This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault
See, Graham, that's called humility. That's what that was, and it's very, very attractive in people.
Graham Cluley
Alien concept.
Carole Theriault
FYI.
Brian Honan
Yeah.
Unknown
Smashing Security, episode 124: Poison Porn Ads, The A-Word, and Wipro with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 124. My name is Graham Cluley.
Carole Theriault
I'm Carole Theriault.
Graham Cluley
Hello, Carole.
Carole Theriault
Hello, Graham.
Graham Cluley
It's good to be back, and here I am in full voice again.
Carole Theriault
Oh yes, we couldn't wait. No, it was a bit, you know, there was a lot of time last week, actually. You know, there was a lot more time than we're used to.
Brian Honan
Yeah.
Carole Theriault
We didn't have to do the show in full.
Graham Cluley
Did you like that?
Carole Theriault
No, I missed you.
Graham Cluley
You missed me. Oh, and we're joined this week. Very odd. We're joined this week by a special guest. It's Ireland's tallest leprechaun, independent consultant Brian Honan. Hello, Brian. How are you?
Brian Honan
Hey, Graham and Carole. Thanks for having me on.
Carole Theriault
So glad you've made it onto our show.
Brian Honan
Yeah, we've been trying to do this for a while, so I'm looking forward to it. Be gentle.
Graham Cluley
So Brian, you are one of Ireland's leading security experts? You're always in the press. You're speaking at conferences. You're a pretty big deal, aren't you?
Brian Honan
Well, I would never say that.
Graham Cluley
You jealous?
Brian Honan
I'd never say that, but I try and contribute where I can.
Carole Theriault
See, Graham, that's called humility. That's what that was. And it's very, very attractive in people.
Graham Cluley
Alien concept.
Carole Theriault
FYI.
Brian Honan
Yeah.
Graham Cluley
Carole, what's coming up on this week's show?
Carole Theriault
Well, on this brand new episode of Smashing Security, Graham, you're heading to the casinos to hang out with a few high rollers. Brian heads to India to give us the lowdown on some nasty data breach. And I'm diving headfirst into a sea of digital assistants. This and so much more coming up on Smashing Security.
Graham Cluley
So chaps, I am going to start off this week with a quiz.
Carole Theriault
Cool.
Graham Cluley
Yeah, good fun, eh? Now you two are going to be working together. You're on a team together. I am the quiz master. I'm going to say a word.
Carole Theriault
Of course you are.
Graham Cluley
Of course I am. You can run your own quiz if you want to ask me questions. I'm going to say a word and you're going to consult amongst yourselves and tell me what the word means without looking it up.
Carole Theriault
Without what?
Graham Cluley
Without looking it up.
Carole Theriault
Okay.
Graham Cluley
Right. Without doing anything like that. No cheating.
Carole Theriault
Wait, you want to just embarrass us on—
Graham Cluley
No, I'm testing your knowledge. Maybe you'll be able to work it out because you're both clever people. Okay. First up. What does macrophilia mean? Macrophilia?
Carole Theriault
Well, okay.
Brian Honan
I think that's easy enough. That's someone who likes large spreadsheets. A big fan of Clippy.
Carole Theriault
Yeah, exactly. A lover of the big.
Graham Cluley
A lover of the big.
Carole Theriault
Yeah. Are we right?
Graham Cluley
A love of big things.
Carole Theriault
Yeah.
Graham Cluley
Like the Eiffel Tower or something like that.
Carole Theriault
Yeah. Or I don't know. You know, big, strong, hunky men.
Graham Cluley
Well, according to my internet research, yes. According to my internet research, not just ordinary big people. It's especially big people. It's not basketball players. It's like Attack of the 50-Foot Woman. So if you had a particular thing about being crushed by a huge woman, you might be a macrophiliac.
Carole Theriault
My husband is 6'4". Does that make me a macrophiliac?
Graham Cluley
No, that's pathetic. He really needs to work harder.
Carole Theriault
6'4" is nothing. I'll let him know.
Graham Cluley
We've got Ireland's biggest leprechaun on the line right now. He's not going to be impressed by that, is he?
Carole Theriault
What is he, 5'10"?
Brian Honan
6'3".
Graham Cluley
Okay.
Brian Honan
Close.
Carole Theriault
There you go.
Brian Honan
Boom.
Graham Cluley
Next up, next up is spectrophilia. Spectrophilia. Any ideas on that one?
Brian Honan
Spectra.
Carole Theriault
Sets you a sight.
Brian Honan
James Bond, Spectre.
Graham Cluley
Oh yeah, no, but almost. Oh really? Almost kind of Spectre, possibly.
Carole Theriault
It's obviously love of—
Graham Cluley
It's a love of something, isn't it? It's a love of ghosts. So people who want to—
Brian Honan
Oh yeah. Oh.
Graham Cluley
People who want to get down and dirty with a phantom.
Carole Theriault
What are you doing all the sex stuff with? -philia doesn't mean— These are all our fetishes.
Graham Cluley
All right, next. Flatulophilia. Flatulophilia.
Brian Honan
I don't even want to go there. That smells terrible.
Carole Theriault
I think you're trying to trap us. Yeah. Okay. I think it's flutes. Lover of flutes. Flautists?
Graham Cluley
Lover of flautists. Blow it, I suppose. But anyway, it's—
Brian Honan
Well, guys, this is going out in Ireland, and flutes have a completely different connection in Ireland, particularly on this topic. Yes, they do.
Carole Theriault
Do they, Mr. Leprechaun?
Brian Honan
They do, yes.
Graham Cluley
I play the flute a bit. Would it be unwise for me to play the flute in Ireland, or would that be—
Brian Honan
In public it would be, yes.
Graham Cluley
Okay. I've opened the innuendo door. And finally, hibernophilia. Oh, sorry. It's to do with farting. Hibernophilia. Hibernophilia?
Brian Honan
People who love Irish people. People who like sleeping.
Graham Cluley
You're absolutely right!
Carole Theriault
Really?
Brian Honan
Oh, wow.
