GRAHAM CLULEY
No, come on, what are you talking about?
CAROLE THERIAULT
No, no, I'm serious. So the phone does a very high-pitched squeak that you can't hear outside your hearing.
GRAHAM CLULEY
But if they're having a conversation with someone and asking them, "When was the Battle of Hastings?" When?
It's not like they can say it in a really high-pitched tone, is it? It's not like they're a dolphin.
Smashing Security, Episode 94: Rogue Browser Extensions, Twitter Presence, and How to Cheat in Exams with Carole Theriault and Graham Cluley.
GRAHAM CLULEY
Hello, hello, and welcome to Smashing Security, Episode 94. My name is Graham Cluley.
CAROLE THERIAULT
I'm Carole Theriault.
GRAHAM CLULEY
And we are joined this week by a returning guest, technology journalist, our very own Inspector Gadget. It is David McClelland. Hello, David.
DAVID MCCLELLAND
Hello, Go-Go Gadgets, something or other. I can't quite think what. Go-Go Gadget Arms.
Yes, I'm surrounded on my desk by a ton of gadgets that I haven't managed to pack away yet because I've just moved house, living in the sticks like your good selves.
And yeah, I haven't done all that well with the packing up yet.
GRAHAM CLULEY
Hey, we live in Oxford. That's hardly the sticks, man. It's not like all carts and haystacks here. This is— especially Carole. Carole, you're very urban, aren't you?
CAROLE THERIAULT
Oh, I am. It's HQ. Yeah, this is the hive. Yeah, in the middle.
GRAHAM CLULEY
Well, we're pleased that you've got a decent internet connection out there, David.
DAVID MCCLELLAND
Well, yes, I live on the side of a hill in the middle of a forest with no cell phone connection whatsoever.
But I do have fibre broadband, which, touch wood, has been pretty stable so far.
CAROLE THERIAULT
I'm jealous.
GRAHAM CLULEY
You're jealous, Carole? Is your internet a bit rubbish?
CAROLE THERIAULT
No, no, I'm jealous of having a view of trees and, you know, hills, greenery.
DAVID MCCLELLAND
I'll send you a view. We have the most beautiful view over—
CAROLE THERIAULT
You've already sent me one.
DAVID MCCLELLAND
Oh, I have, haven't I? I'm so sorry.
CAROLE THERIAULT
You've already rubbed my face in it.
GRAHAM CLULEY
Carole, you've got a view of a multi-storey car park and— Is it a Lidl or something that's near you?
CAROLE THERIAULT
Yeah, yeah, this is okay. Yeah.
GRAHAM CLULEY
Actually, I shouldn't identify your location too much. Like, people could narrow it down from that.
CAROLE THERIAULT
Yeah, very much so. We'll just get rid of this bit.
CAROLE THERIAULT
Yeah. But thanks.
GRAHAM CLULEY
Okay, good.
GRAHAM CLULEY
Many of us have worked in big companies, right? And we know that it only takes one person to make a boo-boo to allow the hackers in.
Imagine running a company, hiring new staff, and worrying that one of them might bring their bad password habits into the office. Horrendous! Nightmare!
That's one of the reasons why businesses small and large need a password management solution like LastPass Enterprise.
LastPass brings a vast array of features for enterprise users, including company-wide policies, reporting, user groups and roles, and new support for Microsoft Active Directory.
As an administrator, you can create highly secure passwords for your new starters right from the onset. Means no snafus.
Listeners can check it out themselves by visiting lastpass.com/smashingsecurity. No more password snafus, no more boo-boos, just LastPass.
Well, happy, happy birthday to the Chrome browser. 10 this week, 10 years since the Chrome browser came out. It's incredible, isn't it?
GRAHAM CLULEY
I don't know if you guys— do you remember the browsers you were using in the mid-1990s and the late 1990s? Things like Netscape and all of those.
DAVID MCCLELLAND
Definitely Netscape for me.
That was the first one that I remember using, but I remember very clearly when Chrome came out, I was living in Holland at the time, 10 years ago, and the whole concept of having multi-tabbed browsers seemed quite revolutionary at the time.
I know, it just seems that I must have maybe a million tabs open at the moment. And the idea of just not having that, it has changed the way that I use the web, certainly.
GRAHAM CLULEY
Well, just this week, a brand new version of Chrome came out and it included some interesting features, strong password generator, rounder tabs, and other user interface changes.
CAROLE THERIAULT
Rounder tabs?
GRAHAM CLULEY
Yes, I know.
CAROLE THERIAULT
That's one of their top selling points?
GRAHAM CLULEY
Yeah, you know, people are impressed by bells and whistles quite often, aren't they?
Just a simple change to the canvas or altering some of the icons and people go, "Ooh, yes, I want that." And sometimes that is what encourages people to switch, I suppose.
CAROLE THERIAULT
Okay, fine. Still lame.
GRAHAM CLULEY
But whatever browser you might be using, chances are you're not just using the pure vanilla browser.
You're probably also running third-party extensions and plugins which can boost your browser's capabilities, tweak its behavior, and maybe give you some other benefits.
CAROLE THERIAULT
Yeah, give you loads of gizmos. I've got tons running.
GRAHAM CLULEY
Right, I've got a few running as well on mine, and I think it's perfectly normal to do that. You know, you might, for instance, have an ad blocker.
CAROLE THERIAULT
One might.
GRAHAM CLULEY
Yeah, hopefully you do. One might have a password manager.
But all of these, even if they're security-focused, they can actually be a security risk because it's terrifying just how much power a browser extension can have and what it's capable of doing.
GRAHAM CLULEY
So an ad blocker, for instance, if you think about it, it has the ability to read and change all of the data on the websites that you visit because it has to be able to tell there's an ad there and then it has to be able to remove it.
Which means it can technically read everything that you're reading too, right?
GRAHAM CLULEY
And it needs to do that to do its job. So you're putting a lot of trust in your browser extensions not to turn evil.
And I'm afraid there is a browser extension for a popular service which did turn evil this week.
