This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Unknown
Newsflash! Newsflash! Smashing Security is extremely unlikely to win anything in the Podcast Awards, unless someone votes for us. Visit smashingsecurity.com/vote and vote for Smashing Security in the People's Choice and Technology categories. Yes, you have to create an account at the Podcast Awards website to vote for us. That's a pain. But it's nothing compared to the pain I could do to your eardrums if I decided to sing. La la lee diddle lee da da da. So, smashingsecurity.com/vote, if you know what's good for you. Smashing Security, Episode 87: How Russia Hacked the US Election, with Carole Theriault and Graham Cluley. Hello. Hello and welcome to Smashing Security episode 87. My name is Graham Cluley.
Carole Theriault
I'm Carole Theriault.
Graham Cluley
And Carole, it's just you and me today.
Carole Theriault
Finally.
Graham Cluley
Don't get any ideas.
Carole Theriault
Now we need to talk about Elon Musk.
Graham Cluley
Elon Musk. What a charmer he is.
Carole Theriault
Wow. Right. Last week I was kind of accusing you of being jealous of him. And of course, he popped up all over my feeds this week, just being a bit of a dork, really.
Graham Cluley
So to summarize, for those people who haven't heard, Elon Musk, of course, sent his little mini submarine over to Thailand, and one of the Thai rescue divers, one of the British guys, was a little bit derogatory and told Elon Musk where he could shove his periscope on his mini submarine. And Elon Musk turned to Twitter, and obviously he's one of those thin-skinned chaps, a little bit prickly, it seems.
Carole Theriault
Powerful and thin-skinned, what a combination.
Graham Cluley
Yes, I know. Thank goodness there aren't many more of those sort of people in the world.
Carole Theriault
Exactly.
Graham Cluley
And so he made an accusation, shall we say, about this man living in Thailand.
Carole Theriault
Ech. That's what I got to say about it all. Just, Graham, we have so much to cover this week. In a way, it's good we don't have a guest because there's so much stuff we have to cover. So we should get on with it. Let's get going.
Graham Cluley
All right.
Carole Theriault
Hey, Graham.
Graham Cluley
Hey, Carole.
Carole Theriault
So you run your own business, right?
Graham Cluley
I do. Yes.
Carole Theriault
I run my own business. Yes. And how many different applications and services and software pieces do you need to buy or rent in order to run a business like ours? In the technology space.
Graham Cluley
Scores, if not hundreds.
Carole Theriault
It would be physically impossible, would it not, to remember unique passwords for every single one of those apps, let alone your personal life and all the stuff you have there, all the chess and Doctor Who stuff you have.
Graham Cluley
Not completely impossible, because if your password was DoctorWho1 or Chess2, if you made— so you could have unique passwords. They wouldn't be very good passwords though, would they?
Carole Theriault
Yeah, so you're recommending that people have crappy passwords, or should they use a password manager like LastPass?
Graham Cluley
They should use a password manager like LastPass. I think all businesses have got to really, because otherwise your employees are going to choose sloppy rubbish passwords.
Carole Theriault
And you're going to get lazy yourself and use the same password for different accounts.
Graham Cluley
Horrendous. So you want central control of everyone inside your business and how they're using passwords and properly manage it.
Carole Theriault
Check out lastpass.com/smashing.
Graham Cluley
I don't think you need to say forward slash. Anyone who's listening to this knows which way the slash goes.
Carole Theriault
You're probably right. Hey Graham.
Graham Cluley
Hey Carole.
Carole Theriault
Okay, quiz time, quiz time.
Graham Cluley
All right.
Carole Theriault
What percentage of data breaches originate from email? Ha, it's a pretty good guess, but you're way wrong. Ninety-six percent.
Graham Cluley
Because that's how they get your passwords, I guess.
Carole Theriault
That's how they get your passwords. So MetaCompliance make it easier to train and prepare your whole environment to stop these kind of attacks. They have information on phishing and cybersecurity and policy and privacy and incident management. There's all kinds of training out there, and our listeners can get ten percent off by quoting the code Smashing.
Graham Cluley
Oh, so all you've got to do is visit metacompliance.com, quote the code Smashing, and save yourself a fortune and protect your business.
Carole Theriault
That's all you gotta do.
Graham Cluley
Well, Crow, what a week it's been, eh? Been crazy, hasn't it?
Carole Theriault
I've been glued to the news.
Graham Cluley
Have you? Because earlier this week, of course, this is what I imagine you were paying attention to in the news rather than some skateboarding duck. We heard about the summit in Helsinki which saw Donald Trump and Vladimir Putin get together. Now, Donald Trump, I don't know what your opinion of him is, I think he's a very tough guy. Do you? Oh yeah.
Carole Theriault
You wouldn't want to have a fight with him. You think he'd knock you down cold.
Graham Cluley
Oh, he's a tough guy. You know, you don't mess with him, he doesn't let anyone walk over him. The point is this, right? He just means business and he's going to sort things out, right? Doesn't put up with any nonsense, isn't going to allow a foreign leader to make him look a bit of a wombat.
