
040: The show that cost Troy Hunt 14 dollars

August 30, 2017
Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault

Hey, Graham.

Graham Cluley

Hi, Carole.

Carole Theriault

I have something to tell you.

Graham Cluley

Oh, goody, goody, goody.

Carole Theriault

I was talking to a work contact named Melanie about a week or so ago, and she was telling me how she likes Smashing Security and she listens to the podcast. Yeah, isn't that great? And she also said to me that one of the episodes she listened to was sponsored by Recorded Future. And Recorded Future produce a daily threat intelligence newsletter that she decided to sign up to.

Graham Cluley

Great.

Carole Theriault

And she says the newsletter is absolutely great. She works in media, so she wants to know all the security things that are going on, and she says it's an amazing newsletter and she loves it. So isn't that cool?

Graham Cluley

It is fantastic.

Carole Theriault

She loves our show and she loves our sponsor.

Graham Cluley

And if people want to sign up for this newsletter, they just have to go to recordedfuture.com/intel.

Carole Theriault

That's right.

Graham Cluley

And thanks to Recorded Future for supporting this show today.

Carole Theriault

On with the show.

Unknown

Smashing Security. Smashing Security, Episode 40: The Show That Cost Troy Hunt $14. With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Episode 40 of Smashing Security for the 31st of August, 2017. I'm Graham Cluley, and I'm joined as always by my good chum and co-host, Carole Theriault. Hello, Carole, how are you doing?

Carole Theriault

You always say my name so weird. It's like you haven't known me for 20 years.

Graham Cluley

It is a very, very weird name. Carole Theriault.

Carole Theriault

Carole Theriault. I bet our guest could do it better.

Graham Cluley

Well, yes, we've got a special guest from far, far flung over the seas from— it's a horrendous place where he lives, let me tell you. I've been following him on Twitter. He's almost an Instagram celebrity.

Troy Hunt

Jeez.

Graham Cluley

With the number of pictures he shows of his wonderful sun-kissed life all the way from the Gold Coast in America. No, America? No, not America.

Troy Hunt

Jeez.

Graham Cluley

I'm so sorry.

Troy Hunt

Are you going there already?

Carole Theriault

I cannot believe he just did that.

Graham Cluley

All the way from Australia, it's Mr. Troy Hunt. Hello, Troy.

Troy Hunt

How are you? G'day, guys. And look, I say Carole in a strange way because I say everything with an accent anyway. So, you know, here we are.

Carole Theriault

You say it much, much better than Graham does.

Graham Cluley

Now, Troy, I'm sure most of the people listening to the podcast know who you are and may well have signed up for some of your services. But just briefly describe who you are, what you do, and what are you doing here on our podcast anyway?

Troy Hunt

Based on your description, I basically just hang around on the beach, take photos of my legs while I'm laying on my jet ski, and tweet them at the world, particularly English people where it's cold and wet. But in between doing that, gee, what do I do now? So I do a lot of traveling and speaking at events on security things. I do a lot of training. I do a lot of workshops for companies. I do a lot of online training. And I run this little thing called Have I Been Pwned as well.

Carole Theriault

Yeah, we know. We've mentioned Have I Been Pwned maybe a dozen times in this podcast so far.

Troy Hunt

Awesome. Yeah.

Carole Theriault

We're big fans.

Graham Cluley

So, I mean, Have I Been Pwned is a great service for people to sign up for, enter their email address, and they can get informed when their details are included in one of these horrendous data breaches.

Troy Hunt

Yeah, hey, that's good. I needed to hear some positive vibes at the moment because it's been one of those days, but I'm sure we will get to that.

Graham Cluley

We'll get to that later on. So what we do each week in the podcast is we look at some of the stories which have happened over the last week and give our opinions. I'm going to kick off and now guys, I don't know if you— well, Carole, you were here for last week's episode. Troy, I think you may have heard last week's episode with Scott Helme. I ran a very, very popular and successful quiz last week on the show. And when I say it was popular, I had one person who replied positively.

Carole Theriault

You have to bring it up every episode.

Graham Cluley

What? I liked the quiz. Well, look, I think it's time for us to do another quiz. Not acronyms this time. It's a game of true or false? I'm going to give you a statement by a politician and you're going to tell me if it's the truth or a lie.

Carole Theriault

I think I could say right now it's probably false.

Graham Cluley

Exactly.

Carole Theriault

Okay, go.

Graham Cluley

All right. So I'm very excited. Yeah. All right. So I'm going to start off here. I'm going to do some impressions because I'm quite good at those. I'm going to do some accents, right? I want to say one thing to the American people. I want you to listen to me. I'm going to say this again. I did not have sexual relations with that woman, Miss Lewinsky.

Carole Theriault

You know, that's not bad.

Troy Hunt

What have I said?

Graham Cluley

Yes, Sue, I was impressed by that. That was quite good, wasn't it? Hard to believe I can do Richard Nixon that way. Can you believe that was almost 20 years ago?

Troy Hunt

Yeah, it was '97, wasn't it?

Graham Cluley

It was around about then.

Troy Hunt

Yeah, I think it must have been '97, maybe '98. '97.