The extension for Mega.nz, which is the file sharing service, cloud-based service founded by that larger than life figure Kim Dotcom, although he's no longer connected with Mega.
CAROLE THERIAULT
Jesus, pot kettle.
GRAHAM CLULEY
You said I'm larger than life, Carole.
CAROLE THERIAULT
You certainly are in so many ways.
GRAHAM CLULEY
Charming.
Well, this week, the official browser extension for Mega was compromised, and there was an automatic update for the extension which was received on users' desktops, which requested more permissions, including the ability to read and change all the data on the websites that you visit.
And in all likelihood, most users would just click through and say, yeah, yeah, yeah. You know, I use the Mega.nz extension because it helps me download stuff from the service.
CAROLE THERIAULT
And people are being inundated with GDPR requests every time they go anywhere. I certainly am. So I can see how people would just go, yes, accept, go, go, go, accept, accept, accept.
GRAHAM CLULEY
I know that was the big irony, wasn't it? That all these companies were told that you have to tell your users what you're doing with the data.
And we were so bombarded with all these messages that you're just like, whatever, you know, just get rid of it.
So you still aren't informed as to what most of these services are actually doing. Technically you have been, legally you have been, but you never actually read them.
CAROLE THERIAULT
Not in all cases. Some of them are absolutely awful. Anyway.
GRAHAM CLULEY
So many people have just accepted this Mega.nz update, and that of course was a big mistake because this malicious version of that Chrome extension started to steal information.
CAROLE THERIAULT
So it wasn't the bona fide plugin or extension? It was—
GRAHAM CLULEY
The bona fide one was replaced by this bogus malicious one. So it's not as though people downloaded the wrong one and installed it on their device thinking it was the real one.
It was pushed out to them. If they were originally using the genuine article, they had now been effectively infected by a bad one.
And it was stealing usernames, passwords, cryptocurrency, private keys, and it would activate on sites like Amazon, Google, where you may have your email, for instance, Microsoft, GitHub.
GRAHAM CLULEY
And so potentially the criminals could not only mess around with your Amazon or read your emails, they could even maybe change your software projects, which you might be working on on GitHub, change your code, and it could also steal private keys for your cryptocurrency.
CAROLE THERIAULT
So when you say potentially, did they— did it steal stuff? We don't know.
GRAHAM CLULEY
It was stealing the credentials and it was stealing the private keys. And what then was done with that information which it's stolen, we don't know. Who knows?
DAVID MCCLELLAND
So where did the data end up going to then?
GRAHAM CLULEY
Well, the data was being secretly and silently siphoned off to a Ukrainian server, and who knows if that was a proxy for someone else somewhere else in the world.
We simply do not know, but the data has gone.
CAROLE THERIAULT
This is a nightmare.
GRAHAM CLULEY
Well, it's a real problem if you happen to have this particular extension installed.
GRAHAM CLULEY
You know, the presumption is that their account was hacked and whether that was phishing or they chose a dumb password or reused a password, we don't know.
And for now, nobody's saying, but the extension was up for some hours and users who were updated during that time period may have had their credentials and private keys stolen.
There could be follow-on impacts from that. And that obviously is not good. The good news is the Firefox version of the extension is not affected.
This is purely the Chrome extension, in fact—
CAROLE THERIAULT
I'm expecting a press release any day now.
GRAHAM CLULEY
From the guys at Mozilla saying, there we go, it's yet another— Well, you know what?
There might actually be a basis in fact there, because Mega are saying that Google themselves are partly to blame.
They are pointing out that the security measures in place on the Firefox plugin or extension area are stronger than those which are in place for the Chrome Web Store.
You even have a quote from a third party now too. Exactly, as endorsed by Mega. So yeah, you know, potentially there are improvements maybe which Google can make there.
So rather than rounding off all those tabs—
GRAHAM CLULEY
There you are, Carole, you see, you're absolutely right.
Rather than rounding the tabs and doing all those fancy icons and things like that, changing those, maybe they need to get their house a bit more in order.
So some takeaways for everyone here. First one, browser extensions, even the ones that are supposed to be keeping you safe, they've got an enormous amount of power.
If an extension goes rogue, everything you do in your browser is now compromised.
So Google Chrome itself is a pretty secure browser, and they've got real experts working on the security of it.
But you are plugging in code written by third parties who may be rubbish at security, who may not have properly looked after their code, or maybe aren't looking after their accounts properly, and you're running that on your computer.
So you are increasing your threat surface, as the marketing people like to call it, by increasing the number of extensions you run on your browser.
CAROLE THERIAULT
That's not a nice takeaway. That just makes us all feel a bit—
GRAHAM CLULEY
Well, yeah, I'm just— okay, we're going to get to the good stuff in a moment.
Now, the other thing is, of course, sometimes you may have a browser extension installed and the ownership of that browser extension may change.
The company may change, the developers may change, it may get sold on to someone else.
So it may no longer be the same developer who you originally thought was writing the extension, and it may be someone less benevolent.
So always be wary when a browser extension asks for increased permissions.
So normally your browser will pop up and say, this extension is now asking, you know, to scoop up all the information on every web page you visit.
You can ask yourself, well, you know, do I really want it doing that or not? Is there a justified case for it?
And maybe there is with some extensions like ad blockers, but, you know, be careful because other extensions may not need that.
And if they suddenly start requesting it, then that suggests that something has changed in their underlying code.
Keep the number of extensions you run in your browser to a minimum, and if you're an extension developer, remember that you've got a responsibility to secure your code, secure your account, so that others can't exploit it and maybe spread their attack in such a wide fashion.
DAVID MCCLELLAND
And just to add to that, I mean, just while you were talking there, Graham, I've got Chrome open right now. I've been Googling.
Well, actually, no, I haven't so much, but I opened up to have a look at the extensions that I have installed in my Chrome browser right here. And do you know what?
There are quite a few here that I installed many, many moons ago, maybe 2 or 3 at a time, to try and do a particular thing, whether it's email the page that I'm on right now to myself or whatever it is.
And there's some here that I don't really remember. I certainly haven't used for an awfully long time.
