We discuss how Microsoft Word helped trap a multi-million dollar fraudster, how Amazon Ring may be recording more than you're comfortable with, and how teens are flocking to TikTok (and why that might be a problem).
All this and much much more is covered in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.
Visit https://www.smashingsecurity.com/160 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: Maria Varmazis.
Sponsored By:
- LastPass: LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
- But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
- Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Links:
- Senior Manager Of Global Internet Company Pleads Guilty To Wire Fraud — Department of Justice.
- IT exec sets up fake biz, uses it to bill his bosses $6m for phantom gear, gets caught by Microsoft Word metadata — The Register.
- We Tested Ring’s Security. It’s Awful — Motherboard.
- Amazon Ring isn’t even good at pretending to care about your privacy and safety — Fight for the Future.
- Amazon’s Ring to let customers opt out of receiving police video requests — GeekWire.
- Letter to Amazon's Jeff Bezos from Senator Ron Wyden and others (PDF).
- House panel asks Apple, Google if app makers must reveal foreign ties — Engadget.
- U.S. Military Bans TikTok Over Ties to China — Wall Street Journal.
- The Growing Popularity of Chinese Social Media Outside China Poses New Risks in the West — PIIE.
- TikTok Privacy Policy.
- Statement on TikTok's content moderation and data security practices — TikTok.
- Revealed: how TikTok censors videos that do not please Beijing — The Guardian.
- Parents warned to check kids' phones for 15 popular apps used by paedos and bullies to target youngsters — The Sun.
- Dracula — BBC iPlayer.
- Dracula — Netflix.
- Obsessed With... - Dracula - Episode 1: The Rules of the Beast feat. Mark Gatiss and Steven Moffat — BBC Sounds.
- Dracula TV series — Wikipedia.
- The Witcher — Netflix.
- The Witcher Soundtrack - Toss A Coin To Your Witcher Lyrics — YouTube.
- Ricky Gervais 2020 Golden Globe Monologue — Reddit.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff).
Privacy & Opt-Out: https://redcircle.com/privacy
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
MARIA VARMAZIS. You can place them around the outside of your house and also within your own house as like a baby monitor or a nanny cam or whatever you want.
GRAHAM CLULEY. In the bathroom. Yeah.
MARIA VARMAZIS. Yeah. If you like to watch your own family in the bathroom. Yeah. You can do that. And a lot of people said, you know what? That sounds great. They want to do that.
ROBOT. Gives a whole new meaning to livestream, doesn't it? Oh. Smashing Security, episode 160: Snafus, MS Word, Amazon Ring, and TikTok with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 160. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And it's a brand new year of Smashing Security, Carole.
CAROLE THERIAULT. Yes, it's a brand new decade and a brand new year.
GRAHAM CLULEY. Is it? Is it a new decade?
CAROLE THERIAULT. It is 2020.
GRAHAM CLULEY. Oh, is it?
MARIA VARMAZIS. Yes.
CAROLE THERIAULT. Year zero counts.
GRAHAM CLULEY. I don't know. Some people say it has to be 2021.
CAROLE THERIAULT. Yeah, there are.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. It's not hard.
GRAHAM CLULEY. Maria Varmazis, our guest this week. Any opinions on this?
MARIA VARMAZIS. No.
GRAHAM CLULEY. Very sensible.
MARIA VARMAZIS. I just, it's so pedantic. I just don't. Exactly. I can't bring myself to care.
GRAHAM CLULEY. Quite right too. Carole, what have we got coming up on the show this week?
CAROLE THERIAULT. First, let's thank this week's sponsor, LastPass. Its support helps us give you this show for free. Now, Graham tells us how Microsoft Word could be your downfall if you're up to no good. Maria is ringing in the new year with some Amazon home surveillance nightmares. And I'm tiptoeing into the world of TikTok to see what all the fuss is about. All this and loads more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, chums.
MARIA VARMAZIS. Friends.
GRAHAM CLULEY. Well, yes, probably.
MARIA VARMAZIS. Pals, frenemies.
GRAHAM CLULEY. Acquaintances. Fellow podders. I want to talk to you. We've worked at big companies, right? I haven't ever worked for a company which has tens of thousands of employees, but I've worked for fairly big companies.
CAROLE THERIAULT. I know, we used to work for Nortel. That's pretty big.
GRAHAM CLULEY. Did you? Oh, well, yeah, absolutely. And big companies, sometimes there's a chance that one of your staff colleagues might actually be a bit crooked as well. And that really is the essence of what I want to talk to you about today with a tale of Rakuten. You know Rakuten? They're a Japanese ecommerce company. They've got offices around the world, sponsors of the Golden State Warriors basketball team and Barcelona's football team, tens and tens of thousands of employees.
CAROLE THERIAULT. Oh, there you go. Today I learned.
GRAHAM CLULEY. Oh yeah, they're quite a big deal. And they've got offices all around the world, of course. And there's a chance that some of them may be a little bit crook, but of course, let's not be too negative. I think new year, new way of viewing things right. People can also be a great line of defense inside a company, spotting suspicious behaviors and activities.
MARIA VARMAZIS. Insider threats, if you will.
CAROLE THERIAULT. Yeah. Are you kind of saying that the bigger the company, the more likely you might have someone who's up to no good?
GRAHAM CLULEY. Well, I think it's almost inevitable, isn't it? Right.
CAROLE THERIAULT. Well, yes. Okay.
MARIA VARMAZIS. Or, or is it smaller companies have people who think they can get away with stuff? Ah, I don't know.
GRAHAM CLULEY. I actually don't know. Well, we've talked before about this threat known as business email compromise, where baddies will send in bogus invoices to companies posing as suppliers or partners and then tricking firms into paying out sometimes millions and millions of dollars, right? That's a big problem. We've spoken about it. Different companies have suffered from that in the past.
CAROLE THERIAULT. And some of these attacks are really, really sophisticated. You know, we've gone through them and you're like, wow, I probably might have fallen for that one.
GRAHAM CLULEY. They can be very convincing. And I think there are some technological defenses you can put in place, but Ultimately, it's all down to the humans, it's all down to the staff inside your organization to hopefully spot when something a bit dodgy is going on. And the star of our story today is a chap called Hashem Kabej.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. And he joined the New York offices of Rakuten as a Director of Operations in May 2015, eventually went on to become Senior Vice President of Tech Ops and Engineering.
MARIA VARMAZIS. Oh, a nice happy ending there.
GRAHAM CLULEY. Yeah, well, I—
MARIA VARMAZIS. That's— Oh, okay.
CAROLE THERIAULT. President of TOE. Yeah.
GRAHAM CLULEY. Yes. TechOps and engineering too.
MARIA VARMAZIS. VPN.
GRAHAM CLULEY. Yeah, I know that 'cause I was able to look him up on LinkedIn and see a lovely picture of his smiling face up there and sparkling career history. Around 4 months after he was hired by Rakuten, Hashem Kabej received an invoice claiming to come from a supplier called Interactive Systems.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. And the invoice asked for payment for some firewall systems. Which they were gonna put onto their network and plug in to protect the company. And Kabej took a good look at the invoice and he thought, well, everything here seems to be in order. And the invoice related to the purchase of two firewall devices and it referenced their model numbers and serial numbers of firewalls that had been installed in the offices. And so he asked Rakuten's finance team to pay the supplier. Thought, yep, go and pay this company Interactive Systems for this work.