Graham Cluley

Yeah. So was that the truth or was it a lie? Did he have sexual relations with that woman? What's your opinion?

Troy Hunt

So the answer came down to how you define sexual relations, from memory. And I don't know if it's the kind of show where we're going to do that. But it is late here and I've had a bad day. So yeah, why not?

Graham Cluley

I think most people would say he got a little bit saucy with her, right? A bit more than saucy, maybe. Okay. So I would say that shall we say truth or a lie that he said?

Troy Hunt

True. True.

Graham Cluley

What? He did not have sexual relations.

Troy Hunt

I think he did. So I am saying that it is true that he did, which would be the inverse to what he said. So no, false. Is this how the game works?

Graham Cluley

He should have hired you as a legal team. That's very impressive. Okay, well, I think it's probably a bit of a fib. So it was a fib. Okay, here's another one.

Carole Theriault

Okay.

Graham Cluley

Read my lips. No more taxes.

Carole Theriault

Okay.

Graham Cluley

It's Republican presidential candidate George H.W. Bush in 1988. In case you weren't sure.

Troy Hunt

I thought it was Nixon.

Carole Theriault

I thought it was going to be Nixon.

Troy Hunt

Yeah, I was going for Nixon.

Graham Cluley

There'll be no more whitewash at the White House. I can do them all. I can do them all. Okay. So was that true or was it false? That no more taxes.

Carole Theriault

It was false, Graham.

Graham Cluley

You're absolutely right, it was a fib. And finally, you're wondering what this game is all for. I'm sure you're thinking that, Carole. Why are we doing this?

Carole Theriault

I'm thinking we have to find a way to edit it out. That's what I'm thinking. Keep going, you're doing great.

Graham Cluley

So finally, we are going to come to the curious case of Trump appointee William C. Bradford. He's an American lawyer who was recently appointed by Donald Trump to run the Energy Department's Office of Indian Energy.

Troy Hunt

Has he been fired yet?

Graham Cluley

No, hasn't been fired yet. So he's, by all standards, he's doing quite well.

Troy Hunt

How about now?

Graham Cluley

Well, as the Washington Post discovered, before entering public office, Bradford's Twitter account was prone to making some rather eyebrow-raising declarations about previous US President Barack Obama, describing him as a Kenyan, describing him as a cream puff, whatever that is. I have no idea what that is, and calling Mark Zuckerberg— and apologies for this, I am quoting— an arrogant, self-hating Jew.

Carole Theriault

Oh, yes, which on Twitter.

Graham Cluley

Yes, which was curious for William Bradford to say because he is Jewish himself. But anyway, that's what was going on. Now, he admitted sending some tweets saying Barack Obama's mum was a fourth-rate porn star and whore.

Carole Theriault

Sorry, this is the American lawyer who's been recently appointed by Donald Trump to run the Energy Department's Office of Indian Energy.

Graham Cluley

Yeah, that's right. Yeah, yeah, yeah.

Carole Theriault

Good.

Graham Cluley

So he admitted that when the Washington Post said, hey, we've been looking at your tweets. I mean, it's pretty offensive to call someone a fourth-rate porn star, isn't it? Especially if it's someone's mum, although not as bad as a fifth-rate. What he's saying now, right, is this. He's making a statement which says that it wasn't him who left similarly veined and similarly styled messages via the Disqus commenting system, as dug out by CNN. No, no, no, he says, although he admits to the tweets, those comments weren't from him at all because, and here's the quote, right? Here's the next round of the game, final round of the game. Here's his quote. I don't know what he sounds like, so I'll just do a standard American accent at this point.

Carole Theriault

Thrilling.

Graham Cluley

I can't comment on an ongoing federal investigation into multiple cyber attacks and internet crimes committed against me. Over the past several years, which include email intrusions, hacking, and imposters in social media. In other words, he's saying that hackers took over his Disqus account and are leaving all these offensive comments on blogs and things, but he can't go into more details because the feds are investigating it. My question for you two, is he telling the truth or telling a fib?

Troy Hunt

That is, that is so dog ate my homework all over.

Carole Theriault

Yeah, but I love how it's, I cannot comment because there's a, you know, federal investigation of multiple cyberattacks and internet crimes committed against me, PR bows wrapped all around it.

Graham Cluley

I'll leave it to the listener to decide whether he's telling the truth or not, right? You know, it does seem a little bit of an odd coincidence considering the tweets which he has admitted to. Really?

Carole Theriault

You think so?

Graham Cluley

But, you know, I just think the gall of people. We've seen over the years, for instance, I know there's been a number of rappers and things, you know, sort of celebrity rappers who sometimes have said really offensive stuff on social media. And then their get out of jail free card is always to say, "Oh, my account was compromised. I was hacked." Didn't—

Carole Theriault

Who was the guy in New York? Weiner. Weiner. Didn't he say the first time that it was hackers that did it? Oh, bless him, old Weiner. Yeah, I think maybe he did, or it wasn't his underpants or something like that. Someone else may have gained control of his phone.

Troy Hunt

Yeah.

Carole Theriault

Okay. But he's not just being dumb.