And, you know, I probably wouldn't even realize if some of these had turned rogue until it was too late.
So not only be careful about extensions that you install, but every now and then do a little bit of housekeeping and go, actually Bitly or Flash Control, I haven't used that for months, haven't used it for years.
CAROLE THERIAULT
Get rid of them.
DAVID MCCLELLAND
Exactly.
GRAHAM CLULEY
Yeah, and some of them you just mentioned, for instance, an extension which emails you a link to the page you're currently looking at.
That basically says to me, you're a bit lazy, David, and you could be just doing a copy and paste of the URL and bunging it in an email to yourself.
CAROLE THERIAULT
I was just about to say, isn't it nice that Graham's your little fairy godmother? But now I'm taking it back. A bit harsh there, Clue.
DAVID MCCLELLAND
I'm all about saving myself a few clicks, Carole.
And, you know, if it means I'm not having to, you know, open up my mail browser, do a copy and paste, if I can just tap one button and save myself 20 seconds and do that 10 times a day, then I'm happy.
Even if you aren't, Graham.
GRAHAM CLULEY
I need to apologize for not waving my wand in the direction of David McClelland.
CAROLE THERIAULT
Right. Twinkle toes.
GRAHAM CLULEY
Twinkle toes. Thank you. That's much nicer than being called larger than life. Appreciate that, Carole. Okay, David, what's your story for us this week?
DAVID MCCLELLAND
Well, it's funny you talk about prioritization there and things that Chrome perhaps should be working on rather than things that it actually is.
Looking on another platform, news surfaced last week that social network Twitter, who I think Twitter's investors are surely the only ones who are still chirpy about Donald Trump's ongoing presidency, Twitter has been testing some new features, it turns out.
And one of these features, I personally think, in one fell swoop fundamentally changes the entire dynamic of the interactions on Twitter and makes it even more of a magnet than it already is for unsociable behavior.
So a post by, I think she's Director of Product Management at Twitter, Sarah Haider, revealed that alongside threaded replies, and replies and threads are already a real mess on Twitter if you ask me, Twitter is also testing something called presence.
Now, Carole, that's not birthday or Christmas presents or presents for good behaviour. Oh, thank you, James. Sorry about that.
Instead, it's a little green dot that indicates whether you are online at that moment in time.
Now, on the one hand, you could see that this is a fairly minor change that might increase the sense of immediacy of the conversations that take place on there.
And it's all going to maybe grow the engagement that I'm sure Twitter's owners and investors want to see on the platform.
But I think that subtle change makes a huge difference in a number of ways. Inasmuch as, you know, if you see somebody's online, you expect a response from them.
It's like a read receipt on an email or iMessage or WhatsApp. Twitter becomes a bit too much of a messaging platform. You know, it's like, well, I know that you saw my @reply.
Why didn't you respond to it? I don't want to live my Twitter life like that. I've got enough platforms where that's the case already. Thank you very much.
GRAHAM CLULEY
Because we all love those emails, don't we, with read receipts or those ones where people put those secret tracking pixels in.
In fact, that's something which some people probably put a browser extension in place to try and prevent from happening.
DAVID MCCLELLAND
I certainly do. That is one of the extensions that I do have enabled, although that's got access to my complete Gmail inbox. Anyway, that's another story.
So I come to Twitter to chill, to take in information, to, you know, get access to news stories. Twitter and chill. Twitter and chill, yes.
GRAHAM CLULEY
We're so middle-aged.
DAVID MCCLELLAND
That's as good as it gets. I know. But I certainly don't go to Twitter for a guilt trip. You know, sometimes I don't want to reply to conversations, at least not immediately.
I want to do them in my own time. And a change like this, certainly would change that. But also, not everybody on Twitter plays nicely, and it's— Really? Yeah, really.
And there were certainly a lot of objections to this post from Sarah all across the internet.
So, for example, if I'm a troll— and I disagree with the term troll for various reasons, that's another story— but if I'm a troll—
GRAHAM CLULEY
I'm quite interested in that.
DAVID MCCLELLAND
Oh, okay.
GRAHAM CLULEY
Are you from the Royal Society of Prevention of Cruelty to Trolls or something?
CAROLE THERIAULT
He's probably in pantomimes, and he probably has to play the troll and doesn't want to be disdained.
DAVID MCCLELLAND
Not this year. I do really like the film Trolls, but I think that's fantastic.
No, if we're going there, then trolling for me is a very specific kind of online interaction if you look back at the history of it.
And I think trolling is used as a bit of a shorthand for what is often online abuse. Yeah, it's hate speech, it's misogyny, it's sexism, it's racism.
And I think if we are going to stamp this stuff out on the internet, then we need to name that stuff what it is.
And sugarcoating it with the term trolling which can also mean more provocative, more playful interactions, I think is the wrong thing.
If it's hate speech, it's hate speech, and call it that.
GRAHAM CLULEY
I'm with you, brother. Yeah, agree with that.
CAROLE THERIAULT
But I don't— I have never thought of the word trolling as a sugarcoating. I think it has a really yucky connotation.
No, I've never heard it used in any kind of positive way where I thought, oh yeah, cool, thumbs up on that one.
DAVID MCCLELLAND
Yeah, I mean, I've done various bits of TV and investigations and stuff into trolling, in particular the history of trolling, the history of chat rooms, and the way that certain corners of the internet like to poke fun to try and get reactions from people.
And sometimes I think that that is— calling it healthy is perhaps a little bit too cozy, but sometimes it's not altogether a bad thing.
But if my intent is to abuse, if my intent is to harm somebody, to cause them emotional hurt, that isn't trolling in my book. It's hate crime. So there we go.
CAROLE THERIAULT
Graham, be careful.
DAVID MCCLELLAND
Anyway, there's a lot of that that takes place on Twitter. I think we all agree with that.
And if I can see that somebody is online, if I got that little green light that says that that person is online, then maybe I can start targeting them.
I can start hounding them, or maybe using that information about when they are and aren't online and offline to start building a profile about them for, I don't know, identity fraud or whatever.
And then I did see a tweet.
