This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley
Newsflash! Newsflash! Smashing Security has made it to the finals of the European Security Blogger Awards! If you can be arsed, please go to smashingsecurity.com/vote and you can vote Smashing Security the best security podcast. Voting closes on the 1st of June, so don't delay or I'll electrocute your eardrums. That's smashingsecurity.com/vote, and now, on with the show. They went to his house and they found a USB thumb drive hidden inside a box of tissues.
Carole Theriault
Are you sure it's a thumb drive that he was smelling? No offense, but he is a teen boy, right?
Geoff White
I wonder what that thumb drive's got on it.
Unknown
Smashing Security, Episode 78: Hounds Hunt Hackers, Too-Human Google AI, and Ethnic Recognition Tech. WTF? With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 78. My name's Graham Cluley.
Carole Theriault
And I'm Carole Theriault.
Graham Cluley
And we're joined again today by returning guest, investigative cybercrime reporter Geoff White. Hello, Geoff, how are you?
Geoff White
I'm good. How are you guys?
Carole Theriault
Well, great. Welcome to the show.
Geoff White
Hello. It's good to be back.
Graham Cluley
Good to have you back as well. Now, I remember last time we had you on, I think it was a while back actually, you were on your way to Edinburgh to perform in your show, The Secret Life of a Mobile Phone. How did it go?
Geoff White
It went really well. And statistically, I can put hand on heart and say it went well because we sold out. We were a sellout hit at the Edinburgh Festival. 95.1% sold, I think, was our figure.
Graham Cluley
Wow.
Geoff White
Really good. Really good.
Graham Cluley
Very impressive, I have to say. Now, I'm wondering if you can give us any tips because we are about to make our first theatrical performance as well. We're not charging.
Carole Theriault
Right.
Geoff White
That's it. That's it. You've conquered the first tip then, which is to do it for free.
Graham Cluley
But there is going to be a series of Smashing Security live shows in June up and down the country. Appearing as part of Chess Cybersecurity Secure Tour in Cambridge, London, Manchester, and Edinburgh. Now, are there any things that you found we shouldn't do? Anything which works?
Carole Theriault
Yeah.
Geoff White
The more hands-on you can make it, the better. The more—
Carole Theriault
Literally or figuratively?
Geoff White
It depends what kind of show you've got. But if you can get face-to-face with people and say, look, this isn't about somebody else somewhere over the other side of the world, this is your information, this is your data, it just introduces that little sort of frisson to things and people pay attention. That would be my advice.
Graham Cluley
Frisson and getting hands-on with people. Carole, this sounds right up your tree. I mean, I don't really like to touch the public too much. I'm a bit like Victoria Beckham in that way. You know, civilians, I think, keep your range, you know, just keep away from me.
Carole Theriault
Is that right?
Graham Cluley
I'm actually a little bit uncomfortable, Carole, because I'm going to be in the same room as you, and of course we never normally record the show in the same room.
Carole Theriault
Are you worried that I'm going to outshine you? Is that what it is?
Graham Cluley
It goes without saying.
Carole Theriault
How do I tone down my shine, Geoff, so that Graham feels comfortable?
Geoff White
Well, no, what— see, this will work well as a double act. You have one person out the front who's kind of the shiny, cheery, acceptable face of cybersecurity, and you have somebody in the background who's frankly a bit creepy and dark.
Graham Cluley
Creepy?
Geoff White
And the audience look at me, oh, that's the guy, who's that person?
Carole Theriault
Creepy and dark, yes.
Geoff White
I'm just putting it out there. These are characters, Graham. They're not necessarily real, but they're characters you can play, you know, in the things.
Graham Cluley
Okay. Well, we've got a little time to practice.
Carole Theriault
Well, any listeners that would like to see us live and watch us do the best job ever should check out the Secure Tour website. We'll put a link in the show notes.
Graham Cluley
It's at smashingsecurity.com/live. We've got all the links there.
Carole Theriault
Well, there you go.
Graham Cluley
There you go. Thanks to MetaCompliance for supporting this episode of Smashing Security. People are the key to minimizing your cybersecurity risk posture. And MetaCompliance makes this easier by providing a single platform for phishing, cybersecurity training, policy, privacy, and incident management. Listeners can get a 10% discount off the high-quality cybersecurity e-learning catalog by quoting the code SMASHING. Just visit www.metacompliance.com. That's www.metacompliance.com. And welcome back.
Geoff White
Well, I've got a bit of a doozy of a story for you today.
Graham Cluley
Yeah. And in some ways it reminds me, do you remember when Ferris Bueller hacked into his school computer and I think it said that he was ill or something, or changed the number of days that he'd been out of school or some sort of shenanigans like that?
Carole Theriault
That is a great, great film.
Graham Cluley
It's a wonderful film.
Carole Theriault
Bueller.
Geoff White
Well, has anyone seen Ferris Bueller?
Graham Cluley
Well, there is a—
Carole Theriault
Swing ba-da-ba-da-ba-da. Sorry, go on.
Graham Cluley
You're right, Carole. Well, there is a high school student in the San Francisco Bay Area who's just been accused of hacking his grades. Oh, probably not the first time that's happened, is it? But it's all said to have started with a simple phishing email and a police sergeant, Carl Cruz, told the local TV station, KPIX, it's a really cool name for a TV station, I thought.
Carole Theriault
KPIX?
Graham Cluley
He told them that what happened was that an email was sent, which looked like it was coming from the Mount Diablo School District site, telling teachers to log in to update their passwords, reset something or other. And when one of the teachers did, of course, the student was able to grab their login details. And once he logged in, he did of course change his grades, but he didn't just change his grades. He also changed the grades of about 16 other students.