Carole Theriault
Yeah, I think you've got it. Nail on the head, I think you described him perfectly.
Graham Cluley
Right. And the summit in Helsinki went really, really well.
Carole Theriault
Oh, come on.
Graham Cluley
No, he does the best summits. He does great summits.
Carole Theriault
Who does the best summits? Helsinki? Other people have tried to do summits, never as good as him. It went really, really well, no problems at all. Okay.
Carole Theriault
But he is narrow.
Graham Cluley
Yeah, but whichever, whatever your measurement of straightness is, he is that measurement, right? But someone, Carole, someone didn't get the joke because he's working on a very high level of sophisticated humor. Someone didn't get the joke. And do you know who it was who didn't get the joke? Who? Turns out Russian hackers don't have a sense of humor and took Donald Trump seriously. Now, this— Seven out of ten.
Carole Theriault
We don't know,
Graham Cluley
We don't know what?
Carole Theriault
we don't know
Graham Cluley
Well, I hope you're not suggesting Donald Trump isn't universally comedic. He's a funny guy.
Carole Theriault
that. We don't know.
Graham Cluley
That's how I think of him anyway. Now, it appears that the US president has been banjaxed yet again by his intelligence agencies because they've been consistently saying that Russia interfered in the 2016 election and that Vladimir Putin was behind it. Furthermore, just a couple of days before the summit, FBI special counsel Robert Mueller issued an indictment against 12 Russian intelligence officers, giving in great detail how the hacks occurred, what was taken, and even naming the names of Russian officers who were sat at their keyboards. These were the hacks, of course, which were directed at the Democratic Party in the States.
Carole Theriault
Right. Yep.
Graham Cluley
Now everyone was fully expecting Donald Trump to go steaming into the summit, wallop Putin round the head with a rolled-up copy of the indictment and say, "Stop this immediately. You bad man, and don't you dare try anything similar in future," because of course the midterm elections are coming up soon. Instead, he chose to take a different approach, an approach which I'm sure many people would have thought, 'You know what, this is very crafty. This is real three-dimensional chess,' because he is tricking Putin into thinking that he doesn't actually care at all. "My people came to me, Dan Coats came to me, and some others. They said they think it's Russia. I have President Putin. He just said it's not Russia. I will say this. I don't see any reason why it would be. I will tell you that President Putin was extremely strong and powerful in his denial today." What he did was he decided, I'll just ask Putin if he was involved in the meddling. And Putin said, no, nyet. Yeah, nyet at all. That's perfect.
Carole Theriault
That sounds exactly him. Yeah.
Graham Cluley
And so they left it at that. And so that was the depth of it. So he's taking Vladimir Putin's word for it, and he believes Vladimir Putin more than he does his own intelligence agencies.
Carole Theriault
Well, we don't know what they talked about because he refused to bring even someone to take notes, a note-taker.
Graham Cluley
I think they just had translators with them. Maybe they just had Google Translate or something with them.
Carole Theriault
Oh, that would be safe. No problems there.
Graham Cluley
Anyway, Vlad and Donnie are now definitely confirmed BFF. And no one wanted to ruin the party atmosphere. In fact, you could argue that Donald loves Vladimir more than he loves NATO or Canada. That dreadful Justin Trudeau.
Carole Theriault
Donald thought that Finland was in NATO, I think.
Graham Cluley
Well, yeah, but he's just been at that NATO meeting. He didn't get on very well with them, did he? Doesn't get on very well with Canada.
Carole Theriault
He doesn't love Mr. Trudeau.
Graham Cluley
Twenty-seventh of July, 2016. This is what he was saying, remember this? Russia, if you're listening, I hope you're able to find the thirty thousand emails that are missing.
Carole Theriault
Best friend to have.
Graham Cluley
So he seems to be getting on much better with Vladimir Putin than he does with conventional allies, which is a strange thing. On this occasion, he decided to trust Vladimir Putin more than his own intelligence team, who he of course ran over with a bus. I think you will probably be rewarded mightily by our press. Now, obviously, he's making a joke there, he's not serious, right? He is a joke, he's always laughing, always telling gags. He wasn't seriously suggesting people hack into Hillary Clinton's email server, right? That's not the kind of thing he'd do, right? He's straight as a die, right? Not literally, at least not so far. Doesn't do that stuff.
Carole Theriault
Okay, but hang on, hang on. Did he not just retract this whole statement? Has he not just said "No, when I said wouldn't—" Is that what he said? "When I said would, I meant wouldn't." It's easy to get confused.
Graham Cluley
Well, he got very confused. You're absolutely right. He's come out with this retraction.
Carole Theriault
Well, they've made— that may have been a way of activating them as well. It may have been a pre-deal.
Graham Cluley
So at the press conference, he said, when asked, you know, was it Russia, he said, I don't see any reason why it would be. And he's now saying that he should have said, I don't see any reason why it wouldn't be. And a key sentence in my remarks I said the word would instead of wouldn't. The sentence should have been, I don't see any reason why I wouldn't, or why it wouldn't be Russia. So just to repeat it, I said the word would instead of wouldn't. And the sentence should have been— and I thought I would be maybe a little bit unclear on the transcript or unclear on the actual video.