Graham Cluley
We all love Irish people and the Irish culture here. So we're all hibernophiliacs. Now, if you're interested in exploring your particular sexual fetish online—
Carole Theriault
Whoa! This has jumped, this has jumped left.
Graham Cluley
No, because these are all potentially sexual fetishes, which I've meant. Now, if you're interested in exploring any of those by visiting porn sites, I strongly recommend that you install an ad blocker first, right? Makes sense to install an ad blocker. In fact, I think we'd agree that it probably makes sense to install an ad blocker most of the time you're on the internet, not just on porn websites.
Carole Theriault
Yeah, yeah, advertising, loads of reasons for it. Yep.
Graham Cluley
Now, it would have been particularly helpful to you if you wanted to protect yourself from a criminal scheme run by a British criminal called Zain Qaiser.
Brian Honan
That's a good old English name.
Carole Theriault
Yeah. Zain?
Graham Cluley
Now, Zain or Qaiser. Zain or Qaiser. He's confused me now. Zain Qaiser from Barking in Essex. He was living the high life, which probably means he managed to get out of Barking in Essex. He was booking himself into high-end hotels. He was buying drugs. He was hiring prostitutes. He was buying £5,000 Rolex watches, and he was spending £68,000 in just one London casino.
Brian Honan
So, like all good criminals, he was keeping a low profile.
Carole Theriault
Exactly. A responsible individual.
Graham Cluley
Well, yeah. You know, well, he was doing quite well for himself. I mean, all that despite being registered unemployed and living with his mum.
Carole Theriault
Lovely. Lovely.
Graham Cluley
You know, he was living quite an adventurous life. Now, you may be wondering, how on earth did he manage all that?
Carole Theriault
I'm guessing there's something legal coming up.
Graham Cluley
He was using the online handle of King where the I was an exclamation mark because he was cool like that.
Carole Theriault
Oh, I like that actually. I'm gonna give him a hat tip for that.
Brian Honan
Do you? It's a change from a Y.
Graham Cluley
It's like an upside down I. Yeah. He hooked up with a bunch of Russian cybercriminals when he was in his late teens and he dreamt up a dastardly scheme. He was a computer science student, so he knew his way around a computer a bit, but he was young, but he was also fairly intelligent and, you know, able to string a sentence together. And he used those skills to build up a variety of bogus identities and fake companies. And he posed as a legitimate online advertising agency. So what he was doing was he was running an ad company saying, look, I've got customers who want to advertise things. He was going to other advertising agencies and adult websites and saying, can I book ads on your advertising network? And they were saying, oh, yes, please.
Carole Theriault
Okay.
Graham Cluley
However, the ads which he was putting on these websites and some very big pornographic websites were themselves poisoned with the Angler exploit kit, which is a notorious exploit kit which takes advantage of vulnerabilities on unpatched computers to try and infect them with malware.
Carole Theriault
So this is what we would call malvertising, right?
Graham Cluley
Yeah, exactly.
Brian Honan
And which is why you have ad blockers.
Graham Cluley
Exactly. And that's why you have ad blockers to block these kinds of ads, as well as stop tracking and things like that. So the end result is that unpatched computers visiting these porn sites were infected by ransomware, which included Reveton. And Reveton is not a piece of ransomware which encrypts your files, but instead it locks up your computer, displays a message claiming to come from the FBI or the UK police, and saying that they've realised that you've been committing offences online. Maybe you've been viewing child abuse material, it may claim, and that you need to pay a fine before your computer will be brought back to normal operation, before your computer will be unlocked. Which is a pretty scary thing to happen to people, you know, because even if you haven't been looking at that kind of material, you're not going to want to take the computer down to the local computer store to go and get fixed.
Carole Theriault
Is it morally less bad that they're doing this on porn sites than on normal sites? Or not?
Graham Cluley
I don't think so, really.
Brian Honan
People shouldn't be punished for visiting pornography sites by getting ransomware. And actually, I saw a study about a year or so ago which showed that many church websites hosted more malware than pornography sites did.
Carole Theriault
Jeez.
Graham Cluley
So you may not take your computer down to the local computer shop. You certainly wouldn't take it down to Office World or Office Max, where we heard about those times ago. Well, just if you go listen to our episode from a couple of weeks ago, you'll remember about the scam they were pulling on people. So you don't necessarily trust them. But the computer infected with Reveton would say you have to pay maybe up to $1,000 worth of cryptocurrency in order to unlock your computer.
Brian Honan
It'd be cheaper to buy a new PC.
Graham Cluley
It would be, exactly. So Qaiser was managing to infect computers and he was splitting the proceeds with his Russian-speaking buddies who were likely responsible for Reveton and the Angler exploit kit, and other criminals around the world who were helping him launder the cash. And he was making really quite a lot of money. He made hundreds of thousands of dollars. Some estimates have said way over $700,000 he managed to make from this, and possibly even more which has never been accounted for. And the interesting thing is these ads, of course, which were being distributed by legitimate ad agencies and on legitimate, albeit pornographic websites, were not going unnoticed. And the advertising agencies would sometimes come to Qaiser's company and say, "Hey, we've noticed some of the ads you're giving us are infected. Do you think you could clean up your act a little bit?"
Carole Theriault
Oh, but come on, Graham. The guy made $700,000 or something, and they happened to notice occasionally? Surely it would happen right away that someone would alert them to this. Well, you'd certainly hope so, wouldn't you? It's not always obvious which advert has actually infected you, of course. I'm sure they weren't looking super hard.
Brian Honan
Well, this is often the problem with websites using ad agencies as well, is that they take the ad agencies or the brokers at face value that the content and the ads they provide are clean.
Carole Theriault
Good old supply chain issue.
Brian Honan
Exactly. And we've seen it with many websites where one in ten adverts, one in twenty may actually contain malware, but the agencies aren't reviewing the content or checking to make sure it's clean. So it's important that websites do secure that supply chain and make sure the providers have the controls in place to keep the ads malware-free.
Carole Theriault
Fair point.
Graham Cluley
Yeah. And I think there is this assumption all the time that the pipes will be clean.