Carole Theriault
Oh, he is young, isn't he? Thinking he wouldn't get caught and change 16 other people's students. How many students are in the school? How many in the class? Dumb mistake, dude.
Graham Cluley
Well, some students' grades went up.
Carole Theriault
Of course.
Graham Cluley
Like his buddy's.
Carole Theriault
Oh no, did he put some down?
Graham Cluley
And some went down.
Carole Theriault
Oh, you see, revenge.
Geoff White
Revenge. And surprise, surprise, surprise, surprise, the authorities were able to trace who was responsible. I guess it wasn't that difficult.
Carole Theriault
Fiona, Fiona, normally an A+ student, was shocked with her F.
Geoff White
And then Tony, who's got an A in computer science and a D in theatre studies, has suddenly got an A in theatre studies. How does that happen?
Graham Cluley
How does anyone get a D in theatre studies anyway? Let's face it. Anyway, police went round to the house, but they didn't go on their own. They brought with them their friend Doug.
Carole Theriault
Doug?
Graham Cluley
Now Doug is a dog. He's from their K9 division and he is trained to sniff out electronic equipment. Whoa! And there apparently are more and more dogs which are being trained to sniff out SD cards, flash drives, USB.
Carole Theriault
What?
Graham Cluley
Go, "Oh, that has Ferris Bueller's Day Off on that one." Well, I don't think they can identify the contents of what's on. It's a nice idea, Carole, but I don't think— although dogs have noses which are thousands of times more powerful than ours, I don't think they're able to do that yet. Frankly, they need to put a bit more effort in.
Geoff White
Yeah, reading a hard drive with your nose is quite impressive.
Graham Cluley
I believe it only takes about 6 weeks to train a dog to find these things. So, I mean, it's—
Carole Theriault
Okay, so he's smelling the little, what, skin particles that someone has left on a piece, a device, is what you're saying?
Graham Cluley
No, no, no, they are trained.
Geoff White
Well, no, it'd have to be the metal, wouldn't it?
Graham Cluley
Well, let me tell you right now, Dr. Jack Hubbell, who is a forensic science examiner in Connecticut, he has successfully isolated the chemical compounds used on circuit storage devices like micro SD cards. And that's one distinctive scent. Oh, and there is another scent which is found on DVDs and CDs and floppy disks.
Carole Theriault
That's kind of cool.
Graham Cluley
So they have these compounds now. Scary. Yes. They have these compounds which are used to train dogs to actually have the smell, which obviously is something they're able to identify above and beyond the typical smell of the hacker's bedroom.
Carole Theriault
You get there with your Doug, right? You say Doug, Doug the dog Doug, go find the DVD player. Go, go, boy. And then he unplugs it with his gob and brings it to you.
Geoff White
It's the actual DVD or tiny SD cards.
Carole Theriault
Oh yeah, that'll work really well after the dog slobbered all over it.
Graham Cluley
Look, all right, I didn't think you were going to get this technical, right? But I've actually researched this story. They don't actually grab these things with their teeth and slobber all over them, right? No, Carole, it's not plugging the— first of all, it's not
Geoff White
They don't do that.
Graham Cluley
These are normal questions.
Carole Theriault
You shouldn't— They treated me like an idiot.
Graham Cluley
the DVD player. That's not hard to spot, is it? What they do, what they do, we can just make an assumption. What they actually do is they sit still or they sort of point or sort of, I don't know.
Carole Theriault
Over here, boss.
Graham Cluley
They get a thumb and sort of go, "I've already shown, gov. This way, right? Here it is." And they motion towards where the thing is. A great big clunky thing from the 1980s. And I imagine they woof or whatever, right? So they don't actually touch it because you don't want to mess around with the evidence. But back at the beginning of this section, I talked about the student, right? Who'd hacked in and changed the grades. They went to his house. And they found a USB thumb drive hidden inside a box of tissues.
Carole Theriault
Are you sure it's the thumb drive that he was smelling? No offense, but he is a teen boy, right?
Geoff White
I wonder what that thumb drive's got on it in the box of tissues.
Graham Cluley
Now, the report I've read doesn't make clear what, you know, if any incriminating evidence of hackery was found on the USB stick. But why else would a teenage boy hide something like that in a big box of tissues? You know, it goes—
Carole Theriault
Because he probably has porn on it.
Graham Cluley
I wasn't going to say that.
Geoff White
That's obviously the answer.
Carole Theriault
Exactly.
Geoff White
Carole just went straight for it, went straight for the jugular.
Graham Cluley
She did. I mean, the thing is, Carole, you said earlier, are they able to determine what's actually on the drive? And the dogs can't currently, but I think if they're able to learn within six weeks to sniff out an SD drive, if they were given six months, if these dogs were actually put to some hard work and encouraged properly, maybe they would be able to work out if there are some secret PGP keys on there or a Bitcoin wallet or a database of stolen credit card information. It's not beyond the realms of possibility. Now, this isn't Doug the dog, and I love saying Doug the dog. He is not the only canine who is helping police sniff out cybercrime. In 2014, police in Rhode Island revealed that they had a secret weapon against pedophiles, Thoreau the Labrador.
Carole Theriault
Well, you know, what a perfect name for a smart dog. Good boy, good boy, good boy.
Graham Cluley
Well, that found— that sniffed out hard drives and even found a USB stick hidden inside a metal cabinet.
Geoff White
Wow.
