SCOTT HELME
I saw your tweet, Graham. You are not a fan of the whole bio implant thing, are you?
GRAHAM CLULEY
Not really.
CAROLE THERIAULT
It's always those that need it most that complain the most.
Unknown
We'll skip over that. Yes. Smashing Security, Episode 70: Facebook and Cambridge Diabolica with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to another episode of Smashing Security, episode 70. My name is Graham Cluley.
CAROLE THERIAULT
I'm Carole Theriault.
GRAHAM CLULEY
And we are joined today by a returning guest. It's Scott Helme. Hello, Scott.
SCOTT HELME
Hello, guys.
GRAHAM CLULEY
How's it going? Not too bad at all. Now we've got a packed agenda today, so sorry, Scott, no time for chitchat.
CAROLE THERIAULT
You've been here before.
SCOTT HELME
We can skip the courtesies.
GRAHAM CLULEY
Let's find out who our sponsor is and let's get on with it! Thanks to MetaCompliance for supporting this episode of Smashing Security.
People are the key to minimizing your cybersecurity risk posture, and MetaCompliance makes this easier by providing a single platform for phishing, cybersecurity training, policy, privacy, and incident management.
Listeners can get a 10% discount off the high-quality cybersecurity e-learning catalog by quoting the code SMASHING. Just visit www.meta-compliance.com/smashing.
Www.metacompliance.com. That's www.metacompliance.com. Righty-ho. We've got a lot to cover today because I think there's a huge story right now. It's exploding.
Yes, hundreds of headlines.
CAROLE THERIAULT
All right, welcome back. It's probably one of your favorite guilty pleasures on Facebook. I'm talking about those personality quizzes. They seem pretty harmless, right?
Well, now a data firm associated with the Trump campaign has been suspended by Facebook after reportedly using information from those quizzes without permission to target voters.
GRAHAM CLULEY
New developments tonight on Cambridge Analytica, the firm that worked for the Trump campaign and tried to influence American voters using information harvested from 50 million Facebook users.
CAROLE THERIAULT
Hi everyone, I'm Reena Ninan. Thank you for joining us. We begin with a major data breach carried out by a firm that worked with President Trump's campaign team.
The Guardian is reporting that Cambridge Analytica used personal information from the profiles of millions of US voters without permission.
GRAHAM CLULEY
Cambridge Analytica, rather shady data analytics firm which has managed to get its paws on information about some 50 million Facebook users which were collected by somebody else's personality testing app.
Now, before I go on, I need to give you a little caveat. We are recording this with Scott on Tuesday afternoon. In the sunshine, yeah. And this story is changing by the hour.
There are new things happening.
In fact, I know tonight Channel 4 here in the UK are going to be broadcasting another in its series of undercover investigations into Cambridge Analytica.
And they're going to be focusing on what the firm may have done to help the election of US President David Dennison. Get the popcorn! That's definitely a popcorn job.
CAROLE THERIAULT
He's not admitted it's his name yet, as far as I know.
GRAHAM CLULEY
Dirk Diggler? No, he has. No, wait, has he? Yes, yes. Potentially the first thing he's ever admitted to.
CAROLE THERIAULT
I'm David Dennison.
GRAHAM CLULEY
I don't think he's done it on audio, but on legal papers now says Donald J. Trump, aka David Dennison, from his lawyer. So there you go.
Anyway, it's a fast-moving story about Cambridge Analytica, so I wanted to cover it, explain what we know so far. Excellent.
And some of the implications for all those people out there who are on Facebook. So Cambridge Analytica, who are they?
Well, they are a company which do something really kind of in a technical way, really very cool and clever.
What they do is they analyze social network data in order to create personality profiles of people online, which you then could influence in different ways, maybe to buy something, or maybe, just maybe, to vote in a particular direction.
CAROLE THERIAULT
Okay, I would agree it's technologically cool, but not societally cool at all. I think these things are scary. Not ethically cool. Not ethically cool either. Downright yucky.
GRAHAM CLULEY
Anyway, carry on, Chris. I think I probably agree with you.
Now, the knowledge which you can ascertain from people's social network data and what they're sharing online can be immensely useful to these kind of organizations and the people who employ them, because it means individuals can be targeted with content designed to appeal to them and perhaps influence their behavior.
Oh, like propaganda. Right. So Alexander Nix, he is the chap who runs Cambridge Analytica, and he's basically a bit of a— he's shady as anything.
Well, he's a bit like an old-style Bond villain. He's an Old Etonian.
SCOTT HELME
He does look like— oh, is he?
GRAHAM CLULEY
Is he? He does look a bit of a villain, and he's described his company's, what they do as this.
He said, "Our job is to understand what are those really deep-seated underlying fears and concerns.
It's no good fighting an election campaign on the facts because actually it's all about emotion." So you're a typical really great guy. Right. Yeah.
Now, so he's in one corner of the boxing ring, right? In the other corner, up against him, is pink-haired whistleblower Christopher Wylie, who used to work at Cambridge Analytica.
