Don't hire a hacker, they might scam you! What works and what doesn't when it comes to protecting your email account? And China's controversial social credit system comes under the microscope.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.
Visit https://www.smashingsecurity.com/129 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: Maria Varmazis.
Sponsored By:
- MetaCompliance: People are the key to minimizing your Cyber Security risk posture. MetaCompliance makes this easier by providing a single platform for Phishing, Cybersecurity training, Policy, Privacy and Incident management.
- Go to smashingsecurity.com/metacompliance Promo Code: SMASHING
- LastPass: LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
- But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
- Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Links:
- Vote for Smashing Security in the EU Security Blogger Awards
- "How to hack a Facebook account..." - how on earth to answer? — Graham Cluley.
- Hack for Hire: Exploring the Emerging Market for Account Hijacking — Report from University of California, San Diego and Google.
- Google research: Most hacker-for-hire services are frauds — ZDNet.
- New research: How effective is basic account hygiene at preventing hijacking — Google Online Security Blog.
- The complicated truth about China's social credit system — Wired.
- China bans 23m from buying travel tickets as part of 'social credit' system — The Guardian.
- Is China’s social credit system as Orwellian as it sounds? — MIT Technology Review.
- Opinion: Why India needs to be wary of China-style social credit ratings — LiveMint.
- Mihail Tal vs. Vassily Smyslov // Sacrificial Maniac vs. Positional Maestro — YouTube.
- Outray Chess — YouTube.
- What We Left Behind: Looking Back at Star Trek: Deep Space Nine — A documentary film produced by 455 Films.
- DS9 Doc Heads To Uk & Ireland - List of Locations — TrekSphere.
- Joe Rogan — Wikipedia.
- Tesla’s Elon Musk smokes weed on Joe Rogan podcast, havoc ensues — Vox.
- Faux Rogan — Can you tell which are real or fake (Faux Rogan)?
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Privacy & Opt-Out: https://redcircle.com/privacy
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
UNKNOWN SPEAKER. Now, on with the show. Smashing Security, episode 129. Too long, didn't listen, with Carole Theriault and Graham Cluley.
GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security, episode 129. My name is Graham Cluley. I'm Carole Theriault. And, hello, Carole. We are joined this week by a special returning guest. It's fun time family favourite. It's Maria Varmazis. Back again. Hello, Maria.
MARIA VARMAZIS. Hi. That's a great intro. Fun time family favourite.
GRAHAM. It could have been worse, couldn't it?
MARIA. Different. It's Maria. Hi.
GRAHAM. Carole, what have we got coming up on the show this week?
MARIA. Coming up on this week's show, thanks to this week's sponsors, MetaCompliance and LastPass. Their support helps us give you this show for free. This week, Graham investigates hackers for hire, Maria digs into whether account hygiene is actually effective or not, and I will take you into the future of Zoldan to uncover just what kind of leaders Maria and Graham would be. All this and loads more coming up on this episode of Smashing Security. What? What podcast am I on?
GRAHAM. Now, now, chaps, chaps. Have either of you run your own blogs or anything like that? Oh, yeah. Yeah? Oh, yeah, definitely. Okay, in which case you'll probably be familiar with the concept of comment spam being posted up onto your blog, where people try and post messages which you don't want to appear. Sometimes they'll be selling pharmaceuticals or fake degrees or something like that. And other times, in my experience, messages will appear saying, oh, I had such a big problem with an account, but then I was able to contact ABCZY. He's a great hacker who was able to hack into my Instagram account and allow me to get access back to it. He's an elite man.
MARIA. I've never ever had one of those. You've never had one of those. Maybe
GRAHAM. you aren't running a security blog like that.
MARIA. I was I'm not familiar with that one specifically. Okay.
GRAHAM. But I've seen plenty of people posting up hacker for hire services and trying to promote them. And obviously the idea is that people want to break into accounts. Maybe it might be for a legitimate reason, they can't remember their password and it is really their account. Quite often, I imagine it's a girlfriend or boyfriend or spouse whose account they want to break into to find out what they've been up to.
MARIA. Okay, so we're not talking legit hackers. We're talking account level stuff. Yes. Invading privacy, spouse on spouse. Not I'm going to deploy a botnet or something. No, I
GRAHAM. think these are people who are principally selling their ability or their claimed ability to break into accounts and get reliable and password or maybe even two-factor authentication in some cases as well. Yeah, and sometimes these things have even crossed over from the sort of digital world into the physical world. I remember a while back, I actually received some voicemails, people calling me up, asking me if I could help them hack into a Facebook account, which they claim to belong to a loved one of theirs. And I've actually got a recording of that voicemail right here, if we want to listen to it.
UNKNOWN SPEAKER. Hi, Graham Cluley. This is ****. I was trying to figure out how to hack a Facebook account. I've been trying so many ways to do it, and it's just not working. Oh, I remember this. You played this before. You know, do these kind of things? You just kind of help me out here. Is
MARIA. this just when an aunt goes, hey, I can't get into my email? It's not my aunt, it's not my aunt. Call him out. But it's kind of a different sort of thing, isn't it? This person seems to be legitimately calling you up to try and get your help, not really understanding that's not something you do. Well,
GRAHAM. obviously it's not something I do but how do you know they're legitimate maybe they're just really good at social engineering maybe they sound so helpless and pathetic that you think oh, maybe they have locked themselves out of an account. I'm your biggest fan. Yeah. Good, good. Actually, that bit does sound legitimate, Maria. I don't know why you're mocking that bit. Oh, yeah.
MARIA. I'm sure a social engineer would not try to butter you up at all.