Brian Honan
Yeah. Especially on the pornography sites.
Graham Cluley
Imagine doing this in your own home, right? Imagine if you couldn't trust that the water coming into your house was actually going to be clean. And one in fifty times that you turned the taps on in the bath, out of the taps rather than water would come, I don't know, porridge or snot or some other kind of effluent.
Carole Theriault
Porridge or snot?
Graham Cluley
Well, yeah, okay. I'm just thinking, you know, taking nothing for granted.
Carole Theriault
Spitballing here, spitballing.
Graham Cluley
But it would obviously be unpleasant if that was to happen that regularly, just as it does with advertising networks. I might say, you know what, I'm going to have a water blocker just like I have an ad blocker. And in future, I will have a big tank up on top of my house full of San Pellegrino, and I will purely wash in Evian and San Pellegrino from now on. And the bubbles might be funny as well. But somehow we just put up with this rubbish being drizzled out to us via all these websites, which isn't being properly checked.
Carole Theriault
I think most of our listeners do use ad blockers, you know?
Brian Honan
Yeah, but most of our listeners do, Carole, but I'd say many of the people out there who would trust websites to have clean content would not have ad blockers in.
Carole Theriault
Maybe we should have a campaign. Every listener go out, introduce an ad blocker to one innocent person out there. Help them, save them.
Brian Honan
Even the not so innocent, they all should be protected.
Carole Theriault
Even those going to porn sites.
Graham Cluley
Like I said, a couple of these ad-brokering firms noticed and asked Qaiser to stop the dodgy adverts. One Canadian firm did just that. Do you know what his response to them was? He said, "It'd be much better if you cooperated with me. Really, it's just better if we work together. We can make some serious money together. It's my way or no way, the king!" with an exclamation mark. "It's for the eye. He's back," he said. And then when they rejected, when they said, "No, you know, we don't want to spread malicious ads," he then launched a denial of service attack against the ad agency.
Carole Theriault
Trying to force their hands.
Graham Cluley
Yeah. And said to the director of one of the firms, "I'm going to kill your servers and then I'm going to send porn spam abuse complaints about your site as well." What a charmer.
Carole Theriault
Oh, Zain is not a very nice guy.
Brian Honan
No, criminals tend not to be.
Graham Cluley
Clearly, this was a highly organized campaign by Qaiser and his buddies. They managed to fleece millions out of unsuspecting internet users. They exploited these highly popular porn websites as well. But I think there's really a kind of irony here that none of the visitors to these sites would have been affected at all if they'd taken the simple precaution of enabling an ad blocker in their browser, which are typically free as well. But Qaiser, meanwhile, he's going to be spending the rest of his, well, next six years plus in jail as a result of this.
Carole Theriault
Yes, focusing on his, what he did wrong here. He's not going to plan his next heist as soon as he gets out.
Graham Cluley
Well, let's hope not.
Brian Honan
But while we're on the topic of ransomware, I know it's quite prevalent and we focused here on what's known as police ransomware, identifying individuals, but there is lots of other types of ransomware out there. Europol, the EU's police intelligence agency, has partnered quite a lot of the security companies and certs and researchers around the world to have a website called nomoreransom.org, which is a free website that provides advice and information on how to prevent your systems being infected by ransomware. And if that should happen, they also enable you to download the decryption keys for some of the ransomware strains out there as well. So it'd be a good resource for some people to have in their arsenal in the event they ever have to deal with any ransomware attacks.
Graham Cluley
Absolutely. We'll put a link to that in the show notes. It is a tremendous resource. Obviously not all ransomware can be decrypted, but some can be. And if you don't have backups or if you're unable for whatever reason to restore from a backup, it's well worth going to the nomoreransom.org website to see if they have some advice or a tool, a safe tool to try and decrypt your files.
Carole Theriault
Good tip.
Brian Honan
Absolutely. And if you don't have backups, the first thing you do at the end of this podcast is go and do some backups.
Carole Theriault
Yeah.
Brian Honan
And do some more.
Carole Theriault
Still waiting, Graham, for you to come over and do that. You know, it's been over a year now.
Brian Honan
All right.
Graham Cluley
Okay. Maybe I'll, yeah. All right. So we all run an ad blocker, don't we?
Brian Honan
Yeah, absolutely.
Carole Theriault
Yeah.
Graham Cluley
And how do you feel when websites try and say, oh, you know, would you pretty, pretty please disable your ad blocker so that we can, you know, make a little bit of money because the content we're putting out is...
Brian Honan
And on my
Graham Cluley
As someone who produces content on my own site, I don't have ads on my site, but I can kind of sympathize with them that they want some way of making cash.
Brian Honan
mobile phone as well.
Graham Cluley
It just feels like ads are so grubby these days, all the tracking that's going on that I don't feel happy enabling my ad blocker or disabling it.
Brian Honan
I'm the same. And it's not just ads. It's all the pop-ups. You know, you go to read an article and you have to click through 4 or 5 pop-ups. And do you want to subscribe to this list? You want to do this? This, that, and the other, and the experience doesn't become very pleasant. And to be quite frank, if a site says, you know, you can't read our article unless you disable your ad blocker, I go, okay, I'll just see, can I Google the article somewhere else or get it from Google Cache? But I do have sympathy with large sites, etc., who look to generate revenue online. But until there's some way we can make the internet a safe and secure place those organizations will have to try and think of ways to better improve the experience.
Graham Cluley
Exactly.
Carole Theriault
It's not good enough. It's not good enough yet.
Graham Cluley
It's really up to the ad networks, isn't it, to up their game and properly police this stuff or give us great big barrels full of San Pellegrino.
Brian Honan
Well, yes.
Graham Cluley
Brian, what's your topic for us this week?