And left under a cloud because he went to the press with information about what had happened because he thought it was wrong.
In fact, he describes their operations as Steve Bannon's psychological warfare mindfuck tool, TM. Which he helped build. Well, yes, which he helped build.
But the controversy here is how they got their data to make this thing.
Now, there is a Cambridge psychology professor, University of Cambridge, not connected with Cambridge Analytica, it's just a cool name, isn't it?
His name is Alexander Kogan, and he is, of course, Russian. He created an app called This Is Your Digital Life, and he encouraged people to take part in a personality test.
270,000 people ran that Facebook app. Yeah.
CAROLE THERIAULT
It told you whether you were anxious or things like that. It had 5 different profiles or something.
GRAHAM CLULEY
All kinds of information it requested, and then they put up a profile of you. You can imagine this is the kind of thing people run on Facebook all of the time. Yeah, totally.
But it didn't just grab information about users and find out about their personalities, it also scooped up personal information about their Facebook friends and details of their Facebook activity.
So it was able to collect an enormous amount of information. Now, under Facebook rules, that information should have stayed with Kogan, okay, because he was the app developer.
Although they can collect data, and that may be alarming in itself that people can do that and collect so much information about you by just getting you to run an app or try and work out what your porn star name is.
You know, Peggy Pegscroft or Dirk Diggler. Is that yours? What, mine? Wow.
SCOTT HELME
I wasn't going to ask where that came from.
GRAHAM CLULEY
What's it meant to be? It's meant to be— Oh, sexy. Your name of your first pet and— Oh, there's loads of them.
CAROLE THERIAULT
Yeah, first pet, first street you lived on.
GRAHAM CLULEY
Yes. I think mine is— Yes, I will. Actually, I shouldn't say, should I?
CAROLE THERIAULT
Mother's maiden name. Yeah.
SCOTT HELME
Well, you almost got him then. Yeah, yeah.
GRAHAM CLULEY
His quiz questions. Yeah. So, what happened was, that data which Kogan collected ended up with Cambridge Analytica.
I don't know if they bought it or he gave it to them or what the deal was, but they got hold of it. And that shouldn't have happened.
That was against Facebook's terms and conditions. So the story became very big, very quickly.
In fact, on Monday night, apparently, there was a digital forensics team sent by Facebook at Cambridge Analytica's offices in London.
The ICO, the Information Commissioner's Office, found out that they were there and they said, "Oi, clear off." Because obviously there are concerns that they could be cleaning out data and things because the ICO want a warrant to go in and examine those computers and find out what's going on there.
CAROLE THERIAULT
There's one thing here though I think you've kind of skipped over, which is kind of big, right?
So 270,000 people downloaded and took part in the quiz, but under this friends permission feature that existed in Facebook up until 2015, they were able to grab all the data of every single person they were connected to.
So their friends, for instance. So they were able to kind of scoop up not just that 270,000, but up to 50 million profiles of people.
GRAHAM CLULEY
50 million.
CAROLE THERIAULT
So the information of people who did not take part at all was snarfed up by Facebook's data feature that existed until 2015.
GRAHAM CLULEY
And 50 million is a pretty big number. That's what, 1 in every 4 people in the United States, for instance. Yeah, huge.
Pretty significant for the little pokey little personality test which they were running. So this has been in the news.
The ICO last night at Cambridge Analytica's offices, and on Channel 4 last night as well, there was hidden camera footage shown of Cambridge Analytica talking about some of the shady things they could do to try and influence people, including claiming they could send sexy Ukrainian girls to act as honey traps.
Yes! Unbelievable. Unbelievable. In fact, there's a really ironic part of the video. The guy who runs Cambridge Analytica says, "We can secretly record them with video cameras." Yeah.
And then release the information on the internet. Okay, so I thought that was quite amusing.
CAROLE THERIAULT
It's just the irony of that one, huh?
And apparently Facebook and Cambridge Analytica are threatening to sue the journalists over the story, so The Guardian, The Observer, Channel 4, for breaking the news.
GRAHAM CLULEY
Well, yeah, I think they are less than impressed. Cambridge Analytica are suddenly saying that the video has been edited in a way which doesn't reflect the true conversation.
They claim that all this talk about sexy Ukrainian girls and some of the other things was them actually trying to ascertain the ethics of the potential customer.
And so they were trying to draw her out. They were going along with the conversation, then they would decide, "Oh, these aren't the sort of people we would want to work with."
CAROLE THERIAULT
Yeah, I mean, The Guardian's been working on this for over a year, more than that in fact, and I bet they've crossed their T's and dotted every single I, because this would have been hot.
GRAHAM CLULEY
Well, it's certainly a major investigation, and we're putting links to The Guardian and some of the Channel 4 content as well, so other people can go and check it out in full.
So one of the big questions is, was this a breach?
And there was quite a discussion about this in the last day or so on Twitter in particular, because Alex Stamos, who is the chief security officer of Facebook, posted a tweet which he subsequently deleted saying, you know, it was wrong to classify this as a breach.