It was from Rob_Sheridan, and he replied to Jack, @JackDorsey, who's the big boss at Twitter, said, okay, everyone, Twitter has a serious problem with harassment and abuse.
Please fix it. Twitter, we're listening, and we've decided to make it easier for abusers to know when you're online. Yeah, so that's a bit of a shame.
So I guess this is a feature of Twitter that's just being tried out. As Sarah, to be fair, did say, will it be turned on by default? Would it be something you have to enable?
Graham, I saw also on Twitter that you, ever the consumer champion, you actually waded in directly with Sarah on this point, didn't you?
GRAHAM CLULEY
Yes, I did, because I was concerned as well that this might be turned on by default and that we'd have to opt out of it, which is the normal way that social networks work, isn't it?
And she replied saying, don't worry, users are going to have full control over the option. I thought, hang on, and she kept on saying you'll have full control of it.
I thought, well, what does that actually mean? Does that mean you'll have the full control to turn it off, or full control to turn it on in the first place?
And I have to say, I was very pleased because she came back to me and she said, this will be opt-in, which is the right—
CAROLE THERIAULT
Now leave me alone!
GRAHAM CLULEY
Yeah, stop bugging me, Graham. Stop harassing me online. But yes, she's saying that it's going to be opt-in.
So that, I have to say, I can't imagine this is a feature that many people will want, to be honest. But I'm pleased to hear that it's going to be opt-in rather than opt-out.
That's the right way round.
I imagine Twitter itself is seeing the success of services like WhatsApp and Facebook Messenger and maybe it wants to get more into this instant messaging kind of game as a way of growing itself.
There's obviously the concern that this feature may slowly creep in and may become the default in future.
CAROLE THERIAULT
You know what? I like that you used that word because that's what I think this is, creepy.
People might find it useful, but I think about the creep factor of what it's suggesting, and how is it going to change our behavior online? And people are already a bit wary.
It's just asking more of us and tracking us more.
GRAHAM CLULEY
And as David says, there's so much unpleasantness on Twitter right now already. I can see this being abused.
CAROLE THERIAULT
So not in my echo chamber. I just have flowers, butterflies, trees.
DAVID MCCLELLAND
Speaking of echo chambers, Graham, I also noticed that you have found a different echo chamber that you're trying to hang out in as well. Tell me about Mastodon.
GRAHAM CLULEY
Yeah, Mastodon's quite nice. Do you know what a mastodon is, Carole?
CAROLE THERIAULT
No, I have no idea.
GRAHAM CLULEY
I think a mastodon is some kind of elephant-like creature, like a mammoth or something like that. Anyway, Mastodon is a bit like Star Trek: The Next Generation.
So everybody likes each other, all the countries around the world. So it's a Twitter alternative. I haven't explained this very well.
CAROLE THERIAULT
No, I have no idea.
GRAHAM CLULEY
Mastodon is an alternative to Twitter and it's ad-free.
Free, and anyone can set up their own little Mastodon pod, which connects to all the other Mastodon pods, and you can post your little statuses.
You have up to 500 characters on Mastodon.
And there are third-party apps which aren't being blocked as to what they can do, whereas a lot of the Twitter apps at the moment are basically having their goolies chopped off by Twitter and prevented from doing things.
CAROLE THERIAULT
Are you sneaking your pick of the week in early?
GRAHAM CLULEY
No, no, this isn't my pick of the week, but I would say to people, you might want to try out Mastodon.
It's quite interesting, and certainly you get the feeling that it's being driven more by privacy concerns. And at the moment there's no Nazis who are pitching it.
CAROLE THERIAULT
Or just kick social on the shins and, you know, go outside.
GRAHAM CLULEY
Well, yeah, a bit of vitamin D in everyone's diet never does any harm, does it?
CAROLE THERIAULT
Listen to a podcast while you're, you know, breathing the fresh air.
GRAHAM CLULEY
Yes, exactly.
DAVID MCCLELLAND
Take the podcast.
CAROLE THERIAULT
Hallelujah.
GRAHAM CLULEY
Carole, what is your story for us this week?
CAROLE THERIAULT
Well, you guys may have seen other parents dancing in the streets as kids head back to school, right? I'm free! I'm finally free!
So to my memory, the first few weeks of school are pretty much a doddle academically, right?
I mean, it's a while before students have to start facing the dreaded tests and examinations.
CAROLE THERIAULT
Tests and examinations. Some people really excel in those environments. I wasn't bad, but others might be well tempted to cheat, right, in these tests?
GRAHAM CLULEY
No, piff-paff, surely no one cheats.
CAROLE THERIAULT
Did you guys ever cheat? Seriously, time to come clean. Sorry, did you guys ever cheat in school?
GRAHAM CLULEY
So there's a bit of a problem with the connection.
CAROLE THERIAULT
Okay, I'll ask David instead.
DAVID MCCLELLAND
You're only cheating yourself.
CAROLE THERIAULT
Did you never cheat?
DAVID MCCLELLAND
I don't think so. I mean, we literally had, you know, there were no calculators in our exams. It was pencils and paper and stuff, as I remember.
CAROLE THERIAULT
Okay, I cheated, and I'll tell you how I did it. Oh yeah, reveal how I did it.
CAROLE THERIAULT
So I especially cheated in classes where I'd have to memorize terms and then remember how to spell them, right? Things like — I remember one was hemophiliac.
I just could never remember exactly how to get — I knew I'd get it mixed up. And there was another one was metamorphosis. That was another one.
And so how I pulled it off was using a sharp H2 pencil, which was very important.
I would write the word very tiny so my teacher probably wouldn't be able to read it on my eraser, my Staedtler eraser.
And then if I felt I was in the danger of getting caught, I would just frantically start erasing. Evidence gone. Boom, right?
DAVID MCCLELLAND
Don't try this at home, kids.
CAROLE THERIAULT
Well, they probably don't even use pencils and erasers anymore. Now cheating is on the rise. Apparently people cheating last summer was up 25% over the previous year.
And a recent report involving 25,000 students in the States reported that 95% of students said they participated in some form of cheating, be it a test, plagiarism, or copying homework.
