A FaceTime bug allows callers to see and hear you before you answer the phone, Facebook's Nick Clegg tries to convince us the social network is changing its ways, and IoT hacking is big in Japan.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by John Hawes from AMTSO.
Follow the show on Twitter at @SmashinSecurity, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: John Hawes.
Sponsored By:
- LastPass: LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
- But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
- Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
- Boxcryptor: Boxcryptor encrypts your sensitive files and folders in Dropbox, Google Drive, OneDrive and many other cloud storages. It combines the benefits of the most user friendly cloud storage services with the highest security standards worldwide. Encrypt your data right on your device before syncing it to the cloud providers of your choice.
- Listeners can get a 40% discount on the Boxcryptor Personal License (private use) and Boxcryptor Business (perfect for self-employed) by visiting smashingsecurity.com/boxcryptor
Links:
- Smashing Security on Reddit.
- Apple has a huge privacy ad at CES 2019 — CNBC.
- Apple races to fix FaceTime bug that lets you spy on someone *before* they pick up your call — Graham Cluley.
- Tweet about teen who found FaceTime issue — Tweet from MGT7.
- iPhone Facetime Hack (EMBARRASSING!) Caught Slippin — YouTube (NSFW).
- A discussion with Nick Clegg — Facebook Brussels.
- Facebook pledges to do more on self-harm — BBC News.
- World Happiness Report — Wikipedia.
- 2020 Olympics: Japanese chains scrap porn magazines — BBC News.
- Japan’s Cybersecurity Strategy (PDF).
- Govt. to access home devices in security survey — NHK.
- Japan plans to hack into millions of its citizens’ connected devices — MIT Technology Review.
- Alphaville - Big In Japan (Official Music Video) — YouTube.
- Teletext — YouTube.
- Teletext generator — Teletext the World.
- The teletext versions of Graham, Carole, and John Hawes — Twitter.
- Cosmic Eye — YouTube.
- ChronoZoom.
- Putting Time In Perspective — Wait But Why.
- Cows: Small Or Far Away? | Father Ted — YouTube.
- Jonathan Pie's American Pie — BBC Three.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. You could listen to someone or even see them before they answered your phone call. So you would send them a call via FaceTime and you'd be able to listen to what they're doing before they've hit the answer button.
CAROLE THERIAULT. Okay, let's act it out, Graham, right now. Pretend you're calling me. Oh God, it's that fucking asshole again.
UNKNOWN. Smashing Security, Episode 113: FaceTime, Facebook, Faceplant, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 113. My name is Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. Hello, Carole.
CAROLE THERIAULT. Hello, Graham.
GRAHAM CLULEY. Hello. And we're joined this week by a special returning guest. It's John Hawes all the way from AMTSO again, the Anti-Malware Testing Standards Organization.
CAROLE THERIAULT. The worst acronym in the world.
JOHN HAWES. Hey, it's a great name. It's a great name.
GRAHAM CLULEY. Bit cheeky.
JOHN HAWES. Leave our name alone.
GRAHAM CLULEY. It's all right.
JOHN HAWES. I missed that week when they chose the name.
CAROLE THERIAULT. It's just hard to say fast.
GRAHAM CLULEY. Well, Anti-Malware Testing Standards Organization.
CAROLE THERIAULT. AMTSO.
JOHN HAWES. AMTSO. It's very good for Eastern European people.
CAROLE THERIAULT. What does AMTSO do?
JOHN HAWES. We encourage and guide people to test better. In the security anti-malware space. So we tell people how to do it. We get them to sit down and talk to each other and play nice with each other.
CAROLE THERIAULT. To use today's parlance, are you trying to drain the swamp of crappy reviews?
JOHN HAWES. Exactly. Yes. We're all into swamp draining.
GRAHAM CLULEY. Oh, thank you for draining swamps, John. And thank everyone as well who has joined us on our Reddit page. Um, after we put out the plug in last week's episode, we've had literally hundreds, yes, plural of hundred people joining our Reddit page and chatting with us. And you can join us there as well at smashingsecurity.com/reddit. Hope to see even more of you up there.
CAROLE THERIAULT. Exactly. It's the best place to get a bit of behind-the-scenes information, if anyone actually could care about that.
GRAHAM CLULEY. Now, we've got a fun-packed show, right, Carole? Yeah.
CAROLE THERIAULT. Listen to this. We've got DJ Daddy Cluley covering the FaceTime privacy snafu. Mr. John Hawes digs into Nick Clegg's work duties at Facebook. And yours truly heads to Japan to see how they're prepping for the 2020 Olympics. All this and oodles more coming up in a pretty sweary version of Smashing Security. Are you not running a password manager in your organization? What are you thinking? Check out LastPass Enterprise. Just go to this URL: lastpass.com/smashing. Here you can learn all about what password managers can do for your firm. And you can learn more about LastPass Enterprise. I mean, if you want to solve poor password hygiene, if you fancy securing every password-protected entry point in your business, slide on over to lastpass.com/smashing. I use them, so you should check them out. Hey, Graham?
GRAHAM CLULEY. Yes?
CAROLE THERIAULT. So I've got a problem.
GRAHAM CLULEY. Yes?
CAROLE THERIAULT. I use a cloud service, I put all my files and data up there, and I'm kind of nervous about prying eyes looking at it. Any advice?
GRAHAM CLULEY. Yeah, you've got to encrypt it.
CAROLE THERIAULT. Before I load it up?
GRAHAM CLULEY. Well, I would recommend so, because any file which you put on Dropbox or Google Drive or OneDrive or those other sort of cloud services, it could be accessed by that company or indeed law enforcement. Ransomware or any hacker who broke into your account. So what I would recommend is use a piece of software like Boxcryptor. It's what I run on my computer, and any file before it gets uploaded to those cloud services gets encrypted with my own keys, which I control. So the cloud service itself can't see the contents of the files which I'm putting on the cloud drive. It's all encrypted.
CAROLE THERIAULT. Cool, I'll check it out.