Brian Honan
Yeah, my topic this week came to light thanks to the most effective and probably famous intrusion detection system we have known as Brian Krebs. And it's to do with a large outsourcing firm based out of India called, I hope I pronounce this properly now, I don't know if it's Wipro or Wipro, W-I-P-R-O, where they have, are said to be investigating reports that their own IT systems have been compromised. So they're the third largest IT outsourcing company in India. And assuming that they have been a victim of a multi-month intrusion. So they've had a breach for quite a few months. They're saying that it may be state-sponsored. And obviously what the big question mark this raises is that if their systems are compromised, their customer systems could also similarly be compromised as well, because lots of information will be traveling to and from Wipro and the customers, and also maybe having access into those systems for network monitoring or delivering IT services as well. So it's going to be very interesting to watch this one play out. But it kind of builds on the theme of your piece there, Graham. It's the good old supply chain again. We need to keep, make sure our supply chains are secure and that whatever agreements we have in place with our partners and vendors, that you maybe you've got them contractually obliged to notify you if they suffer a security breach that could impact your services and not wait till Brian Krebs puts a story out that they can react to.
Carole Theriault
And so what if Wipro said, you know, people obviously been contacting them saying, you know, tell us more about the breach? Are they, are they all over it? Are they being responsible with information, or—
Brian Honan
Well, they've said— here's a statement from a spokesperson saying that Wipro has a multi-layer security system. The company has robust internal processes and a system of advanced security technology in place to detect phishing attempts and protect itself from such attacks. We constantly monitor our entire infrastructure, heighten our alertness to deal with any potential cyber threat.
Carole Theriault
So, oh, that is the most— I would find it so offensive to get that as a message if I was a customer.
Brian Honan
It's a non-statement, isn't it? Now, I don't know if that's a statement that they're giving out to the customers or that's just the one that they gave to Brian Krebs to say, you know.
Graham Cluley
I think there has now been an update actually.
Carole Theriault
Okay.
Graham Cluley
So we're recording this on Tuesday the 16th, which is the day that they're reporting that quarterly results as well, which is slightly wonderful timing for them. Following the Krebs story, they have been approached by some media. They didn't give Brian this quote, but they have been giving this to other media, and they said they have detected potentially abnormal activity in a few accounts belonging to their employees on the network who apparently were phished. And they say that they're investigating, they've identified the affected users, and they've taken remedial steps to contain and mitigate any potential impact. We don't know from this whether they are contacting affected customers. They may not even know which customers are affected now, but this is one of the problems, I think, is that many of us listening to this show may not have heard of Wipro, right? We might, we have no relationship with them.
Carole Theriault
It's huge though.
Brian Honan
They are huge.
Carole Theriault
They have almost 200,000 employees.
Graham Cluley
Right. Because many Western companies outsource their work to Wipro to do. I remember TalkTalk were using Wipro, for instance, and there was a big scandal a couple of years ago about TalkTalk customer service representatives abusing the database. It turned out it was actually people inside Wipro who were doing it. And obviously those people were fired and everything when it was investigated. But this does seem to be an ongoing problem. And I think you're absolutely right, Brian, about locking down and securing the supply chain as much as possible. You have to make sure that your suppliers are as secure as you are. But this isn't something you can purely do when you bring them on. You have to continually assess, are they doing the right job to make sure they maintain hardened and secure from attacks in future.
Brian Honan
Well, it's also interesting that in this day and age of the good old GDPR, what implications this will have not just for Wipro but Wipro's customers, because under GDPR, those customers could potentially be the data controllers who are responsible for personal data. And if any personal data of their clients or staff has been compromised in this breach, then not only are Wipro's customers potentially liable, but also Wipro themselves as a data processor could be potentially liable. So this could have large implications, not just from a cybersecurity point of view and supply chain, but also GDPR. So be interesting to keep an eye on this one, see what happens.
Graham Cluley
Absolutely. So I think we're not only concerned about the breach which has affected them, but who Wipro's customers are who may have been impacted by this, because then it may really come home to us, oh my word, you, me, Carole, whoever, you know, we are impacted by this too.
Carole Theriault
Yeah. It's not just some company in India that has been hacked. It could be one of the companies you've given your information to. Well, cheery. Thank you for that, Brian. Have you listened to the show before, Brian?
Brian Honan
Yes, I thought I'd bring it up a level.
Graham Cluley
Some gravitas. Yeah, no, good, good. Carole, what's your story for us this week? So we're interrupting the recording for a quick news update. Everything you've heard so far was recorded on Tuesday the 16th of April. Actually, it was recorded while the Wipro earnings call was going on, which was obviously quite awkward for them as they'd just suffered a security incident. Well, who do you imagine called into the earnings call? None other than Brian Krebs himself, the man who first revealed that they had suffered a security breach, and he was less than impressed that they had claimed some of the reporting of the breach was inaccurate. And so he asked for some clarification. Well, I managed to get a hold of a recording of the earnings call, and I've included it now for your edification.
Brian Honan
The next question is from the line of Brian Krebs from Krebs Security.
Carole Theriault
Please go ahead.
Brian Honan
Hi, yes, thank you. This is Brian Krebs from Krebs Security. I'm the reporter who wrote the story yesterday about the security incident at Wipro that was discussed earlier. Thanks for taking my question. One of the gentlemen speaking in response to a question earlier said the incident— said the original report in the news media was incorrect on several points. And I was just curious if you could clarify what points in the story were an error given that you guys made me wait 3 days for a statement which didn't address any of the points brought up by my sources. Could you also, could you just please clarify what points, you know, what points in particular were wrong about the story and also how would you clarify the current situation? You know, does Wipro believe that it has this situation under control? Where would you characterize the company in terms of its process of going through and finding out the extent of this incident? Thank you.
Graham Cluley
Hi, this is Manu here.
Brian Honan
So we can definitely clarify to you what we observed.
Graham Cluley
You know, we can have a separate conversation, right?
Brian Honan
You and I, we can set up the time with you on that call. At the same time, I do want to stick to the statement which I told you at the beginning of this call, that, you know, we have looked at the incident and we've taken the steps that are required to be taken, right? And we have continued investing in that.
Graham Cluley
Carole, what's your story for us this week?
Carole Theriault
I'll bring us back down to where we should be. Today I'm going to delve into the world of A-words. What? Not assholes, Graham.
Graham Cluley
Okay.
