So they were shaking hands is what I'm understanding. Very vigorously.

Agreeing to something else, I think.

Vigorously welcoming each other. Apparently the video lasted for a full 20 minutes. That would give you RSI, wouldn't it? Smashing Security, episode 148. Billboard boobs, face forensics, and Alexa Ransomware Gets Way Too Personal with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 148. My name is Graham Cluley.

And I'm Carole Theriault.

And this week, Carole, we are joined by a terribly popular returning guest. It's Maria Varmazis. Yes, I know.

Yay. Yeah.

Hello, Maria.

Hey, Maria. It's been a while.

It has.

Hello.

It's very early in the morning for you. Tell me you have a cup of tea in front of you or something.

I do, and it's in my Swear Trek mug.

Oh yeah.

Swear Trek mug.

Yeah. Oh yeah. One of my very first picks of the week. But I ended up buying a mug from them 'cause I love them so much.

I have a Bob Ross mug.

Oh.

And I think someone put it in the dishwasher and it's starting to peel off because when you put hot drink in it, his painting comes alive. Oh. Yeah, it's cool.

So it felt apropos. But it can't take the heat. All right, interesting.

Yeah, can't take, well, it can't take the dishwasher.

All right, this has been Mug Talks, brought to you by Smashing Security.

Carole Theriault, tell us what have we got coming up on the show this week.

Thanks to this week's sponsors, LastPass and Immersive Lab. Their support helps us give you this show for free. Apropos. Now on today's show, Graham gives us an SFW look at a porn incident along an American highway. Maria muses on the latest in the deepfake, cheapfake space, and I'll investigate whether Amazon really is finally taking our privacy concerns seriously.

Apropos, totes apropos.

All this and loads more coming up on this episode of Smashing Security.

Now, fellows, fellows, do you remember what you were doing? I'm not allowed to say chaps.

No, no, no.

Do you remember, do you remember what you were doing in 1994?

Yeah, having a great time.

I'll remind you of a few things which were happening back then. Nancy Kerrigan got walloped on the knee. The ice skater got walloped on the knee.

Huge, huge in my world.

That was huge in my world as well. It was massive.

Nancy Kerrigan was from where I'm from around here. So it was big local news. That was all I heard about. Yep.

Of course, her arch rival, Tonya Harding, her ex-husband was the one who did it. There's a great movie about it.

That movie was good. Yeah. Yeah.

Great movie.

Netscape Navigator was released.

Oh, bless it. That's the best way to be online.

RIP.

Some superb movies came out like The Shawshank Redemption, The Flintstones with John Goodman, and of course, Maria, Star Trek Generations.

Oh yeah.

Was that the movie?

It's the one where Picard and Kirk meet up. I remember seeing that one.

Malcolm McDowell is a bad guy, isn't he?

Yeah, it was weird. It's not a great movie.

It's not a good movie.

It's not. It's not.

Most of the Star Trek movies, it's kind of—

Is that the one where Kirk dies? Is that where Kirk— Spoilers.

Yeah, it is. Yeah.

1994, dudes. Alright.

And O.J. Simpson, he fled the police in his white Ford Bronco.

Yeah, another huge thing.

Oh my God.

Was that one of the first live tracking? There was helicopters following. It was a big deal when that happened.

Yes.

It was bonkers.

The miniseries they just did about O.J., they— American Crime Story or something? Fantastic. Really good. That's my pick of the week.

There you go. Now it all— Hey, wait, wait, wait. Now it all seems so innocent, doesn't it? All those years ago. But it was also the year when a dangerous and pernicious ad campaign appeared on roadside billboards, putting drivers in peril.

Okay.

Yes, it was a serious road traffic incident. Well, here in the UK at least, there was a campaign which featured Czech supermodel Eva Herzigova.

Mm-hmm.

And it was very controversial, much to the delight of the PR people working for Wonderbra, which is what she was advertising. There was a famous advert of Eva Herzigova looking down at her, and it was accompanied by the words—

Looking—

Sorry, sorry. Looking down at her what? I'm sorry.

What, you can't say boobs? You know, what's the embarrassing bit there, Graham?

She was looking— Anyway, it was accompanied by the words, "Hello, boys." Now, I never quite understood whether she was saying hello, boys, to her boobs.

I don't think any woman that I've ever met would do that. So I don't think there was a problem there.

No, they're always ladies. They're never men. That's kind of rule number one.

But they do look kind of a couple of bald-headed men, don't they? It could almost be a couple of cards there. Maybe, yes, I suppose so.

This is getting really perverted.

Now, Eva Herzigova, she is not the only person to strip down to their undies for a roadside ad. You may remember, of course, David Beckham advertising Armani underwear. There he was reclining as though he was having a sandwich. I don't know where he kept his cheese and pickle, but there he was enjoying himself.

You had fun pulling the story together, didn't you?

Oh yes. Google image search. But if we were to believe the tabloids, there were road accidents galore, traffic jams, utter chaos as men ogled the billboard boobage while others—

Right, because they're hot. They're sexy pictures. And so what, people were ogling them?

And Eva Herzigova? Yes, she's, she's, you know.

Oh yeah, David Beckham. I'm sure no one looked at that and had a bit of a drool.

People were averting their eyes, if anything, concentrating more on the road.