Troy Hunt

You know, the thing with that too is that we have got such a digital footprint everywhere with everything we do, right? I mean, look, everyone listening to this knows this sort of stuff is— these are solvable mysteries, right. So it's the sort of thing where if you want to go and sort of spin a yarn on this, you want to be pretty sure no one's actually going to look into it, or else the whole thing is going to come apart pretty quickly, right?

Graham Cluley

Because Google will somewhere have cached this stuff, or someone will have a copy, or, you know, the pieces will be able to be put together so you can work out where they've originated from.

Carole Theriault

I can kind of think though that he probably didn't think anyone would look into it.

Graham Cluley

These sort of things keep on happening. I think if you're going into public office, particularly if you've already been outed for something else, maybe do your best to clean up the rest of your online activity, or if you can't do that, just put your hands up when you're accused and say, yeah, I used to say those things several years ago. I've grown up now.

Carole Theriault

Yeah, everyone will say that's okay, no problem.

Graham Cluley

Well, maybe they won't, but a cover-up is always worse, and lying is always worse, isn't it? And claiming that the feds are investigating cyber attacks against you.

Carole Theriault

Hey, look, I just think it's gross that some guy who's tweeted this stuff has actually been appointed to a responsible job.

Graham Cluley

Wow. We're going to get more complaints, aren't we? It's not just him though. I mean, there are others as well. Sometimes there is a genuine hack or compromise of a social media account. We saw this last week, Selena Gomez, who used to be dating Justin Bieber, her Instagram account got hacked. She has 125 million followers on Instagram. How are you comparing with that, Troy?

Troy Hunt

You know, okay, this is like my little security mind, right? That every time I hear about people with massive followings like this, that the first thing that comes to my mind is that this would be the most awesome sort of organic DDoS engine in the world. It's like, I don't like someone, I'm just going to tweet something, you know, or Instagram it or whatever they do. And it's like, boom, that's it, you're gone, you're offline. You know, you've got to have some serious defenses.

Graham Cluley

Yeah.

Troy Hunt

And it would be awesome because it's distributed to all these legitimate people in the world. But I think you'd need some pretty serious scale for that. But I reckon 120+ million followers might do it.

Graham Cluley

But I certainly remember Stephen Fry, who's a bit of a national treasure here in the United Kingdom. He was a major Twitter user in Twitter's early days and had a big following. And he actually used to contact companies before he tweeted their website because he knew the power of his audience could bring down sites, which obviously wasn't his intention. So it can be a problem. Gomez, her Instagram got hacked. Chances are, I think, that she didn't have two-factor authentication enabled. Instagram does offer it. You should turn it on. Unfortunately, Instagram only offers two-factor authentication via SMS message. It'd be nice if they got a little bit more modern about that because some have concerns about that method of authentication. But I think the other message is, you know, aside from everyone should turn on 2FA or two-step verification, when you say something unpleasant online, when something bad happens, in this case, Justin Bieber's— I believe in Australia you call them ankle spankers. Anyway, a part of his anatomy was exposed.

Troy Hunt

I don't know what it is, but no, we don't.

Graham Cluley

Anyway, you know, so, you know, make sure you're acting clean online. Keep yourself secure so that you can't be exploited. I would love one of these celebrities one day when they get hacked, not just to go, oh yeah, I got hacked, but actually talk to their 125 million followers and say, don't make the mistake I made. Turn these features on to protect your accounts.

Troy Hunt

And, you know, this is what it boils down to, because regardless of what name you want to put on it, and I understand the desire to put the word hacked on it because it sort of shifts blame. You did something stupid. Like, that is what it boils down to. And it's probably the same stupid thing that 90% plus of people do, which is it's a crap password and you used it on LinkedIn, and then that got hacked, and then it was SHA-1 and it got cracked. And, you know, here we are. It's always the same story over and over again. And I honestly can't remember a time where it was legitimately, 'Well, yeah, Twitter did actually have some funky 0-day and someone broke into someone's account.' It's always someone doing something stupid.

Carole Theriault

The thing is though, with this one though, is, well, he's admitted to the tweets, right? And the Disqus, or Disqus, however you want to say it, comments are in a similar vein. So basically he's already eating poo for his comments he's already done.

Graham Cluley

Right? Is that a common metaphor?

Carole Theriault

I thought it was more polite than the other word I could have used.

Graham Cluley

Troy, what have you got for us this week? I've got a feeling I might know what you want to talk to us about.

Troy Hunt

Well, it's kind of worked out well because we agreed to do this chat what was a week ago or something like that, and I don't know what we're going to talk about. But as luck would have it, things eventuated such that I came across 711 million email addresses which are now and have ever been pwned.

Carole Theriault

711 million. Yeah.

Troy Hunt

And, you know, I put the numbers in a blog post I wrote today about this, but I think off the top of my head it took something like 2.5 years and 110 data breaches to reach the first 715 million— or 711 million, rather— accounts in the system. And now it's like, yeah, here's just one whack, 711 million. So I have spent the last, basically the last 48 hours firstly consuming a great deal of Azure's capacity trying to load all this data. Next I'll be explaining to my wife why we have suddenly spent a lot of money to a company based in Redmond. And then I've— I made this data live. I'm at sort of 10:20 PM or something now, so I made it live about 15 hours ago. And I've— I'm up to about 200 comments on the blog post, and the floods of tweets and emails, and I've been doing media and stuff today as well. So it's just been an absolute write-off of a day, on a day where I was actually meant to write a talk. So I'm not quite sure how that one will work out, but—

Graham Cluley

Crikey. So Troy, this— we appreciate you staying up late and taking the time to speak to us today, but this data you have, these 711 million email records, where did they come from? How were they being abused? And what should people do if they are one of those 711 million?