Graham Cluley
And so they have been used in the past to pick up pedophiles who've hidden storage devices and everything from ceiling tiles to radios. So it is extraordinary that these sort of things happen. My feeling is though that surely there must be a high false alarm rate and they must be picking up the smells of other things which are similar as well.
Carole Theriault
I have a plan.
Graham Cluley
I have a plan. Yes.
Carole Theriault
So what you do is if you have a USB you don't want anyone to find, you put it inside a doggy treat, right? Then the dog comes, smells the doggy treat, maybe eats it. Although I suppose then he'd be in police custody when he went to the loo.
Graham Cluley
Some poor policeman John's job.
Carole Theriault
Yeah, I need to rethink this.
Geoff White
Get the rubber gloves out, Sarge.
Graham Cluley
Well, it is an interesting question though, because those of us who don't want the authorities to find our electronic paraphernalia, whether we've been naughty or not, going through security—
Carole Theriault
Or your housemate, or your housemate, or anyone.
Graham Cluley
Who has a poodle with them, which is sniffing out your USB drives. How would you disguise the smell? What would you use?
Geoff White
I'd wee on it.
Carole Theriault
Liver.
Graham Cluley
You'd what on it, Geoff?
Geoff White
I'd wee on it. I don't know, just the first thing that came into my mind. It's worth a go, isn't it?
Graham Cluley
That's not going to attract a dog at all, is it?
Carole Theriault
And also, if they're very sensitive, they'll be like, "Ugh." Your secret P-mail messages will be safe there, I'm sure.
Graham Cluley
But I wonder if there's a market for pre-scented electronic equipment, something with a hint of lavender about it.
Carole Theriault
Or liver, something that dogs like but are trained not to like when they're on the job.
Graham Cluley
Or if you are a cyber crook, maybe you've got your cyber crime den, maybe you should just cover it, smear Pedigree Chum everywhere to put dogs off the scent, and then they won't be able to grab it, will they?
Geoff White
Yeah, it's true.
Carole Theriault
Stealing my idea, putting it inside the dog biscuit. Just saying, get your own material, Cluley. Christ.
Graham Cluley
Well, anyway, kudos to Doug the dog for digging up his data in this fashion. Hey, Carole?
Carole Theriault
Yes?
Graham Cluley
Did you ever cheat at school? Did you ever change your grades or anything like that?
Carole Theriault
Sorry, your line's breaking up. I'm finding it hard to hear you at the moment. I can't quite make out what you said. Geoff, what's your story for us this week?
Geoff White
Well, I inadvertently provoked a Twitter storm this week, which is a first for me. I've never had a Twitter storm before. I don't know whether storm is— maybe a Twitter squall or a Twitter piece of inclement weather. I was researching a story about facial recognition and I came across a company called NtechLab who actually have hit the news before. It's not the first time they've been in the news. Russian company, they do facial recognition. They're very good, apparently, at facial recognition. They've won several awards and competitions for it. Their website has a section on their upcoming projects, among which is ethnicity recognition. Oh. And—
Carole Theriault
Sorry, like really? Ethnicity?
Geoff White
Ethnicity recognition. And you can already hear the can opener hitting that can of worms. You can start to hear that opening up. And then they have a picture illustrating what this might look like, and it's a picture of people of different ethnicities apparently with sort of boxes over their faces with European and African and Arabic next to them.
Carole Theriault
Oh, I'm looking at it now.
Geoff White
Yeah. Oh my God. Still on the site as we speak. The first problem they had and the thing that a lot of people on Twitter picked up on is that Arabic is a language, not an ethnicity. So immediately you're kind of in bad territory there. It's interesting, you know, this is new territory for me. I'm a tech person, but I find it fascinating because obviously then people start talking about, well, what is race and what is ethnicity? And clearly from a photograph, there is no way, there's absolutely no way you can work out someone's ethnicity. And so these people are saying, oh, well, look, my dad's from here, my mum's from there, nobody knows what my ethnicity is, people get confused. So the idea that from an image, you know, from a camera, you can do that.
Carole Theriault
Why the fuck would anyone want to though? Like, who would want this? Companies? Who are they marketing to?
Geoff White
I was racking my brains for what you would see as the positive, good, benign use case for this. And the only one I could come up with is some kind of equal opportunities monitoring where you can say, well, you know, we had this many people of this ethnicity or this, but it's skin colour. It's not even, I don't even think it's ethnicity. I think it's just, we have this many people of this skin colour through the door. And I don't really see how that helps anyone, anybody. And obviously the bad use cases are horrific.
Graham Cluley
Yes. Could it be that this company is targeting law enforcement, for instance, and if they're looking for a suspect of a particular ethnicity, this cuts down the number of people that they have to check out? Is that a possibility?
Carole Theriault
Dude in a yellow hoodie running down the street is an easier way of identifying.
Graham Cluley
When you say that, Carole, there was just a big facial recognition case where the police were using the technology in Wales at an Elvis convention. And I believe Elvis convention, there were a lot of people in great big white flares, you know, the big pantsuit and hard to get a description of what they were wearing.
Geoff White
Right. But it's interesting. I mean, the Wales example is interesting and this technology actually is getting more and more advanced to the point where grabbing an image off a CCTV camera or with your phone or whatever, and matching it to a picture that you've just got from the internet somewhere is now feasible. Apparently there's this little triangle between your eyes and your nose and the geometry of that exact triangle. So it works. You can even work through if you're wearing a scarf over your mouth or whatever.
Carole Theriault
Time for plastic surgery.
Graham Cluley
You said it.
Geoff White
You would have to get rid of your whole nose. You would have to take off your nose in order to make it work.
Carole Theriault
I look quite good without a nose, I think.
