
136: Oops, we created Iran's hacking exploit


Mac users of the Zoom video conferencing app are warned their webcams could be hijacked, security firms warn of how scammers are deepfaking audio to steal from businesses, and our guest owns up to the role he played in an Iranian cyberattack against US organisations.

All this and much, much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Charl van der Walt.

Visit https://www.smashingsecurity.com/136 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Charl van der Walt.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



CAROLE THERIAULT. Band-Aids are the solution to this.


CHARL VAN DER WALT. Sounding more and more like it.


CAROLE THERIAULT. Not for your butt, for the current—


GRAHAM CLULEY. Yes, exactly. Yes, yes, yes. Careful which hole you cover up.


CAROLE THERIAULT. Okay.


UNKNOWN. Smashing Security, episode 136: Oops, we created Iran's hacking exploit.


CHARL VAN DER WALT. With Carole Theriault and Graham Cluley.


UNKNOWN. Hello, hello, and welcome to Smashing Security episode 136. My name is Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault. How are you, Mr. Cluley?


GRAHAM CLULEY. Oh, I'm all right, thanks. You're over in Canada at the moment, aren't you?


CAROLE THERIAULT. Yeah, did you notice? You missing me?


GRAHAM CLULEY. Oh, the whole country's missing you, Carole. It's gone to hell.


CAROLE THERIAULT. Actually, I'd like to do a shout out. I am in Canada, but I went and saw my Aunt Mimi, right? She held a big party on the weekend. Mimi? And you know what she told me? She listens to the show every week.


CHARL VAN DER WALT. No.


CAROLE THERIAULT. My aunt. Yeah, she listens every week and she loves it. So Mimi, shout out for you.


GRAHAM CLULEY. There you go. Goodness, Mimi listens to you, you.


CAROLE THERIAULT. Yeah, Mimi listens to you, you. Exactly. God, it's like I've heard that before.


GRAHAM CLULEY. Now, people may have already have noticed that we have a special guest who's joined us. So Carole, you're all the way, you're far, far away in Canada, but even further away, I suspect, is our guest today, Charl van der Walt. Charl, did I say your surname correctly?


CHARL VAN DER WALT. First of all, Graham, I think you said it as correctly as you're ever going to say it.


GRAHAM CLULEY. So let's go with that and explain to people where you are and who you are.


CAROLE THERIAULT. Maybe say your name correctly first so that people can actually know what it is.


CHARL VAN DER WALT. So I'm Charl van der Walt.


CAROLE THERIAULT. Van der Walt. Okay.


CHARL VAN DER WALT. Van der Walt. Okay. And I am in Cape Town, South Africa, where I work for a pen testing company called SensePost.


CAROLE THERIAULT. And is it very hot there?


CHARL VAN DER WALT. It's winter here, so it's not very hot. We're struggling with a blizzardy 16 degrees or something.


GRAHAM CLULEY. Oh, how hellish that must be. 16 degrees Celsius. Oh, so chilly that one, isn't it?


CHARL VAN DER WALT. You know what they say about the snows in Africa.


GRAHAM CLULEY. Don't start that again. Now, now we met, didn't we? I was down in Johannesburg giving a talk and you were there as well. And a splendid time was had by all.


CHARL VAN DER WALT. By all, yes, we did.


GRAHAM CLULEY. Yeah, it was a good old conference. And that's why we've missed it.


CHARL VAN DER WALT. Well, you weren't invited, Carole. Oh, nice.


CAROLE THERIAULT. Nice.


CHARL VAN DER WALT. Sorry.


GRAHAM CLULEY. Thanks.


CAROLE THERIAULT. No.


GRAHAM CLULEY. Carole, to make up for it, what's coming up on the show this week?


CAROLE THERIAULT. Well, first, let's high-five this week's sponsors, LastPass and Recorded Future. Their support helps us give you this show for free. On today's show, Graham looks into Zoom video conferencing software. Charl talks vulnerabilities, Iran, and US Cyber Command. Heavy stuff. And I visit the world of deepfakes.


CHARL VAN DER WALT. Ooh.


CAROLE THERIAULT. All this and boatloads more coming up on this episode of Smashing Security.


GRAHAM CLULEY. It's been 6 years, 6 years since we quit our jobs at that cybersecurity firm.


CAROLE THERIAULT. 6 years, 1 month, actually.


GRAHAM CLULEY. Is it? Okay. It's been, it's been quite a while, hasn't it? And there are, there's a few things I miss. I don't know about you. There's a few things I miss.


CAROLE THERIAULT. The loo without any seat covers?


GRAHAM CLULEY. No, no, no, not that. Not the messages about not dropping jam on the carpet tiles, on the carpet tiles or anything like that. No, no.


CHARL VAN DER WALT. Yeah.


GRAHAM CLULEY. There's a few things I miss, but there's also quite a lot which I don't miss. And up high on that list of working in corporate life is meetings. Boy, I don't miss those one bit.


CAROLE THERIAULT. Especially the meetings when you weren't actually required to be there, but somehow you had to be there.


GRAHAM CLULEY. Let's be honest, I really wasn't needed at any of those meetings. Having me at any of those meetings was a disadvantage to everyone else in the meeting. It was just a waste of time for me and a waste of—


CAROLE THERIAULT. Hey, hey, don't put yourself down so much.


GRAHAM CLULEY. No, because, you know, there's really nothing worse than getting lots of people in a room to discuss something. In fact, there's only one thing worse than getting lots of people in a room to discuss something, and that's getting lots of people who aren't in the room to discuss something as well by teleconferencing. Do you remember some of the teleconference calls we were on?


CAROLE THERIAULT. Hello, Australia!


GRAHAM CLULEY. Can you hear me over there?


CHARL VAN DER WALT. Hello?


CAROLE THERIAULT. Hello?


CHARL VAN DER WALT. Are you listening?


CAROLE THERIAULT. Can you hear me? Hello?


GRAHAM CLULEY. It was like trying to collect the votes at Eurovision as we would dial around the world and people wouldn't have the right number or people would drop off the call, just shouting at each other. It's like really a megaphone would have been better.


CAROLE THERIAULT. I had to go into the office once at like 5:00 AM to do one of those.


GRAHAM CLULEY. Horrendous. Well, how could anything be worse? Well, I'll tell you how. By adding video onto a teleconference call. Oh boy, oh boy. Because then you can't even disguise how bored you are. So when you've been on the call for 8 hours, and sometimes the calls do last that long, you know, you're rolling your eyes. Everyone in the Singapore office can see that you're actually playing solitaire or not really paying attention or doing your receipts.


CAROLE THERIAULT. You know, the trick is just to be really, really quiet, right? Because then it doesn't actually— the camera doesn't focus on you. Most of these new video conferencing tools highlight whoever's making noise.


GRAHAM CLULEY. Oh, yes.


CAROLE THERIAULT. STFU, Graham. STFU.


CHARL VAN DER WALT. There is one advantage, Graham, to be fair.


GRAHAM CLULEY. Yes?


CHARL VAN DER WALT. To video conferences. You don't have to wear trousers.


GRAHAM CLULEY. Well, I don't know what you do down there in Cape Town, Charl, but in England, we tend to wear trousers in the office. We tend not to—


CHARL VAN DER WALT. But not on a video conference. I mean—


GRAHAM CLULEY. It's bad enough getting jam on the carpet tiles, let alone getting something else on the seat covers. So we tend to—


CHARL VAN DER WALT. Oh yeah, I had to go there. Yeah, you went there.


GRAHAM CLULEY. Now, I'm not a big fan of video conferencing, and despite now running my own business, I haven't been able to completely cut it out of my life. I do cover my webcam at all times, and if someone says, "Oh, can you turn your webcam on?" It's like, well, if you don't need to see me, if this isn't actually being recorded for a webinar or something, I'm— no, I can't.


CAROLE THERIAULT. Just for the record, I am perfectly happy not seeing you.


GRAHAM CLULEY. Yeah, exactly. It's for everybody, really. No one wants to see me. Win-win.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. But of course, because I'm dealing with different clients and things, they all want me to sign into their particular video conferencing app, the one they've chosen for their business, which could be Skype or Zoom or GoToMeeting or Google Hangouts or Join.me.


CAROLE THERIAULT. It's a pain in the butt because you have to install stuff and then you have got like 4 or 5 different video apps on your computer that you don't want. Yeah. I've been there.


GRAHAM CLULEY. And you only need them infrequently, but they're there. And it's, it's, and normally you only realise with about 90 seconds before the call begins, or maybe 2 minutes after it was supposed to begin. There's not a phone number for you to ring, but you have to go in through a particular app. It's, it's—


CHARL VAN DER WALT. You have to download it.


GRAHAM CLULEY. Yeah, you have to download it and then you—


CAROLE THERIAULT. Okay, so you're going to complain about first world problems. Okay, good. Carry on.


GRAHAM CLULEY. So that's the whole show, Carole. So. So I'm going to actually talk about one of these today, which is Zoom, and specifically the Mac.


CAROLE THERIAULT. I've used Zoom.


GRAHAM CLULEY. Yes, well, it's very popular. Have you used Zoom as well, Charles?


CHARL VAN DER WALT. Zoom, Zoom, Zoom. Yes, we use Zoom as our corporate choice. That's what we use. We have it installed in all the boardrooms and on all the computers.


GRAHAM CLULEY. How interesting. Do you have any Macs in your office at all, may I ask?


CHARL VAN DER WALT. Graham, I'm not sure I should tell you. No, I think I may be incriminating myself if I do. We may or may not have some Macs in this office.


GRAHAM CLULEY. The issue today is specifically with the Mac version of Zoom. It's a very popular video conference app, not just Charl using it at SensePost down in Cape Town.


CHARL VAN DER WALT. Otherwise I wouldn't have anyone to talk to.


CAROLE THERIAULT. You know what, I think, yeah, I have actually been asked to install it by a leading security, IT security firm.


CHARL VAN DER WALT. No, really? Yeah. Don't do it.


CAROLE THERIAULT. I know this was a long time ago, but that's how it ended up on my system. Yeah.


GRAHAM CLULEY. Well, you wouldn't be alone because around about 3/4 of a million businesses around the world are using this app. It's one of the leading video conferencing apps.


CHARL VAN DER WALT. Including us.


GRAHAM CLULEY. Including us. Including us. Now, this week, a security researcher has uncovered and released details of a vulnerability that can allow any web page to open up a video call with a Mac user who's already installed Zoom without asking permission. In other words, if you go to a dodgy web page, your webcam can be hijacked into a Zoom video conference and people could spy on you without you realizing.


CAROLE THERIAULT. It's time to liquid paper those cameras, isn't it?


CHARL VAN DER WALT. It is. I have some, I have some naughty plasters we could use. Do you call them plasters?


CAROLE THERIAULT. What do you call them?


CHARL VAN DER WALT. Yeah. Yeah. Naughty band-aids.


GRAHAM CLULEY. Now, when I first saw this headline, SendZoom, and I thought, oh crumbs, you know, I've probably installed that at some stage. I'll have to uninstall it because I don't use it regularly, but sometimes with some clients. Now you might think that taking that nuclear option of uninstalling Zoom, you know, dragging it into your trash can on your Mac means that you're no longer at risk of having someone unexpectedly spying on you. But I'm afraid piff, paff, poof. That is not true. That is piffle. Because Zoom has a little trick.


CAROLE THERIAULT. So wait, let me just back up for a second. This is the legitimate Zoom app. This is not a fake Zoom app or anything like that.


GRAHAM CLULEY. Yeah. Yeah. It's a slick little app which you have on your Mac and you can, like any other Mac application, go into the Applications folder and drag it into the trash can and it should be deleted and uninstalled. It's a fairly easy sort of process, but it doesn't actually get rid of everything which it installed because it turns out Zoom, when you first install it, also installs a little bit of web server code onto your Mac.


CAROLE THERIAULT. Potentially unwanted software.


GRAHAM CLULEY. Yeah. Well, exactly. Potentially unwanted application, you know, because after you uninstall Zoom, that piece of code is still there. And do you know what it does?


CHARL VAN DER WALT. Tell us.


GRAHAM CLULEY. If someone sends you a Zoom meeting link, if you get one in your email or something like that and you click on it, when you click on it to join that meeting later, having uninstalled Zoom, that bit of web server code gets activated and in the background and very, very quickly, it will reinstall Zoom onto your computer without asking your permission and bam, Zoom is there again.


CAROLE THERIAULT. And it has probably all your old settings as well.


GRAHAM CLULEY. It's all set up.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. And so I did this this morning. I uninstalled Zoom.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Because I was reading about this and I clicked on a Zoom link and in literally the blink of an eye, the entire app was reinstalled.


CAROLE THERIAULT. And it's not cool.


GRAHAM CLULEY. I, I even tried to get a screenshot of it as it was doing it and it was too fast. Cost for me to do it.


CAROLE THERIAULT. Well, you are at a certain age now.


GRAHAM CLULEY. I am. I am a bit slow.


CHARL VAN DER WALT. So no user interaction required, Graham. It just reinstalls seamlessly in the background.


GRAHAM CLULEY. That's right. Just by clicking on the link.


CAROLE THERIAULT. You could try it right now, Charl, on your computer.


CHARL VAN DER WALT. Well, that would be confessing that I run a Mac, wouldn't it? And I can't do that.


GRAHAM CLULEY. Nice try. Nice try, Charl. Nice try. So I think that's first of all pretty darn rude, you know, installing software without my permission, you know, and I expect software to behave nicely. If I've uninstalled it, I expect it to be properly uninstalled.


CAROLE THERIAULT. We probably wouldn't have a show if they all did that though.


GRAHAM CLULEY. No, that's right. Thank heavens for rude misbehaving software. Otherwise, where would our entire careers be?


CAROLE THERIAULT. We'd probably be still working in a corporation.


GRAHAM CLULEY. Right. Well, that corporation probably wouldn't exist, would it?


CAROLE THERIAULT. Probably.


GRAHAM CLULEY. So, yeah. So I think we should all have control over which apps get installed on our computer.


CAROLE THERIAULT. 100%.


GRAHAM CLULEY. I think most Mac users would expect that that thing had been uninstalled.


CAROLE THERIAULT. Not just Mac users, all freaking computer users should be able to expect that.


GRAHAM CLULEY. Yeah, totally. See, I don't mind the idea that if I click on a Zoom meeting link, I don't mind if it then pops up and says, oh, you don't have Zoom installed. Would you like to install it? That would be kind of acceptable to me, I think. I don't have a problem with that because then I could say, no, I don't want that ruddy software. I'll go into the web version of Zoom instead of actually installing an app.


CHARL VAN DER WALT. Yeah, because they have a web version, don't they?


GRAHAM CLULEY. Yes. I think there is a web-based version, although I was looking at their support knowledge base and it sounded like almost it's up to the host of the call to decide whether it also sends you a link to the web version of the meeting rather than using the app, which seems rather—


CAROLE THERIAULT. That makes sense though, because you wouldn't want to confuse people by sending multiple links potentially. But basically we're saying, I can say as a consultant, I want the web version of everything. I do not want to install apps.


CHARL VAN DER WALT. There's some other weird things that that researcher points out. For example, that the host can dictate that when you join the meeting, your mic and camera are immediately activated. That's one of the features he's abusing, but it's a feature of the app.


GRAHAM CLULEY. This is extraordinary. It's worth underlining. So with Zoom, by default, the meeting host has the ability to decide whether participants' video is turned on automatically when they join the meeting. And again, let's talk about your trousers situation, Charles. Potentially, that's disastrous, right? If you dropped your pen or your notes on the floor just as you were clicking on the link, and then you're off. We'd never go back.


CHARL VAN DER WALT. We would never go back.


GRAHAM CLULEY. I mean, I know you're not a hirsute chap. I mean, you've got a beard, don't you? But you're, how can I put it? You're sort of focally challenged on the top of your head.


CHARL VAN DER WALT. A little.


GRAHAM CLULEY. I have no idea what's going on on your bottom. But that could be broadcast to everyone else on the video conference call.


CAROLE THERIAULT. Again, Band-Aids are the solution to this.


CHARL VAN DER WALT. Sounding more and more like it.


CAROLE THERIAULT. Not your butt, your cryptocurrency.


GRAHAM CLULEY. Yes, exactly. Yes. Yes. Yes. Careful which hole you cover up. Uh, yeah, it could lead to problems, but yeah. So, okay. So the, the researcher pointed this out and he said, look, this isn't good because basically, because this all can be done with just a link, potentially a bad guy could booby trap a webpage to initiate the link or trick people into clicking on it, or maybe even use malvertising to open up video conferencing stream with someone. And the researcher reported that to Zoom. And Zoom's response was a little bit snidey, I thought. It felt a little bit like— What did they say? Well, they didn't really acknowledge it. They said, well, look, the reason why we've implemented our software in this way is because it's a legitimate solution to poor user experience problem. In other words, they're saying we've saved you a click. And we want our users to have faster one-click-to-join meetings rather than have to confirm that they really want to do it. And I think, well, come on.


CAROLE THERIAULT. I know, but I get, I agree with you. I agree, obviously, 'cause I, you know, but I can understand that there are many times when a service provider has to make a call of how many features to add to improve a service and may not, you know, and this is why baked-in security is so important. You need to have a security expert in those meetings. Sorry, Graham, I know we won't call on you, but we need people in those meetings from the get-go to think, hey guys, whoa, whoa, that may not be all that secure.


GRAHAM CLULEY. But in a video conferencing system where it's possible for the host to determine if your microphone and your video is enabled instantly, then that seems really rough that that person doesn't have a choice. I agree. They don't have the ability to.


CAROLE THERIAULT. But I also, you know as well as I do that when we do these things, sometimes people can't find the right mics or the right headphones or et cetera. And, you know, maybe they don't know how to turn it on. And, you know, sometimes you can grease the wheels I'm just saying there's two sides to every coin. Two sides.


CHARL VAN DER WALT. Well, you know, it seems to me like the, the approach of running a web server locally on a machine and the, the, the kind of website hack that they use to create this feature, it just seems really hacky. It seems like a strange workaround. And, you know, we, we all know how this goes. I think, um, you've got a feature set like that and one vulnerability gets discovered, I think we can expect that there'll be more. We're going to see more of this.


CAROLE THERIAULT. You guys are going to be all over it now.


CHARL VAN DER WALT. Yeah.


CAROLE THERIAULT. Okay. So we need to tell people how to get Zoom off their computers and also how to get this nasty little hidden bit of Zoom off their computers too.


GRAHAM CLULEY. So there are links in the show notes where we've linked to the researcher's blog article where he gives the technical instructions. Unfortunately, it isn't as easy, like I said, as just dragging the Zoom app into your trash can. You do have to use some terminal commands. That's like going to the command line. In order to do this properly. Zoom has said that it is changing its software. It said it already said, well, look, we've dealt with one of your complaints. Okay. So what we're doing is we've released a quick fix, which disables the meeting creator's ability to automatically enable participants' video by default. And you think, well, that's good that they've done that, right? Unfortunately, a couple of days later, that vulnerability sort of crept back into the software. So they'd fixed it and then the fix fell off.


CAROLE THERIAULT. Because they did a rollback or something.


GRAHAM CLULEY. Who knows? But somehow or other that fix is no longer present. They've also said they're going to make some other changes as well.


CAROLE THERIAULT. They're Muppets. They're Muppets.


GRAHAM CLULEY. So I guess we're going to have to find out how to do this in browser rather than installing the app, aren't we?


CAROLE THERIAULT. Yeah, exactly.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. I mean, you know, the porn industry proves that you don't need an app to sell a service, right? So I think, no, let's go back to the web. I'm a big fan of that. No installation, visit a webpage, do what you need to do, and then get out of Dodge.


GRAHAM CLULEY. Do you take a lot of advice from the porn industry, Carole?


CAROLE THERIAULT. Well, there's lots to be learned there.


GRAHAM CLULEY. Oh yeah. Yeah, Satan's school for girls. That's how I've decided to live my life. Interesting.


CAROLE THERIAULT. I'm very happily married. That's all I gotta say.


GRAHAM CLULEY. These days, it's not really relevant, Carole. Charl, what's your story for us this week?


CHARL VAN DER WALT. My story is about Twitter, but not the kind of Twitter where that's all YOLO and selfies. This is the Twitter account of US Cyber Command, who we know is the cyber warfare branch of the US military, who, who've sort of been growing in prominence and getting louder and louder over the last few years.


GRAHAM CLULEY. And they don't, they don't tweet out selfies of themselves, is what you're saying? They don't seem to.


CHARL VAN DER WALT. I think that they're more on Instagram for that.


GRAHAM CLULEY. Right, okay.


CAROLE THERIAULT. And this is their official Twitter page?


CHARL VAN DER WALT. This is their official Twitter page. Okay. Well, an official Twitter page called US Cyber Command Malware Alerts. And they post out warnings about things that are happening that they're aware of. Okay. And that they think kind of civilian space should know about. And on the 2nd of July, so just a few days back, they tweeted out about this Microsoft vulnerability affecting Microsoft Outlook, which is the email application that Windows users use. That's being exploited in the wild. But what, what we can read between the lines and what a number of analysts picked up on is that what they're referring to is a campaign linked to a threat actor group, uh, which is believed to be Iranian state-backed hackers called APT33, are exploiting this, uh, Microsoft Outlook vulnerability in the wild, and Cyber Command wants us to know about it because it's a big deal.


GRAHAM CLULEY. So basically we've got Iranian government-backed hackers who are attacking other countries and maybe breaking into the systems of industries based overseas, using Outlook, up to all kinds of mischief. And so you've got US Cyber Command, who obviously— there's a little bit of tension at the moment, isn't there, between America and Iran, is something I picked up on.


CHARL VAN DER WALT. Yes, very astute, Graham.


GRAHAM CLULEY. So they are— I try and keep my finger on the pulse. So they are alerting organizations, watch out, because people are using this particular Microsoft vulnerability and we think it's Iran who's up to it.


CHARL VAN DER WALT. Exactly. And to summarize that sort of in a nutshell, the Forbes article that ran around this tweet, the headline for that article reads, US military warns Outlook users to update immediately over hack linked to Iran. So your finger is very much on the pulse, Graham. You summarized that perfectly.


GRAHAM CLULEY. Thank you.


CHARL VAN DER WALT. So I'm reading into this article and it turns out that the vulnerability is being exploited using a hacking tool called Ruler, like the thing that you measure distances with. And this tool, as it happens, was developed back in 2017 by my team. So my team—


CAROLE THERIAULT. Oh, wow.


GRAHAM CLULEY. Hang on a moment. So there are Iranian government-backed hackers who are trying to break into American systems and effectively, the tool which they are using, the weapon which they are using, was written by you and your buddies.


CAROLE THERIAULT. Thanks, Charl. Thanks so much.


CHARL VAN DER WALT. In South Africa. Yeah, there you have it. This might be my greatest achievement, you know. And, and, and, you know, this story kind of rattled me because I thought, good, you know, look, we do this, right? And pen testing companies do this routinely. It's how we demonstrate capability. It's how we attract people to come and work for us. It's how we warn the industry and our customers. It's how we demonstrate that threats are real. And, you know, arguably this, that kind of disclosure of vulnerabilities and exploits is a very powerful tool in moving the industry forward. And, you know, I spoke to a lot of people off the back of this and asked them how they felt about it, people from my team, and they all kind of stood by this decision to publish the exploit at the time. And they all believed strongly it was the right thing to do.


GRAHAM CLULEY. You basically released this tool and this information in order to get the problem fixed because you found the problem and thought, thought there might be a way of exploiting this. Let's build a little tool which does it. It's not as though you guys were using it maliciously yourselves.


CAROLE THERIAULT. But they did build the weapon that was used, so to speak.


CHARL VAN DER WALT. We weaponized the vulnerability, yeah, that's true. And we use it, we use that toolkit extensively in our work.


CAROLE THERIAULT. For good, yeah.


CHARL VAN DER WALT. For good. And the vulnerability wasn't actually disclosed by us. The vulnerability was disclosed by a crowd called Silent Circle Security sometime before we wrote the tool. So the knowledge of the vulnerability was out there. We just kind of shrink-wrapped it and demonstrated how it could be used in a weaponized way.


GRAHAM CLULEY. And I guess the normal way in which you actually use that in the course of your work is, would you be doing something like testing the defenses of a company who's asked you to see if they are vulnerable, and this tool would be one of the methods which you use, for instance?


CHARL VAN DER WALT. Exactly. That's exactly how it would work. And it's very effective, and it demonstrates a very real contemporary threat, which can incidentally be exploited in a lot of other ways too, because the tool requires two things. It requires this outdated version of Outlook, but it also requires us to have valid credentials for that user, valid Microsoft credentials for that user. So we're demonstrating not just that bug, we're demonstrating a whole class of bugs linked to, you know, weak passwords or password reuse.


GRAHAM CLULEY. So once you exploit this vulnerability, what can you then do with it? What's the risk to the person who's been targeted in this case? Obviously Iran is targeting organizations in America and maybe elsewhere around the world. What could they do with it?


CHARL VAN DER WALT. So when this vulnerability triggers, we effectively have persistent remote command and control over that user's machine with their privileges. So it's kind of as if we're sitting on the user's machine at their terminal, you know, at that command interface and typing commands. And anything that user could do we could do, too, but remotely. And from there, once we have that control as one user, then we exploit all those, you know, privilege escalation, lateral movement techniques that you hear people talk about. And our testers would argue that once we have that initial entry point into the network, to get from there to domain administrator is a matter of days, maybe, probably hours. Never weeks. It's that quick and easy to go from that initial foothold to having full control of the domain for most environments.


GRAHAM CLULEY. So the good news is Microsoft has patched this vulnerability in Microsoft Outlook, and they did it, they did it a while back, didn't they?


CHARL VAN DER WALT. Yeah, they made a patch available, and, and, and of course more recent versions of the software simply don't have those features anymore. That particular feature is now gone from the software.


CAROLE THERIAULT. Defunct, okay.


GRAHAM CLULEY. Yeah. But clearly the selfie-taking guys at US Cyber Command are still concerned that there's gonna be some organizations out there who haven't properly patched and are still vulnerable to, I'm afraid to say this again, Charles, but against your weapon.


CHARL VAN DER WALT. Against our weapon, VPN. Yeah.


CAROLE THERIAULT. It's a really complicated situation for you guys, actually.


CHARL VAN DER WALT. I feel for you. It is a complicated situation. And you know, there was a time where this trade-off between keeping a vulnerability to yourself or exposing it was, it seemed simpler to think through. But now in a world where nations and armies are using these kinds of tools effectively in kind of low-level cyber wars, the equation becomes much more complicated, I think.


GRAHAM CLULEY. But come on, come on, come on. When you read this, right? When your team heard about this, did you kind of think, well, you know, this is actually the, you know, this is kind of the best endorsement we've ever had because we, we, we, we wrote this thing a while ago, but I think he pooped his pants a little bit. You know, Carole, we have to keep on coming back to that.


CHARL VAN DER WALT. I'd like to avoid using the word poop in public.


GRAHAM CLULEY. Carole, what's your story for us this week?


CAROLE THERIAULT. So my story this week, actually, actually, Graham, would you just read the following paragraph, please?


GRAHAM CLULEY. Okay, hang on.


CAROLE THERIAULT. It's in the document there.


GRAHAM CLULEY. You've got something in front of you.


CAROLE THERIAULT. You read it rather than me. You just read that.


GRAHAM CLULEY. You want me to read it? Oh, do you work for you? Why not? Okay. Wonderful Carole. Okay. You are not only a great trusted friend who is much, much funnier than me, but also the best co-host in the world. You're the only co-host I've got. Really, you are much funnier than me, and I learn so much from you.


CAROLE THERIAULT. 'Just wanted you to hear it directly from me.' Okay, no offense, but is that the best you can do? Like—


GRAHAM CLULEY. Wonderful, Carole. You are not a great—


CHARL VAN DER WALT. You know what?


CAROLE THERIAULT. Forget it. I'm just going to deepfake it. It's probably much easier and it'd probably be much more believable and it'll lose that sarky tone that you brought in with your little comment there. So deepfakes, that's what we're talking about. The reason for the story is I fear we're going to see a lot more of them and there's not a lot we can do about it.


GRAHAM CLULEY. Well, there's a lot of talk about it, isn't there?


CAROLE THERIAULT. Like all things internet, though, clearly deepfakes can be used for fun, right? Or to make a valid point. But they can also be used for the more nefarious purposes, like all that horror show of propaganda, disinformation, reputation destroying and all that.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. So basically, for those that don't have a full grasp on deepfake, it basically takes existing footage, real footage of a person, and doctors the face, body, words, or clothing. So it's being used to target celebrities, politicians, and other high-profile people. And this deepfake tech is getting slicker. And I need you all to appreciate that it could be pretty darn convincing. I have put a link in the show notes there. You guys can go see it of a video.


GRAHAM CLULEY. Hang on. Oh, for goodness. Oh, bloody Rick Astley.


CAROLE THERIAULT. It's a live Donald Trump, just more aged. I just had to Rickroll him. It was time.


GRAHAM CLULEY. Every couple of months she does that.


CAROLE THERIAULT. Okay, no, here's the real link. Here's the real link. So this is Steve Buscemi as Jennifer Lawrence mashed up into a kind of deepfake.


CHARL VAN DER WALT. I've been taught not to click on— Oh my goodness. Yeah.


GRAHAM CLULEY. I'm looking at a video of, well, it's Jennifer Lawrence's lovely body. But she has the face of Steve Buscemi, which I have to say is slightly alarming. But I don't, I don't think this would fool me into thinking it's really Jennifer Lawrence, Carole. It's not the most convincing.


CHARL VAN DER WALT. Exactly.


CAROLE THERIAULT. Exactly. You see, in this case, this mashup isn't set to dupe us, right? We're kind of, as the viewers, we're in on the joke. We know it's Jennifer Lawrence and Steve Buscemi being mashed up together.


GRAHAM CLULEY. Right, right.


CAROLE THERIAULT. But there are many deepfakes out there that are designed to bully people or mislead us humans. And the worry is the tech is getting much, much better at it and people are figuring out much more nefarious ways to work with it. So just last week there was this Windows app that came on the market called DeepNude.


GRAHAM CLULEY. Oh, that was horrendous, wasn't it?


CAROLE THERIAULT. Right. And it cost something like $50.


GRAHAM CLULEY. Exactly. It was so expensive. It was horrendous how much one had to pay to get hold of it. Yes.


CHARL VAN DER WALT. Yeah.


CAROLE THERIAULT. And you know what? It was taken down very soon after it was made public, thanks largely to the tech press led by Motherboard for vilifying it for its gross raison d'être, right? And get this, this is how it happened. You would load up a picture of a clothed woman, is the idea, and using its so-called AI, the woman would be transformed from a clothed woman to a nudie fake version. Basically all her clothes are stripped off. And the first thing I wondered when I saw the story is why they keep talking about women. Surely you— what happens if you load up a man? And what happens is you still get a fake female bit, a female growler, instead of the meat and two veg.


GRAHAM CLULEY. Oh, right. So if you use this against me, you would see my naked— my face, but I'd have breasts and things.


CAROLE THERIAULT. You'd have boobies and a little—


CHARL VAN DER WALT. Yeah.


GRAHAM CLULEY. Which I don't have in real life.


CHARL VAN DER WALT. Moobies, Graham. I heard on a previous show that you have boobies. I heard it at the source.


CAROLE THERIAULT. Or mitts. Mitties is another great one. Yeah.


GRAHAM CLULEY. Mitties? What are mitties?


CAROLE THERIAULT. Man tits.


GRAHAM CLULEY. It's all for good music.


CHARL VAN DER WALT. Carole, not to diminish how gross this idea is, I do see a legitimate business application.


CAROLE THERIAULT. Okay, shoot.


CHARL VAN DER WALT. When used in conjunction with the right kind of video conferencing application, it could be used to remove your trousers if you happen to accidentally be wearing some.


CAROLE THERIAULT. Or we could reverse engineer it and add trousers on you. So you could be sitting there right nude but actually look fully dressed in your sports slacks and blue button-down.


CHARL VAN DER WALT. That's why you're the host of the show and I'm only a guest.


GRAHAM CLULEY. I am reinstalling Zoom right now. It's going back on my system.


CAROLE THERIAULT. But the point is, the point is this app DeepNude, it's very easy to see how people could be bullied by it.


GRAHAM CLULEY. My goodness.


CAROLE THERIAULT. Yes, it was. It's an awful— And the other thing that happened just this week was Symantec has just reported that it sees what it believes to be deepfaked audio of CEOs being used by phishers to trick basically the company financial controller into transferring cash over to the fake CEO.


GRAHAM CLULEY. So that's interesting. So these are these business email compromises where someone— there's a variety of ways you can do it, but you could ring up pretending to be the CEO and go, "Okay, you know, I'm ringing up from head office in Glasgow." It's exactly like a voice phish, right? "Move £1,000 into this bank account." And because they've grabbed the audio from earnings calls—


CAROLE THERIAULT. The real CEO.


GRAHAM CLULEY. Yeah. It would sound like the real— Gosh, that's very devious, isn't it? If they combined that with background noises of an office and things, then it would maybe even seem more convincing.


CHARL VAN DER WALT. Golf clubs, right? If it's the CEO, you want to go ping!


CAROLE THERIAULT. The golf cart, the golf cart. It's similar to the Smashing Security story Jessica Barker did on our show on episode 134, where she was talking about how scammers used bad lighting and a 3D-printed mask to dupe millions in France to give out money to help the government. Anyway, it was a great story. Go listen to it. Episode 134.


CHARL VAN DER WALT. You know what that's called, Carole?


CAROLE THERIAULT. What's that called?


CHARL VAN DER WALT. Bad light and cheaply printed 3D masks. That's not deepfake. That's cheapfake.


CAROLE THERIAULT. Great.


CHARL VAN DER WALT. I didn't even invent it. That's what it's called.


GRAHAM CLULEY. Kaboom.


CHARL VAN DER WALT. I didn't know that. Cheapfakes. Cheapfakes refers to like if they're just slowing a video down, for example, to make someone look drunk or just cutting a part out of a video. You know, there's no real machine learning or AI. It's just just kind of really cheap and dirty hacking with media.


CAROLE THERIAULT. Right. So they did that to Nancy Pelosi, right? So we call that a cheap fake as opposed to a deepfake. That would be a cheap fake. Yeah. Okay. Today I learned.


GRAHAM CLULEY. Yep.


CHARL VAN DER WALT. I saw a demo by Adobe of a piece of software they were planning to release that would take a voice recording of someone delivering a speech or in a meeting. I think they said they needed, maybe it was 20, maybe it was 40 minutes of text. So it's a fairly significant amount. And then while a person was speaking, they could transcribe voice to text in real time. So, you could see the words. It would appear on your console. And then you could change words in that text and it would play it back in that person's voice, even if you used words that weren't in the original recording. You could literally, in real time, on a Windows GUI app, change what somebody said.


CAROLE THERIAULT. I saw that. So, it needs about a few hours of video, apparently. That seems to be the consensus from my research. This morning, right? And you need about a few hours. Sometimes I've seen 40 minutes, but you need about a few hours to make a really good deepfake. And people are saying it is a lot of work. So people aren't going to do this for no return, right? There's going to be a game plan.


GRAHAM CLULEY. So if I had some footage of Carole speaking, for instance, I could get her to convincingly say words like whilst.


CHARL VAN DER WALT. Whilst.


GRAHAM CLULEY. Without sort of gagging.


CHARL VAN DER WALT. Surely she would say whilst anyway.


CAROLE THERIAULT. No, I know I would never.


CHARL VAN DER WALT. Isn't that the correct?


GRAHAM CLULEY. Apparently she's got some sort of issue.


CHARL VAN DER WALT. Isn't that the proper English?


GRAHAM CLULEY. No. Yes, it is.


CHARL VAN DER WALT. That's what I would have thought. You know?


GRAHAM CLULEY. Yes, exactly. Very wise. Excellent guest. Excellent guest.


CAROLE THERIAULT. I know what you all are wondering. How the heck do I handle this? How do I spot them? And right now, you know, there's no reliable reverse engineering to a deepfake as yet that I'm aware of. So I was looking around to see what people recommended. And I have to agree with Slate journalist Jane C. Hugh, because what she suggests seems to be the best for me. Perhaps you don't want to get lured by deepfake, you need to get familiar about them, right? So there's like, for example, on Reddit there's a subreddit called Git Fakes, and there's a lot—


GRAHAM CLULEY. not Git Face, but Git Fakes.


CAROLE THERIAULT. Yep. And there's many, many hundreds of examples, right? And you can look at those images and those videos and look at the lighting, look for fuzziness around the neck where it connects to the body, look at fuzziness around the mouth, face discoloration, and, you know, you need to teach your brain what to look for. And that's basically how you train yourself for it.


CHARL VAN DER WALT. That is, you know, that is so hopeless.


CAROLE THERIAULT. Yes, because technology is going to get better and those lines are going to become imperceptible to the human eye.


CHARL VAN DER WALT. We still haven't solved that problem for something as simple as phishing, right? Whether these clear technical markers— and, you know, of course, also that your brain sees what it wants to see, right? It's cognitive dissonance. You— people are going to believe it.


CAROLE THERIAULT. I think it's awful, right, Graham? So maybe if you don't want me to create a deepfake of you saying nice things to me, maybe you in real life should say nice things to me more often.


CHARL VAN DER WALT. That would be one way to do it.


GRAHAM CLULEY. Maybe, maybe you could give me some reasons to say nice things.


CAROLE THERIAULT. Let me share one last weird thought that I had when I was preparing for this story. So I'm doing this, right, and I'm thinking, you know, in a way, if the internet gets littered deepfakes, we actually in a way get our privacy back because none of it's real.


CHARL VAN DER WALT. You can deny everything.


CAROLE THERIAULT. Not real, you have no idea. Yeah, so everything's a lie or unprovable as a lie or truth. So we basically go back to square one on privacy fronts.


CHARL VAN DER WALT. That's true.


CAROLE THERIAULT. Because, you know, you— an employer wouldn't be able to trust the deepfake to say, oh, you can't get a job because you, you know, photocopied your butt when you're 14 at your dad's office because it won't be online.


CHARL VAN DER WALT. And I could claim that I was actually wearing trousers on that.


CAROLE THERIAULT. Exactly.


GRAHAM CLULEY. You did what in your dad's office?


CHARL VAN DER WALT. I didn't.


CAROLE THERIAULT. I'm just—


GRAHAM CLULEY. All right, well, I've just heard you say it, haven't I? I can take that audio. Thank you very much.


CHARL VAN DER WALT. That's a cheap fake, Graham. Cheap, cheap fake.


CAROLE THERIAULT. We are sponsored this week by our friends at LastPass. Now, Graham, isn't it something like 90% of security breaches involve a stolen password or a poor password?


GRAHAM CLULEY. Yes, stolen passwords, poorly chosen passwords, reused passwords, passwords are really sort of the hinge pin of so many security attacks which happen, which means that you probably want an enterprise password manager like the one offered by LastPass.


CAROLE THERIAULT. Listeners can learn all about LastPass Enterprise at lastpass.com/smashing.


GRAHAM CLULEY. You don't have to say forward slash, by the way, Kian, just say slash.


CHARL VAN DER WALT. Just so you know.


GRAHAM CLULEY. If you're baffled by threat intelligence and how it might be able to help secure your company, The Threat Intelligence Handbook from Recorded Future is the book for you. It'll tell you what threat intelligence is and what it isn't, and you'll learn how other firms are applying threat intelligence inside their organizations. Grab it now for free at smashingsecurity.com/intelligence. And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week. Sean?


CHARL VAN DER WALT. What? Pick of the Week.


GRAHAM CLULEY. It's the one thing a guest has to do. It's the one thing we ask them to do.


CHARL VAN DER WALT. Every time.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, I am going to go back in time once again for my Pick of the Week, but further back in time than normal. I'm going all the way back to 1868.


CAROLE THERIAULT. Oh, do you remember that time?


GRAHAM CLULEY. I don't remember that time. No, no. But there was a book published, a mechanical encyclopedia published by a chap called Henry T. Brown. Have you heard of 507 Mechanical Movements, Mechanisms and Devices? Very, very— it's a classic.


CAROLE THERIAULT. Are you trying to prove to the world that you're quite intelligent?


GRAHAM CLULEY. No, I'm trying to prove to the world I've been on Wikipedia.


CHARL VAN DER WALT. I heard it here first, Graham. I heard it here first.


GRAHAM CLULEY. So this 507 Mechanical Movements, its subtitle is it embraces all those which are most important in dynamics, hydraulics, hydrostatics, pneumatics, steam engines, mill and other gear impressors, horology, and miscellaneous machinery. Now I'm not recommending as my pick of the week the actual book, which is now in the public domain, you can check it out, but instead a website which has taken all these mechanical movements and has animated them.


CAROLE THERIAULT. So you don't have to read any words.


GRAHAM CLULEY. Cool. Which is my preference. So if you go to 507movements.com, you will see a number of these things. And go there and click on some of the ones which are in red there. And you will see little animations of gears moving and pulleys going in reverse and—


CAROLE THERIAULT. Yeah, it's kind of cool, Graham.


GRAHAM CLULEY. It is kind of cool. And levers moving. And this— there's 507 ways that they've documented in this ancient book.


CAROLE THERIAULT. I'm tweeting this to my nephew right now. I think he's going to be in heaven.


CHARL VAN DER WALT. Graham, did you notice that some of these don't have the animations? Is that right? Or is it just my internet that's broken?


GRAHAM CLULEY. Not all of them have yet been animated, sadly, but a good few have.


CHARL VAN DER WALT. This is fantastic.


CAROLE THERIAULT. I've seen about 1 out of 5 so far have been animated.


GRAHAM CLULEY. I think— well, I'm not sure if it's quite that bad. I think it's quite good, but it's rather lovely.


CHARL VAN DER WALT. I'm going to use this to teach my 4-year-old. It's fantastic.


CAROLE THERIAULT. Exactly. Yeah.


CHARL VAN DER WALT. And myself.


CAROLE THERIAULT. Exactly. And you can sound really knowledgeable by just reading the little script at the bottom. This is a screw propeller, son.


CHARL VAN DER WALT. Obviously.


GRAHAM CLULEY. Seriously.


CHARL VAN DER WALT. Or daughter.


GRAHAM CLULEY. It is worth looking through because it is, especially with the animations, you really get a sense for how these different things work. How ingenious it all is.


CHARL VAN DER WALT. I find it wonderful that these things all have names. You know, have you ever had these conversations where you try and describe to someone that kind of mechanism? You know, that thing that the engine where it pushes down those other things that go round that turn the gears that turn the wheel? And actually all those things actually have names.


GRAHAM CLULEY. Yep.


CAROLE THERIAULT. 406 doesn't.


GRAHAM CLULEY. 406 doesn't.


CAROLE THERIAULT. Nope.


CHARL VAN DER WALT. I think Carole is just in a bad mood today.


GRAHAM CLULEY. I'm looking at a triangular eccentric at the moment. Given an intermittent reciprocating rectilinear motion. What? Apparently it was used in France for steam engines.


CHARL VAN DER WALT. For the guillotine. Oh, for steam engines.


CAROLE THERIAULT. I have to say, I don't, I don't know if we're selling it very well on a podcast, but I do think it's a very good website, Graham. I think people should check it out, particularly if you're just in engineering or you have kids that like things that move around.


CHARL VAN DER WALT. Right.


GRAHAM CLULEY. Yeah. Right. 507movements.com. And that is my pick of the week.


CHARL VAN DER WALT. Good pick, Graham.


GRAHAM CLULEY. Thank you very much. Charles, what is your pick of the week?


CHARL VAN DER WALT. Well, before I give you my pick, Graham, I have a test for you. I need you to try and pronounce me the word that is spelt X-H-O-S-A. X-H-O-S-A.


GRAHAM CLULEY. X-H-O-R. Now, I've got a feeling— well, I'm sure I can't pronounce it correctly, but I think I know I think I know what language this is. And Carole, do you have any idea how you say this? Because I think it's quite unusual, isn't it? It's not like— Frank. It's not Frank. It's not ex-hoser. It's not chozer. But there's— isn't there some clicking or something? Isn't there like—


CHARL VAN DER WALT. There's some clicking. Yeah.


GRAHAM CLULEY. Can you do it for us?


CHARL VAN DER WALT. You know, I'm not very good. I learned this language at school, but, you know, my tongue is not accustomed to it, but I'm going to do my best. So the word is tossa. X-H-O-S-A. Yeah, and it's a toss-up. It's the name Tosa. No, Graham, no, no, no. And it's the name of a South African tribe and a language. We have 11 here. Yeah, and they have 3 clicks. There's the X, which is, and the C, which is, and then the best one is the Q, which is—


GRAHAM CLULEY. Oh, I like that one.


CHARL VAN DER WALT. Yeah, so for example, my son's nickname is Kakambile, which means the light. Anyway, the reason I mention it is because my pick of the week is a book by a South African author called Trevor Noah, who is unusual in South Africa because his mother was a Xhosa and his father was a Swiss German.


CAROLE THERIAULT. Is this Trevor Noah Trevor Noah?


CHARL VAN DER WALT. Trevor Noah Trevor Noah.


GRAHAM CLULEY. The comedian?


CHARL VAN DER WALT. The comedian, yes, who took over from Jon Stewart as host of The Daily Show. Yeah, so, so long before he was hosting The Daily Show, he was a stand-up here in South Africa. Right. Extremely funny.


GRAHAM CLULEY. Yes.


CHARL VAN DER WALT. Really, he's the kind of guy that, you know, you can only listen to for little bits because you start to hurt in all kinds of places.


GRAHAM CLULEY. A bit like Carole. I listened to her for a while and I begin to feel quite painful. Yeah, I get it.


CHARL VAN DER WALT. No, well, yeah, no, I don't know. And he does a sort of comedy that's very local. So, you know, as a South African, you can really relate to him. He talks for us. And because he's half white and half black, he really speaks into the sort of contemporary South African context, which is still, you know, kind of trying to come out of apartheid, still very racialized, still very kind of confused about where it's at and what it's doing.


CAROLE THERIAULT. So what's the book about?


CHARL VAN DER WALT. So the book is a memoir. It's called Born a Crime: Stories from a South African Childhood. And he really tells his story and uses it to be funny, to comment on the context in South Africa, to talk, you know, very lovingly about his mom. It's one of those books that really does a whole lot of things all in one go. So at times you'll laugh, at times you'll cry, at times you'll learn. I highly recommend it. He's, he's very funny. He's very insightful. He's very smart. Yeah.


CAROLE THERIAULT. Okay. I'm gonna take a look for that.


GRAHAM CLULEY. Okay. And it's called Born a Crime.


CHARL VAN DER WALT. Born a Crime. Born a Crime. Yeah. Stories of growing up in South Africa.


GRAHAM CLULEY. Okay. Thank you very much. Good pick of the week. Carole, what's your pick of the week?


CAROLE THERIAULT. Okay. So I'm going to use my tween niece's vernacular here. Okay.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. I love me some trees. I love me some chocolate. I love me— yeah, anyway, um, so I'm visiting family right now, as we all know, and my parents have a rather manicured garden, you know, like full of flower beds and trees and all this, right? And my mom is often out there weeding, weeding, weeding, weeding. And I was watching her the other day just pulling out all of these baby maple saplings and throwing them into the compost, right? And I, who love trees, think, why aren't we putting those in little clay pots and see what happens? What a fab present that would be for someone, yada yada. So my pick of the week this week is actually an article that I saw in National Geographic, and it basically talks about how using Google Earth, scientists have found almost 1 billion hectares of land that is basically good for plants. So we could plant forests on that almost 1 billion hectares, restoring—


CHARL VAN DER WALT. great.


CAROLE THERIAULT. Gigatons, hundreds and hundreds of gigatons of carbon back to the atmosphere. So this is based on a report that was published last Thursday in Science, and it's called The Global Tree Restoration Potential, and found there's enough suitable land to increase the world's forest cover by one-third without affecting existing cities or agriculture. Amazing. Amazing. See, technology for the good. This is a super clever idea, but it is yet still just an idea, right? And if we want to help curb the glut of carbon emissions, plant a frickin' tree.


CHARL VAN DER WALT. Plant a tree.


CAROLE THERIAULT. Put a few tree weeds in a pot and give them to loved ones. Guess what you're getting for Christmas, Graham?


GRAHAM CLULEY. I think, Carole, you need to scrabble around in your mum's compost heap right now and pick out those saplings.


CHARL VAN DER WALT. Maybe you can find some old wrapping paper in there too, Carole, for Graham's Christmas gifts.


CAROLE THERIAULT. It's not worth that.


CHARL VAN DER WALT. You know what the other technique is you could use to reduce carbon emissions by 25%? I heard this is legit. I heard this.


CAROLE THERIAULT. Okay.


CHARL VAN DER WALT. You feed garlic to cows.


GRAHAM CLULEY. Oh, there you go.


CHARL VAN DER WALT. I bet that would work. Apparently, apparently feeding garlic to cows reduces the amount that they— and we've said before, so I'm just going to say it again.


GRAHAM CLULEY. Did you read this on the internet?


CHARL VAN DER WALT. I saw it on TV, Graham.


GRAHAM CLULEY. Oh, then it must be true. It must be true.


CAROLE THERIAULT. It must be true.


GRAHAM CLULEY. I'm sure they wouldn't have found it on the internet.


CHARL VAN DER WALT. But apparently it's not universal, so it depends on where the cow's from and what they eat, but for certain kinds of cows, if you give them— it's the garlic extract, whatever the sort of active ingredient in garlic is— it significantly reduces the amount of methane they emit. They test it in a lab, there's a lab for this.


GRAHAM CLULEY. There's a lab where they're force-feeding cows garlic?


CHARL VAN DER WALT. And measuring how much they poop. How easy is this? Which is the scientific part.


GRAHAM CLULEY. I have heard before that if we stopped eating beef and instead we switched over to kangaroo meat, that would be good because apparently kangaroos don't fart.


CAROLE THERIAULT. Or just go vegetarian, Graham.


GRAHAM CLULEY. That's also a possibility. Yeah, vegan. But then we'd be increasing our emissions as well, wouldn't we?


CAROLE THERIAULT. Hmm.


GRAHAM CLULEY. Hmm. Well, this is— well, on that bombshell, I think we've just about wrapped up the show for this week. Charl, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?


CHARL VAN DER WALT. Graham, the best way is to follow me on Twitter. I'm gonna have to spell out my Twitter handle because it's a bit complicated. So it's Charl van der Walt, which is C-H-A-R-L-V-D-W-A-L-T. That's without a G because Twitter wouldn't allow me to have a G in my Twitter handle. Or onlinesecdata.com, S-E-C-D-A-T-A.com.


GRAHAM CLULEY. Fantastic. And you can follow us on Twitter @SmashinSecurity— no G, Twitter doesn't have a G— and we've also got our website at smashingsecurity.com. And maybe you want to check us out on Reddit, or indeed our online store. You can get mugs and t-shirts and things like that, smashingsecurity.com/store.


CAROLE THERIAULT. And as always, huge thank you to this week's Smashing Security sponsors, LastPass and Recorded Future. Their support helps us bring you this show for free. So be sure to check out their offers. And fist bumps to you listeners out there, especially those of you who get in touch with your emails and reviews and your shares. They all mean the world to us.


GRAHAM CLULEY. Until next week, cheerio, bye-bye, bye! Don't forget Aunt Mimi.


CAROLE THERIAULT. Don't forget Aunt Mimi. Shout out to her as well.


CHARL VAN DER WALT. Best Mimi.


CAROLE THERIAULT. I don't think any of the others listen.

-- TRANSCRIPT ENDS --