Troy Hunt

It— look, it's actually kind of interesting. And one of the things that always happens after I load data of sort of— I was going to say ill repute, but you know, where it's sort of from odd kind of sources— after I load it and people start finding their data on Have I Been Pwned, I start to learn a bunch of interesting things. But the background in terms of how it turned up is a French malware reverse engineer bloke who does a lot of looking into how some spambots run had found an open folder share as part of— I think it was actually part of his reverse engineering of one of the pieces of malware. He had ended up pointing to an IP address, found a folder share on there, and found 180+ files that totaled, I think, about 35GB worth of data.

Graham Cluley

Oh wow.

Troy Hunt

And in that data was just a real mix of stuff. So we had massive lists just of email addresses. So one was a 14GB list just of email addresses. Yeah, I know. Yes, you can actually have a 14-gigabyte text file. Don't try and open that in Notepad, everyone listening.

Graham Cluley

Edlin would be fine.

Troy Hunt

Yes, there are other ways to do this. So, you know, there was that. There were a bunch of files that had username and password pairs. But all of this seemed to be— well, a lot of it seemed to be sort of unrelated to each other, other than it was all in this sort of realm of credentials. So the usernames and passwords were kind of interesting because one of these files reconciled verbatim with LinkedIn, the LinkedIn data breach. So every time I put in an email address to Have I Been Pwned, it was like, yep, LinkedIn, LinkedIn. Another one reconciled with one of the big combo lists I loaded. So these were lists of email address password pairs. So sort of the origin, if you like, was clear there. But then just a bunch of random junk as well. I mean, there are a bunch of files in there, or one file with a bunch of rows that indicated it was from the Roads and Maritime Services Department in one of our local states here, and it related to the e-toll, which is the little tag you put on your windscreen when you drive through the tolls.

Graham Cluley

Huh.

Troy Hunt

Yeah, it's just kind of bizarre stuff. So anyway, we've found all this data, and the guy who found it has explained that this is used by an online spam bot called Onliner Spam Bot, which is kind of interesting. And he said what's actually happening here is it's a combination of some of these files have credentials as well as SMTP addresses of the mail servers that these accounts would use and the SMTP port it was using. There's a few different ports that SMTP typically uses, and the spam bot is using these because it will then connect to those SMTP servers under the identity in these files because it's hard to find open SMTP relays these days to send spam. So part of the value proposition of the data was here is a mechanism for us to send spam, and then of course, the masses and masses of email addresses and just email addresses in files.

Graham Cluley

Yeah.

Troy Hunt

Well, you know, every time you get Viagra spam, it's stuff like this. That's kind of interesting - they were just being used to send mail to. And then as I loaded this and I started getting feedback, some really interesting trends popped up. So one of the features on Have I Been Pwned is you can do a domain search and you could just prove that you own the domain via getting an email to the WHOIS record or adding a TXT entry to DNS or something. And you do a search and people were saying basically 70% plus of the aliases on my domain in this quote-unquote breach were fake, you know, that they're not real. And it looks like there's a bunch of junk in there as well as a bunch of fabricated addresses. And one person actually said to me, he said, I have a catch-all on this domain, so I get everything that goes to @whatever. And I found that a bunch of those aliases that were in this spam bot list had actually been getting spam. And this sort of asked the question to him, you know, what on earth is going on? Where's this coming from? And that was just the beginning. And then the day just unfolded as people came up with everything from really interesting insights to abuse. That was fun.

Troy Hunt

Have I Been Pwned? Don't go to Have I Got Pwned because I don't know what's there. And I have searched for things on the internet that have led me to places I didn't expect to end up.

Carole Theriault

So I think that's happened to everybody.

Carole Theriault

Yeah, so these are all the kind of hoaxes, right, that don't seem to cause much damage to individuals. But there is a much bigger concern here. And that's things like insurance and charity scams. So basically, fake disaster relief campaigns. And US-CERT has just issued a statement this week warning people to remain vigilant of criminal activity capitalizing on the interest in Hurricane Harvey. So according to CNET, we have seen a few phishing emails relating to Hurricane Harvey. And this is how they're working. So they are citing legitimate fundraisers, right, like the Greater Houston Community Foundation and the Hurricane Harvey Recovery Fund, but the actual links go to bogus or fake sites.

Troy Hunt

And you know, it's the same thing that you get every day. I mean, I get the iTunes one, you know, you just bought this on iTunes or whatever and you want to dispute it. And you're right, it is social engineering because you sort of have that moment of dread where you go, what have the kids done now? You know, let's go and figure this out. And of course, they leverage off the combination of the inquisitiveness that we have when these incidents happen, whether it's a natural disaster or a celebrity dies or something. And they sort of combine these factors together in a very cunning way.

