
157: A biometric knuckle duster


What is Kaspersky's ugly ring for? Is there something suspicious about how NordVPN lets you stream Disney+? And why did a hacker impersonate a music producer?

Plus we have a bonus feature interview with Rachael Stockton from Logmein, the folks behind LastPass, all about behavioral biometrics!

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Visit https://www.smashingsecurity.com/157 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guests: Maria Varmazis and Rachael Stockton.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



GRAHAM CLULEY. So Kaspersky have ridden in on their great big Russian bear and they have come to your rescue because they say that—


CAROLE THERIAULT. Sorry, I've gone picturing that for a moment.


MARIA VARMAZIS. Shirtless. Make sure they're shirtless.


GRAHAM CLULEY. They're shirtless. Yes, they're wrestling a bear. They stumble in.


CAROLE THERIAULT. Holding hands with Putin. I got it. It's beautiful. Oiled.


MARIA VARMAZIS. There's a choir singing somewhere and it's really glorious.


UNKNOWN. Smashing Security, episode 157. Biometric Knuckle Duster with Carole Theriault and Graham Cluley.


GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security episode 157. My name's Graham Cluley.


CAROLE THERIAULT. Hello, I'm Carole Theriault.


GRAHAM CLULEY. Hello. And we are joined this week by a returning fabulous guest. It's Maria Varmazis. Hello, Maria.


CAROLE THERIAULT. The crowd goes wild.


MARIA VARMAZIS. Hi. Thanks for having me back.


CAROLE THERIAULT. Yay for coming back.


MARIA VARMAZIS. Yay.


CAROLE THERIAULT. It's almost Christmas. Are you guys panicking yet?


MARIA VARMAZIS. No, no, no, no, not really.


GRAHAM CLULEY. No, no, I heard it's pretty Christmasy there. I mean, we don't like to talk about the weather on this podcast, Maria, but I hear you are snowy.


MARIA VARMAZIS. I'm snowed in. So, um, yeah, we're getting some unseasonably large amounts of snow right now, so it's very, it's very— well, you know, it's not unusual for us to get a little snow, but this is, this is quite a bit of a big, a big snow dump. Yeah, it's unusual. Usually we start getting that later, but it's cozy. I've got my coffee, I'm good. I've got my fuzzy slippers and Working from home because I'm a freelancer, so I do this every day.


GRAHAM CLULEY. We're all in our pajamas. Yes, we're all freelancers.


MARIA VARMAZIS. Like every day, even in the summer. I'm really cozy.


GRAHAM CLULEY. Well, snuggle up, everybody. And Carole, tell us what's coming up on the show this week.


CAROLE THERIAULT. One moment, please.


MARIA VARMAZIS. We're not actually having a show.


CAROLE THERIAULT. First, thanks to this week's sponsor, LastPass. Its support helps us give you the show for free. Now, on today's show, Graham showcases Kaspersky's new foray into improved security. Maria, Maria, take over from me.


MARIA VARMAZIS. Uh, I'm talking about, uh, residential proxies and what NordVPN is or isn't doing.


CAROLE THERIAULT. Who could have said that better? And I'm looking at what could have been a pretty neat little hack were it not for egos getting in the way. Plus, we have a special feature with LastPass. Rachael Stockton explains all things single sign-on, including behavioral analytics. Creepy stuff. All this and loads more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, cast your mind back to the early days of Smashing Security. You may remember that we discussed once the scent of Eugene Kaspersky.


CAROLE THERIAULT. Was that like a pick of the week or something?


GRAHAM CLULEY. No, it was a main story. Kaspersky released a perfume called Kaspersky, ah, the essence of an antivirus researcher.


MARIA VARMAZIS. Oh, I remember this.


GRAHAM CLULEY. And, uh, you— it got us thinking, I think, at the time, you know, what other people could release a perfume? Maybe the, uh, the aroma of John McAfee coming all the way from Costa Rica.


CAROLE THERIAULT. Oh, please.


MARIA VARMAZIS. Strong sense of bullshit.


GRAHAM CLULEY. Well, Kaspersky's marketing department, they've been busy beavering away, and they've come up with something new that has caught the media's attention. So they're quite creative, those folks.


CAROLE THERIAULT. Well, these are the guys that came up with Packing the K, if I remember rightly.


GRAHAM CLULEY. Let's never forget the Packing the K video. One of our favorite cybersecurity music videos.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. When I'm packing the K, I can say with affection, the K-man gives me the best protection.


CAROLE THERIAULT. Who's the key?


GRAHAM CLULEY. Kaspersky. K is the key. Kaspersky. Always a good excuse to link to it in the show notes. So thank you for giving us that. Now, before I reveal what Kaspersky's marketing people have done this time, I think it's a good idea to explain what the problem is that they are trying to address.


CAROLE THERIAULT. Perfect.


GRAHAM CLULEY. Because we live in a biometric world, don't we? Our phones are unlocked with a glance of our face, and bank accounts are unlocked with a fingerprint. And we find ourselves— Well, some of us do.


MARIA VARMAZIS. Specifically Graham's. Mine is unlocked with Graham's fingerprint.


CAROLE THERIAULT. God, that must make it tough since you live in different countries.


GRAHAM CLULEY. And some places, like in the UK, you can be identifying yourself when you ring up the taxman with your voice.


CAROLE THERIAULT. Yes. Oh, delightful.


GRAHAM CLULEY. Yes, wonderful, isn't it? Well, the problem is with those sort of technologies being used to identify whether it's really us looking or touching or speaking is they need to somehow store some kind of print to compare against our voice or our fingerprint or our face.


CAROLE THERIAULT. Yeah, and this is all addressing the whole problem of authentication, right?


MARIA VARMAZIS. Yeah.


CAROLE THERIAULT. You know, we have username and passwords, but then we forget our passwords or we forget our usernames, and then we have more than one email address and more than one phone number. So using something like that is a very good way of authenticating, I'm guessing.


GRAHAM CLULEY. Yeah, yeah. Authentication, I think, lies at the heart of many of today's security problems. A failure to reliably identify that it is the individual you wanted to give access to something who's really trying to gain access.


CAROLE THERIAULT. That's almost the definition of a hack, right? Is that someone who wasn't authenticated got access as though they were authenticated to something, right? And that's the big problem, right? Okay.


GRAHAM CLULEY. So there are organizations out there and technology which obviously need to store biometric data in some way or another. And if that was ever stolen, yeah, could be quite harmful.


CAROLE THERIAULT. That's the big problem, right? You only have one set of fingerprints. Well, you've got ten, I suppose.


MARIA VARMAZIS. Well, yeah, you can get hacked 10 times and then you move on to toes, ear, bum. Oh, butt prints. That's the future. At least you heard it here first.


GRAHAM CLULEY. Maybe more in some cases. But it's so— but the important thing to remember is you can change your password after a hack occurs, right? We see hacks all the time and you're told, oh, reset your passwords. Well, just try resetting or changing your face or your fingerprints. It's going to be really difficult, isn't it?


CAROLE THERIAULT. It's going to be a huge lineup at the plastic surgery outlets around the place, isn't there?


GRAHAM CLULEY. Well, I have been on YouTube this morning, Carole, and I've watched the trailer for that marvelous 1997 movie Face/Off.


MARIA VARMAZIS. Oh, the classic. An American classic, if you will.


CAROLE THERIAULT. Someone I know, maybe it's my parents, I think it's them, but someone I know walked out of that film within the first 10 minutes.


GRAHAM CLULEY. I walked out during the trailer. I found it too confusing working out which one was John Travolta and which one was Nicolas Cage.


MARIA VARMAZIS. They're remaking it, aren't they? They're remaking the series.


CAROLE THERIAULT. You're kidding me.


MARIA VARMAZIS. No, I'm pretty sure they are. Because we didn't get enough with the first one. Or maybe they already did and I missed it, but—


GRAHAM CLULEY. It's so ridiculous. Anyway, so— For normal people outside of this sort of fantasy Hollywood world, it's not possible to change your face or your fingerprints. So they're not the same as passwords, and you can't change your fingerprints, and you leave your fingerprints everywhere. Maybe fingerprints aren't actually the ideal mechanism for security or authenticating yourself.


CAROLE THERIAULT. Do you want to tell every single airport in the world operating right now?


GRAHAM CLULEY. Well, there are challenges, aren't there? Because when a breach happens, what are you going to do about it? So Kaspersky have ridden in on their great big Russian bear, and they have come to your rescue because they say that—


CAROLE THERIAULT. Sorry, I've been picturing that for a moment.