Geoff White
Well, you know, yeah.
Carole Theriault
I could pull it off.
Geoff White
If you don't wear glasses.
Graham Cluley
You haven't thought this through, have you, Carole? That's normal.
Geoff White
That's normal. The facial recognition company in question, NtechLab, have responded, did get back and said they apologized. This has caused negative reactions. They didn't mean to hurt any feelings. And they said the misunderstanding was caused by a communication and localization issue.
Carole Theriault
Oh, a localization issue. Basically, their English translator ain't that hot.
Geoff White
Who knows? It's still quite opaque what happened there.
Carole Theriault
So this was a Twitter storm, you were saying, right? So what happened on Twitter? What did people say?
Geoff White
It's basically sort of 37,000 likes for the tweets and that kind of thing.
Carole Theriault
I'm so jealous, I can smell it now.
Geoff White
It was, do you know what's fascinating? There was 3 responses, right? 3 responses. Number 1, Arabic is a language, not an ethnicity, right? We've covered that. Number 2, you can't work out ethnicity and race just from images, you know, and there's a whole thing about what that actually means. But number 3 was really interesting. Number 3 was just because you can make this technology, does that mean you should? And for me, that gets into really interesting territory because I understand the thing that you, you know, this has some horrific uses, but then do we turn around to technology companies and say, stop researching that particular area because somebody might use it for bad purposes? And they could say, well, yeah, but they could use it for good purposes. Whose sort of job is it in a way to police this? Because you could get it wrong either way. That could stop companies working on stuff that could be dangerous.
Carole Theriault
Internet ethicists.
Geoff White
True. Should we have, you know, should every company have an internet ethicist that they have to consult? And if so, who would that, you know, do you want that job? I don't.
Carole Theriault
Or maybe we, or maybe there should be a, you know, we should form a consortium where everyone has a representative where we can agree on, you know, I mean, there's lots of people looking into trying to do this as well already.
Graham Cluley
You're absolutely right, Carole. If we set up a consortium, then there'll be no rogue regime anywhere in the world, which is already breaking human rights, which will, they'll say, oh, well, there's that consortium, isn't there?
Carole Theriault
Oh, here comes grumble guts once again.
Graham Cluley
No, I'm not being grumble guts. This is the genuine problem, right, is that we— I think—
Carole Theriault
So don't try, don't try, just sit on your ass and bitch about it.
Graham Cluley
I think maybe guidelines are helpful to people, and you know, but we cannot expect everyone to not engage in this kind of thing because the technology is available and we can see that it is powerful, and in the wrong hands it could be extremely dangerous. There are companies that we've all witnessed, we've all got—
Carole Theriault
How does this really help? I mean, I have eyes. Presumably, if it's about telling someone's skin color I presume anyone with full vision can.
Graham Cluley
But for some companies, this would help. For instance, you might want a system inside your business which scans people as they come in to work out if they are authorized to enter the building. And just like you might use facial ID on the iPhone X to unlock the phone, you may use a system like this to say, this person, yep, they can come in. We know who they are. And you keep track of people without them having to scan themselves. It's just an advancement of technology. I'm not saying I like it. But that is the kind of thing which is beginning to happen and which companies like this are beginning to sell to people as well. Now that, combined with other data which they might have about you, becomes an incredibly powerful surveillance device.
Geoff White
There is another way around that I thought of, another possible thing with this, is licensing agreements. I mean, if you're the company that makes this technology and you sell it, we're used to signing up to terms and conditions. Obviously we don't read them ever, but you could have a sort of thing where the licensing agreement says, we have ethical guidelines about how this should be applied, anti-discrimination guidelines.
Carole Theriault
Yeah.
Geoff White
By licensing this technology, you sign up to it. The problem is, of course, I suppose if you just hand it over and say, look, you bought it, take it away, use it, the licensing agreement means you've got an ongoing thing. But it does mean that technology companies are then sort of on the hook for how their stuff is used. I just— it's a thorny one.
Carole Theriault
Yeah. And besides the fact, if 99% of people decide, yes, I'm going to follow the regulations and the guidelines, and the 1 rogue percent that always raises around, decides to try and circumvent the rules and do something a bit naughty, that's still better than 20% just feeling their way through and not knowing what's actually even ethical or unethical.
Graham Cluley
It's interesting.
Geoff White
It's interesting also. I mean, a lot of these technologies get developed in places where the people who are developing them are in the majority ethnic group, and there might be laws to prevent discrimination there. They don't sort of think, well, hang on, when this gets exported to somewhere where ethnicity is a massive issue and where there aren't laws to completely, how is it going to get used there? It's just interesting. Who are their marketing people then?
Carole Theriault
You know, surely they're asking somebody going, do you think this is a good idea for the US market?
Geoff White
There should just— I mean, look, the number of stories I've covered where a technology company does something incredibly crass and dumb and offensive and sometimes illegal. And I just think, did it never occur to you to just ask some of your non-techie mates, hey, I was at work today and we're working on this new thing. You know, they go, you're doing what? Just real people will be able to tell you.
Carole Theriault
You know what, you're right.
Graham Cluley
You know what I'm going to do? I'm going to invest in hoodies. I think hoodies are the future.
Carole Theriault
And my story actually is about exactly that. It's worked very well for Zuckerberg, actually.
Graham Cluley
He's very much a role model for me. It's those Anonymous masks, the Guy Fawkes masks, which Anonymous wear.
Carole Theriault
That, exactly that. So, yes.
Graham Cluley
And I always loved the irony that they were actually all licensed by Time Warner from the V for Vendetta movie. So they were making a fortune out of everyone.