Carole Theriault

And the thing that really irks me about all this is, of course, it's going to make people shy to give in these situations because they don't want to get themselves into a pickle.

Graham Cluley

Right.

Troy Hunt

Wow.

Carole Theriault

I'm still shocked at how huge it is. This is one of the biggest ever.

Troy Hunt

Well, it's the biggest I've ever loaded into Have I Been Pwned. The largest before that was only 500 million something records.

Graham Cluley

You know, he could fool anyone. Dared to do any— I mean, although it's cool Australian accents in this episode.

Carole Theriault

So that's tiny. I know.

Troy Hunt

So this takes me to 4.7 billion-something records, which is kind of crazy. I think what it would have to do is it'd have to—

Graham Cluley

Technology, this is actually useful technology as well.

Carole Theriault

Do you think it's kind of interesting that you're seeing overlap in the different lists that you've loaded up so that, you know, I don't know, I'm wondering if that's starting to happen, that maybe you may have come to almost to an end maybe of how many addresses so far have been used in this way. You don't think they got to their goal?

Troy Hunt

Well, the funny thing is that there'll never really be an end because obviously there's a lot of new addresses that get registered. There's new domains that get stood up. And as I said, a bunch of these were fabricated as well. And you can - geez, you can make up as many fake email addresses as you like. But to your point about the flow, the flow is really interesting, you know, how data goes from one breach to another list somewhere, and then it gets abused somewhere else, and then gets passed downstream. And one of the comments I made in the blog post I pushed out with this today was that most people have got no idea how far their data gets spread and reused. And it's just mind-boggling. Broadcast it to the surfers.

Carole Theriault

Yeah, that's a cheery story. Thanks. So you've had a really, you've had a really crappy few days, or has it been really challenging in a good way, or you're just now, you're just dead?

Troy Hunt

It's been mostly good. I think the thing that sort of started to get to me a bit today is I made a judgment call when I started this service almost 4 years ago that I wasn't going to have passwords in the system. So, you know, if you're in, say, the LinkedIn data breach, you can't go to Have I Been Pwned and find your LinkedIn password. And there's many reasons for that that include technical reasons. So for example, a lot of passwords are, say, bcrypt hashes. Nothing you can do with the bcrypt hash other than give the hash to people, which will make absolutely no sense to 99-point-something percent of people that use the service. Because this thing is so mainstream these days, imagine saying to a non-techie person, hey, here's your bcrypt hash from Ashley Madison, just so you know what your password was. Yeah, good luck with that. And the other side of it is that no matter how much we sugarcoat it, this is all data that someone has illegally obtained out of various systems, often using means which will land them in prison for a long time if they get caught. Yeah, the legitimacy of actually having it and making it available in this fashion is questionable without a doubt, and I am doing everything I can to try and run the thing ethically. And, and to be honest, I was going to say keep my head down a little bit, but it's a little bit hard when it's this well known now. But I guess not do things that would raise the ire of either individuals or organizations. And we have seen cases in the past where the likes of LinkedIn has issued— this is— it's just getting late. LinkedIn issued a takedown to one of these really dodgy services that popped up called LeakedSource because these guys were making passwords available. And, you know, to me, this was sort of one of the indicators of once you have passwords as well, you're sort of stepping into another realm. And no matter how well I try and protect them, just the fact that I would have those passwords in the system and they were retrievable, just— it just is way, way too much risk for my comfort level.

Graham Cluley

It's scary, isn't it? I mean, it would be hard to sleep at night knowing that you've stored that much data and potentially, even if you've gone to great efforts to encrypt and keep it securely, that someone might have found a vulnerability or some way in order to get some of it to spill out.

Carole Theriault

I mean, yes, it was when I turned 40.

Troy Hunt

Exactly. And I think the security people get that because we sort of have this, you know, data minimization mindset, can't lose what you don't have, yada, yada, yada. And then you get your great unwashed out there, apologies to the great unwashed, and they're sort of going, "Well, why don't you just email me the password?" "Oh no, I can't. Do I have to explain it?" Yeah.

Carole Theriault

I'll tell you.

Graham Cluley

Well, folks can find out much more about this on your blog.

Carole Theriault

Life begins at 40.

Graham Cluley

We'll include a link to that in the show notes so people can discover some more.

Carole Theriault

So anyway, happy birthday to us.

Graham Cluley

And we'll also include a link to Have I Been Pwned as well, because it really is a fantastic service. I think everyone— Maybe we better go and register that domain right now.

Carole Theriault

Maybe Graham already has registered it. But seriously, fantastic service which you offer people there. And folks really should sign up because, I mean, I got my warning because I've registered my domain with you and it told me about a number of email addresses which apparently are included in this spam bot dump, including ones which aren't really addresses. You know, it was interesting to me as well that some of those popped up in the list. I was in the list from LinkedIn, I remember.

Troy Hunt

Yeah, there is a billion record dump out there somewhere, allegedly from Yahoo. Remember them? So this was late last year, they said, hey, we had half a billion accounts exposed, and it was very embarrassing. And then they came back a few weeks later and they said, 'Oh, if anything happened—' Well, they didn't say 'if anything,' but they came back and they said, 'We've just realized there was also another one and it was a billion.'