MARIA VARMAZIS. Shirtless. Make sure they're shirtless.


GRAHAM CLULEY. They're shirtless. Yes. They're wrestling a bear. They stumble in.


CAROLE THERIAULT. Holding hands with Putin. I got it. It's beautiful. Oiled.


MARIA VARMAZIS. There's a choir singing somewhere and it's really glorious.


GRAHAM CLULEY. They have teamed up with Swedish designer Benjamin Way to create a ring that you wear on your hand.


CAROLE THERIAULT. Do you know that name? Benjamin Way?


GRAHAM CLULEY. He's a Swedish designer.


CAROLE THERIAULT. Okay. Okay.


MARIA VARMAZIS. Okay.


GRAHAM CLULEY. So you should know him. And this ring creates a fake synthetic fingerprint, right? It houses a 3D-printed rubber stone made out of, quote, thousands of conductive fibers that basically simulate a fingerprint. Now, I've included a picture in the show notes here, and I'll also include a link to the video so our listeners can— as you can see, it's completely and utterly ugly.


MARIA VARMAZIS. Oh my God, looks like a tumor.


GRAHAM CLULEY. Well, what we've got here is a picture of a man with an enormous ring on his hand.


CAROLE THERIAULT. Okay, yeah, I see the ring.


GRAHAM CLULEY. And a great big black oval, like it's a stone. It's basically the size of a thumb, I guess, on his finger and made out of some kind of black rubber. It's like a—


CAROLE THERIAULT. yeah.


GRAHAM CLULEY. And the idea is that rather than using your thumb to register, for instance, your fingerprint, you'd use your ring. So you sort of turn it over and press that against your Touch ID.


CAROLE THERIAULT. Dudes, this could be maybe the cutting edge of Russian chic right now. Now, okay?


MARIA VARMAZIS. Seriously. It looks ugly, but I'm like intrigued by the idea behind it.


CAROLE THERIAULT. But you get to punch in. So effectively, so instead of using your fingerprint, you literally punch the ring in and it has a simulated fingerprint.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. So it's basically a deep print fake print thingy.


MARIA VARMAZIS. Oh, deep prints.


CAROLE THERIAULT. Deep prints, TM, Carole Theriault.


GRAHAM CLULEY. It's not a copy of your fingerprint. So it has its own unique fingerprint.


CAROLE THERIAULT. No, no, I get it.


MARIA VARMAZIS. And let me guess, if you lose it, you can buy another one.


GRAHAM CLULEY. So you can reach. Yeah, exactly.


MARIA VARMAZIS. It's like there's a built-in profit there.


CAROLE THERIAULT. At this stage, at this stage, if someone had brought this up at a meeting on a Friday afternoon, I would be, let's do it. How much would it cost to do a prototype? This can't be that expensive. It is a PR winner. Okay. So, okay. And I like it. I kind of think I like it.


GRAHAM CLULEY. On a pure fashion scale, Carole, would you wear one of these?


CAROLE THERIAULT. Well, I might wear it the other way around.


GRAHAM CLULEY. Oh, I see. So it's underneath.


CAROLE THERIAULT. Right into my palm.


MARIA VARMAZIS. Right.


GRAHAM CLULEY. It's quite large. You know, I don't think you'd be able to hold on to things like the handlebars of your exercise bike and things.


CAROLE THERIAULT. I don't need to hold on to the handlebars of the exercise bike, Graham.


SPEAKER_03. Geez.


GRAHAM CLULEY. You're not going that fast.


CAROLE THERIAULT. I'll take you on any time.


MARIA VARMAZIS. Imagine trying to do yoga with that, Carole. Like you're doing a handstand or something.


CAROLE THERIAULT. Presumably you can take it off for certain activities. Like yoga.


GRAHAM CLULEY. No, no, you have to wear it forever. Of course you can take it off.


MARIA VARMAZIS. It's fused to the bone.


CAROLE THERIAULT. Exactly.


MARIA VARMAZIS. So you just remove it.


CAROLE THERIAULT. Oh my God, imagine you lose it. Okay, I know. Okay, I can see where the problem's—


GRAHAM CLULEY. okay, go, go, go. This is where the flaw is, right? So first of all, first of all, yes, you could lose it, right? Because when you go to the gym, or when you're doing the washing up, or when you're lathering yourself in the shower, it could slip off with all the soap. When you go swimming—


CAROLE THERIAULT. Hey, I lost my engagement ring, right?


GRAHAM CLULEY. Right.


CAROLE THERIAULT. Still married, but there you go.


GRAHAM CLULEY. People take off their rings when they go swimming, or if they're baking, because you don't want to get lots of— yeast under there. So there's that issue. A real finger is hard to lose, but I would argue that a ring is pretty easy to lose. And furthermore, okay, there's this problem of, well, you use the same fingerprint for everything.


CAROLE THERIAULT. Can I ask some questions?


GRAHAM CLULEY. No, can I finish what I'm saying?


MARIA VARMAZIS. You too. Oh shucks.


CAROLE THERIAULT. This is a fun chat.


GRAHAM CLULEY. I just said furthermore. You keep interrupting me.


MARIA VARMAZIS. Simmer down now, children.


GRAHAM CLULEY. But furthermore, right? So it's not only the issue, I've just, I've gotta edit this bit. It's not only the issue of whether you lose this thing, right? And have to replace it. And that's gonna be a nuisance 'cause people do take their rings off. But furthermore, wouldn't it be great if you had different fingerprints for different services rather than having your fingerprint stolen in one place, your fingerprint data, and then used to break into other accounts? So are you supposed to wear 10 different?


CAROLE THERIAULT. A knuckle duster.


GRAHAM CLULEY. One on each.


MARIA VARMAZIS. Yeah, a knuckle duster.


CAROLE THERIAULT. All right. Sorry, I interrupted, sorry.


MARIA VARMAZIS. Actually, to be fair, I think this is an interesting approach to the biometrics problem. I don't know if it's the solution, but I want to give them credit. This is actually kind of interesting. This ring, I think, is ugly as all hell. I mean, it— I just— oh, it looks nasty. But it is an interesting, you know, you lose your finger—


CAROLE THERIAULT. Oh, you like blood diamonds better?


MARIA VARMAZIS. No, no, I don't. I'm a millennial. I don't do that. We kill diamonds, remember? It's a thing. But maybe there's another solution that's not literally on your hand. I don't know. But an earring?


CAROLE THERIAULT. Perhaps? You could just—


MARIA VARMAZIS. A keychain fob? You know, we had a bunch of those. We seem to really like those in InfoSec. Yet another little dangly thing.


GRAHAM CLULEY. But the problem with all of these fingerprint replacements is that it doesn't prove it's really you, does it? It just proves that someone else has possession of the item, which you're using to try and prove that it's you.


MARIA VARMAZIS. Knock you over the head with the hammer and put your finger as you're passed out on the phone. Good, good.


SPEAKER_03. Look.


CAROLE THERIAULT. I think all these companies are trying to make these devices much more part of our everyday life, which is why we have these watches. We saw the Amazon Ring, right? And there's like necklaces and now all these things. So is it harder than losing your finger? Of course it is, but it's probably less likely that you'd lose a wearable than something that's in your pocket, like a dongle.


GRAHAM CLULEY. A dongle? I don't know. Well, yes, possibly, I suppose. I suppose you change your trousers more often than you take your ring off, right?


CAROLE THERIAULT. Well, and often you, when you, when, if you wear jewelry, you tend to— well, not me, obviously, because I lost mine— but you would put your rings down in the same place if you're removing them, right?


MARIA VARMAZIS. It's a, it's a tough nut to crack. I don't know.


CAROLE THERIAULT. Okay, so did this go wrong? Did this go wrong?


GRAHAM CLULEY. It hasn't gone wrong. I think that they— oh, I, I'm going to give them the benefit of the doubt on this one. I assume this is just a marketing concept rather than something that they're really going to push.


CAROLE THERIAULT. I don't know.


GRAHAM CLULEY. So it's an interesting idea. I think it doesn't really solve the problem, or at least it solves some problems, but then it introduces a whole load of ones which we have in the first place.


CAROLE THERIAULT. What's your solution? You complain about people using fingerprints.


MARIA VARMAZIS. You think he'd be on the podcast if he had a solution? He'd be marketing it and making a whole boatload of money.


CAROLE THERIAULT. I know, he's just whingy. Whinge, whinge, whinge.


MARIA VARMAZIS. He wouldn't be doing this if he had the solution.


GRAHAM CLULEY. Maria, what have you got for us this week?


MARIA VARMAZIS. Not Facebook. So that's fantastic. I'm going to be talking about residential proxies.