CAROLE THERIAULT. Surely, okay, well, can I have a question here? So, Mr. Kabej is the president of tech ops and engineering.
GRAHAM CLULEY. Senior vice president, yes.
CAROLE THERIAULT. Oh, sorry, he's the senior VP and he— He's the Mike Pence of ransomware security. Yeah, yeah, and he sees an invoice for two firewalls to be installed in his offices and he goes, okay, fine, but doesn't know about them. And I guess that's normal for a big company, probably.
GRAHAM CLULEY. No, no, he's approved it. He said, yep, yep, this is all good. There's nothing wrong. Crew, you're being suspicious. There's nothing to be suspicious of. This is just a normal story of administration and nothing's gone wrong.
MARIA VARMAZIS. It had numbers on it that are official and things.
GRAHAM CLULEY. Serial numbers. There's nothing suspicious here. And over the next 4 years or so, Interactive Systems sent a further 52 invoices for services and tech hardware to Rakuten's marketing offices in New York. Each one, addressed specifically to Hashem Kabej, and he would approve them, and Interactive Systems would get paid.
MARIA VARMAZIS. La-dee-da, sounds great.
GRAHAM CLULEY. Well, there was a slight fly in the ointment, Maria. It wasn't really that great.
MARIA VARMAZIS. What?
GRAHAM CLULEY. Because, because, yes, it would be a rather dull story otherwise. Yes, shock horror. Because Interactive Systems never provided any services to Rakuten.
MARIA VARMAZIS. Get out!
GRAHAM CLULEY. And it never supplied any firewalls or servers.
MARIA VARMAZIS. Scoundrels.
GRAHAM CLULEY. And yet it was paid over the 4 years a total of over $4.5 million of your American dollars.
MARIA VARMAZIS. Wow.
GRAHAM CLULEY. By Rakuten.
CAROLE THERIAULT. You've got to wonder about who's looking at the finances here if $4.5 million was siphoned off.
MARIA VARMAZIS. That's like a one-bedroom apartment in New York. I mean, I don't know.
GRAHAM CLULEY. Yeah, this is a really big company, Carole, and they're spending money left, right, and center.
CAROLE THERIAULT. And here it is, the senior Mike Pence of— So what you're saying basically is if you can write a very competent invoice, you are likely to get paid. Well, by big companies.
GRAHAM CLULEY. Maybe you want to hear a little bit more about what was occurring.
CAROLE THERIAULT. Okay. Okay.
MARIA VARMAZIS. I was going to say, does that track with your experience in freelancing at all? No. Because it doesn't with mine.
GRAHAM CLULEY. Now, you may think it seems odd that Kabej never noticed that this company was being paid, which never supplied the hardware and services to his department. Mm-hmm. And what's particularly odd is that some of Rakuten staff who worked in the data center said they had no recollection of any new firewalls being delivered to match the invoices.
MARIA VARMAZIS. Hmm.
GRAHAM CLULEY. And it was unlikely they would ever need that many servers. There was one order for like 10 new servers, which were described in some of the invoices. Furthermore, they had no recollection at all of Interactive Systems ever coming to the data center to provide the services that the invoices referred to. And as these particular chaps controlled access to the data center, anyone who wanted access needed approval. And these guys who worked in the data center, well, we've never even heard of Interactive Systems. So what is going on?
CAROLE THERIAULT. Okay, so I would say I can see that happening if a company, for example, got a third party to distribute and install something, right? So Interactive Systems works with a distributor who would actually go do the third-party work. That could have happened. But my gut says that your main guy, our Mr. Toe, he's up to it to his neck.
GRAHAM CLULEY. Mr. Hashem Kabej? He's dirty.
CAROLE THERIAULT. He's involved. He's part of the crew.
GRAHAM CLULEY. The toe is up to his neck, you're suggesting, right? Interesting anatomy issue there. So let me tell you what's going on, because a special agent for the US Attorney's Office investigated, and he found when he looked at Interactive Systems' bank account, that the only money that had ever been deposited in their bank account was from Rakuten.
MARIA VARMAZIS. Uh-oh.
GRAHAM CLULEY. They had no other customers. Furthermore, the only payments from the Interactive Systems account were transfers into the personal bank account of one Hashem Kabej. Oh, you see.
MARIA VARMAZIS. Dun dun dun. But you know, if you managed to siphon off $4.5 million, right?
CAROLE THERIAULT. He must be feeling pretty safe. You wouldn't worry about anything.
GRAHAM CLULEY. Over 4 years?
MARIA VARMAZIS. Yeah.
GRAHAM CLULEY. And Kabej was the only signatory on that Interactive Systems bank account, and he had actually registered the PO box number for the company as well. Now, what finally—
MARIA VARMAZIS. No attempts to even hide this, apparently.
GRAHAM CLULEY. Well, it turned out he hadn't done great covering his tracks because an examination of the invoices, remember there's something like 52 invoices just sent over the 4 years. Found that 4 of them had actually been sent in, not as PDFs, as you might imagine, but as Word documents.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. And the Word documents, as you may know if you've used Microsoft Word, they have metadata in them.
MARIA VARMAZIS. Yes.
GRAHAM CLULEY. And it will often reveal the username of the computer which has created the Word document. So in this particular case, these Word documents had the name of Hashem Kabej. Inside them. So the invoices, he was writing the invoices, sending them to himself. He was then approving them, saying, yep, that piece of hardware has been ordered and has successfully arrived.
MARIA VARMAZIS. Totally.
GRAHAM CLULEY. His accounts team to pay the money.
CAROLE THERIAULT. I often find getting people involved in projects slows them down. So why not just do it on your own?
GRAHAM CLULEY. Exactly.
CAROLE THERIAULT. And he doesn't have to share any of it, doesn't have to share in the spoils that he gained.
GRAHAM CLULEY. Exactly. He's doing—
CAROLE THERIAULT. Except he got caught, didn't he?
GRAHAM CLULEY. Well, perhaps, you know, running this shell company, Interactive Systems, and then directly moving from their bank account into his own wasn't so sensible. Maybe he'd have been wiser to get that company, I don't know, to buy property. And then at some later point, the property could have been sold to him or something. I think— Some other kind of scam. There's some other way to launder the money, I'm sure.
MARIA VARMAZIS. Do you think it's a lack of imagination on his part or just it was so brazen 'cause he thought he could just get away with it easily?
GRAHAM CLULEY. I think after years and years, he probably just thought he was never going to get caught. And apparently he acquired a number of different homes. No kidding.
MARIA VARMAZIS. One in New York. Just one.
CAROLE THERIAULT. And was he, and yeah, well, of course, I guess he wasn't paying taxes on these ill-gotten gains, which is a very important thing to do in the States. You still gotta pay taxes on your ill-gotten gains.
GRAHAM CLULEY. And you'd be hard to explain where the money came from, wouldn't it?
CAROLE THERIAULT. Well, that's exactly the catch-22, yeah. Hence you get a— what is it? You get a Chinese takeaway or a laundromat or a car cleaning service.
GRAHAM CLULEY. Now he has now pleaded guilty to wire fraud. He could face a maximum sentence of 20 years, 5 of that for the wire fraud and 15 for sending an invoice as a Word document, which is, of course, a federal crime. I think there's something for all of us to learn here, okay? First of all, you can't necessarily trust all of your colleagues to be doing the decent thing.