Graham Cluley

Yes! Carole, what's your topic for this week?

Carole Theriault

You guys, of course, have been following the devastation in Texas resulting from furious Hurricane Harvey? Yeah, it's apparently the worst hurricane that's hit the state in 50 years. And today I just read that 13,000 people in the Houston area and surrounding areas have been rescued from the tropical storm, and there's been at least 18 deaths. And one of the big problems is people don't want to leave their houses. They don't leave their stuff. They don't leave their lost pets. Right. And it's just horrible. But with crazy situations and weather like this, crazy things happen. And you might have heard about the planes that were flooded at Houston Airport thanks to the tropical storm. You may have heard about a shark that was found swimming along the flooded highway, as reported by Fox News.

Graham Cluley

It sounds like Sharknado.

Troy Hunt

It sounds like a normal day at home.

Graham Cluley

So we've got an Australian on the line.

Carole Theriault

I forgot. Yeah. Do you sit there going, why are you guys all excited about a shark?

Troy Hunt

We've got a shark. What's the issue? Get on with it. So these things are making the rounds, and it turns out both these stories are hoaxes, designed to dupe us into sharing the story, whether we be a journalist or a Fox News reporter or users of social media. So the drowning planes picture was a 2013 mock-up created by Climate Central to show the effects of climate change.

Graham Cluley

Oh yeah. Oh yeah. Criticize them for that, Carole, that they can't tell the difference. So all the people who are real airport nerds, it's, I think you'll find that's actually LaGuardia. Come on, Carole. Yes.

Carole Theriault

They should have jumped in much earlier.

Graham Cluley

You can't tell one airport from another? Well, if you can't— No, I mean, maybe from where you go in, the arrivals hall or whatever, but you can't tell when it's just a runway with some planes on it. I think you've been a bit harsh. Have you seen the picture? Yes, I have. What was the skyline? I can't remember.

Carole Theriault

New York!

Graham Cluley

Well, I wasn't looking at the skyline, was I? I was looking at the planes which were flooded. The shark shot was a doctored photo from Africa Geographic from 2005. It was actually a shark trailing a kayaker in the water. Not in Houston, that's the point, right? Not in Houston, no. The shark was overseas.

Carole Theriault

Just for Troy, there aren't very many sharks in Houston, just so you know. Gotcha. The question I've got really is, is there a problem with these hoaxes? Some people would argue that because of these hoaxes, the disaster is staying in the press and it gives journos new angles to talk about the problem and the disaster.

Troy Hunt

I think that there's just this bigger issue which has obviously popped up, particularly in the last year, about the whole sort of fake news thing, where you've just no longer got any idea what's legit and what's not. And it's not just the politics side of things. I'm seeing it the whole time even in the security side of things, where people will sort of say, hey, this incident happened, or this security thing happened, and it's like, well, it sounds stupid, but there's a lot of real stuff that happens that's actually pretty stupid too. And I don't know what's legit anymore or not. And it's— in fact, I've read something about this only last week, because this is it. I've certainly seen things and shared things that seemed perfectly feasible, and then, you know, here we are.

Graham Cluley

I think that's one of the challenges, isn't it, is because it's so easy to share stuff. It's just a click or a retweet or sharing it to your Facebook friends. You know, you've found it interesting. You may not even have clicked on the link yourself. You just thought, oh, I should tell my mates about that. And you kind of pass the buck onto them to find out whether it's true or not and to be skeptical. But you've given it some kind of endorsement by sharing it.

Carole Theriault

Yeah. And sometimes people don't even read what they're sharing. No. Right? So they just share it because the title looks good and they think, great. I mean, Journalism 101 was always, you know, have two independent sources verify a fact, right? And today, that's quite difficult, because if everyone's repurposing news and not necessarily crediting a source, you can— it's easy to kind of think you've done your research and you've got something that's valid. In fact, you're just spewing garbage.

Graham Cluley

Okay, so we've got fake sharks, flying planes at LaGuardia Airport at the moment, Carole. Oh, I see. Right. So the site— And of course, there you're on that site and you think it's made to look like the Greater Houston Community Foundation. You put your donation in and say goodbye money. And of course, your Facebook friends may be sharing dodgy links unwittingly, completely innocently. They've got a good heart and all the rest of it because they're touched just like the rest of us as to what is happening out in Texas. And because you've seen them do that, you think, oh, well, I'll donate as well and I'll click on that link that Fred has just shared with me.

Carole Theriault

Exactly. Because it gives it legitimacy that your friend that you trust and respect maybe sent it. Now, all this isn't new. We saw this, for example, in — was it 2010 Hurricane Sandy? 2012? This is awful, I don't remember. But there was an email that came from redcross.net. This is just to give you an example of another way that these work. So the email would read, "Thank you for your donation to Hurricane Sandy relief." You haven't really done a donation. You never — you just received this unsolicited email. "We appreciate your donation," the letter continues, "of $435. The credit card on file has been charged. If you did not authorize this donation, please go to enter fake website URL to unauthorize the charge." Sounds legit. So a little reverse psychology going on.