GRAHAM CLULEY. Go to Boxcryptor.com, and thanks to Boxcryptor for supporting the show this week. Now, we are recording this on Tuesday. The episode goes out, most people I think pick it up on Thursday, so things may have changed. I'm just putting this in context because we have breaking news. Ooh. Last night I was tucked up in bed in the wee small hours of the morning with my long johns on and my Womble hot water bottle clutched close to my heart.
CAROLE THERIAULT. What a glorious image that is.
GRAHAM CLULEY. And I felt a little tingle. I felt a tingle in my spider senses.
JOHN HAWES. Oh, are your long johns connected to the internet?
GRAHAM CLULEY. I knew something was not right with the internet. And so I awoke, I turned on my wee little phone, and I saw that the Twitterverse was going bonkers.
JOHN HAWES. As usual.
GRAHAM CLULEY. About a bug which had been found in FaceTime.
CAROLE THERIAULT. Are you sure it was your spider sense and not just your phone going?
GRAHAM CLULEY. But yeah, I turned on Twitter and people were sharing this video. And what people were demonstrating in this video is that you could listen to someone or even see them before they answered your phone call. So you would send them a call via FaceTime and you'd be able to listen to what they're doing before they've hit the answer button.
CAROLE THERIAULT. Okay, let's act it out, Graham, right now.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. Pretend you're calling me. Oh God, it's that fucking asshole again.
JOHN HAWES. You guys.
CAROLE THERIAULT. That could hurt our friendship, man. That could really, that could really damage our budness.
GRAHAM CLULEY. Exactly.
CAROLE THERIAULT. I'd go down a tier, I think.
GRAHAM CLULEY. Right. You'd definitely, yeah, you'd be definitely tier 2 by that point.
CAROLE THERIAULT. So dangerous.
JOHN HAWES. Or if you're having a poop or something and you don't want your camera on and someone's trying to do a camera—
GRAHAM CLULEY. Well, there's all number of embarrassing scenarios. And of course, as people were sharing this video and the instructions on how to do it were really very, very simple indeed. Basically, you sort of added yourself to a group call with the person, and somewhere the Apple logic went bonkers.
CAROLE THERIAULT. I didn't even know you could do group calls on FaceTime.
GRAHAM CLULEY. Yes, you can do group FaceTime in iOS 12.
CAROLE THERIAULT. I didn't know that.
GRAHAM CLULEY. But people were using this to prank each other, and I've actually got a video which you're welcome to take a look at if you wish, of two gentlemen who use it— well, one gentleman uses it to spy on his bro.
JOHN HAWES. Doesn't sound very gentlemanly.
GRAHAM CLULEY. So you can check out the video right now. We'll put it in the show notes as well.
CAROLE THERIAULT. Looking.
GRAHAM CLULEY. And this is a guy who's calling his buddy. He's calling his buddy. That's right. And his buddy doesn't, you know, isn't expecting a call, let's put it that way, because he's, he's otherwise engaged.
CAROLE THERIAULT. Oh, oh, oh.
JOHN HAWES. Is it inappropriate? You good? Okay. I haven't clicked it.
CAROLE THERIAULT. That's a bit rude, Claire.
GRAHAM CLULEY. It's a bit rude.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. It's a bit rude.
JOHN HAWES. Oh, no.
CAROLE THERIAULT. So to the guy on Reddit who told us he doesn't like our show because he can't listen to it with his 12-year-old son, this is very much not the episode you should be listening to.
GRAHAM CLULEY. I should think within a couple of years his son will know all about this, to be honest, if he doesn't already.
CAROLE THERIAULT. He probably already does.
GRAHAM CLULEY. Anyway, so then it turned out it wasn't just audio. They could actually look at you as well. They could take over the front-facing camera.
JOHN HAWES. Wow.
GRAHAM CLULEY. Now, of course, that's deeply, deeply embarrassing for Apple, right? If you remember at the CES show recently on the West Coast, they were touting privacy very much. They had a great big poster up on the side of a hotel saying, you know, we're basically the privacy company because Google and Facebook keep on getting themselves into a mess. Apple is trying to differentiate itself, isn't it?
JOHN HAWES. Mm-hmm.
GRAHAM CLULEY. So this bug has only really become public knowledge for less than 24 hours at the time of recording. It's hard to tell quite how serious it is. If you were a state-sponsored attacker, for instance, and you wanted to hack into the phone of a leader of a rival country, it doesn't seem like a way to persistently sort of open up a microphone. It's going to be quite a short length of time. It can be a little bit obvious if they haven't turned off their ringtone and suchlike. So it doesn't seem like that kind of scale of thing, but it's still bad.
JOHN HAWES. Oh no, no.
CAROLE THERIAULT. And it's getting a huge number of headlines everywhere.
JOHN HAWES. Also, if you know that a major politician keeps their phone on a stand on their desk with lots of important secret documents underneath it.
CAROLE THERIAULT. And what, they're wearing their phone underneath their chin facing down?
JOHN HAWES. No, they've got it on a little stand on their desk so that they can, you know, either watch videos or something. And the camera happens to catch a little glance of the nuclear codes or something?
GRAHAM CLULEY. It could be. I suppose it could be. Could be.
CAROLE THERIAULT. Could be.
GRAHAM CLULEY. I think, don't panic. If you're really worried about this, until Apple pushes out a proper patch, you can just turn off FaceTime if you want to. To be honest, I haven't turned off FaceTime. What Apple has done overnight, probably because they saw the furore which was going on on social media and in the newspapers as this story was breaking, was that they've made changes on their server side. They've effectively disabled group FaceTime calls.
CAROLE THERIAULT. I imagine not that many— which kind of solves the problem in the short term. I think they handled it very, very quickly. I was kind of impressed by that. I kind of thought your story would be more of a—
GRAHAM CLULEY. Were you impressed?
CAROLE THERIAULT. Yes. But okay, tell me why I'm wrong on that. I can tell by your— I feel like I'm being set up here to follow my face.