And the culprit everyone is pointing the finger at is, I'm sure you can guess, technology, right? So say hello to what some people are calling smart cheating.
GRAHAM CLULEY
Smart cheating.
CAROLE THERIAULT
Yep, I know. So it's not just phones, right? So there was a case of smart calculators being hacked to store lots and lots of cheat sheets.
Smart glasses can be used to send information to a third party, and then the answer arrives by text on your smartwatch.
GRAHAM CLULEY
I used to know how to program my calculator to display the word boobies.
CAROLE THERIAULT
I could do that too.
GRAHAM CLULEY
Would have been useful in biology or something like that, I expect.
CAROLE THERIAULT
I'm not sure that's the technical term.
CAROLE THERIAULT
Now, some kids even use high-frequency ringtones. These are ringtones that are outside the hearing range of an adult.
CAROLE THERIAULT
And they actually can answer the phone and get the answers and get some help.
GRAHAM CLULEY
No, come on, what are you talking about? These are people in the exam hall, yeah. And so the phone does a very high-pitched squeak.
CAROLE THERIAULT
That you can't hear, outside your hearing.
GRAHAM CLULEY
Okay, but presumably it's not outside my vision to see a student pick up their phone and say, "Yep, okay, so I've got question 14 here."
CAROLE THERIAULT
Well, Graham, I don't know if you ever were in university doing a test in a big student hall. I think you do know. But, you know, I do feel for the teachers. Spotting cheaters is difficult.
GRAHAM CLULEY
But if they're having a conversation with someone and asking them, "When was the Battle of Hastings?" "When?"
CAROLE THERIAULT
"What?" Yeah.
GRAHAM CLULEY
It's not like they can say it in a really high-pitched tone, is it? It's not like they're a dolphin.
CAROLE THERIAULT
So now you can even check this out. If you're online, and you're probably still Googling, David, go and Google photomath.net.
It's an app where you basically put your phone over the actual math problem and it will just show the answer.
DAVID MCCLELLAND
I'm looking at this now and I'm agog.
CAROLE THERIAULT
Great for math homework.
DAVID MCCLELLAND
It's not just 2 and 2 is 4.
DAVID MCCLELLAND
There's some serious equations and squiggles that I've not got a clue about, frankly.
GRAHAM CLULEY
Oh, long division.
DAVID MCCLELLAND
Yes! And there's—
CAROLE THERIAULT
Logarithms!
DAVID MCCLELLAND
There's some cosines and tangents and square roots and all sorts of things. And this app, it's an augmented reality app, or Word Lens or whatever it is.
And it's just solving it almost instantly just by putting your phone to the math book.
And there's no explanation on this website about trying to pretend that it has a use other than just for cheating doing homework.
CAROLE THERIAULT
Yeah, so parents, when your kids run upstairs and bounce down the stairs five minutes later having finished their math homework, check their phone.
GRAHAM CLULEY
I'm looking at the website as well. It's got a little animated video on the front page. I mean, it is very impressive, this kind of technology.
But are people allowed to take their phones into exams?
CAROLE THERIAULT
Very good question. You fell into my trap, right? Because exactly, the easy answer seems just ban tech from the testing room.
But the problem is a lot of tests are now being given online. This makes the taking and the marking of the tests easier, and it makes them more standardized across the board.
And this is kind of important because students are basically relatively ranked to establish their academic standing or potential for university or post-education or jobs.
But how do you control the cheating? Many schools can't afford to hand out clean lockdown laptops to students for every test, right? Of course not.
And all these tests, of course, they can't — we're not talking air-gapped computers because these are online tests that require access to internet services.
So students are being asked to bring in their own laptops or devices. And here is the crux: how is the school supposed to lock down devices outside their immediate control?
GRAHAM CLULEY
Okay, so I've got a great answer for you. They could install a browser plugin, and the browser plugin would be mandatory to do the online test.
And that would be monitoring all your other tabs and other processes running on the — you'd have to give it a lot of power, of course, and you'd have to trust it that it didn't go rogue.
But that could make — we see this actually in — sorry to be nerdy for a moment — we see this actually in online chess tournaments because there's a big problem with people cheating in chess.
If I was a good chess player, I wouldn't be allowed to take my phone with me, and it would have to be switched off, and no technology hidden in the toilets.
But there's this problem now of online chess tournaments, and what some of the big sites do where you can watch the grandmasters playing each other is they have a webcam on the grandmaster as well, watching their face, and they actually monitor their eye movement, and they have other ways of determining whether there is dodginess going on, because of course it could be a little sneaky plugin in the corner which is processing the online chessboard and working out which the best move is.
CAROLE THERIAULT
Now, Graham, I would like to ask you to get your big bag of popcorn and listen to this, because it's not as far-fetched. The same things are happening in school. All right, cool.
So, I have two examples. There's a number of examples out there because obviously this is a tech problem, right?
And of course, not far behind tech problems, there's all sorts of tech responses, especially if it's going to make some money.
So, there's a few little options out there, but I wanted to share two with you today.
And I want you two, because you both are daddies, so I want you to kind of think about, hey, if this was my kid with his device or her device, you know, how would I feel about this as a parent?
Okay. Example number 1, Microsoft. So under Windows 10, it has an offering called Take a Test. And, but you have a secure browser.
Effectively, they have their own user, which bans you from going to the desktop or accessing any copying and pasting or searching opportunities.
You're basically locked into that session. Oh, okay. Kind of maybe a guest session, you know, a kind of lockdown guest session on a computer. Right.
The only problem with that approach is, of course, it only works on Windows 10, right? Now, let me give you another example. This is an online company called ProctorU.
This is a digital—
GRAHAM CLULEY
Proctor? ProctorU. Doctor Who? Proctor Who?
CAROLE THERIAULT
ProctorU. This digital service describes itself as the go-to source for online Identity and Exam Integrity. Sounds pretty good, right?
Now, they boast that ProctorU provides secure and live automated online proctoring services for academics and professional organizations, similar to what you were talking about, Graham.
Let me show you how this works. It's remote proctoring.