GRAHAM. So the point is there are people out there who are offering their services because there is a strong demand to crack into accounts. Okay. And a lot of people, for instance, will have a Google account, right? And so Google, they have recently teamed up with boffins at the University of California in San Diego. And in this latest report, they're actually examining what do the hackers do? How do they get in? So what Google decided to do with these researchers is they approached hackers. They found Hackers for Hire online and they said to them, can you hack our accounts, please? They posed as members of the public and contacted around about 27 hackers and black market services in English, Russian, Chinese. They got local speakers to do it. And they said, can you break into accounts? And these were all websites which were offering this particular service. In some cases, they were saying that they could even bypass SMS two-factor authentication and other methods as well. Question. Did they pay for these services? Well, I wondered that as well, because I thought, would it really be right for Google to pay criminals to hack accounts?
MARIA. I see great minds, Graham. And
GRAHAM. The answer is yes, they paid them. Ooh, controversial. Now, they say that they immediately stopped paying as soon as the minimal amount was done. But they did actually give some money. And sometimes the prices range from $100 to up to $500 per account. But what they did, because they were obviously concerned about the legal consequences of this. So normally you can't go around hiring hackers to break into accounts. But this is Google. And Google owns Gmail. And so what they did was they created some synthetic accounts on Gmail.
MARIA. Synthetic accounts? This is what they
GRAHAM. Called them. So they fabricated online personas.
MARIA. Okay, they've got enough data to be able to do that convincingly. So
GRAHAM. They created fake... Probably create
MARIA. An entire universe. A few
GRAHAM. Billion. Exactly. So they created fake Gmail accounts and populated them with information so they looked legitimate. And then they pointed the hackers at these particular accounts and said, can you try and break into this account? And so then the hackers sent phishing emails and whatever else to those Gmail addresses which Google had specified. By the way, obviously Google didn't announce they were Google when they were doing this. That would not have worked terribly well.
MARIA. Yeah, but it's kind of a shame, though. If they had, it would have been, okay, bring your A game. We really want to see if you can do it. Why operate in full transparency?
GRAHAM. Well, I suppose they do that a lot of the time with the sort of bug bounty programs, don't they? Where they invite people to find vulnerabilities and they will then reward people who find those vulnerabilities. But here they really went to the dark side and they ended up with some attackers launching tailored phishing messages, some, as I said, with the ability to capture two-factor authentication information as well, in order to see how many were actually capable of getting in.
Yeah, I'm interested in the results now. The findings were rather interesting, which was that in the majority of cases, it turned out that they didn't actually hack anybody.
MARIA. What do you mean? Surprise! What I mean is
GRAHAM. The hackers, when you pay them, most of them didn't actually go through with it. Imagine. They took your money. Imagine that. Criminals actually not holding up their side of the bargain. No honour amongst
MARIA. Thieves. So what you're saying is Google under a pseudonym said, hey, hack me, hack me, please. Hackers said, OK, that'll cost 400 bucks. Google under a pseudonym says, no problem. Where shall I pay you, sir, madame? And they received the payment and then out of here.
GRAHAM. That was another thing, by the way. Only a handful of the hackers advertised that they accepted Bitcoin as a payment. Google, on each occasion, was actually forced to say, well, actually, rather than just, could we pay you in Bitcoin, please? And then most of them were receptive to that. But a lot of these hackers were quite happy to accept payment.
No one had a Google wallet? Through some sort of traditional form instead. So there were some accounts which were actually prepared to go through. According to Google, they said only five of the 27 different websites which they contacted were willing to take their business. I mean, maybe some of them worked out that they were being set up. I don't know.
MARIA. Google contacted only 27 of these dudes. So this is not very... So they had a less than 20% success rate. It's a pretty small sample size, though, for Google. I mean, really. And
GRAHAM. What they said was that roundabout a third never responded, despite repeated requests to buy their services. And some, they say, were outright fraudulent. No surprise. No surprise. And they said that these services had inconsistent and poor customer service.
MARIA. Oh, yeah. Yeah, you expect concierge-level service with your hacker for hire. For
GRAHAM. Example, said Google, three of the services charge significantly higher prices than their advertised price.
MARIA. How dare you, sir? How dare you? No order amongst thieves these days. And some,
GRAHAM. When they were actually executing the hack, said, well, actually, the price has gone up. And they also complained that they were slow at getting back to them.
MARIA. You know, Graham, you have a very excellent takeaway here. Stop looking to hire these idiots, people. Exactly. Don't make your hacker your front desk guy if you're expecting customer service.
GRAHAM. So here are the takeaways, right? Hackers for hire may not even hack. They may be hard to hire, but even when you do hire them, they may not actually hack. They might actually... Now, think about this, right? If someone gave you money and said, can you hack an account? You thought, oh, that'd be a bit naughty and I could get in trouble with the law and things. Well, what some of these hackers might actually do is they might look up your credentials and details in a previously leaked database to see if passwords are listed there. And then they could say, here is password one or let me in. That will get you in or you go. Seriously,
MARIA. If that's the bar, I'm a hacker. I mean, honestly, I've done that. Come on.
GRAHAM. But there are other dangers in hiring a hacker, which is one of the things that you need to watch out for, because you might end up being blackmailed by the very hackers that you've hired and given your $500 to.
They may either threaten to tell your victim or even report you to the police if you don't cough up. And imagine how annoyed the police are going to be when eventually they get these reports to them of someone trying to hire a hacker and they ultimately find out it was actually Google who were doing it in the first place against their own
MARIA. accounts. It's insane. You all sort it out. Yeah.
GRAHAM. And furthermore, imagine your disappointment if you try to hire a hacker and you actually end up not on a real hire the hacker website, but on a honeypot set up by some rival cybersecurity firm called Moogle or a law enforcement agency trying to catch people who are in the habit of hiring hackers.