GRAHAM CLULEY. Well, maybe you shouldn't be quite that impressed. 'Cause at first I was thinking, well, that's quite a good response. I mean, it's obviously embarrassing that the bug was there, but they've responded quite well. Until you do a search on Twitter and what you find out is that over 10 days ago, a 14-year-old kid contacted Apple support multiple times saying that they had found this bug and they wanted it fixed, and Apple never got back to them.
CAROLE THERIAULT. Okay. Okay. Can I just defend Apple? Just, I know I'm an, I know I'm a big, uh, Apple whore. Apple whore.
GRAHAM CLULEY. Yes. You're like the Nell Gwynn, but rather than oranges, you're apples.
CAROLE THERIAULT. Apple is a big company. Who knows who they called at Apple? Media.
JOHN HAWES. Exactly.
CAROLE THERIAULT. Who knows who they called, right? And who knows if that person just was like, oh God, okay, thanks, thanks. I mean, a lot of people must call with those kind of things, that they found something.
GRAHAM CLULEY. Well, at least get back to them and say, can you give us more details? I mean, in these days of bug bounties and serious vulnerabilities happen. And remember, this is Apple, which is all about, well, they're now wishing that they had.
CAROLE THERIAULT. I bet.
GRAHAM CLULEY. They now wish that they had just tweeted about it. And this problem would have been fixed faster. They also, by the way, contacted Fox News, and they never heard back from Fox News either. Oh, which is surprising to me because you would think Fox News are looking for alternative news stories to focus on rather than other things which may be appearing in the headlines. So you'd think they'd want to do that.
JOHN HAWES. But then also, people like Fox News must get a lot of calls from people saying, hey, look what my kid can do with his phone.
GRAHAM CLULEY. Sure.
JOHN HAWES. Which aren't necessarily all going to be great news stories.
GRAHAM CLULEY. Right, but I mean, the people who I think have dropped the ball here are Apple themselves. They should have got back to him. They should have asked for more details. They should at least have acknowledged the bug report. So there's an official bug report which was submitted. They never got any response.
JOHN HAWES. Well, and also they should have noticed the problem in the first place. If it's something that a 14-year-old can spot, surely a team of professional software testers should have been able to spot it.
GRAHAM CLULEY. Well, yeah, because this does seem to keep on happening with Apple, doesn't it? I mean, there've been so many bugs involving the lock screen, for instance, and ways to bypass it and bizarre logic like that. You would think with something like a phone call, there shouldn't be any data transmitted to the other person until you've actually acknowledged, yes, I want this phone call to happen. There shouldn't be any data going back at all, should there?
JOHN HAWES. You should be testing that pretty thoroughly with every release.
GRAHAM CLULEY. Could be embarrassing.
CAROLE THERIAULT. I use FaceTime fairly regularly with some people.
GRAHAM CLULEY. Do you ever have problems with FaceTime, Carole?
CAROLE THERIAULT. Yeah. I do.
GRAHAM CLULEY. Yeah, me too.
CAROLE THERIAULT. One of the things I find is I find it very easy to accidentally call someone. So what happens is I'm thinking in my head, I need to call Graham, right?
JOHN HAWES. Right.
CAROLE THERIAULT. And I put in my passcode, get to FaceTime, and then I forget and I go do something holding my phone. So FaceTime's open on my phone and I end up calling someone who's like in San Francisco at 4 in the morning. And then I'm madly trying to get the hang up button to stop bugging them. And it always kind of goes wrong at that point.
GRAHAM CLULEY. And there was that weird thing in a— we actually covered this in a special bonus episode, didn't we? We had a little breakaway behind-the-scenes episode. Do you remember my phone used to call you on FaceTime when I was in the shower? And it didn't matter if it was my shower at home or a shower at a hotel. And I wasn't even close to the phone. I want to stress that.
CAROLE THERIAULT. And I would hear, I'd pick it up and I'd just hear this shh. And I'd go, oh no! Oh God! Oh God!
GRAHAM CLULEY. It wasn't a video call. It was only ever audio, I think.
CAROLE THERIAULT. Thank the Lord!
JOHN HAWES. Have you filed Carole's contact under Shh?
GRAHAM CLULEY. John, what's your story for us this week?
JOHN HAWES. Well, I wanted to talk a little bit about Nick Clegg.
CAROLE THERIAULT. So I'm gonna go get a cup of tea.
JOHN HAWES. Yes, exactly. I'm gonna go get a pillow. For those of you who aren't familiar with the obscure end of UK politics of the last 15 years or so, so Nick Clegg, he used to be the leader of the Liberal Democratic Party, basically the third party in a two-party system. So they're always kind of small and feeble. For a brief period, I guess it was the credit crunch really, they got a bit more popular and they formed a coalition government, which—
CAROLE THERIAULT. With the Tories, that's right.
JOHN HAWES. Everyone hated them for because, you know, you vote for Party A and they use that to get Party B into power. You're not going to get a lot of friends that way. And they didn't really do anything in the 5 years Clegg was Deputy Prime Minister, but— Well— Really? Did they? What did they do?
GRAHAM CLULEY. Well, I think they put the brakes on things like the Snooper's Charter. And they prevented some of that, you know, which Lib Dems strongly believed was a bad thing and the Conservatives want to push forward.
JOHN HAWES. So they slowed it down a little bit.
GRAHAM CLULEY. Well, unfortunately, you know, politics took a particular turn and we no longer have a coalition government able to stop the Conservatives from doing things like that.
JOHN HAWES. Yeah.
GRAHAM CLULEY. Little bit of politics there.
JOHN HAWES. Anyway, after he was Deputy PM for 5 years, you know, they had another election and by that point everybody hated them. So the whole party pretty much collapsed. They lost all their seats. He lost his seat a couple of years later, 2017. And yeah, my main memory of him is that he was on Desert Island Discs, the BBC show where they interview celebrities about what they would take to a desert island. And his luxury he wanted to take was an unlimited stash of fags. That's what he wanted.