And indeed on Facebook's press release about this incident as well, because they've banned Cambridge Analytica from Facebook now as a consequence of this, they said, you know, it's wrong to portray this as a breach.
And I actually think maybe Facebook is right about that. Maybe this wasn't a data breach because certainly there were no malicious hackers breaking into any servers.
There was no vulnerability exploited. There was no grabbing of passwords.
CAROLE THERIAULT
Facebook were aware that they were doing this and were— it was within the guidelines at the time what they were grabbing. Oh, absolutely.
And Facebook— and just today, there's a great article in The Guardian all about how Facebook actually didn't properly necessarily vet what their third parties were doing with the data they were collecting.
GRAHAM CLULEY
Well, how could they, right?
CAROLE THERIAULT
Yeah, because exactly, this ex-Facebooker saying, I never once saw any audit.
GRAHAM CLULEY
Right.
If they're allowing third parties to scoop up this data and then put it on their servers and, you know, interact with it in some fashion, Facebook doesn't have any visibility on that.
The concern is that this actually is how Facebook is designed to work.
Many apps, over the years, have scooped up users' information and, privacy settings permitting, those of their friends as well. So this isn't news.
Facebook has been doing this for years, and maybe the data shouldn't have been shared with Cambridge Analytica by the Cambridge professor. Because that does breach their terms.
CAROLE THERIAULT
And then sold to other third parties who use it to basically change the way people vote. Big deal. It's a big deal.
GRAHAM CLULEY
Well, it is, exactly. So I think this isn't necessarily a security breach, but it is maybe a data policy breach.
CAROLE THERIAULT
Ugh, you're splitting hairs. I don't know.
SCOTT HELME
I think that's a really important clarification, 'cause especially from my background in the security world, when you say breach, my mind goes to somebody in a dark room hacked into the servers and stole all the data.
I think there's a breach of something. You know, this is a breach of trust, a breach of policy, a breach of ethics. But I don't think, you know, security wasn't breached.
And that's kind of typically where people's mind wanders when you say breach. They think security. You know what? That's fair.
CAROLE THERIAULT
That's fair. So because Facebook were aware and the people taking the data didn't bypass security and steal it, we shouldn't call it a data breach.
GRAHAM CLULEY
I think the real failing here is from Facebook users who haven't realized this is what Facebook is all about. You are outrageous. No, what do you mean I'm outrageous?
CAROLE THERIAULT
You are outrageous blaming users. Don't blame the victim.
GRAHAM CLULEY
Yes. Look, if you read the teaser— How many times have you tried to get me on Facebook?
CAROLE THERIAULT
How many times? Just for, you know, even for Smashing Security.
GRAHAM CLULEY
Look, the fact is, this is how Facebook is supposed to work, right? And I actually believe that makes it worse than any data breach.
People joined Facebook and they thought, "Oh, this is fun. I can keep in touch with my mother-in-law. We can poke each other and pretend to be a vampire," or whatever it is.
And Facebook has turned a blind eye to these sort of abuses and the information because that doesn't work for their business model.
Their business model is to get as much data about you as possible and find ways to monetize it and make it an attractive platform for companies.
CAROLE THERIAULT
Yeah, and get as many people on it as possible. So they want to spread far and wide, and this might hinder their spread, so they just kept schtum about it, which is illegal, right?
Well, that's the thing. Is it illegal? What's illegal? Yeah, yeah, you're right, you're right.
I was thinking it was illegal that they didn't tell individuals, hey, by the way, your data was given away, but GDPR isn't in effect yet.
SCOTT HELME
No, gosh, can you imagine if this was next month though? Or actually the month after, sorry.
GRAHAM CLULEY
Oh, you know what?
Friend of the show, Martijn Grooten, he posted a great tweet earlier today where he said, "Remember, if you don't delete your Facebook account or set your privacy settings correctly by the 25th of May, GDPR requires you to inform all of your European-based friends that you've sold their details to Steve Bannon."
CAROLE THERIAULT
Yeah, because he's of course involved as well, isn't he?
GRAHAM CLULEY
Well, yeah, he used to have a senior position at Cambridge Analytica, and of course he was very involved in — what's his name again? David Dennison's presidential campaign.
CAROLE THERIAULT
I wonder how our professor's doing as well right now. You know, that seems—
GRAHAM CLULEY
I think he's keeping his head down, to be honest.
CAROLE THERIAULT
Well, the press are certainly talking about him.
GRAHAM CLULEY
So what I hope comes from all of this is that people have a little bit more awareness about what Facebook is doing with everything that you like, every piece of information you share.
And if you've left your privacy settings open, you may want to go and — I'll put in a link.
There's a good article on the EFF website where it tells you how to reconfigure your privacy settings to reduce the chances and the ability for apps to scrape your information.
So if you're concerned about that, you can do that. And of course you can, although none of you probably will, delete your Facebook account. Oh, I think people are.
CAROLE THERIAULT
I think people are doing it. Delete Facebook movement is gaining steam.