Carole Theriault
But the world of digital assistants that start with an A and rhyme with eczema. Does that work? Oh, it kind of works. Kind of works.
Graham Cluley
Anorexia.
Carole Theriault
That's right.
Graham Cluley
Yes, exactly.
Carole Theriault
Now, did any of you guys listen to the Gimlet podcast Sandra? I think it was one of my pick of the weeks previously. Oh, if it's your pickle— nice. No, no, I definitely did. Yes, same here. Same here for you.
Graham Cluley
It.
Carole Theriault
Well, it turns out that this sci-fi pod isn't so far from the truth. Last week, news broke that Amazon employs thousands of people around the world to eavesdrop and record what you say to the A-word digital assistants. So effectively, the team listens to voice recordings captured in the A-hole's e-hole speakers. Oops, I meant A-word, A-word, e-word speakers. Then the recordings are, quote, transcribed, annotated, and then they're fed back into the software as an effort to eliminate gaps in Alexa's— oops— in A-word's understanding of human speech and to help it respond better to commands.
Graham Cluley
Just to be completely clear here, Carole, you're not suggesting that when you speak to one of these dinguses, it's always responding via a human, is it? It's not always a human who says, oh, Carole's just asked for, you know, what time is Waitrose open so I'll go and look it up.
Carole Theriault
And then someone's going, 5 o'clock.
Graham Cluley
Right. Yeah.
Carole Theriault
No, I'm not suggesting that for a second. What I'm saying is there are auditors that are data mining data for specific utterances, and then they're annotating them to improve performance. Let me give you an example.
Graham Cluley
Okay.
Carole Theriault
So if you were to ask A-word for 50 Cent, it'd be likely denoted as a rapper, not a monetary value, right?
Graham Cluley
Oh, okay.
Carole Theriault
Or if you asked it to play The The's best hits, it would assume you meant the English, you know, post-punk band, not you stuttering, right?
Graham Cluley
Okay. Yes.
Carole Theriault
Now, according to the Bloomberg article who broke this story, this is how it works. A mix of contractors and full-time Amazon employees— and these guys are based internationally, from the US to Romania to Costa Rica—
Graham Cluley
Right.
Carole Theriault
These guys work 9-hour shifts, and they parse as many as 1,000 audio clips during that time. So that's more than 100 an hour. It's demanding.
Brian Honan
How many podcasts is that?
Carole Theriault
So yeah, let's pause for a second. So what do you make of this so far? So you guys are a bit geekier than I am, and I mean that with the best respect in the world.
Brian Honan
With respect.
Carole Theriault
But doesn't it make sense that these voice assistants are being helped along by human brains, right? People to iron out glitches or iron out inconsistencies just to make the service better? Or do you think people are being mis-sold on that?
Brian Honan
Well, maybe because I am geeky, I've always had a mistrust of these devices and always assumed that there is somebody listening at some stage. Not that somebody's actively listening to the device on a 24/7 basis, but that snippets could be reviewed at some stage because they'd have to be.
Carole Theriault
You know, it's the same as we are monitoring this phone call for performance and for quality assurance.
Brian Honan
Yeah, but the issue being though is— so we have an Alexa device in our house and I don't recall, and maybe it's because, you know, as Mikko Hypponen says, that the biggest lie on the internet is I've read the terms and conditions.
Carole Theriault
Yep.
Brian Honan
I don't recall any big sticker or anything on the device saying be aware everything you say in front of this device could be eavesdropped by third parties.
Graham Cluley
I would imagine that this is how they would defend it. I would imagine if this is going on, it would be occasional. It would be to improve the performance. They would be keeping no record as to who said what or identifying which device or where its location is.
Brian Honan
But wasn't there a fairly famous case there, Graham? Sorry to cut across you there, but a year or so ago, didn't the police in some US city look to Amazon to give them any recordings from Alexa, an Alexa device where a murder happened? You know, we just can't assume anything we say is not being recorded.
Carole Theriault
No, and I think you're both actually right. I think, Graham, from what I'm reading, only a small subset are taken. So for example, they might be thinking of, you know, say 50 Cent, right? So they're going to go through and they're going to make sure it's categorized properly so that when people come into the device at different modes, it will hopefully, you know, bring it to the right 50 Cent they were looking for at the time. I think upshot number one is Amazon, Apple, and Google all employ staff, and they've all admitted this to the BBC, who listen to customer voice recordings from their smart speakers and voice assistant apps, right? And they do this to improve performance. So they've all agreed to this. Bloomberg sources also said that the auditors sometimes get to hear stuff that people might rather keep private, like for instance someone singing very badly off-key in the shower.
Brian Honan
And it's Graham and Sampina Green again.
Carole Theriault
Yeah, or a romantic je ne sais quoi, or perhaps the passing of wind. Graham, phobia. Yeah, phobia.
Graham Cluley
Yeah, I've got a phobia, you may have a philia. Let's kill the whole thing off.
Carole Theriault
And these auditors admit to sharing some of these more unusual clips over an internal chat system to relieve stress or share a hilarious moment.
Graham Cluley
What, really?
Brian Honan
Yeah.
Carole Theriault
Now what do you think of that? Do you think that's naughty that they do this?
Graham Cluley
That's naughty. You shouldn't be doing that. You shouldn't be sharing "Hey, take a listen to this."
Carole Theriault
Yeah, but okay, I don't know. I thought that at first too, but then I thought, okay, so let's say, you know, all these 1,000 people that are employed to dive in and check sound recordings, so they all are privy to all that information. If they see... isn't that the right group to share it with? Any one of them could see that information.
Graham Cluley
If you need some light relief at work, that's what YouTube cat videos are for.
Carole Theriault
They don't have time. They have to do a thousand other things.
Graham Cluley
Well, then you haven't got time to forward the funny ones.
Brian Honan
You're doing a job as an auditor to improve the system, not to mock or make fun of individuals you come across.