CAROLE THERIAULT. Cigarettes for our American counterparts.
JOHN HAWES. Yes, don't take that the wrong way.
GRAHAM CLULEY. What was he planning to do then? Make a raft or something? What was his intention?
JOHN HAWES. I don't know. Well, the other thing the Lib Dems were famous for was that they were very supportive of the legalization of marijuana. So maybe he was hoping that there would be other things to smoke on the island.
CAROLE THERIAULT. I don't know.
JOHN HAWES. Anyway, that's beside the point. So the real thing is that he was given a job with Facebook back in October last year, Vice President of Global Affairs and Communications. So he's basically there.
CAROLE THERIAULT. Ooh, nardy da title.
GRAHAM CLULEY. Head of propaganda, basically.
JOHN HAWES. Yeah, he's there. Their lobbyist. He's there to pester government people and because he knows how to talk to them. So he's the liaison between Facebook and politicians.
GRAHAM CLULEY. You know, he is actually quite a good choice to talk about these subjects, particularly in Europe. I mean, he speaks not only English, he speaks Spanish and German and French and Dutch.
JOHN HAWES. Yes, yes. He used to be an MEP and he was in Europe for a long time.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. My nephews used to go to school with one of his sons.
CAROLE THERIAULT. No way.
GRAHAM CLULEY. Yeah, I don't know, I can't remember his name, Fernando or something like that, or maybe that was Alan Partridge. But yeah, no, it's something like some sort of Spanishy sort of name.
JOHN HAWES. How very international.
GRAHAM CLULEY. Sorry, slightly off topic.
JOHN HAWES. Anyway, yes, so he started this job in October. He's not been very visible in that role since he was given it. But this last week or so, he's been doing a European tour with Sheryl Sandberg, going around talking to politicians and people like that. And anyway, so he gave a speech the other day as part of this tour to a room full of journalists and policymakers and influencers in Brussels. He spent a lot of time defending the ad-supported role model that Facebook operates.
CAROLE THERIAULT. And Google.
JOHN HAWES. Right. Oh, you know, we could charge for things, but then, you know, all the poor people won't be able to use it. So advertising is much better. And it's how the internet works, I think he said. And also TV and newspapers and things like that. And he talked a little bit about the data economy and how that was a growing thing and how Facebook was a big part of it and it was going to be very useful for the world in the future. Oh, really? He talked a little bit about all the efforts they're making to restrict bad content, terrorism and hate speech and things like that, and particularly fake news, obviously, and fake accounts with all the political shenanigans that have been going on, Cambridge Analytica and all that.
CAROLE THERIAULT. This seems a little flip-floppy from, you know, things like the Snooper's Charter and not supporting it. Doesn't it?
JOHN HAWES. Well, he's got a new job, you know, so he's got to start spinning a new line. That's what he's paid for.
GRAHAM CLULEY. Yeah, you've got to get Fernando through school, you know.
CAROLE THERIAULT. Does anyone have any good faith anymore? Does anyone stand for anything?
JOHN HAWES. I have to say, actually, in his speech he did come across as quite genuine and he was quite flexible. He was saying, look, yes, I admit this is quite bad, but, you know, we're trying to do this about it. And I'm not sure exactly how true it was.
CAROLE THERIAULT. You think Facebook is mending its ways? That's what you think?
JOHN HAWES. No, no. I think he was clearly well chosen as a person to make it look a little cleaner. Yeah, just because he's making—
CAROLE THERIAULT. because he's gonna stench off the pile of doo-doo.
JOHN HAWES. Yeah, yeah, yeah.
GRAHAM CLULEY. Well, look, he can say all he likes, and yes, he is a very nicely presented chap, and he seems like a decent fellow as well, but he alone isn't going to fix Facebook. He's not going to stop all the trolls, the fake accounts, the bad news which is on there, or the offensive material. There's been something in the press in the last week or so about a young woman who killed herself because of all these images of self-harm and so forth, which are still being found on Instagram. If Facebook and its sister companies wants to really improve its image, it's got to clean up that stuff.
JOHN HAWES. Well, he did. He talked about that a little bit as well. As always, you know, hiring more people to get more human involvement in the moderation and fact-checking and things like that, and also investing more in machine learning technologies to do it all automatically. So, but what his main point seemed to be throughout all of this was that it shouldn't be down to Facebook to deal with this stuff. Oh, it's the users' problem? No, no, they shouldn't be the ones who decide what the rules should be. Talked about they've set up an independent board to review free speech complaints, they're setting up an operation center on election integrity, but his central theme throughout it all was governments, seriously, you need to be setting some rules about what we can and can't do.
GRAHAM CLULEY. And they're just saying that because they know it's too complicated for governments to do that.
CAROLE THERIAULT. Well, they'll try and it'll take them forever and the bureaucracy is going to take forever. And if they helped, it would go a lot faster. And anyway, this really pisses me off.
JOHN HAWES. And he put a little caveat on that saying, please don't restrict data flow too much because, you know, you'll still damage all kinds of innovation and things like healthcare and stuff where big data is going to be very useful in future.
GRAHAM CLULEY. So we're not suggesting we should damage data flow too much. No, we're just suggesting Facebook. Let's just cut off Facebook at the knees, right? I haven't got a Facebook account. Carole, you're not on Facebook, are you?
CAROLE THERIAULT. No.
GRAHAM CLULEY. John, I can't imagine you're on Facebook either.
JOHN HAWES. I don't spend a lot of time on that. Right.
GRAHAM CLULEY. You know, and Instagram and WhatsApp and all of those. If you feed into the Zuckerberg—
CAROLE THERIAULT. You know, he owns 51% of Facebook. So he is like, he's properly the owner. That's not like Jeff Bezos or anything. He's— no.