SCOTT HELME
I've seen it hashtagged on Twitter quite a lot.
CAROLE THERIAULT
Yeah, it's big. It's big. I think a lot of people, and it's not easy to do. It's kind of hidden, you know, how to delete.
I know you should provide a link to that as well, exactly how to delete your account.
GRAHAM CLULEY
Yeah, and it takes 90 days and they keep on saying, "Are you sure?
You really, really sure that you can do this?" And you can download any data which you have given them in the past.
But I understand it's not necessarily an easy thing to do because it may be one of your primary ways of keeping in touch with people.
SCOTT HELME
What about an alternative though? The one thing that's always baffled me, especially with my security focus, is, you know, how much per month do Facebook make off each user?
Because they've got billions and billions of users. So if I was just to do, hey, look, here's $2 a month subscription. Please don't sell all of my data. I just want to use Facebook.
You know, would that not be — I wonder if that would be viable, $2 a month times their user base.
GRAHAM CLULEY
It's like a Spotify model, isn't it?
I mean, wouldn't it be great if you could just rent Facebook for £2 or Netflix £6 or whatever it is and get some additional, you know, like Facebook Pro or something?
I guess that's kind of admitting though that if you don't do that, it's okay if they sell your data. Yes, your data is being monetized in a fashion.
I can't imagine Facebook ever making that change. I think unless there was a really large number of people leaving the site because of this—
CAROLE THERIAULT
There is right now. Do you think so, Carole? Yes. Eat your popcorn, sit back, watch Channel 4 tonight. I honestly don't think so.
GRAHAM CLULEY
Read the papers tomorrow. I don't think so.
SCOTT HELME
It's one of these news cycles where we have this big flare-up and everyone gets irate and it just fizzles out.
CAROLE THERIAULT
I think they're going to lose about 20% of the users. That's what I'm going to say.
SCOTT HELME
I think they're growing so fast— 20%. Come on, guys. They can replace that.
GRAHAM CLULEY
How many people closed their Yahoo account?
CAROLE THERIAULT
I have no idea.
GRAHAM CLULEY
Their what account? Do you remember Yahoo? Their what? What? All right then. And Scott, what have you got for us this week?
SCOTT HELME
So the headline that caught my eye was the one about Uber with the accident in the vehicle that was in autonomous drive mode. You know, this is quite a sad story.
Of course, you know, there's been an accident with a vehicle and that resulted in a fatality.
And Uber has subsequently suspended all of their testing across America, actually, of all of their autonomous fleet.
You know, it's a real shame because this technology is in its proving ground right now. It's obviously being tested.
I think here in the UK we're actually apparently pretty good for autonomous driving as well. It's very favorable with the legislation here.
And I think the reaction and the wider response to this has been really polarizing, and I think it's difficult to decide which side I come down on because, you know, many people are saying that this vehicle was in autonomous mode and it's caused a fatality.
CAROLE THERIAULT
So what happened? Do you know the story? Like, how did it exactly happen?
SCOTT HELME
So from the reports, this lady was, you know, just apparently walked out into the road.
One of the news stories said that it wasn't a crossing, it was just, you know, she was just crossing the street somewhere, you know, in the middle of the street or wherever, assuming the driver would stop or slow down for her, I guess.
Well, I mean, I guess we don't know. Maybe she just didn't see the car coming and stepped out. But I guess one way or another, this vehicle has been involved in a collision.
And unfortunately, of course, later that day, the lady passed away.
CAROLE THERIAULT
Oh. So this is the first kind of death by autonomous car.
GRAHAM CLULEY
Yeah. Was there a driver in it, but just wasn't in control of it? Yeah, so there was— Sitting there reading the paper or something.
SCOTT HELME
I can't remember the official term, but there was a human safety advisor or something behind the wheel.
So there was a person in the vehicle, but it was in full autonomous mode at the time, meaning the vehicle was in full control. You know what I mean?
The human drivers do have the ability to take control. You place your foot on the brake pedal, the car will brake.
You don't have to go into some system and disable autopilot or whatever.
GRAHAM CLULEY
But you're never going to be as alert as you would be if you were normally driving, I think. As alert as you could be, rather.
Because you will be distracted or doing something else or picking your nose or, you know. Yeah, this is where—
SCOTT HELME
You would. I don't know. Just to clarify, you would. Yeah, Graham would.
But it's, I don't know, it's kind of like the Tesla Autopilot because this, the Uber one here is full autonomous, which means that the person behind the wheel is not really supposed to be paying attention.
The vehicle does it all itself.
The Tesla Autopilot system, because we did have a news headline about that last year when a gentleman crashed into the side of a tractor or something and the Tesla vehicle was in Autopilot at the time.
Now, autopilot is, it's kind of like cruise control. It's a driver aid.
You're supposed to still pay full attention, but it just takes away the boring bits, you know, going up and down 10 miles an hour on the motorway when it's slightly—
CAROLE THERIAULT
What else do you do if you have to still pay attention? It's just you can't even turn the wheel even at a centimetre each way.