What I mean is there's a person in a remote location sitting and monitoring the student and the surroundings as they do the exam.
Now, I was looking around online, found a number of little complaints about ProctorU, so I started— I thought, go to their terms and services.
That's where they actually have to tell you exactly what's going on. And I'll paraphrase a bit, lose the legalese, but in the show notes you can read them for yourself.
So ProctorU will remotely connect to your computer in order to monitor your computer screens and premises. Proctors will view you and your surroundings via webcam.
Them or other means by listening to you or monitoring your computer screen. You agree to maintain audio contact during the entire session.
ProctorU may record your entire session, and you acknowledge that ProctorU is not responsible for anything that appears on your webcam or desktop.
And you consent to all such monitoring until you take the, quote, affirmative action of disconnecting completely from all services, quote.
So it's your responsibility to disconnect from the services, and unless and until you disconnect from the services, they can continue to be monitoring and recording you.
So I was like, what the heck? This seems a bit bizarre. So I was looking around. Redditor Mr. C. Backs calls it blatantly malware, and he says he refuses it for his class.
He wrote a comment saying that he decompiled and deobfuscated the ProctorU software, and his findings.
Quote, it makes a foreign call to a server and downloads a rootkit for your specific OS. Oh, that's nice. Linux included. It requires you to run Chrome as root.
They literally pay people to sit there and stare at you through your webcam while you take the test. So any thoughts on that approach?
We have the Microsoft approach, a kind of secure browser session, and then you have this more outrageous—
GRAHAM CLULEY
It's basically the proctor that's sort of asking for backdoor access to your computer, isn't it?
As you've already insinuated, I didn't actually make it to a proper university in my life.
CAROLE THERIAULT
We still love you a lot of the time.
GRAHAM CLULEY
I've never heard of this word proctoring before, and that has rather distracted me. But I've just looked it up. No, I don't know.
Is this a North Americanism, or is this just my ignorance?
CAROLE THERIAULT
Well, okay, I have to defer to David for the UK, but I certainly have used it my whole life. So this is—
DAVID MCCLELLAND
It's not something I've come across.
CAROLE THERIAULT
Maybe it's an American one then. Maybe it is.
GRAHAM CLULEY
So this is when you supervise or invigilate? Invigilate, exactly. It's like an invigilator. A test, because I must say, I had rather more grubby thoughts as to what it could be.
CAROLE THERIAULT
You have to remember this software has— I'm trying to bring you back on point. The problem is this is your daughter or son's computer, their own device, right?
And in order to take the exam, you need to install this software that is installing, you know, it's an EXE you're installing onto your system that has access to basically block services when the session is on.
GRAHAM CLULEY
From the security point of view, I mean, it just sends shivers down our spine, doesn't it? It sounds like a recipe for disaster.
It sounds like the kind of thing which is going to have some security hole or vulnerability or be exploited in some fashion.
And then it's the most vulnerable members of society, the young people, who ultimately are going to find themselves exposed or have their information stolen from them.
CAROLE THERIAULT
And in the ProctorU terms, they also say, oh, and we will be collecting information about you and sharing it with third-party affiliates. Thank you. Oh, ransomware. So—
GRAHAM CLULEY
You know, it feels to me like this isn't a great solution.
I mean, ultimately, if people want to cheat, Carole, as you did with your eraser trick, they're going to cheat, aren't they?
Even if they have a locked-down computer, if they're doing it remotely from home or something, they could have another device right next to it, which is helping them answer the questions.
Maybe the solution is to look for unusual behavior.
CAROLE THERIAULT
Well, that's what these remote proctors are doing. They're watching your facial expressions. They're watching what's going on around you with people next to you in the game.
You know, and they're making a call and they're locking you out of the system if they feel that you are not abiding by their regulations.
GRAHAM CLULEY
But what I'm thinking is, if you were monitoring in a less techie way the success of pupils during the course of the academic year, and you have some sort of projection as to how good they are at long division and all the rest of it, if they suddenly get a 100% score in an exam, then that may lead you to think, hang on a minute, they've done an awful lot better than we expected, and that maybe will cause deeper investigation as to what may have happened in that particular test.
CAROLE THERIAULT
Yeah, we had some scary, scary invigilators.
We had one that used to walk around slamming his cane into his hand as he walked around through the aisles, and it's just so you hear this thwack.
And so you did not cheat, you know, you could hear it getting closer and further. But another one would throw erasers. Yeah, so you see, you guys have it easy now, kids.
So easy these days.
GRAHAM CLULEY
They weren't erasers with words carved into them.
CAROLE THERIAULT
The thing is, okay, I know this is controversial, I'd kind of say cheating may not be as bad as all that because it takes some advanced skill to be an excellent cheater, right?
I mean, obviously I'm pretty top drawer. And who knows, it turns out that outright cheaters can now become president of the United States. So, you know, I think why not?
GRAHAM CLULEY
Go for it, right? I'm not sure that's the kind of cheating he was doing, is it?
CAROLE THERIAULT
Oh yeah, I'm sure he got straight A's and earned every one.
Hey, Graham.
GRAHAM CLULEY
Hey, Carole.
CAROLE THERIAULT
I have a question for you about these password manager things you keep talking about.
GRAHAM CLULEY
All right, go on then, shoot.
CAROLE THERIAULT
What happens if you forget your master password? What are you gonna do about that?
GRAHAM CLULEY
Oh, you think you're really clever, don't you? Yeah. You think if you've forgotten your master password, you can't access any of your other passwords anymore.
Well, piff-paff-poof, Carole, because if you're running LastPass Enterprise, you can integrate your password manager with Microsoft Active Directory.
And that means the same password that your employees are already comfortable with using to log into your system will unlock everything.
It will unlock their passwords, it will unlock their Word, Sophos Network makes it super easy to bring LastPass into your enterprise.
CAROLE THERIAULT
Seriously? And it's still super safe?
GRAHAM CLULEY
It's still super safe.
CAROLE THERIAULT
Wow! That's kind of cool.