JOHN HAWES. So yes, coming back to the financial side, so he very briefly touched on taxation. And in various— there was a few other interviews and stuff he's been doing this last week as well where he got slightly less friendly questioning, and a lot of people obviously brought up the whole tax thing and why Facebook doesn't pay much tax. And he brought that back to pretty much the same point, saying that, you know, it's not Facebook's job to volunteer to pay tax. You as governments should be fixing this. You should be setting some rules that can handle things like Facebook, which I think is actually true and is correct and is the only possible way forward. And I think should in the long term have a much bigger impact on the internet and security in general, because once governments get together and set some kind of global system that can handle companies the size of Facebook, alongside that you have to also have not just tax regulation but also laws and crime prevention. Because at the moment, if someone attacks someone in America from a computer in Russia via another computer in Japan and steals the money that the American's been keeping in Sweden and transports it off to China, you know, you can't just call your local Bobby. You need the world police to do that.
CAROLE THERIAULT. And okay, and that's a while away. What I'm hearing in what he's saying is we are a company. Our design is to get as much as we can and give out as little as possible. And we do not want to have to do the right thing. Ethically or morally. We want to do the right thing legally. And right now it's a fricking wild west and we want to be free to take advantage of that without getting our wrists slapped.
JOHN HAWES. So, well, but he's also saying, please make sure that at some point you actually implement some kind of—
CAROLE THERIAULT. yeah.
JOHN HAWES. So Facebook has done a nice little PR exercise here and they've put out some talking points. But for me, the big point is that we do need much better global regulation of the internet and these giant companies, and governments don't want to hear that because it basically means the purpose of a government is to be in charge, and you don't want to admit that you're too small to be in charge of something anymore.
CAROLE THERIAULT. Well, why don't you wait to hear my story and see if you change your mind on that?
JOHN HAWES. Alright then.
CAROLE THERIAULT. It might enlighten you.
GRAHAM CLULEY. Alright, well, Carole, you've teed it up nicely. What's your story for us this week?
CAROLE THERIAULT. Well, for my story we head to Japan. This is the land of deliciously slurpy ramens and sci-fi toilets with built-in butt sprays and dryers. You've been on one of those, haven't you, Cluley?
GRAHAM CLULEY. Not this morning, but yes, in the past.
CAROLE THERIAULT. But whatever your thoughts on Japan, it's a country where people enjoy the fourth largest life expectancy in the world.
JOHN HAWES. That's all that sushi.
CAROLE THERIAULT. Of 84 years. Can you guess, actually, guys, can you guess what might be a country that beats Japan?
JOHN HAWES. Is it like Nepal or something?
GRAHAM CLULEY. Oh, good guess. Nope. Iceland?
CAROLE THERIAULT. Get 3 guesses. Nope.
GRAHAM CLULEY. More than Japan?
CAROLE THERIAULT. Yep. So people live longer than in Japan. There's only one I think you might get.
JOHN HAWES. The Vatican. No, a lot of very old folks there.
CAROLE THERIAULT. So, but you know what, you're on the right, you're on the right, uh, the right path. First one's Monaco, then Hong Kong and Macau. So interesting. Um, you always get interesting facts from me. So Japan is getting its glad rags on and putting on a bit of face slap ahead of the 2019 Rugby World Cup and 2020 Olympics. And all manner of gentrification and improvements are afoot. Two of Japan's biggest 24-hour convenience store chains have said they will stop selling porn magazines ahead of the two world-class events. The stores fear that this could give a negative impression.
GRAHAM CLULEY. Be inconvenient.
CAROLE THERIAULT. People are going to be so disappointed. Darn it.
JOHN HAWES. Well, no, I've been to Japanese convenience stores and they quite often have basically a porn aisle. You get one for a cup of soups and one for, you know, your everyday basics, your milk and eggs and cheese. And then the other one is porn.
GRAHAM CLULEY. Do Olympic athletes tend to go into a convenience store to buy a porn magazine just before?
CAROLE THERIAULT. Graham, I think we're talking about the 20 million tourists that are showing up.
JOHN HAWES. Yes, it's all about—
GRAHAM CLULEY. Oh, I understand.
CAROLE THERIAULT. I understand.
JOHN HAWES. Giving a good impression of the company. They did this. They had a either was it a Winter Olympics or was it World Cup, I think they had there a while ago. I'm not sure this is strictly true. I just heard this from someone I knew out there. They temporarily banned the sale of magic mushrooms during the event, which no one at the time knew that magic mushrooms were even legal in Japan. They kept it very quiet. But while all these foreigners were there, they made it illegal and then they overturned the rule when everyone left.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Now apparently not all bogs are high-class gizmos, right? Thousands of public ones are actually squat loos, where there's a pan or a bowl on the floor.
JOHN HAWES. But you have little footmarks to show you where to put your feet.
GRAHAM CLULEY. What is your obsession with lavatories?
CAROLE THERIAULT. Well, it's interesting. It's interesting because they're concerned that these squat loos will be stressful for tourists. Maybe I'm just thinking—
JOHN HAWES. They are quite stressful.
CAROLE THERIAULT. I would find that stressful. And so they're going to be replaced by Western toilet models.
JOHN HAWES. Okay. Yeah, not the super fancy ones with the dials and the knobs.
CAROLE THERIAULT. Actually, if you had to squat, it must be a really good thigh workout.
JOHN HAWES. It's all poop related.
GRAHAM CLULEY. Carole, is there any security content at all in what you're telling us?
CAROLE THERIAULT. Yes, I'm teeing it up now. And Japan also wants to improve cybersecurity ahead of these big sporting events. So I took a peek at Japan's 2018 cybersecurity strategy. There's a link in the show notes for anyone interested. And one of the big focus areas is the establishment of an international delivery model for addressing vulnerabilities in IoT devices. So this is a fancy schmancy way to say we need to figure out a way to fix the growing problem of insecure and vulnerable IoT devices all over the land.
GRAHAM CLULEY. Okay, sounds good.