CAROLE THERIAULT. They may be—
GRAHAM CLULEY. Oh, good.
CAROLE THERIAULT. Is this the decade of fear and doubt?
GRAHAM CLULEY. No, it's not that. It's just being sensible.
MARIA VARMAZIS. Do you have something to tell us, Graham? Is there something that we should know?
CAROLE THERIAULT. Yeah. I've been trusting you. Maybe I shouldn't. Hmm.
GRAHAM CLULEY. What are you up to? So obviously that. But I mean, also, if you are creating sensitive documents, make sure you're properly redacting them of any information which you wouldn't necessarily want to get out into the world. We've seen plenty of examples of that lately as well.
CAROLE THERIAULT. Are you saying had he not done this Word document stuff, he might have got away with it for longer? Well, is that what dumped him in the soup?
GRAHAM CLULEY. I think that was one of the things which ultimately was his undoing. But there were a number of other problems as well. Certainly registering the PO box number of his shell company in some name.
MARIA VARMAZIS. The Word docs were the cherry on top of a lot of— Stupid, stupid cake.
GRAHAM CLULEY. Yeah. For someone who was involved in the acquisition of security equipment to produce those invoices using Microsoft Word, I think was perhaps a little bit unwise. So take heed, fellows, not to do something similar yourself.
MARIA VARMAZIS. When you're committing fraud, be smarter about it is what we're saying.
GRAHAM CLULEY. Welcome to the Advice on How to Commit Fraud podcast.
CAROLE THERIAULT. A new column from Graham.
GRAHAM CLULEY. A new column.
MARIA VARMAZIS. The 2020 edition. Yes.
GRAHAM CLULEY. Maria, what have you got for us this week?
MARIA VARMAZIS. Not fraud, actually. So do you know what week it is here in the States, aside from apocalyptic and doom week?
GRAHAM CLULEY. No? I think it's every week in the States.
MARIA VARMAZIS. Lately it's been feeling that way. It's— no, it's CES week. Does that mean anything?
CAROLE THERIAULT. The biggest gadget show in the world.
GRAHAM CLULEY. The Consumer Electronics Show. Is that what it stands for?
MARIA VARMAZIS. Yes. Gosh, I'm getting so many press releases from people who think I care about this. I don't really, but you know, please stop sending them to me. So it's the, it's gadget week. Yes. So, um, I thought I would turn my attention for this week's story to one gadget that I see pretty much everywhere, uh, the Amazon Ring camera.
CAROLE THERIAULT. Uh, so this is not the Amazon Ring that has a camera, which I think was shown off at last year's CES. But Amazon's Ring camera.
GRAHAM CLULEY. Sorry, what? What's— That sounds like the same thing.
CAROLE THERIAULT. Don't you remember last year at CES?
GRAHAM CLULEY. I don't understand the difference. What would be the difference between the Amazon Ring with a camera and Amazon's Ring camera?
CAROLE THERIAULT. Are you asking me?
GRAHAM CLULEY. Yes, I don't know. I don't know.
CAROLE THERIAULT. So Amazon launched last year some kind of ring that you wore on your finger.
GRAHAM CLULEY. Oh, right.
CAROLE THERIAULT. That had both a microphone in it. So you could say, hey, Amazon, get me some diapers. Put it on my list or whatever.
MARIA VARMAZIS. And hey, smart speaker, get exactly—
CAROLE THERIAULT. oh, and monitor my everyday.
GRAHAM CLULEY. They did that in a ring?
CAROLE THERIAULT. Yes, we talked about it on the show. You were obviously having a snooze during my section.
MARIA VARMAZIS. This is clearly— they were watching Lord of the Rings, they were like, you know what, that's a great idea. Yeah, we just— let's do something like that except for us. Uh, no, this is not that. This is the, the brand called Ring. And yes, yeah, so, uh, it— in the States it feels like it's getting pretty ubiquitous here, especially in the vaulted suburbs that I live in.
GRAHAM CLULEY. It's basically a doorbell thing, isn't it?
MARIA VARMAZIS. It's a doorbell thing with the camera in it. Yeah, it's a web-enabled camera. And the gimmick, as you guys just mentioned, is usually it's hooked up to a doorbell so you can see who's at your door no matter where you are. So if you're at work and somebody's delivering a package, you can watch them deliver it and be like, okay, here it is.
CAROLE THERIAULT. And presumably you can watch that the person's stealing the package. Right. It's been left outside.
MARIA VARMAZIS. Yeah. Which is a thing. Like a lot of people do have package thieves. So that's a reason. That's a use case. And, you know, Amazon also threw in some completely innocuous facial recognition in there for some good measure.
CAROLE THERIAULT. Oh, thanks guys.
MARIA VARMAZIS. Yeah, so for example, if your mother-in-law is at the door, Ring will go, "Hey, we recognize this person. It's your mother-in-law dropping by." And you can talk to her via the camera's two-way speaker and pretend you're like, "Oh, I'm at the grocery store. I'm sorry, I totally can't come to the door 'cause I'm not home." Even though you're hiding in your living room.
GRAHAM CLULEY. Oh, because it will sound the same.
MARIA VARMAZIS. It sounds the same.
GRAHAM CLULEY. Brilliant.
MARIA VARMAZIS. So it's like you have a doorman sort of thing or a bouncer for your house.
CAROLE THERIAULT. I had a friend once who didn't want to go to work and was trying to fake the phone call in. And her deal was that she was trapped on the side of the highway and couldn't get into London. So the way she did it was in her bedroom, and she had a hairdryer that she was swinging on the cord past the phone intermittently.
MARIA VARMAZIS. That's a lot of work to play that game.
CAROLE THERIAULT. Yeah, to beat cars that were screaming past. So Ring makes these things much easier.
MARIA VARMAZIS. So much easier.
GRAHAM CLULEY. This was your friend, Carole Theriault.
MARIA VARMAZIS. Yeah, it was.
GRAHAM CLULEY. Your friend.
MARIA VARMAZIS. It was friend, your friend. Yes, definitely not your ex.
CAROLE THERIAULT. My friend Loretta.
MARIA VARMAZIS. There you go.
GRAHAM CLULEY. Get back, Loretta.
MARIA VARMAZIS. I should mention that Ring also offers a suite of other web-enabled cameras that all hook up to each other. So you can place them around the outside of your house and also within your own house as like a baby monitor or a nanny cam or whatever you want.
GRAHAM CLULEY. You can follow through.
MARIA VARMAZIS. You'd like to. Yeah, if you like to watch your own family in the bathroom, yeah, you can do that. And a lot of people said, you know what, that sounds great. They want to do that.
GRAHAM CLULEY. Gives a whole new meaning to livestream, doesn't it?
MARIA VARMAZIS. Oh. Can I end my segment now? I want to just end my segment.
GRAHAM CLULEY. Two or three weeks off and I've gotten them all bubbling inside me. I've got to get them out now.
MARIA VARMAZIS. So—
GRAHAM CLULEY. Keep going, Maria.
MARIA VARMAZIS. Yeah, yeah, yeah. So— Uh, web-enabled cameras in your house. We've heard that story before. Crappy IoT baby monitor cameras. We all know that thing. Uh, so Ring has a lot of the same problems in the web-enabled cameras that we've all talked about for years and years.