So I think we can summarize my story this week is being don't hire hackers to break into accounts. Try and remember your password or hit the I've forgotten it button or just ask someone hey can you tell me what your password is, I'd like to break into it please. You know, maybe that would be a better approach.
MARIA. Don't give it away guys. Come on, don't hire a hacker who's advertising their services in the comments spam on a blog.
GRAHAM. Well, it's not just that. I mean, that isn't how Google found these hackers. Google had access to a high-quality search engine called AltaVista, which they used to scour the internet.
MARIA. Maybe they asked Jeeves to see if they could... Ask Jeeves. Does that even still exist?
GRAHAM. Ask.com. Yes, it's a toolbar, isn't it? It's an odious thing. Lycos. Lycos. HotBot. Was it dogpile, or is that something else? That's something else. Sorry. Don't go there, folks.
Maria, I'm sure you've got a story for us this week.
MARIA. I do. And it's interesting that you talked about that Google was doing some studies with New York University and University of California, San Diego, because my story is additional research that they did. Imagine that. It's like we planned it, except we didn't.
GRAHAM. So you're saying Google and the University of San Diego again?
MARIA. University of California at San Diego and New York University. There's some other data that they were poring through to find out some answers to questions about security hygiene, which is unsexy, but very, very necessary.
So what do we mean by security hygiene? Does everybody know what we mean by security hygiene? Like antiseptic on your keyboard? When you're at a conference, make sure to take a shower every day. Use deodorant. That's what we mean about security hygiene.
GRAHAM. I gave my keyboard a wipe down the other day, actually, and I completely bust my keyboard. It's been a nightmare. I've got this one of these lemon wipes. Don't do that, folks. Pro tips from the pros.
MARIA. Yeah. So security hygiene, that could mean that. But what we usually mean is stuff use a password manager, make sure you get the basics nailed. And we talk about that stuff here all the time. 2FA. All that good stuff.
So the question that Google and the universities also wanted to answer were how effective are all these, quote, security basics at actually securing user accounts? So in Google's case, they figured it probably helps that they have a ginormous sample size to look at. So they looked at over 1.2 million of their own users. Oh, a tiny drop. Just a wee bit, yeah.
And of those 1.2 million users, they looked at over 350,000 real-life hacking attempts on those users. And they wanted to get some answers about what kind of security methods were effective at keeping attackers out of those accounts. Okay, whoa. Yes. They pored through those logins and those attack types for about a year.
And what they did is they divided the users into users who had one of two types of security challenge. So one category. Are you guys following me here? Yeah, totally. One category is for people who use some kind of 2FA. So device-based category. So it's a thing that you had. So this means these were people who had an on-device prompt. So tapping a confirmation button on a Google app that asks you to confirm you are who you say you are. Or an SMS code or a physical security key, e.g. YubiKey. So that's one category of people.
The other category of people were folks who were in the knowledge-based category. So folks who relied on Google to say, hey, can you verify via a secondary email address or a phone number or your last sign in location? So that's
GRAHAM. when if, for instance, you're on holiday and you sign into your Google account, Google might recognize, oh, suddenly you're logging in from Paris. And therefore, we're doing an additional security check to make sure you are who you claim to be, right?
MARIA. Right. That's something that. So, again, we've got the device-based folks and we've got the knowledge-based folks. So, those are the two categories of users.
So, Google and the researchers wanted to see which set of users were better at thwarting attacks from automated bots, bulk phishing attacks, or targeted phishing attacks, the kinds you just talked about, Graham, in your story. Hey, hey. And what kind of trends might emerge from that data.
So, any guesses on what they found out of curiosity? You guys have any guesses? Well, I… And I think, Graham, you've seen the data. I have. So knowledge base would not be nearly as good as device base. Right. That's a great guess. Okay, that's your guess. Graham, any guesses from you?
GRAHAM. Well, I've written an article about this research. So pretend that you
MARIA. Haven't written. Okay, forget that. Maria is trying to make this interactive, Graham.
I'm trying hard.
GRAHAM. Right? And you have to go, I know everything.
First of all, I'm encouraged that they managed to find 300 and what was it? However many.
MARIA. 250,000 real-life hacking attempts, yeah.
GRAHAM. So I'm really encouraged that there are some people out there who've got any kind of additional security beyond just their password in place, because I think the vast majority of Google customers probably don't, right? Most people are just using a password.
So having anything at all has got to be better than nothing. Yes. So that's terrific.
Yes. But I would think anything which doesn't put a reliance on the human brain is going to work better. And so therefore, maybe the authentication will work better.
It's almost like you've seen
MARIA. The research, Graham.
Why, yes, indeed. So users with a phone number attached to their account. So folks that went beyond merely using a password were able to thwart account takeover attempts by automated bots 100% of the time.
And yes, Carole, people who used any kind of 2FA, device-based basically, did a whole lot better than people who did not. So overall, there's a number of data sets, and you can drill down into the different numbers here.
But overall, you're looking at more than 90% of the time, regardless of the 2FA method that you use, you're able to thwart an attack attempt with one tiny important exception being SMS-based 2FA.
GRAHAM. So everything has a 90% success rate, a block in the attack, or better.
MARIA. If you're using 2FA, yes.
GRAHAM. And the only one who's sort of lagging behind in the race is SMS-based.
MARIA. Correct. So it's easier to hack, right?
Right. I mean, we've talked about it before. You guys have talked about it before with other folks.
You know, it's a much maligned 2FA method for good reason. It's certainly better than nothing. And the takeaway from Google study is that, yes, it is better than nothing.
