This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
JOHN HAWES
How are you going to listen to Smashing Security podcast while you're in the secure room?
GRAHAM CLULEY
Right.
JOHN HAWES
No, no, no.
GRAHAM CLULEY
So I'm not going to say no speakers. My idea, it's ultrasonics, right? Get a chihuahua. Every office needs a chihuahua.
CAROLE THERIAULT
A little Maltese.
GRAHAM CLULEY
Or a lovely Maltese. I love Maltese. I love those.
JOHN HAWES
A Pooberdor.
GRAHAM CLULEY
What's that?
JOHN HAWES
It's the opposite of a Labradoodle.
GRAHAM CLULEY
And it could pick up the high frequencies and go yep, yep, yep, yep, yep, yep.
CAROLE THERIAULT
Pooberdor could be pug and Labrador, actually. That's a poor Labradoodle. Poor pug.
Unknown
Smashing Security, Episode 69: Cryptomining, China, and Bob Ross. With Carole Theriault and Graham Cluley.
GRAHAM CLULEY
Hello, hello, and welcome to another episode of Smashing Security, episode number soixante-neuf. My name is Graham Cluley.
CAROLE THERIAULT
I'm Carole Theriault, or Carole Theriault.
GRAHAM CLULEY
Oh, I see. Oh la la. And we are joined today by Monsieur John Hawes of the Anti-Malware Testing Standards Organization, AMTSO. Hi, John.
JOHN HAWES
Bonjour, bonjour.
GRAHAM CLULEY
So, John, AMTSO, it's not a reviews agency, is it? You're sort of setting standards for tests instead, as I remember.
JOHN HAWES
That's right. Yes. We're trying to guide people who do tests to do it better.
GRAHAM CLULEY
Have you thought about rating and considering reviews instead? Because we've had a couple of bad reviews on iTunes for this podcast in the last week or so. Yeah.
And I really would like an independent organization like yourself to take a look at them and give us your feedback. Are they fair? That kind of thing. How does that sound to you?
JOHN HAWES
Are reviews supposed to be fair? Isn't the point of them that it's people just venting?
CAROLE THERIAULT
Well, I don't know. You're the one who's testing reviewers.
GRAHAM CLULEY
Carole, would you like to start off by reading out the first bad review that Smashing Security has had, at least this week?
JOHN HAWES
Oh, not ever.
GRAHAM CLULEY
No, not ever.
JOHN HAWES
Okay.
CAROLE THERIAULT
Okay. So it's entitled 'Could Have Been Good' by Vrai Chevalier from the United States, or 'Real Horse' as a translation.
GRAHAM CLULEY
Do you think that's Maurice's brother or something?
JOHN HAWES
Brother Vrai.
CAROLE THERIAULT
Vrai's quite a nice name, actually. Now it says, this could have been a good tech podcast, but the bigotry spoils it. I cannot and will not abide bigotry. Such a shame.
So he seems bigoted against bigotry, but I don't know what bigotry he's referring to.
JOHN HAWES
Bigoted against bigotry. You've been spreading so much bigotry you can't pick out what he's—
CAROLE THERIAULT
No. Yeah. Last week Graham talked about aliens and put a lot of blame on them. And so maybe he's an alien enthusiast and thinks that's unfair.
JOHN HAWES
He's being speciesist.
GRAHAM CLULEY
Don't forget our special guest last week, James Thompson. He had a bit of a go at cyclists, or was it drivers? I wasn't quite clear. He was having a go at everyone.
So it might have been a few people. I mean, it's possible. I mean, a few episodes ago, you spoke about gun control. It can't have been that though.
I mean, everyone's sort of sensible about that, aren't they?
JOHN HAWES
Well, it starts off pretty reasonable when they say could be good. I mean, there's not much wrong with that, I guess. Yeah, the use of the term bigot seems a little unnecessary.
I mean, from what it sounds like, all you've been doing is venting strong opinions. Surely that's what podcasts are for.
If you listen to a podcast and then you're shocked that there's strong opinions on it, then maybe you should be listening to something different.
GRAHAM CLULEY
Thank you. Now there's one other review which came in this week which was a little bit negative with one star, and that was from someone in the United States.
Again, it seems to be United States. His username is Not a Bonehead Like You. I don't mean you, John. I think that's just sort of generic you. Subject title: Worst Podcast in History.
Wow.
CAROLE THERIAULT
I think that's quite an award.
GRAHAM CLULEY
Quite an accolade, I would like to say. We want to be award-winning for. And it says, you can tell listening to these morons that they just don't get it.
I think it's it as in it rather than IT, because it's not capitalised.
CAROLE THERIAULT
He must be talking about the guests.
GRAHAM CLULEY
John, if you were to sort of finger your nautical beard and muse about this, where do you think this chap's coming from?
JOHN HAWES
Well, he's not really going into a lot of detail. Also, I'd be concerned that Worst Podcast in History is actually somebody's trademark.
There's probably a board scheme that's giving that out that he's using.
GRAHAM CLULEY
A bit like the raspberries. I think what we'd like is obviously we accept that not everyone's going to love our podcast and that's fine, right?
CAROLE THERIAULT
That's totally fine.
GRAHAM CLULEY
Totally fine. We'd be upset if we had a bland podcast that people didn't hate.