Yeah. Now it may not surprise you to know there are public safety rules about roadside adverts. I have been looking these up in the UK and elsewhere, which means I looked it up in the UK and assumed elsewhere as well. Your advert can be banned.

Always going the extra mile, eh, Clue?

Your advert can be banned for being distracting or confusing if it puts vehicles or pedestrians in jeopardy. And this was the allegation about the Hello Boys advert. But of course, ads have moved on in the last, I don't know, 25, 30 years, haven't they? You know, the old days of spaffing some wallpaper paste up on a billboard and slapping up the advert, they've long gone by because it's now all digital ads. And some of them are video ads as well, and video images alongside the roads, which seems to me like a crazy situation.

You can get them on the side of buses.

Really? Yeah. What is the— why would you? It just seems crazy. I mean, how distracting would that be, a moving image while you're trying to drive a car?

Oh yeah, I'm used to this now. They're kind of everywhere here.

Well, last Saturday night, the police department at Auburn Hills, Michigan began to receive phone calls. Michigan. Yes. How do you say it?

Michigan.

Michigan.

Michigan.

No.

Michigan.

Yes, exactly like that.

Yes.

I had this argument at home the other day about, you know, those lizardy reptile things. Iguana with the funny ears.

Iguanas?

You say iguana, do you?

Perfect. Well done.

How on earth else do you say it?

Oh, I've obviously been getting it wrong then. I've been saying iguana.

Do you say gee-you-uh-tar?

English is such a fucked up language, honestly. Nobody can get this right.

All right, well, welcome to Not Graham Week here on Smashing Security. Anyway, so the police in Auburn Hills Michigan, began to receive phone calls from motorists because they were calling to say that an electronic billboard on the interstate was displaying a rather unorthodox video. Now, this video was—

So you mean unreligious?

No, no, no. Not Greek Orthodox. That's not what I'm talking about. The video was of a couple of young ladies with at least part of a gentleman as well. And—

What was it, his hand?

There wasn't much talking going on.

Perhaps.

Well, I don't know. I haven't seen the video.

Are you talking porn here?

Possibly, yes.

Oh God. So they were shaking hands is what I'm understanding. Very vigorously.

Right, yes.

Agreeing with each other.

Shaking something else, I think.

Vigorously welcoming each other. Apparently the video lasted for a full 20 minutes.

Wow.

That would give you RSI, wouldn't it? Something like that. It's quite impressive, that, these professionals. Anyway, now you won't be surprised to hear that this video was somewhat distracting, but what surprises me is that some of the drivers who saw this, they responded by instantly leaping into action.

Yeah.

By grabbing their camera phones and recording their videos of the video being played on the billboard as they were driving down the interstate and uploading it to the internet.

We begin with a shocking distraction for drivers along I-75, a pornographic video playing on a giant billboard.

We are blurring out the explicit portion of the video, but this is what drivers saw near M-59 in Auburn Hills last night. And 7 Action News reporter Jen Schanz, she spoke to the driver who took that video.

I kind of almost got in an accident.

That's because Dr. Justin Camo was distracted by this on his way home from dinner Saturday night. He was traveling on I-75 North near M-59 East in Auburn Hills.

Came across the billboard and it was something unusual. Saw two girls, you know, lesbian porn. I assume someone hacked it right away. I kind of seen that billboard always having, you know, the user going through the desktop and making sure the proper billboards are up. So it's one of those digital things that's easy to get hacked. So the newspapers and the internet sites, they got hold of these videos of the footage that had been played for about 20 minutes. And as Motherboard reports, the porn aficionados on Reddit—

Do people call themselves that?

I'm sure they do.

I'm a porn aficionado. That'd be a great business card.

Well, they, if you pardon the expression, they put their heads together and they identified the actresses concerned as Zev Bellringer and Princess Leia. Wait. What? Hmm. Now, I've done a little bit of research into these two. I've done some Googling.

I'm sure you enjoyed that research.

Now, first of all, Maria, I'm not claiming that you're one of these, but do you know who's—

I'm definitely not.

Do you know who Zev Bellringer is?

Oh yes, he's a buddy of mine. Yeah.

According to IMDb, this particular Zev Bellringer has appeared in well-known movies such as A Hard Situation.

Of course.

I've Had Bigger. And Bratty Sisters Converted to Sexbots. Now—

Oh, I've watched that one.

I can't tell you.

I've lived it, Carole.

She has a lot of entries on IMDb, and I had to go down a long way to find 3 that I felt comfortable repeating on the podcast, can I tell you? Because a lot of them—

On this family podcast.

Exactly. You can't even say the word boobs, so I'm not surprised.

Princess Leia, meanwhile, doesn't really have an IMDb entry other than the one for Carrie Fisher. Right.

And we're definitely not talking about her, right?

No, no, no.

Not Star Wars. No. Okay.

Well, I was thinking Star Whores perhaps could have been it.

Oh!

If I was hiring her. But anyway, what happened was the guys at Motherboard actually approached these porn actresses for comment about their video appearing on the motorway. I love that.

Oh my Lord.

I was very impressed with Princess Leia, who said that she was shocked on hearing the news, very relieved to hear that no one was hurt. And she said, "It is my sincere hope that this will open a larger public discussion regarding the safety of electronic billboards." Bravo.

All right.

That's a little more sobering than I expected.

I know. She can't be that much fun, can she?

Yeah, she could have worked it a bit to kind of go, "Hey, you can buy the movies on Amazon still. They're available.

$2.99." Zev Bellringer, meanwhile, she tweeted that she was flattered by all the attention, but keep your eyes on the road and both hands on the steering wheel. I think there was some concerned there could have been people messing around with their stick shifts. Anyway, the thing is that this is all, of course, quite serious.

What?

You don't know, enjoying these?

Well, it's just, just fucking. Sorry, but God. Keep going, dude, it's great.

I'm just composing myself.

He's like, I got 20 more. And then the segment is only halfway over.

Now, this is no giggling matter, as you probably noticed. There's nothing amusing here. No. If you thought there might be.

Serious business, obviously.

The police obviously have said that this is pretty serious stuff. They have got some CCTV footage of two people breaking into a shed under the billboard, hacking into the computer, putting porn onto the digital billboard. Apparently it was a 3-foot by 3-foot shack hidden behind some shrubbery. So they went behind the bushes and uploaded the video there.

To the love shack, if you will.

Baby.

Indeed. And this has made it quite a serious offence.

Sorry, can I ask a question?

Yes.

So you started off talking about 1994. This video, was that filmed then? Was that when it came out?

No, no, no. The point was about destruction on the roadside, which began back with Eva — sorry, could someone—

So this is a recent movie?

I don't know, Carole. I haven't actually watched the movie or carbon dated it or anything. Well, yeah, IMDb is one thing. When did the film come out? I don't know when the film came out.

Do you call it a film? Is that what it is?

A film? Yes, yes.

A film?

Anyway, messages, lessons to learn. Don't have default passwords. Don't have no passwords at all. Quite often, the computers running these billboards or road signs are very poorly secured. And they're poorly secured in terms of physical security as well. They may not even be locked up.

You've just given every teen something to do on a bored Saturday night now.

No, I don't.

Oh, it is known, Carole. Come on, everybody knows this. It's a bad Monty

Everyone knows.

You think everyone knows this?

Oh yeah. Oh, for sure.

And I'm not suggesting anyone play with anything, Carole. That would be completely out of order.

No.

But there have been a number of instances in the past.

Python sketch. Yeah.

Signs have been hacked, display messages "zombie invasion," "the Daleks are coming," "impeach the bastard," I saw over the weekend.

Yep.

These sort of things, they're not big or clever. And it can actually end up being a serious felony because you're breaking into a building and the cops may well come and grab you. I'm not sure this latest porn film was big or clever either. I don't know how big or— well, I don't— Anyway, so there you go. Princess Leia. I think just keep your eyes on the road, right? And why do we have these kind of adverts on the roadside anyway? It seems terribly, terribly distracting.

I agree. I hate them.

Hate them. Well, let's stop them. Let's stop them right now.

Vermont doesn't have any.

Okay, I know. Every time you go by one, just close your eyes.

Yes. Drive fast. Good idea.

Okay, excellent.

Problem solved.

Maria, what's your story for us this week?

So from porn to deepfakes, which is also porn related, I suppose.

Yeah. Quite often.

I'm actually doing a follow-up to the first time when I came on the show and talked about deepfakes, which was a year and a half ago, I think we said.

February 2018.

Not that long ago in the grand scheme of things. But I just remember when I brought it up, it was like, hey, this brand new thing called deepfakes, they're using it to fix Carrie Fisher's face on the latest movie posthumously. And, you know, it's wild that this technology exists somewhere in the ether and maybe one day we'll be using it for more nefarious purposes. But that's surely a long, long way away. And I'm laughing because I kind of can't believe it, how in such a short amount of time we went from that brand new implausibility to holy shit, it's a real, very easy thing to do and it's an actual problem already.

So I think you were right on the crest of the wave. You were reporting on this just as the deepfake porn problem first emerged on Reddit, weren't you?

Yeah. And I had only heard about it

Yeah.

I hadn't read about it at all through— I hate using that phrase— mainstream media about the potential political implications just yet, because that was very sci-fi. Nobody really cared yet. So we're already there a year and a half later. So I guess what I just wanted to talk about for this segment was an update to all of this. So in that year and a half, we are already at the point where organizations and companies are stepping up and saying this is a huge problem for us and our platforms already. through my sci-fi fandom circles, basically talking about So for one example, multiple companies and organizations formed the Deepfakes Detection Challenge. Which is actually starting this month, October 2019. And here's their mission statement. And again, remember, this is in response to a problem that started a year and a half ago. When new forms of misinformation emerge, we need new efforts to combat them. how they fixed the Star Wars movie. New technologies deepfakes, where realistic AI-generated videos show real people doing and saying fictional things, are a huge technical challenge. Deepfake technologies are rapidly evolving and are getting incredibly hard to detect. Adversaries creating fake content and the platforms finding it are competing in something comparable to a high-stakes, fast-moving chess game. No single organization can— Yeah, I thought you'd be interested. No single organization can solve this on their own. Now Graham's really into it. That's why we are working together on an ongoing initiative. So who are these companies?

Yeah, I was just going to say, who's part of this?

So far, it's companies Microsoft and my obligatory mention of Facebook.

Yes.

No, these medium-sized companies, medium, tiny, little tiny companies.

And the Partnership on AI, which is this big coalition of a lot of leading tech universities Oxford University, Cornell, MIT, a whole bunch of others. And in fact, Facebook is on its own ponying up a mere $10 million towards this project. So I don't know if that means they're actually taking it all that seriously because that seems a drop in the bucket for Facebook.

But it is still a consortium of people that hopefully will come up with something better than if there was nothing at all.

That's true.

That's the hope. That's true.

And at the same time as this is going on, there's also another initiative going on via researchers at Google. So they just came out with this new custom dataset of faces and face swaps that they made in this project called FaceForensics++. And they actually put it on GitHub, so you can poke around a little bit. Google basically hired a bunch of actors and with the actors' knowing consent, they made a bunch of face swaps with these actors using four popular deepfake makers, which is Deepfakes, Face2Face, FaceSwap, and Neural Textures. So we've got four of these makers, again, year and a half, can't believe it.

So these are tools which are used to make deepfake videos.

Correct.

And there's four big ones. There's probably more than four, but those are the four known big ones. And so they did the face swapping with these actors that they paid and they swapped them onto over 1,000 videos that they easily sourced on YouTube. And then the idea was that they just made this brand new dataset so they could help reverse engineer how deepfakes are made and smarten up their own AI so they can better detect deepfakes. So, right, yeah.

So it's kind of trying to build something and then test it.

Correct.

And this is a playground that they can test it in. Correct.

Yeah. Okay, cool.

Yeah.

I mean, to me it makes sense that orgs Google, which owns YouTube and Facebook, which, you know, is Facebook, are working furiously to get ahead of deepfakes. I mean, the ethical issues aside, right, about why deepfakes are a problem — hopefully that's obvious — but when they're gonna have all these credibility issues where you're gonna have fake videos running rampant on all their platforms. If they can't detect it, people are gonna go, I can't trust anything that's on YouTube or Facebook, so I'm logging off. Which actually might be great.

Yes, fantastic.

So we should just let them do that. It didn't seem at first any of these companies were taking this all that seriously. It seems maybe they thought it was gonna be a niche hobbyist thing, or maybe just relegated to the world of porn, and who cares about that? But then we saw just a few months ago, some deepfakes that an artist made of Mark Zuckerberg announcing his plans for world domination.

I think that was actually a real video, wasn't it?

That was, yeah, it was behind the scenes. It wasn't supposed to go live, right. And then there was another one of supposedly drunken slurring Nancy Pelosi, and that one went viral on Facebook, yeah.

Oh yeah, we talked about that on the show, I think. Yeah.

Yeah.

Yeah.

And then, so Facebook had said they weren't gonna get involved with this sort of thing, but once those started going viral, they realized they needed to and they started taking those down. And I don't know if it was Nancy Pelosi or the Zuck video that was just too much egg on their face, but.

You know, when you're speaking, I'm thinking, you know, they've actually impacted some pretty big players, haven't they? Nancy Pelosi — I'm sure she's okay, something needs to be done. You know, Obama was hit with it, I'm sure Trump has, right?

Oh, everybody at this point, yeah.

So that would have— I'm wondering if that kind of kickstarted this consortium. But the problem with these consortiums is it can— it sounds good that you're creating one and you're working on this, but the proof's in the pudding. It's what actually gets agreed and pushed out, right, as a standard that is important. And that sometimes can take consortiums years to get, you know, to agree and to decide on the wording. It's a lawyer's nightmare or field day, depending on what kind of lawyer you are.

It's just alarming because we are already in very much a heated arms race situation. These orgs are, if they're trying to get in front of this problem, they have to move extremely quickly. And yes, I was just reading a story last night about the proliferation of child pornography and how platforms like Facebook are completely failing at taking the stuff down in a prompt way. So I'm thinking if they can't even prioritize child abuse images, how on earth are they going to get ahead of things like deepfakes? I mean, and it's not going to be just big names that are going to get affected. I mean, people are talking about revenge porn videos being made, people being angry at their ex-boyfriend or girlfriend making a deepfake of them on porn videos. It could potentially affect anyone. I'm actually honestly shocked that deepfakes haven't come up yet in the current US election, impeachment, etc., etc., a whole news cycle.

I think the thing is they couldn't make a video which was more outrageous than the truth.

Yay, happy story. So glad I'm on the show today.

Just like you told us in February 2018 that deepfakes were coming, it was the end of civilization as we know it.

You're going, told you.

I'm moving to a cabin in rural Maine and just cutting myself off from society. And so when societal collapse does happen, I'll be okay.

Graham We should create a deepfake of her so she can come on the show regularly.

Oh, Carole, what's your story for us this week?

So I wanted to look into a recent Amazon event. This was held at their HQ in Seattle, last week. I don't know if you guys seen pictures of Amazon's HQ.

I have not. I imagine it's a big square or sort of rectangular cardboard box, with some brightly colored tape up the side.

No. Oh, it's a biodome, isn't it?

Oh, is it?

Yeah, yeah, yeah.

Yes, it's a biodome. And I guess that's what billions and billions of profits gets you, right? A pretty swanky—

Especially when you don't pay enough taxes on it. Hey-oh!

So Amazon had unveiled at this event a number of new devices and talked more seriously than ever about privacy. And this is funny because last year Amazon actually made zero mentions of privacy features during its 80-minute unveiling. At the same event. Actually, I seem to remember privacy was discussed pretty seriously when Bezos was papped stepping out on the then Miss Bezos.

Oh, when his private photos leaked out and things of his.

But Amazon, the company, haven't waded very deeply into these privacy waters. Anyway, according to CNET, within the first 5 minutes of Amazon's product launch event, hardware chief David Limp— Odd name.

It's Limp, actually. Is it? No, I have no idea.

Is it a pronounced limp?

So hardware chief David Limp, his voice took a really serious tone just 5 minutes into the event, right? And he's head of development, right, at Amazon. Now, he also said, this Amazon head of hardware during this launch event, privacy, so this is quoting, privacy is absolutely foundational everything we do in and around Alexa.

Bullshit.

Oh, very funny you say that word.

I do not have a smart speaker anywhere in my house, so Alexa is not reporting me to Amazon HQ right now.

Well, so what has been highlighted as new privacy features for the device's assistant? From now on, I'm going to call it Al, right, just because otherwise the beeping is going to get annoying in the piece. Okay, so there's a new auto-delete feature letting the users of Al's voice recordings, letting them delete voice recordings on a rolling 3-month or 18-month basis. Now Recode reports that Amazon will not give you the option to automatically delete your voice data. Amazon also announced that users can now ask the speaker, "blah blah, tell me what you heard," or "Al, why did you do that?" And these queries are meant to increase transparency. I can't help but wonder though, some of the answers must be just like, "because," or "don't worry your pretty little head about it," or something to that effect, because what are they going to explain the ins and outs of every reason?

Or it's going to be like, "I am refining my algorithm." Well, that was really helpful.

Yes, exactly. Amazon is also letting customers opt out of human reviews of voice recordings. Now note I said opt out, not opt in. And Apple, you might remember when we talked about a few weeks ago, actually have done it the other way around, so turning it off by default and then you turn it on and they hope you will. Now, Amazon's two new Echo Show smart displays, right? They introduced even privacy shutters on their cameras. You know, that thing that you can buy for 50p?

If that.

Or 10 cents.

Or a Post-it note.

They've thrown those in.

Oh, wow.

That's very generous of them, isn't it? Little webcam cover. Wow.

This may all smell rather rosy, but I tell you, there is a faint whiff of something a little sketchy in the air. So let me show you the new Amazon gizmos and services that are on offer. So number one, an Alexa-enabled eyewear called Echo Frames. Now these glasses pair with your Android phone and can read out notification, make calls, play audio. Do you feel like we've been here before with some other, you know, big tech giant? And you can play music and podcasts and you can ask Alexa for rundowns of your calendar, blah, blah, blah. Okay, you can always obviously do some shopping, right, because that's always there.

Exactly.

You might go, "hey, remember, I need to buy some bananas." There's the Al wireless earbuds, so at any time you can say the name Al, the Al wake word, and the familiar chimes will tinkle tinkle in your ears.

I don't want anybody tinkling in my ears.

It's not your kind of thing.

I think Zev Bellringer actually has a video where there's some ear tinkling going on.

Yeah, probably.

There's also, this is the craziest one, an Alexa-enabled ring for your finger called an Echo Loop.

No, I don't want any of this.

They've taken a whole Echo speaker and they've put it into the ring. Now, can we talk about the logistics of this, please? How is your finger anywhere near your flipping ear?

So hang on, so they've—

Didn't we do this?

Why wouldn't you create an earring? They put a speaker in your ring?

Yes.

Is what you're saying?

So Alexa's with you all the time.

No, I mean, didn't we try this with Google Glass and we all decided that that was the dorkiest, dumbest thing? Why are we doing this again?

Yes, I'm expecting Bezos and co. are going, "Hey, maybe their timing was wrong. It's a good idea." No.

I'm reminded a little bit, if you've read Hitchhiker's Guide to the Galaxy, do you remember the Golgafrincham thing where they put all the people they didn't really need, the telephone sanitizers, into the B ark and sent them off to another planet? And I'm wondering if all of these Amazon devices with all these daft speakers involved, they're just to identify the people who are utterly useless in society and aren't required actually, because they're arsing around with this kind of technology. And it's like, oh, you're wearing one of those, are you? Thank you very much. Take the door on the left. I just, why, who, what?

Yeah, so exactly. I think the question is why would Amazon want this?

You can do it technologically, but should you do it? Yeah.

Yeah. Does anyone really need it?

No.

Well, no, no, no, but that's it, right? They're making you forget how you've ever lived without it before. Think of us 30-year-olds who actually remember life before mobiles. I mean, how did we live? How did we live? I bet most of us, if we left the house for 2 minutes without the phone, they might go, "Forgot my phone, even though I'm just going to the shops, I better run home and grab it." I still wipe my own ass, but I wonder in 20 years' time—

Well, congratulations. I know. Well, I don't—

That's wonderful to hear.

I don't always do it perfectly.

Because you are getting on in age, and we were getting a little nervous about that.

I wonder in 20 years' time whether young people will think, oh, that's extraordinary that you do that. Why don't you get your Alexa to do it for you?

Yeah.

Well, I mean, they have those bidet attachment thingies. Those have been around for a long time.

Right. And then you could have the little ring there, which has Echo embedded inside it and off it goes.

I mean, Amazon desperately obviously want to sell their kit. Right. Fair enough. You know, so all these little gizmos go for $130, $150, $180 a pop. US. I know. I agree.

People with a lot more money than sense, I guess.

And they're building, they're getting it from both sides, 'cause they're also building the people's constant use of these devices, which of course then allows them to listen and collect as much audio recordings as possible to win the so-called AI game and come out on top, ahead of Google, ahead of Apple, ahead of Facebook.

Right, the organizations are winning the AI game. Everybody else loses.

Right, so in other words, they wanna kick Google in the googlies, Apple in the ass, Facebook in the—

It's not just me doing puns this week.

And the freaking apple right in the peach.

So my question is, yes, does this need for a billion of us to feedback tons of audio requests, some legit and some of them are mistakes. We've seen that all in the press over the last few months. How does this square with so-called personal privacy?

I mean.

And remember, Amazon are the providers of facial recognition technology called Amazon Rekognition with a K, which they provide to law enforcement and businesses.

With a K?

Yeah. R-E-K-O-G.

If you ever need evidence that someone is a twat, it's spelling something incorrectly deliberately. It's Toys R Us. They annoy me as well.

Yep.

Or Print 4 U. Yep. But Rekognition with a K, that's just— See, I would just refuse on principle.

Well, don't worry, I don't think you're their target market for purchase.

I don't think I am.

So listen, there's even more, right? At the Seattle Amazon event, they also announced this product called Amazon Sidewalk. Have you heard about this?

No.

This is a new wireless protocol that links smart objects and Eero. This is a Wi-Fi router that Amazon acquired recently, and now it sells for home use, right? So it's a Wi-Fi router or router.

Okay.

Now Sidewalk will use this proliferation of Eero devices to build a mesh network or a wireless network where each device communicates with one another. And the idea is that all the devices will work together to transmit data across the network, spanning large, broad geographical areas. So for example, according to Amazon's own announcement, the company found that placing 700 devices across LA was enough to cover the entire metropolitan area of the city.

Oh, I'm sure police departments are going to love this.

It gets even more delicious if you're ready. So even if you do not use Amazon wireless networks in your own home or join any of the Wi-Fi networks when you go out, the mesh network could enable Amazon to get data about the location of your devices. According to Business Insider— and tell me, guys, because you guys are geekier than me in this area— owners of Wi-Fi networks track what devices are nearby, and even if those devices don't sign onto the network, just a smartphone can, it can detect nearby networks without signing on.

Okay. Yep.

It'll be able to detect your phone. So if you've used that device to download an Amazon app or log into your Amazon account, the company could pair that MAC address with your user profile.

Jesus.

So basically, it is the opposite of respecting your privacy, this mesh concept. And this geographic data is really important for Amazon's future. It helps build user profiles and it helps targeted advertisements. Right. And that's a seriously growing business for them.

Yeah. I'm just trying to imagine explaining this to the general public and explaining how to opt out of something like this, if

Yeah.

that's even possible, because I'm wrapping my mind around— I don't want that for myself. Oh, wow.

I mean, I don't even know how.

And there are other telecoms. I mean, I remember that BT, British Telecom, they have something called BT Wi-Fi.

I imagine opting out of that's going to be a pain in the ass, but how do I explain this to my mom?

So lots of people's home routers are available as a sort of mesh network. So they sort of boast that, oh, we have 5 million hotspots up and down the UK because it's residential Wi-Fi, which you can log into. Effectively. I've just done a search on their online map, and there are 211 BT Wi-Fi hotspots near me. I mean, within a walk of 3 minutes.

Oh, wow.

So they know every time you go for a walk, right?

Well, I don't connect to it, but yeah.

But doesn't matter. I don't think it matters. That's what I'm wondering. I'm wondering if BT's doing a similar thing. So the idea here is even if you're not connected to it, they can actually see you walk by because your phone's going, oh, there's a Wi-Fi hotspot.

You can't even hide in your own home anymore. There's no—

I mean—

Well, there is.

Just get rid of your phone. Isn't it amazing how it's become such heroin that despite all these concerns, we just can't get rid of them? So anyway, all this to say that I cannot tell you how thrilled to the gills I am about Amazon's privacy announcements. And what did the head of software development say again? Privacy is absolutely foundational to everything we do in and around Alexa. And to your exact words, I think I'll wager to call that a big fat stinking bullshit.

Yeah, it's important to them so they know how to avoid it.

Can I point out that at the beginning of the show I had a lovely, heartwarming, life-affirming story about a porn video. Life-affirming.

What's firming?

Don't you love a win-win situation? Imagine if you could have both enterprise-wide password management with single sign-on. What is single sign-on? Well, Graham, let me dazzle you. Single sign-on is designed to connect employees to high-priority apps, all without needing the user to log in at every single hurdle. Now, by combining these two services, our friends at LastPass may have just revolutionized security at the enterprise level. Learn more at lastpass.com/smashing.

You don't need to say the forward slash. So you've got an IT security team, but you want to turn them into security superstars. How can you best provide each employee with the opportunity to upskill themselves? Immersive Labs provides a cloud-based system, meaning it's available 24 hours a day, whenever is convenient for them to learn. It provides hands-on experience with tools, technology, and even sandboxed malware. The platform provides story-based threat simulations. It lets teams enhance their skills while stopping an online banking breach or the hack of industrial control systems. Lots of fun to be had there. Check out Immersive Labs' skills development platform to drive down your organization's cyber risk while reducing training costs. Check them out at immersive-labs.com/lite. Welcome back and you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week.

Pick of the Week?

Week of the Pick?

Oi!

Just too early for Maria.

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.

Better not be.

Now, my Pick of the Week in some ways, Carole, actually follows on rather nicely with your previous story.

Oh, really?

About how these big ugly technology companies are scooping up our personal information, maybe without us realizing.

Sounds pretty security-related.

Well, yes, it is a bit security-related. It doesn't have to be. It's not that it shouldn't be.

No, no, you don't get to decide.

It doesn't have to be.

Remember? It's cooperative.

It doesn't have to be security-related. Anyway, my pick of the week is a website called Google.

Ooh, tell me more.

Yeah, right. Okay. Now, I don't use the Google search engine, okay, because for obvious reasons. But I checked out a page on the Google site today, google.com/history. And I was curious. I thought, I don't use Google as a search engine. I thought, I wonder what they've been capturing about me. And I've chucked in a couple of screenshots here of what I saw for on my particular account. And what I found was that from about a year ago, there were a number of search requests made, not using the traditional Google search engine, but using the voice-activated one. So I think what was happening here was that maybe I was driving or traveling or something like that, and I might have gone into, maybe on my mobile phone, I might have accessed the app or something, or the site, and rather than type anything, I've actually said, "Who is the greatest chess player of all time?" Or, "Is Donald Trump the worst president in American history?"

Excellent. Deepfake fodder. Fantastic.

So I am— if I go to google.com/history, I'm able to replay these old messages. So I found that my wife had used my phone. And she'd ask questions like, when was Rubik's Cube invented? What's the difference between red lights and blue lights on an ambulance?

Colour?

And how old is Ann Robinson from The Weakest Link?

Oh, very important questions.

Very important questions.

What's the difference between the red lights and the blue lights on an ambulance?

When was Rubik's Cube invented? What is 3,000 kilometers in miles? Who is playing in Wimbledon's men's final 2018? Anyway, I was a bit surprised by this because I thought I'd mostly been living a Google-free life, and somehow these have been recorded from over 18 months ago. Now obviously I can zap them so I think I did this recently.

I don't know where I got the idea to do this, but I just looked at our— I went to the page, the Google History page, and I went to activity controls and all mine are turned off, although it has captured lots of YouTube things that I have done.

Right.

But it's only I can see this data. Is that what you had set up as well?

Yes, it says that only I'm able to see this, it says. But even so, I'm just a little bit disturbed that all these recordings of me have been kept.

Well, you can dump them. There is a little trash bin there.

Well, yes, but I think people forget this. I forget, I'm sort of privacy conscious. I wasn't aware that I'm using the search engine.

Google collects information on you.

Yes, I know.

We've talked about that just today.

My Pick of the Week is go to google.com/history and you might get a nasty surprise and make sure your settings are set properly and that everything is deleted if you wish it to be deleted.

I think it's very privacy related, but I think it's important, so you can have it.

Oh, Carole, one of them is, who is Bob Ross?

Ah, so you didn't know.

You must have mentioned. So on July 13th, 2018, I was trying to find that out. Or what's the time in Mauritius?

Can you believe that, Maria? He learned who Bob Ross was last year.

It's part of the cultural DNA over there.

I knew when I saw him, then I thought, oh yeah, I've seen that guy before from the Hair Bear Bunch. Anyway, Maria, what's your pick of the week?

My pick of the week is something I just discovered a few days ago. And the premise is this. It's a lovely day in the village. And you are a horrible goose.

Okay.

And it is called Untitled Goose Game. And the whole idea is that you're an asshole goose and you go and do asshole goose things.

Oh, well, Graham, have you played this? Did you help consult on the game?

Actually, Carole, I was playing this with my son this weekend, actually, on the Nintendo Switch.

So this is hot. This is hot to trot right now.

This is a huge game right now. It's a fun game.

Oh, yeah?

Yes.

Oh, maybe I'll come over and play.

It's one of the most downloaded games. It's beating out some of the hugest titles right now on Switch. But it's all— yeah, I said beating out, sorry. But it's on— it's also available for Steam on the PC and Mac, so you don't have to be a Switch player. So basically it's super fun. It's very easy. Very young children can play it, and you can honk and steal things. Yeah, you basically can just go around honking at people, which is just super fun. But you can go around and steal things and, you know, just wreak asshole goose havoc everywhere, and it's just— it's super funny.

You steal things from behind people's backs and you dress up statues in brassiers and spectacles and just cause a nuisance generally. Like geese do, I suppose.

Yes, it's super funny. And I think they should come out with a patch where it's not just a regular white goose, but it's a Canada goose, and then you shit everywhere. That would be my— that would be my recommend— listen!

She speaks the truth.

It's not Canadian racism, it's just a fact about Canada goose.

Well, kind of feels like gooseism, Canada gooseism. It does, actually.

Well, it is. I am very anti-Canada goose.

Wow, you heard it here, folks.

Listen, I am. I'll go on record about that. They shit everywhere.

So do babies.

Should they go back to their own country?

Babies eventually stop shitting everywhere. Canada geese don't.

Well, I'm respectfully disagreeing with you.

So your pick of the week is the Untitled Goose Game, and you're—

Yes, it's at goose.game is the website, actually, so you can check it out. You check out a little video of it. It's extremely— it's kind of twee. It's pretty funny.

Don't you love that someone wrote a game rather than the normal sort of rubbish you get as video games. It's just an imaginative idea, and it is silly and fun. I like it too.

It's the game we need right now for these troubled times.

This is what's going to heal us and unite us, isn't it?

It's true. It is. Carole, we're all going to come together over Untitled Goose Game.

Peace on Earth.

Oh shit.

Carole, what's your pick of the week?

So my pick of the week this week is a website, more specifically a website that's a dictionary for Cockney rhyming slang.

Blimey, governor.

I know, and I thought we'd play a bit of a game, right? I thought I would give you some Cockney rhyming slang examples and you could tell me what you think it might be.

Oh, I'm gonna fail this so hard. No, no, no, no.

So first, let me just give you a quick explanation about how it works, right, so people can play at home as well. It started up, and they think around 1840, and it's a kind of humorous slang that was used by Cockneys who live in East End of London. And it was probably first used as a kind of language to disguise what was being said so that passersby wouldn't know. So, for example, if you didn't want your customers to know that you were going to lower your prices in 10 minutes, you could say it in Cockney rhyming slang.

Okay.

It's a way also to talk, you know, without the earwigging officers.

And the way it works is the phrase rhymes with the thing which you're trying to say.

For example, the word look you would say butcher's hook. So the second word— there's always normally two words involved— and the second word rhymes with the word you want to use.

But the first word is basically irrelevant kind of thing, or just padding?

No, because that becomes the key word, right? So because what you would do is get rid of hooks, you'd say, oh, take a butcher's at that.

Yes, exactly.

And butcher's would mean butcher's hook. Hook rhymes with look, and that means take a look at this.

And if they said butcher's hook, that would be too obvious. But you say you take a butcher's.

Yeah, that kind of makes sense.

Okay.

Okay, come on, let's have a go. Let's have a go. Maybe Maria has a first go, right? And then Graham can jump in.

Yes, it's true. Yeah, you're gonna be good at this.

Okay, so number

Okay.

On your loaf, you have a barnet or maybe even a syrup.

Oh, for fuck's sake. There's no way. No, I have no idea what any of that means.

one. There's three Okay, I'll give you the full rhyming cockney slang for each one, okay?

I think I know most of that one.

of them in here. Okay. Oh, do you?

Yeah, I think I understand that.

Can you do it with all the full rhyming slangs before you translate it?

There's one of them I'm not sure about, but I can definitely do two of them.

On your loaf of—

Loaf of bread.

You have a Barnet—

Yeah, I know what that—

Fair.

Oh, okay. Barnet Fair. Okay, yeah.

Yep. Or maybe a syrup of—

Syrup of figs. Yeah.

So Graham, can you translate that?

So what it means is on your head, you either have hair or a wig.

See, on your head rhymes with bread. Fair rhymes with hair.

So you say on your loaf, you've got a barnet or you've got your syrup.

Okay. You took me there. It's still completely incomprehensible to me, but okay.

Mary Poppins.

No, no, no. It's better.

Now you know. Okay, now you know that loaf is head, right? So your loaf sits on your Gregory Peck, which sits on your naughty holders.

Okay, so neck and shoulders. Gotcha.

But I—

Okay, good. But see, even the phrases syrup of figs is not a phrase I would ever— that's not a thing.

Not faced constipation in your life yet? Yes. Okay, last one, last one, last one. Male or female, we've all got a bottle and glass at the back with which we can have a thom tit.

Oh, Carole, that's smutty. Please, can we please raise the tone on this podcast?

I think I can guess what that one is.

I didn't say anything about Ethan Hunt.

Whoa, whoa, whoa. I think let's just stop right there. Let's stop right there. Carole, shush.

Fair enough, fair enough.

We're talking to Maria now. You can put your rhyming slang away.

How dare you after your initial story.

Hang on, you can actually tell us where is this website? Is that in the show notes? Are you going to tell us where it is?

Yes, it's in the show notes, but it's called cockneyrhymingslang.co.uk.

Okay. All right. So Maria, hello, Maria. Hi.

Hi. Yeah.

Now I'm sure— let's be civilised. I'm sure lots of our listeners would love to follow you online, what's the best way for folks to do that?

I'm still on Twitter for some incomprehensible reason. So my handle is @mvarmazis. No, no, no, no XYZ. No XYZ. It sounds like it, but no. And I'm also on infosec.exchange if you are a Mastodon user. And my handle is simply @maria. So I'm squatting on that one.

Yeah. And you can follow us on Twitter @SmashingSecurity. No G. Twitter won't allow us to have a G. And you can also join us to discuss the show on Reddit. We're at smashingsecurity.com/reddit, or just search on Reddit for Smashing Security and you'll find us.

Once again, thanks to this week's Smashing Security sponsors, Immersive Labs and LastPass. Their amazing support helps us give you the show for free. And thank you to all the people that listen to us and view us or support us on Patreon. We love you. Everything you do is magic. And of course, check us out on smashingsecurity.com for past episodes, sponsorship details, and info on how to get in touch with us.

Mwah! Mwah!

Until next time, cheerio, bye-bye!

Ta-ta!

See ya! Quite smutty this week.

Oh yeah, just see who's smutty. Mr. Cluley.

Yeah. Yeah, not me this time. Not me.