But it only prevents account takeovers about 76 percent of the time in a targeted phishing attack. So going back to your story, Graham, those hackers that are going after people in a targeted manner, they have better success than folks who use a physical key or have an on-device prompt.
GRAHAM. Right. And in this particular research, they were looking at these automated attacks, these sort of bulk attacks, as it were.
Yes. And bot-based attacks where there isn't a human element. And they wouldn't even bother, really, I think, trying to get past an SMS-based...
It's
MARIA. Too much effort.
GRAHAM. It's too much effort. But if someone was determined to break into Maria's Gmail account and she had SMS-based two-factor in place, you may well go to the effort of ringing up her mobile phone provider and trying to get her number switched over to you or something.
MARIA. Oh, it could be even easier than that. You just text the target and say, hey, I'm from blah, blah, blah, customer service. We just sent you a code. Can you send it to me?
And that works an alarming amount of time. So yes, the overall takeaway from Google's research was that people who have device-based security challenges fare a lot better than those who rely on knowledge-based challenges.
So feather in the cap, yet again, for please use 2FA, it really, really helps. Even though SMS is not great, it does better than not using it at all.
Do you know what, though? Do you know what the irony of this situation is? Is the more and more people that start using 2FA. So let's say we get to a 90%, a world where 90% of people are using 2FA.
Then what happens to us people who are in the gold bit at the moment, right? Right now, we have additional security to most people. So we're kind of safer just to...
You've outrun that there slightly? Exactly! Exactly. It's the arms race, isn't it?
Yeah. So that just shows how giving we are as a group. It's our generosity.
But maybe you'd
GRAHAM. Get a hardware key or something like that, Carole. Maybe you'd go, you know, a step further.
I'm not suggesting any of this is fun. And I think that is a problem with all of these things, isn't it? It's dreadful.
MARIA. Yeah. And that was one of their other takeaways is that why don't we just implement it for everyone?
It's because I think they said over 30% of the time users don't have a phone with them when they're logging in. So they can't do device-based stuff because they don't have a device. So that's an issue.
And it's funny that you mentioned the keys because the only group that was able to beat account takeover attempts 100% of the time, literally every single method, were folks that use a physical security key. Yeah, that's the trick.
But then it becomes, is it that the key is that much better? I mean, I'm sure that is part of it. Or are the folks that use the key people who are more security minded or they have a threat model that requires the keys?
Good point. Good point, Maria.
GRAHAM. There's another slight fly in the ointment as well, which is didn't Google just announce there was a vulnerability in their physical security keys?
The Titan?
MARIA. Yes. And they're having to
GRAHAM. Push out an update or something. And I don't think that's a reason necessarily to throw them all in the bin.
No. I'm sure there's still better security there than not having one at all. But it's confused things rather, hasn't it?
MARIA. It has. But yes, the TLDR is 2FA still beats no 2FA.
And now we have a lot of data to prove it. Hey, yeah, it turns out we've been right all along. Hooray!
GRAHAM. I'm going to have to write down these acronyms. TLDR, no 2FA. Too long, didn't read. SMH, Sydney, what's that one? Shaking my head.
Oh, is it? I always thought it was the Sydney Morning Herald. I'm always seeing that online. I find that one very difficult. Good, excellent. Well, thank you very much, Maria. So, yes, protect yourself, people. I think that was what Maria was saying. Yeah, it was a bit more in depth. Too long, didn't listen.
MARIA. TLDR. Graham didn't even pay attention. He just demonstrated too long, didn't listen. Carole, what have you got for us?
It's the distant future, okay? And you two, Maria and Graham, are the co-leaders of Zoldan, a world very similar to our own. I've seen that episode of Doctor Who. I know where this is going.
Except that in Zoldan, people break into three basic parties. The Trekkies, the Warsies, and the Whovians. Okay,
GRAHAM. Okay. Oh, Star Wars. I couldn't work out what Warsies was. Okay, right.
MARIA. Yeah, I was like, what is it? I had to look it up. I don't know if it's right. That doesn't sound right.
Okay, well, you guys can, if you get bored during my story, you can look it up and we can correct it by the end. Okay, so for reasons we're not going to go into here now, the social construct in your world of Zoldan feels like it's going to utter pot.
And despite the two of you being so woke, there seems to be just less respect for your authority these days and more and more people are breaking the laws and acting, well, immorally. Acting the fool?
Yeah, there's accusations from the Trekkies saying that they're spying on the Warsies, and the Whovians are mocking the Trekkies saying they don't know what sci-fi is. That
GRAHAM. Is pretty accurate. This is real life, I think.
MARIA. This is real life, yeah. It's like, welcome to the internet, Carole. This is every day.
GRAHAM. So where's the fiction in any of this? Doctor Who fans and Trekkies, they find it difficult. I must say, there is a...
MARIA. And yet you and I get along. So, you know, peace can happen. I know, it's so weird.
Now, what's going on is there's all kinds of infiltration and secret stealing and little cyber attacks and law-breaking. Leaks, spoilers.
Yeah, and people, your people seem to always be complaining about you two because you guys can never agree which Zoldan party is best, right? Is it the Trekkies, the Warsies, or Whovians?
It's definitely not the Warsies. I think Graham and I are agreed on that one. It's
GRAHAM. Definitely not Star Wars. It's Doctor Who. Yeah.
MARIA. Okay. And there's even in team fighting, like the Trekkies are split between the Jean-Luc Picard group and the James T. Kirk group and the Doctor Who guys. Accurate.
Don't even want to talk about that. It's a total mess.
It's like the Conservative Party in the UK. Yep. Yep.
But there is one thing you both share. Okay.