Graham Cluley

Yeah. The social engineering, you know, whenever you think you've been hit in the pocket, you disengage your brain, don't you? And you just think that's outrageous. How can they have debited my credit card for that much money?

Graham Cluley

And also money which maybe they would have given to a legitimate charity has ended up with the scammers instead. So, I mean, you know, the victims really suffer here, don't they? So what can people do about this?

Carole Theriault

Don't not give because of these scams. Victims of Hurricane Harvey need all the help they can get, but you have to be smart about this. So I would recommend don't follow unsolicited web links and email messages that you haven't requested. Don't click on ads in order to give money away. And go to the National Charity Report Index and check with the FTC information on wise giving in the wake of Hurricane Harvey. So these two links will be in the show notes.

Graham Cluley

Okay, good piece of advice there. So folks, please be careful. Do give to the people who need it, but go through trusted charitable sites in order to do it. And be wary, even if your friend is sharing a link, it may be that they've got some bad information. I saw one scam being passed around where people were being told if they found themselves in an emergency situation to ring an emergency number and they gave a number and apparently it was the number, so I'm told at least, of an insurance company rather than —

Carole Theriault

Yeah, that was BuzzFeed, wasn't it? That was BuzzFeed, I think. And yeah, I don't know if it's been verified or validated. But yeah, those things have happened before, and I'm sure we will see them if it hasn't already happened.

Graham Cluley

Okay, well, thank you very much, Carole Theriault. And I think it's time to find out who our sponsors are this week.

Carole Theriault

This episode of Smashing Security is brought to you in part by Recorded Future. Recorded Future is the real-time threat intelligence company whose patented machine learning technology continuously analyzes technical, open, and dark web sources to give organizations unmatched insight into emerging threats. Sign up for free daily threat intelligence updates at recordedfuture.com/intel.

Graham Cluley

Welcome back to the show, and it's the section of the show that we like to call Pick of the Week. Troy? Pick of the Week. Troy, please join in the fun.

Troy Hunt

You might have fallen asleep. I'm here.

Graham Cluley

No, I'm still here. No, Troy, sorry, you have to say pick of the week.

Troy Hunt

Oh yeah, pick of the week. Troy is so— that was— you can edit that out later on, don't worry. You know, there was that thing the other day which was showing how you— I don't know if you guys saw this— where it can take someone's voice, you can listen to a few words that they say and then reconstruct sentences. So, you know, you'll— you'll— I don't know if it speaks Australian, but you'll work it out. Well, Graham can just—

Carole Theriault

Graham can just mimic you already.

Troy Hunt

It always comes out sounding like a South African if you do it.

Graham Cluley

I'd love to hear Troy do an English one sometime though.

Troy Hunt

Maybe like Matthew Van Dyke. Yeah. Yeah. All right. So, but no, he's not going to do that. So this is where we choose a funny story, a book we've read, a TV show, a movie, record, app, whatever, podcast, something like that. Not necessarily security related. Something cool, which is our pick of the week.

Carole Theriault

Can I ask you a question? Did you not have a Pick of the Week, and then you just looked down on your desk and you saw the magazine lying there?

Graham Cluley

No, I've been thinking of talking about The Phoenix for weeks. For weeks. I love it, Carole. Yes, it's absolutely tremendous. Maybe I should get you a copy, a subscription for your birthday or something like that.

Carole Theriault

Do you like it more than your son? What kind of question is that? No, do you like The Phoenix magazine more than your son likes The Phoenix magazine?

Graham Cluley

If I answer that question, where's it going to stop? You're just going to go through a whole range of things and say, okay, so you prefer your son to the comic. What about your car? What about your house, Graham? What about your pension, Graham? Well, I mean, eventually, right? It's going to become— what about your wife, Graham? Do you prefer your son or your wife? Right? That sort of question.

Carole Theriault

Troy, do you have a Pick of the Week?

Graham Cluley

That's going to get me in trouble.

Troy Hunt

Yes, Troy, what's your Pick of the Week? I have an epic one. And this is— I didn't know Carole was going to talk about the shark thing, but this ties in very well to this. Now I've put a little link in our document here, and this only goes for 30 seconds, so you guys can watch this while I'm talking about it. It is called a Little Ripper Lifesaver drone that can spot sharks. Now this is pretty awesome. This was in the news, probably the news all the way around the world, certainly the news here just last week. And it is a drone that they fly over the beaches, and it has— it's OCR for sharks, right? Or it's— well, it's not even OCR, it's facial recognition for— I'm watching it right now. So, you'll see it's going dolphin, dolphin, fish, shark. Yes. You know, so it's flying above the ocean and it's just that it— you could just see these blobs, right? But it knows what is a shark and what is a dolphin. Well, there's a whale. And the cool thing about it is that this obviously feeds back to a bloke who's sitting there, you know, flying the thing around, and you can then sort of go, okay, surfers, it might be time to get out of the water.

Carole Theriault

Oh, I love that. Isn't that cool? I love that. Yeah.

Graham Cluley

So just from the shape of— I mean, it's not identifying individual sharks and saying, "This one's Bernard and here's Harry the shark or Bruce," right? Something like that.