Carole Theriault
I didn't know that.
Graham Cluley
That's funny. Carole, what have you got for us this week?
Carole Theriault
Well, I'm here to talk about making appointments. So Geoff, you know, when you have to make a car service appointment or whatever, how do you feel about that? Do you look forward to those phone calls?
Geoff White
I love them. I do them on behalf of other people because I love them that much.
Carole Theriault
Do you?
Graham Cluley
Fantastic. No, absolutely not.
Geoff White
Are you kidding?
Carole Theriault
I'm so glad we're friends. And Clue, what about you when you call your manicurist or Botox guy? How does that go?
Graham Cluley
What?
Geoff White
What?
Graham Cluley
Manicurist? Botox?
Carole Theriault
Yeah, come on, you're a total baby face.
Geoff White
We've all seen your lips, Cluley. We've all seen your lips. Tell me that's natural. Go on, tell me that's natural, girlfriend.
Carole Theriault
Are you trying to say that you've never plumped?
Graham Cluley
How dare you? We all know about my plumpness issue, but it's not that I'm fattening up anything deliberately. Okay, okay, we believe you, we believe you, we believe you.
Carole Theriault
But back to the question, if I could magic up a for all these calls to be done for you, for no extra charge, you'd be like, "Tell me more," right?
Graham Cluley
Yeah, yeah, if it works, why not?
Carole Theriault
I have good news for you. Google is planning to ride in on its beautiful unicorn and whisk this awful burden of making appointments away from you. And it's called Google Assistant. It was unveiled at last week's I/O 2018 tech conference, and The Verge did a very cute series of articles covering it. So I'm actually covering The Verge here. The idea is that we are inundated by having to make all these annoying calls to book or change or delete appointments. And why not let Google Duplex, the AI that powers Google Assistant, do that work for you? Now, Google's been working very hard on this Duplex baby, and by its own admission, it's not the final service offer. So they still have some work to do. So let's, you know, consider it a beta. But they presented it at the conference very proudly. And during testing, they showed that Duplex can communicate complete appointment calls without any intervention from a Google human. So basically, this means the AI makes the entire phone call on your behalf.
Graham Cluley
This sounds wonderful. This doesn't sound like something to concern me at all. Let's leave the computers in charge. Yes.
Geoff White
Where do I sign up?
Carole Theriault
So apparently it's pretty advanced. It even understands human nuance and can react intelligently when the conversation doesn't go quite as expected. And if the system gets confused, it hands it over to a human Google operator to deal with the complexities and complete the task.
Geoff White
Who's got a lot of explaining to do.
Carole Theriault
Right?
Geoff White
Oh, it's me, Tammy. You were speaking to a computer.
Graham Cluley
I know.
Carole Theriault
It's like if you suddenly just said something like, Graham, what about the clowns that eat the veggie lasagnas by the sea?
Geoff White
What?
Graham Cluley
Sorry?
Carole Theriault
Exactly. Exactly. That is what Duplex is gonna do. It's gonna have a mental barf and it's gonna hand over to someone else to finish the call.
Graham Cluley
All right. Okay.
Carole Theriault
Okay. So I know this sounds perfectly gorgeous, doesn't it? Hunky-dory.
Graham Cluley
Sounds absolutely fine.
Carole Theriault
Yeah. And the audience at the conference is pretty impressed. But after Google shows this real-life demo, which I'm about to show you, there was both amazement and horror. And the horrors kind of mushroomed so badly that Google's had to do a U-turn in the last few days. So let's see if you can spot what people freaked out about in this clip.
Geoff White
So what you're going to hear is the Google Assistant actually calling a real salon to schedule the appointment for you.
Carole Theriault
Let's listen. Okay, here we go.
Unknown
Hi, I'm calling to book a woman's haircut for our clients. I'm looking for something on May 3rd. Sure, give me one second.
Geoff White
Mm-hmm.
Unknown
Right? What time are you looking for around? At 12 PM. We do not have a 12 PM available. The closest we have to that is a 1:15. Do you have anything between 10 AM and 12 PM?
Graham Cluley
Carole, that's what Google would like
Unknown
Depending on what service she would like. What service is she looking for? Just a woman's haircut for now. Okay, we have a 10 o'clock.
Graham Cluley
you to think is the reason,
Unknown
10 AM is fine. Okay, what's her first name? The first name is Lisa. Okay, perfect. So I will see Lisa at 10 o'clock on May 3rd.
Graham Cluley
right? You've just fallen for it.
Unknown
Okay, great. Thanks. Great. Have a great day. Bye.
Carole Theriault
Right.
Graham Cluley
Well, that is very impressive, isn't it?
Carole Theriault
Yeah, but did you— anything freak you out by it?
Graham Cluley
Oh, absolutely. It freaks me out because the person didn't know they were speaking to the Googleplex, did they?
Carole Theriault
Exactly. And they try and make it even more human sounding by adding in all those erms and mm-hmm and ahs. Mm-hmm.
Graham Cluley
Yep. Yeah.
Carole Theriault
And yeah, the lady at the salon had no idea she was talking to a robot. It duped her just as it would dupe me or someone else.
Geoff White
Can I just give my honest opinion about this story?
Carole Theriault
Yes.
Geoff White
Right. Basically, everybody's wowed by this thing where Google's AI phones up for you and makes a hair appointment or whatever, makes phone calls with a human voice on a phone and everything. This is a hair salon that doesn't have a website and an online booking form, and Google is encouraging you to use that kind of business that doesn't have a website where you can make an online booking. Let's face it, it'd be a lot easier if you just told Google, "Book me at this salon. There's the web address," and it goes and books. Isn't that the easy way to do it? What is the point of this? It's just nonsense.