GRAHAM CLULEY. Mm-hmm.
CAROLE THERIAULT. So is it that their, their security on them is not considered as high as you might expect and people can break the security?
MARIA VARMAZIS. Yeah, it's the same old song that we've heard for so many IoT devices. 'Cause this is not actually the main part of my story. I just need to mention it. Because you would think Amazon behind this product, their security might be a lot better, but there's been a lot of recent headlines that show actually Ring is just about as bad in terms of their own software security practices as a lot of the contenders on the market. So there's been all these sorts of headlines about attackers becoming peeping Toms, shouting abuse at families while they're sitting in their living rooms, and generally being able to spy on like people and children, and often without people knowing that they're even victims. So it's a— We've heard these kinds of stories before about IoT cameras, so it's kind of disappointing that Ring is another one of these examples, but yes. Yeah, and so just put a pin in the fact that Amazon has been asked, what are you doing on the technology side to improve Ring security? Right now, the answer is bare minimum. It offers two-factor authentication, but it doesn't verify logins from an unknown IP address.
GRAHAM CLULEY. Right.
MARIA VARMAZIS. With their reasoning being like, well, you could be anywhere in the world checking on your house. We don't want to keep flagging you every time you log in, but eh.
CAROLE THERIAULT. Yeah, I heard them make an excuse like, oh, well, you're reusing compromised passwords. That's the big issue here. And I'm thinking, well, Amazon, that's a pretty easy problem for you to solve, isn't it? Just basically check against the database and say, please don't use that password.
MARIA VARMAZIS. Yeah. And they're not doing that either, which is like a stupid easy thing for them to do. You know, it's not like they have the largest cloud computing behind them or anything.
GRAHAM CLULEY. Yeah, because I think the average person in the street would expect Amazon's Ring security to be better than all those Chinese knockoff video doorbells that you're able to pick up for $10.
MARIA VARMAZIS. Yep. You would think.
GRAHAM CLULEY. You would think so, wouldn't you?
MARIA VARMAZIS. You would think.
GRAHAM CLULEY. But clearly, yep, it needs to do better.
MARIA VARMAZIS. Yeah, it, it sure does. In the show notes, there's gonna be a whole bunch of links that I'll provide, uh, for you to post, um, that talk about all the things that people have found, or they're going, you know, that you could at least send the user an email if you see, oh, I don't know, the same user with concurrent sessions in two different geolocations.
GRAHAM CLULEY. Right.
MARIA VARMAZIS. Not even an email to the user saying, this is a little funny. Maybe you might wanna look into that. Nope. So yeah, that's surprising. But in addition to all this, the thing that's, I think, most alarming to me and a number of other people is the idea behind Ring is that it's an inexpensive home security system. It's a big disruptor in that field. So the big names are all upset about it. And it's an IoT device, so it can turn on your house lights and a loud siren if you see someone coming up to your house that you don't recognize.
CAROLE THERIAULT. Oh, great. I love the new world.
MARIA VARMAZIS. Oh, yes.
CAROLE THERIAULT. I don't know them. Alarm.
MARIA VARMAZIS. Alarm. 110-decibel siren alarm, actually. Eating. No, no, bust those eardrums.
CAROLE THERIAULT. Oh my God.
MARIA VARMAZIS. Yeah, I think over 130, like literally shattered your eardrums.
CAROLE THERIAULT. I don't like this new world.
MARIA VARMAZIS. So on top of all that, Ring also saves the video of the person walking up to your door, you know, for safety reasons. So you can share this video of the obvious criminal looking into your windows, and you can share it with your neighbors or the cops. And so if you blanket the interior and exterior of your home with all these cameras, you know, you have hours and hours of video of people doing all sorts of things. It's great.
GRAHAM CLULEY. Cool.
MARIA VARMAZIS. So who do you think, who do you think loves this more than homeowners? Wild guesses, anyone?
GRAHAM CLULEY. The police.
MARIA VARMAZIS. The police. The police. They love this. And they know that homeowners are just very happy to offer up any old video of anything if they just ask. Does Nextdoor exist where you are, or is that a US thing?
GRAHAM CLULEY. Oh, I don't know. What, what's Nextdoor?
MARIA VARMAZIS. Nextdoor is a, they market it as a, sort of a social media for, for neighbors. So you have to actually verify your physical address, and then you get added to, um, groups of people that are actually your physical neighbors.
CAROLE THERIAULT. I do know this. It is in the UK. I got a mail, like a mail shot through saying it was in my neighborhood and I could join, uh, but it was a bit— I don't know, I didn't like the way it went about it, so I didn't do it.
MARIA VARMAZIS. Yeah, so Nextdoor seems to be ubiquitous here as well. And I know on many of the neighborhoods that I've been a part of, this Ring camera footage is everywhere. People are always posting videos of, hey, I saw this person like looking at my house for more than one half second than I feel is appropriate. Here's a video of them.
GRAHAM CLULEY. This guy walked by in a loud shirt.
MARIA VARMAZIS. Yes. So here's a video.
GRAHAM CLULEY. It's some unscrupulous person stepping on the cracks in the pavement. Could be dodgy.
CAROLE THERIAULT. It's like, you know, it's like those people that see a car parked on its own somewhere and are convinced that they're up to no good in it.
MARIA VARMAZIS. Or like a van and, oh, that person's definitely a human trafficker.
CAROLE THERIAULT. Exactly.
MARIA VARMAZIS. No, that's not how this works. Yeah, so that's troublesome, of course. And to make it easier for cops to see what's going on in these neighborhoods, Ring has worked with over 600 law enforcement agencies within the United States so they can easily ask for videos in their jurisdictions all within the app. So the Washington Post says that police in those communities can use Ring software to request up to 12 hours of video from anyone within a half square mile of a suspected crime scene covering a 45-day span. Police are required to include a case number for the crime they are investigating, but not any other details or evidence related to the crime or their request.
GRAHAM CLULEY. Wow.
MARIA VARMAZIS. And the Post also notes that there's no restriction on how long law enforcement can keep the videos that they receive.
CAROLE THERIAULT. Well, to serve and protect.
GRAHAM CLULEY. So Amazon have created an app for the cops to basically access Ring footage. Without very much of any hurdle to jump through, or hoop even.
MARIA VARMAZIS. Correct. That's the big thing. So this is hopefully raising some alarms for people going, you know, I'm sure, and actually I've read that these kinds of videos have actually helped people nab folks who've committed real crimes. So I don't want to be totally flippant about like, oh, this is only bad. But you know, what's the recourse for someone who's been captured on video doing something harmless? And then, you know, the police have a video of them forever. Like, what do their civil liberties look like? Like, what are my civil liberties in situations like this? I'm just walking my dog in the neighborhood and my neighbor's got video of me, you know, doing something. I don't know, picking my nose. I don't know. Like, what is that?
GRAHAM CLULEY. An offense where you live, picking your nose?
MARIA VARMAZIS. It certainly is offensive. Well, I just— I'm uneasy with the idea of these videos just being kind of shuttled off to law enforcement under the very thin guise of, oh yeah, crime happened in my vicinity, so let me send you all my video surveillance. So there are some big, big questions around what is happening to this video footage? What about the civil rights of people who are caught on all this footage doing nothing wrong? And Amazon, again, giant company Amazon owns Ring. And so what is Amazon doing with all that facial recognition biometric data of the people that it sees? What is it collecting? What is it doing? What is it storing? What is it thinking with all that?