SCOTT HELME
I do kind of— it's weird because I was very apprehensive at first, and I've actually test-driven a couple of Teslas, and I do— Yeah, they're such great cars.
And I have actually got one on order. Oh, wow.
And I really— because I drive a lot in traffic, you know, you're in stop-start traffic where you kind of drive for 100 metres and stop, drive 100 metres.
And it's so monotonous having to do everything. You can kind of sit there and pay attention and just let the car nudge you along gracefully.
CAROLE THERIAULT
But don't you think your eyes are going to go down to your phone a few times to see when you get a text? Are you going to avoid that?
SCOTT HELME
Well, no, I mean, because you could theoretically still do that now, I guess, in stop-start traffic.
I just, you know, my phone goes onto the Bluetooth on the car so I can take calls. And anything that requires a screen is just, you know, tough luck.
If the world ends on Twitter, then I'll just have to read it when I get out the car.
CAROLE THERIAULT
The bots will tell you eventually.
GRAHAM CLULEY
Scott, this is quite a step up because you're famous, of course, for hacking your Nissan Leaf. And now you're going to go up to the Tesla.
SCOTT HELME
And his arm. Oh, yes.
GRAHAM CLULEY
Put something in his arm. Oh, yeah, we don't.
SCOTT HELME
Oh, for goodness' sake. I saw your tweets, Graham. You are not a fan of the whole bio implant thing, are you?
CAROLE THERIAULT
Not really. It's always those that need it most that complain the most.
SCOTT HELME
We'll skip over that. Yes, I was involved with the Nissan Leaf research with Troy Hunt. And yes, I am moving onwards and upwards into Tesla ownership when they eventually deliver.
GRAHAM CLULEY
So are you at all worried that when you get your Tesla, rather like the Uber, it may, you know, act inappropriately?
Because wasn't there a Tesla recently which went dramatically off-road, as it were?
SCOTT HELME
In fact, heading towards Mars or something? Yes. Unfortunately, that one's not coming back, is it? I think it's in high Earth orbit right now.
But, you know, they're imperfect systems because they're built by people. You know, no software or hardware system built by a human is ever going to be flawless.
And I think if autonomous vehicles or even Autopilot can vastly reduce the number of fatalities on our roads, then— I mean, it was always going to happen.
CAROLE THERIAULT
There was always going to be— Of course, yeah.
SCOTT HELME
Nothing can be perfect. But, you know, just— It still sucks, though. Yeah.
GRAHAM CLULEY
I think you're right. My expectation is that, of course, there will be accidents with driverless cars and autonomous vehicles. I mean, that's just going to happen.
CAROLE THERIAULT
There's accidents with driving cars.
GRAHAM CLULEY
Well, and there were accidents with horse-drawn carriages.
And there are probably people who said, my goodness, you're going to get rid of the horse, you know, this is all, you know, even though it's — there have been accidents with it in the past.
So I think there's almost this desire now to have 100% safety, and that's just going to be unachievable, isn't it?
SCOTT HELME
Yeah, we can't let the perfect be the enemy of the good. You know, if we can reduce fatalities by 90%, then why on earth would we not?
You know, yes, the autonomous or the driverless car might be responsible for those 10%, but that could be, you know, hundreds of families that don't lose a child or a husband or — I can totally see that with this particular incident, the pain and the problems with that. But at the same time, if I cross the road or my little boy crosses the road, if there's something that we can do to reduce the chances of him being involved in an incident, then I absolutely want to see us take that step.
GRAHAM CLULEY
Did you say we can't let the perfect be the enemy of the good? Is that a quote from Star Trek or something? Or was that you? Was that your deep action?
SCOTT HELME
No, no, I totally — where did that come from? I will have totally heard that somewhere, stored it in the back of my mind and just brought it up now.
It's probably from the Daily Mail. I don't read my toilet paper.
GRAHAM CLULEY
So, Carole, what have you got for us this week?
CAROLE THERIAULT
Well, I want to talk to you about ransomware or ransomware-like scam that's been going on.
You know, obviously ransomware is where scammers take sensitive and valuable assets from you and hold them until you pay up.
Well, in this instance, we're seeing numerous reports of people being held up for ransom for sending nudie shots of themselves.
So this morning, this is Tuesday, 20th of March, Australian media warned West Australians to be wary of being targeted on social media as part of what they're dubbing sextortion scams.
So this is how it works. I really don't like the name.
SCOTT HELME
The media love that name, don't they?
CAROLE THERIAULT
So here's how it works. So the scammers friend their victim and convince them to record and then send sexually explicit videos and photographs.
The scammers have created a real-looking online profile, and then they lure the victim by reportedly sending images first to the victim.
So basically saying, hey, look at me nude, you send me some nude pictures back.
SCOTT HELME
Hasn't this been going on for a long time though?
GRAHAM CLULEY
Obviously there's a new alert going out in Australia about this right now.
CAROLE THERIAULT
Not just in Australia, not just in Australia.