GRAHAM CLULEY
It's a great way of getting new employees using passwords more safely and securely. Rock on LastPass, I say!
And Carole, if you, or indeed our listeners, want to try it for themselves, all they need to do is go to lastpass.com/smashingsecurity. And welcome back.
Can you join us at our favorite time of the show? The part of the show that we like to call Pick of the Week.
DAVID MCCLELLAND
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.
It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like.
Doesn't have to be security related necessarily.
CAROLE THERIAULT
Should not be. Should never be.
GRAHAM CLULEY
Well, my pick of the week this week is not security related.
Do you remember a few weeks ago I told you about this website which told you about how to find good shows on Netflix and Amazon Prime?
CAROLE THERIAULT
Yes, I've used it actually.
GRAHAM CLULEY
It's a very, very good pick of the week. Well, thank you very much.
I've been trying it as well, and I found a documentary which came out a couple of years ago called Tower, and it's an unusual documentary.
CAROLE THERIAULT
Oh, you told me about this.
GRAHAM CLULEY
Yeah, it's about the 1966... It's a bit of a grim subject, I'm sorry about that. It's about the 1966 shooting from the University of Texas's clock tower.
Now I love a good documentary and this is a superb documentary.
And what makes it unusual was that the filmmakers had a particular challenge because they were able to interview people who are still alive, obviously, but there wasn't very much footage of the actual event.
So how were they going to do this? And they could have dramatized it in a traditional kind of reconstruction sort of way, but they—
CAROLE THERIAULT
With really bad actors and bad lighting.
GRAHAM CLULEY
You know what the kind of, you know, sort of, yeah, Forensic Files style. But they didn't do that.
Instead, what they did was they filmed actors, but they then later animated them with rotoscoping. So much of the documentary—
CAROLE THERIAULT
Rotoscoping?
GRAHAM CLULEY
Yeah, that's when I think they did it in that Lord of the Rings cartoon movie, which came out in the late '70s or early '80s.
That may have been one of the first cases where they actually record you, so they know how you move and how you talk and all the rest of it.
But they sort of— they get their tracing paper out, Carole, and they sort of draw your outline, and you end up with something which is moving in a human kind of way, but it's actually an animation.
So that's what they did with this, and they have young actors who are reenacting what happened, and they're speaking straight to camera, but they're animated.
Animated, and they're saying the words of the interviewees who were obviously interviewed 50 years later for the movie.
And it gives a real immediacy to their memories because it's like they're talking about it when they were young, when it actually happened.
And there is a particularly moving part of the documentary which still sends chills down my spine thinking about it. You're watching—
CAROLE THERIAULT
Oh, tell us!
DAVID MCCLELLAND
Oh, I want to! Are you going to tell us?
GRAHAM CLULEY
Yeah, I'm going to.
You're watching an animated young woman describing her experience, and suddenly the film cuts to a real-life filmed interview with the actual victim as she is today, 50 years older, continuing the sentence.
And you're suddenly sort of brought— it's given me chills right now. It just becomes so real.
CAROLE THERIAULT
It's a hard thing to describe. It's more something you have to see.
GRAHAM CLULEY
It is something you have to see. And I don't think I've given away much by telling you that, but I would really recommend it. It is superbly done.
So it's called Tower, it's on Netflix, very interesting and very touching. So that wasn't very cheery, was it?
But that is, that was, I have to say, one of the best documentaries I've seen for a while, so I'd recommend it. David, what is your pick of the week?
DAVID MCCLELLAND
My pick of the week is definitely not security related. Good, David. It is an app.
Now, I don't know if it's only in our family, but it would appear as though my wife and I have often infuriatingly different perceptions of colour.
So, for example— yeah, okay, go with me here— so, for example, she might say something, "Darling, could you grab my blue coat from the hallway?" And I will get her distinctly blue coat from said hallway, and upon handing over said distinctly blue coat, I will get berated for picking up her obviously green coat.
Obviously green.
GRAHAM CLULEY
That particular shade of green known as obviously green.
CAROLE THERIAULT
I was thinking because you've just moved house, right? So I was thinking that you would be having the fights over the paint colour.
DAVID MCCLELLAND
Oh no, we have had that, yes. Curtains, actually.
And this was a particular conversation that we had in bed looking at the new curtains, and I was saying, oh, you know, that the curtains, they go nicely, the green on the curtain goes nicely with the green on the bedsheet.
CAROLE THERIAULT
It's not green, David! Were you there?
DAVID MCCLELLAND
This is weird. So I swore blind that this color on our curtains was in fact green. Yes, okay, see what I did there? I swore that it was green. She said, no, it's not.
So I said, right, there has to be an app for this.
Now, what I would say is that I know that generations of genetics mean that men are more prone to color blindness, but I don't think that that's what it is, because I don't have this problem with anyone else, and it's just that we're dim, isn't it?
It's just that perhaps, perhaps that's it. So what I found was an app called Clone Live Color Picker, and it's a really simple app for iPhone.
I think it's on Android as well, and it's certainly helped to douse one or two arguments in our house already.
At its most basic, it uses your phone's camera or a picture that you've taken on your camera roll or something that you screen grab from a website or whatever, and it tells you the color that you point or tap to, and it'll give you that in RGB or CMYK, hex, hue, saturation, brightness, and it'll even tell you the closest official Pantone color.
That's what you want. Exactly.
CAROLE THERIAULT
And you don't care. Yeah, you don't want to argue.
DAVID MCCLELLAND
Yeah. And you want the words. Oh no. And some of the words are amazing as well.
You can change the color temperature if you're not sure your camera's quite got it right, and it'll even suggest some complementary colors that fit into the same palette.
And it's got a colorblind mode, so it just highlights the basic color, so it'll tell you if it's red, green, or blue in the live view mode. Yeah, it's really, really good.
It's also really well designed, as you would expect an arty app to be, and believe it or not, it's actually quite addictive.
You know, once you start pointing it at things around your house and you see some of the weird and wonderful color names that these things have, like Blaze and Epic and Swirl.
You're like, what?
CAROLE THERIAULT
So, okay, do you have the phone with you now? Do you have this app right now near you?