Carole Theriault
It's not that they don't have a sense of humor. I just don't think you should say that all Russian hackers don't know how to have a laugh.
Graham Cluley
The sentence should have been, I don't see any reason why it wouldn't be Russia. Sort of a double negative.
Carole Theriault
I'm sure some of them have a good sense of humor.
Carole Theriault
Okay, but it's crazy because he was pretty clear when he was on the podium in Helsinki. He was pretty clear about what he meant. And I think everyone's jaw dropped.
Graham Cluley
Yes.
Carole Theriault
Oh, and now he's saying, no, no, no, no, no, you guys got it all wrong.
Graham Cluley
No, no, they got it all wrong. Got it wrong. So, so maybe he was very tough on Putin after all. I mean, very believable. I think this could have happened to anyone really, couldn't it?
Carole Theriault
I just, I don't even know what's, I don't even know what's going on anymore. I don't even know what's going on.
Graham Cluley
Anyway, I thought you might be interested, Carole, in what actually happened and how the hack occurred. Would that be of interest to you?
Carole Theriault
Yes, it would. Thank you very much.
Graham Cluley
Because it's not actually that sophisticated in some ways. The way in which it started off was fairly elementary stuff— spear phishing.
Carole Theriault
Okay, of course.
Graham Cluley
So the hackers targeted over 300 people connected with the Democratic Party and Hillary Clinton's presidential campaign. Most well-known victim is probably John Podesta.
Carole Theriault
John Podesta. Yeah.
Graham Cluley
Who was chairman of Clinton's presidential campaign. He had over 50,000 emails stolen from his hacked account. And it all began when he got an email purporting to come from Google claiming that hackers had tried to access his account, but they'd managed to stop it. But they said, we'd still recommend you change your password. Now, Podesta—
Carole Theriault
Can you imagine when he found out? Fuck, fuck, fuck, fuck.
Graham Cluley
Well, Podesta is no dumb-dumb, right? Podesta passed the email on to his IT team and said, hey, what should I do about this? And they responded to him, but they made a little typo in their response. And they made it sound as though the email which he'd received was legitimate rather than illegitimate.
Carole Theriault
Oh, that's an awful type of thing. Legitimate, illegitimate, would, wouldn't, what's the diff?
Graham Cluley
Right. And so as a consequence, he clicked on the link in the dodgy email to reset his password, was taken to a fake login page, which grabbed his credentials. So now they're into his email and they're able to grab thousands of accounts. Doesn't he love the British Prime Minister? Well, actually, he says he gets on with these people when he's face to face with them, but then he sort of slags them off when they're not around.
Carole Theriault
So it is coincidence a bit that it all happened, really.
Graham Cluley
Well, it's, you know, a series of happy—
Carole Theriault
Series of unfortunate mistakes or mishaps.
Graham Cluley
Or happy accidents if you are looking from the Russian point of view. Now he wasn't the only one targeted. The hackers also created an email account in the name of someone who worked in the Clinton campaign with just one letter different and then sent spear phishing emails to over 30 different workers. And the email contained a link to a spreadsheet called Hillary Clinton Favorable Rating.xls. And clicking on that took them to a dodgy website, which again, tried to steal their password. So it's not that sophisticated again. Carole, if you were sent an email, which appeared to come from me, for instance, and it contained a link to a spreadsheet called Smashing Security Favorable Rating Spreadsheet. So you think it's full of positive reviews of our podcast. Would you click on that to read it?
Carole Theriault
Definitely.
Graham Cluley
Right.
Carole Theriault
No, we've seen this time and time again.
Graham Cluley
They're crafted emails to be convincing, but it's basically a human weakness, which is allowing the bad guys in. They did try other techniques. Explored the Democratic computer networks, looking for vulnerabilities which they might be able to exploit. But the primary initial method of gaining access was phishing. And once they'd gained access, they planted multiple versions of malware known as X-Agent onto computers, monitoring activity, stealing passwords, taking pictures of screens. X-Agent.
Carole Theriault
It sounds powerful.
Graham Cluley
It sounds like X-Men, doesn't it? X-Agent. Yeah. And that allowed them to mine that access to the network for some time. And they were searching computers for information using terms like Hillary, Cruz, if you remember Ted Cruz, not, it wasn't Tom Cruise.
Carole Theriault
How could I forget?
Graham Cluley
And Trump, of course. And they stole the contents of entire folders, including one called Benghazi Investigations, which, that must be juicy. And they targeted computers containing information about opposition research and operational plans for the 2016 election. So tell me, Carole, on your computer, do you have folders with titles like Benghazi Investigations and things like that?
Carole Theriault
I keep thinking that could just be a code name for something. It's a good one. It's a good one. You would think it was the Benghazi Investigation, but actually it was everyone's lunch menu.
Graham Cluley
Ah, so that's maybe what you would do is you deliberately rename and have bogus names. Your folder could get a little bit confusing at some point.
Carole Theriault
A bit like my computer is now. I have no idea where anything is. So basically took whatever they could get their hands on.