Carole Theriault
I suspect the point is there's lots of places in the world where people don't have online presence. I can tell you that my GP here, it is much faster making an appointment via the phone than it is online. You don't get an appointment for a month on the website.
Geoff White
And actually, yeah, because you have to phone up at 8 in the morning, and if you miss 8 in the morning, then you're—
Graham Cluley
you—
Geoff White
yeah, exactly.
Carole Theriault
I did.
Graham Cluley
Well done. Yes, of course you have. This is all about the rise of the robots.
Carole Theriault
I hate the rise of the robots.
Graham Cluley
This is the destruction of humankind.
Carole Theriault
I agree.
Graham Cluley
This is just another step along because what they're doing is they're making them completely plausible as humans.
Geoff White
But also they're making them as flawed as humans. There's that great bit, isn't there, in one of the Kill Bill films where they're talking about superheroes and they're talking about what the different superheroes are like. And they're like, yeah, Clark Kent. Clark Kent is Superman. Superman dresses up as Clark Kent. All the other superheroes change in their superhero costumes. Superman is Superman. Clark Kent is his impression of us, of our weakness and that kind of thing. What worries me with this is, you know, they've implanted these weaknesses in human conversation, the stutters. Why? Why do that? Why not just have perfect communication?
Graham Cluley
And that's what Clark Kent does to fool all of us as well, doesn't he? He has the glasses and he's all like, oh, clumsy.
Carole Theriault
Hey, enough. I like Clark Kent. I like Clark Kent.
Geoff White
You're supposed to like Clark Kent because Superman would be really creepy.
Carole Theriault
I know. Well, I do.
Graham Cluley
That's the point.
Carole Theriault
He's not just hot, he can fly. Right, okay. Unsurprisingly, people went nuts online for about 5 days. Articles from the media littered the tech press about the AI concerns. Primarily the problem is, hey, we're a little uncomfortable that the lady at the salon doesn't know she's actually talking to a robot. On Twitter, Ka-Ping Yee, he had a really nice tweet, but he said, what Google Duplex presented, celebrated, and normalized was A, recording a person without consent, obtaining consent, which is a crime. B, deceiving someone for a client's personal gain. C, deceiving someone for Google's corporate gain. And D, doing the above in an automated way at scale. And I think that kind of sums it up beautifully.
Graham Cluley
So did Google not contact the hair salon later and say, oh, by the way, that was a robot?
Geoff White
Surely they must. I mean, Google wouldn't be that dumb. Surely just record a person's voice and then put out a conference. I'd be stunned if they hadn't got the sign-off after.
Graham Cluley
Yeah, I would expect them to. So it feels like that tweet may be a little bit over the top.
Geoff White
And also, this wasn't a live demo, was it? This was a recording.
Carole Theriault
This was a recording. Now, to credit Google, interestingly, because of this whole hoo-ha that's gone on, and I think it's pretty legit hoo-ha, I have a problem with the AI trying to mimic a human. I don't understand why it wouldn't just go, hi, this is a robot calling. I'm trying to book a hair appointment for Lisa, right? Let them know. But they have come forward and effectively said, "Thank you, critics. We'll now make sure the Google Assistant discloses that it's a machine and not a human being." But you know that the guys and girls that have worked so hard to make it sound as human as possible must be having a fricking breakdown right now, right? The poor sausages. They spent so much time. You said you wanted it human.
Geoff White
We made it human. Why do we waste all this time putting the ums and ahs in if you're not gonna tell people?
Carole Theriault
I've spent years working on that. I'm the erm guy.
Geoff White
I'm your erm. I was the erm guy. What's my job now? I'm gonna have to find another job.
Carole Theriault
There's also been some funnies made at its expense, like this Howler showing how Siri might do in the same context if Siri were making a call for you. Hello, thanks for calling Sharky's. How can I help? Hello? Hello there, Sharky's Mexican Cantina. I would like to eat lunch food at your restaurant business. Did you—
Graham Cluley
I'm sorry, did you want to make a reservation?
Carole Theriault
I can search the web for that. Yes.
Graham Cluley
Okay, what time works best?
Carole Theriault
I found this: Time magazine was founded in 1923 and originally— I love how accurate it is.
Geoff White
Yeah.
Carole Theriault
Now let's rewind just for a second. So before Google said that Duplex and Google Assistant would disclose its robotness in calls, I was thinking what workaround I could come up with. How would receptionists and appointment takers be able to fight back?
Graham Cluley
All right. Okay.
Carole Theriault
And like a genius, I came up with something awesome.
Graham Cluley
You are a genius, Carole. I can't wait to hear what you thought up, which maybe Google will actually implement now because, you know, this is what they're going to suggest to people. Okay. Let's hear it.
Carole Theriault
Are you ready? For an appointment taker to check whether a caller is a person or a machine, you have to say something a bit random so it freaks out and bumps it to a human teller, a human person working at Google.
Graham Cluley
Oh, okay. All right.
Carole Theriault
So I say channel something your inner Kate Bush, dive into Babooshka, right? Babooshka, Babooshka. And then it might go, but a real person might sing along. They might laugh at it.
Graham Cluley
They might go, hey, I've got one, I've got one. Agadoo, fresh pineapple, shake the tree. Journalists, Geoff, I found, you don't have to worry, only 11% chance of automation.
Geoff White
No, no, I can beat both of those. The thing comes on and you go, mana mana. Oh yes, they don't go— you're not speaking to a human being, you're speaking to a computer.