GRAHAM CLULEY. Ooh la la.


MARIA VARMAZIS. Yes.


CAROLE THERIAULT. That sounds riveting.


MARIA VARMAZIS. I know. We're done here. We're done.


SPEAKER_03. Bye.


MARIA VARMAZIS. All right. So I had asked on Twitter, as I often do, hey, what story should I talk about for the show today? Because I'm lazy and our listeners are very helpful. So some of our listeners sent in a blog post that's been making the rounds. It went out about 4 days ago from recording. It's about NordVPN. And does that name ring a bell for anyone?


GRAHAM CLULEY. Hmm. Have they been in security headlines recently for any reason at all?


MARIA VARMAZIS. Yeah.


GRAHAM CLULEY. I wonder.


CAROLE THERIAULT. Have they had any snafus?


MARIA VARMAZIS. Yeah. Well, I'll do a little backstory for folks who don't know.


CAROLE THERIAULT. Absolutely.


MARIA VARMAZIS. Yeah. So about 2 months ago, correct me if I'm wrong, guys, they were in the news because because they'd been compromised, but they sort of sat on that news for a number of months. So their servers got compromised in 2018, or their data center rather, and they found out about it in April 2019, and they only came clean about it in October of 2019 after a lot of public pressure. That is a very nutshell version of what happened. It was a bad look for a VPN given that the whole deal with VPNs is that they're supposed to help your security. So sitting on news of a data breach for months and months is a really, really bad look.


CAROLE THERIAULT. Yeah. Well, weren't they doing this massive push? Because for a while they were all over television like terrestrial TV or digital TV. And I would see them in numerous Reddit feeds as well. So it felt to me like they had a lot of money to burn to get their name out there.


MARIA VARMAZIS. They're a big name. Yeah. Yeah.


GRAHAM CLULEY. And they had rather blotted their copybook around the same time as the news of this data breach. They had been criticized for some ads which they were running, which were basically saying, you get rid of all of your security problems if you're running a VPN.


MARIA VARMAZIS. That's a bold claim.


GRAHAM CLULEY. Which was a rather bold claim. And they did pull it back. But they have had something of a chequered history, I'd suggest. I mean, they sponsored lots of podcasts and videos and things like that. And sometimes the claims made by the people appearing on those podcasts and videos weren't completely legitimate.


MARIA VARMAZIS. Specious, maybe.


GRAHAM CLULEY. Hmm. Good word.


MARIA VARMAZIS. So, so there's a blog post by Derek Johnson that NordVPN is doing something that they shouldn't be able to do and that there's something really bad behind it. And I'm not saying this is true or not. I just like to dig into what's behind this claim and maybe we can draw some conclusions there. Because I'm not really sure that this is the case. But in any case, let's dig in. The big question is this: how exactly is NordVPN able to serve up Disney+ to countries that shouldn't be able to access it? That is the question, right?


GRAHAM CLULEY. And Disney+ is their version of Netflix. It's a new streaming service, isn't it? And I think there's some kind of Star Wars TV show or something on it. I can't get it from over here, but that is correct.


CAROLE THERIAULT. So is your point that Disney blocks most VPNs from attempting to do this, and for some reason Nord is not on their blocklist?


MARIA VARMAZIS. Kind of, yeah. So basically, to just back up half a second, Disney+ is only available in a very small number of countries— so Canada, US, Australia, New Zealand, Netherlands— and then everyone else has to wait at least a year, if not longer, right? So companies like Disney+ and Netflix are always doing whack-a-mole with VPNs. So that— yeah, we're just establishing that. So that, that's a known problem. So if you want to access Disney+, say, in Europe, like literally anywhere in Europe outside of the Netherlands, Uh, what are you gonna do? So you're gonna try your VPN and you find out you're blocked. So this is where it gets a little weird. Users of NordVPN are still able to access Disney Plus even though pretty much every other VPN apparently, or a lot of other VPNs, can't access it, right? Because Disney Plus goes, nope, you're a VPN, I'm not letting you in. So how is that happening? And that is the question that Derek Johnson is asking in his blog post. Like, this really shouldn't be able to be happening, and yet it is.


GRAHAM CLULEY. So it's kind of impressive and maybe a competitive advantage if NordVPN says, well, we can give you access to Disney Plus.


CAROLE THERIAULT. Well, totally.


MARIA VARMAZIS. Yeah.


CAROLE THERIAULT. You know, I assumed, perhaps incorrectly, that some were just blocked and some they just weren't on the hit list and it was that easy.


MARIA VARMAZIS. This could be possible. And then there's another theory.


CAROLE THERIAULT. Okay.


MARIA VARMAZIS. So the theory is this thing called a residential proxy, which is sort of new to me. I haven't really heard this term much, but you'll probably be hearing more about it.


CAROLE THERIAULT. It.


MARIA VARMAZIS. So a residential proxy is a real person's IP address, like a real, like it's assigned to them by their own ISP. So it's not an anonymous block of VPN IPs that the VPNs tend to get. So they're, they're newish and folks love them for going around these VPN ISP blocks and also maybe doing some more dirty stuff on the internet. I'll let you fill that in with your own imaginations. So one, I did a little digging for the marketing spiels that some of these VPNs use. And there's like this very breathless description of how great residential proxies are. Just listen to this. These proxies are the highest quality product on the proxy market for one simple reason, which is that residential IP addresses are undetectable. They look exactly like real mobile and desktop devices. They are immune to bulk bans and blocks because these proxies do not share any subnetworks. A residential proxy network is a pool of real residential IP addresses that are associated with real internet service providers, which makes them unstoppable.


GRAHAM CLULEY. So, so the reason why they look exactly like real mobile and desktop devices is because they are real mobile and desktop devices.


CAROLE THERIAULT. Yeah. Okay. I think I'm following. Okay. Because I was— yeah, there's a lot of marketing hubbub there.


MARIA VARMAZIS. Yeah, it is. And I was like, that is a very breathless description. And I was reading that. I'm going, this sounds like a botnet a little bit. And I'm like, that's— but they're not. It's not the same thing. But it made me think of that. So bringing it back to Nord and Disney Plus, Derek Johnson is thinking that Nord is using residential proxies. Now, NordVPN, they don't say anything about that on their website. They say they use something called SmartPlay technology, which is not a term I've ever heard, and I'm guessing that could be their own branding on residential proxies.


CAROLE THERIAULT. I—


MARIA VARMAZIS. it's not a term that I'm familiar with at all. So in any case, if NordVPN or anyone else is using a residential proxy, how does a VPN get their hands on these IPs? Because how do you get your hands on some Joe Schmo's IP address? How does that happen?


GRAHAM CLULEY. Right.


MARIA VARMAZIS. So, because it's kind of odd. So there's a number of possibilities. I was doing a little digging and learning on this one. So one theory is that the VPNs are kind of doing a tit for tat with their users. So say the US users are routing overseas traffic through their own IPs in exchange for being able to do the same. So if I'll route you, if you route me kind of thing.


CAROLE THERIAULT. Yeah. So a quid pro quo, if you will.


GRAHAM CLULEY. Keeping it topical. Good. Is that what this is all about?


CAROLE THERIAULT. About.


MARIA VARMAZIS. Yeah, it comes back to that every time.


GRAHAM CLULEY. So hang on, so Rudy Giuliani has a NordVPN account and he's letting some guy in Ukraine— I don't, I haven't been following it too closely.


CAROLE THERIAULT. Just go to Wikipedia's conspiracy page.


MARIA VARMAZIS. You're throwing those theories out there rapid fire. Amazing. I'm impressed. So the idea is you sign up for the VPN and they say, hey, we're going to use your IP address, but this will allow you to use somebody else's. So this is sort of called colloquially a volunteer channel. So the idea is that you're telling someone when they sign up, hey, this is what's going to happen with— and we're asking your permission explicitly. But as long as you sign up for this, then everything's kosher.


CAROLE THERIAULT. Okay. My question is like, what if guy using my IP address does something a bit yucko, right? That's on my watch, effectively.


MARIA VARMAZIS. That's awfully unfortunate, isn't it?


CAROLE THERIAULT. Yeah.


SPEAKER_03. Yeah.


MARIA VARMAZIS. I don't have an answer for you, but that is unfortunate.


GRAHAM CLULEY. Or on the other side, if you are someone who does something naughty on the internet, if you are allowing other people overseas to use your IP address, then that's your get out of jail free potentially, isn't it? That's your excuse. You could maybe use that argument.