Carole Theriault
Yeah, hey, a workday can be long. I don't know. I don't know if I feel horrid about that one. If we just talk about how it works just quickly, right? So these devices are designed to continuously record snatches of audio, always listening for the wake word. When it hears its wake word, the light turns blue on the Amazon device, indicating the device is recording and beaming a command to Amazon servers. And the algorithms use models of probability to make educated guesses, right? So if someone asks if there's a hot Italian nearby, the algorithms are probably going to assume, you know, you're looking for a restaurant, not a Fabio lookalike.
Graham Cluley
How old's Fabio? 84.
Carole Theriault
Okay, so maybe upshot number 2 then is that nothing that you say in front of your digital assistant is private, right? One of the people told Bloomberg that the auditors each transcribed as many as 100 recordings a day when Alexa receives no wake command or is triggered by accident, and the auditors are still mandated to transcribe it. So even though they know that someone has accidentally been recorded saying something, Jesus, Frank, pick up your slippers, or something like that, they still have to transcribe it.
Graham Cluley
Well, yeah, if they didn't, then I can imagine the Amazon overlord saying, how come you haven't written, transcribed anything today, and you say, well, Jesus, Frank was dropping a lot of slippers.
Carole Theriault
You know, there should be a button that says, you know, accidental recording. That's it. Go to next. Because that's 10% of the number. No, my maths are amazing, as we all know. But if they're doing 1,000 clips a day and 100 of these a day have no wake commands, this is recording basically someone eavesdropping in your house and then they're mandated to transcribe it.
Graham Cluley
I think that sounds a bit — look, no one's saying that this is a great job, right? Doing the transcriptions, right?
Carole Theriault
I don't know, it could be great fun. Sounds hilarious if someone's singing badly in the shower.
Graham Cluley
It does in your office where you're sharing all the funny clips, then you have a great old time. But for the people who are actually working, unlike you, Carole, it's not actually that great a job, I would argue, right?
Brian Honan
Well, I think it's more, you know, the people that have been listened to and this is an intrusion on their privacy, you know, so.
Graham Cluley
Exactly.
Brian Honan
Yeah.
Carole Theriault
Yeah, totally.
Graham Cluley
If anyone's going to get upset about this, we shouldn't be as worried about the workers. We should be worrying about the people who bought these things without realising that they're going to do this. And if there's no very clear message saying, by the way, we will sometimes pick up on things you're saying and pass them on to people, whether they anonymise the location or whatever.
Carole Theriault
You're making a good point. You're making a good point. Okay, ethical dilemma, because you know I love those, right?
Graham Cluley
Yes, please give us one. Give us one.
Carole Theriault
Okay, so sometimes auditors hear things they shouldn't hear, and sometimes it's truly ghastly stuff. Maybe someone's being beaten, or maybe there's a cry for help. Two workers said they were sure they picked up what they believed to be sexual assault.
Brian Honan
Ooh.
Carole Theriault
Okay, now Amazon says it has procedures in place for workers when they hear something distressing, but two of the employees reported to Bloomberg that after requesting such guidance they were told it was not Amazon's job to interfere. So I find this really interesting. So Amazon, Google, and Apple all have people powering the machines that are helping us with our day-to-day lives. They risk hearing and transcribing intimate and private things, but they also risk hearing horrific violence, for example. And do they have a moral obligation to stop that or try to stop it?
Brian Honan
You have a duty to report it. It doesn't mean you have to intervene, but you should be able to act as a witness and report it so that the police can take the appropriate action.
Carole Theriault
I mean, they don't — the auditor doesn't know the identity of the person. So Graham, you were right about that. But they do have an ID for the actual device, right?
Graham Cluley
They would be able to somehow look it up or link it to a purchase.
Carole Theriault
Either you could have a code on the device that if the device thinks that you're in distress, you have to enter a code. Or it can make an announcement like, we've recorded suspicious activity on the device and we're keeping it timestamped and safeguarded until the owner removes it. Or, please say yes or no with the following question: do I dial 911?
Brian Honan
Well, often those situations, Carole, you wouldn't even want people in the room to know that the information is being recorded because you could put the person at greater risk.
Carole Theriault
But I don't want cops showing up at my house accusing me of something when some guy in Romania got it wrong.
Brian Honan
It may be simply an email or a message is sent to that person's private account.
Carole Theriault
Yeah.
Brian Honan
That there's no public announcement, oh, hey, we think you're committing a crime. Do you want us to delete it? Yes or no?
Carole Theriault
Yeah, yeah. Yeah.
Graham Cluley
I think it's very complicated. I mean, hundreds of millions of these dinguses have been sold, haven't they, of the various forms. And I wonder how many times there might be a snatch of someone shouting in the home or whatever, and you might be open to misinterpretation. It may be something which seems rather unpleasant. If that was all to be forwarded to the police, you'd almost think the police would think, you know what, we just can't handle this amount of stuff coming in because it's not clear whether a crime is being committed. We'd have to investigate it. It's very interesting. I think it's a very difficult one.
Carole Theriault
Yeah, it is. It is.
Brian Honan
It is. And it's an indication, I think, of things to come in our world as we become more interconnected with more internet of things around the place listening to our voices, monitoring our movements, everything else. It's a big question we have to ask as societies, is how intrusive we want this stuff to be and how do we want to protect our privacy from it. And Carole, I just want to say, you gave out to me for bringing the tone down into being serious in my topic. How could you bring this here into 1984?
Carole Theriault
Now, you know what really annoys me about all this is that this is all turned on by default, right? So your recordings are open for transcription by default. However, there are ways you can turn it off, certainly in the Amazon thing or Amazon device, you can.
Graham Cluley
Yeah, at the plug, just turn it off. Exactly. Turn the whole darn thing off and unplug it. Job sorted.
Carole Theriault
I'll have a link in the show notes that's on our website. If you're interested in turning it off, just click on it and go check it out and follow the instructions.
Graham Cluley
Cool.
Brian Honan
Or do what I do, set up fake email accounts and fake Amazon accounts or Google accounts for the device so that it's not linked directly back to you.
Carole Theriault
Oh, sneaky, sneaky.
Graham Cluley
And then swear as much as you like in the kitchen, right?
Carole Theriault
Yeah.