CAROLE THERIAULT
Expect them just not to listen anymore. But if they feel the need to tell us this way.
GRAHAM CLULEY
We need more detail in our bad reviews. Specifically, who are you upset with? Which of the hosts? Carole, for instance, is one of the hosts. Wow. And wow. All the guests.
For instance, John, no pressure, but people will be judging you on your performance today. Get into detail.
Maybe give us a timestamp of what in particular upset you, and then we can fix it in the future.
CAROLE THERIAULT
I really would prefer them not to do that to me.
JOHN HAWES
But you have to improve. And just saying really bad, 1 star doesn't really help you very much.
CAROLE THERIAULT
No, I know.
JOHN HAWES
You need specifics.
GRAHAM CLULEY
I agree.
CAROLE THERIAULT
I would like specifics very much.
GRAHAM CLULEY
Because if we don't keep getting good reviews, we're not going to be able to get decent sponsors, are we?
JOHN HAWES
Segue. Smooth, smooth.
CAROLE THERIAULT
This episode of Smashing Security is sponsored by LastPass. LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size with the right tools to secure your business with centralized control of employee passwords and applications.
But LastPass isn't just for enterprises. It's an equally great solution for business teams, families, and single users.
Go to smashingsecurity.com/lastpass smashingsecurity.com/lastpass to see why LastPass is the trusted enterprise password manager of over 33,000 businesses.
GRAHAM CLULEY
So guys, I want to ask you this week a very important question. How do you feel about paying a subscription for the software you run on your computer?
CAROLE THERIAULT
Perfectly fine with that. I mean, I preferred, I obviously preferred the old model of buying software once and for all and it's yours.
But, you know, there are advantages to subscription models. Obviously things can be kept up to date, vulnerabilities are addressed very quickly.
GRAHAM CLULEY
A lot of software does seem to be moving that way. Of course, Microsoft Office is moving that way.
You know, you can pay a monthly fee to get the new features as they're developed and you don't have to pay a huge amount if a major new version comes out.
And of course it helps support developers as well. It means, rather than you just having paid them in 2005, they're continuing to get support from you.
So I actually think it's reasonable to do as long as the fee isn't too big.
Not everyone loves them though, which is understandable because people are so used now to 99 cents apps on your phone.
JOHN HAWES
Or free.
GRAHAM CLULEY
Or free even, right? Apps maybe which are advertising supported or just, you should just do this for free because you should just do this for free.
And that's why a developer called Qbix has made a change in its calendar app, a rather popular Mac calendar app imaginatively called Calendar 2.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
There is a calendar app.
CAROLE THERIAULT
I've not heard of this app.
GRAHAM CLULEY
You've probably heard of Calendar, which comes shipped with macOS. But this is Calendar 2 because it's better.
You know, a bit like, I don't know, Back to the Future 2 or something like that. And it recently shipped a new version of software with a new feature.
Rather than paying a flat fee of $17.99 or your 99 cents per month subscription to gain access to all of the app's advanced features, you can all get those advanced features for free.
Yes, for free. Hooray!
CAROLE THERIAULT
For free with no strings attached.
GRAHAM CLULEY
There's not one string. Not one string attached. Not one single— no, absolutely none, John. Absolutely none. There's no way that you can— well, there is one little thing. Okay.
CAROLE THERIAULT
Just one little tiny thing.
GRAHAM CLULEY
One little tiny, tiny, tiny, weeny weeny, whiny whiny thing.
And what it does is it says, look, if you want all of our advanced features for free rather than paying up, you can choose this, which is to unobtrusively generate cryptocurrency in the background.
CAROLE THERIAULT
Another one. You've covered this recently as well.
GRAHAM CLULEY
Well, crypto mining has really become the fad du jour, hasn't it? Which is French, I believe.
JOHN HAWES
Cryptojacking as well.
GRAHAM CLULEY
Cryptojacking. I think I found it. Jacques.
CAROLE THERIAULT
John.
GRAHAM CLULEY
So everyone knows the iPhone App Store, right? It's a walled garden, Apple controls, only vetted apps are allowed inside and it's— they're control freaks at Apple.
And it's one of the ways in which Apple has managed to keep malicious attackers off iPhones and iPads. And mostly it's worked really well.
Basically developers have to jump through lots of hoops to get their smartphones vetted and out there for the audience.
CAROLE THERIAULT
And approved. Yeah, exactly.
GRAHAM CLULEY
If you don't have an Apple Mac, however, a desktop computer like a Windows PC, but better because it's running Apple Mac, you get something very similar, which is called the Mac App Store, where you can choose to get your apps from.
It's really super because it automatically updates. It's one-click install. It's easy. It's one place.
And the idea is that Apple has vetted it and it will lead you to believe that it is safer as a result.
CAROLE THERIAULT
Honestly, that would be my assumption.
GRAHAM CLULEY
Well, you would like to think so.
CAROLE THERIAULT
Oh, God. Okay.
GRAHAM CLULEY
So it all depends, of course, on how well Apple polices the Mac App Store. Let's go back to Calendar 2, because Calendar 2 is cryptomining you, right? Or asking for tokens.
JOHN HAWES
Well, does it specifically say that it's going to do that, or does it do it quietly in the background?
GRAHAM CLULEY
It does tell you that it's going to do it. But there's a couple of things here. First of all, is Apple allowing apps that are open and public about crypto mining into the App Store?