GRAHAM CLULEY. So if I've understood you correctly, Maria, you're saying that Amazon is helping the police collate an enormous database of people picking their noses and loitering on porches.
MARIA VARMAZIS. That is the fear. So right now, I don't want to say that is what's happening because we actually just do not know. So to get some answers, a number of US senators sent— they have been sending Amazon a number of very official letters, and I included one for the show notes, saying, hey, Amazon, what are you doing with all this? Because there's also some questions about, you know, some of their contractors are based in Ukraine, and that's a whole thing right now in the States. So like, what is that all about? There's a lot of worries about what is Amazon doing with all this data? And also, are we making it too easy for law enforcement to get their hands on all this basically unlimited trove of video surveillance on people in private areas. So earlier this week, so the reason I'm bringing this up now, I promise there's a reason.
GRAHAM CLULEY. Yes.
MARIA VARMAZIS. Earlier this week, January 6th, was the requested deadline for Amazon to let those senators know what their plan was to not just beef up Ring's own software security, which we talked about earlier, but also what they're doing in terms of protecting the civil liberties of folks caught unawares on Ring's videos.
CAROLE THERIAULT. Right.
MARIA VARMAZIS. So the official response from Amazon came in through a press release and it was in a nutshell, Users can now opt out of email requests from law enforcement.
GRAHAM CLULEY. Oh, so—
CAROLE THERIAULT. How?
GRAHAM CLULEY. So if you didn't want the police to view the footage which you had collected on your Ring, you can opt out in advance and say, if the police ever ask for footage from my camera—
MARIA VARMAZIS. I'm not interested in giving it to them.
GRAHAM CLULEY. Oh, well, I imagine lots of people will opt out, won't they?
MARIA VARMAZIS. Oh, right. Yeah. Yeah. So they can opt out.
GRAHAM CLULEY. Yeah.
MARIA VARMAZIS. They can. So remember, it sounds like you're opting in from— default, but you can now opt out. And also Amazon promises that more granular security controls within the software of Ring are coming later this month, but we don't know exactly what that means yet. That's all. That's literally all we know.
CAROLE THERIAULT. Well, they're also the makers of that software called Rekognition with a K, right? Which is basically facial surveillance software that they sell to the cops and have in often public areas, right? And there was some stories about them maybe being used in shopping centers to find illegal immigrants. Like it was all a bit shady, shady. So, yeah, but big money in surveillance.
GRAHAM CLULEY. Yeah, Amazon are big on facial recognition, aren't they? And this potentially, so much information being gathered from people's homes. And I mean, I'm beginning to feel a bit odd because I don't have one of these video doorbells, but it seems more and more people are purchasing them and putting them in and think that they're a good idea.
MARIA VARMAZIS. But yeah, it depends a bit on your neighborhood and how the homes are laid out. But I know where I live, if one of my neighbors had one of these, it would show probably 3 or 4 houses at the same time because our houses are close together. So it's kind of like even if I don't have one of these, if one of my neighbors does, then basically I'm under surveillance all the time and I'm not doing anything illegal, but I'm still just not really comfortable with that. I like privacy. I don't want to think that I'm being streamed all the time when I'm just in my front yard.
CAROLE THERIAULT. I hear you.
MARIA VARMAZIS. So it's just there's all sorts of problems with this for me. I get the convenience of it. I get, you know, package theft is a real problem and people are really sick of it. You know, I understand that. But there's gotta be some oversight here, and I think the senators are going in the right direction by saying, Amazon, have you even thought about this?
GRAHAM CLULEY. That's the thing, isn't it?
MARIA VARMAZIS. The response seems to be no.
CAROLE THERIAULT. Yeah, because if they invade your personal private property, then I think that is an issue. Certainly in some states, that's definitely an issue, right? Because you're allowed to have privacy on your own property, and if the camera's facing and somehow capturing you, but if you're on public property just walking by, it seems now you're— anyone can take a pic of you, right? Anyone can record anything you do.
MARIA VARMAZIS. That— well, that, that seems to be the nutshell version of the laws, as I've understood it in the States.
CAROLE THERIAULT. Happy new decade, people!
MARIA VARMAZIS. Yeah, it makes me feel like there's no hope.
CAROLE THERIAULT. Yeah.
MARIA VARMAZIS. Yay! It's great. Everyone feels fantastic.
GRAHAM CLULEY. Crow, what's your story for us this week?
CAROLE THERIAULT. I just got the best opening act this week. Have either of you guys used TikTok? Have you played with it?
GRAHAM CLULEY. I am over 14 years old, so no, I haven't.
MARIA VARMAZIS. I do not have the app, but I've seen the videos everywhere. I know what it is. I just, I don't want the app on my phone.
GRAHAM CLULEY. I don't even know what it is. Is it like Vine or something?
MARIA VARMAZIS. Yes, it's a lot like Vine.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. Right. Okay, so I didn't know a lot about it either, right? But it seems like many teens, Gen Zs, are like totally hooked, in love with this app. And I kind of did a little recon and talked to some, you know, younger friends in the States, Canada, the UK. All of them have at least heard of it, and most of them use it. Thing is, the app is not considered squeaky clean by everyone. The Wall Street Journal and others reported on New Year's Day that the Army, the Marines, and the Navy have all put the kibosh on TikTok.
GRAHAM CLULEY. Oh, you mean when they're out on active combat now, they're not going to be able to make little videos of them pouting and taking selfies to each other?
CAROLE THERIAULT. Don't think active combat is like you're running around with a gun at all times. There's a lot of times when you're doing absolutely nothing, right? And phones have completely changed that horrible, horrible boredom into something at least more tolerable. But of course, a lot of these apps collect information, which you may not want your armies and Marines and navies to be sending out to different parties.
GRAHAM CLULEY. Of course.
CAROLE THERIAULT. They haven't publicly shared the why, right? They haven't said this is why we don't want these people to use it. So I wanted to do a little digging and check out the TikTok Security and Privacy Pulse, right? Just to see what the big deal was.
GRAHAM CLULEY. Yeah. Is it a US application or is it from somewhere else in the world?
MARIA VARMAZIS. It is not a US application.
CAROLE THERIAULT. Put your brakes on, dude. First I'm gonna tell you what TikTok is.
GRAHAM CLULEY. Okay. Oh, okay. Sorry. Sorry. Yep.
CAROLE THERIAULT. Right, so basically it's like an app that lets you create short music videos. TikTok originally bought Musical.ly. Do you remember that? Musical.ly was like an app in the early noughties, and TikTok bought that app and then allowed you to use the music they bought from that app, and you could overlay or lip sync it to a video. So you'd create a video, and then you would choose the song you wanted to lip sync. You'd have the song playing in the background, and you could show yourself lip-syncing at it.
MARIA VARMAZIS. Amazing.
GRAHAM CLULEY. All right.
CAROLE THERIAULT. That's basically it. The videos go up to about, I think it's a minute or 90 seconds maximum. And, you know, it's a bit like Vine. I would say that was probably where you said that earlier, but it's a bit like Vine. But like, why don't you go take a look? So if you just put in tiktok.com, T-I-K-T-O-K dot com, and then slash trending.
GRAHAM CLULEY. TikTok dot com trending.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. I object at the Ks already. That annoys me. Okay. There's lots of videos here. So I'll just— what, just click on one of these? Oh my goodness, right?