SCOTT HELME
I know a lot of things are online.
GRAHAM CLULEY
It's always struck me as strange, this, the idea that if someone sends you nude images of them, that you would want — the last thing I would want to do is send them genuine nude pictures of me back.
I might go on the internet and find something —
CAROLE THERIAULT
Graham, you're not 24, you're not a 24-year-old teenager, are you?
GRAHAM CLULEY
No one's a 24-year-old teenager.
CAROLE THERIAULT
You wouldn't need to worry that someone, you know, someone would get the pictures and just go, oh, okay, move on. All those 24-year-old teenagers out in the world. Oh, sorry.
I didn't even hear I did that.
GRAHAM CLULEY
But the point, you know, but it just seems a very strange thing to do to me. I don't know why anyone would want to send a nudie pic online.
My guess is that it all starts banally enough, but then, you know, becomes an online romance or something. Then it's, oh, take a look at me and all the rest of it.
And they might even want you to go on Skype or something. So video, that would be more difficult to fake. If that's happening, just wait.
CAROLE THERIAULT
Just wait, right? So the scammers, of course, then threaten to post the images and footage on the internet, sharing them with family and friends and partners, employers, and teachers.
And then they say, look, I don't want this to happen, pay between $500 and $5,000 via Western Union. So this is the Australian scam going on.
But also this week, across the world in Somerset, UK, a 16-year-old student named Jacob made headlines for performing explicit acts on video for what he thought was a girl he'd met online.
But his performances were actually being recorded by a scammer. And the scammer, still pretending to be the girl after they got the recording, asked for Jacob's phone number.
And Jacob answered the phone when it rang, expecting to hear the dulcet tones of his new lady friend, but instead got this aggressive, threatening guy who proclaimed himself a pro hacker.
And he said, I have a list of all your Facebook friends, I'll ruin your life. And Jacob was saying his heart was bleeding out of his chest.
He was shocked and he went in panic mode and he was just picturing all his family and friends at school seeing the video and looking at him differently.
He wanted it to stop, so he asked what the scammer wanted. And it was 800 quid.
And he says he doesn't care about the money and he paid up because he can make the money again, but rebuilding his reputation after that would be too hard.
GRAHAM CLULEY
He must be thinking, no, why did Cambridge Analytica target me in this fashion?
CAROLE THERIAULT
Yeah, and this is also happening in the States.
So this is not a new scam, but there seems to be a new surge of authorities in pockets around the world, giving warnings to their communities about this.
GRAHAM CLULEY
And I mean, I just joked about this, but I've heard stories in the past of people who have actually sadly committed suicide as a result of this because they've been too petrified to tell their parents.
They've been too alarmed about the images or whatever the video footage is being released. And it is ghastly that this goes on.
CAROLE THERIAULT
In 2016, the UK National Crime Agency's Anti-Kidnap and Extortion Unit dealt with 1,250 reports of cyber-enabled blackmail offenses.
There were 4 deaths by suicide in 2015, all in the UK and all linked to sextortion. I think it's very worrying because they're obviously targeting teens, right?
GRAHAM CLULEY
And those are the ones we know about, right? In many cases, people will not report this kind of thing because they're simply too ashamed and embarrassed.
CAROLE THERIAULT
Well, exactly. So, okay, so some advice. First, don't accept friend requests from people you don't actually know, right?
Change your settings to ensure only contacts can see your details on social accounts. And, you know, there's always going to be risks doing sexy pics or shows online, you know.
So I'd say think twice before you whip it out here. No, get off Facebook. Literally. Yeah, I know. It's good. Think before you snap. How about that? Okay. And get off Facebook.
Yet another reason to kill your account. You see, Graham, this is why everyone's going to get off because of the story.
Now, if this happens to you, if you're in this situation, it's really important if the videos are uploaded on things like YouTube and Facebook, it's important to report them immediately for it to be taken down and flag them as inappropriate.
That tends to work quite well. And don't assume that someone is going to actually honor the ransom deal that they're making with you.
In other words, just because you're paying up doesn't mean that you're going to get all the pictures and the problem goes away.
SCOTT HELMEE
Can't destroy the originals of a digital picture, can you?
CAROLE THERIAULT
Exactly. And the biggest thing is, especially if you're a teen, telling a trusted adult what's happened.
And yeah, of course, of course it's embarrassing and it's awful, but you are the victim. You know, doing nude dances online is kind of stupid, but not criminal.
SCOTT HELMEE
And it's a shame though, isn't it? Because I kind of see your point.
And I think one of the reasons they're targeting the younger people is perhaps they have slightly less foresight of, you know, how this could go wrong in the future, whereas I think as we grow older, we start to cast our minds much further forward on our actions.
CAROLE THERIAULT
I felt pretty invincible as a teen, and I don't think I would have ever thought this would have happened to me. I just don't think it occurred to me. I think that's partly it.
GRAHAM CLULEY
And I think also, it feels more like the end of the world when you're a youngster.