Graham Cluley
Grabbing huge amounts of information. So they've accessed this information. Now, how are they going to get it off these servers, which they've compromised? Well, they had set up their own server, the bad guys, the hackers in Arizona, and they were leasing some space there, which they bought with bitcoin payments and to try to cover their tracks even more, they'd mined their own bitcoins rather than purchasing them on exchanges. They'd tried to make it really—
Carole Theriault
I love that. Yeah.
Graham Cluley
Well, I guess they had the resources to mine bitcoins, didn't they? Had a lot of computing power probably to help them do it. Now, May 2016, the Democrats realized they've got a security problem. They call in security firm CrowdStrike to kick the intruders out. And mostly that happened and servers were re-imaged and computers were chucked and things were reinstalled. However, a Linux-based version of X-Agent remained on the DNC network until round about October, which wasn't that long before the actual election, was it?
Carole Theriault
Oh no.
Graham Cluley
And in the meantime, the hackers launched their own website called DCLeaks. Originally they wanted ElectionLeaks, but apparently that domain name had gone. And so they got DCLeaks and they claimed it had been set up by a group of American hacktivists and they had fake fictitious names like Jason Scott, Richard Gingrey, Alice Donovan. But these guys were all Russian agents. And they had Twitter accounts and Facebook, and they were encouraging people to come to a flash mob opposing Hillary Clinton. They were posting images of the hashtags #BlacksAgainstHillary. They were trying to get people to do anything other than to support Hillary Clinton's campaign.
Carole Theriault
As per Trump's request. In his public—
Graham Cluley
Yeah, well, they want to know that he was just joking and that he wasn't. Please, come on. So the Democrats, CrowdStrike announced in June that they believed they'd been hacked and the hackers in response created an online persona called Guccifer 2.0, who claimed to be the hacker who had been releasing all this information. And they said they were a lone Romanian hacker, but we know that Guccifer 2 was not Romanian. How do we know that? Because this self-proclaimed independent hacker from Romania forgot to enable their VPN client.
Carole Theriault
That's right.
Graham Cluley
I know, I was thinking, and just once he left his VPN client off, which meant that the investigators got a real Moscow-based IP address in their server logs.
Carole Theriault
You see, isn't that crazy? Your VPN's just off for even a second, you know, and if it just pings, it can capture the data.
Graham Cluley
And that IP address pointed to military intelligence headquarters in Moscow. Hmm.
Carole Theriault
It could of course been redirected there.
Graham Cluley
Yes. Maybe some Romanian hacker decided that was a good place. Let's hack the Russian— let's use their computers because they won't mind that at all.
Carole Theriault
They won't mind.
Graham Cluley
They won't notice. According to the FBI release, they say Guccifer 2.0 was in regular contact with senior members of the presidential campaign of Donald Trump. Now, they haven't named who that is, so we've got no— Roger Stone! We've got no way of knowing who that is. Actually, I almost ruined your joke.
Carole Theriault
I almost said, what about Roger Stone?
Graham Cluley
Well, Roger Stone has actually come forward and said, that's probably me. It's like, yeah, of course it's you. I know who was talking to him. The hackers also transferred many of the documents and emails that they stole, and they passed them on to a mystery organization referred to in the document only as Organization WikiLeaks. Sorry, Organization One. And on July 6th, 2016, communications which have been picked up by intelligence agencies say that Organization WikiLeaks said, if you've got anything Hillary-related, could you get it to us in the next couple of days? Because the Democrats convention is about to happen. And, you know, she's going to solidify Bernie Sanders supporters behind her. And they said, we think Trump's only got a 25% chance of winning against Hillary.
Carole Theriault
Well, everyone did.
Graham Cluley
Well, I wouldn't have given him as much as that anyway, but they wanted to brew conflict between Bernie and Hillary. And sure enough, in due course, let's not beat around the bush, WikiLeaks released 20,000 stolen emails and other documents a few days before the Democratic convention. They didn't say that they'd received them from Guccifer 2.0. And between, in fact, October and November 7th, WikiLeaks released yet more stolen emails and documents, over 50,000 in total. So this is the sort of central part of the indictment. Now, if you go and read it, it's 29 pages. It's very interesting. I mean, obviously this is something which has been investigated for a long time. In fact, I think this was part of the investigation which James Comey was working on, and until of course his career got halted by the intervention of someone who gave him the sack.
Carole Theriault
But so, so yeah, basically the TL;DR here. Yes.
Graham Cluley
The TL;DR is, is we've now got more evidence than ever that Russia was involved in the hacking. The leader of US intelligence says it was Russia meddling in the election, trying to influence the results, hacking into systems. They were in contact with senior members of Donald Trump's campaign team, people who are working alongside them as well. And they've actually named these individuals. If there was anything—
Carole Theriault
There's 12 of them, isn't there?
Graham Cluley
There's 12 of them. They've all got names, you know, that— But the point is, Carole, it's not so much of a witch hunt, it's a vitch hunt. Every one of them has a vitch in their name. But if there was anything to whack Vladimir Putin around the head with and say, 'Oi, you should stop doing this because we're on to you, mate,' this was it. And that, of course, didn't happen at the summit.