CAROLE THERIAULT. Oh, so what are you seeing? Trying to describe how—
MARIA VARMAZIS. Oh, a lot of spilt milk.
CAROLE THERIAULT. But people seem to use it most like for gymnastics or for music lip-syncing or for comedy, like little jokes. Uh, you can use different voices and kids absolutely love it. CNET announced TikTok to be the 7th most downloaded mobile app of the last decade. Okay, that's huge. Decade, right? And in 2019, it has more than a billion monthly users. So it's a pretty big mover and shaker in the world of social networks, right? And teens are hooked. The daily average interaction time is something like 50 minutes or something. That must be up with Facebook. 50?
GRAHAM CLULEY. 5-0?
CAROLE THERIAULT. Yeah, 50 minutes a day.
GRAHAM CLULEY. The amount of time people are spending slagging off the idea of going to see the Cats movie, which is about 90 minutes, and saying it's the worst thing that's ever happened in their life, but they're spending 50 minutes every day on TikTok watching these dumb little videos.
MARIA VARMAZIS. Well, 50 minutes of 30-second videos. That's a lot of videos.
GRAHAM CLULEY. Well, unless you're watching it, unless it's so entertaining, you just watch it over and over and over again. But yeah.
CAROLE THERIAULT. Now TikTok is owned by ByteDance. This is a Chinese headquartered firm in Beijing. Okay. And that's one of the big question marks around that. So put that in your back pocket. ByteDance is what is known as a unicorn startup company. So a unicorn is basically a billion dollar privately held startup, and ByteDance is number 2 on the world list with a $78 billion valuation. And the guys that— founder Zhang, his personal wealth is said to be $13 billion. So all this to say, tons of money. And you're probably thinking right now, okay, Chinese app, all Chinese users. No, TikTok is not available in China at all.
GRAHAM CLULEY. Oh really?
CAROLE THERIAULT. What ByteDance did is they created a sister company or sister app called Douyin. And Douyin operates in China and is designed to comply with Chinese restrictions. So they have two apps, one for the outside world and one for inter— inside China.
MARIA VARMAZIS. I was gonna say, wasn't the Chinese version the original one? And then they— yes, yeah, they— that came first.
CAROLE THERIAULT. Uh, so yeah, it came out, I think that was in 2012 that came out.
MARIA VARMAZIS. Yeah, I remember seeing those videos before TikTok was a thing.
CAROLE THERIAULT. And yeah, so okay, so there we have an idea of what TikTok is. Kids love it, it allows you to do videos and they share them all over. So what's the controversy going on here? So in 2019, in January 2019, this American think tank called the Peterson Institute for International Economics described TikTok as a Huawei-sized problem that posed a national security threat to the West. And it noted the app's popularity with Western users, including armed forces personnel, and raised concerns over the app's data-hoovering ability. Chinese, because the app was owned by Chinese parent unicorn ByteDance. The problem, according to the investigation, is that China's internet security law makes it impossible for ByteDance not to share the data with the Chinese government. And that seems to be where the problem is.
GRAHAM CLULEY. And the fear isn't that these videos are gonna be shared with the Chinese government, I imagine. I, I've just been looking at a few of them and they're, they all seem pretty inane, but But that there might be other information they're gathering from people's phones, such as their location.
CAROLE THERIAULT. Exactly. All that stuff is in there. Exactly. So whether or not ByteDance has the best interest of its users at heart, the argument here is once the information is beyond the Great Firewall, quote unquote, there's no telling what will happen to it. So recently we have US members of Congress, they've raised concerns about data collection and Chinese ownership and sent a letter to this effect to the US intelligence officials saying like, what, you know, WTF TikTok? And TikTok responded to this with a short unsigned statement on its website effectively saying that the data centers were not located in China and none of our data is subject to Chinese law, which is a pretty bold and sweeping statement for a company worth $78 billion and is in 75 different languages across the entire world. I'm not sure how they can say that, but it was unsigned, so it's basically like a webpage. They've also been fined by the federal FTC. They've been fined almost $6 million for collecting information from minors under the age of 13 in violation of the Children's Online Privacy Protection Act. And ByteDance then responded by creating a kids-only mode of TikTok, which blocks the upload of videos. So just imagine, imagine your, your, your son, right? Say like he used TikTok and it was great, and suddenly TikTok said, oh, okay, we're gonna make a place just for kids. So you say, here, use this one instead. So he can't upload any videos, but he can view other people's videos, presumably. Yeah, he can't build a user profile, he can't do any direct messaging, and can't comment on any other videos, but he can view and can record content, just can't upload it. I'm not sure how many kids would be happy with that, really, right? I'm not sure. Now, um, Indonesia and India also independently banned the app for having too much porn and blasphemy, all while being really popular with younger people. But both countries reinstated it after TikTok made a few changes. Right. But they say that the India ban, which lasted about a month, probably cost TikTok 15 million new users.
MARIA VARMAZIS. They'll get them back. They'll get them back.
GRAHAM CLULEY. You didn't say before there was porn and blasphemy out there. Now I can see why people might want to install it. Because up to now I've been thinking, why would anyone want this app?
CAROLE THERIAULT. So there's a problem of whether it's safe for kids, that people are using this for nefarious purposes. And that means, you know, if you're trying to protect your child from seeing certain, you know, unwanted content, TikTok might not be a great platform for that. But there's also a censorship debate going on about it. The Washington Post reported that there was barely a hint of the Hong Kong unrest in sight on TikTok when you search with the city's tags, which was completely unusual. The Guardian reported last year that it saw leaked documents that showed TikTok was instructing its moderators to censor videos that mentioned Tiananmen Square, Tibetan independence, and the banned religious group Falun Gong. Now, ByteDance responded to this saying, oh no, no, no, no, no, those documents were created really in the early days of TikTok and we don't even use them anymore. They were under investigation in the UK for how it handles personal data of its younger users and whether it prioritizes the safety of children. And just last week, Merseyside Police in the UK published a list of 15 apps to watch out for, especially if you're giving smartphones to your kids for the holidays, for Christmas.
GRAHAM CLULEY. All right.
CAROLE THERIAULT. And they were saying these apps are known, uh, for child bullying and grooming, right? And the apps included WhatsApp, TikTok, and Hot or Not. Hot or Not, do you remember that?
MARIA VARMAZIS. Still a thing?
GRAHAM CLULEY. Yeah, still a thing, is it?
CAROLE THERIAULT. Oh my God, it's like, why do kids love it? I mean, just from you guys looking at it, why do you think kids are just like hoovering this up like popcorn?
GRAHAM CLULEY. I just think I'm very, very old. I, all the time you've been talking, I've been scrolling up and down and trying to find anything which it's, it's just wallpaper really. It's just people sort of jiggling around to a bit of music.
CAROLE THERIAULT. Do you think it's because a few people have gotten very famous off this, right? Like there's a 0.0001% chance that you might make it big, you know, some musicians have made it big.
GRAHAM CLULEY. Well, I suppose it's possible to get lots of followers like it is on Instagram. So if you had a talent for making short little TikToks videos, they might trend and you might get more followers. And I suppose then you become an influencer and then you might have some big brands wanting you to promote their product on TikTok. I don't know if that sort of thing happens or not, but it certainly does on Instagram, doesn't it?