CAROLE THERIAULT. According to Koji Nakao, government advisor on cybersecurity and guest professor at Yokohama University, so, you know, a knowledgeable dude, one would presume, one of the big reasons that these IoT devices are vulnerable is because they use very simple user IDs and passwords. And he says the typical end user— this sounds very familiar to us here in the West as well— the typical end user has poor knowledge of cybersecurity. They connect and forget, relying on default passwords provided maybe with the device. And he says most people in Japan wouldn't have a clue how to update it. So all these millions of devices connected all around Japan, and they're all holding a ton of information, private and sensitive and all that. And the big worry is that too many of them are vulnerable and they could be compromised by some malicious code or an attacker today or in the future.
GRAHAM CLULEY. Mm-hmm.
CAROLE THERIAULT. So what does a country do when it wants to educate its users on being better with passcodes and user IDs? So you expect them to launch a splashy media campaign, right, on password hygiene. But Japan went a different route entirely. They've approved a rather radical approach to dealing with this problem just this past Friday. So starting in a few weeks' time, Japan plans to crawl the Japanese internet, hammer away at IoT devices in homes and in offices all around Japan to break in, to break into them. And here's the gist. Using an exhaustive list of passwords, the National Institute of Information and Communication Technology, NICT, will attempt to break into devices by hammering away at these usernames and passwords.
JOHN HAWES. Presumably the first thing they're testing there is not whether your password is any good, it's whether your device allows you to try tens of thousands of passwords until it lets you in. Surely it should lock you out after 3 attempts or something.
CAROLE THERIAULT. Webcams and routers are where they want to start, and they plan to attack hundreds of millions of these devices. And when they successfully gain access to the device, the owner will be contacted and advised on how to improve security measures. The researchers at the institute admit that it will potentially be possible that they might unintentionally gain access to webcam images or stored data.
GRAHAM CLULEY. Oh, that's fine.
CAROLE THERIAULT. But they say it would be a violation of the constitutional rights to privacy if those identities were revealed. So note that it doesn't say that they see it, it's just as if they release that information. And the many articles I read on this all include assurances that this is all for the betterment of the country's cybersecurity defenses. Naturally.
GRAHAM CLULEY. Oh, so this sounds a little half-baked.
CAROLE THERIAULT. Thorny little nest of ethics here, isn't there?
GRAHAM CLULEY. First of all, yes, there is the ethical concern of should they even be hacking in at all? Are they going to access other countries' devices? And how will the other country feel if this organized Japanese government effort to access their IoT devices is spotted and how they might respond to that. Maybe not be— well, but how are they going to contact the owners of these devices to tell them to improve their security? How are the owners of these devices going to respond if they are contacted at all, if that's possible? Are they even going to understand what any of this means? It seems weird.
JOHN HAWES. How do you— if someone came to me and said, oh, your webcam allows me to try 10 million passwords before it locks me out. I can't fix that.
CAROLE THERIAULT. Yeah, yeah, exactly. That's true. Now, both of you have not mentioned the big question that came to me immediately. I was like, whoa, is this even legal, right? Is this legal? And apparently it is. So reportedly, a revised law went into effect last November which gives the NICT the authority to gain access to people's devices over a 5-year period.
JOHN HAWES. Yeah, so they were getting ready for this.
CAROLE THERIAULT. No, they've been getting ready for it since they created their smashing security strategy in 2018. So all the things you mentioned, Graham, I worry too. Like, how do you know? Who are you gonna contact exactly? And are you just gonna snoop at the information you've accessed to find out the identity so you can contact them? Is that how they're gonna do that? Right? And then aren't they setting a dangerous precedent here? Like, so many people would definitely not want their governments having full access to all their private day-to-day stuff. And why should they? And what, what if you don't trust your government? Right?
JOHN HAWES. Well, hopefully with most things you can actually, you can kind of log in without them going through all the data that's available in it.
GRAHAM CLULEY. You don't have to, you don't have to sit and watch a webcam for 8 hours to know that. You would imagine that they're logging in, they're accessing the admin panel and maybe they can initiate an update, for instance, a firmware update or something like that, if that is required. But this, it's weird, this sort of resetting the passwords and telling people what—
JOHN HAWES. That's a whole nother step is if once they're in there, do they then go and fix any problems themselves?
GRAHAM CLULEY. Right.
JOHN HAWES. Oh, right.
GRAHAM CLULEY. Yeah, yeah, yeah.
CAROLE THERIAULT. From the stuff I've read, I didn't see anything on that. It was all about contacting the owner, but that is another big can of worms. I'm sure that will be eventually how it is that they can go in and just change stuff or remove stuff or add stuff as—
GRAHAM CLULEY. And break stuff.
CAROLE THERIAULT. Yeah.
JOHN HAWES. You get a letter in the post saying, sorry, your password was rubbish. Here is your new one.
CAROLE THERIAULT. Now, the other interesting thing I was thinking about is how do they compel people to care? I was reading all these—
GRAHAM CLULEY. Is the answer magic mushrooms? Is that how we're going to make them care?
JOHN HAWES. Actually, but that's a good point. How is this going to help with their appearance to all these visitors that are coming for the Olympics? You know, you wander around the country.
CAROLE THERIAULT. Connecting to people's Wi-Fi. I don't know, maybe people do. There's 20 million people expected, right?
JOHN HAWES. Yeah, but you don't kind of wander around the country going, oh, this is a rubbish country, all of these webcams have been hacked, you know.
CAROLE THERIAULT. Yeah, yeah, it's true. I, I think it probably might improve the country's overall cybersecurity posture, but I don't think the ends justify the means here at all in my book. I think in— You know, basically to ensure better privacy and security, we will compromise your privacy and security, and now it's legal for us to do so. And we're doing it in the name of good, so that's okay. So yeah, so while they live the longest, the Japanese, they are not the happiest. They're 56 out of 154, apparently.
JOHN HAWES. That's all the suicides.
CAROLE THERIAULT. Canada's 7th.
GRAHAM CLULEY. So this is another typical segment of Smashing Security. Something has gone terribly wrong with the internet and we're going to grumble about it.
JOHN HAWES. Isn't that what we're here for? Really?
CAROLE THERIAULT. Is that how you've reduced my work? I've put quite a bit of work into this. I don't know.