You know, what is their official policy on that? Are they — if that's all right with them, then it'd be good to know that, right? Or did Apple miss this app?
Because in this particular case, it tells you it's going to do it. It gives you the option to say no, thank you. But according to some of the users, it did it anyway.
There is a guy called Fred Laxton who installed the app and insists he did not choose to do the crypto mining, to opt into that.
CAROLE THERIAULT
Right.
GRAHAM CLULEY
And as a consequence, it was mining the Monero cryptocurrency without his permission and raised his CPU to 200%.
The app has been pulled from the App Store, but not before security researcher Patrick Wardle managed to grab a screenshot of some of the bad reviews it was getting in the App Store.
So JFM25090 said, I was pleased with this app till it started doing weird things. Kept on popping up alerts over and over again. I kept on hitting ignore report.
It just kept on popping up. And an app should not be allowed to make a sudden change to your settings and turn into crypto money machines.
I immediately reviewed it and came to write a review and I never write reviews.
CAROLE THERIAULT
Right.
GRAHAM CLULEY
Some advice for — That's another 1-star review. It was, it was.
CAROLE THERIAULT
So this does suggest that it may have bypassed and filtered through the safety net, doesn't it?
Because this kind of behavior is not something that you see very often in the Apple Store apps.
GRAHAM CLULEY
As far as I know, this may be the first time that this particular thing has happened. Big M37, whatever that is, he says, this shady practice is not acceptable.
I don't know how this app passed Apple's quality inspection. So not ideal by any means.
CAROLE THERIAULT
But the app's been pulled now.
GRAHAM CLULEY
Yes.
JOHN HAWES
But it also depends a lot on whether Apple permits that kind of thing and how upfront it was about it.
'Cause it seems to me like a pretty reasonable way of making money out of software.
If you're trying to defeat this horrible thing we've got into where everybody wants everything to be free, you know, there's a lot of worse choices you could make.
You know, you could be bundling all kinds of crapware with your software that you're trying to monetize.
You could be hijacking people's search settings to point them to somewhere else to make a few pennies. But this one seems reasonable.
GRAHAM CLULEY
We've all seen examples of that kind of abuse going on in the past and the problems that that can cause. I completely agree. So what we need to know is what's Apple's policy?
I'm presuming they have a policy of saying, well, you can do this if you're upfront about it.
How come they didn't spot that it actually did it even when people thought they hadn't enabled that feature? 'Cause it does appear there's a bug.
The developer Qbix has blamed the problem on a perfect storm of bugs that didn't work as planned.
CAROLE THERIAULT
I wonder if Apple would be able to limit the amount of processing power it would provide should it decide that crypto mining is a viable solution for apps, providing that they're upfront and clear about it.
GRAHAM CLULEY
But you mean actually in the operating system to say, oh, that app is using too much?
CAROLE THERIAULT
Yeah, or they'd have to set limits for the app itself.
JOHN HAWES
I don't think that should be too difficult.
GRAHAM CLULEY
Yeah, but there may be a danger, you know, why should Chrome be allowed to use so much of my computer's resources? That's a real hog, or something like Final Cut Pro or Logic.
You know, there are some apps which do use a huge amount of resources perfectly legitimately.
Like you, John, I think maybe crypto mining is okay if it's public and if it's definitely agreed to. The problem is that there were bugs.
Qbix told Ars Technica it's supposed to have only used between 10% and 20% of a Mac's computing power, depending on whether it was plugged in or not.
But it actually used much larger amounts and they were using third-party crypto mining code, which they hadn't viewed. They didn't know about service chains.
And so they didn't really have visibility on exactly how it was going to work. And it seems that it was doing too much. So they've ripped out the app for now.
They're going to put out a new version, which doesn't include it, but I suppose our message to Mac users and other computer users out there about their apps is take heed and developers, make sure you don't ship buggy crypto mining code.
CAROLE THERIAULT
Well, yeah.
GRAHAM CLULEY
Mm-hmm.
JOHN HAWES
Well, it's always difficult if you're building an app and you want to find a way of monetizing it, you're going to go to somewhere else and just get some stuff to slap in there, whether it's advertising or some crypto mining like this.
GRAHAM CLULEY
Well, you probably are, aren't you? You're not gonna write, you're not gonna roll it yourself 'cause the chances are you're gonna make even bigger blunders if you do that.
CAROLE THERIAULT
So what you're saying in this is it's a supply chain issue and they're saying it's a perfect storm. They don't know how it happened.
Apple are saying, God, I don't know how we missed it. Our big question is Apple, are you gonna be allowing this in your apps or not?
GRAHAM CLULEY
Exactly. And I think they are the ones who've really failed here. Apple promises a vetted App Store.
It's unclear what its rules are regarding this and it allowed this app to go through, which has upset its users. Okay, okay, calm down.
Well, only because the press and others, you know, caused it because— all right, look, hey, Carole, if this app has got many thousands of users, right, what would happen if it was an app which was being used by millions and millions of people?
If this kind of thing can leak through, what other malicious activity could potentially leak through? That's what we need to worry about. You're just a bleeding heart, aren't you?
JOHN HAWES
But it's not really malicious. I mean, all it's doing is using more resources than it was supposed to.