DAVID MCCLELLAND
I do indeed. Let me open it up.
CAROLE THERIAULT
Could you—I'm trying to think of something. So could you do the back of your hand? Oh, I just want to see.
DAVID MCCLELLAND
Yeah, let's see. Okay, I'm doing this right now. Whatever. Yeah, okay, I'm getting, depending on which bit of my hand I'm looking at, I'm getting Santa Fe spicy, spicy mix.
And oh, this one's a little bit less salubrious: wax flower.
CAROLE THERIAULT
That's, that's what I've always thought.
GRAHAM CLULEY
David, David, I've got a good one for you to try out. Do you remember The Dress from a few years ago?
DAVID MCCLELLAND
Oh yes, of course.
GRAHAM CLULEY
The black—it was a dress and people were arguing as to whether it was black and blue stripes or white and gold stripes.
So if you go and check out, we can settle this argument right now. Okay, is it black and blue or white and gold?
DAVID MCCLELLAND
I'm going in right now. So here's the original dress that I'm looking at on Wikipedia, and I'm pointing my phone at it now, and drum roll. Oh gosh, it changes. So rock—What? Rock.
I'm getting rock blue. And then I move down here and I get light slate grey. So rock blue and light slate grey are the two kind of main colors on that dress.
GRAHAM CLULEY
But there's no white or goldish sort of color there. Maybe we've—
DAVID MCCLELLAND
Anyway, do you know what? It's a really good, interesting sort of browsing color app. It's not going to change your life unless you have lots of arguments with your wife.
And I should say—
GRAHAM CLULEY
It will change my life, trust me. This is quite useful.
DAVID MCCLELLAND
The Pantone color for my wife's coat definitely reads a shade of blue, but apparently me and the app are both still wrong.
GRAHAM CLULEY
Boom! Was the app written by a man? You see, that's what you have to ask yourself. Was it a man who can't really tell colours at all?
DAVID MCCLELLAND
I can't remember. Was Pantone sorted out by the colour, by men who may have colour blindness? I don't know.
GRAHAM CLULEY
So, Carole, what's your pick of the week?
CAROLE THERIAULT
Well, okay, controversial. I'm breaking a few rules here. Security related. No, it's not security related. This is a gizmo, one that I do not own or haven't even played with. Controversial.
GRAHAM CLULEY
So you're recommending something that you have no experience of?
CAROLE THERIAULT
I'm strongly incentivised to learn more about it. And I think it's worth recommending to you at this stage, darling listener and hosts, that you do the same.
Okay, so hold your breath and you let me know at the end. So this is an innovative startup company called Altered. These guys make taps or faucets.
My grandmother always used to hate that word faucet, and I hate it too. I don't have no idea why.
Now Altered, they make taps and they call them Nozzle, and it's a patented technique to develop affordable water-saving for people. It reduces water use by over 90%. 9-0.
How do they do this? Well, I'm quoting founder Kaj Mikosch, who explained to Nordic Business Insider, an ordinary tap loses 10 to 12 litres of water per running minute.
Okay, that's a lot of water. Only a small part of that touches your hands or rinses off the plate.
Now he says, my idea was to atomise the water so that every drop gets its own surface. At the same time, increased speed, you get a bigger effect out of every single drop.
Pretty cool, right? So this saves an average— you did a few tests in the States, right? Saves an average of 50,000 litres of water a year per household. That's a serious saving.
DAVID MCCLELLAND
Yeah, but, and I get that if you're washing your hands or doing something like that. But what if I just want a glass of water?
GRAHAM CLULEY
Yeah, my wife drinks a lot of tea every day. How's this going to help fill in the kettle?
CAROLE THERIAULT
Is it not? This is not— this is the kind of nozzle that fits over your tap, right? And it's cheap. You can get it for around €30 or maybe $50.
And companies like IKEA have adopted the tech to create their own tap offering using the same technology. So it's worth a gander, don't you think, boys?
90% of water is going to water one? I've looked into it, yeah, because I've done research for this episode and I am getting one. So I'll let you know in a few weeks how I—
GRAHAM CLULEY
Are you on some kind of commission or something? What's the—
CAROLE THERIAULT
No, no, I haven't even talked to them. Never talked to anyone at the company before.
GRAHAM CLULEY
Okay, so it's gonna create some sort of spray, so it's droplets rather than—
CAROLE THERIAULT
Oh, why don't— Here, should I send you a video?
GRAHAM CLULEY
Is that what I need to do? Send me a video. There you go. Okay, let's check it out.
DAVID MCCLELLAND
Ah, they've got— they do have a dual flow option here as well, I see. Okay, so this fixes my filling a glass of water or a saucepan problem. You just twist it around.
GRAHAM CLULEY
Give it a little twiddle.
CAROLE THERIAULT
Yep. Give a twiddle.
GRAHAM CLULEY
Yes, it's like a— It's kind of cool. It's a spray when you're washing your hands and then you—
CAROLE THERIAULT
Atomisation. Very cool, Cruel. I think a nice saving of over 90% of water would be a good thing for all of us to think about. So there you go. Save money, be responsible.
GRAHAM CLULEY
Boom. Well, that just about wraps it up for this week's episode of Smashing Security. David, thank you for joining us.
If people want to follow you online or find out what you're up to, what is the best way to do that?
DAVID MCCLELLAND
Well, probably on Twitter.
I can't guarantee that I'm going to be online all that much, but @DavidMcClelland, all the C's, all the L's with a couple of vowels chucked in for good measure.
GRAHAM CLULEY
And on Twitter you can follow us as well, @SmashInSecurity, no G. Twitter wouldn't allow us to have a G. We've got an online store. Remember our revamped store?
There's all kinds of goodies up there. And you can get t-shirts and mugs and stickers and goodies at smashingsecurity.com/store. And if you show, what should people do, Carole?
CAROLE THERIAULT
They should definitely give us a review, listen to old episodes, send us story ideas, give us 5 stars, the whole caboodle.
GRAHAM CLULEY
Until next time, cheerio, bye-bye, bye everybody.