You can both smell the stink of revolution in the air. And you agree that this is bad news for the two of you, who are the most powerful leaders on Zoldan. We need to get this fixed, right? And you like your power. You need a game plan to regain control. Where are we going? And you decide together that you want to identify these bad apples, you know, the ones that are acting in bad faith and causing the... Red Dwarf fans. Yeah, those smegheads. We can't understand them with their holographic H's on their foreheads and everything.
Okay, so we need to spitball some ideas here. How are you guys going to efficiently and effectively identify these guys and strip them from their powers, right? What can we
GRAHAM. Do? Yeah, we need to identify them. We need to round them up, send them to labor camps in the north.
MARIA. Is that what you want to do? No, no, no. That's very who.
In Trek, we send them to a distant colony, and we're just like, good luck. It's like sending people to Australia.
Do you give them a trial or anything? No, no, we're just like, yeah, just go colonize. I'm sure there's no problems with the indigenous species that live there. I'm sure there won't be an issue.
GRAHAM. Oh, thank goodness, because this might happen.
MARIA. Well, look, I have a solution for you. And it's based on something that us humans tried a long time ago on Earth in a land called China.
And it's called the social credit system. And this is where bad behavior was tied to a low score.
And a low score could ruin your life in more ways than one. Now, hear me out.
Hear me out. So in the first decades of the noughties, China mashed together economic and social reputations of every person, every business.
And they called this social credit. And the system was marketed as a way to rebuild trust.
So China felt that there was distrust and people didn't know who to trust and why they should trust. And the whole idea was trying, well, this will help you trust people again.
GRAHAM. It's a bit like that website Klout, isn't it? Do you remember Klout with a K?
MARIA. Oh, it was the worst. It's gone. I think they
GRAHAM. Tried to give everybody a score, didn't they? Yes. Based on their social media activity and things.
MARIA. Yeah. It shut down just before GDPR became a thing.
Hallelujah. I wonder why.
Oh, fancy that. So the Chinese government was really clever way back then, because the job of the credit score system was basically to parse all the data it could collect, tie it to a single individual, and then give an overall score that assessed the trustworthiness and the compliance of each person.
And a low score would mean your life would suck. But a high score could open lots of doors.
And this is where it gets clever, right? This is how you sell it to the masses.
What does this have to do with Star Trek? Well, you guys, I'm offering you this solution.
I can put this service into Zoldan for you without a problem,
GRAHAM. Right? So you've kind of gamified it really, haven't you? You've gamified being a good member of society and doing what the joint rulers, currently we're joint rulers, Maria and Graham. That won't last.
MARIA. Yeah, okay. You know, because all your guys, they have online accounts and you've got facial recognition systems in some places and people are using their smartphones and they're on the network all the time and on Wi-Fi. So all that gives us all the information behavior and location and who their friends are and what their health records are and what their employment history is and their academic results and their insurance and blah, blah, blah, blah, blah.
GRAHAM. Now, as leader, as co-leader currently of Zoldan.
MARIA. Co, yes. Yeah, he has trouble with that word. Trust me, I know. I know. Yeah.
GRAHAM. I quite approve of this idea, provided we've got enough IT security data secure so it doesn't fall into the hands of the Mingmongs or some other country where they may try and exploit it.
MARIA. Right. OK. Mingmong's interesting term. They're an alien race.
GRAHAM. They're on the twin planet on the other side of the sun.
MARIA. OK. Near the binary star system. OK, so I didn't do my research very well, did I? Listen, you're going to create a fictional universe keep up. OK, so that all sounds quite good. But is this also good for the people or should I not worry about that? Because I'm all right.
GRAHAM. You tell me. Right. So let me tell you what happened, what the plan was in China. Yeah. So the idea was to reward good law-abiding people. So people that follow your rules and act with integrity and morality, they get a high trust score. And that can really help them move ahead in the world in terms of who they get to hang out with, where they work, where they live, how they travel. A social meritocracy. It's what everyone really wants. And those that don't step into line, all without incarceration or legal entanglements, the system will just basically limit their freedoms and negatively impact their social life to kind of, you know, push them into the right direction. One of the aims in one of the guides in China when they were developing this was allow the trustworthy to roam everywhere under heaven while making it hard for the discredited to take a single step. That's not terrifying at all. Yeah. So, so for example, in China, caught jaywalking or you don't pay a court bill, play your music too loud on the train, you can lose certain rights, such as booking a flight or a train ticket. And in fact, by March 2019, China had blocked millions of discredited quote unquote travellers from buying plane or train tickets.
MARIA. So if I was there and I was caught, I don't know, wearing a loud shirt in a public place or...
GRAHAM. What about your shorts were too short?
MARIA. My shorts were too short. They'd have to be very short, Carole, very short short for those to cause offence. Who wears short shorts? So then it would be a little black mark on my social media score or something, but on my credit system. That's right. But that social credit score might be shared with me when I try to friend you on a social network system. And I might say, oh, do you really want to friend this guy? Oh, because I could drag you down. Yes. Oh, I see. Because then I'm your friend.
GRAHAM. Oh, okay. Right? That's terrible. It's you've got social herpes. This is good. All right. Yeah. But if your shorts were a correct length and you donated to a respected charity, up goes your score. And bingo, it might be. So have the opportunity to fix a bad score by doing things which our beloved leaders would applaud.
MARIA. And paying what sounds an indulgence fee. This sounds all very medieval Catholicism a little bit. Well, it's happening right now, Maria. Yeah. It's scary. It's very scary, isn't it? It's anyway, so there you go. So you guys are the leaders. And from your point of view, you know, from people who want to secure, you know, you want to secure your position, your rulership, your society and the social fabric that you help construct and the laws you have. This is a pretty sexy tool, don't you think?