Carole Theriault

But that's that jerk George.

Troy Hunt

It's a big thing with teeth. It might eat you. Get the hell out of the water. That's how it works. But it is. I don't care what his name is.

Carole Theriault

Does it start playing the Jaws theme tune when it spots one? Well, that would be cool. Yeah, they could just do a live feed. They could do a live feed and have a huge system. Yeah, speakers are still very heavy. You're right.

Troy Hunt

The funny thing is, you'll see in part of this video, there's a shot there where there's a couple of sharks and a surfer. Yes, yes, it's shark, shark, surfer. Okay then, that's really cool.

Graham Cluley

Thank you, Troy, for your pick of the week.

Carole Theriault

Pick of the week.

Graham Cluley

Carole, what's your pick of the week?

Carole Theriault

Well, my pick of the week is a site called chirpchange.io. Now, Graham, can you guess, or Troy, but Graham, I'm thinking you, can you guess what that might be? Quite a clever name.

Graham Cluley

Chirp change. So I think maybe it's—

Carole Theriault

This is my game. Okay.

Graham Cluley

Yeah, 'cause you haven't told me about this before. So chirp, I'm thinking it might be a way of making payments via Twitter?

Carole Theriault

Because— Yes. Am I close? Yes, yes, yes. Really? Yes. But it's for a specific, specific cause. Why don't you punch that in?

Graham Cluley

Okay, I'm going to type it in right now and see what— chirpchange.io. Yeah. All right.

Troy Hunt

It would monetize something ridiculous that may happen via Twitter. Oh, look at this.

Graham Cluley

What ridiculous things we see via Twitter? It's very cool. Yeah, this is funny.

Carole Theriault

So basically every time Trump tweets, you, if you've signed up, give a micro donation to a chosen charity from those they've made available. And it can be like 2 cents or 5 cents or 3 cents. And you can also set an upper limit because, you know, we know he loves the Twitter. All right, so you don't want to sit there finding out that you've got 10 grand to owe every month.

Troy Hunt

I like the fact that you're donating single-digit cent amounts. And because you're so worried about how crazy he might go on the Twitter, you have to actually set a threshold.

Carole Theriault

I know. But isn't it kind of great that, you know, that something unexpectedly good can come out of, you know, someone who tweets a lot?

Graham Cluley

That's a very cool, fun idea. Yes.

Carole Theriault

Well, that's my pick of the week. So, chirpchange.io. Because apparently someone else is trying to ban Donald Trump from Twitter. I didn't read into this a lot. Apparently that is—

Graham Cluley

Yes, there was a crazy story. Someone is running some sort of online fundraising campaign. I think they're trying to raise a billion dollars so that they can buy a big enough share of Twitter to get his account deleted. I don't think they've raised very much.

Troy Hunt

Why deprive us of the entertainment? Come on.

Graham Cluley

That's terrific. So chirpchange.io, very amusing. And you can give money to, I don't know, immigrants or women's rights or climate change.

Carole Theriault

Loads of different charities represented. And it's just a really clever way to do it. I think, you know, hats off to them.

Graham Cluley

It's a great sense of humour, isn't it? Well, that's terrific. Thanks very much, Carole. And thank you, Troy, as well for your picks of the week. Well, that just about rounds off the show, I think, for this week. Oh, you know what? Sorry.

Carole Theriault

Yeah. We haven't said something.

Graham Cluley

Oh, have we not? It's our 40th show. Is 40 that big a deal? Happy birthday to us. We'll do it again in 10 episodes' time, I imagine. If you want to wish us a happy 40th you can follow us on Twitter @SmashinSecurity without a G, that's Twitter's fault, not ours. They wouldn't let us put a G in there, too many characters. Or you can follow us on Facebook as well. You can go to smashingsecurity.com/facebook and that'll take you straight to our Facebook group. And we've got swag now. You can buy a t-shirt at smashingsecurity.com/store. All that remains to be done is ask our guest. So Troy, where can folks find you online? What do you want to plug? Where should people go if they want to find out more about you?

Troy Hunt

Well, the easy thing is I'm very active on Twitter. You can find me @TroyHunt on Twitter. You can find me on the web as TroyHunt.com. And of course, you can find HaveIBeenPwned.com as well.

Carole Theriault

Thank you for getting the website address.

Graham Cluley

Yes, well done. At least you know your website address, even if I don't.

Troy Hunt

And just because I knew someone would try and do it, I just registered while we're talking HaveIGotPwned.com. So if you're listening to this thinking you're going to get it, it's too late. You can go there right now and you get redirected. You are brilliant. Thanks for costing me $14 a year, Graham Cluley, I'll send you the bill. Thank you so much, Troy, for joining us late at night for this. I know you've had a really busy time.

Carole Theriault

Smashing, I know, we didn't even talk about net neutrality.

Graham Cluley

Oh no.

EPISODE DESCRIPTION:

Are public figures lying about being hacked? What were online criminals doing with 711 million email addresses? And how could scammers profit from Hurricane Harvey?

All this and more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Troy Hunt.

Follow the show on Twitter at @SmashinSecurity, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Special Guest: Troy Hunt.