I mean, it's a bit like being in your first relationship or whatever, you know, and it goes sour and you really think that you're never going to find anyone who will love you ever again.
Whereas if you get to your 30s and 40s, you've been through a few of those rodeos and you think, "Okay, this isn't pleasant, but I'll be able to pick myself up." So I think it's actually more intense when you're a teen.
SCOTT HELMEE
Yeah, you don't have the capacity for, you know, to deal with that kind of trauma or emotion or—
GRAHAM CLULEY
Okay, so do we have any advice for parents as well though? Probably there are lots of people listening who've got young kids in their family.
CAROLE THERIAULT
Yeah, I think it's wise to read up on scams like this targeting young folk, you know, and understand how they're being duped.
And the thing is, you've got to hold your judgment back. It's a really scary time for a kid. I imagine many parents' reactions would be explosive in this situation.
Like, how could you have been so dumb? You know? And I think you really want to hold that back.
GRAHAM CLULEY
Well, we just have to remember the dumb things which we did, but we did them without the problem of everybody having a smartphone in the vicinity.
CAROLE THERIAULT
How about you share one of the dumb things you did, Graham?
GRAHAM CLULEY
One of the many. I kidnapped the school's Christmas tree once and held it hostage. Okay. We'll go to the Pick of the Week? Yeah, maybe we should.
And thanks once again to MetaCompliance for supporting this episode of Smashing Security. People are the key to minimizing your cybersecurity risk posture.
You can save 10% as a Smashing Security listener off the high-quality cybersecurity e-learning catalog by going to metacompliance.com and quoting the code SMASHING.
That's metacompliance.com, and don't forget the code SMASHING.
And welcome back to that part of the show which we like to call— it's our favorite time of the show, it's Pick of the Week. Pick of the Week.
SCOTT HELMEE
Pick of the Week.
GRAHAM CLULEY
During Pick of the Week, everyone on the show chooses something they like.
Could be a funny story, a book they've read, a TV show, a movie, a record, an app, a website, podcast, whatever they like. Doesn't have to be security related necessarily.
Sorry, Carole, what was that? Shouldn't be. Oh, and my one this week isn't security related so much, but it is privacy related. What's wrong with that?
CAROLE THERIAULT
When I, you know— Yeah, go ahead. Go ahead. I'll take a snooze while you—
GRAHAM CLULEY
It is. Now, many people, many privacy wonks tend to recommend a search engine called DuckDuckGo instead of Google, right?
But I've tried DuckDuckGo and I've never really gotten with it very well, although it's got a very cute logo, which is normally my decision as to what website I use.
I just don't find its search engine results to be as good as Google. And so I keep on thinking, oh, I'm going to use Google instead.
So for the last few years, I haven't been using Google.
I haven't, because I don't really like the idea of them tracking what I'm doing and keeping records and targeting me with ads and all that sort of nonsense.
So I use a site called Startpage, startpage.com, and I've set up my browsers to use that as the search engine instead.
And what's really sneaky about Startpage is it actually acts as a proxy for Google.
What it does, it displays Google search results within its own little frame, as it were, on its own website.
And you get all the benefits of the Google search engine, but without the privacy concerns, no tracking, no targeted ads.
And so it's just as good a search engine, but you don't get all of the horribleness. Now, I don't quite know what Google thinks about this.
SCOTT HELMEE
I was just going to say, how do they get away with this?
GRAHAM CLULEY
I don't know, but they do. And they have been for some years.
CAROLE THERIAULT
They're probably just selling their information over to Google afterwards.
GRAHAM CLULEY
Maybe, maybe I shouldn't publicize it, but they seem like a good bunch. That is my brief, short, helpful, topical pick of the week, and it's startpage.com.
CAROLE THERIAULT
I would agree. I've used it as well, and I think it's very good. I think it's a great service. So good pick of the week.
GRAHAM CLULEY
So Scott, what's your pick of the week?
SCOTT HELMEE
So my pick of the week is a new feature that I've been playing with over the last couple of weeks, actually.
A big security and CDN cloud company called Cloudflare, they kind of sit in front of your website, shield you from all the bad guys and all of the bad things, and they've just deployed or released a new feature called Cloudflare Workers.
Normally they just sit in between your visitors and you, and they only let the good visitors through and they stop the bad ones.
But now with workers, you can actually write some code that they will also run as they analyze your traffic in and out. You can start to do some really cool stuff with it.
I don't get impressed by stuff because I fidget around with new technology all of the time. But I've been sat at my keyboard this last week and been like, "Can we do this?
Can we do that?" I've been like, "Whoa." Oh, that's awesome. Yeah, we could do this, we can do that, and it's been really exciting. It gives you more control.
CAROLE THERIAULT
You can do a lot more with it. You've got more—
SCOTT HELMEE
Yeah. Normally they just fetch the page from your website and then pass it on over to the visitor.
Whereas now you can say, okay, take that page and do XYZ with it, or add this thing, or move this thing, or in our case, we're using it for adding some security features to the page.