Graham Cluley
Which is better than ballet dancers.
Carole Theriault
Graham, that was very good.
Graham Cluley
You like that? And thanks once again to MetaCompliance for supporting this episode of Smashing Security. Apparently ballet— not belly dancers, I haven't looked up belly— but ballet dancers, 13% chance of automation. People are the key to minimizing your cybersecurity risk posture. You can save 10% as a Smashing Security listener off the high-quality cybersecurity e-learning catalog by going to metacompliance.com and quoting the code SMASHING. I also looked up milkmen. On with the show. And welcome back. Can you join us at our favorite time of the show. It's the part of the show that we like to call Pick of the Week.
Carole Theriault
Pick of the Week. Huh?
Graham Cluley
What?
Carole Theriault
Can you say Pick of the Week?
Geoff White
Oh, Pick of the Week.
Carole Theriault
Thank you very much.
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, an app, a website, a podcast, whatever they like. It doesn't have to be security related, necessarily.
Carole Theriault
Could be this week.
Graham Cluley
You think this week it could be?
Carole Theriault
It could be. It could be this week, baby.
Graham Cluley
Well, my one isn't security-related. My one is a website.
Carole Theriault
Okay.
Graham Cluley
And it's called willrobotstakemyjob.com.
Carole Theriault
Touché.
Graham Cluley
You can sense the theme coming through me today, can't you, with my grumbling? So willrobotstakemyjob.com is a simple website where you enter your job title and it will tell you if you're doomed or not.
Geoff White
Oh, I gotta give this a go.
Carole Theriault
I know, podcaster, podcaster. I'm going in right now.
Graham Cluley
Well, unfortunately, Carole, I've already tried podcaster and it doesn't have podcasting. My suspicion is it doesn't consider podcasting to be a real job.
Carole Theriault
It didn't have podcaster, but it does suggest cement masons and concrete finishers.
Graham Cluley
It's the closest thing.
Carole Theriault
It's 94%. 94% robots will take your job if you're a cement mason.
Geoff White
Right.
Carole Theriault
I'm looking up husband right now.
Graham Cluley
Milkmen are doomed, 98% of automation.
Carole Theriault
I get animal scientist when I put in husband, probably.
Geoff White
That's a straight swap.
Graham Cluley
Isn't it? So whatever your job, go to willrobotstakemyjob.com.
Carole Theriault
I make bread, right? Bread maker. I'm excited.
Graham Cluley
Bread maker.
Carole Theriault
What do you mean?
Graham Cluley
Robots are already making bread, Carole.
Carole Theriault
No jobs found. Bread maker. I suppose it's called a baker, isn't it?
Graham Cluley
Unless you're very niche.
Carole Theriault
Baker, 89%. Damn.
Geoff White
Yeah. Right.
Graham Cluley
Politician.
Geoff White
Politician.
Graham Cluley
Not listed.
Geoff White
Politicians are apparently indispensable.
Graham Cluley
Maybe they've already been dealt with and replaced with cyborgs.
Geoff White
Exactly.
Graham Cluley
Anyway, I think a very useful site for keeping track of this very important issue.
Carole Theriault
You know what, I'm bookmarking it.
Graham Cluley
Right.
Carole Theriault
I'm bookmarking it.
Graham Cluley
And it's called willrobotstakemyjob.com.
Geoff White
Boom.
Carole Theriault
Good pick of the week.
Graham Cluley
Thank you very much. Geoff.
Geoff White
My pick of the week is a book. Okay. It's called Algorithms to Live By. 'Cause all I read are tech books. I don't read any other books, proper books.
Carole Theriault
Don't read any fiction. Fiction, detective, crime.
Graham Cluley
Are you telling me Algorithms to Live By isn't written by Jane Austen?
Geoff White
Reader, I calculated him. This is Brian Christian and Tom Griffiths' book. This is basically— what I like about this is, you know, there's a lot of negative stuff, and I read a lot of negative tech books obviously about how it's going to kill us all and take our jobs. Algorithms to Live By is how you can actually use the computer algorithms in your own life for your own benefit. I've not— I'm not massively advanced in the book at the moment, but the first chapter is all about internet dating, how to know how far to push internet dating and when to stick and when to twist.
Graham Cluley
You're on an internet date and you need to know when to stick and when to twist. Is this some kind of Tinder euphemism? What does this mean?
Geoff White
Get with the program, Graham. That's what the youth are talking about. Obviously there's this issue where you've got an infinite amount of possible dates coming up and you meet somebody and you think, well, this person's good, but how do I know if I need to hold out, if I should hold out for the next person? And the answer statistically apparently is 37%. If you're going to date 100 people, after person 37, if the next person is better than the last person you looked at, marry them. Propose to them and marry them. 37%. Stick at 37%. Don't look beyond that.
Graham Cluley
Oh my goodness.
Geoff White
Statistically, if you're a maths or science or stats or logic geek, the book is really interesting from that point of view. I'm not sure that I entirely buy the internet dating advice, but I do think it's nice. Because it's basically taking the algorithms back from machines and giving them to us.
Carole Theriault
Geoff, have you thought of having a podcast where people could call in with their relationship problems and you could give them a percentage based on what you've learned in the book on success or failure? Because I'm in if you're in.
Geoff White
I've got a great name for it, Algorithm Aunt.
Carole Theriault
Oh, I love it.
Geoff White
Algorithm Auntie, where we will statistically analyze the odds of you getting dumped or whatever.
Graham Cluley
This is a great idea.
Carole Theriault
I love it. Okay, TM Carole Theriault and Geoff White.