MARIA VARMAZIS. Yeah.
GRAHAM CLULEY. But it, but it's, um, it, it is astonishing how much some of these videos have been watched because it's just like—
CAROLE THERIAULT. we should quit the podcast and start doing TikToks. Is that what you're saying?
GRAHAM CLULEY. Well, I'm wondering, do we need a Smashing Security TikTok account?
MARIA VARMAZIS. Oh no, I thought we said no video. I have to put on pants if we do that.
GRAHAM CLULEY. There's a reason why we say no video. Yes.
CAROLE THERIAULT. You know that pants means underwear.
MARIA VARMAZIS. I do. I left that just to let people wonder which one I meant.
GRAHAM CLULEY. It's smutty.
MARIA VARMAZIS. Oh yes, I know.
CAROLE THERIAULT. Hey, Graham.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. There are people out there with companies a little bit bigger than ours. And one of the issues that they face is visibility. Visibility and oversight. And when it comes to cybersecurity, that is super important. So listeners, listen up. If you do not have a password manager in your organization, please check out LastPass Enterprise. They offer centralized admin oversight and control, shared access, and automated user management. All this stuff makes your life easier. Plus, you can even use LastPass's single sign-on to protect all your cloud apps and give seamless access to employees. Check it out at lastpass.com/smashing. Let me try that again, folks. Check it out at lastpass.com/smashing. Perfect.
GRAHAM CLULEY. Do you want to make it more conversational? I don't know.
CAROLE THERIAULT. I think it sounded great.
MARIA VARMAZIS. And welcome back.
GRAHAM CLULEY. And you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
MARIA VARMAZIS. Week of the Pick.
CAROLE THERIAULT. Hey.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone choose something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. Well, my Pick of the Week this week is not security related. I have taken the opportunity to watch some television.
CAROLE THERIAULT. That's the way to spend the family holiday.
GRAHAM CLULEY. Well, yes, it is.
CAROLE THERIAULT. I know, I know.
GRAHAM CLULEY. It's an old Cluley tradition of sitting around the TV. And we went into BBC iPlayer, although I believe this show is also being made available on Netflix internationally. But it was on the BBC for me. And it's from the makers of Sherlock, Steven Gatiss— no, Steven Moffat and Mark Gatiss. Get the names right, Graham. Who worked on Sherlock, of course. They have now produced Dracula.
CAROLE THERIAULT. Oh, really?
GRAHAM CLULEY. And I have to say, I rather enjoyed it.
CAROLE THERIAULT. Is it edgy, or is it kind of true to form?
GRAHAM CLULEY. As with everything Steven Moffat-ish, as people who've watched Doctor Who under his— or Sherlock or something like that, you will know that he sometimes twists things a little bit, but this is set in the past. Now I have to admit, right, I have to— okay. Look, hands up. I've only watched one episode.
MARIA VARMAZIS. Oh, how dare you?
GRAHAM CLULEY. They're an hour and a half each. There are 3 episodes. I haven't had a chance. I had to do my VAT return.
CAROLE THERIAULT. Uh, but that's like someone who reads like the first 50 pages of a book and then heartily recommends it. And then it turns out the end doesn't even work.
GRAHAM CLULEY. Hush, hush, hush, hush, hush. After one episode, I can tell you it's brilliant. It's funny. It's dark. It's quite grisly in places, but it is laugh out loud funny. There is the funniest nun you have ever seen in your life, who's very entertaining. Um, and it's—
MARIA VARMAZIS. Chaucerian even.
GRAHAM CLULEY. It's, uh, and it's, it's most amusing. And if you become obsessed with Dracula, as I think you will be once you check it out, then you may want to check out a podcast on BBC Sounds called Obsessed with Dracula.
CAROLE THERIAULT. Oh, and have you, have you listened to that? Or you've not bothered because you're too busy with your bat routine?
GRAHAM CLULEY. Well, I've listened to the first one because it's about the first episode. So they have a podcast for each episode and where Gatiss and Moffat appear and talk about the show. And I'd heartily recommend that as well because it's most entertaining. Now my brother has seen all 3 episodes. Now he's a bit of an Eeyore. He does listen to Smashing Security.
CAROLE THERIAULT. He's a bit of an Eeyore?
GRAHAM CLULEY. Yeah, he's a bit of an Eeyore. Not like me. Not me.
MARIA VARMAZIS. You're a poo. A giant poo? No.
GRAHAM CLULEY. Silly. Now he told me that the last episode, he said the first two episodes he said are brilliant and the second one he kind of goes, it's a bit rubbish.
MARIA VARMAZIS. It's like Game of Thrones all over again.
GRAHAM CLULEY. And he said the finale, he said the ending was a bit of a disappointment. Now that could have been my brother. My brother could be talking nonsense here.
CAROLE THERIAULT. Yeah, great pick of the week.
GRAHAM CLULEY. So, but I can heartily recommend episode one at the very least.
CAROLE THERIAULT. You hadn't done an episode of Smashing Security in two weeks and you couldn't find the time to watch three episodes?
GRAHAM CLULEY. No, listen, I also—
CAROLE THERIAULT. It's Vanja's turn. They don't take that long, seriously.
GRAHAM CLULEY. I think you'd enjoy it. Hour and a half. It's pretty good, Kryll, right? So, Dracula. Mwahahaha. The Count. What a shame Vanja Švajcer isn't here to do the voice. Maria, what's your pick of the week?
MARIA VARMAZIS. My pick of the week is something that I have actually watched in its entirety.
CAROLE THERIAULT. Thank you very much, Maria.
MARIA VARMAZIS. Yes. I don't recommend things unless I've at least watched the whole thing, unlike other people. So mine is also available on Netflix, hopefully globally, and it is The Witcher.
CAROLE THERIAULT. Ooh, I've heard about this.
MARIA VARMAZIS. Is it good?
CAROLE THERIAULT. Is it good?
MARIA VARMAZIS. So it's many people who are into video gaming may be familiar with the video game of the same name.
GRAHAM CLULEY. Yes, it was a video game.
MARIA VARMAZIS. It's 3 video games actually. I have never played The Witcher video games, although my spouse has. And you don't need to know the video games to enjoy this series. So I just wanted to put this out there because you— this entire series on Netflix is based on the books that also the video games are based off of. So it goes back to the source material. I found it to be a really fun watch. I thought the first few episodes were a little like, I like it, but I'm not really sure if I'm going to keep watching. But I was hooked by the end.
GRAHAM CLULEY. So what's the premise of the show?
MARIA VARMAZIS. The premise? You're in a sort of medieval-ish type world, sort of Game of Thrones-y fantasy type place. You know, there's supernatural beings and there's this dude called the Witcher who basically kills them for a fee. And then there's all sorts of other folks and intrigue as kingdoms rise and fall. And I don't wanna give away too much because a lot of people go, it's like Game of Thrones, except I've never seen Game of Thrones because I heard the ending was crap, so I didn't bother. So, but it's right now the Netflix series is 8 episodes. I think each episode is about an hour long. Uh, I actually watched it all in one weekend. I couldn't stop watching it.
GRAHAM CLULEY. Oh really?