JOHN HAWES. I'm sure someone from the Japanese government is listening and they will change this.
GRAHAM CLULEY. I've heard we're big in Japan. Oh, that was in the '80s, wasn't it?
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. I think we should probably move on. To pick.
CAROLE THERIAULT. I shouldn't sing it yet.
GRAHAM CLULEY. And welcome back. Can you join us on our favorite part of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
JOHN HAWES. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part.
CAROLE THERIAULT. I like it.
GRAHAM CLULEY. Is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they like. It doesn't have to be security related necessarily.
CAROLE THERIAULT. Oh, no, it should not be.
GRAHAM CLULEY. And my pick of the week this week is a website. Well, actually, first of all, let me ask you, do you remember the '70s and '80s when you turn on the TV and there wouldn't be any programs on? This was certainly true in the UK. We didn't have programs all day long.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. And there would be something on the screen called teletext, or sometimes called Ceefax. And they had this in different countries around the world. It was beautiful. There's 24 lines of 40 characters. So like, it's like a blocky sort of pixely game. And it would give you information about the news or the TV listings. Pistons.
CAROLE THERIAULT. I remember it in the UK. I don't remember it when I was in Canada.
GRAHAM CLULEY. You were probably more advanced in Canada and North America.
JOHN HAWES. You probably had all-night TV.
GRAHAM CLULEY. Yeah, you probably had hockey reruns or something. The website I want to point you towards is called Teletext the World, which is a celebration of teletext.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. And specifically, it has a feature which I quite enjoyed where you can upload an image and turn it into its teletext version as it would have, because they were remarkably creative on that small palette. I've also included a little link to a YouTube video where you can see— we'll put this in the show notes— you can see some of the incredible things which can be done with teletext. And I've made images of myself and both you, John, and Carole.
CAROLE THERIAULT. Well, you've loaded my picture on a random website.
GRAHAM CLULEY. Well, you have been converted into teletext on the website via the website's image generator. And with your permission, Carole, with your permission, which wasn't granted, this is a picture which you have put on the Smashing Security website. I will post these on Twitter so people can see your teletext representations.
CAROLE THERIAULT. That's fine. I think my teletext representation is excellent, actually. I really like it.
JOHN HAWES. Yes, these are probably quite good for privacy because no one's ever going to recognize any of these people, right?
GRAHAM CLULEY. Your one is clearly you, John. There's no doubt that is you.
CAROLE THERIAULT. 100%. That must just definitely be John.
GRAHAM CLULEY. Anyway, I think teletext was fab. I enjoyed checking out this website and being reminded of teletext. And that is why Teletext the World is my pick of the week.
JOHN HAWES. Super.
CAROLE THERIAULT. Nice little pick of the week.
GRAHAM CLULEY. Thank you very much. John, have you got a pick of the week for us?
JOHN HAWES. I have, and I feel quite proud of myself actually, because it kind of connects back to my main story, even though I chose the pick of the week much longer ago than the whole Nick Clegg thing came out.
GRAHAM CLULEY. Is it a Nick Clegg 2019 calendar?
JOHN HAWES. It is not. It has nothing to do with actually Nick Clegg. So it's— I wanted to think a little bit about perspective. You know, sometimes it's important to take a step back and look at the bigger picture and just remember that probably your problems aren't that serious. And I have a few things that I use when I, when I feel the need for a little perspective, which I quite like to share with you. One of them is the Cosmic Eye video. Actually, all of these are quite old. This is from 2012. So I've been, I've been dipping in and looking at this every now and again for a long time. It's very famous. It's, it's, you know, it starts with a face and it zooms out and it goes face, person, building, city, country, planet, all the way out to universe and then all the way back in into the eye and then all the way into—
GRAHAM CLULEY. Oh yes, I remember this. It zooms. I'm watching it now. It zooms all the way out into the cosmos and then goes back into this woman's eye.
JOHN HAWES. Yeah. And then all the way down to the size of atoms and things like that. Okay. Which is very fun. It's only about 3 minutes long. I thoroughly recommend it. I have another one called ChronoZoom, which is a time thing. It's an academic project. Again, this is from 2012. Obviously sometime around 2012, I felt the need for a lot of perspective and I looked up a bunch of these things, which I've hung on to ever since. So this one does pretty much the same thing, but with time. So it's laid out various bits of timeline and you can— I recommend going to Humanity, where it shows you like the last 5,000 years where we've kind of documented history since we invented writing. And then if you click from that and then go to, I think it's Cosmos, and you watch it zoom out and it shows you how insignificant an amount of time humans have been around. It's kind of, kind of super. And then the third one, which is actually my favorite of the three, is a site called Wait But Why. They have a post from, again, from about 5 years ago. It was called Putting Time in Perspective, which is kind of similar to ChronoZoom, except that it's much more simple than—
CAROLE THERIAULT. Oh, it's quite fun.
JOHN HAWES. It kind of, it starts with, you know, a year and then puts that year into the last 30 years. And each time the previous graph shrinks down into the corner of the next one. And it does the same thing. Kind of goes through—
GRAHAM CLULEY. Oh, I like that one, John.
JOHN HAWES. History of humanity.
GRAHAM CLULEY. Yeah.
JOHN HAWES. Yeah. So that's brilliant. And I actually, the whole website, I thoroughly recommend. Their piece on electric cars is amazing. Amazing.
GRAHAM CLULEY. This is the Wait But Why website.
JOHN HAWES. Yeah, it's really, really good. Again, they don't do stuff very often. I'm not actually sure they're still doing stuff. They typically only put out something like every 6 months or something.
GRAHAM CLULEY. But I like in their banner, their banner image, they say new post every sometimes.
CAROLE THERIAULT. Yeah, that's very sweet.
JOHN HAWES. And they're very cute. They have lots of little cute little line drawn cartoons to illustrate things and lots of little graphs and things like that. But they do some amazingly kind of in-depth stuff, which is very recommended.