Graham Cluley
Where's my fecking dinner? Yeah.
Brian Honan
That's suspense though. So my fecking dinner.
Graham Cluley
If you're baffled by threat intelligence and how it might be able to help secure your company, the Threat Intelligence Handbook from Recorded Future is the book for you. It'll tell you what threat intelligence is and what it isn't, and you'll learn how other firms are applying threat intelligence inside their organizations. Grab it now for free at smashingsecurity.com/intelligence.
Carole Theriault
Quote: "Most business security breaches are the result of one thing: phishing, sloppy password practices. Effective enterprise password management is a must to ensure that your employees are properly protecting their accounts." That's my co-host Graham Cluley. This is what he says on the LastPass Enterprise page, and most of you know how much I hate to admit when he's right, but he is. Sloppy passwords are a huge contributor to security breaches within an organization. The way to manage that is get a password manager, and the one we recommend is LastPass Enterprise. Check it out at lastpass.com/smashing. On with the show.
Graham Cluley
And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
Carole Theriault
Pick of the Week. Brian.
Brian Honan
Yep. Oh, sorry. Pick of the Week.
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security related necessarily.
Carole Theriault
It really shouldn't be this week, really.
Graham Cluley
No, we really don't know. Now, my pick of the week this week comes from one of our loyal listeners. Ben has been in touch. Ben is from Norway and he says that in Norway, the official broadcasting company, the TV company, they have had a number of live streams called Minutt for Minutt, which translates surprisingly from Norwegian to minute by minute.
Carole Theriault
Thanks for that, Graham.
Graham Cluley
It is slow TV, slow TV. And for the 10th anniversary, they had this giant— well, it was fantastic. I loved this. They streamed for 30 hours continuously, a bunch of workmen who appear to be in some sort of railway station. Building this huge digital clock with planks. So each segment of the clock is a different plank. And on the minute, every minute, they change the planks around to be the next digit. And they did this for 30 hours. It's wonderful. It's watching a little bunch of minions hard at work. And they get their ladders up and they climb up the ladders and adjust them.
Carole Theriault
Okay, listeners, I'm going to go look at it right now. You go look at it.
Brian Honan
I'm looking at it right now. I'm looking at it. Is it good?
Carole Theriault
Yeah.
Graham Cluley
You can see.
Brian Honan
So far it's just the aerial photograph.
Graham Cluley
Oh, you need to fast forward a bit. Fast forward. You're looking at the intro. Fast forward.
Carole Theriault
Really? This is your pick of the week?
Graham Cluley
It's wonderful. It's beautiful. Carole, this is zen. This is incredibly relaxing. As you know, I'm a very zen kind of guy.
Brian Honan
Okay, so they're now changing it from 14 minutes to 15 minutes.
Carole Theriault
Wow, this is riveting. It's 30 hours. Well, yeah.
Graham Cluley
I haven't watched it all.
Brian Honan
I'll be honest with you.
Graham Cluley
Maybe part of it.
Brian Honan
You know what, this makes sense.
Carole Theriault
You know, older people sometimes just sit in the park for a few hours and just watch the birds, you know, this kind of thing. So I understand. And you know what, I'll understand one day. And for those of you that may be maybe more advanced in age, this might be—
Graham Cluley
If the world's moving too fast for you, you may just want to watch the minutes. I do the simplicity of trickling by until your eventual journey to the coffin. I can just watch the minutes go past.
Brian Honan
Oh, wow. This episode is really cheerful, isn't it?
Graham Cluley
Well, I really enjoyed this.
Carole Theriault
Fingers crossed.
Brian Honan
We're talking about eavesdropping on crimes, and now Graham's talking about dying. Thanks for having me on, guys. You've really picked me up for the day.
Graham Cluley
All right, Brian, if you're so great, tell us about your pick of the week.
Brian Honan
Well, I like this one because who hasn't given their iPad or their computer or their device to their kids to keep them quiet for a few minutes? And this is a story about a reporter in the US who gave his 3-year-old an iPad to play with, and the 3-year-old couldn't unlock the iPad, and he ended up locking the iPad for 25,536,442 minutes. So in 48 years' time, this gentleman Evan Osnos can type in the correct code to unlock his iPad.
Graham Cluley
So it's not allowing any new entries of the code.
Brian Honan
No, it's stopped now. Apparently it's an old iPad, so it's one of the pre— it's an old version of iOS that's on the device.
Carole Theriault
My husband has an old iPad he plays this game on, and he plays this game way too often.
Brian Honan
There you go. And I know of people who have done this where they've borrowed somebody's phone and the phone has been locked and they just keep repeatedly putting in the wrong PIN code deliberately to lock the phone on the person.
Graham Cluley
But there must be a way of resetting it. There must be some funny sequence or way of wiping the device.
Carole Theriault
Now, I'm a much bigger fan of a mug than a cup and a saucer thing.
Brian Honan
Basically, yeah, that's what this gentleman's had to do. He's had to go on completely to reset the whole device and started from the beginning.
Brian Honan
So which you would hope, coming back to our talk about ransomware, that he's got good backups.
Carole Theriault
Are you— is you the same?
Graham Cluley
But he could tell his kid next time the kid asks for the iPad and say, I'm afraid you have to wait until you're 52 years old before you can.
Carole Theriault
You guys are—
Brian Honan
And you have negotiated with 3-year-olds before, Graham?
Graham Cluley
I have, yes. Yeah, it'll definitely work.
Brian Honan
It will, exactly. But I think this is, you know, I know it's Pick of the Week and we're not supposed to talk about security, and it is kind of related to security, but I just thought it was, yeah, who hasn't had their own moments where you've typed in the wrong PIN codes, but not for 48 years. And if I may, if I could have a second pick of the week, and this is something that may be close to your heart, Graham, and I'd actually think it is. This year, the Security Blogger Awards are on again. The European Security Blogger Awards were open for nominations. So if you're out there and you listen to a podcast that you like, please nominate it.
Graham Cluley
Oh, okay. So you can vote for your favorite security blogs, GrahamCluley.com, and your podcast, and there's a video blogger and tweeters.