GRAHAM. Couldn't. I mean, I'm just wondering how we're going to overthrow this because obviously this isn't a very cool thing that's going on. Now, I remember Ferris Bueller. He managed to hack in and change his attendance records at school or something, didn't he? Yes. So he could have his day off.
MARIA. Not so successful with the car odometer, though. Just remember that. People forget that part.
GRAHAM. So, I mean, they must be storing all this data somewhere, hopefully not in an unsecured Amazon, or maybe it should be. A little bucket. Where it isn't properly secured. But there's a risk someone could come in and sort of fiddle the scores, isn't there?
MARIA. Yeah. I mean, there's a lot of risks, because it is. Well, it's also who determines what's good, what's bad or what the weights are of. I mean, imagine for artists, for example, right? You know, you're either on trend and you're fitting the moral fiber of the day or you're a little bit out there. And that might play against you. Well, I'm also just thinking, as I am the leader of Zordon.
GRAHAM. Co-leader. Co, co, co-leader. Listen. I'm going to have a lot on my plate deciding what's in and what's not, what's hot and what's, you know. Yeah, you've got a whole job ahead of you. It's going to be exhausting working out what's a good thing to do and what's not. I just hope your
MARIA. Algorithm doesn't ever go wrong, right? Because what's weird about this is it seems as though the burden of proof shifts from the accuser to the accusee. Because, for example, if the machine said, yes, your score should be 50 instead of 500, and you go and argue that, surely you have to prove the machine made a mistake in order for anyone to listen.
So it's a really weird legal change that happens under this, which obviously works for legislation, way more than it does for the individual. So watch out. This is sexy for some governments.
GRAHAM. Well, thank you very much for cheering us up, Carole.
MARIA. What? It's true. Yeah, well, maybe one silver lining for you maybe is there are a few academics that say, look, we've looked at actually the data they're collecting and it isn't that amazing yet. Like it's not enough information that you would require to get a bank loan, for instance.
But I keep thinking the word yet, right? I mean, there's certainly going to be a lot of – there's a lot of people going to be working on this to try and make it work as soon as possible. I think there are deadlines 2020. Yeah, and I don't think it's going to be just China. I really don't think it's going to be just China either. Yeah. So
GRAHAM. Things to look forward to in 2020, as if you weren't worried about anything else happening in 2020. Now you've got this.
MARIA. No, yeah. No. Well, there you go. So, but what Trekkies, what I just... Well, coming back to you guys. I mean, if you want to secure your reign, obviously this is the best way forward for you because you'll know all and be able to, you know, reward the good and punish the bad. And you'll have all the information.
Or you can relinquish control and realize that no one cares. Trekkies versus Whovians, no one cares. Same diff.
GRAHAM. It's not the same. It's not the same, it's definitely not the same, damn it, girl.
MARIA. It's not the same, you know. Sorry, dude. Yeah, it's not the same. And we are sponsored by MetaCompliance. Now, MetaCompliance make this platform to help you train up all your employees in all things cybersecurity related.
GRAHAM. That's right. You can simulate phishing attacks, you can teach them about password safety, all aspects of data security. Go and sign up right now at smashingsecurity.com slash metacompliance and you can save because... Because you listen to this podcast.
You're a listener to this podcast.
MARIA. Boom. We are also sponsored this week by our friends at LastPass. Now, Graham, isn't it something like 90% of security breaches involve a stolen password or a poor password?
GRAHAM. Yeah, stolen passwords, poorly chosen passwords, reused passwords. Passwords are really sort of the hinge pin of so many security attacks which happen, which means that you probably want an Enterprise Password Manager like the one offered by LastPass.
MARIA. Listeners can learn all about LastPass Enterprise at lastpass.com slash smashing.
GRAHAM. You don't have to say forward slash by the way, you can just say slash, just so you know. And welcome back. And you join us on our favourite part of the show, the part of the show that we like to call Pick of the Week.
MARIA. Pick of the Week is
GRAHAM. The part of the show where everyone chooses something they like. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever they wish. It doesn't have to be security related necessarily.
Should definitely not be. Now, my Pick of the Week this week is... OK, look, sometimes I have mentioned this subject in the past, but I think this is quite a good one. It's Doctor Who again. It's not Doctor Who, it's chess related. Shock! I
MARIA. Fell over in my chair.
GRAHAM. I have stumbled across in the last week a YouTube channel by a bunch of crazy Danish guys who call themselves OutRayChess and they are working with the Danish Chess Federation in helping them promote the game in their country.
MARIA. Is that a recognised federation?
GRAHAM. Yes. The Danish chess. Oh, yes. Every country has a chess federation crew. OK. But they are struggling somewhat. TIL. They are struggling somewhat chess federations around the world because the problem is that a lot of chess players are sort of middle aged, slightly podgy, anti-social men.
And we really need a few more of the lady folks. Some youngsters get into chess as well, but then they sort of grow out of it until they become middle-aged men and then get back into it. And so we're not doing a great job at encouraging people to join chess federations and people are playing online rather than in real life.
Now, the guys at Outray Chess, they have made some amazing videos. For instance, let me point you towards the one about Tal versus Smyslov and the sacrificial maniac versus the positional maestro. They have made a commentary of a chess game, but what they've done is they've brought in a real tank, a T-34 tank.
MARIA. That's loud. Did I not see quite a strong swear word at the beginning of this video? Smithloff... Did you feel... Oh, I'm solving all my problems now. Elegantly.