CAROLE THERIAULT
Oh, really? And rendering your machine basically useless because of all the processing power it's using.
GRAHAM CLULEY
John, if I'm using my computer to also act as my iron lung, keeping me alive, and suddenly my calendar software is using up all of its resources, I find that pretty malicious.
JOHN HAWES
I would recommend if your computer is that important, then pay real money for your software.
CAROLE THERIAULT
Yeah, pay for your apps.
GRAHAM CLULEY
John, what's your story for us this week?
JOHN HAWES
So I wanted to talk a little bit about the MOSQUITO attack, which has been getting a lot of headlines the last week or so. It's basically yet another way to defeat air gapping.
So for those who aren't down with the terminology, air gapping is a pretty common thing in keeping computers secure.
It's basically a step up from firewalling if you want to keep your machine safe, but you need it to be connected to the internet, you use a firewall.
If you want it to be really safe and you're not too worried about it being connected to the internet, then you have it air-gapped, which basically means unplugged.
It's not connected to any network.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
I mean, that's probably the safest machine. That's what I've always thought. The safest machine you can have is one that's completely disconnected, standalone.
GRAHAM CLULEY
Air-gapping is pretty good, but if you really want to make it secure, then you also unplug it from the electricity.
JOHN HAWES
Smash it up with a big hammer.
CAROLE THERIAULT
Put a plant on it and done.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
Yeah.
JOHN HAWES
Right. Yeah.
GRAHAM CLULEY
Lovely.
JOHN HAWES
But yeah, I mean, it's a concept that's used fairly as standard. I mean, I've worked in air-gapped environments.
It's something you use when you, if you have like a production room where you're making your software and you make sure that only stuff that you absolutely trust goes into that room, you would maybe burn it to a CD and you scan the CD before you put it in any of the machines in the air-gapped room.
CAROLE THERIAULT
Yep. And everything's vetted.
JOHN HAWES
Totally. Yes. And exactly.
And obviously in TV and movie shows, you often see that the bad guys will send a USB to the cops and the cops will plug it into their computer to see the secret files that have been stolen.
And then they say, oh no, we've infected the entire FBI network. And then obviously in real life, they would do that on an air-gapped machine.
They would just take it to a safe machine that wasn't connected to their network and have a look at whatever mysterious stuff they had to be sure it was safe.
GRAHAM CLULEY
Or another great way to illustrate an air-gapped computer, which probably many people would understand is— remember that bit in Mission: Impossible when Tom Cruise comes down on the wires, right?
And Jean Reno is up there with the rope, isn't he? And he's beginning to sweat and all the rest of it. And he sees a rat. Oh, I hate rats, he goes.
And Tom Cruise swoops down and all— it's terribly exciting.
JOHN HAWES
The reason he had to do that was that the room was air-gapped. If it wasn't, he could just hack in from anywhere in the world.
GRAHAM CLULEY
So you're saying you're going to tell me that this MOSQUITO attack is a way of not needing Tom Cruise to come down the ventilation shaft.
JOHN HAWES
Well, actually, no. Oh, yeah, it kind of, I mean, it sounds like that. So basically there's a team in Ben-Gurion University in Israel.
They've been working on this stuff for quite a while now. So early attacks against air gaps, at least 5 years old.
CAROLE THERIAULT
Okay.
JOHN HAWES
This is more about getting data out from inside the air gap. And people have shown that you can use sound.
So you could make noises on the air gap side, and then you could detect those noises on the other side and you could use those to send signals between two computers.
GRAHAM CLULEY
John, what kind of noises would people be making on the air gap side?
JOHN HAWES
Well, they'd probably be little tiny beeps or clicks that would be like a binary signal.
GRAHAM CLULEY
Oh, okay. I see.
JOHN HAWES
And they've done it using fan noise. They've done it using blinking LEDs on disk drives or routers. They've even done it using heat signatures.
So making the machine warm up and cool down at predictable rates so that the pattern can be converted into a signature.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
Wow.
JOHN HAWES
Obviously that last one tends to be quite slow. So this most recent one, this MOSQUITO attack.
So this is using ultrasonic so people can't hear it, which is important because obviously if your highly secure machine suddenly starts making weird noises, you'd be a little concerned.
But it also doesn't require a microphone.
So what they've done is basically they've taken speakers and using the computer that those speakers are connected to, reversed the way they work.
So rather than turning electronic signal into sound vibrations, they're taking sound vibrations and turning it back into electronic signal to go into the computer.
CAROLE THERIAULT
Holy moly.
JOHN HAWES
So that's— and then they've set up these two machines.
They've got a cute little video on YouTube with a— they've set up these two computers and they've sent an image of a little panda from one machine to the other, just using the sound coming from the two machines.
Actually, the main thing about this is that it's two-way.
So you have on either side, you're jumping the air gap using these two sets of speakers to communicate between the two machines. Now, there are some problems with this, obviously.
You need to actually be in control of the machine on the air gap network in the first place. So you still need Tom Cruise to abseil down with his USB and stick it in.
Which makes it kind of pointless. But obviously it's not, if you want to grab something off the machine, you can just do it at that point.
But if you want something more long-term, then you can get in, get the infection in place and have it sit there and send messages backwards and forwards.
GRAHAM CLULEY
And in this demo video, they've sent this, right? It is a bit like ASCII art really. It's very low res.