MARIA VARMAZIS. Yeah. I don't know how people would be able to distinguish between the two, 'cause it looks completely just like a legitimate IP. I, I don't know enough about networking. So quid pro quo is one option. Second option is that providers, yeah, I'm just throwing that out there. Providers, uh, with that already have residential proxy IPs will resell them to others in big batches. So we don't know how they're getting those IP addresses, but the horses are out of the barn and they're being resold. Ba ba ba ba ba.


GRAHAM CLULEY. Okay.


MARIA VARMAZIS. So there's a bunch of different options here. Another option, which is kind of a boring option, but realistic, uh, Brian Krebs did a story on residential IPs and proxies a few months ago. And according to his sources, a bunch of the world's biggest ISPs are more than happy to just sell chunks of their IPs to anyone who asks. As long as you got the money to pay for them, they'll be like, you want some residential IPs? Here you go.


SPEAKER_03. Ah.


MARIA VARMAZIS. That is kind of a boring answer, but if that's the case, then I mean, that seems like a very easy way to do it. And NordVPN, for example, their website says that they do purchase IPs directly from ISPs. So that's a thing. You know, I wouldn't have thought that ISPs would want to do that, but I guess if you've got a gazillion IPs, what's a few hundred thousand to sell for some, some money? It's like free money. So this is all pretty above board.


CAROLE THERIAULT. But these are all bona fide attached to particular people, right?


MARIA VARMAZIS. They've been assigned by ISPs to be assigned to a resident. So this, this all is the more aboveboard stuff. But there are a lot of theories that there are some more malicious things going on with residential proxies as well. So, for example, there is a security researcher who works at Facebook named Xianghang Mi, and he wrote a paper this year for IEEE on residential proxies. And I'm going to really, really boil it down and simplify it massively. And the link I, I provided for the show notes if people want to read his paper, but one of his data points is that he collected hundreds of thousands, if not millions, of residential IPs that are used by proxy services. And he was able to identify that about half of the IPs that he could identify clearly belong to IoT devices like web cameras, DVRs, and printers. So I do wonder how a device volunteers to share its IP. Like, where's that option? Yeah, interesting.


GRAHAM CLULEY. Good point. Yes.


MARIA VARMAZIS. And then in addition, the researcher, Mi, also found that there was a correlation between the presence of potentially unwanted programs or straight up malware on a user's machine to that machine then serving itself up as a residential proxy. So it seemed about like 10% of the time, at least, that person who was a residential proxy had no idea that they were. And they had malware that was making them into one.


GRAHAM CLULEY. One, right?


MARIA VARMAZIS. Okay.


GRAHAM CLULEY. Yep.


MARIA VARMAZIS. So that's a much more nefarious thing. So this could be somebody downloaded malware on—


CAROLE THERIAULT. you know, for them, time too, at least. That's huge.


MARIA VARMAZIS. Yeah, yeah. And it could be much more than that, and this is just in that one data set. So there are above-board methods of getting these IPs and not so above-board methods. So back to NordVPN and Derek Johnson's blog post. So he thinks there's something really nasty happening here, and he's drawing a connection between NordVPN and this other company called Oxylabs, which has a hefty residential proxy network, and nobody really knows how they're getting it, but there's some allegations that it's shifty, and there's also the rumor that the two companies are owned by the same guy. So the thinking is that if they're, if Oxylabs is getting IPs through a nasty way, they're sharing them with Nord, and it's all kind of behind the scenes. That's the assertion that's happening in that blog post.


CAROLE THERIAULT. Or they might just be buying them deliberately, and there's just a hole in the regulation that allows, you know— And we're all getting screwed.


MARIA VARMAZIS. Yeah, I mean, that's the thing because we have no way of knowing how they're getting these IPs or even if they're doing residential proxies, but it's a good guess. So yeah, I was thinking it's probably a lot easier to go the more legit route and just buy them.


GRAHAM CLULEY. Yeah, yeah, totally.


MARIA VARMAZIS. So NordVPN also, for the record, they got tweeted at about this blog post and they have denied that anything fishy is going on. And they say that they either purchase the IPs directly from ISPs, so what we just talked about, or that they get user IPs from people who have, quote, voluntarily downloaded a program that shares their bandwidth and the users are fully aware of the purpose.


GRAHAM CLULEY. Fully aware as in they clicked on the OK button.


MARIA VARMAZIS. Yeah. And I'm sure they didn't read whatever fine print that is, but, you know, they did hit the OK button. So, yeah. Yeah. So I always think that the truth is usually pretty mundane. I have a feeling they bought the IPs from ISPs. Right. I just don't think it's worth going through the trouble to do something shifty. But who knows? I mean, I don't have any way of saying that allegation is true.


CAROLE THERIAULT. So yeah, it's just basically there's not enough— you know, the technology companies are way ahead, regulations way behind, and there's a Wild West mentality going on. Like, if you can get away with it, go for it.


MARIA VARMAZIS. Pretty much.


CAROLE THERIAULT. We're the ones who are going to be paying the price.


GRAHAM CLULEY. So I read the Derek Johnson blog post. It did feel like he was jumping to a conclusion, perhaps without the smoking gun of proof that NordVPN were doing quite what he suggested, because he does sort of paint a picture that imagine you were downloading an app to your device, for instance, and it was malicious and it was secretly helping NordVPN. But you sort of think—


MARIA VARMAZIS. We have no way of knowing.


GRAHAM CLULEY. Yeah, exactly. That could have happened, but I didn't feel really comfortable with him making that allegation without something a little bit more serious to back it up. And some of the ideas which—


MARIA VARMAZIS. and suggestions you've made here seem a little bit more plausible and likely. Yeah, I think it's very possible, if not likely, that other VPNs are doing the shifty stuff. And in fact, there are plenty of studies out there that show that some VPNs are. Uh, it's just, um, I, I don't want to be making that allegation without really having the proof, as you said. But I think just watch the space for residential proxies. Cause I mean, I, as I said, this is sort of newish to me, but I think a lot of companies are keeping an eye on it. And certainly I imagine big content providers like Netflix and Disney Plus are keeping an eye on it. I think it's gonna be interesting to see how this continues to develop.


CAROLE THERIAULT. Yeah, and hey, you can be accused, you know, because your name could be associated with an IP that's been slurping up loads of stuff you shouldn't be, when in fact you actually are in the right jurisdiction.


MARIA VARMAZIS. Oh God, let's hope the FBI is listening. Hey FBI, please don't arrest me for something I didn't do because someone else is using my IP address. Oh, that's scary.


GRAHAM CLULEY. Thank you, Maria Crowe.


CAROLE THERIAULT. What's your topic for us this— Well, we are now going to bop into the music world and see how a crew of nefarious opportunists tried to make a fast buck. And this might also be a lesson on how not to conduct yourself online. So the music industry, right, Graham? The world of performance art, producers, recording artists, live shows, festivals.


MARIA VARMAZIS. Graham's in it up to his eyeballs. He knows this stuff well.


GRAHAM CLULEY. Oh, is this because I'm a pianist now? Is that why you're including me?


CAROLE THERIAULT. Well, there's a lot of struggling musicians out there, young and the old, right, Graham? Yeah, and the young and the old. And there is an ocean of moolah at the top, which indeed is probably one of the reasons why the music industry is often targeted by cybercriminals. But the thing is, not all cybercriminals are super smart, right? Sometimes some might seem to be knitting with a single needle.


GRAHAM CLULEY. How dare you!


CAROLE THERIAULT. And dare I say if this New York indictment sheet is anything to go by, 27-year-old Mr. Christian Erazo of Austin, Texas might just be one of these single knitting, single needle knitters. And maybe I'm being harsh. Maybe I'm being harsh. You guys can decide. So I'm just going to set up the play here. So Erazo and his 3 chums decide one day in 2016 that they want to make a bit of easy money, right? Bit of easy wedge. And they must have felt like they had some elite skills because they agreed to go after two US-based music management companies, one based in New York and one based in LA. Now both are unnamed, okay? Now it's weird to me because these guys are based in Austin. Isn't Austin like music capital, blah blah blah? And yet they target out-of-state producers, which— Anyway, just me.


GRAHAM CLULEY. But I mean, there are certainly major artists I imagine are being managed from New York and Los Angeles. You're right. There is a vibrant music scene in Austin.


CAROLE THERIAULT. But maybe they're tougher. Maybe you just don't want to piss them off. Right.


GRAHAM CLULEY. Right. I don't know. You don't want to shit on your own.


CAROLE THERIAULT. Exactly. It just makes the whole thing a federal level. Right. Takes that out of the state and moves it to the Fed level.