Carole Theriault
You know, more and more you remind me of Bruce Forsyth.
Graham Cluley
Who's dead, of course. I know he's dead.
Carole Theriault
I don't mean that he's dead, but your sense of humour.
Graham Cluley
Do you mean Bruce Forsyth, or do you mean Bruce Willis? Good game, good game. Carole, what have you got for us this week?
Carole Theriault
Well, I have a big hitter of a topic as well, Graham. I've just been seeing so much news about surveillance technology recently.
Graham Cluley
My echo chamber largely consists, as you know, of Doctor Who, Burt Bacharach, and the Beatles, and chess.
Carole Theriault
Okay, really? Not Donald Trump?
Graham Cluley
A little bit.
Carole Theriault
You don't want to admit that.
Graham Cluley
I'm just trying to make it sound beautiful.
Carole Theriault
We all know your dirty secrets. So I'm talking things facial recognition and video and audio tracking and fingerprint tracking, all that jazz. I think most people are clueless when it comes to the actual power behind this tech, and it's still only in its infancy, but I find it a little bit scary. So with great power comes great responsibility, right, Graham? Right? Do you know who said that? Do you know who it's attributed to?
Graham Cluley
Wasn't it Spider-Man?
Carole Theriault
Well done. Spider-Man, Spider-Man.
Graham Cluley
Because I didn't realize in time that with great power there must also always be great responsibility.
Carole Theriault
Here comes the Spider-Man. I'm just not clear on who's holding who accountable for shitty surveillance practices? So what I've done is I've come up with a few stories that recently all happened just to kind of run through a few of these to see whether I'm becoming a conspiracy theorist or if you're on board with me and think, yeah, this is a bit nutso and we should have some regulations here. So number one, let's start with Amazon. We learned earlier this year from the ACLU that Amazon was marketing its own brand of facial recognition software to US enforcement agencies. And Amazon tech let cops sift through images of faces to find suspects. But Amazon also clearly indicates that the software can be used to preemptively identify persons of interest and prevent crimes.
Graham Cluley
What do you mean preemptively identify people of interest? What does that mean? Does that mean before they've actually committed any crime? If their eyes are a bit too close together?
Carole Theriault
Exactly. Say you were at my house and you were thinking, you know, I'm going to steal Carole's cat. And I had this Amazon Rekognition surveillance system in my house. One of the things that the surveillance can do is analyze emotions. What, normal Russian names? So not only just tell whether you're smiling or frowning or looking constipated, but it can also pinpoint the corners of your eyes and mouth, right? And monitor them in a relative movement to establish sentiment over time.
Graham Cluley
What if you have quite small squinty eyes? Can it cope with that?
Carole Theriault
Okay, if they grew immeasurably, I think you'd probably bust the software, wouldn't know what to do with it, right? But you have small little eyes.
Graham Cluley
Flattering.
Carole Theriault
And then even when you open them quite wide, they may be smaller than most people's normal eyes, right? But they're relatively much bigger. And Amazon is basically suggesting that it may be able to detect whether you're shifty or nervous or crazed and potentially help an authority put you on a watch list because you may be a person of interest and they want to prevent future crimes.
Graham Cluley
Sorry, is this insane? So what you're doing is you're saying they are scanning the size of people's eyes and determining whether they look a bit shifty in case they're stealing your cat. Are they also analyzing the cat's face? 'Cause that's got pretty weird eyes, and they're yellow.
Carole Theriault
See, you've pulled me off on a weird—
Graham Cluley
You pulled me off in a weird way. I'm trying to understand all of this.
Carole Theriault
Okay. Do you not really understand what I'm saying? It pinpoints the corners of your eyes and mouth. So you, obviously your eyes and your mouth are a certain distance apart on your face. Different from my face. Thank goodness. And as you smile or frown or do whatever, they change, right? So the software sits there taking pictures time after time, and it takes little snapshots, and it goes, oh look, his face is getting shifty and nervous and crazed, and maybe we need to alert the authorities that this guy may be doing something bad on the subway or on the bus or in the mall.
Graham Cluley
That's the point where I've got a little bit of problem with this, right? Just because someone's feeling a bit bad or they're squinting a bit or they've got a bit of 'Oh, I've got something in my eye.' 'Are you crying?' 'No, I'm not.' You know, it's just because that happens on the subway.
Carole Theriault
Yeah, imagine if you had Tourette's, for example, something I've been accused of many times.
Graham Cluley
What? You tell us about it, girl. And I'm very sympathetic. No, you fucking haven't.
Carole Theriault
Now look, you know what? You're not alone. A spate of people have been nagging Amazon to stop selling its powerful Rekognition wares right to the authorities. These people include reps from human rights groups and employees and even those who directly profit from the sales, shareholders. So 18, I think, of them came forward saying, look, dude, do you mind just, you know, calming down the whole surveillance stuff? Right, right. So my question is, should Bezos and friends be able to sell their Rekognition software to whomever they like, or should there be governance to kind of go, whoa, what are you doing with this? And, you know, maybe you shouldn't be able to record everything even if it's on private property. See, there's a lot of issues here. Do you think you should be allowed to have surveillance in your house, should you choose to? If you're family and you chose to have video surveillance in your house, do you feel, yes, it's my property and I should be able to do that?