JOHN HAWES
It's pretty basic. Yeah. Well, it's because this kind of sending signals this way is not very efficient. You know, you're not sending millions of bytes per second. You're sending—
GRAHAM CLULEY
No, of course you're not. Yeah. So I've thought of a potential way of securing against this.
CAROLE THERIAULT
No way.
JOHN HAWES
No speakers?
GRAHAM CLULEY
Just while you've been speaking. Well, there's that obviously, but then how are you going to hear when your computer goes, eh, eh?
CAROLE THERIAULT
Always work with heavy metal music playing, blaring.
JOHN HAWES
How are you going to listen to Smashing Security podcast while you're in the secure room? Yes.
GRAHAM CLULEY
Right.
JOHN HAWES
No, no, no.
GRAHAM CLULEY
So I'm not going to say no speakers because we need reviews from people working in air-gapped environments, although I'm not sure how they're posting the internet.
My idea, it's ultrasonics, right? Get a chihuahua. Every office needs a chihuahua.
CAROLE THERIAULT
A Maltese, a little Maltese.
GRAHAM CLULEY
Or a lovely Maltese. I love Maltese. I love those.
JOHN HAWES
A Pooberdor.
CAROLE THERIAULT
What's that?
JOHN HAWES
It's the opposite of a Labradoodle.
GRAHAM CLULEY
And it could pick up the high frequencies and go, yep, yep, yep, yep, yep, yep. Maybe if you got one which knew Morse code as well, it could actually communicate with you.
Say, oh, I've just spotted a panda has been sent or something like that.
CAROLE THERIAULT
Pooberdor could be pug and Labrador, actually.
JOHN HAWES
Just saying.
GRAHAM CLULEY
That's a poor Labrador.
CAROLE THERIAULT
Poor pug.
GRAHAM CLULEY
Carole. What's your story for us this week?
CAROLE THERIAULT
For my story, gentlemen, we are off to China. China's been in the news a lot recently. They have been making a huge effort in terms of cleaning up pollution.
Aside from the fact that China suffers from a lot of polluted waters, ground, and air, it might be spurred on by speculations that they want to be world leader in the electrical car business, which is booming.
GRAHAM CLULEY
All right.
CAROLE THERIAULT
But as we know, not everything is happy, happy, joy, joy in China.
Specifically, China's already strong hold on what its 1.4 billion citizens can access and say does seem to be tightening, both in real life and online.
So let me introduce you guys to the concept of a citizen score, and I wonder what you guys are going to make of it, whether you think something similar might ever happen in less overtly controlled places like Europe or America.
So back in 2014, the State Council of China published a document outlining the construction of a social credit system.
According to Wired, the principal question asked in the doc is this: what if there was a national trust score that rated the kind of citizen you were?
Now, 4 years on, this document is much more than a pipe dream. China's social credit system, quote unquote, is looking to launch in a few years' time, in 2020.
So the gist seems to be this: how you behave on popular social media sites—so what you say, show, and share—will contribute to your social credit score.
In other words, can China authorities monitor so much behavior that they can accurately assign a holistic value to a specific individual?
GRAHAM CLULEY
So they're looking at everything that you do online and they're going to give you a score. They're going to think, oh, very complimentary message they've posted there.
Not so complimentary this.
CAROLE THERIAULT
Or for example, they might be interested in if you're a suspect in a crime, for instance, right? Or not just what you post online.
JOHN HAWES
So it's real world stuff too.
CAROLE THERIAULT
Real world stuff too. Now China has in place this, what we call the Great Firewall. This is designed to control and prevent access to Western news websites.
And sites like Google, Facebook, YouTube, Twitter, these are all really strongly controlled in China. But they have an alternative, the replacement social site called WeChat.
And WeChat is seriously popular. We're talking 902 million daily users, and about 38 billion messages are sent on the platform every day. This is according to The Verge.
GRAHAM CLULEY
So this is like Twitter, but this is the Chinese version.
CAROLE THERIAULT
This is Twitter times 1,000.
So on WeChat, you play games, you book meetings, you make video calls, you pay bills, you access bank accounts, you find out local hangouts, you book doctor appointments, you file police reports, you hail cabs.
You're hearing me, right? You do everything through this site.
And more interestingly, WeChat will soon issue virtual ID cards, which individuals will use in lieu of their physical state-issued ID card.
So this kind of suggests to me that maybe people don't have a lot of choice about using WeChat.
GRAHAM CLULEY
Because of these virtual ID cards, yeah.
CAROLE THERIAULT
Well, not just the ID cards, but it's so convenient to use this one platform to get everything you need done.
GRAHAM CLULEY
I'm sitting here listening to this, Carole, and I can't believe that Smashing Security isn't on WeChat. Why haven't we created an account?
Hey, would they let us have that missing G in our name, which Twitter won't let us have?
JOHN HAWES
They probably need even shorter names.
CAROLE THERIAULT
As I expect, you know, its parent company Tencent scored 0 out of 100 for WeChat's lack of freedom of speech protection and lack of end-to-end encryption in a 2016 Amnesty International report on user privacy.
Probably not allowed. 0 out of 100.
GRAHAM CLULEY
I don't want an account anymore.
CAROLE THERIAULT
And I should say, Tencent do have a contested reputation for being, well, in bed with, you know, the government of China, that they may be sharing a lot more data than perhaps is being said.