GRAHAM CLULEY. Oh, true.


CAROLE THERIAULT. So anyway, these four opportunists managed to get their hands on stolen employee credentials. And they use these credentials to access the producers, these two in New York and in LA, their cloud storage. And they successfully infiltrate it and snoop around. The plan? Get some unpublished tunes under their belt.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. So the New York producer attack came up trumps. Oh my God, is that saying now ruined forever?


GRAHAM CLULEY. Uh, came up Trump. Yeah. So smelling like bullshit.


CAROLE THERIAULT. So the New York producer attack worked really well for them. And apparently they accessed the cloud storage account more than 2,300 times in several months. And they ended up stealing more than 50 gigs worth of music, including hundreds of unreleased songs. Is that weird though? You guys are a bit geekier than me. Is that weird that that didn't raise any suspicions? So they've stolen some employee credentials, they've added 2,300 searches to the log that would have otherwise not happened, and they've downloaded 50 gigs and no one noticed?


GRAHAM CLULEY. Yes, it's a music management company. They're not like Columbo. They're not keeping a close eye on what's going on on their network, are they? They're all like—


CAROLE THERIAULT. This is after the Sony hack, which we discussed last week.


GRAHAM CLULEY. Well, yeah, that was Sony Pictures though, wasn't it? But regardless, I think, you know, it's probably a fairly relaxed environment. Darknet when it comes to network security. It shouldn't be, of course, because there's so much valuable commercial material there. But I would imagine in some cases they're not keeping a close eye on it.


MARIA VARMAZIS. Yeah, guarantee there's a lot of password 123s happening. Yeah, yeah, it's—


GRAHAM CLULEY. yeah, 123 better than ABC. Oh, that's it. That's not the word.


CAROLE THERIAULT. Is it? I don't know.


MARIA VARMAZIS. Is it Hunter 2?


GRAHAM CLULEY. It's Hunter 2.


CAROLE THERIAULT. So, so these guys have all these tunes, right? Hundreds and hundreds of unreleased tunes, 50 gigs worth of stuff. And what do you do now? Any guesses?


GRAHAM CLULEY. They release them as their own material. They create a fictional band.


CAROLE THERIAULT. How did you get—


GRAHAM CLULEY. oh, really?


MARIA VARMAZIS. Did they really?


CAROLE THERIAULT. No, of course they didn't.


GRAHAM CLULEY. Oh, I was hoping it'd be some K-pop band just stealing people's songs. No? Okay.


CAROLE THERIAULT. No, um, these guys contact the victim in New York, right? This is months into their, you know, uh, song snarfling situation. So whilst they're contacting them, they are still actively snarfling music off their systems, right? So they email the New York producers and they blame another producer called Individual One. Okay, so in the court indictment, they're unnamed. So an unnamed party is blamed. So they say, look, Individual One was behind all these shenanigans, okay? And Individual One is the guy who accessed your cloud database. Individual One stole all the tunes, and he's currently selling the stolen for $300 a pop. And the guys are like, whoa. And they're like, yeah, I just wanted to let you know. Right.


MARIA VARMAZIS. Wait, so it's not extortion. It's blackmail.


CAROLE THERIAULT. Well, we don't know.


GRAHAM CLULEY. We're trying to get someone else in trouble from the sound of things.


SPEAKER_03. That's—


MARIA VARMAZIS. I was thinking it would be simple extortion. Like, hey, I got all your songs here. I'm going to release them early on the web unless you pay me X to not do it.


GRAHAM CLULEY. Maybe they were too scared to do that and they thought the consequences could be serious. Whereas if they were to point the finger of blame elsewhere, they could do some damage, but also come out fairly safe. I mean, maybe it's a rival hacking gang or something like that.


MARIA VARMAZIS. It sounds like a vendetta. Yeah.


CAROLE THERIAULT. Remember when I was talking about the one needle knitting? Needle knitting. It's hard to say. So this is where Erazo really got into his role. And he called back 10 days later, called back the New York producers and said things like, quote, I'm doing this for the love of the art. Artists and claimed that he wanted no harm done to the producer, that because, because he was on his side, right? So Erazo says to them, I'm happy to help you out if you need any of the info or anything I could dig up for you guys, just let me know and I'm more than happy to help you guys out with this. He even urged the music label to take legal action against the person, Individual 1, and also advised this New York producer about improving their security of, of their cloud storage account.


GRAHAM CLULEY. Well, it's a way to get an IT security contract, isn't it? Is to hack a company and then come in and say—


CAROLE THERIAULT. And then act like the cool kid.


GRAHAM CLULEY. Hey, I can help you fix all these things.


CAROLE THERIAULT. So in the indictment, there is quote, yeah, and another thing to— okay, so he's not the best writer, right? So I'm going to try and quote this. In the indictment, he says, yeah, and another thing to why we are going to you guys is we just hate this fucking person. Bottom line, we aren't even going to beat around the bush. Bottom. We, we line is just, we hate this person, we want— so they're basically really trying to build a strong rapport of trust between, um, the actual guy who's stealing the songs and the victim. And the whole thing goes like clockwork, you know, because Erazo feels he has them all duped. And even a week later, he sends an online message to one of his co-conspirators saying that this is the perf cover-up, which everyone's assuming means perfect.


GRAHAM CLULEY. Oh, that's what it means, right?


MARIA VARMAZIS. Yes. Drop half the words.


CAROLE THERIAULT. Very French.


GRAHAM CLULEY. Oh, fail.


CAROLE THERIAULT. What Erazo did not know—


MARIA VARMAZIS. That would be parf. That would be parf. Say parf.


SPEAKER_03. Yes.


CAROLE THERIAULT. Now, what Erazo did not know is that, of course, the New York producers had contacted the authorities days after his initial call 10 days earlier. So when he was doing all this showing off, he was actually talking to an undercover agent.


GRAHAM CLULEY. Oh, calamity.


CAROLE THERIAULT. Yeah, yeah.


GRAHAM CLULEY. I mean, it wasn't— it wasn't really the police, it was a sting.


MARIA VARMAZIS. Or was it Sting?


CAROLE THERIAULT. It was Sting.


MARIA VARMAZIS. Is he still alive?


CAROLE THERIAULT. Can I just say, probably is after all that tantric sex.


MARIA VARMAZIS. It's just Sting in little blue spandex and a knife, and I will kill him. Anyway, sorry.


CAROLE THERIAULT. What's really interesting for me in the indictment, because I haven't read very many of these in my life, but there's a lot of talk about how he never ever reveals himself during these conversations. Like, he never goes, oh, by the way, I know something more, and I have access to the data, and let me give it back to you, or anything like that. And they— there's all these big segments kind of saying basically he's constantly trying to do LastPass. And, and that kind of adds weight to the whole case. He ended up— apparently they found on his computer 850 stolen music files.


MARIA VARMAZIS. Jeez.


CAROLE THERIAULT. And he was charged in a New York court on Monday under 3 counts. Charges include one of conspiracy to commit wire fraud, which carries a maximum sentence of 20 years, and one count of conspiracy to commit computer intrusion, which carries a maximum of 5 years. And he's got aggravated identity theft as well. Minimum of 2 years imprisonment. So basically he's looking at up to 20 years.


GRAHAM CLULEY. So this is this chap Erazo, is it?


MARIA VARMAZIS. Yes.


GRAHAM CLULEY. I bet he wishes he'd erased those files that he downloaded rather than storing them on his hard drive.


CAROLE THERIAULT. I'm not even listening to you. During this hack, he also managed to get the LA producer, an LA producer's Twitter handle. Well, they didn't say Twitter, they said microblogging and social networking accounts.


MARIA VARMAZIS. With a bird on it.


GRAHAM CLULEY. Yes.


MARIA VARMAZIS. I wonder which one they mean.


CAROLE THERIAULT. Exactly. And they used this account to send direct private messages to other producers, music artists, saying, hey, can you send your unreleased songs to this email address? Which of course was in Erazo's, you know, in his cohort's control. And in the indictment, there's this part where someone replied, right, to this DM saying, yo, just got into Manhattan. I got this exclusive track that didn't make the album, but I'll definitely be a club banger. Want me to send that one over? So there you go. So they're hanging out with some real serious musicians here.


GRAHAM CLULEY. Carole, this chap isn't knitting with one needle. He's knitting with a baguette or something. He's a complete loon. What a thing to do. Yeah, well, he did that. Seriously, the quality of cybercriminal has really gone downhill, hasn't it?


MARIA VARMAZIS. Really? Really?