Graham Cluley
Yes, I think that's absolutely fine. If you want to have video surveillance inside your house, that's absolutely fine.
Carole Theriault
Okay, so if I come over to visit you, do you think you should tell me? Are you under any moral obligation to say, look, Carole—
Graham Cluley
Yes, you know how it works, Carole. If you come around here, I'm going to make you sign the terms and conditions and make sure you accept the rules, which will include not stealing my dog while you come in to visit. Right. And if you want to do the same to me, that's absolutely fine with me. Yeah, of course. I think it's fine to have this in your own house. You can do what you like in your own house. Right. As long as it doesn't hurt anybody.
Carole Theriault
But isn't your house the same as someone's business?
Graham Cluley
If there's someone else coming into your house, then it changes. And if someone, if it's happening in a business, then again, you need to make sure that your staff are absolutely aware of all of this. And that they're comfortable with it.
Carole Theriault
Okay, well, interesting, because I've got another little example for you. I want to see what you think of this one. So we're going to California. We're going to California. Now, California recently passed its own version of GDPR called the Consumer Privacy Law, and it's basically to help force companies to be more respectful of personal data. And yet, and yet, last week the EFF launched an exposé that showed how California shopping centers were spying for an ICE contractor.
Graham Cluley
So a company— For an ice contractor. An ICE contractor. Someone to deliver ice because it's hot. No, that's immigration.
Carole Theriault
Oh, I see.
Graham Cluley
Oh, I see. Okay. Right. Sorry. ICE. Yes.
Carole Theriault
Yes. So I say ICE. Everyone, there is debate on whether— I'm going to say ICE. Basically, California shopping centers are spying on behalf of the ICE. Now, not directly for ICE. They're doing it through a contractor.
Graham Cluley
Oh, you mean they're scanning on behalf of the ICE, the immigration? I thought you meant they were scanning in order to recruit people into the ICE. Spying. Spying. Okay, right. Now I understand. Okay. I thought you meant they were looking for people who might want that particular job and they were going to see if they looked shifty or not and say, oh no, he'd be perfect. The way he's going up and down that aisle. All right.
Carole Theriault
This is both ingenious and scary as anything. So a company that operates 46 shopping malls in California is collecting info from its automated license plate readers, ALPRs, and handing it over to ICE contractor Vigilant Solutions, which runs surveillance technology, and they then give it to ICE so that they can go, 'Oh, that car is often associated with this illegal immigrant. I know exactly where they are right now.' So in a nutshell, they're filming the car parks.
Graham Cluley
Yep. They're identifying who might own particular cars, and then they're passing that over—
Carole Theriault
People of interest, that seems to be the term du jour. Right. And they're passing that over to the immigration people and saying, 'There may be a bunch of unauthorized Mexicans or something in the car park.' Now, of course, they're saying they're doing that to keep us safe, you know, to keep local people safe. But here's the thing, the only reason we know that this is even happening there is that California law requires ALPR operators to post their policies online. So malls in other states where no such law exists could well be engaged in similar violations of customer privacy without any public accountability at all. This is all according to the EFF.
Graham Cluley
But here in the UK, I quite often see signs when I go into a shopping mall, for instance, or a car park which says, you know, we have CCTV here and we are recording you for your own protection and safety or whatever. And if you've got a problem with this, call this number, which I imagine isn't manned. Sort of generic, oh, we're just for your own safety.
Carole Theriault
That's exactly how they are doing it. I mean, there's so many more. I mean, Walmart just had a patent approved. What patent? Oh, audio surveillance in stores to monitor employees and shoppers to make sure everything is running extremely smoothly because, you know, these very high-paid employees need to be as efficient as possible.
Graham Cluley
Recording people, what they're saying. So you wouldn't be able to slag off your boss or something if you worked at Walmart anymore.
Carole Theriault
They have these kind of sound zones, so they'd be able to listen, for example, to the rustling of bags, and they would be able to tell by the sound and its distance away from where it is being recorded that, oh, we're running out of bags and we need new bags, and is the employee getting them fast enough and putting them in the place, or can we automate that system? Or we may hear voices far away from the till, and we might say, oh, that's a really long line because it's not moving in any direction. This is not happening now in Walmart. This is a patent that they have that they may make use of or not.
Graham Cluley
If they wanted to record people's conversations, if you knew that your conversation was being recorded in the supermarket and you felt uncomfortable with that, you'd have to find somewhere quiet and private to have your conversation, like the loo, for instance, wouldn't you? So now in future, we may not hear the rustling of bags, maybe we hear the rustling of toilet paper. What on earth is going on in the world? Why is there so much crazy surveillance going on? Can't they just have someone occasionally go down the line and say, oh, there's quite a long queue here, maybe we should open up another checkout rather than using all this audio surveillance equipment?