It's like, okay, pass the page down to this user, but also add all of these security features. It's been really awesome.
I've just, I don't often kind of get excited in, you know, using something and then look at the clock and be like, whoa, it's 2 AM.
CAROLE THERIAULT
So you've customized a lot already with it?
SCOTT HELMEE
Yeah. So I've got two of our websites using it right now.
One of the companies that I run, and we've literally just scratched the surface and done our first blog post on some of the awesome things we've done with it already.
And there's gonna be a lot more coming over the next week or two.
GRAHAM CLULEY
Cool. Yeah, I read your blog post. It looks very neat. Yes, it definitely is. Looks like a cool thing to do, and I'm sure many people would love to take advantage of it. Groovy.
Okay, well, we will put a link in our show notes to that. And Carole Theriault, what's your pick of the week?
CAROLE THERIAULT
Well, mine is very much not privacy or security related. As you know, Mr. Graham Cluley, I've been studying music theory and guitar for the last few years.
SCOTT HELMEE
You can play the guitar? I'm so jealous.
CAROLE THERIAULT
Yeah, not great yet. I wish, I wish. I'm getting better every day.
SCOTT HELMEE
Carole, will you do our outro?
CAROLE THERIAULT
Not today. No, I'm going to work on it. I will work on it though. I need to get an electric guitar. I'm holding myself off until I can actually play beautifully.
Anyway, because I've been learning, I've been doing a lot of online study, and I have a few YouTube channels I wanted to shout out in case anyone wants to learn some music theory or some guitar.
So 3 sites. Number 1, PNG Piano. This is great at reviewing chords, intervals, scales, and more. And it's a 2.5-hour intro on piano. And it's a great way to learn music theory.
It's the best instrument because of its layout. And then the next one is Move Forward Guitar. Now this is pretty comprehensive.
And if you can stand the guy's voice, you're in for a treat. But I know, and I feel bad, but it did grate on me.
GRAHAM CLULEY
It's a very great review. I've got to check this one out. Hi, I'm Chad with Move Forward Guitar. This lesson is from our core Beginner Course 1.
This course will take you from an absolute beginner to a budding guitarist with a solid foundation.
By the end of this course, you'll have all the tools you need to start learning songs. Yeah, you've got to be pretty dedicated to learning the guitar to put up with that.
I watched every single one.
CAROLE THERIAULT
Did you really? Yep.
GRAHAM CLULEY
Well, it sounds like fantastic content.
CAROLE THERIAULT
It's great. It's great. It's a great free way to just dip your toe into the world of music. So I did it in little chunks, but there's a lot of really good information in here.
And the third one is called FretJam. This is my favorite resource. Not as introductory, but really well-presented, explained, useful resource.
Really good about modes, chord changes, and everything. Really nice site. So there you go. FretJam, Move Forward Guitar, and PNG Piano. All the links are in the show notes.
GRAHAM CLULEY
Marvelous. Well, Carole, we look forward to you playing the theme tune for us in some future episode. I cannot wait. I'll be there on the kazoo. Scott, do you play anything?
SCOTT HELMEE
I don't, and that's why I'm always incredibly jealous of people that can play instruments.
CAROLE THERIAULT
Just go buy a tiny keyboard and go get started. Just do it.
SCOTT HELMEE
I would. It's time. I have so many little projects and things, and I— Cloudflare, WordPress, code, I break websites, I break cars.
GRAHAM CLULEY
Carole bought me some bagpipes once. They were great fun.
SCOTT HELMEE
What, really? Yes.
GRAHAM CLULEY
Like full-on massive, big, like not worth anything?
GRAHAM CLULEY
Yeah, they were wonderful until they mysteriously got punctured by my wife in the loft. I'm not quite sure why that happened exactly.
Anyway, that just about wraps it up for this week. You can follow us on Twitter @smashinsecurity, without a G. Twitter wouldn't let us have a G.
On Facebook, we're in the Smashing Security Podcast Facebook group if you are still on Facebook after listening to this episode.
Or you can go and get stickers and t-shirts and mugs and things like that at smashingsecurity.com/store.
Before we go, we need to say, Scott, where's the best place for people to follow you or find out about you online?
SCOTT HELMEE
Probably my Twitter account, @Scott_Helme.
GRAHAM CLULEY
Terrific. Thank you, everybody. Thank you, Scott, for joining us. Thank you for tuning in. If you like the show, rate us on Apple Podcasts. It really does help new listeners.
CAROLE THERIAULT
Yes, thanks to everyone who did last week. Really amazing, the outflow of love.
GRAHAM CLULEY
I know, wasn't it? Wasn't it great? We mentioned a couple of bad reviews and we got some really nice ones in return to rebalance things.
So go to our site to check out past episodes and for details how to get in touch with us. Until next time, cheerio, bye-bye, bye-bye, bye guys!
CAROLE THERIAULT
Smelly cat, smelly cat, what are they feeding you?
GRAHAM CLULEY
Smelly cat, smelly cat, it's not your fault.