, sometimes.
CAROLE THERIAULT. So I think it's great that you're doing a podcast. Welcome to the club. Club.
GRAHAM CLULEY. He's always been fair, but he's probing, isn't he? You can't get much past him. That Leyden chap.
JOHN LEYDEN. Gosh, I, I must blush.
CAROLE THERIAULT. I don't— I, I wouldn't say—
JOHN LEYDEN. I would say all the, all the, all the best questions on this particular podcast go with my co-host Katherine Chapman, also of the Daily Swig.
GRAHAM CLULEY. So, and, and she's Canadian as well, is she?
JOHN LEYDEN. She is Canadian.
GRAHAM CLULEY. What is it with these Canadians?
CAROLE THERIAULT. There's two women that are Canadian.
GRAHAM CLULEY. Two women that are Canadian. Extraordinary. And Joni Mitchell. Watch out, we're coming again. Does she do a security podcast too?
JOHN LEYDEN. Well, Taylor Swift does one. Oh, am I getting confused now?
GRAHAM CLULEY. So the Swigcast is available in all good podcast apps, I imagine.
JOHN LEYDEN. Yeah. And there's upcoming one, we'll look at the serious issue of cybercrime legislation and policy.
CAROLE THERIAULT. Cool.
GRAHAM CLULEY. Wonderful. Okay. Fantastic. Uh, Carole, what's your pick of the week?
CAROLE THERIAULT. Very unsecurity related.
GRAHAM CLULEY. Good.
CAROLE THERIAULT. Did I mention I was babysitting this weekend?
GRAHAM CLULEY. You may have once or twice.
CAROLE THERIAULT. Well, okay, so these kids come over to my house pretty regularly, right? And we are not au fait with the consoles and all the latest gizmos, but somehow we have introduced them to our old Wii and made it look like a collector's item. And they love the Wii, right? So when we were going over to babysit, we collected all our Wii games, and I even went up to your house, didn't I? Mr. Cluley, to pick up some old games and stuff from you.
GRAHAM CLULEY. You ransacked some controllers and old games from my house.
CAROLE THERIAULT. Yeah, you know what, thanks for going to seek them out, because I know you have all the latest consoles, but you went for me and I'm grateful. Now, um, I know everyone goes on and on about how sexy the new consoles are and the flashy-ass games, but my pick of the week brings us to the Wii. In 2006, the Wii console was released, and it was and still is awesome. We played, uh, Just Dance and we played some Zelda and it was excellent.
JOHN LEYDEN. No, Wii Sports. I remember the Wii Sports.
CAROLE THERIAULT. Yeah, Wii Sports, exactly.
GRAHAM CLULEY. The tennis was fantastic. The tennis was just brilliant, wasn't it?
CAROLE THERIAULT. Yeah, yeah. Um, yeah, my favorite that we did on Dance 4, I think it was Just Dance 4, we— I did about 5 times, Rock Lobster by B-52s. Seriously, the best song. Yes, it is the best animated exercise class ever. We did a 10-minute jobbie of it. I was sweating bullets. It was excellent. So dig out your Wiis, people. Dust off your old consoles and relive some of the early noughties because it's fun. It's really fun, and you actually get off your ass, which is, you know, a lot of us need to do. So there.
GRAHAM CLULEY. I think that's a terrific pick of the week.
CAROLE THERIAULT. Thank you. It's a great game.
JOHN LEYDEN. It's great. It reminded me of how much fun I had with it.
CAROLE THERIAULT. I'm going to organize a Wii party soon. It's going to be a retro, but it's good.
JOHN LEYDEN. Awesome.
GRAHAM CLULEY. Sounds cool.
CAROLE THERIAULT. You might get invites, guys. I'll let you know.
GRAHAM CLULEY. Well, on that bombshell, I think we've just about wrapped it up for this week. John, I'm sure lots of fellows would like to follow you online. What's the best way to find out what you're up to?
JOHN LEYDEN. Right. So these days I write regularly for the Daily Swig, which is a cybersecurity news site created by PortSwigger, which people will know, the makers of Burp Suite. But if you want me to chat sports or security, then I'm also available on Twitter @jleyden.
GRAHAM CLULEY. And you can find us on Twitter as well, @SmashinSecurity, no G, Twitter won't allow us to have a G. And maybe you might want to support us on Patreon. If you want to support the show, just go to patreon.com/smashingsecurity with a G, and we've got different tiers and goodies to offer you up there.
CAROLE THERIAULT. Once again, thanks to this week's Smashing Security sponsors: Recorded Future, MetaCompliance, and LastPass. Their amazing support helps us give you this show for free. And thanks to you super duper people who listen week in and week out. Check out smashingsecurity.com for past episodes, sponsorship details, and info on how to get in touch with us.
GRAHAM CLULEY. Until next time, cheerio, bye-bye, bye-bye-bye.
JOHN LEYDEN. Totally great pick of the week, Carole.
CAROLE THERIAULT. Thanks, it's so fun. Seriously, it's so worth the money.
GRAHAM CLULEY. Graham Cluley and Carole Theriault making a podcast together harmoniously, choosing picks of the week, which aren't security-related necessarily.
CAROLE THERIAULT. Hahaha.
-- TRANSCRIPT ENDS --