CAROLE THERIAULT. Has it? Don't you love a win-win situation? Imagine if you could have both enterprise-wide password management with single sign-on. What is single sign-on? Well, Graham, let me dazzle you. Single sign-on is designed to connect employees to high-priority apps, all without needing the user to log in at every single hurdle. Now, by combining these two services, our friends at LastPass may have just revolutionized security at the enterprise level. Learn more at lastpass.com/smashing. You don't need to say the forward slash.


GRAHAM CLULEY. And welcome back, and you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


MARIA VARMAZIS. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. Doesn't have to be security-related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, my pick of the week is a bit security-related this week.


SPEAKER_03. What?


MARIA VARMAZIS. Well, doghouse.


GRAHAM CLULEY. My pick of the week this week is a website which you may have seen popping up on Twitter. People have been amused by it, and I thought maybe some of our listeners would be amused by it as well. It's a slightly rude domain name, so I'm gonna have to be careful. The website is called whythebeepwasibreached.com. And if you go to why the—


MARIA VARMAZIS. I think it's why the fuck was I breached.


GRAHAM CLULEY. Oh yes, that's correct.


CAROLE THERIAULT. I don't know what his problem is.


MARIA VARMAZIS. Like, it's fuck.


CAROLE THERIAULT. Yeah, it's not hard to say.


GRAHAM CLULEY. If you go to that website, whythefuckwasibreached.com, then you will be given a randomly generated explanation as to why your company was hacked. And this is very useful if you're in a disaster recovery situation where you are having to put together a press statement or a statement for your customers, and you need to very rapidly explain why you lost all their Social Security numbers, or why your password was password, or the Amazon bucket which you set up wasn't protected by anything like a password or anything like that, then this is what you can use. And so, uh, so it's quite—


CAROLE THERIAULT. I'm looking at it now, it's quite funny. For the first one that came up for me, yep, right, on why the fuck was I breached, um, says the fucking competition used advanced techniques to force us to release this report. We have since worked with law enforcement so it can never happen again. And then underneath it says Equifax already fucking used that one. See, these are taken from real, from real life breaches.


GRAHAM CLULEY. I, I think not.


MARIA VARMAZIS. No. Can I read you mine? Because it's definitely not. It's, uh, 'The fucking hacking activists used nefarious techniques to do something, but we aren't quite sure what it is.


GRAHAM CLULEY. But since we have hired external consultants, it will never happen again.' So the button which says Equifax already fucking used that one, that is if you need another one. So then you click on that to say it's already been used by Equifax. Though it's not saying Equifax have actually used it.


CAROLE THERIAULT. You know what, it would make colorful language for Equifax. You know, even you can't use it.


GRAHAM CLULEY. It could have distracted attention from their actual data breach, couldn't it, if they had used a quote like that. Go. So that is whythebeepwasibreached.com, and that is my pick of the week.


MARIA VARMAZIS. Funny, you said fucking throughout the story, but then you bleeped yourself again.


GRAHAM CLULEY. Just saving Crow the effort.


MARIA VARMAZIS. Oh, I see, I see.


CAROLE THERIAULT. Okay, he knows I won't bother.


GRAHAM CLULEY. Maria, what's your pick of the week?


MARIA VARMAZIS. My pick of the week has nothing to do with Equifax. It has everything to do with Richard Nixon.


GRAHAM CLULEY. Yes. Richard Milhous Nixon.


MARIA VARMAZIS. Yes, Richard Nixon.


CAROLE THERIAULT. Yeah, he's a big fan, Graham.


GRAHAM CLULEY. Well, not as much as Roger Stone. I haven't gone that far. I don't have the big tattoo on my ass.


MARIA VARMAZIS. You don't have the tattoo?


SPEAKER_03. No.


MARIA VARMAZIS. Shame. No, no, no, no shame.


CAROLE THERIAULT. I wonder if he makes it talk by flexing his muscles.


MARIA VARMAZIS. Let's think about that a little more.


CAROLE THERIAULT. No, let's not.


MARIA VARMAZIS. Let's just think about it. Okay. So I am actually talking about Richard Nixon and deepfakes. Deepfakes. And not Deep Throat, but deepfakes.


CAROLE THERIAULT. Haha.


MARIA VARMAZIS. All right, so yeah, I'm good. It's good. So MIT researchers use deepfake technologies combined with the acting know-how of a Nixon impersonator to bring a famous speech that never happened to life. So the famous speech that never happened is the one that was written should the Apollo 11 astronauts not return from the moon. Oh, which I, I don't know if you know, but his speechwriters did prepare that speech should that tragedy happen.


GRAHAM CLULEY. Which is a good thing because it would be a terrible thing to sort of make up off the cuff, wouldn't it?


MARIA VARMAZIS. Right.


GRAHAM CLULEY. Yeah.


MARIA VARMAZIS. And, you know, remembering how it was— and not that I was alive then, but I mean, there was a very good chance that they might not return. So it was just being prepared for a very sad, uh, thing that could happen. So there was— there is a legitimate speech. You can read it. It's easily available. However, Nixon never recorded a TV version of himself in front of the cameras reading it. But the MIT researchers made that happen. So they took a video of him, I think his resignation speech actually, plus the actor helping them get the cadence of the speech right, and deepfake technology. They mashed it all together and you would swear Nixon had prerecorded this and it went live.


CAROLE THERIAULT. But, uh, you know, really, it's that good, eh?


MARIA VARMAZIS. It's super convincing. Uh, and so the speech is real, but he never read it. But you would think he did after watching this. So there's a link. Um, it's, I think, a fascinating story, especially with this year being the 50th anniversary and all that. Um, I just, I was so, so fascinated by— I had this link as a tab open for weeks knowing I was coming on this show. I was like, I'm saving it, I'm saving it for this show because I thought it was super cool. So there you go.


CAROLE THERIAULT. Do you know, uh, I think just today I read that China has now banned deepfakes.


MARIA VARMAZIS. Good luck.


GRAHAM CLULEY. Oh yeah, that's the problem, hasn't it?


CAROLE THERIAULT. Yeah, no, but it's interesting if it will, because, you know, you don't really want to get nabbed by the Chinese authorities, really.


GRAHAM CLULEY. I suppose even if they can't actually stop it happening, what they can do is wield a great big cricket bat so anyone who does use them will get into serious trouble. Maybe that's the point.


CAROLE THERIAULT. I'm just looking it up right now to make sure I'm not lying.


MARIA VARMAZIS. I mean, I also have personally banned deepfakes, but you know, that word hasn't gotten out yet.


CAROLE THERIAULT. Yeah, so 3 days ago, China makes it a criminal offense to publish deepfakes or fake news.


MARIA VARMAZIS. Oh, interesting to see how that'll work out. Interesting. Huh?


CAROLE THERIAULT. Yeah.


MARIA VARMAZIS. I have a feeling I'll be hearing that one stateside soon.


GRAHAM CLULEY. Yes. Everyone been told about that? Carole, what's your pick of the week?


CAROLE THERIAULT. Okay. Mine is really a game for you guys. Because, you know, this is radio. And often I'm talking about things that have no sound. So I thought, actually, why don't we just have a little game? And this all comes from the website Mental Floss, which has a few cool little facts, interesting. It's a good place to go waste time if you've got 5 minutes between meetings. So the game we're gonna play is which of these classic toys came first. Ready?


GRAHAM CLULEY. Okay. All right.


CAROLE THERIAULT. Okay. And I don't know the answers. I don't know the answers. Okay.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. Hula hoop or Frisbee?


GRAHAM CLULEY. Oh, I would think hula hoop came first.


MARIA VARMAZIS. Um, I, I would guess Frisbee. Me too.


CAROLE THERIAULT. It's a lot harder to make a hoop. What would you make it out of? Cane? I'm gonna say Frisbee.


GRAHAM CLULEY. Okay, what's the answer?


MARIA VARMAZIS. Oh, Frisbee!


CAROLE THERIAULT. Okay, next. Barbie or G.I. Joe?


GRAHAM CLULEY. G.I. Joe.


CAROLE THERIAULT. Oh, I thought Barbie. Okay, what do you say?


GRAHAM CLULEY. They're both American. I haven't got a clue.


CAROLE THERIAULT. Uh, oh, because you got one wrong.


GRAHAM CLULEY. Action Man over here. Well, I didn't have Cindy, obviously.


CAROLE THERIAULT. Which came first?


GRAHAM CLULEY. Which came first? Uh, well, I, I, I'm gonna say G.I.


CAROLE THERIAULT. G.I.


GRAHAM CLULEY. Joe, because presumably that's Second World War.


CAROLE THERIAULT. No, Barbie. What?