GRAHAM. He plays knight to f6, attacking the queen with a tempo, saying, Oh, Tal,
Unknown Speaker. Am I repelling your precious attack? But now we see a hammer blow from the magician from Riga. He plays queen
GRAHAM. Takes f7. What? Anyway, if you've ever wondered how the grandmasters decide to make a particular move or whether Chess is excited or not, you may want to check out Outray Chess because I think he does quite a good job and he's made some other videos as well, this chap, with a cast of hundreds in some cases.
He has planes in this. Did he just go underneath the flight path? Where did he
MARIA. Get the budget for this? Seriously? He just aligned himself. Do Danes not have jobs? I think
GRAHAM. The Danish military basically haven't got very much to do. There haven't been any...
MARIA. I mean, they're just sitting around with all these freaking weapons, just talking about chess. Well, chess is
GRAHAM. Quite a big deal in Denmark. A lot of people do like chess in Denmark. And so... I'm
MARIA. Planning to be in Denmark
GRAHAM. Later this week. Oh, you're lucky to get up. So I'll
MARIA. Go check him out. I'll see if I can find him. I'm sure everyone knows him. I'll be...
GRAHAM. Anyway. Where can I find him? I've included a link in the show notes, which you can go and check out at smashingsecurity.com if you want to check out the video. And I thought it was quite an inventive, imaginative way to talk about a particular game of chess complete with
MARIA. Not the Game of Thrones but the game of chess. And
GRAHAM. That's why it's my pick of the week. Nice Maria, what have you got for us as your pick of the week?
MARIA. My pick of the week is not Game of Thrones because I've never seen it. She's never seen Game of Thrones. I've never seen Game of Thrones. I know, I know. All right, so my pick of the week is again shock and surprise, it's about something that I'm very interested in and it happens to be Star Trek. So there are many iterations of Star Trek, one of the best if not the best is called Deep Space Nine. It came out in the '90s, it was great, it's 25 years old now and the producer showrunner of the show, he made a documentary about why this show was so groundbreaking and a lot of behind the scenes stuff about what went into making it, things they wish they had done better.
Fascinating retrospective on this great series. And it's called What We Left Behind. And this documentary came out in the States, it aired in May. And it is available to watch, I believe, in June in the UK and Ireland. It's going to be one night only in theaters in the UK and Ireland. Yes. Wow. So unfortunately, from our US and Canada listeners... tough. You can't see it in theaters again. Sorry. But it's going to be out on Blu-ray in August so you'll be able to see it very soon. But if you're in the UK and Ireland you can go see it, please go see it if you're into Star Trek, especially Deep Space Nine because they have HD clips, they actually remastered a lot of great clips from the show, the behind the scenes stuff is fascinating, I cried many times while watching this, it was very affecting. Really? They get into a lot of great stuff about... Odo, is
GRAHAM. Odo in it the shapeshifter, is that his name?
MARIA. Yes, Odo's in it, yes he's in it. They get into a lot of stuff about social issues in the '90s that prevented them from doing certain story types and what they wish they could have done. I thought it was a fascinating look and it's very well done. This is slightly tangential, but do you want me to tell you my favorite line from Star Trek, the only one I would say is most powerful and I bet you could totally identify it's probably up there, is it when William Shatner says come on? No, I'm not even going to say who it is. I bet she'll identify right away. I might not. I'm not that great at this kind of stuff, actually. There are four lights! Oh, come on! Don't even... Of course. That's not even... Come on. Sorry,
GRAHAM. I have no idea what just happened.
MARIA. There are four lights when Picard sees... anyway. Totally. Do you want to know the story behind that whole thing? I do. He was doing an episode against torture. He talked to Amnesty International, and they collaborate. I think they worked with the writers on writing series episodes against use of torture. Oh, because
GRAHAM. The Cardassians, they're into torturing people, aren't they?
MARIA. Cardassians! Cardassians! Same diff, really. I'm using that word a lot this week. Cardassians. Keeping up with the Kardashians, yes. Anyway, folks in the UK and Ireland, if you're into Star Trek, especially Deep Space Nine, go see the documentary in theaters. It's worth it. I've never
GRAHAM. Really seen an episode of Deep Space Nine, but I have heard it's quite good. And if I had time, I probably would. I just didn't like the Ferengi. The Ferengi.
MARIA. Well, the Ferengi are their capitalism gone crazy. It's a great little, it's very timely now. And if you've ever seen Battlestar Galactica, the new one that Ron Moore wrote, he wrote for Deep Space Nine before he wrote Battlestar Galactica. I love Battlestar Galactica. So if you enjoyed Battlestar Galactica I think Deep Space Nine is an easy segue.
GRAHAM. I would be tempted to watch this documentary even though I've never seen Deep Space Nine because I quite like documentaries and I think I would find it interesting. It may be a way for me to get into the show. It's a bit like if there was a... steal some ideas for the Whovians, maybe. Oh there are some very good Doctor Who documentaries like that too. But anyway, if there was a documentary about the Golden Girls for instance I'd probably watch that because I think I'd find that quite interesting as well and Murder, She Wrote. There probably is one
MARIA. Called On the Lanai or something. Let's have some cheesecake. I'm sure there is. There's got to be one. That's a missed opportunity if there isn't. Thank you for being a friend.
GRAHAM. Carole, what's your pick of the week?
MARIA. Mine is Quick and Dirty. So this is for those that, you know, if you live underground and have no access to anything Wi-Fi or mobile data. Can't even talk.
If you don't know who Joe Rogan is, you can't be listening to podcasts. Because everyone knows who he is. You may not like him, but you know who he is.
So he's known for being a comedian. He's big into MMA or mixed martial arts. And he does this whole video podcast, which I personally need to argue, is a video podcast a podcast?
GRAHAM. No, it's a video podcast.