Graham Cluley
Excuse me, excuse me, I'm still here, guys. Sorry. Yeah, whatever. Is this the end of my podcast?
Carole Theriault
Who are you, Mr. Botox?
Graham Cluley
Carole, what's your pick of the week? And don't say algorithm on a brand new podcast with Geoff White and yourself.
Carole Theriault
You know me so well. So privacy, online privacy is rightly so becoming a bigger deal right now. And a lot of people want an easy cross-platform way to communicate without having to share too much personal information with the app providers or indeed with the person they're talking with. So I have a recommendation and that is Signal, a secure messaging app. Have either of you used it before?
Geoff White
Oh yes. Oh yes. Yeah.
Carole Theriault
So I know it's not new, but I just thought actually it's just worth giving a heads up because I've been using it for actually probably the last few months and I've just recently started using it for voice messages as well. So voice calls, voice quality seems really good. Onboarding new contacts is easy. I reached out this morning to a few non-Signal users and to get them to install it, and it seemed to work like a charm. So it's not just for the techie heads out there. The install and config is really easy. I think the UI is really nice, and it's not owned by Facebook, which I think, you know, yay, yay. So some people have said that it has been glitchy on the iPhone. I didn't find that. There is one annoyance I found though, is if you are on a call, I can't see any way to be able to access the messaging functions or other Signal settings or anything. You're kind of locked on that screen. And one thing from a privacy side is that you will require your phone number for contact discovery.
Graham Cluley
Yes. And that's something which has drawn some criticism of Signal in the past compared to some of the other messaging apps out there, is they do ask for your phone number. So if you want to be completely and utterly private, you have to be comfortable with that, or indeed go and buy yourself a burner phone.
Carole Theriault
I don't know. You've used Telegram. I haven't used it.
Graham Cluley
I would lean more towards Signal than Telegram personally. Yeah. I've used Signal for texting mostly rather than for voice calls. Yeah. Are you able to send people little audio messages and things like that with Signal? I've never tried doing that.
Carole Theriault
Hold on a second. Let me just check for you.
Graham Cluley
It's just that you said voice messaging and I wasn't sure if—
Carole Theriault
Oh yes, you can.
Graham Cluley
You can.
Carole Theriault
So you could. So you can kind of tap a microphone and keep it pushed down while you leave a voice message. Is that what you mean? Yeah. So one thing I was wondering about was, is there an ability to sort of recall messages? I don't make drunk texts.
Graham Cluley
Well, I don't drink, but people do, don't they? Just say, I love you, and I want to tell you, or whatever. Is there an ability with something like Signal or a different app to send that message and then think, oh my word, I've got to delete that, even though I've already sent it before the other person sees it?
Carole Theriault
You know what? If you're an idiot, you're an idiot.
Geoff White
I don't know.
Graham Cluley
Being drunk with a mobile phone, it's a bit like getting into a car when you're drunk as well, isn't it?
Geoff White
There should be a breathalyzer thing on the phone to stop you. Yeah. Yeah.
Carole Theriault
Yeah, I think if you're ever sitting there going, this is a really good idea, I know this is a really good idea, you're trying to convince yourself of it, back away.
Graham Cluley
Yeah, exactly. Like Algorithm Aunt, for instance, which at the moment to you two sounds like a really good idea.
Carole Theriault
You know what?
Graham Cluley
Jealous.
Carole Theriault
Maybe Geoff, he's jealous. He's jealous.
Geoff White
I know, I know. Well, we can diagnose that statistically.
Graham Cluley
On that bombshell, we're going to wrap up the show today. Geoff, thank you very much for joining us today. Once again, it's been terrific having you. Where should people find out what you're up to? Anything you want to plug at this point?
Geoff White
You can follow me on Twitter, @geoffwhite247, and also you'll find details on there of the podcast series that I did on the dark web.
Graham Cluley
Yes, for Audible.
Geoff White
It's a 10-part series and it is chapter and verse on the dark web. It's everything you need.
Carole Theriault
I can't wait.
Geoff White
Really fun stuff.
Carole Theriault
It's in my feed to listen to already and I can't wait, Geoff.
Graham Cluley
It's terrific. Fantastic.
Geoff White
Thanks for having me. And you can follow us on Twitter at Smashing Security, no G. Twitter won't allow us to have a G.
Carole Theriault
Everyone wants a sticker.
Graham Cluley
Everyone wants one of those.
Carole Theriault
Everyone wants a sticker. You can go to Smashing Security Store at smashingsecurity.com/store. Thanks for tuning in. Please rate us, please rate us 5 stars. You see, I've changed my tune. Remember at the beginning I used to be like, don't force people to give us 5 stars, but they should. But now I've changed my mind.
Graham Cluley
It helps new people discover the show, so we really do appreciate it.
Carole Theriault
It's good for my ego, and particularly for Graham's mood.
Graham Cluley
So you can check out past episodes at smashingsecurityguard.com. Until next time, cheerio, bye-bye. Bye. You're kind of crazy today, Carole. You all right?
Carole Theriault
I know, yeah, it's spring.
Geoff White
It was high energy.
Graham Cluley
You were quite bonkers.
Carole Theriault
Was I too bonkers?
Graham Cluley
No, I'm not saying too bonkers. I'm just saying you had a lot of energy. Oh, dear. I know what that means.
Geoff White
No, no, no, no, no, no, no, no.
Carole Theriault
Look, I had a coffee right before the call.
EPISODE DESCRIPTION:
Dogs are trained to sniff out hackers' hard drives, facial recognition takes an ugly turn, and do you trust Google to book your hair appointment?
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by investigative journalist Geoff White.