MARIA VARMAZIS. I would not say.


CAROLE THERIAULT. Yeah, Barbie's, uh, 1959 debut beat G.I. Joe's march to toy shelves in 1964. So 5 years between.


GRAHAM CLULEY. Oh my goodness.


MARIA VARMAZIS. Well, I, I thought for sure G.I. Joe's a World War II. I knew Barbie was around the '60s or 1960. Yeah.


CAROLE THERIAULT. Okay, this is one probably more for Maria. Pound Puppies.


GRAHAM CLULEY. What?


CAROLE THERIAULT. Or My Little Pony.


MARIA VARMAZIS. I have no idea.


GRAHAM CLULEY. I've never heard of that.


CAROLE THERIAULT. You don't remember? I do. That's probably my—


MARIA VARMAZIS. no, I remember for both of them, but I, I never— I only had— okay, uh, My Little Pony.


CAROLE THERIAULT. I'm gonna— yeah, I'm gonna go Pound Puppies. Oh, you're right, My Little Pony. My Little Pony toys were introduced in 1983.


MARIA VARMAZIS. Yeah, I didn't have many toys as a kid.


CAROLE THERIAULT. Plush Pound Puppies were released in— oh, they released the next year. I think that counts. Yeah. Okay, last one: Slinky or Silly Putty? Oh.


SPEAKER_03. Oh.


GRAHAM CLULEY. Ah, now. I seem to, I've a vague recollection about how the Slinky was created. And it was, it was, I think I'm going to say Slinky.


CAROLE THERIAULT. Yep.


GRAHAM CLULEY. I think Slinky is earlier.


CAROLE THERIAULT. Yes. Slinky first tumbled around in 1945. The rubber goop used to make Silly Putty was invented around the same time. It didn't appear until 1949. 1950. There you go. Hmm, okay, there you go. Anyway, so this is on mentalfloss.com. They have a few little games and interesting facts worth a gander if you're bored. Um, thank you very much.


GRAHAM CLULEY. Are they stealing our data? This sounds a bit like a Facebook quiz.


CAROLE THERIAULT. Yeah, tell me about it.


MARIA VARMAZIS. Do you have to log in?


CAROLE THERIAULT. No, no, no, of course not. And I'm on a very locked-down browser.


MARIA VARMAZIS. It's asking me to put in my Social Security number. I mean, is that normal? I guess he needs my Social Security number to take this great quiz about toys.


CAROLE THERIAULT. Hmm.


GRAHAM CLULEY. How's Mental Floss making money? What's going on? Is it ad supported? Oh, lovely.


CAROLE THERIAULT. Well, Grim, people have to make money somehow.


GRAHAM CLULEY. Well, yeah, but couldn't they do something decent like install some malware on your computer, which opens up a residential proxy for VPN to use?


CAROLE THERIAULT. That's nice. Bingo, bingo.


GRAHAM CLULEY. And on the— With that smooth move, we've just about wrapped it up for this week. Maria, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?


MARIA VARMAZIS. Twitter still works. I'm still there. So @MariaVarmazis, I think, is my handle. I think so. Yeah, I'm on Twitter.


GRAHAM CLULEY. Cool. And you can follow us on Twitter as well, @SmashinSecurity, no G. Twitter wouldn't allow us to have a G. And you can also join the discussion on our subreddit. So if you're on Reddit, go and look up Smashing Security.


CAROLE THERIAULT. High five, wondrous listeners! Thank you for listening, supporting us on Patreon, and giving us shoutouts. It all helps so freaking much. And thank you once again to this week's Smashing Security sponsor, LastPass. That support helps us give you this show for free. And remember, we've got some other content coming. Stay tuned.


GRAHAM CLULEY. Until next time, cheerio, bye-bye, bye!


CAROLE THERIAULT. Rachael, hello again. Thank you for joining us. Hello.


SPEAKER_03. Thank you so much for having me.


CAROLE THERIAULT. I love when you come on, and today I am super excited about this topic because, as you know, this is a topic that I'm not super duper comfortable with, but I am desperate to learn more, and that is biometrics. So I am hoping you can kind of talk me through what it actually means.


SPEAKER_03. I think that it's finally the year of biometrics, you know, for, you know, thank you Apple and Android and all of the consumer technology that's out there. But I think it's a good time to talk about biometrics and figure out like where do you stand, get a sense of what biometrics are and really what are you giving up when you're using, if you're giving up anything when you're using them to give you access to your phone or applications, personal or business.


CAROLE THERIAULT. Okay. So what are biometrics? Let's just take it right back to basics.


SPEAKER_03. Cool. So biometrics, I think the first things that we think about are things like your fingerprint or your face, you know, Face ID. There's also another piece that'll be important as part of this conversation. And those are actually called behavioral biometrics. So, some of you guys might be familiar with things like keystrokes. You know, how do you usually type? You know, how do you usually type on the computer versus on the phone? Or, you know, your gait. Have you been walking normally over the past amount of time that it makes sense that this is you? All of those things are really being enabled by different telemetry that's on the phone or on the computer. So, biometrics really break down into two things. One are the things that really are who you are, and then the other half are things like how you behave. And it's really the how you are that we're spending a lot of time working on now as we get into, you know, our mobile devices and things along those lines.


CAROLE THERIAULT. Right. So let me just— just to recap, so make sure I'm following you fully. You've got your kind of almost physical traits, so your fingerprint, your face print, all that stuff that helps identify who you are. And then you've got how you behave. So that's interesting. So I obviously display certain characteristics when I walk or when I type or when I do anything. And that is the information you're looking to collect to try and help identify a person. Is that right?


SPEAKER_03. We're more advanced right now on the physical attributes. I think it's those behavioral attributes that as we bring in and we use the more— the telemetry on the different devices, processes that are going to enable us to ensure that those physical attributes maintain. They almost become like a second factor.


CAROLE THERIAULT. But I've always thought of biometrics in more of the what elements I have, like fingerprints, like who I am. I've not thought about it in terms of behavior, because where I'm uncomfortable with biometrics is the idea that we only have one set of prints or, you know, one face. And while there are companies that you trust to manage that data very carefully, there's going to be a time when companies that are maybe less trustworthy can also get access to that information. And what then? Or what if someone gets breached? And then, you know, you can't change your face.


SPEAKER_03. No, or at least without costing a lot of money.


CAROLE THERIAULT. Yeah.


SPEAKER_03. No, it's true. Everybody's just being their best selves.


CAROLE THERIAULT. But this idea of behavioral biometrics somehow not as invasive because behavior you can change, or is this behavior so deeply ingrained? Is that the idea that it is very difficult to fake?


SPEAKER_03. Well, I think that, you know, it is something that is how you behave. And so to change it consistently, it's like changing any habit. You have to walk differently, you have to type differently. And I think that's one thing that really understanding those patterns makes it even harder for people to be able to leverage biometrics. So, I think our perspective would be these wouldn't be the only sources for biometric data, but really they'd be additional sources with the physical elements as well.


CAROLE THERIAULT. Right. Okay. Because I was going to ask, my next question was going to be, so what happens if I hurt my hand? In fact, I recently had tendonitis in my index. I couldn't use my index finger at all for like two months, which makes typing quite difficult, turns out. And I am sure that my typing pattern changed dramatically during that period. So if you were just relying on that, that would be a big problem because you'd be like, this isn't Carole.


SPEAKER_03. Exactly. Broken ankle. Yeah, any of those things. And I think that's one of the other elements. In the end, I'm not sure biometrics in and of itself as a single point is going to be everything that you need for accessing all applications. It is part of a multiple-factor authentication. And so it could be that you're using your face, but behind the scenes you're using some other kinds of sort of behavioral-based or adaptive authentication like location and things along those lines. Or you might even be still, you know, be logging into something that you have, so you're using your fingerprint on a phone, so they know that you have the device. So you're still using the concept of multifactor authentication, ensuring that you can get that access. But in doing it in a secure way.


CAROLE THERIAULT. You know, putting my cybersecurity hat on, I can see why this is so sexy to so many companies because, you know, fraud and fake identities are a big problem for lots of companies. Everyone would like to eradicate the problem. And the best way, I guess, to do that is to ensure that the user is indeed the user. And being able to use hundreds of different data points across those three elements, so what you are, what you have, and what was the other one?


SPEAKER_03. What you know, what you have, and who you are. Those are the three different pieces there.


CAROLE THERIAULT. So that's the idea behind it, being able to use data from those three areas, build you a very reliable authentication service.