Carole Theriault
So, Graham, did you just plug your own site as opposed to—
Graham Cluley
So Smashing Security was— I was very, very lucky and honored to win the best security podcast last year, I believe, at these awards. So thank you to everyone who nominated us last year. That was terrific. And we'll put a link in the show notes if you want to vote for whatever your favorite security podcast might be this year. Now, Brian, you're on the judging panel, is that right?
Brian Honan
I am, yes.
Graham Cluley
You know, you've been a fantastic guest, and I think your pick of the week this week was so much better than mine, and probably better than the one Carole's going to come up with as well.
Carole Theriault
Oh, Brian, I'm not going to kiss your butt. I have faith in mine.
Graham Cluley
Okay, what's— let's hear your pick of the week, Carole.
Carole Theriault
Okay, so I like a mug of coffee. Coffee, right? I like a mug of tea. Graham, you started drinking tea recently, haven't you?
Graham Cluley
I have, yeah. I had a big birthday, and so I've decided to occasionally drink a cup of tea just to liven things up a bit.
Carole Theriault
The waterworks working. Yep.
Graham Cluley
Yes.
Brian Honan
Yeah, yeah, it has to be—
Carole Theriault
Has to be a mug, right?
Graham Cluley
It's a bit complicated to have a saucer.
Carole Theriault
Exactly, it's too complicated. But the thing is, is many mugs are absolute crap. You know, they stain very easily, they chip within a week, the handle's too small maybe for my big massive mitts. But somebody recently gave me a very lovely mug.
Graham Cluley
Was it a Smashing Security mug from our—
Carole Theriault
No, it wasn't. I did receive one of those, but that's not the one I'm featuring here for a number of reasons, Graham Cluley. Now, I've had this mug for a few months, and I love its shape, handle quality, plus it has an added feature. Check out the link. Oh, I should have sent it to you. PhilosophersGuild.com. Here, I put it in. I'm putting it in, putting it in.
Brian Honan
Right.
Graham Cluley
And we'll put this in the show notes as well.
Carole Theriault
Yeah, yeah. Oh, I have to scroll, scroll, scroll, scroll, scroll. Here in my section.
Graham Cluley
All right. Like this.
Brian Honan
I just read the URL. So this is going to be interesting. Do I need to turn my— keep my ad blocker on? No, no, no, no, no.
Carole Theriault
Okay, so my word, right? So ding dong, the mug, when hot liquid is poured inside it, the dressed characters go nude, right?
Graham Cluley
So there's a bunch of characters on the outside who are posing, little cute— yep, and they're wearing clothes and black clothes, blue clothes, but yeah, when the mug goes hot, their clothes disappear.
Carole Theriault
Yes, and these are well-known artworks. These are from Da Vinci and Duchamp and Picasso.
Brian Honan
Yep.
Carole Theriault
If you go look at all their mugs, if you look at just their collection, they've got a number of these. The one that I'm coveting at the moment, Mr. Graham Cluley— I'm worth $15— is the Bob Ross mug.
Graham Cluley
That's a Bob Ross.
Carole Theriault
Yes, and when it's—
Graham Cluley
When it gets warm, his painting comes— Oh, as long as it's just his painting.
Carole Theriault
You guys, it's Bob Ross!
Brian Honan
Exactly. That's why we were worried.
Carole Theriault
This is rude. This is blasphemy.
Graham Cluley
Oh, I'm looking at the Bob Ross one right now.
Carole Theriault
Isn't it glorious?
Graham Cluley
Oh, that is lovely, yes. And not as grubby as I imagined.
Carole Theriault
So thank you very much, Lou, for buying me this amazing gift. And people, check out philosophersguild.com, particularly the great nudes mug. Or the Bob Ross mug. I'm sure it's equally great.
Graham Cluley
Very cool. Okay. Well, on that artistic bombshell, I think we just about wrapped it up for this week. Brian, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
Brian Honan
My best way, I suppose, is Twitter. So @BrianHonan, that's B-R-I-A-N-H-O-N-A-N. VPN. That's where you find me.
Graham Cluley
Fantastic. And you can find us on Twitter @SmashinSecurity, no G, Twitter wouldn't allow us to have a G. And you can continue the discussion with us about the episode or anything else you think is interesting on Reddit. Fast way to find us is smashingsecurity.com/reddit.
Carole Theriault
And huge thanks to this week's Smashing Security sponsors, LastPass and Recorded Future. Their support helps us give you this show for free. And thank you to you guys. We'd be nowhere without you, thank you for listening and to help us grow.
Graham Cluley
Yeah. For the awards?
Carole Theriault
And an extra special high five to those who have taken the time to share their thoughts with us, rate us, review us, whatever. I know you guys are busy and we're grateful.
Graham Cluley
Until next week. Cheerio. Bye-bye.
Carole Theriault
Later.
Brian Honan
Cheers.
Carole Theriault
And we made it.
Graham Cluley
Thank you very much, Brian, for coming along.
Brian Honan
Thank you for having me.
Carole Theriault
Was it fun? Did you have fun?
Brian Honan
It was, yes.
Graham Cluley
Which day of InfoSec are the awards on, by the way?
Brian Honan
Tuesday night.
Graham Cluley
Tuesday night. Well, I'm not sure if I'm going to be able— I might be in Slovenia doing something, so I might not be able to make it this year. Carole, are you going to try and get there?
Carole Theriault
What, to InfoSec? My two favorite guys aren't there.
Graham Cluley
The awards?
Carole Theriault
Yeah, okay, definitely for the awards. If we're nominated. If people love us, yes.
Brian Honan
You know you'll be nominated, so—
Carole Theriault
You think? I don't know, man. I don't know.
Graham Cluley
I don't know.
Carole Theriault
Fingers crossed.
EPISODE DESCRIPTION:
The hacker who lived the high life after spreading malware via porn sites, Wipro demonstrates how to turn a cybersecurity crisis into a PR disaster, and why are humans listening in to your Alexa conversations?
All this and much, much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by special guest Brian Honan.