MARIA. Right? It's a video. I think podcast is just audio. I certainly feel that way. Strong feelings. Yeah, I guess. So
GRAHAM. I've never heard Joe Rogan's podcast. I know he's a very popular podcaster.
MARIA. Yeah, it's long form. They tend to have chit chats, unedited. He's very open about what he knows, what he doesn't know, his views, his thoughts. He's built huge following.
He also did a lot of, I think he did TV before too. So I don't know if he came to the podcast world with a huge following.
GRAHAM. He did the podcast that Elon Musk went on and lit up a great big doobie, right?
MARIA. I have no idea. I don't know enough about him. I think so. Sounds about right.
Anyway, so I saw on Reddit, on the podcast feed, that Dessa have pulled together a model that replicates Joe Rogan's voice to showcase the current artificial intelligence techniques. And they've created a little game where you can decide if it's the real Joe Rogan speaking or a fake. Do you guys want to play?
GRAHAM. Oh, I wouldn't know what he sounds like, to be honest.
MARIA. Well, no, but yeah. But I've only listened to maybe one or two shows in my life, right? He's not a big... I only know him from TV, really. I've never listened to his podcast.
If you listen to one or two of these, there's a link in the show notes. So I've gone to
GRAHAM. fakejoerogan.com. And here we've got a whole bunch. We've got a grid of things we can play. And I imagine we then listen and then we have to decide if they're real or fake.
MARIA. Yeah, yeah. It takes about a minute of your time. So listen to one and then just decide if you think it's real or fake.
GRAHAM. OK, let's do the first one.
MARIA. What was the person thinking when they discovered cow's milk was fine for human consumption? And why did they do it in the first place?
No, I got one saying you are much less likely to injure yourself if you do it correctly.
GRAHAM. You are much less likely to injure yourself if you do it correctly.
So I think mine was fake. So I'm gonna hit the fake button. Correct! I got it right.
Hey, why did you think it was fake? It just sounded a little bit well, first of all, it was just stupid content, but it just sounded a little bit clipped to me.
MARIA. So I did them all. Right. And I got one wrong, the first one wrong, and then the rest I got right because suddenly my brain adapted very quickly as to what to listen for, weird hesitations. Yes, the speed. Longer and shorter hesitations, yes. Yes.
So there was just a few weird giveaways. I probably didn't even notice most of them because they unconsciously hit my brain. So there are tells in there that you're able to detect. That's interesting.
Though it's pretty scary how accurate it is. They've put together a video of him saying lots of different things, and you watch it and you think, oh, my.
So it's not long before we won't be able to trust anything that you hear, including someone who claims to be from Smashing Security. I've been generated fakely this whole time. Well, hey, you're welcome any time. Hooray!
GRAHAM. So I've just done a few of these. Sorry, I don't know what you've been talking about. I've just done a few of these. And I've got 100% you, Maria, at the moment, of the ones I've done.
But it is quite good, but it's not quite perfect.
MARIA. No, but you have to really listen, though. If they were talking and, you know, you, well, maybe in this, yeah, we were talking.
GRAHAM. The other thing is that you alerted me. You told me, listen out as to whether this is a real or a fake. If I'd just heard it, I wonder if I would have spotted it or not. I suspect I probably wouldn't.
MARIA. As Dessa say in their announcement, it's pretty fucking scary. So there you go. You want to play?
GRAHAM. Is that an actual quote in their press release?
MARIA. Yeah. Well, the F star king, but I think we all know what that means. Yeah, there was one I swore. I was oh, that's so easy. That one's definitely real. And it was fake. Yeah.
So check it out. fakejoerogan.com. See what you make of it. I'd be really interested in hearing from people that are actually big Joe Rogan fans to see if they found it easy or difficult.
I mean, I don't know, Graham. We spend a lot of time editing this podcast, right? So we may have an editor's ear now. Maybe a listener's ear would find it more difficult. Who knows?
GRAHAM. We don't edit this podcast, Maria.
MARIA. Hardly at all. You're right. What was I? What am I thinking? We just add some music at the start and the end. Some plinks and some plops.
GRAHAM. Maria, I think you're really great. You know that?
MARIA. That was definitely fake. You're the favorite podcast co-host. Can't imagine.
Oh, you get co now. Yeah, now it's co-host. If he talks about me, it's always co. Co, yeah, he doesn't forget that time.
GRAHAM. And on that bombshell, we've just about wrapped it up for this week. Maria! I'm sure lots of our listeners would love to stalk you online. What's the best way for folks to do that?
MARIA. Please don't stalk me. You can find me on Twitter at mvarmazis, that's me, or on Mastodon if you're on infosec.exchange I'm at Maria.
GRAHAM. And you can follow us on Twitter at smashinsecurity, no G. Twitter wouldn't allow us to have a G and you can also join our discussion on Reddit. The quickest way to find our Reddit subreddit is smashinsecurity.com/reddit and it will take you right there.
MARIA. Hugs to this week's Smashing Security sponsors LastPass and Meta Compliance. Their support helps us give you this show for free so be sure to check out their offers and kisses to you our lovely listeners. I dread to think where we'd be without you so thank you. Check out smashingsecurity.com for past episodes, sponsorship details and info on how to get in touch with us.
GRAHAM. Until next time, cheerio! Bye bye bye. I just paused because you're talking about kissing our listeners after I got in trouble.
MARIA. I know, I know. I didn't say with tongues. I don't do that. I haven't done that since 18.
GRAHAM. Too much information. Maybe not.
MARIA. Yeah, it's a podcast. Surely that's another stipulation of a podcast. And what? Kissing? It's cold outside.
GRAHAM. I'm going to hit the stop button.
-- TRANSCRIPT ENDS --