MARIA VARMAZIS. Yeah. And, uh, I, I wanna say that there's some amazing women characters in this show, girls and women, and, uh, they're all very different. Some of them might make you go, wait, I don't like this character at all and I really hate her story. Keep, keep with it. There's this, there's this one character that made me go, oh, I really don't like that. It's very regressive. But I stayed with it and I'm glad I did. And there's definitely going to be more of it. I think they're going to do a season 2, which is great. And the best part of the show is the memes that have come out of it, including the song "Toss a Coin to Your Witcher." So you definitely need to watch the show so you can get the memes because there's about a million covers of that song now. The song gets stuck in your head. It's very, very catchy.
GRAHAM CLULEY. This is where he sings about his lute or something, isn't it? Which I think isn't a euphemism.
MARIA VARMAZIS. Maybe.
GRAHAM CLULEY. But all I've done is I've watched the trailer. The Witcher, and it does look very Game of Thrones-y. The main character, he looks a bit like Legolas, you know.
MARIA VARMAZIS. Yeah, he does.
GRAHAM CLULEY. Crossbred with Mikko Hyppönen. Yes, it's obviously quite a violent show. It is like Game of Thrones. It seems there's— there's— would it be fair to say there's some gratuitous nudity?
MARIA VARMAZIS. Only female.
CAROLE THERIAULT. Oh, well, yay! Hashtag for that.
GRAHAM CLULEY. Okay, suddenly I'm interested.
MARIA VARMAZIS. Yeah, I was a little sore about that. I'm like, we don't see a single male butt at all in the show, but I saw a lot of boobs. Are you into butts? No, but it's equal opportunity. I'm gonna see a lot of female frontal nudity. I better see some men nudity, and there was not, and I get a little angry about that.
CAROLE THERIAULT. I agree, actually.
MARIA VARMAZIS. So that's my bone to pick with The Witcher. However, there's a second season coming out.
CAROLE THERIAULT. Get more dicks out there.
GRAHAM CLULEY. Your bone is the lack of bone in The Witcher.
MARIA VARMAZIS. Correct, correct. But I will say there's a bit of a gimmick they do with the storytelling. That you're not going to recognize until you're a few episodes in, and then you're going to start picking up on it. It's either— you're either going to love it or hate it, and I'm just going to drop it there.
CAROLE THERIAULT. Okay. I love a little bit of intrigue.
GRAHAM CLULEY. Crumbs. All mysteries. Kroll, what's your pick of the week?
CAROLE THERIAULT. Okay. My pick of the week. Last night I saw Ricky Gervais' Golden Globe welcome address for the 77th Global Awards or something.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. Oh my. God, it was quite—
GRAHAM CLULEY. it was shocking.
CAROLE THERIAULT. Epically shocking, I thought, and beautifully so. But epically, because he basically went up there and stirred everything up as he normally does, but it's almost in a Trumpian move of, I don't care, I'm gonna say what I want. Except he isn't a president but a comedian, so it kind of makes it more okay in my view, right?
MARIA VARMAZIS. He's been doing that since— that's his thing. I mean, that is his thing.
CAROLE THERIAULT. Yes, but you know, like, even someone who's very scathing, they can become even more scathing. And I don't think I've seen him be this scathing before.
GRAHAM CLULEY. Really?
CAROLE THERIAULT. I mean, I don't know, I, you know, I've seen— not all this stuff, but a lot of it. It's— and, you know, the premise was basically this is his fifth and final year and he's gonna let loose because he just doesn't care anymore. Okay, so just a few choice quotes here, right? So one of them was he's talking to the audience, right, and saying like, if anyone— if any of you win a Golden Globe—
GRAHAM CLULEY. can you do the voice? Can you do this?
MARIA VARMAZIS. No, no, I want to hear the voice.
CAROLE THERIAULT. Nobody says— so if you do win an award tonight, don't use it as a political platform to make a political speech. You are in no position to lecture the public about anything. You know nothing about the real world. Most of you spent less time in school than Greta Thunberg. So if you win, come up, accept your little award, thank your agent and your God, and fuck off. Okay? So cute.
MARIA VARMAZIS. Fair.
CAROLE THERIAULT. He punched in with a nod to last year's college admissions scandal, saying he came here in a limo tonight and the license plate was made by Felicity Huffman. Okay, cheap shot. Um, and Epstein came up. And when Gervais took aim at Quentin Tarantino's, uh, Once Upon a Time in Hollywood, he said Leonardo DiCaprio attended the premiere and by the end his date was too old for him. Even Prince Andrew was like, come on, mate.
MARIA VARMAZIS. Wow, nice.
CAROLE THERIAULT. All right, but the killer, the killer for me was his portrayal of Dame Judi Dench. Oh, as a cat, I don't know if I can. I don't think I can do it.
MARIA VARMAZIS. I don't know if I can hear it.
CAROLE THERIAULT. Okay, it's a— I'm gonna say he, he's talking about Cats, the movie, and, and talks about her, a cat licking, and I can't. Okay, I just can't. I just can't. It's just too bloody far.
GRAHAM CLULEY. No. Have, have either of you seen Cats?
MARIA VARMAZIS. No, no, but I heard you're supposed to get really high and then go see it, like high out of your brains. That's what I keep hearing.
GRAHAM CLULEY. I've got no interest in Andrew Lloyd Webber musicals at all or anything like that, but the bad reviews are almost tempting me to go along and see it. I wonder if it falls into the category of so bad it's good.
MARIA VARMAZIS. No.
CAROLE THERIAULT. All you have to do is the equivalent, is just have a few cans of Coke, you know, full fat, full caffeine Coke, and go in there and you'll have a time of your life.
GRAHAM CLULEY. Crazy night.
MARIA VARMAZIS. Yeah.
CAROLE THERIAULT. Basically, if you want to cringe and die inside, but also enjoy a shocked guffaw, watch Gervais, the God of Comedy's Golden Globe tap dance.
GRAHAM CLULEY. All right. Well, on that bombshell, I think it's just— we've just about wrapped it up, haven't we? Maria, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
MARIA VARMAZIS. Follow me on Twitter. I am still there. Holding on by fingernail. Yeah, I don't use it much anymore, but I'm still there. @mvarmazis is my Twitter handle. And if you're on infosec.exchange via Mastodon, I'm @maria but I also don't use it much either. Just find me on this podcast. That's basically where I live.
GRAHAM CLULEY. Just find me on the Amazon Ring. Yes, my neighbor's Amazon Ring.
MARIA VARMAZIS. My neighbor's Amazon Ring. Yes, exactly. Me picking my nose.
GRAHAM CLULEY. And you can follow us on Twitter @SmashInSecurity, no G, Twitter doesn't allow us to have a G. And you can also join the discussion on Reddit. We've got a Smashing Security subreddit up there.
CAROLE THERIAULT. A huge thank you for listening this week and every week. For supporting us on Patreon and giving us a few kickin' reviews. And once again, thanks to this week's Smashing Security sponsor, LastPass. Its support helps us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details, and info on how to get in touch with us.
GRAHAM CLULEY. Until next time, cheerio, bye-bye.
MARIA VARMAZIS. Bye!
GRAHAM CLULEY. Bye!
CAROLE THERIAULT. Ah, guys, first one of 2020. How do you feel?
GRAHAM CLULEY. Tired. It's a bit of a marathon, isn't it, doing these?
CAROLE THERIAULT. What, doing work after such a long break?
GRAHAM CLULEY. Yeah, exactly. I've just been sitting around like Judi Dench licking—
MARIA VARMAZIS. Did you?