GRAHAM CLULEY
I think if you say someone's in bed with the Chinese government, that probably damages your social score as well, Carole. Little bit grubby.
CAROLE THERIAULT
Is it a bit grubby? Well, it is episode 69. Okay, so back to our social credit system.
Now, there are not a lot of details on how this is going to work exactly, but since there's so much information being put on these sites, I think it's fair for us to speculate maybe, right?
So let me give you a few scenarios. So if you were online on a social site, told someone to fuck off, would that mean that you'd lose points? Would that be considered socially rude?
What if you hearted a picture of a political leader?
JOHN HAWES
Well, then you probably lose those points as soon as they go out of power.
CAROLE THERIAULT
Or what if you connected unwittingly with a suspicious individual or a suspect? You may not know that, and it might occur to you.
I don't even know if you would know what your score is. Do you get to watch the score?
GRAHAM CLULEY
Oh, I'm sure you get to check your score. Isn't that a big Black Mirror? Remember?
CAROLE THERIAULT
And you kind of see this number go up and down.
GRAHAM CLULEY
I wonder what would have happened to my score when Piers Morgan blocked me on Twitter.
CAROLE THERIAULT
They would have gone up. Probably. Now, okay, so this is all the WeChat and the social credit system, and we're going to probably find out more as we get closer to their launch.
But tie this announcement with this news that came out today at a border near Beijing.
Chinese authorities are currently testing out the use of smart glasses to identify through facial recognition who's naughty and who's nice.
So these are AI-powered glasses made by LLVision, and they pick up facial features and car registration plates and then match them in real time with databases of suspects, right?
If you want a picture of the future, imagine a boot stamping on your human face forever.
JOHN HAWES
I think that's a little bit harsh.
CAROLE THERIAULT
Do you?
JOHN HAWES
Well, basically, so what China's implementing here is what you were asking for earlier, is a way of rating people who are reviewing you.
A lot of sites have that already. So you can see the reviewers and it says whether they're a regular or they're a newbie or things like that.
And it's basically just an extension of that.
CAROLE THERIAULT
So you're saying you think it's okay the state controls and allocates points based on behavior online and offline?
JOHN HAWES
Yeah, it kind of depends what you get for those points. You know, if at the end of the year your points are nice and high and they say, here's a free sandwich or something.
GRAHAM CLULEY
Oh, free sandwiches. Yeah, that does sound nice, actually.
JOHN HAWES
And if your points are kind of low, they say, oh, please try harder to be nice in your reviews online. Then that's great.
CAROLE THERIAULT
John, you have been in China recently, haven't you?
JOHN HAWES
I have. Yes.
CAROLE THERIAULT
What did you make of everything, of, you know, being able to connect online and everything?
JOHN HAWES
I was actually, I found it much easier than I'd expected, to be honest.
There were obviously quite a few, Google, especially Google, Facebook, big foreign services tend to be blocked on local systems.
But as a foreigner, I had a phone so I could just use my 3G connection to go anywhere I wanted.
GRAHAM CLULEY
Oh, I see. You didn't use convenient Wi-Fi hotspots, John. You just think, oh, this is very handy. My hotel is offering me this. You stayed on 3G, did you?
JOHN HAWES
Well, as much as possible. Yeah, because things worked and on the Wi-Fi, a lot of stuff was blocked.
GRAHAM CLULEY
Yeah. Oh, interesting.
CAROLE THERIAULT
Well, the thing is, did you use a VPN while you were out there? Yes, I did.
That's obviously something that most internet-savvy people are doing to try and bypass all these blocks that are put up to sites like Google, Facebook, etc.
China is actively, however, cracking down on the use of VPNs.
And according to the BBC, Beijing ordered its state-owned ISPs, which you were probably connected to— China Mobile, China Unicom, and China Telecom— to block access to unauthorized VPNs.
GRAHAM CLULEY
And the thing is, can you trust the authorized VPNs? Because what have they had to do to allow China to say, oh yeah, you can use that VPN, no problem with that one.
CAROLE THERIAULT
Exactly.
And you just can't help but wonder if there's lots more VPNs coming on the market only to try to make sure that they're not listed on the list of VPNs that might be blocked.
The government's also even demanded that shopping websites like Alibaba remove references to VPNs on their site. So basically, don't sell them, don't talk about it, hush hush.
GRAHAM CLULEY
I wonder if we have any listeners in China who might be able to give us some perspective on all of this. We'd love you to get in touch.
CAROLE THERIAULT
We'd love some information on that.
GRAHAM CLULEY
Because you can speak more knowledgeably about this than probably—
CAROLE THERIAULT
Than I can. Thank you very much.
GRAHAM CLULEY
No, no, it's good.
No, I'm not saying— what I am saying though is if they begin scoring people based on their social media activity and whether they've said something which might be considered anti-government, for instance, it might be tempting to install some kind of little bot or something which does automatically like or heart or retweet or re-WeChat or whatever the phrase is, people in power inside the Chinese authorities and show that you're a model citizen and then just occasionally pepper what you really think.
CAROLE THERIAULT
Follow Graham's advice. I'm sure no harm will come. This episode of Smashing Security is sponsored by LastPass.
LastPass simplifies password management for companies of every size, but it isn't just for enterprises. It's equally a great solution for business teams, families, and single users.