Carole Theriault
Well, then you have to pay those people, right? I get, you know, the thing is, in most of these cases they're saying, look, isn't there a benefit to humanity? We are making something faster, more efficient, easier for you, safer, better, whatever way to entice us. But it does bug me. No, actually, I just want some fucking rules that crazy rich powerful people who develop intrusive privacy-blitzing tech have to follow. I want some rules.
Graham Cluley
I just think, what's there to stop... Rules set by who? Rules set by who?
Carole Theriault
Well, that's a really good question because it kind of supersedes even kind of geographical boundaries, doesn't it?
Graham Cluley
And even if there was international agreement. These are rules which are going to be enforced by the state and governments, and governments quite often are in the pocket of big businesses, aren't they?
Carole Theriault
We need a watchdog who answers to the people. How, you know, I sound like a— but anyway, so these things are kind of scary, right? Even Google's working on tech that can pinpoint a voice. You should see this video. It can pinpoint a voice in a crowd and isolate it and cancel out the noise around it and listen to it. And it does it for real. It does it through lip service, even if your mouth is covered. So imagine you're standing there and its cameras are on you. And say you kind of cover your mouth even just a little bit, it can still work out the movement of your mouth to realize you are saying those words and isolate all noise out of it.
Graham Cluley
I'll send you the video. It's amazing. Hang on a minute, Carole. Did this actually happen? Is this something you've actually seen or is this something you've imagined? You think I imagined it? I don't know. I'm just asking. So then were you under the influence of anything?
Carole Theriault
Okay, listen to this. This is two comedians talking simultaneously and Google's AI is trying to isolate one of them, and it does it in a matter of seconds.
Graham Cluley
Check it out. I'm not a fan of flying. I hate it. I hate being on planes. He might say, in general, why so many noises? You know what I mean? I won't flush the toilet on an airplane because of the noise. It scares me. You go, you hit flush, then you turn around, nothing happens for 5 seconds, then out of nowhere, boom!
Carole Theriault
Pretty impressive, right?
Graham Cluley
So the TL;DR, Carole, to use your phrase.
Carole Theriault
The TL;DR is there are a lot of people out there with a lot of money and a lot of tech, and they're using it to collect a lot of information from innocent, law-abiding, good people. And there's the argument that if you're decent, law-abiding, good people, why would you care about all the surveillance around you? But I don't subscribe to that argument because I feel it's a right, a human right. And I don't know why anyone's— no, that's not true. Lots of people are fighting for it, but we don't have a kind of collective force yet, but maybe it's heating up because I'm seeing more news about it in my echo chamber. So here's hoping that we can do something. Now listen, Jeff Bezos today, as of today, is now the richest man in modern history. His fortune is a tiny bit more than chump change, having just crossed the $150 billion mark. And that's $500 for every person who lives in the US.
Graham Cluley
But Carole, you got to ask yourself, is he happy?
Carole Theriault
Is he happy? Nope. But I bet he's laughing his ass all the way to the bank. Enjoy that money, Jeffy.
Graham Cluley
I bet he is happy. I hate websites which don't allow you to have decent passwords. Ah, grumble, grumble.
Carole Theriault
Hey, Graham.
Graham Cluley
Hey, Carole. Did you register with MetaCompliance yet and use our discount code so that you could get some training on cybersecurity?
Carole Theriault
Oh, for goodness' sake, I've been doing a podcast, haven't had a chance to register on their website. I promise to do it as soon as this podcast is over, all right?
Graham Cluley
Okay then. What do I have to do again?
Carole Theriault
Jeez, Graham, you have to go to metacompliance.com and quote the code SMASHING.
Graham Cluley
And that'll save me 10%? I hope you wrote it down. Hey, Graham.
Carole Theriault
Hey, Carole. Hey, do you know what? LastPass has this automated password generator, so no more do you have to sit there and dream up silly long passwords that mean nothing to you. You can just press a button and presto, you've got a 25-character, 50-character password that's impossible to guess.
Graham Cluley
Will it put all kinds of crazy characters in?
Carole Theriault
You can choose to put them in or not, depending on the website, because some websites don't let you do the crazy characters, do they? Check out lastpass.com/smashing. I'm glad you said slash that time.
Graham Cluley
You're welcome. And welcome back. You join us at our favorite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever.
Carole Theriault
You're very good at that now with an app.
Graham Cluley
After the complaints, we had to fix it. Whatever they like. It doesn't have to be security-related necessarily.
Carole Theriault
Please don't be security-related.
Graham Cluley
You like to watch BBC and listen to BBC Radio and all that kind of jazz, right? Of course you do, because you are one of the literati. Imagine you have been watching a TV programme or radio. It's been on in the background and there's a bit of incidental music or a record that plays or something like that, and you think, oh, I like that, I wonder what that was. Well, the BBC has got you covered because they have a little website which you can go to and it will tell you all the music that they have played in the last hour or the last week or last day, and you can find that track even if it's been used in the background in a promo, even if it's not a record, even if it's a documentary.
Carole Theriault
I need to see this.
