Twitter and the not-so-ethical hacking of celebrity accounts, study discovers how you can pay someone to quit Facebook for a year, and the millions of dollars you can make from uncovering software vulnerabilities.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.
Follow the show on Twitter at @SmashinSecurity, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: Maria Varmazis.
Sponsored By:
- Recorded Future: For anyone who is baffled by threat intelligence, and the benefits that it can bring to your company, this is the book for you.
- "The Threat Intelligence Handbook" is an easy-to-read guide that will help you understand why threat intelligence is an essential part of every organisation's defence against the latest cyber attacks.
- Download it for free at smashingsecurity.com/intelligence
- LastPass: LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
- But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
- Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Links:
- Dad pays girl $200 to give up Facebook — YouTube.
- How much is social media worth? Estimating the value of Facebook by paying users to stop using it — PLOS.
- Being paid to quit Facebook — Graham Cluley.
- This account has been hijacked (temporarily)! — Insinia.
- Security firm hijacks high-profile Twitter accounts — BBC News.
- 'Serious' Twitter flaw allows hackers to post on other people's accounts — Computer Weekly.
- Twitter is Broken — The AntiSocial Engineer.
- About Twitter's SMS PIN feature — Twitter.
- How to Tweet via text message — Twitter.
- Earn $2,000,000 by remotely jailbreaking an iPhone — Graham Cluley.
- Zerodium Offers $2 Million for iOS Hacks, $1 Million for Chat App Exploits — Security Week.
- Life as a bug bounty hunter: a struggle every day, just to get paid — MIT Technology Review.
- Yahoo changes bug bounty policy following 't-shirt gate' — ZDNet.
- Equifax Was Warned — Motherboard.
- Remove Background from Image - remove.bg.
- 'Tidying Up With Marie Kondo' Is a Quiet Delight — The Atlantic.
- Tidying Up with Marie Kondo | Official Trailer — YouTube.
- Bear Brook podcast.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
MARIA VARMAZIS. As an American, I have no idea who there is.
GRAHAM CLULEY. I've sat behind Louis Theroux on an aeroplane.
MARIA. It's like we're there right now. Did you try and lick his hair?
No. Is that a thing that you normally do?
GRAHAM. Smashing Security, episode 110. What? You can get paid to leave Facebook with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 110. My name is Graham Cluley.
And I'm Carole Theriault. And we're joined for this brand new 2019 episode by our returning special guest. It's Maria Varmazis. Hello, Maria. Hello. Hello, Maria. Hello, Carole.
CAROLE THERIAULT. Welcome back. How are you?
MARIA. I am great. Let's do the whole podcast this way. Let's keep it up. Oh, my God. I could do it.
GRAHAM. Yes, right. So everything good with you, Maria? You had a good break?
MARIA. Oh, it was made extra special by receiving some Texan single malt whiskey in the mail from a listener named Adam, who's a buddy of mine. So thank you, Adam. Sorry, a Smashing Security listener. Yes. Sorry. Sent you whiskey. Yes. Which I'm totally open to receiving at any time from all listeners, for the record.
GRAHAM. So hang on, hang on. This is my 110th episode, and no one sent me any whiskey. Carole, how many bottles of whiskey have you received? I'd rather not say. Oh, okay. Okay, no, release zero.
CAROLE. Actually, I don't mind because I'm not drinking at the moment. This is 2019 New Year's resolution. Oh, for the whole year or just for January? January. What, if I make it to the end of the week, it's a hurrah moment.
MARIA. Some people try to go all of January without drinking. It's a thing. Yeah, good luck with that.
CAROLE. Now, we have a doozy of a show for you this week. Graham tries to find out how much it would cost to get Maria off Facebook. No. Maria slaps Twitter's fingers for ignoring a reported problem with their service for more than six years. And I look into bug bounty programs. Turns out they're not all created equal. All this and much more coming up on Smashing Security.
GRAHAM. part of every organization's defense against the latest cyber attacks. Download your free copy now by visiting smashingsecurity.com slash intelligence.
CAROLE. Are you not running a password manager in your organization? What are you thinking? May I invite you to check out LastPass Enterprise? Just go to this URL, lastpass.com slash smashing. God, I find that so hard to say. LastPass.com slash smashing. Here you can learn all about what password managers can do for your firm. You can download a Forrester report all about the topic. And you can learn more about LastPass Enterprise. I mean, if you want to solve poor password hygiene, if you fancy securing every password-protected entry port in your business, then put on your digital skates and slide on over to LastPass.com slash smashing. I use them, I heart them, so you should check them out. On with the show.
GRAHAM. Maria, the big question, it's on everyone's lips, is do you have a New Year's resolution?
MARIA. Hell no. Absolutely not. Have you ever done, ever had one? I'm sure when I was more optimistic, yes, but I now know it's just setting myself up for failure, so I just don't bother.
GRAHAM. Okay. Well, look, we are going to suggest one to you, and that is to get you off Facebook once and for all for your sanity. I see. To protect you. It's good for you. This actually is an intervention. You thought you were coming on as a podcast guest. Oh, no. It's all a setup.
CAROLE. Is that why my mom's here? Yeah. Sit down and buckle up, Maria. That's it.
GRAHAM. We'll buckle you up around the back, actually. This is the thing, right? We want to wean people off Facebook for their own sanity. And I'm interested in what it would actually take. Could I bribe you, Maria, with money to leave Facebook? Ooh, interesting concept. How much would it cost to pull you off Facebook?
MARIA. I mean, technically nothing, but I don't know. I've never thought about it. Yeah. Well, think about how much value you get out of it. Very little. So, 500 bucks?
GRAHAM. Could you quit for a year for 500 of your US dollars?
MARIA. Of my US dollars, which is now worth very little. Thank you, stock market.
GRAHAM. Well, compared to British pounds, I think 500 bucks is worth about 97,000 British pounds, I believe.
MARIA. What about Zimbabwean dollars? Are we there yet? 2 billion?
GRAHAM. Anyway, listen. Some people are actually turning to money as an incentive to quit Facebook. Six years ago, for instance, there was a news report about a chap called Paul Baier, and his teenage daughter was getting a little bit sick of Facebook. And so she asked him, hey, Dad, would you pay me $200 to quit Facebook? Presumably she said it in a Boston accent. Where is she from? I think she's sort of Massachusetts.
MARIA. Yeah, they're from Wellesley, so they don't talk like that in Wellesley. No one talks like that.
GRAHAM. Anyway, he agreed and he wrote up a contract, which he got her to sign, as he told a TV station.
ROBOT. It turns out that Paul Baier's 14 year old daughter was serious about quitting Facebook. So earlier this week, the Wellesley father and daughter signed a contract. And I'll have access to Facebook.
MARIA. Oh, I love the bit where they have a laptop bouncing on the hood of the news van. It's like this is what a computer is. This is what Facebook looks like for those at home who don't know.
ROBOT. She's pretty good about honoring a contract.
MARIA. Oh, and the guy's got a socks cap on in the store. I love my own statement. It's so predictable.
CAROLE. So she wants to leave Facebook and she wants to get paid to do it. Not bad.
GRAHAM. Yeah, as a little incentive. And he agreed. Amazing.
Now, it got me thinking, you know, how much would it take to get people to quit Facebook? How much money would they have to be given? And it's not just me who's thinking this. A series of boffins have also been exploring this question, and they have determined in a brand new study that the average person would need to be paid more than one thousand US dollars to agree to stop using the social network.
CAROLE. God, I feel so cheap now. I did it for free.
GRAHAM. It'd be good, wouldn't it, if there was some charity which popped up and said, oh, yeah, we'll look out. You know, you could give your money to the starving in Africa or to—
CAROLE. To Carole Theriault, who gave up—
GRAHAM. Facebook for a year. Exactly. We do a charity song for Carole because she's given up on Facebook.
MARIA. Do they know that Facebook really sucks?
GRAHAM. Copyright. Get Bob Geldof on us now.
MARIA. Don't sue me. Please don't sue me.
GRAHAM. Now, this study by three economists and a social media researcher was published on the Public Library of Science website. And it describes how they ran a series of real-life auctions with real, genuine money. And they asked over 1,200 people to bid on how much money they would need to quit the social network for as little as an hour or even up to a year.
Now, the way this works, these sort of auctions, it's kind of crazy, isn't it? Because if you say, well, please give me $20,000, right? And I'll quit Facebook. That's not quite how—what happens is this. They give the money to the lowest bidder. So the lowest bidder who agrees to sell their Facebook access gets the amount of money of the second lowest bid. So in this way, people actually bid a realistic amount for what they would be happy to receive.
Sorry, don't follow. Do not compute.
MARIA. They're trying to get people to stop inflation on the bids, basically. So the people who lowball are probably the people who are closest to the real value.
GRAHAM. Right. So they commit in advance to agreeing for the price of the second lowest bid. So that cuts out the really stupid bids.
MARIA. Right, right, right. One million dollars.
GRAHAM. And it also cuts out anyone who puts out a really, really big bid as well. So you go for the second lowest one in this particular setup because you're giving something away. You're not actually trying to win something.
So to receive the cash, they had to show a page from their Facebook settings showing the date when they deactivated their account, and then when they reactivated their account, if they did bring it back after the year. And they were also told that their accounts would be checked throughout the year to ensure compliance.
Now, by checking it, surely you're activating it. Oh, no, I don't think it's not logging in. I think maybe you're Facebook friends with the boffins or something like that. They see if you're online or something. And they see, I imagine, or post.
Now, I find this all full of flaws, to be honest. As a sort of shyster myself, I'm instantly thinking, I'll say that I'll give up for a year, but of course you just create another account, don't you?
MARIA. Is that what you did with the Smashing Security podcast page? Is there a shadow podcast page? Hashing Smurdy.
GRAHAM. Anyway, obviously there are ways around this, right? It's not entirely foolproof, and you can imagine all kinds of ways in which you could game the system if you really, really wanted to.
They didn't really touch on that, but they do get this price of over $1,000. Now, some people refused to participate at all in the auction. They said, you know, frankly, any deactivation of our Facebook account for a year would be so crippling. It's just not something we would ever welcome.
CAROLE. I can imagine for small businesses, that's the case, right? I mean, there's loads of web presences out there that only exist on Facebook. So people have shops there and stuff. Yeah, I could see that.
GRAHAM. Yeah, this wasn't actually asking businesses. This was mostly asking sort of students, you know, just sort of lolling around, not doing very much, probably just updating their Instagram when they're not on Facebook. You know, it was those sort of people who are mostly being questioned.
Very scientifically explained. And some of them, of course, said, oh, give me fifty thousand dollars. They obviously hadn't understood the rules of the actual auction to realize that wasn't going to work. So they were kicked out as well.
But they ran three different auctions. The average bid for a year's worth of Facebook account deactivation was over $1,000.
So what it seems to me is that despite all of the scandals and the data privacy screw-ups we've seen over the last year and the headlines, the Cambridge Analytica, the vulnerabilities, the trolls from Russia, the fake news, the sloppy handling of private data, users are still valuing Facebook really highly. You can't imagine anyone actually paying $1,000 for Facebook, can you?
CAROLE. It's interesting how people use Facebook to stay connected. It is the biggest connection tool, isn't it, really?
MARIA. Yeah, it's got its tentacles in everything.
CAROLE. Yeah, it's what, two billion users or something?
MARIA. Yeah, it's not easy to extricate yourself from it. That's the problem that I have. So even if you barely use it anymore, getting off of it completely is a different story. You kind of have to leave a toe in, even if you're not really using it much.
GRAHAM. And I can understand. I mean, I don't know your reasons for being on Facebook, Maria, but I know you've got a young child, for instance.
MARIA. She's not on there, though.
GRAHAM. No, right. But maybe you want to keep people updated regarding, you know, you and what you're doing. You know, you can set your privacy. No, don't do it. What are you doing on Facebook?
MARIA. Coffee mornings? No, I honestly, it's most of my family lives very far away. And same thing with most of my friends, they've all scattered to the four corners of the earth to find their fortune. So I mainly just post bullshit memes on Facebook and leave comments on what my friends post. So they don't come to me to find out what's going on. But when people make an event or something, that's basically what I use it for. But I don't use it for photos. I don't post updates. I'm barely using it. So, yeah.
GRAHAM. But you're privacy conscious. You're security conscious. I wonder if it's not a thousand. What the hell are you doing, Maria? What would Facebook need to do to get people to leave in droves? What more could they possibly do to upset their users? How much more can they fuck up before you decide to leave?
MARIA. It's the critical mass of people. That's the problem. So I saw over the Christmas New Year's break, I saw a ton of people posting these long-winded statuses or notes saying, I'm going to leave Facebook because it's just gotten to be too much. And they were saying, here are all my reasons. And then every single one, a week after they said they would quit, they were going, I found out that I can't really quit because too many of you are still on here. I mean, it was so predictable. So I'd read all of these and go, yep, I know what's going to happen here. Make a big noise and then nobody leaves. It's just that everybody else is still on there, so you can't leave because where are you going to find your friends? Well, Graham and I are not there. Yeah, but you don't count.
GRAHAM. We don't count as friends. You don't count. We're podcasters.
MARIA. You're just voices on the ether, you know. Yes, it all comes out now in 2019.
GRAHAM. What needs to happen is everyone needs to leave at the same time. You need some kind of Jonestown scenario, some sort of solar temple cult saying on October 31st, the aliens are going to land. We're all going to die. So we have to drink this juice beforehand. The truth is, right? Well, this is the truth, as I say, is that Facebook is an addiction. But you know what? Why not go cold turkey right now? Yeah, Maria. But maybe going cold turkey is too difficult. Maybe just like some folks are giving up drink, or stopping smoking for a month. Maybe there should be a month when everyone tries to get past without logging into Facebook.
CAROLE. Yeah, just deactivate and see how long it takes you before you activate again. I am sure it is so slippery to reactivate. I'm sure all you can do is go to the pages. No Facebook February.
MARIA. Make a commitment. Yeah. I could try that. I could give that a shot.
GRAHAM. What? No Facebook in February?
MARIA. The thing is, though, I have two Facebook accounts.
GRAHAM. Oh, because you've got a work one or something.
MARIA. Yeah, I've got a work one and a personal one, basically. It's a personal one. Okay.
CAROLE. Yep. And you can come on at the end of February, maybe, and tell us how it was.
GRAHAM. We'll check up on you.
CAROLE. Yeah, I can do a Facebook February. Absolutely. Okay.
MARIA. I'm up for you, listeners. Okay. Can you? Because it's the shortest month of the year, so, you know.
CAROLE. Whatever gets you through, baby.
GRAHAM. Maria, what story have you got for us this week?
MARIA. Well, the long and short of it is, how nicely do you have to ask a company to fix a vulnerability if it's been around for, oh, I don't know, five, six, seven years? They haven't fixed it. It's been kicking around. What do you do?
CAROLE. Yeah, it's a crazy situation. The fact that when you go and report it and you don't hear anything back, what do you do? How frustrating.
MARIA. Yeah. I mean, do you just continue to ask nicely? Do you go tell the world? So there's a security firm called Insinia, and they wanted to highlight a longstanding Twitter bug that has existed for six years. And what they did, basically zero day style, is they hijacked the accounts of various celebrities and posted phony tweets to their accounts to demonstrate how the zero day worked, where I'm calling it a zero day, whatever if it is or not, you know, that's up for discussion.
CAROLE. Six-year-old zero day.
MARIA. Yeah, it's kind of weird to call it that. But they wanted to show it live. They wanted to do it live. So to do that, they actually posted funny tweets to accounts of a bunch of people who I do not know, but Louis Theroux, Simon Calder, Saira Khan, Eamonn Holmes. I don't know who these people are, but they're verified on Twitter. So I assume that they're very important.
GRAHAM. Very, very important. Well, I know who two of those are.
MARIA. Yeah, I know who two of those are, too. Okay, so their names you recognize. As an American, I have no idea who they are.
GRAHAM. I've sat behind Louis Theroux on an airplane.
MARIA. Did you try and lick his hair? Is that a thing that you normally do, Graham?
GRAHAM. I've sat on a sofa with Eamonn Holmes. So those are the two I know.
MARIA. Did you try to lick his hair? Okay, we need another podcast for this because I need to explore what's going on there.
That's okay. So Insinia was basically trying to show that there's a really remarkably simple problem with Twitter where if you know a user's phone number and that user has their phone number attached to their account, which many of us have for 2FA reasons, you can spoof a tweet or a retweet or a like to that person's account with very simple technical know-how, basically. So all you need to do is just basically send a text to Twitter with that person's phone number and a little bit of something else. And there you go, you've now posted a phony tweet to their Twitter account.
CAROLE. OMG, this has been lurking around for six years. Six something years and no one even cared?
It's madness, isn't it?
MARIA. So you know how we talked about in December about spammy promotional tweets on Twitter from accounts that have been hijacked? This to me seems a bit more under the radar, but sort of in that vein.
So you could post a nasty fake tweet to somebody's account and, yeah, they could notice it and then delete it later. But if that person's abandoned their account or something, you could really take over what they're putting out there and put all sorts of nasty shit out there in perpetuity.
Yeah, so that actually could be pretty dangerous if you think about it, malicious links or links to terrorist propaganda or you name it. That could get kind of gross pretty fast.
CAROLE. You know what? Ironically, if people did start doing that, Twitter would probably do something about it.
MARIA. Interesting you say that. So Insinia said, you know, we've been waiting six years and rattling cans and throwing boots at Twitter's head and stuff, but they're not doing anything.
So we're tired of waiting. And so they decided to draw attention to the issue by, quote, ethically hacking accounts.
Ethically hacking. What does that mean?
In their own words, they said they contacted the user notifying what was about to happen. So we're going to hijack your account, post some tweets to it, you can't stop us, but we're going to do it.
They then sent the passive command in order to send the tweet. They then retweeted their own tweet with a link to their own blog post explaining what happened and how it works, and then they offered to provide support to anyone who was concerned about the attack and wanted additional information on how to protect and secure themselves.
So they weren't hiding.
GRAHAM. But they also didn't ask for any permission, did they?
MARIA. Right, they did not. They were just, we're going to do this, heads up.
CAROLE. Yeah, because it's not Louis Theroux's fault, for example, that Twitter have this bug. Correct.
Yet it's his account that has been smacked around and he looks like a dumbass.
MARIA. Yeah, yeah. And it's just this account has been hijacked ethically.
It has been ethically hacked. Here's what's going on.
It's, oh, come on, really? So just to be clear, they never had control over the accounts that they hijacked.
They're just able to send those tweets. And they were pointing people to blog posts saying, yeah, this is us doing it, it's not the account owner, we're totally taking accountability for what we're doing.
So there's no mystery. And they communicated what's going on and how people can protect themselves.
But the folks who actually got their Twitter accounts compromised did not agree. So Simon Calder for—surprise!
How completely unreasonable of them. Right.
So Simon Calder was interviewed by the BBC about this and he said—was he outraged? No.
He confirmed the attack had been done without his permission and he described it as, quote, tedious and annoying. Okay, that's so English.
And it was an experience that had left him feeling unimpressed. Yes, I love it.
So here's the funny thing. After all this, it actually, this tactic worked.
You see? So apparently Twitter has now actually fixed this problem because of these nasty tweets that Insinia sent out through other people's accounts.
So they use zero-day tactics, sort of, I guess, sort of a stretch to get attention on this issue, on this really old problem with really questionable ethics, but it worked. And the harm was minimal to the victims.
So what do you think?
CAROLE. One thing that I noticed, they are defining what they say ethical hacking is. Right, right.
They're saying ethical hacking is, well, we're coming clean and we're doing this, therefore it's fine.
MARIA. Yeah, they made this decision without talking. Yeah.
CAROLE. But by putting the word ethically in front of it doesn't make it ethical. No, yeah, yeah.
But it worked.
MARIA. And I'm sure it worked. But it worked, that's for them.
The end goal is get Twitter to fix their shit.
GRAHAM. It was also arguably illegal what they did.
I don't think—
CAROLE. Arguably. I think it is.
GRAHAM. Well, you know, this was unauthorized access to other people's accounts. It wasn't done with their permission.
And in fact, a very similar stunt was performed just a couple of weeks before Insinia did it. A guy I know called Richard De Vere, who's also known as the AntiSocial Engineer, worked with Computer Weekly magazine. And with their agreement, as an experiment, he basically hijacked Computer Weekly's account and got them to post a message. They knew that he was going to do it, but it was all under his control, and they then wrote that up. Whereas Insinia got an awful lot more PR attention from this: they hacked into basically celebrity accounts and posted these messages and caused some concern.
Now, what's curious is Insinia's board: some of the top dogs at the company are actually former members of the Met Police and the Computer Crime Unit, and so you would expect
MARIA. That's a great little bit of colour.
GRAHAM. You would expect them to know a thing or two about the computer crime laws. And it feels to me like this was just a huge PR stunt, even if this was... Come on, six years! You're right, that's not good at all.
But Computer Weekly and the work done by the antisocial engineer had already raised awareness of this. And it was in the public eye, albeit it wasn't picked up by the Daily Mail and Co, like Insinia's stunt was because of the celebrity angle. And the problem didn't go away. Well, that was only days before they then did it. And we're claiming all the credit for having this amazing discovery. It's like, well, this has been known for years. I would imagine most of us would never want to update Twitter via SMS anyway by sending an SMS message. Not anymore.
MARIA. When Twitter first started, though, I remember I actually used that message.
GRAHAM. Yeah, maybe like 10 years ago, you might have done that. But I mean, I think for most of us, it just became an impractical way to interact with the site.
And the bad thing has been that, as far as I know, there hasn't been a way to turn that off. And the PIN code, which Twitter could supply for you to use as a security measure to protect your account, so that you had to send a message with your specific PIN code to update your account, only worked in some countries. It didn't work in all countries. I think it may be relevant that these particular attacks all appeared to happen against UK-based accounts. So the fact that Twitter and SMS work differently in different countries is one thing to be aware of.
CAROLE. You know what, though? It's a really good lesson, though, for people that have services with legacy functionality that's no longer popular. Maybe turn it off.
MARIA. Maybe turn it off.
CAROLE. I've worked in big companies, and people hate revisiting old code and deciding whether they should retire stuff. It's so boring, and people hate doing it.
And this is what happens. They probably thought it wasn't important because it's a functionality that people don't use. Or they forgot that it was even there.
GRAHAM. Yeah. And wouldn't it be great if Twitter now decided to change its default? So if you create an account on Twitter now, wouldn't it be great if all this SMS nonsense, which the vast majority of people would never need, was disabled by default? And you had to knowingly turn it on and say, yes, I want to be able to interact with my account via SMS.
MARIA. I just wanted to ask a quick question. Do you think we're going to see other people trying to do this kind of stunt work, like this kind of bullshit stunt work that, I mean, we see it all the time anyway. But since this actually, quote, worked, is this going to create a lot of copycats?
GRAHAM. Well, that's a real danger, isn't it? It's that it's seen as anyone in the security community thinking, oh, the computer crime laws don't cover us. You know, they don't abide by us. And so, therefore, we can go and do what we want. It does kind of give the green light to others to do similar things.
And I think most people in the security research community think, no, what happened here was wrong. It shouldn't have been done this way. It was irresponsible disclosure. It wasn't just the disclosure. It was the fact that they abused other people's accounts without their permission. You know, I could have tapped on Louis Theroux's shoulder when I was on the airplane and said, hey, Louis, do you mind when we land? Can I lick your hair? That's what they should have done, right?
MARIA. Yes. Consent is a thing.
CAROLE. You know, Graham, maybe for February you should give up Twitter. You keep going on at Maria.
MARIA. Bollocks to that. It's his podcast. He doesn't have to do that.
CAROLE. Oh, how addiction is defensive. Shall we go on?
GRAHAM. I'm not talking to you. You've upset me.
CAROLE. So today we are skipping off to the wild world of bug bounty hunters. Can someone be a full-time bug bounty hunter and make a worthwhile career? Basically make enough money to live. The thing is, we have oodles of listeners that are tech savvy, right? So this could maybe be a surefire way that they might be able to make a living.
Bug hunting kind of evolved with tech savvy and curious guys and gals tinkering away, you know, poking and prodding away at a new system or application or service. If they found a serious bug or problem, many would report it to the company that was in charge of that service or application or whatever. And they may be doing it for the kudos or to make the service less vulnerable for other users or whatever their motivation.
Few expected to be paid for it in the early days. And from a typical bug hunter point of view, the gold would come if the company publicly announced, thanks to the bug hunter's discovery and report, the company fixed the vulnerability before it was ever exploited, right? And now that person has got a good career ahead of them. Good news.
Yeah, exactly. Now, a company with a zero-day vulnerability did not always respond predictably when they were told about it, right, Maria? As we've just seen. So where one company might take it seriously, assess the report and address the issue, another company might just ignore the messages from the security researcher, either not checking the public facing email account to which the bug was sent or not prioritizing the problem.
MARIA. Happens all the time. Yep. Sending the lawyer after the researcher is another one. They love doing it.
CAROLE. And this was the case, in fact, with the Equifax cyber snafu, right? Six months after a security researcher first notified the company about the vulnerability, Equifax patched it, but only after the massive breach put millions and millions of people's personal info at risk.
MARIA. I am on the floor shocked. I can't get up. I just can't get over this.
CAROLE. I know, but in a way, your blood should boil because it's so – I mean, that makes it so freaking annoying. They were actually forewarned and did nothing, right? And it's so ironic because if companies were thinking logically, it's, of course, much, much, much preferable to find out about a zero day or a serious vulnerability directly and privately rather than having it splashed all over the news, as per your story, Maria.
And should the vulnerability end up making headlines, it's much, much better that said company can say, hey, we've already resolved it. They don't have to deal with the media fallout as well as the vulnerability. So this is where bug hunter bounty firms fit in.
So these investor-backed fat cats are kind of streamlining the process, as well as driving some serious revenue into the business model. The main players in the space include HackerOne, Synack, and Bugcrowd. And these firms help run bug bounty programs for clients. And they also seek out researchers to find vulnerabilities in return for a payout. So it's a nice little system, little ecosystem going.
Okay. HackerOne, for instance, say they paid just shy of $2,000 per vulnerability, for a critical vulnerability, in 2017.
GRAHAM. Is it them paying it, though, or is it the company which had the vulnerability?
CAROLE. Well, how much has been paid out using their service? Oh, I see.
GRAHAM. Critical vulnerability, you get that kind of money. Oh, okay.
CAROLE. And then on Synack, they say about $650 per vulnerability. And that's not critical, but vulnerability. And they say some have paid up to $30,000 for uncovering critical bugs. And then you've got Bugcrowd. They have about 3,000 people working for them and they average between $1,000 and $2,000 for all bugs. So you can kind of see a price point there.
GRAHAM. And I think it's good that people are finding the bugs who are basically doing the work of the software and hardware manufacturers, which they should have done. Yes. They should be rewarded for finding these bugs and vulnerabilities.
CAROLE. Oh, absolutely. Think of all the time these guys are wasting not finding stuff and therefore not getting paid for it. Right? So, yeah, I mean, I'm surprised it's so low.
But in comes this company called Zerodium. Zerodium announced today, this is the day of recording on Tuesday, announced payments of up to $2 million for iOS hacks and $1 million for chat app exploits.
MARIA. But not just any iOS hacks, I would imagine. They're very specific ones, right?
CAROLE. Exactly. Now, look, I've shown you their price list here, and you can see some of the stuff that they are offering money for. So if you can remotely jailbreak an Apple iOS, they'll give you $2 million for it. And that's up $500,000 from the previous year. So you can see this is big money, and this has obviously gotten big headlines.
Now, before you get excited, especially after the financial hit that was Christmas, Zerodium are a very different breed of bug bounty hunter firms. They're certainly getting all these big headlines with their big payouts. But what they do with the vulnerabilities that they buy from independent researchers, so they pay the independent researcher for the exploit, but they don't sell it to the company. They sell it to government intelligence services so that they can take advantage of these loopholes.
MARIA. Eek! Eek! Oh, of course.
CAROLE. So law enforcement and intelligence agencies are kind of their target market.
GRAHAM. Because they're the ones with the money and they're the ones who really want to hack into somebody's iPhone. Oh, yes. And they want to use a vulnerability which hasn't been patched and which isn't going to become known to, for instance, Apple or Google.
CAROLE. This is the ultimate ethical issue here. The premise here is not to make the service safer, but to help authorities get access to information they really shouldn't have. Finding a route into private messages, for instance.
MARIA. I'm sure something like this has been happening on the black market for ages. Just these are people working for somebody else, and we didn't know about the transactions. So this is sort of making it a little more visible. But if you want these kinds of really hot button vulnerabilities, you've got to be willing to pay serious money. Because $1,000 is not going to get somebody's attention necessarily. A million bucks, $2 million, yeah.
CAROLE. Yeah. CNN Business said, Zerodium is a cyber arms dealer. It pays hackers to learn about their tactics, then packages it and sells it to elite subscribers. Now, the problem I have here is you're talking, Graham, I saw the article in the comment you just made about intelligence companies and governments having a lot more money to pay for these loopholes. But I don't know. I poo-poo that a bit. I mean, Google and Apple are not hurting, right? Amazon are not hurting. They don't want to get into a game where the price is constantly going up to extortionate incredible levels for bugs being reported to them.
GRAHAM. Oh, come on. Remember T-Shirtgate? In 2013, Yahoo were accused of paying for very serious bug finds, which is for XSS vulnerabilities. They paid with a T-shirt, a $12.50 T-shirt.
MARIA. Yeah, but this is cross-site scripting. It's not a big deal. That's no big deal. That's no biggie.
GRAHAM. But they did subsequently initiate a proper bug bounty program because someone went public with the fact that they were pissed off with getting a $12.50 T-shirt. But you can't go from one extreme to the other Carole, you can't go from a $12 T-shirt to two million dollars.
CAROLE. No, but listen, I was reading the story about Philippines-based bug bounty hunter Evan Ricafort, right? He spends 75 hours a week, he says, looking for bugs. And he averages about $187 a month. Now, before you think he's obviously very crap at his job, he has found vulnerabilities in products from over two other companies. Yeah, right. And $187 is the average salary in the Philippines. But it certainly ain't for the US UK. You mean, you're not having burgers that night. Yeah, ain't gonna cut it. No, that's one burger. Exactly, depending on where you go. Yeah. So I guess the question is, do we think these bug hunting firms are valuable middle guys that might help grease the wheels for safer code and actually pay researchers what they deserve? I'm not just talking about Zerodium here. I'm talking about bug hunting firms in general, HackerOne.
GRAHAM. Well, no, hang on. The likes of HackerOne are running the bug bounty programs for big tech firms, aren't they? And so the tech firm partners up with HackerOne and says, these are the rules of our bug bounty program. This is the money. Please, can you run this for us? Because we're a software company. We've got no idea how to run a bug bounty program. HackerOne isn't then selling them off to the highest bidder, those vulnerabilities. Those vulnerabilities are only going to get passed on to the people who can actually fix the problem. So the unpleasant thing here, I'm afraid, is Zerodium and its ilk, who are basically selling to the highest bidder. Now, having said that, would it be any better if they were driven underground?
MARIA. Yeah, because that's where this is going on anyway. No. Yeah.
CAROLE. Wouldn't it be better if legitimate firms like HackerOne told their clients, hey, maybe up the bug bounty from $25, buddy?
MARIA. Yeah, you got to walk before you run, though, right? I mean, if you think about the T-Shirtgate, in 2013, you were lucky if you got a response from somebody if you sent in a vuln. And I don't think a lot of people were even paying any bounties back then, and it's still kind of a new thing. Turns out if you find a bug in Twitter, you're lucky in 2018. Right. Yeah. So I mean, the fact that bug bounties now exist and are being adopted is great progress compared to where we used to be just a few years ago. So it'd be great if companies paid more. But I mean, the fact that some of them are doing it at all is pulling teeth.
GRAHAM. Why don't the intelligence agencies use these vulnerability brokers against each other? Why don't you go to vulnerability broker number one, get a hack, which you then use against vulnerability broker number two, to spy on their communications and all the vulnerabilities they are selling to other countries. And then you get all the rest of them for free.
CAROLE. Or why not appeal to smart security researchers and say, before you get into bed for the highest price, why don't you find out what the information that you're providing them is going to be used for and who it's going to be sold to?
GRAHAM. I think once you've sold it to the likes of Zerodium, you know, it's up to them what they do with it. You don't have any control over it. It's out in the wild.
CAROLE. Yes, but you can choose before you, you know, who you partner with. If you found an exploit, you don't have to, you're not necessarily in bed with one player the entire time.
GRAHAM. And I think a lot of security researchers would feel very uncomfortable selling their exploit, even for $2 million. A lot of them would view it as an almost religious zealot-like thing. It was we have to tell the vendor.
MARIA. And thank the Lord for that. Ethical security researchers, yes. Yeah. There are a lot of people who are going to go, $2 million is not enough. And I'm going to go elsewhere to find some cash. So it's a thorny problem for sure.
CAROLE. I mean, all this said, though, I think this industry of having bug bounty program marketplaces, not necessarily those that sell it to intelligence agencies, but actually help make security better and make services more secure. I think it's percolating and it's going to settle. And I think it's going to be an industry. You know, this certainly will prepare you well for a job in IT and cybersecurity if you start looking into bug bounties and how you can help companies make their security better.
I've had another evil—
GRAHAM. Thought. Imagine you worked at one of these big tech companies and you heard that there's the possibility of making $2 million and you could actually embed something, a bug inside the code.
CAROLE. You're stealing this from that story you told about the lottery guy. I don't know who told it, but it was on the podcast a few months ago.
David Bittner about the lottery. You're lifting stuff—
MARIA. From Bittner now, man. I know.
GRAHAM. But that was the same premise. I'm just saying with two million on offer or that kind of money on offer.
CAROLE. Chump change, Graham. Chump change. Yeah, but after taxes.
GRAHAM. And welcome back. And you join us in our favorite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app. Whatever they like. Doesn't have to be security related necessarily. Definitely should not be.
And my Pick of the Week this week is not security related. It is very simple. Huzzah! It is a website, and it's a website with a .bg domain. Bulgaria, I believe. Belgium? I thought, oh no, that's B-E, isn't it? Yeah, I think .bg is Bulgaria, I think. I don't know, but anyway, it's nothing Bulgarian. It is a website called remove.bg, and if you go to remove.bg something magical happens. All you have to do is upload an image, a picture of a person, and remove.bg, better known as remove background, will remove the background. So it gives you a transparent PNG file or a GIF with just the person. So, Carole, if for instance I took a photograph of you, or your loved one took a photograph of you, and you had something embarrassing... My loved one? Have you just done it, Maria?
MARIA. I just did that, actually. It worked. I gave it a really complicated photo with a lot of noise in it and stuff, and it did a great job. It's pretty clever, isn't it?
CAROLE. Yeah. I'm surprised that you slapped up a photo of yourself without checking the privacy policy, Maria.
Just uploaded a meme.
MARIA. It's not a photo of me.
GRAHAM. Smart girl. She's destroyed someone else's privacy. Yeah, whatever.
So, Carole, this is the thing, though. If someone took a photograph of you and you had something embarrassing on the... Like you behind me. On the mantel shelf behind you, you know, and you thought, I don't want that in the picture because people will laugh. Then put it through remove.bg. You can do this kind of thing with Photoshop and other tools, of course, and normally I do. I have a specific tool for doing this on my computer, but then I came across this site and it's so easy. Why is the picture...
CAROLE. On the home page of a girl with crazy hair? Oh, is that to show how amazing it is at cutting out the background with all the strands? Here, I understand.
MARIA. This used to take so much time to do manually in Photoshop. This is amazing. And it always looked shit. I remember...
GRAHAM. You doing something with a picture of a hamster because you wanted a hamster to appear in a teacup, do you remember? Oh yeah, that was... that's about 20 years ago, I think. There was a virus, it was called Hamster or something, that we wanted to... it was a storm in a teacup. So you said, what we need is a picture of a hamster and a teacup.
MARIA. And I said, to work. And there you are with the lasso tool in Photoshop 2. 12 hours later there's jagged edges everywhere. And then you're, what the hell is anti-aliasing? And then you just...
GRAHAM. There is a drawback with remove.bg, which is that it is not compatible with hamsters. I have tried. It only recognizes. Feed me a hamster. It only recognizes human faces. You could put a human face on a hamster and then it might work, of course. That is possible.
So there you go. Remove.bg is my pick of the week. Thank you very much. Not bad. Not bad.
MARIA. Useful. Yeah, that was pretty cool. I it. I'm adding that to my bookmarks. That's servicey. Bookmark.
GRAHAM. Maria. Maria, what's your pick of the week?
MARIA. My pick of the week is a wee bit controversial. Oh, that's refreshing. Yeah, it's something that everyone I know has been talking about since it came out. And it's my pick of the week simply because I want to get us talking about it. And I really want to hear your thoughts. So my pick is the Marie Kondo show on Netflix called Tidying Up.
And I will admit that I really enjoyed it. And I know a lot of people who hate it. And the reason I like it is because mess and clutter drive me insane.
Marie Kondo, who is a Japanese organizational expert, she goes into people's houses and helps them get their stuff in order. She has a TV show all about her specific tidying up philosophy.
So she goes to a lot of American homes in Southern California that are all extremely over cluttered and kind of prestages a very gentle intervention to them and saying, let's just get your house a little more in order. Let's get rid of all the extra shit you don't need. She doesn't say it like that. She's much nicer than me.
And it's done in a way that's very respectful to the people as well as to their things. She doesn't sit there and go, fire up the incinerator. It's not like that.
It's very, very gentle, and you always end an episode feeling really good about everything that's happened for the most part. And it's the most, the only way I can think of it is The Great British Bake Off is really popular in the States, and now we have our own version of it.
It's a very gentle reality show that is a feel-good reality show where nobody's yelling at each other. It's great.
GRAHAM. I saw you put this on the list. So last night, I realized you were going to speak about this. So I said to my wife, let's go and check out this TV show that Maria is going to talk about tomorrow. Let's see if it's worthy of our business. And my wife said, Marie Kondo. I said, yes, have you heard of her? And she said, oh, yeah, we've got books of hers cluttering up our bookshelves.
MARIA. Missing the point.
GRAHAM. So we put on the show. And I have to say, the first episode I saw, I was thinking, what? I couldn't understand it, because this couple had a house which I thought was perfectly tidy and had considerable storage space compared to mine.
MARIA. Oh yeah, the houses are all enormous because they're all in Southern California. It was enormous! Yeah, I'm watching the show, I'm also American going, these houses are five times the size of mine and they can't see their kitchen countertop. Meanwhile, my house is probably the size of their bathroom. I mean, it's just I can't, I don't understand what they're cluttering up with.
GRAHAM. But the first house in the first episode, I thought, okay, they're kicking off the series. Let's see how good it gets. It was this is hardly untidy at all. They had two young kids. And you...
MARIA. Graham, I've seen your office. This is very revealing about you, Graham, but go on.
GRAHAM. I know you've seen my office. This is more to dampen any echo than I have items around me, okay?
MARIA. Oh, of course. That's why it was like that 10 years ago as well. It's for science. It's actually for science.
GRAHAM. Yeah. You were preparing for your podcast future. But there are shows on in Britain, and maybe you have them in the States as well, which are seriously about hoarding. Where you actually have to tunnel into the house past the milk bottles full of urine and the newspaper collections.
MARIA. Yes. Oh, there's a lot of those in the States. I can't watch them, but yes, they exist.
GRAHAM. So I was expecting something like that rather than this rather petite, sort of gentle, sort of Japanese woman who was, you know, hoping that clothes sparked joy and you had to be respectful to the clothes.
MARIA. It's very Shinto. I love it. She was a Shinto shrine maiden before she started doing this. And in Shinto, you believe that all objects have a spirit. So that's where that comes from. I love it. I think it's great.
CAROLE. I didn't. Ooh, who's got the Japanese bugs since they traveled?
MARIA. I minored in Japanese in college. Yeah. That's true. Sorry.
GRAHAM. I didn't dislike it. I just thought couldn't they have found some people who had less tidy homes? Have you watched the whole series? They had... I've watched two episodes. And the second one they did have a guy who had loads of baseball cards and a woman who had a huge mountain of ugly clothes.
MARIA. That house was insanely cluttered. You didn't think that was that bad? You thought it was normal? I mean that house is the size of a football stadium and you couldn't see the floor. I don't know how much more cluttered you needed to get. I mean, they had an entire bathroom they couldn't find anymore. I mean, I cannot relate to that.
GRAHAM. I just thought, I thought that when they had the before and after pictures, there should be more of a difference because it's oh, the before picture, oh, look, now they've done it in moody black and white and the after picture is in colour. It's hardly changed at all. It's could they have not added another ten minutes to the programme and they could have sent someone in to put up some new shelves or something or new storage room?
MARIA. It's not a home renovation.
GRAHAM. Well, that's what it needed. I wanted that Japanese woman to knock up some shelves or something.
CAROLE. Okay, Marie Kondo, whose name you can't even remember.
MARIA. Yeah, Marie Kondo. She's a Brazilian heir, so, you know, I don't think she's mad about it.
GRAHAM. She's a Brazilian, is she?
MARIA. Brazilian heir, yes. She's got Brazilians. Made her billions in Brazilians. Yes, it's true.
GRAHAM. Carole, what have you got for us?
CAROLE. So my pick of the week is a wonderfully told whodunit podcast series from New Hampshire Public Radio called Bear Brook. I listened to it during the Christmas hiatus and I loved it.
So in 1985 the bodies of a young woman and a little girl are found in a barrel in the woods of Allentown, New Hampshire. And 30 years later the cops still hadn't identified... Is this true?
GRAHAM. Yes. Oh, right. Yes.
CAROLE. There's six episodes that tackle the murders from a variety of different standpoints. They talk to residents, they talk to cops, they talk to amateur detectives. There's a load of people that have been just obsessed with this whole case and trying to find out who these people are.
So the podcast introduces you to a serial killer known as the chameleon. And really, it totally blew my mind. I actually think I listened to all six episodes in a row.
The case also led to massive changes in how murders will be investigated from now on. And that's a little teaser because it has something to do with the topics that we sometimes talk about.
GRAHAM. Oh, go on, tell us. Go on, give us a bit more of a hint than that.
CAROLE. I don't know if I can.
GRAHAM. So is there something computer related?
CAROLE. I don't know. Just listen to it. It's worth it.
But there's something modern technology and that has come in full force because of the internet that plays a huge part in discovering who these people are. DNA? Biometrics? Maybe, maybe. Maybe you should listen.
So all I want to say is hat tip to the Bear Brook team because I think it's just a great piece, a great production piece. I love it and I want more of it. So well done. And you guys should check it out, it's worth the time.
So that's Bear Brook from New Hampshire Public Radio.
GRAHAM. Do they end up catching the chameleon or does he blend into the background?
CAROLE. Yeah, they couldn't find him. Boom, boom.
GRAHAM. On that piece of comedy gold, it's about time to wrap up the show for this week. Maria, I'm sure lots of listeners would love to follow you online. What's the best way for them to do that?
MARIA. They can find me on Twitter. I'm still on there, I haven't quit it yet. So Mvarmazis, find me there.
GRAHAM. You won't find her on Facebook in February, though. You can also follow us on Twitter at @SmashinSecurity. No G. Twitter won't allow us to have a G.
And you can check out our online store if you're interested in getting T-shirts and mugs and things like that at smashinsecurity.com slash store. And let me tell you, we don't make a single cent out of our store because, well, I'd like to say it's because we're really generous, but the truth is we just don't fancy dealing with the tax man.
CAROLE. Thank you to all our listeners who listen to us every week. Thank you to our sponsors, LastPass and Recorded Future. And if you want to help us out, the best way you can do that is by telling your friends to listen to the show.
GRAHAM. Fantastic. Okay, until next time. Cheerio. Bye-bye.
MARIA. Bye. Happy New Year.
CAROLE. Now, Maria, I owe you an apology. Because my husband decided to watch a bit of The Good Place. Remember, I poo-pooed it.
MARIA. You did. You did.
CAROLE. Yeah, and I have to admit, when he started watching it, I was like, oh, it's better than I thought. And I remembered that I did watch it, but very peripherally. I was doing some kind of project or something.
So, you know, it was on, but I wasn't fully watching it. And I actually think I missed most of the plot. So I wanted to say it is a good show and you've got my thoughts on it.
MARIA. Oh, I'm so glad to hear it. I really enjoy it. Thank you for recommending it. That makes me so happy. Thank you.
GRAHAM. It's good to know that we can change our opinion sometimes, isn't it, Carole?
CAROLE. Yes, Graham, it is.
GRAHAM. Any change of opinion on the red pill? Remember Michael Hucks's pick of the week? That's still rubbish, isn't it?
CAROLE. Still shit.
-- TRANSCRIPT ENDS --