CAROLE THERIAULT. Cool. Okay, it's bookmarked. Thank you very much.
GRAHAM CLULEY. Your talk about perspective there, John, reminded me of something about perspective as well. Do you remember that Father Ted sketch where Ted speaks small, teaches far away? Yeah, with the cows. Very funny. I've just put the YouTube link in there for you. Right, Carole, what's your pick of the week?
CAROLE THERIAULT. Well, I kind of wanted to do Roger Stone's documentary, Get Me Roger Stone, because of everything that's been going on politically in the past few days with respect to the Nixon lover. But I think you did it already on a previous show.
GRAHAM CLULEY. I have spoken about it before.
CAROLE THERIAULT. Yeah, yeah, yeah, I think it was your pick of the week. So I have another political satirical mockumentary. Well, this is a mockumentary rather than a documentary. Jonathan Pye, and it's called Jonathan Pye's American Pie. Now, Jonathan Pye is not everyone's favorite, but I find him quite edgy and I like him. So, in this show, Jonathan Pye's American Pie, he plays a spoof news reporter. He kind of mashes together, you know, Louis Theroux's Weird Weekends personal deep dive bits and the furious blasphemy from Peter Capaldi in In the Thick of It. And the kind of Steve Coogan suaveness in Alan Partridge. So it's kind of like a mashup of those three, for real. And he pulls it off, I think, quite well. Not everyone thinks so. It's not perfect. But I was really glued to the script, to him, to how he was handling it. And I love how you kept seeing the cameramen behind people. Like, I don't know, there's kind of a behind-the-scenes feel to it that makes it— Great, I think.
GRAHAM CLULEY. It's easy to create a narrative that Donald Trump is just this orange buffoon. Very easy. Huge mistake. The people who voted for Donald Trump in 2016 are not having buyer's remorse. Sometimes we get fixated on, he can't have said that, the president can't describe African countries as shithole countries.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. You know, I mean, the words I've used on air, grabbing people's pussy. I mean, I've never said that. Not before in my career. Not in your career, not on camera. Plans for election night? Because we're all going to go and have a few beers on, you know, you can join us if you like for election night. What do you think I'm doing?
JOHN HAWES. I'm working.
GRAHAM CLULEY. I'm covering an election. Yeah, of course, sorry. Done well for yourself, John. Done well for yourself. Good to see you, John. Cheers. Cheers. Thanks a lot. Arsehole. What a dick.
JOHN HAWES. You dare dance?
CAROLE THERIAULT. Anyway, I say check it out. It's on iPlayer. It's an hour long. It did air on BBC Three, but don't let that put you off too much. It is worth it. And that is Jonathan Pye's American Pie.
JOHN HAWES. I've seen it. I quite liked it. Yeah. That's it. I didn't think it was hilarious. And I actually, I found him quite, I didn't like him at all to begin with, but he kind of grew on me through the thing.
GRAHAM CLULEY. I've seen some very short videos of his, which popped up on Twitter from time to time, often by people who think they were genuine news reports. Yeah, so I think that's how he made a name for himself, wasn't it? We're talking about some political things.
CAROLE THERIAULT. And yeah, and that's kind of interesting because I was just thinking when I was covering this, deciding to put it into the Pick of the Week, it's— I was suddenly going, oh, I wonder if satire is going to die because of fake news.
GRAHAM CLULEY. I think satire has died because you just can't send up reality any longer.
JOHN HAWES. The world's too crazy.
CAROLE THERIAULT. And it's such a sad thing because, you know, one of the reasons I moved to England was because you guys were pretty satirically wonderful.
GRAHAM CLULEY. Don't worry, Carole, everything's going to be wonderful. We have a glorious future lying ahead. I just feel sorry for Europe. I just don't know how they're going to cope without the United Kingdom. Poor, poor fellows.
CAROLE THERIAULT. You guys are still welcome to listen to our show no matter what happens. We're here.
GRAHAM CLULEY. And that just about wraps it up for this week. Thank you, John, for joining us. John, if people want to find out more about you or about AMTSO, what is the best way to do that?
JOHN HAWES. Thanks for having me. You can email .
CAROLE THERIAULT. God, how '90s.
JOHN HAWES. I'm very old school.
CAROLE THERIAULT. That's cool.
GRAHAM CLULEY. Well, you can find us on Twitter @smashinsecurity, no G. Twitter wouldn't allow us to have a G.
CAROLE THERIAULT. You can find us on Reddit at smashingsecurity.com/reddit.
GRAHAM CLULEY. And if you enjoy the show, please tell your pals.
CAROLE THERIAULT. Yeah, you could even leave us a review if you wanted.
GRAHAM CLULEY. That'd be nice.
CAROLE THERIAULT. Thanks to all of you for listening to the show, and thank you to our sponsors, Boxcryptor and LastPass.
JOHN HAWES. Is that it? Are we done?
GRAHAM CLULEY. Right, until next time, cheerio, bye-bye!
CAROLE THERIAULT. Later, bye!
JOHN HAWES. Bye!
CAROLE THERIAULT. Bye!
GRAHAM CLULEY. Um, excuse me, my phone's ringing. Ugh, someone from France. I told them I wasn't free.
CAROLE THERIAULT. Well, turn— why don't you turn off the ringer?
GRAHAM CLULEY. Well, I'm trying to do I'm going to do it without actually answering the phone because I have to pick it up.
CAROLE THERIAULT. It's on the side. To answer it.
GRAHAM CLULEY. Hang on, takes a while to turn off.
CAROLE THERIAULT. No, I'm alright. Are we all following at the moment?
GRAHAM CLULEY. Yes, I'm going to act out. I want to respond to that.
JOHN HAWES. Mm-hmm.
CAROLE THERIAULT. You're going to act out?
GRAHAM CLULEY. I'm going to act out right now.
JOHN HAWES. Right.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. Okay. I'm ready.
GRAHAM CLULEY. Hang on, they're going to contact the owners and tell them how to improve the security. How will they contact the owner?
-- TRANSCRIPT ENDS --