Graham Cluley
Right, well, I've given you the link. The link is in the show notes. I will read it out, but it's a bit long, so it's better to find it in the show notes. bbc.co.uk/music/tracks/find. And if you go there, it will tell you— go on, try it right now, Carole.
Carole Theriault
Okay, so you have I Heard a Track, and you can choose yesterday. Yesterday, that's the Beatles on Radio 6 while I was cooking dinner, 8 PM, something like that. Mr. Clarinet from the Birthday Party, excellent song. Very good.
Graham Cluley
There you go. This is good. Isn't this cool?
Carole Theriault
I love little tools like this. I love that someone just said, you know what would be really useful? And someone, yeah, yeah, go ahead and build it.
Graham Cluley
Take you 20 minutes. Because they're obviously collecting this information probably for rights or something, you know, they have to fill out a little form saying what music they've used. And so they've just chucked it up on the web and it's really handy. So as well as the obvious thing of if you're listening to a record that's being played on the radio, that's simple enough. But I really like the fact that you can also find out what the music is in the background of a documentary or in a drama.
Carole Theriault
And you can play it right in this window as well. In some cases you can, yes. You can listen to it or a little snippet of it right there and then. It's not as cool as mine.
Graham Cluley
Excuse me. Go ahead. That is my pick of the week.
Carole Theriault
You always get the music.
Graham Cluley
You can say pick of the week as well if you want. Great. Yes. You know my pick of the week because I waited and waited and waited for you to finish watching it. It's wonderful. This is the thing on Netflix, isn't it?
Carole Theriault
It's up there with the Get Me Roger Stone, which we already talked about. It's up there with Weiner. And that is The Staircase on Netflix. The Staircase. Yes. So excellent. Okay, let me give you a tiny premise for our listeners because we'll just sit here.
Graham Cluley
Don't give away too much.
Carole Theriault
No, no, no. Okay, I've tried to craft this carefully. I've had to write this down even just to make sure. I would say it covers the legal battle that ensues following the death or murder, question mark, of Kathleen Peterson and her novelist husband Michael, who's a bit weird. He's a bit weird. Starts in 2001 with Kathleen being found dead at the bottom of their McMansion stairs. Blood everywhere. Michael swears she fell. Cop thinks it was murder. A lot of blood, as you say.
Graham Cluley
But was it murder?
Carole Theriault
But this baby twists and turns, and I love the characters so much. The DA battle axe lady. Who did you love?
Graham Cluley
I like the guy who was in charge of the projector. PowerPoint guy?
Carole Theriault
The PowerPoint guy. There's the FBI agent, Dwayne Deaver.
Graham Cluley
Oh yes. Yeah, yeah.
Carole Theriault
And then there's Michael's head counsel.
Graham Cluley
God. So what's incredible about this documentary is it's a fly-on-the-wall documentary produced by a French team, I believe. And they follow this story for years.
Carole Theriault
They started— so this all happens in 2001. Thirteen parts make up the season. They start at the beginning and they film all the way to the last year. So there's a few episodes from the beginning. They were released in 2004. There were a few that were released in 2013. And then there were a few released in 2017. And then last year, Netflix packaged it all up into one big, delicious documentary series.
Graham Cluley
There are some real twists in the story, things which make you go, OMG. This is real binge-worthy material. I have to say, I stayed up very late watching all of these.
Carole Theriault
You loved me and hate me at the same time, didn't you? You were like, I love that she suggests this.
Graham Cluley
I hate because I'm so exhausted. Yeah, it was a great recommendation. Thank you, Carole.
Carole Theriault
Well, now it goes to everyone else. Enjoy it.
Graham Cluley
Yeah. And then when they've all watched it, they can let us know and then we can talk about it. Fantastic. Well, Carole, that just about wraps it up for this week. If folks want to follow us, they should do on Twitter. We're @SmashingSecurity, no G. Twitter won't allow us to have a G. You can buy t-shirts and mugs and stickers and things like that at smashingsecurity.com/store. And you can, if you really like the show, you can rate it on Apple Podcasts. Really does help new listeners discover the show. And go to smashingsecurity.com for past episodes and for details of how to get in touch with us. Until next time, Carole Theriault, bye-bye. Toodles.
Carole Theriault
Guest next time.
Graham Cluley
Yes, we were supposed to have a guest this time. Just circumstances. It was my fault.
Carole Theriault
Well, it wasn't my fault.
Graham Cluley
No, it was my neighbour's fault.
Carole Theriault
Yeah. I wonder if he hears the show.
Graham Cluley
Well, maybe he'll stop chainsawing in the back garden. We'll be able to record it at a sensible time of day.
Carole Theriault
Psst, if you're still listening, remember, please visit smashingsecurity.com/vote so that you can register your vote for Smashing Security in the upcoming Podcast Awards. We need your help, guys. Thanks.
EPISODE DESCRIPTION:
Regardless of whether Donald Trump believes Russia hacked the Democrats in the run-up to the US Presidential election or not, we explain how they did it. And Carole explores some of the creepier things being done in the name of surveillance.
All this and more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault.