Office Depot and OfficeMax are fined millions for tricking customers into thinking their computers were infected with malware, car alarms can make your vehicle less secure, and facial recognition in apartment blocks comes under the microscope.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire's Dave Bittner.
Follow the show on Twitter at @SmashinSecurity, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: Dave Bittner.
Sponsored By:
- Recorded Future: For anyone who is baffled by threat intelligence, and the benefits that it can bring to your company, this is the book for you.
- "The Threat Intelligence Handbook" is an easy-to-read guide will help you understand why threat intelligence is an essential part of every organisation's defence against the latest cyber attacks.
- Download it for free at smashingsecurity.com/intelligence
- LastPass: LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
- But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
- Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Links:
- Is Office Depot diagnosing non-existent computer problems? — YouTube.
- Office Depot and Tech Support Firm Will Pay $35 Million to Settle FTC Allegations That They Tricked Consumers into Buying Costly Computer Repair Services — FTC.
- Alarming vulnerabilities in automotive security systems — The Cyberwire.
- Gone in six seconds? Exploiting car alarms — Pen Test Partners.
- The Landlord Wants Facial Recognition in Its Rent-Stabilized Buildings. Why? — New York Times.
- Brooklyn Landlord Wants To Install Facial Recognition Tech At Rent-Stabilized Complex — Gothamist.
- New key-less Moscow apartments use facial recognition to open doors and elevators — Achinect.
- Study finds gender and skin-type bias in commercial artificial-intelligence systems — MIT News.
- The woman who doesn't feel pain — BBC News.
- TVR Exploring — YouTube.
- Lost Dutchman's Gold — BBC Games Archive.
- Dirty John: The Dirty Truth — Netflix.
- A Complete Timeline of the Events of Dirty John — Harper's Bazaar.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
DAVE BITTNER. Now, what drew their attention to this initially was one of the vendors of one of these alarm systems put up on their website that the security of their system was unhackable.
CAROLE THERIAULT. Ah, see, red flag to a bull.
GRAHAM CLULEY. That's also like, which instills confidence, isn't it? When you see a claim like that.
DAVE BITTNER. Yeah, that is a hornet's nest you do not want to whack, right? Because when you say unhackable to a bunch of hackers—
CAROLE THERIAULT. Roll up your sleeves, lick your lips.
DAVE BITTNER. That is like red meat.
GRAHAM CLULEY. Yeah, oh really?
DAVE BITTNER. Watch this, hold my beer.
UNKNOWN. Smashing Security, episode 122: The Big Fat Con at Office Depot, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 122. My name is Graham Cluley.
CAROLE THERIAULT. I'm Carole Theriault.
GRAHAM CLULEY. Hello, Carole.
CAROLE THERIAULT. Hello, Grium.
GRAHAM CLULEY. Strange way of pronouncing my name. What a peculiar person you are. And we are joined this week by returning guest. One of our fan favorites is Dave Bittner from the CyberWire and Hacking Humans podcast. Hello, Dave.
DAVE BITTNER. Hello, hello. Nice to be back.
CAROLE THERIAULT. Fellow podcaster on the CyberWire and Hacking Humans.
DAVE BITTNER. Yeah, that's right.
CAROLE THERIAULT. I work with them as well because both of you do Hacking Humans.
GRAHAM CLULEY. So you both appear on that.
DAVE BITTNER. We do. Well, Carole does CyberWire as well. She's all over the place.
GRAHAM CLULEY. Oh, she is all over the place.
CAROLE THERIAULT. I can't get rid of her.
DAVE BITTNER. Yeah.
GRAHAM CLULEY. So Carole, what have we got coming up on the show this week?
CAROLE THERIAULT. Well, you, Graham, looks like you're going to get your IT ware serviced at Office Depot. Dave gives us the dirty down low on third-party car alarms. And I dive into a privacy dilemma specifically for apartment and condo dwellers.
GRAHAM CLULEY. Hmm.
CAROLE THERIAULT. All this and so much more coming up on Smashing Security.
GRAHAM CLULEY. I like how you script your hmm.
CAROLE THERIAULT. I know I did. I put it right in there.
GRAHAM CLULEY. Hmm. Now, chaps, chaps, we are all a little bit nerdy, at least, aren't we? I mean, we're into computers, we're savvy around the keyboard, we feel comfortable.
CAROLE THERIAULT. Not that nerdy.
GRAHAM CLULEY. But compared to the average person, compared to your Auntie Marge or she who works down the— She's not average.
CAROLE THERIAULT. Well, she's pretty awesome.
GRAHAM CLULEY. Is she? Oh, okay. But compared to the typical person, we probably know a little bit more. But there are so many people these days who are using computers and are dumbfounded when something goes wrong with them and they need some help. And if they don't have a nerd on call—
CAROLE THERIAULT. Or the nerd doesn't pick up.
GRAHAM CLULEY. Right. Yeah, yeah, totally. Tell me about it. Exactly. Oh, I recognize that mouth.
DAVE BITTNER. In my family, I say, I pick up the phone and I say, hello, Dave's Free Lifetime Unlimited Tech Support. Dave speaking. How may I help you?
GRAHAM CLULEY. Well, imagine you weren't related to Dave. What would you do? Chances are you might pop down to the local shopping mall and see whether there is a techie shop which is offering you a free PC health check.
CAROLE THERIAULT. Oh, like a Currys or something where they sell computers, that kind of thing.
GRAHAM CLULEY. Right. Or it's weird, isn't it, that Currys sell computers? I always feel that's—
CAROLE THERIAULT. Do they even exist anymore?
GRAHAM CLULEY. I don't think they do. They do exist, but I just think that's like trade descriptions. How can they advertise? They don't actually sell curries. But they do computers. It seems so wrong. But maybe in the United States you would go to a store like Office Depot or Office Max.
CAROLE THERIAULT. Oh yeah, I know Office Depot.
GRAHAM CLULEY. Right, where they have free PC health checks. And if you went there to get a free PC health check, or as they sometimes call it, a professional tune-up, and these are things which have been advertised on radio commercials and print and online.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. And normally they say, look, this is normally worth $19.99 or even as much as $60, but we're going to offer this to you for free if you come to Office Depot.
CAROLE THERIAULT. Ah, so the idea is bring in your computer, we'll do a quick scan on it, make sure it's, you know, make sure the basics are covered, and maybe you'll buy, you know, some printer paper.
GRAHAM CLULEY. Maybe you will, maybe you will, but you know, it's a friendly, generous thing to do.
CAROLE THERIAULT. Loss leader.
GRAHAM CLULEY. Yeah, you know, and obviously sometimes there'll be a problem with the computer as well, which, you know, they might be able to sell you some antivirus software or something.
CAROLE THERIAULT. Oh, totally. Yeah, good point.
GRAHAM CLULEY. So if you go in, you come across one of their experts and they will say, you know, when was the last time you had a professional tune-up done on your PC? I don't know what that means. No, well, that's the same with me. I've never had my PC professionally tuned up.
CAROLE THERIAULT. It's not a car.
GRAHAM CLULEY. So the answer is instantly you're just thinking, oh crumbs, you know, I haven't, you know, no, I've never done it. They can go, sharp intake of breath between the teeth.
DAVE BITTNER. You've never had your USB ports rotated?
GRAHAM CLULEY. Ooh. And so they run this program on your computer which will try and make your PC run faster or check for viruses, things like that. And the program they run, this PC Health Check program they run, first thing it does is it displays a message. It says, does your computer have any of the problems listed below? And it gives you 4 options. So it will either say frequent pop-ups or other problems preventing you from browsing the internet, or has it become much slower or too slow to use. There'll be a member of staff who's walking you through it, and so he's asking you questions. You may well be looking at the screen at the same time, but he or she is choosing—
CAROLE THERIAULT. doing the tune-up.
GRAHAM CLULEY. Yeah, well, an expert, exactly. It's a professional tune-up. You wouldn't be doing this on your own. And it then says, you know, have you been warned of a virus infection or asked to pay for virus removal, or does your PC frequently crash? As if a Windows computer would frequently crash.
CAROLE THERIAULT. Never seen that ever in my life.
GRAHAM CLULEY. So, and so you go through this process and maybe you answer some of those questions. Well, yes, that does something. My computer does crash sometimes. Sometimes, or it does seem a little bit slow. Well, the workers at Office Depot and OfficeMax— they're all part of the same company these days— they were selling this service, or rather they're giving this service away for free, but it was actually something which did bring in a decent amount of cash because at the end of the process, if there was a problem with the computer, they could sell you some kind of repair service. And PC Health Check was responsible for a substantial share of the store's tech service revenues. And in fact, staff were being encouraged all the time, if anyone comes through the door, really try and get them to bring their computer in so that we can take a look at it, work out what the problem is. Don't wait for them to come in with the computer saying they've got a problem, you know, encourage them, say, oh, you know, maybe you should get that checked out, let's make an appointment for you. Now, this PC health check software was created by a company called Support.com.
CAROLE THERIAULT. Sounds very legitimate and nice.
GRAHAM CLULEY. Yeah, they bought an expensive domain name there, probably, right? And support.com, they have a website where the Office Depot staff can download the latest version of PC Health Check, and it would keep a record of when the software was downloaded and used by staff, and it would send those records to the management of Office Depot, allowing them to monitor and compare different stores' performance. You know, how many health checks are going on, right?
CAROLE THERIAULT. So, you know, is Dave, who works at this Office Depot, doing enough of these tune-ups compared to everybody else?
GRAHAM CLULEY. Exactly.
CAROLE THERIAULT. Right. So it's like employee monitoring kind of thing.
GRAHAM CLULEY. Right. And many of the staff were being incentivized with like weekly goals as to how many PC health checks are you doing?
CAROLE THERIAULT. You too, employee of the week.
GRAHAM CLULEY. To be honest, this is all good, right? Because this is all helping people deal with problem PCs and maybe finding malware. You know, what could possibly go wrong with this? You know, it's fantastic news. What a great altruistic thing that Office Depot is doing. But, uh-huh, the PC Health Check software, when it did its quick malware scan, turns out it wasn't actually looking for any malware.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. It was actually producing a report describing the computer's security status as poor, and it would say it found malware symptoms or infections regardless of which checkboxes had been ticked. So if you remember at the beginning, I said there are 4 checkboxes at the beginning that say, does it sometimes slow down or does it sometimes crash? Any of those boxes were ticked, it would say you've got a problem and you've got a security problem, and you would be advised to get some costly, up to $180, diagnostic repairs protection service.
CAROLE THERIAULT. Hold on a second. Okay, so I go into Office Depot with my computer and I say, hey, something, check this out, you want to tune up, you're begging to look at it, here you go. They asked me one of those four questions. If I said no to all of them, nothing would happen, I guess. They'd say, oh, you're all fine. But if I said yes to any of them, it would just build a negative report on my machine saying it's infected.
GRAHAM CLULEY. It would show a little progress bar, as though it's scanning something.
CAROLE THERIAULT. As though it's scanning.
GRAHAM CLULEY. As though it was scanning something, and it would look at various things like the disk integrity, but including the security, and it would come up with the conclusion that your security was poor. And there was malware or malware symptoms on the computer.
CAROLE THERIAULT. Come with me. Let me bring you to the cybersecurity range available at Office Depot.
GRAHAM CLULEY. Understandably, in this day and age, people would be scared by that.
DAVE BITTNER. It's also kind of like asking a barber if you need a haircut.
CAROLE THERIAULT. Yeah.
DAVE BITTNER. Right?
CAROLE THERIAULT. Yeah. Yeah. Exactly.
GRAHAM CLULEY. Right. Yeah. And so you'd end up paying maybe up to $180 and you'd get your copy of McAfee and you'd get 12 months' virus removal from Sophos. Feeling relieved. Yes. You'd be so grateful. Thank the Lord.
CAROLE THERIAULT. Thank you for begging me to come in. You were so right.
DAVE BITTNER. You would be. I suppose you could make the argument that you would be leaving in a better position than when you came in, because now you might have some actual real antivirus running, whereas before you didn't.
GRAHAM CLULEY. You could say that. I mean, obviously you could also use some free antivirus or an antivirus of your choice, but it might be— I mean, $180 is a lot more than most people pay for antivirus software, isn't it? I guess that's because you've benefited from a professional tune-up, a professional check, which happened there.
CAROLE THERIAULT. You always trust that, those three little letters, pro.
GRAHAM CLULEY. So I dug into this and it turns out that from 2009 until June 2011, the Health Check software said your system could be infected with malware. For the next four years or so, it started to say it had found malware infections on your system. Regardless of there being nothing there. And then from October 2015, it said it identified potential malware symptoms. So basically over time, PC Health Check became more aggressive with some of its reports. And so it became a little bit scarier for some periods of time. But, but here's the thing. The companies knew about this. What?
CAROLE THERIAULT. Office Depot?
GRAHAM CLULEY. Office Depot. Office Depot had known about this since 2012. In May 2013, OfficeMax even warned its stores that it shouldn't run the software, shouldn't run the PC Health Check after PCs had been serviced, because if they did that, the warning message would come up. So if you brought in your computer to get fixed and they fixed it, they actually told their staff, don't run the check again because it'll still say there's a problem on the computer.
CAROLE THERIAULT. So it was all smoke and mirrors, the whole thing.
GRAHAM CLULEY. Yes, Support.com even contacted the sales management team at Office Depot to remind them. By the way, this is the way the software works. It's unbelievable.
CAROLE THERIAULT. It's really gross. So Office Depot, have you— they have them?
DAVE BITTNER. We do. Yeah, there's one right, right down the street from where I stand right now.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. Go shake your fist.
DAVE BITTNER. I will drive by and I will shake my fist angrily at them. Say, you rascals.
GRAHAM CLULEY. You won't be the only one who's annoyed because the staff working at the stores, they weren't oblivious to what was going wrong either. You know, some of them obviously were genuinely technical, rather than the typical person you meet in such stores. And some tried to blow the whistle. Some claimed it was deceptive practice. Some even left their jobs over this. Meanwhile, the ones who kept quiet were getting all these bonuses because they were bringing in the cash.
CAROLE THERIAULT. Oh, this is so disgusting. Oh.
GRAHAM CLULEY. Now eventually, in November 2016, one of these guys working at Office Depot went to the CBS TV show This Morning. And said he blew the whistle, right? And they went undercover, they took computers into the stores to see what would happen. They even bought brand new computers from one Office Depot, drove around to the next Office Depot with that new computer, and were told, oh, oh, I love it, this is dodgy, poor security on this one. And I've actually got a clip right here where you can see some of that report. Office Depot technicians repeatedly told us our computers were infected and that they could fix them for a hefty fee.
DAVE BITTNER. Actually, it looks like it's $180, right?
CAROLE THERIAULT. Okay, so this is what I need to get rid of that malware.
GRAHAM CLULEY. The only problem? All the PCs were brand new and fresh out of the box. We even purchased one of the new computers. There you go, guys, at Office Depot. But when we brought it to technicians at a different store, malware symptoms were found in the machine. Office Depot employee Shane Barnett says his bosses ignored his repeated warnings and were more concerned about sales and quotas.
DAVE BITTNER. I refused to do it. They're like, you have to hit these numbers. I'm like, I'm not going to make things up so you can hit your numbers. I'm not going to do it.
GRAHAM CLULEY. So really astonishing practice.
DAVE BITTNER. Well, and this is the sort of thing I think we've seen with auto repair shops before, where I've seen this exact same thing where your consumer advocate on your local TV station will— they'll take a brand new car just taken off the lot, and they'll take it over to a repair shop, and they'll get a little old lady to drive the car, or someone who, you know, looks like they might be an easy mark for these repair scammers. And they'll say, oh gosh, you know, you got a problem with your, uh, you know, your pressure release valve on your, your widget wadget.
GRAHAM CLULEY. And my dipstick had to be recalibrated once.
DAVE BITTNER. Yeah, how interesting that computers are the new frontier for this, right? I guess not that new.
GRAHAM CLULEY. I think that's a great comparison, though, because I mean, I know I'm absolutely clueless about cars. And, you know, I wouldn't have a clue, you know, if someone said to me, oh, something's wrong. I actually, actually, I had to pay a bill at a garage just this week. And they were listing all these things. And it's just like, well, I don't know. You know, I'm just gonna have to give you the money. I don't know if that's a reasonable amount of money. I don't know if that was actually a problem.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. And I guess it's the same for most people when it comes to computers. These are highly technical things which do require sometimes some maintenance, but that's out of the bounds of the typical user, isn't it? That's something they're not capable of doing.
DAVE BITTNER. Right. Don't have someone you can run things by. Well, you're going to be susceptible to these things.
GRAHAM CLULEY. Well, Support.com, who wrote the PC Health Check software, and Office Depot and Office Max, they made millions, tens of millions of dollars in revenue from this PC Health Check program. And until it got onto the TV screens, it'd been going on for something like 7 years, this scam. This week they have agreed to pay. There's been an FTC settlement, $25 million Office Depot is going to pay, and Support.com has agreed to pay $10 million for what they've done. They're not admitting any guilt. Well, the FCC say that those funds are going to be used to provide refunds to consumers. But I don't know quite how that's going to work out. But it's— well, so all we need is a punishment for this depot. I don't know what that should be.
CAROLE THERIAULT. Dave will moon them when he drives by next time.
DAVE BITTNER. Well, I do that already. I mean, that's standard operating procedure.
CAROLE THERIAULT. While driving? That's pretty hard.
DAVE BITTNER. I'm a man with many skills, Carole.
GRAHAM CLULEY. Dave, what's— Hitch up your trousers and tell us. Oh, thank you very much. What's your story for us this week?
DAVE BITTNER. Good thing we're not on YouTube. Um, my story comes from a company called Pentest Partners. Uh, they provide third-party testing and they provide verification of security. So these folks at Pentest Partners, they took a look at third-party car alarm systems. So we hear stories about people, uh, with these, uh, fancy key fobs that can be cloned and someone could run off with your car.
CAROLE THERIAULT. Well, drive off.
DAVE BITTNER. Right, yes, thank you for that.
CAROLE THERIAULT. If you're carrying it, then wow.
GRAHAM CLULEY. That's right, that's right.
DAVE BITTNER. So people will install third-party alarm systems to try to make their car more safe. And what Pentest Partners found was that some of these systems could actually make your vehicle less secure. Now what drew their attention to this initially was one of the vendors of one of these alarm systems put up on their website that the security of their system was unhackable.
CAROLE THERIAULT. Ah, see, red flag to a bull.
GRAHAM CLULEY. Yeah, that's also something which instills confidence, isn't it? When you see a claim like that.
DAVE BITTNER. That is a hornet's nest you do not want to whack, right? Because when you say unhackable to a bunch of hackers—
CAROLE THERIAULT. Roll up your sleeves, lick your lips. Yeah.
DAVE BITTNER. That is like red meat.
GRAHAM CLULEY. Yeah. Oh, really?
DAVE BITTNER. Watch this. Hold my beer. So what they did was they went and they purchased several of these systems and they fitted them to cars that were owned by some of the people who work there. And as everything does these days, these systems have an app, right? Everything has an app.
GRAHAM CLULEY. Oh yeah, you gotta have an app.
DAVE BITTNER. You gotta have an app. And that's where the trouble was. So the apps, turns out, had what's called an IDOR vulnerability. Graham, does that mean anything to you?
GRAHAM CLULEY. It's an insecure direct object reference. Yes. Are you impressed?
CAROLE THERIAULT. No.
DAVE BITTNER. I am very impressed. Carole, are you impressed?
GRAHAM CLULEY. No. It's not a peephole in a hotel room door. It's an eye door. No. Yes. But what it is, is it's a thing. So it's where you're passing a parameter, which may be like the user ID and maybe in like a number. And simply changing the number allows you to access someone else's account or information. So it's a very sloppy way of protecting accounts.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. Yeah.
DAVE BITTNER. Right. Right. So the app had this vulnerability and basically what this meant was that the bad guys could get into someone's account. They could change that person's password. They could lock out the original user and have control of the alarm system's functionality. And speaking of functionality, you could use the app to first of all, search by vehicle type. So you could say, "I would really like to have a Land Rover." Okay. So you could look up and see Land Rovers.
CAROLE THERIAULT. So I see, let's say I see 50, I guess.
DAVE BITTNER. Yep.
CAROLE THERIAULT. Okay, then.
DAVE BITTNER. Yep, and you find one that's close to you on the map.
CAROLE THERIAULT. Oh, you have a GPS coordinate?
DAVE BITTNER. It tracks GPS real time.
CAROLE THERIAULT. Oh, gosh.
DAVE BITTNER. So you go, you find this vehicle, and you take over the account for it.
GRAHAM CLULEY. Yeah.
DAVE BITTNER. And once you have control of the account, you can set off the alarm. You can trigger the immobilizer. You can unlock the car doors. On some of these cars, you can kill the engine while the car is in motion.
GRAHAM CLULEY. Oh, that's not a problem.
CAROLE THERIAULT. Kill the engine?
DAVE BITTNER. What?
GRAHAM CLULEY. Why would you want that functionality anyway? Why have they built that in?
DAVE BITTNER. That is in there in case someone steals the car, that while the bad guy is driving the car away, you can shut the car down.
CAROLE THERIAULT. And he's pressing on the gas.
GRAHAM CLULEY. But I think that maybe that could be abused by someone.
DAVE BITTNER. No, no. Now, it gets better. And by better, I mean worse. Some of these systems have a built-in microphone to allow for SOS-type calls. And guess what the bad guys can do with a microphone?
CAROLE THERIAULT. Oh my God, can they eavesdrop?
DAVE BITTNER. They can!
GRAHAM CLULEY. No way! They can!
DAVE BITTNER. They can snoop on the passengers in the car through the mic. On some cars it also gives them access to the CAN bus. Are you guys familiar with that, with what that is?
GRAHAM CLULEY. No.
DAVE BITTNER. So the CAN bus is on modern cars, it is the internal network that the car uses for all the different systems to communicate with each other. You have, for example, some cars these days have automated cruise control. So the cruise control can communicate with the brakes, with the accelerator, with different sensors on the car, and they all tell each other, this is what's going on. Turns out that that system is unencrypted, and messages can be sent around in the clear on the CAN bus. So guess what happens when you give the alarm system access to the CAN bus? You have control over things like the brakes.
GRAHAM CLULEY. Oh, it's a good job these alarms are unhackable, isn't it? Yeah.
CAROLE THERIAULT. Thank God.
DAVE BITTNER. That would be a problem if they were.
GRAHAM CLULEY. Thankfully, the marketing team have assured us that it's unhackable. You know, we think it would be better if we said unhackable rather than hackable. You know, the nerds are like, well, I don't think you can really say that. Yeah, just leave it to us. Thank you. We're building the website. Yeah.
DAVE BITTNER. Pipe down, nerd boys.
CAROLE THERIAULT. There's such irony in this too, isn't there? Like they're saying, we're going to keep your car more secure by actually putting your life at risk.
GRAHAM CLULEY. Yes. You've spent money getting this other lock, the other alarm system and the app and all the rest of it, thinking I'm going to secure my car better and it's made it worse.
DAVE BITTNER. So, uh, fortunately there is a happy ending to this story. Pentest Partners did reach out to the companies involved, and to their credit, uh, all the companies fixed these things within a matter of days. The, the vulnerabilities were easy to find, easy to fix, and they turned it around quickly and pushed out updates. As with everything, there could be people out there who have not yet updated their systems, uh, and they estimated that there could have been about 3 million people who were vulnerable based on the number of installations. But yeah, really an interesting story. I actually interviewed one of the guys who did the research here, so if you're interested in hearing more about it, one of our CyberWire Research Saturday shows, you can go look it up. I guess we'll have a link in the notes as well. He tells the story, and it's a doozy. It's quite a story. Yeah, yeah.
CAROLE THERIAULT. Graham, you know what, when he was talking about CAN buses or whatever, I was just thinking you should ask Dave next time you have a car problem. He seems to know a lot more than we do.
GRAHAM CLULEY. Do you often have a bit of oil on your hands? You a bit— are you a bit like Cooter in The Dukes of Hazzard?
DAVE BITTNER. Oh yeah, that's me, all right. Good, good.
GRAHAM CLULEY. Yeah.
DAVE BITTNER. That's right.
GRAHAM CLULEY. Krow, what's your story for us this week?
CAROLE THERIAULT. So I think the three of us all own houses, or at least we're in the agonizing process of handing over incredibly large chunks of money of our paychecks to pay for these said houses. And homeownership is really the American dream, isn't it? I mean, who wouldn't want to spend weekends trying to evict a zillion wasps from their attic or unclog a stinky drain? Or repave the driveway. I mean, so fun, guys.
GRAHAM CLULEY. So that's useful.
DAVE BITTNER. Living the dream. Living the dream.
CAROLE THERIAULT. And it's a pretty different lifestyle to those that live in condos or apartments because you don't need to worry about maintenance so much. I mean, I guess you pay for it, right? You pay a fee and then it gets all taken care of. And that means you can actually go to the park and do something fun instead of all these crazy jobs. And there seems to be a growing trend towards renting, and the reason is pretty simple: many people can't afford to buy where they work. Take the tech sector. They're a well-paid bunch comparatively, right, compared to other industries. And San Francisco is a big tech hub. Can you guess how many potatoes the average home in San Francisco costs?
GRAHAM CLULEY. So they buy things with potatoes now in San Francisco?
CAROLE THERIAULT. Yes. Read the news, Graham. Read the news.
DAVE BITTNER. Inflation's really bad.
CAROLE THERIAULT. So, yeah, $1.6 million is the average house price in San Francisco.
DAVE BITTNER. Wow.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. And the average detached home in London, Cluley?
GRAHAM CLULEY. I have no idea.
CAROLE THERIAULT. Almost a million quid. 900 quid. Really? Yeah. So about a million dollars.
GRAHAM CLULEY. Insane.
CAROLE THERIAULT. So how many people in tech can afford those prices? Right. And if the techies can't afford it, you got to consider all the backbone of society, right? Teachers, cabbies, artists, cops, podcasters. We don't stand a chance. So all this to say, more and more of us are renting. But it seems that there's an unusual situation that renters might be facing that private house owners do not.
GRAHAM CLULEY. Is it where to keep all the potatoes? Is that the challenge?
DAVE BITTNER. Your potato larder.
CAROLE THERIAULT. Exactly. Yeah, you don't have a basement. Actually, it's an ethical dilemma and I thought we could noodle on it. So, so in the news this week was the Atlantic Plaza Towers. Now this is a 700-unit rent-stabilized apartment complex in Brooklyn. And they recently sent out letters to tenants saying they would soon be introducing facial recognition.
GRAHAM CLULEY. Oh, marvelous.
CAROLE THERIAULT. They had a flyer from the management and it said, "Your daily access experience will be frictionless, meaning you touch nothing and show only your face. From now on, the doorway will just recognize you." So they didn't obviously hire a very expensive marketing firm to do that one. So the idea is that, yeah, this is the way to go, facial recognition. Now the apartment complex already has 24-hour security in its lobbies. And a functioning camera system. So the question is, why is management forcing tenants to submit photographs for its new facial recognition system? Not all tenants are super pleased with this. Some of them are quite peed off, and they're talking to the housing rights attorneys and logging complaints. And I don't know, I wanted to know what you guys think. Do you think it's different having facial recognition versus CCTV? Because CCTV is kind of an invasion of privacy. So it's not a privacy thing so much. But facial recognition—
GRAHAM CLULEY. CCTV is introduced typically to improve security, isn't it? That's the argument, isn't it: if something bad happens, we'll have a record of it and we'll be able to follow up on it because we'll have some sort of video content which we'll be able to give to the cops. Right.
CAROLE THERIAULT. Like if the cops came over and said, we'd like to see the CCTV footage from this time to this time, you can then look at it. But they are the ones who are coming to do the work. It's not basically taking a picture of every single person saying, uh, Dave Bittner at 9:02 has walked into the building.
DAVE BITTNER. And it's also not making your access to the building contingent on the ability to recognize you. With CCTV, I can wear a hat and sunglasses and a fake beard, and not that I do that every day, but I could, and, uh, and still go about my business. With this, I couldn't get in the building without it actually recognizing who I am.
CAROLE THERIAULT. Exactly. And there's another really interesting thing. So this New York Times journalist, Ginia Bellafante, wrote on this story a few days ago. And she says, "It is not an accident these systems would arrive in otherwise low-tech disadvantaged communities like Atlantic Plaza Towers." Comment was left there like that. And I thought, well, maybe these people are less likely to complain than say the hoi polloi living on Fifth Avenue. Right? It's going to be hard to find a replacement place to live. And then there's this other weird problem that comes up. Facial recognition may not be that reliable. Some studies that have been done by Stanford and MIT find that gender and skin type bias is alive and kicking. So an examination of facial analysis software showed an error rate of 0.8% for light-skinned men, but 34% for dark-skinned women. So if 10 dark-skinned women walked in front of it, it would get 3 to 4 wrong.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. So, golly, if that— does that mean that if the facial recognition system doesn't recognize you because you happen to be a darker-skinned lady living in a rent-controlled apartment, can you not access— can you not get access to the building?
GRAHAM CLULEY. So are they purely going to use facial recognition? There's no sort of backup system? There's no, well, if it won't let you in, you can use this fob, or you can ring the bell to get the security guard.
DAVE BITTNER. That's what I would imagine would happen, is the security guard is there also, just in— They'd have to be. Because what happens if you're outside the building and someone is out there chasing you or trying to do something bad to you, and you can't get in because it doesn't recognize your face? Well, now the apartment complex is in big trouble.
CAROLE THERIAULT. Yeah, exactly. Yeah, if Monique from apartment 920 can't get in her apartment, because the facial recognition system just says, "Oh, you're not her." I mean, what happens if, you know, something happened to your face, like you fell over, Graham, right?
GRAHAM CLULEY. What if? Yes, yes. Or what if I grabbed Dave Bittner in a headlock, had him under my arm, and yanked his head up to the camera to let me in?
DAVE BITTNER. Keep going.
GRAHAM CLULEY. Is that your dream? Huh?
DAVE BITTNER. I'm sorry.
GRAHAM CLULEY. I said it out loud. Yeah.
DAVE BITTNER. All right.
CAROLE THERIAULT. Another similar project, not without its own controversy, is called Project Greenlight. This is in Detroit.
GRAHAM CLULEY. Smashing Security.
CAROLE THERIAULT. This is a system of monitored interconnected security cameras outside businesses. It's been going for about 3 years. It's kind of a pilot to see if all this interconnectivity will help reduce crime. It started with only 8 businesses, but now 400 businesses in the area are involved. I read somewhere, but don't quote the number, but I seem to remember somewhere it said that crime has gone down 11%. They're claiming because of this system. Now, it gets interesting because the Detroit Housing Commission and police are ironing out an agreement that will bring 26 real-time— that's what they call them instead of facial recognition— real-time cameras to Sheridan Place 1 and 2. These are two high-rise towers on Jefferson Avenue that cater to elderly and near-elderly community. And one of the problems is it needs a mobile phone. And not everybody, especially those that are older, have access to smartphones. Once again, it's like a security— security seems to be pitted against privacy.
DAVE BITTNER. I think there's an important component of this, which is for the three of us here talking, you know, three middle-aged white people, it'd be easy for us to overlook that there's a racial component to this, particularly here in the US, where in these rent-stabilized apartments, you have a high percentage of these folks are going to be people of color, and they are rightfully sensitive to being kept track of by the police. Surveilled.
CAROLE THERIAULT. Yeah.
DAVE BITTNER. Surveilled by the police, by ICE. So I think there's a compelling case to be made that whether or not, regardless of the legality of this, that they have a justifiable sensitivity to this sort of surveillance.
GRAHAM CLULEY. Just to be devil's advocate for a second on that point though. If they had a fob or some other electronic means for gaining access to the building, that could be recorded as well. So that would just as easily say, oh, Brian Smith just entered the building at 7:03 PM or whatever, in the same way that facial recognition would. But for some reason, facial recognition gives us the jeepers a little bit more, doesn't it?
CAROLE THERIAULT. It does.
DAVE BITTNER. But also, if my cousin Lenny wants to get in the building, yeah, I can loan him my fob.
GRAHAM CLULEY. Yeah. Yes.
DAVE BITTNER. And I can't do that with, with facial recognition.
CAROLE THERIAULT. The fob is not compiling a list of my biometrics.
GRAHAM CLULEY. And don't forget John Travolta and Nicolas Cage when they swapped faces.
DAVE BITTNER. Well, there's that.
GRAHAM CLULEY. That got very confusing, didn't it?
DAVE BITTNER. That's not at all an edge case. No, that could happen.
CAROLE THERIAULT. I don't know. I think unless people make a stink about this, I think it's going to be the accepted norm sooner than later. And I think it's really unfair that people that live in apartments or in condos, I don't think it's even actually just for renters. I think anywhere where you have a shared space, this is now something that can be asked of you if you want to live in that building. It can be demanded of you as part of your contract.
GRAHAM CLULEY. And furthermore, facial recognition systems, you know, there seem to still be headlines about them being fooled or tricked into thinking they're seeing someone and they're actually seeing someone else instead. You know, there's ways to get around them. And I can't imagine that they're going to have a terribly expensive, top-quality system in this particular property.
DAVE BITTNER. And when they say they're not going to share any of this information with anyone, well, my response would be, prove it.
CAROLE THERIAULT. We're unhackable, right? No one's gonna get to our very, very secure, unhackable servers.
GRAHAM CLULEY. If you're baffled by threat intelligence and how it might be able to help secure your company, the Threat Intelligence Handbook from Recorded Future is the book for you. It'll tell you what threat intelligence is and what it isn't, and you'll learn how other firms are applying threat intelligence inside their organizations. Grab it now for free at smashingsecurity.com/intelligence.
CAROLE THERIAULT. Quote: "Most business security breaches are the result of one thing: sloppy password practices. Effective enterprise password management is a must to ensure that your employees are properly protecting their accounts." Unquote. That's my co-host Graham Cluley. This is what he says on the LastPass Enterprise page. And most of you know how much I hate to admit when he's right, but he is. Sloppy passwords are a huge contributor to security breaches within an organization. The way to manage that is get a password manager, and the one we recommend is LastPass Enterprise. Check it out at lastpass.com/smashing. On with the show.
GRAHAM CLULEY. And welcome back. Can you join us for our favorite part of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
DAVE BITTNER. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever they wish. Doesn't have to be security-related necessarily.
CAROLE THERIAULT. Better not be, boys.
GRAHAM CLULEY. And my pick of the week this week comes from the Scottish Highlands. Aye, it's a Breard Brook McTaggart tonight and a Bonnie Hoots McGonigle, because I'm going to tell you about a 71-year-old woman called Jo Cameron, and she apparently, according to media reports, is one of only two people in the world known to have a rare genetic mutation. No, not a mutation that makes her Scottish, a mutation that means she feels no pain at all.
CAROLE THERIAULT. Oh, yes, there's only one of two in the world.
GRAHAM CLULEY. So she— so it is claimed by no less an illustrious organ than the BBC News website. Oh, so I'm going to believe them.
CAROLE THERIAULT. Yeah, I, I I listened to a show on BBC, actually, all about— there's a big pain research center in Oxford, actually, that does this kind of stuff, and there was someone in there that didn't feel any pain. Maybe he was the other person.
GRAHAM CLULEY. There's a pain research center in Oxford? What do they get up to?
CAROLE THERIAULT. Yeah, at one of the universities. So they basically shock you and do different levels of pain. Some of it can be quite intense, and then it's to help to see, understand if this— how a shockwave that I could take would make you pass out. Yeah, right?
GRAHAM CLULEY. So is it electric or is it— Yeah, electric. They drop something on your foot or what? What do they do?
CAROLE THERIAULT. Yeah, they have a sledgehammer. They have a sledgehammer and they sledgehammer your hand and then they see how you react.
GRAHAM CLULEY. Is this legal to inflict this kind of pain?
DAVE BITTNER. Well, you got to read the eulogy. It's in there.
GRAHAM CLULEY. It's the sort of thing you expect business executives to pay good money for. But you're saying this is some research project.
CAROLE THERIAULT. Anyway, I was stealing your story.
GRAHAM CLULEY. Go back to your story. All right, no, I'm fascinated. Anyway, Jo Cameron, apparently she only realises her skin is burning when she's doing the ironing, when she smells the singed flesh. Wow.
CAROLE THERIAULT. It's like Heroes, the woman in Heroes, the girl in Heroes.
GRAHAM CLULEY. The cheerleader, save the cheerleader, save the world. It also means that she never feels anxious or afraid. So there's some good aspects to it potentially.
DAVE BITTNER. Oh, wow.
GRAHAM CLULEY. She only figured out she was different when she was about 65 because she was having some operations for osteoarthritis and the doctor kept asking her, you know, are you in any pain? They kept on sending her to hospital because she would walk and she'd claim her hip would come out. And the hospital would say, well, does it hurt? And she'd say no. So they said, well, come back when it hurts. And her hip would keep popping out. And eventually they thought, we've got to get rid of this woman. We'll X-ray her. And they thought, oh, you've actually got quite serious problems. But the no pain gene has meant that she wasn't aware of them. So it's quite an interesting little story. About actually how important pain can be.
DAVE BITTNER. I read this story this week too, and I think it's fascinating. And the other little details that caught my eye, one was that she doesn't scar the way most people do.
GRAHAM CLULEY. Really?
DAVE BITTNER. And also, because of her lack of anxiety, she spent some of her professional career working with folks who have developmental disabilities, who could be violent or unpredictable, and it just didn't bother her. She was fine where other people would be upset or would feel anxious about this, she could just roll with it and just be fine.
GRAHAM CLULEY. Well, I don't know what she did for a living, but it seems to me that maybe she should have been hired by someone like the SAS or Delta Force to go into dangerous places and sort out the baddies. You know, because she would have been like Schwarzenegger, wouldn't she?
DAVE BITTNER. Yeah.
GRAHAM CLULEY. Anyway, get this. This is the thing, the little detail which really interested me. Dave, what's your pick of the week?
DAVE BITTNER. Well, I have a fascination with abandoned things.
CAROLE THERIAULT. And I was thinking dirty socks, tissues.
DAVE BITTNER. But no, no, no, no, no, no, no. Like how you're driving along in the country and you see a house that has fallen into disrepair. And I wonder how could that happen? How could something as substantial as a house, something with as much value as a house, a beautiful farmhouse? How does it fall into disrepair? And not long ago, I was watching a video on YouTube I'd wandered across where someone was exploring an abandoned house, and one thing led to another, and the next thing I knew, I was watching videos with people who were exploring abandoned gold mines in the American West. Now, I didn't know this was a thing, but I found myself fascinated with this and hooked on these videos. And I've included a link to one of my favorite gold explorers, and his channel is called TVR Exploring. And he goes through— they find these old abandoned gold mines, and these can be 100 years old, and some of them are quite dodgy. They're— these are risky places to be. And they go back hundreds of thousands of feet into these mountains, and there's pits, and sometimes they'll find old abandoned ore carts and boxes full of dynamite and things like that. Yeah, yeah, I was watching one of them and I was trying to figure out why do I like these so much? Why is this so much fun for me? Why is this thrilling? And the guy who does these, he came to— he was in one of these mines and he's going down this long, long tunnel and he gets to a split in the tunnel. There's a fork in the road, right? There's a tunnel going off to the left. There's a tunnel going off to the right. And he says, well, which way should I go? And then it struck me. Graham, do you remember the first game you ever played on a computer?
GRAHAM CLULEY. Very first one.
DAVE BITTNER. Like an 8-bit computer, you know?
GRAHAM CLULEY. Yeah, they were— they were like text games because they weren't video— like text adventure games.
DAVE BITTNER. Like Zork. Right, exactly.
GRAHAM CLULEY. Yeah, yeah, yeah, twisty windy passages.
DAVE BITTNER. Well, the first game that I remember playing on a TRS-80 Model 1 was called Lost Dutchman's Gold. And it was— you would go and explore in an old abandoned mine and you were looking for the Lost Dutchman's Gold. And so I found myself thinking when we're at this fork in the road in this video and the guy, which way should we go? And I found myself thinking, go east, go east, get lantern. I'm playing along.
GRAHAM CLULEY. It's like, oh my, watch out for the grue.
DAVE BITTNER. There's a monster just around the corner.
GRAHAM CLULEY. So spelunking. That's what you're doing. You were spelunking.
CAROLE THERIAULT. Yes.
DAVE BITTNER. Now.
GRAHAM CLULEY. Yes.
DAVE BITTNER. Turns out you can play Lost Dutchman's Gold online. And I have a link for it here. The original text adventure game. It is available. It's a UK site, BBC Micro.
CAROLE THERIAULT. I'm starting now. I'm playing right now.
GRAHAM CLULEY. Oh, it's in a little emulator in your browser and it's like it's emulating a BBC computer. This is fantastic.
CAROLE THERIAULT. Yes. I hope you don't end up a ghost like me.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. Press space.
GRAHAM CLULEY. Do what? There's saddlebags. I'm going to get the saddlebags.
DAVE BITTNER. Yeah. Imagine 10-year-old version of me being completely drawn in by this. And I was hooked from that point on. So that the combination of videos exploring old mines and the Lost Dutchman's Gold text adventure game combined to make my pick of the week.
GRAHAM CLULEY. This is totally cool, Dave. I'm playing it right now. And the language is like, rather than say, I can't do that, it says, I can't tell what you want. It's really in character. It's fantastic. So, Crow, what's your pick of the week?
CAROLE THERIAULT. So some of you might have enjoyed the Dirty John podcast. I may have actually had it as a pick of the week in the past. So it's produced a few years back by Wondery. And it's not porny. It's a fascinating look at crazy human behavior.
GRAHAM CLULEY. What's the premise of the show? I haven't heard Dirty John.
CAROLE THERIAULT. Dirty John? Well, Dirty John is about this guy called John Meehan. He's like a pretty good-looking medical professional who seems to really have a way with the ladies. Or does he just really know how to pick his targets? You need to decide. So, I think that Wondery was able to sell its rights to Netflix, because Netflix last year put together an 8-part, I don't know, drama on Dirty John. Wasn't my favorite thing. But a few weeks ago, they put out a Dirty John documentary. It's called Dirty John: The Dirty Truth. And this is like face-to-camera interviews with all the people closest to John Meehan and what role they played in it and how they were impacted by his behavior.
DAVE BITTNER. So is this— this guy's a pickup artist?
CAROLE THERIAULT. I kind of don't want to give it away.
DAVE BITTNER. Oh, okay.
GRAHAM CLULEY. I kind of—
CAROLE THERIAULT. because it's kind of— because it's kind of shocking. It's a bit— you remember Staircase, Graham? We watched that. It's kind— it's much shorter. It's only like an hour and a half or so. So it's— it's on par with that. Like, you're just— I was watching with my husband. We'd stop it and just go, what the f—
GRAHAM CLULEY. and can we just watch the documentary if we haven't heard the— yeah, yeah, yeah, totally.
CAROLE THERIAULT. Okay, totally. Oh, okay.
GRAHAM CLULEY. You want to watch the drama, do it first, then listen to the entry.
CAROLE THERIAULT. Don't do it the other way around.
GRAHAM CLULEY. Drama, shama, llama.
CAROLE THERIAULT. Yeah, yeah. Um, so yeah, so my pick of the week is all things Dirty John related. Go to Netflix or go to Wondery to hit up the podcast. Um, and I actually will— in the show notes, I'm also going to put an article from Bazaar that actually details out the timeline, because once you've read it and, you know, listened to it or watched it, you're gonna go, what?
DAVE BITTNER. How?
CAROLE THERIAULT. And then when they have it all outlined, you're like, aha. So I hope I have piqued your interest.
GRAHAM CLULEY. You have intrigued me, Carole.
CAROLE THERIAULT. Yeah, I think you'll like it, Mr. Cluley. I think you'll like it.
GRAHAM CLULEY. Okay, I may well check it out in the next couple of days. Thank you very much. And that just about wraps it up for this week. Dave, thank you for coming on the show this week. If people want to find out more about you and what you get up to, what's the best way to do that?
DAVE BITTNER. You can go to thecyberwire.com to find out everything there. I am @DaveBittner on Twitter.
CAROLE THERIAULT. Bittner on Twitter.
GRAHAM CLULEY. Superb. And we are on Twitter as well. We're at @SmashInSecurity, no G. Twitter wouldn't allow us to have a G. And we have an active discussion group up on Reddit. You can get to our subreddit very easily by going to smashingsecurity.com/reddit.
CAROLE THERIAULT. And hat tip to this week's Smashing Security sponsors, LastPass and Recorded Future. Their support helps us give you this show for free. And thank you, lovely listeners. Where would we be without you? If you like what you hear and you want to help us grow, tell your friends about the show or leave us a nice review. It all really, really helps.
GRAHAM CLULEY. And you can check out smashingsecurity.com for past episodes and for details how to get in touch with us. Until next week, cheerio, bye-bye.
CAROLE THERIAULT. Bye. Right, take the sec— take sector. Take the tech sector. It's hard to say. Take the tech sector.
-- TRANSCRIPT ENDS --