SPEAKER_03. There is this creepiness factor. I'll admit it. And I was reading the latest Gartner report on biometrics, and Alan even calls it out as creepiness, which I got a huge kick out of just seeing. Like, literally the section is labeled creepiness. So look, let's acknowledge it. There is something odd about being able to be recognized so quickly, so easily, and, you know, using your fingerprint for that or your face. But also when you look out there, people are ready for it. There's a report that recently came out, 70% of consumers want to expand their use of biometrics. And in prepping for this podcast, we did a Twitter poll. To our LastPass users.


MARIA VARMAZIS. Oh, cool.


GRAHAM CLULEY. Yeah.


SPEAKER_03. So we asked a couple of questions. First, just a poll asking about, hey, you know, how many of you are using Face ID or Touch to log into applications? And we found that 60% of them are using it to log into some apps, 22% all apps, and then the remainder, 18%, aren't using it yet. So that's 82% of people who are using biometrics in some way in every part of their life.


CAROLE THERIAULT. And do you think that's because it's so convenient as well and it's so fast?


SPEAKER_03. Oh, definitely. I mean, I think when you look at it, there are probably 3 things. One is speed. I mean, you can just get into things much faster. So your phone, your computer, your apps, but also just you don't have to think about the password anymore. Literally, you just don't have to worry about it. And that takes a huge weight off your shoulders. And then for some, even just on the end user level, there is a concept where it is more secure because if somebody does have my password, then they can't use it. I mean, they have to like take my finger to get this.


CAROLE THERIAULT. If they're that determined.


MARIA VARMAZIS. Yeah.


CAROLE THERIAULT. I'm going to fight for my finger, I think.


MARIA VARMAZIS. Yeah.


SPEAKER_03. Biometric data has to be protected. And there are a lot of different ways to do it, and companies are doing it. You know, keeping it on the phone in a separate piece of hardware, like a SIM card, separate SIM card, or a separate, like, trusted computing module. Keeping it centralized, it's always encrypted if it's, you know, either place, you know, distributing it between a phone and a central place. I mean, it has to be, it definitely has to be secure. But when a business is evaluating, sort of just focusing on staying with passwords or with biometrics, I do think it's important to realize that when data is stolen, it is much easier for people to be able to take a password and then replay that. You know, for biometrics, if you're able to get through it, if you're able to reconstruct it, you know, it isn't about then like typing in the password. There are a lot of different things you need to be able to do to use bad. So as we talked about before, security isn't like black and white. Security is just getting better, more secure, tightening that. And I think that's what biometrics does, is it, it makes things more secure. It tightens and eliminates sort of the attack surface even more than you would if you were just using passwords.


CAROLE THERIAULT. Yes. And also biometric, as you say, is on a technological journey as well, because two years ago you were hearing about, you know, facial recognition going wrong. But that's not a problem that we're seeing a lot today. That's not hitting the headlines on a regular basis, is it?


SPEAKER_03. No, it isn't. And there's never going to be zero.


CAROLE THERIAULT. There's not— there's always glitches.


SPEAKER_03. Yeah, there will be glitches. And a lot— and that's why things like behavioral biometrics coming up, they can really provide that sort of backup for the physical too. So, you know, ensuring that as you're working, you are who you say you are as well. And I think it is interesting to think about like, where is biometrics going? You know, where could they even be going with the— I mean, they've made huge leaps in acceptance over the past few years. I mean, 10 years from now, are we talking about like embeddable, embedded hardware devices in parts of us? You know, where they're using our heartbeat or any of those, you know, real deep physical factors to be able to say who we say we are.


CAROLE THERIAULT. It's interesting and scary though. See, it is creepy.


SPEAKER_03. It is creepy. And you know what, I'd say it's like Blade Runner, except did you already see that we're already past the date where Blade Runner was set? So like, we are living in the future.


CAROLE THERIAULT. Yeah, yeah, yeah. Blade Runner future.


SPEAKER_03. Uh-huh.


CAROLE THERIAULT. God, I just wish I looked like Daryl Hannah.


SPEAKER_03. It could do those cartwheels.


CAROLE THERIAULT. What else did you ask on your polls? What else did you hear from your Twitter users?


SPEAKER_03. So, it was interesting. So, they gave some feedback when we were just asking like, what do they think about biometrics? And it was pretty positive. Some people were saying like, I really can't wait until this happens, bring it on. A Twitter follower was mentioning that they specifically see it as a complementary means. So, they're looking at it as, you know, one of multiple factors. And it's interesting, one follower, Super Mario, was saying that he thinks that you have to be careful because, you know, you can be sleeping and your fingerprints are still available and suggested that we put in, or, you know, that vendors make sure— I think he said Apple does this, which I did not know— that your biometrics can only be available for a certain amount of time. So only when I'm awake, because, you know, you don't want a certain somebody using your fingerprint to get into your phone when you don't want them to.


CAROLE THERIAULT. I haven't even thought of that. And that is a really, really good point.


SPEAKER_03. But see, that's the thing. The more it gets out there, the more different ideas and challenges are going to be coming and moving forward too.


MARIA VARMAZIS. Right.


SPEAKER_03. And it isn't that those should be seen as blockers. I think it's how do we solve for them? Yeah.


CAROLE THERIAULT. It's almost like almost slaloming down a ski hill. You have to kind of pay attention to these things and not barrel over them, but actually be graceful and go around the mogul.


MARIA VARMAZIS. Yeah.


SPEAKER_03. And one of the users, I'll say Emmett, Emmett S., he put this awesome video up of a hedgehog gaining access to an early Apple phone with their handprint. So, you know, I think we're far past that right now. But I think that's still what some people are thinking about where you can put your pet in and they'll know it's you or they'll mistake you for you. But I do think we've improved far past that yet, but it definitely gave me a chuckle. So thank you, Emmett.


CAROLE THERIAULT. So once again, if I'm summing this up correctly, it's a little bit of the kind of push me, pull you between privacy and security. And behavioral biometrics and indeed biometrics offer an extra layer of security, which is something where a lot of us are in dire need for because, you know, it's daily that we read of huge breaches.


SPEAKER_03. I think that's true. There's one other point I want to make. We've talked a lot about user acceptance in our past conversations.


CAROLE THERIAULT. Yeah.


SPEAKER_03. About it's great if you have security, but it doesn't really matter if your users aren't going to use it or use it poorly or complain about it the whole time. And I think that this is a time when you really look at generations and you see how people are growing up with technology. And there's a desire to have more biometrics, to have this ease. And so I think it's up to us as companies and it's up to, you know, our business customers to figure out how do we make that as easy as possible for the employees or even your customers. Because if they want it and it ends up being more secure, we should figure out how we deliver it. You know, there are a lot of great companies out there who are putting together some amazing things to help under, you know, pin together the infrastructure for biometrics.


MARIA VARMAZIS. Hallelujah.


SPEAKER_03. Yeah. And so, you know, I'm sure we'll be leveraging a lot of those different standards, but also trying to work with other companies to make sure that we can bring the best solutions forward.


CAROLE THERIAULT. Rachael, anything else to add?


SPEAKER_03. No, that's great. Thank you so much.


CAROLE THERIAULT. Well, all I have to say now is happy Christmas.


SPEAKER_03. Happy Christmas.


CAROLE THERIAULT. Or Merry Christmas.


SPEAKER_03. You can say happy Christmas. I'm bilingual. Can you say Christmas, or do people say happy holidays? No, you can—


CAROLE THERIAULT. we—


SPEAKER_03. I say both.


CAROLE THERIAULT. Merry winter.


MARIA VARMAZIS. Merry—


SPEAKER_03. and now we're gonna disagree.


GRAHAM CLULEY. Bye.


CAROLE THERIAULT. I wonder how long you can do that for.


MARIA VARMAZIS. Probably not so much because I have a cold right now, but on a normal occasion—


CAROLE THERIAULT. bye bye. I bet you're a good singer, Maria.


MARIA VARMAZIS. I am.


CAROLE THERIAULT. You got a good key.


MARIA VARMAZIS. Yeah, I can tell. I am.


CAROLE THERIAULT. Yeah, yeah, I'm a good singer.


MARIA VARMAZIS. Yeah, I'm okay. I'm all right. Yeah, you're great.


CAROLE THERIAULT. You're a really good singer. What is that?


MARIA VARMAZIS. Is there a fly in the room?


CAROLE THERIAULT. Oh my gosh, did we get it?


MARIA VARMAZIS. Did we kill it? Is it dead?


CAROLE THERIAULT. Still recording.


GRAHAM CLULEY. Oh, I'm gonna hit stop.

-- TRANSCRIPT ENDS --