Learn more at smashingsecurity.com/lastpass.
GRAHAM CLULEY
And welcome back, and it's our favorite time of the show, the part of the show which we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
GRAHAM CLULEY
Pick of the Week.
JOHN HAWES
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.
It could be a funny story, a book they've read, a TV show, a movie, a record, an app, a website, a podcast, whatever. Doesn't have to be security-related necessarily. Shouldn't be.
And my pick of the week this week is, have either of you mastered the Rubik's Cube? John, you seem like the sort of person who would have whiled away your—
CAROLE THERIAULT
I feel insulted. Okay, now I haven't, but I don't know why you would say— John, of course, you know, because you have a penis, you must have been able to do it.
JOHN HAWES
You don't actually use that, but it's mainly a hand thing, the Rubik's Cube.
GRAHAM CLULEY
No, the reason is, Carole, is that I thought you probably had an active social life and maybe John coming from Cornwall would be less likely. No, that's why I said it.
CAROLE THERIAULT
Just for the record, I've only done two sides of a Rubik's Cube. I've never been able to do it.
GRAHAM CLULEY
Okay, that's about the same as me.
JOHN HAWES
I think I have done a whole one at some point in the past. Probably a long, long time ago.
GRAHAM CLULEY
Really? Well, I bet you haven't done it in 0.38 seconds.
JOHN HAWES
Whoa. Well, no, that would spoil the fun entirely.
CAROLE THERIAULT
You haven't even—
GRAHAM CLULEY
You can't even blink that fast.
Because there are a couple of dudes, Ben Katz and Jared DiCarlo, and they have built a robot that can solve a mixed-up, messed-up Rubik's Cube in world record time, smashing the previous record.
CAROLE THERIAULT
Well, it won't take you much time to watch that video, I guess, of them solving it.
GRAHAM CLULEY
Well, what they do actually— so we put a link to the video in the show notes, or you guys can watch it right now if you like. Solving in 3, 2, 1.
CAROLE THERIAULT
Okay, it's over. It's already over.
GRAHAM CLULEY
Yeah, but then they show it in slow motion. Now a typical Rubik's Cube takes about 19 to 23 turns. They reckon that they could actually make this even faster.
They can make it 0.25 seconds.
And it's quite interesting. You can read all about it on their blog where they've talked about their contraption which they've built.
And they got a couple of webcams to view the cube from different angles.
CAROLE THERIAULT
Yeah, the video's done quite well actually, and it's only 30 seconds long, and I think they go through it a number of times.
They really explain exactly what they're doing in that 30 seconds.
JOHN HAWES
I don't think that's an official Rubik's Cube. The ones I had were always very kind of sticky, and they'd get jammed up very easily.
GRAHAM CLULEY
Well, in the video you'll see that sometimes things go wrong. Oh, and I didn't notice that, it was so fast. They destroyed a number of Rubik's cubes.
JOHN HAWES
Well, exactly. You see, they're fragile.
CAROLE THERIAULT
Cool. Good pick of the week, Graham.
GRAHAM CLULEY
Pick of the week.
JOHN HAWES
John, what's your pick of the week? So I was wondering, Graham, this sounds something you might know. How much real estate would $1 million get you in Monaco compared to Cape Town?
GRAHAM CLULEY
Oh, any ideas? Well, Monaco is going to be more expensive, surely.
JOHN HAWES
Exactly. Yes, it's quite a lot. Cape Town is meant to be quite nice too, but—
Oh no, but it'll get you almost 10 times as much for your— A million dollars in Monaco would get you 16 square metres, and in Cape Town, 157. Oh!
And you're wondering why, how I know that, right?
CAROLE THERIAULT
Yes, because you're so smart.
JOHN HAWES
So it's because I get an email every day from a site called Statista, who are a bunch of statistic freaks, and they send out all these daily updates that I subscribe to on just random bits of information, basically.
I'm going to the site.
GRAHAM CLULEY
Hang on, John, you sign up for this useless— It's a great—
JOHN HAWES
It's very entertaining. It's not—
CAROLE THERIAULT
How long have you been signed up? How long have you been doing it?
GRAHAM CLULEY
I would say at least 2 years. Oh my goodness.
JOHN HAWES
And every morning I go and have a little look. It's just a little infographic, a little graph or something, and I go, oh, that's interesting.
GRAHAM CLULEY
So it's not always about real estate prices?
JOHN HAWES
Oh no, no, no, no. No, it's a lot of it actually is kind of digital stuff.
So finances of the big tech firms and users of different social media sites and all kind of matched against each other and put into perspective.
There's a great one Carole, you're gonna love this one. I think this was in the last few days, I think.
So Bob Ross, yes, the host of The Joy of Painting, they have a great infographic of different items that he's likely to have in one of his paintings.
Apparently you have a 56% chance of a deciduous tree compared to 53% chance of a conifer tree.
CAROLE THERIAULT
Welcome back, certainly glad you decided to spend a half hour with us today.
I think you'll enjoy the little painting we're going to do, and I hope you take the time to paint along, or you pull up your easy chair and just relax with us.
I thought today we'd just—
JOHN HAWES
I love that you're more likely to have two mountains in one of his pictures than a single man-made structure. Oh, there you go.
GRAHAM CLULEY
I was wondering, John, why you signed up for this thing. Now I'm wondering— I really can't remember who is it that is collecting this data.
Well, it's watching Bob Ross videos and working out what kind of trees he's just drawn.
JOHN HAWES
Well, I don't know. So I think a lot of the stuff that they pull in kind of data from various different sources, either from people that have done academic research or—
GRAHAM CLULEY
Academic research on Bob Ross pictures? Possibly.
JOHN HAWES
John, this is crazy! It's coming from all kinds of different sources. It's quite a big firm, Statista.
And the other thing that I wanted to mention this week, because this is what made me think of it this week, they recently put out a thing called their Digital Economy Compass 2018.
Which is basically a bunch of their standard infographics put together in a kind of massive— I think it's 220 pages or something.
Just hundreds of little graphs and charts all about the digital economy. It's fascinating.
CAROLE THERIAULT
I have just bookmarked the page, Graham, so you should too. I thought it was great. Percentage of females aged over 75 with hypertension.
JOHN HAWES
Exactly. Bet you want to know. You want to know, right?
CAROLE THERIAULT
It's almost 80%. What's the link?
GRAHAM CLULEY
I need to know that right now.
CAROLE THERIAULT
It's statista.com. Oh, easy. One more for you.
JOHN HAWES
Yep. Apple has enough money offshore sitting, waiting to do something to buy every single one of their 132,000 employees a Bugatti.
CAROLE THERIAULT
John, I think that's a great Pick of the Week.
GRAHAM CLULEY
I think it sounds very interesting. I'll go and check it out. Carole, what's your Pick of the Week?
CAROLE THERIAULT
Okay, let me start with the story first. I was at a meeting and this guy stood up at the meeting to show a video he'd been working on. And the video loaded up on the guy's YouTube.
So he basically put the video on a YouTube channel and set it as private and then was going to show the group.
And he was asked to access the channel from the computer connected to the display or the presentation screen. You with me?
JOHN HAWES
Yeah.
CAROLE THERIAULT
So as he's logging in and looking for the video, we're watching the screen and he gets to his account and is searching for the video on YouTube.
And while he's doing all this, we are looking at his Up Next section of his YouTube channel with recommendations of videos on display.
And many of these were what we would call NSFW, if you know what I mean. And I kind of felt for the guy, right?
So anyway, fast forward to a few days ago, I'm scanning Reddit's No Stupid Questions sub and see this question from handle Absar.
Is there a way to stop certain video suggestions on YouTube?
I watched 3 flat earth videos so I could have a good laugh, and now 90% of the recommended videos are from flat tarts, quote unquote.
GRAHAM CLULEY
Flat tarts?
JOHN HAWES
Quote unquote, quote unquote. The famous flat tart community.
CAROLE THERIAULT
So lots of people replied to this guy, but one called Trilicon gave great advice, which I'm gonna share with you here. All you need is to curate your history and recommendations.
So let me summarize the advice for you. First, on YouTube, go to history, delete any recent videos that you don't want recommended to you in the future.
Start with big hitters like over a million views because they really skew your recommendations. Yeah, I didn't know that either.
Second, in your Up Next section, if you see the videos that are lined up in your Up Next section, right beside them you can see a column of three dots right next to your recommendations.
If you click on that, choose Not Interested from that list and select Tell Us Why and tell them I don't want recommendations based on this video.
Third, consider watching videos with over a million views in some form of private browser because they have such an impact on recommendations they provide you.
If you'd rather watch a video that has lots of views that you don't want recommended to you in future, do it in a private browsing session.
And four, only like videos that you're actually interested in, which seems pretty easy, right? That's a duh option, but I'm sure lots of people don't think that way.
So if you do like a video, say yes, give me more of this please. All right, and there you go. So thank you very much, Trilicon.
And now many, many presenters around the world who have to open up YouTube on a display can clean up. I mean, the best way to do it is have two accounts.
I'd say have a business account, a personal account. That's the way I'd handle it personally. But there you go. Cool.
GRAHAM CLULEY
That's a very practical pick of the week.
CAROLE THERIAULT
Well done, you. Very useful. There you go. It's not only a pick of the week, but a tip of the week.
GRAHAM CLULEY
Well, that just about wraps it up for this week. If you want to follow us on Twitter, we are @SmashingSecurity without a G. Twitter didn't let us have a G.
We are on Facebook in the Smashing Security podcast group. We've got a store, smashingsecurity.com/store.
And oh, the other thing I need to do is, John, thank you very much for joining us on the show today.
If people want to know more about you and AMTSO, how should they get in touch with you?
JOHN HAWES
You can reach me at . Fantastic.
GRAHAM CLULEY
Well, thank you at home for tuning in. If you like the show, please give us a rating and positive review on Apple Podcasts.
It really does help new listeners discover the show, and you can check out past episodes at smashingsecurity.com.
JOHN HAWES
Until next time, cheerio, bye-bye, bye-bye, au revoir, adieu, après ma lettre de douche.
CAROLE THERIAULT
I love Bob Ross.
EPISODE DESCRIPTION:
How come Apple's Mac App Store authorised a buggy app that mined for cryptocurrency in the background? How can a Mosquito attack steal data from an air-gapped computer? And is China keeping score on its social media-loving citizens?
All this and much, much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, who are joined this week by special guest John Hawes.