
190: Twitter hack arrests, email bad behaviour, and Fawkes vs facial recognition


Special guest Geoff White can't resist using the podcast to promote his new book, "Crime Dot Com", but other than that we also discuss the creepy (and apparently legal) way websites can find out your email and postal address even if you don't give it to them, take a look at how the alleged Twitter hackers were identified, and learn about Fawkes - the technology fighting back at facial recognition.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by "Crime Dot Com" author Geoff White.

Visit https://www.smashingsecurity.com/190 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Geoff White.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.

CAROLE THERIAULT. Hey, everybody, it's Carole here. So this is just a short message to extend extreme thanks and gratitude to our Patreon supporters.

And this week, we would like to feature Hades, Nathan, Richard Wade, Tappelcall, Sean Reifschneider, Jamie White, Mark Norman, Teppotastic Gentib and Roman Busser. Thank you all of you. You help make Smashing Security what it is as all our Patreon supporters do. If you would like to join our Patreon community check out deets at smashingsecurity.com forward slash Patreon. Now let's get this show on the road.


GRAHAM CLULEY. By the way, Carole, OG. Do you know what OG stands for? No. I can impress you now. Okay. Original gangster. Okay, there you go. I found that out from my nine-year-old. There's a lot of that kind of lingo going on in our house at the moment.


GEOFF WHITE. Whoa, it's so fly out in Oxfordshire, isn't it? Fly with a PH.


GRAHAM. Smashing Security, episode 190. Twitter hack arrests, email bad behaviour, and Fawkes versus facial recognition. With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 190. My name's Graham Cluley.

And I'm Carole Theriault. And this week we are joined by a regular guest. But also now a published author. It's Geoff White. Hello, hello.


GEOFF. Not quite published. One week to go. Oh, sorry. Monday 10th, that's the big day. Yes, yes, yes. It's been a sort of very long pregnancy, a sort of elephantine pregnancy where they just…


GRAHAM. It's a frackload of work, isn't it?


GEOFF. It is, it is, yeah.


GRAHAM. And what has come out of the backside of this elephant is a book called Crime.com. Indeed. Are you comparing his book to elephant dung? No, I hope not, because if I am, then I've got a pile of elephant dung beside my bed. I have managed to get my paws on an early copy of it, which I'm really excited about. I've begun to read it. It's got some good yarns in there, hasn't it, Geoff?


GEOFF. Yarns is exactly, yes, basically this is written for techies, but also the general public. And for the general public, you have to tell them a yarn, you have to spin them a yarn and that's, you've spotted it. That's my exact tactic.


GRAHAM. Even as techies, like a yarn once in a while. And so it's all stories about cybercrime, the bad guys, the hacking groups, what they've been up to, what they've been doing, how they've been caught in some cases, and its impact on society as well.


GEOFF. Exactly that. Yes, it goes through the really early days, the hippie hackers of California. There's this amazing crossover with the hippies and the sort of psychedelic refugees and sort of early hacking culture. And it goes all the way through to the election manipulation and vote rigging and disinformation stuff of the present day, which I think that's sort of cutting edge type stuff. So yeah, it's a full survey of the cemetery.


GRAHAM. Yeah, perfect August read, right? Now, Geoff, if our listeners are interested in this, but just want a little taster, would you be able to give them a little tease or something?


GEOFF. I think I could see my way clear to that. Yes, I think I could. In fact, the final chapter, the one that's all about the election hacking and the disinformation stuff, would be a doozy. Let's do that.


GRAHAM. So we will put a link in our show notes, so you can go and read that final chapter. For free. Yes, at smashingsecurity.com slash crime.com. When I say crime.com, that hasn't got a dot. That's the word crime.com, as in Dorothy. And you'll be able to read the final chapter of Geoff's book. Fantastic.


CAROLE. And then you're going to love it so much, you're going to race to go buy it.


GRAHAM. Indeed. It'll be too big and important to come on this podcast again, Carole.


CAROLE. What's coming up on the show this week? First, thanks to this week's sponsor, LastPass. Their support helps us give you this show for free. Now, coming up on today's show, Graham looks at how sexy fox costumes could reveal your privates. Your privates? Geoff looks at the recent Twitter hack now that FBI indictments are out. And I look at some of the ways people are trying to combat surveillance tactics. All this and much more coming up on this episode of Smashing Security.


GRAHAM. Now, chums, imagine for a moment that you're interested in checking out a book, maybe. Maybe a book by a celebrated, newly published author. And you think, oh, I'd love to find out more about that book. I'll visit an online bookshop. But then you change your mind. Maybe you're distracted by something else, right? And then, maybe half an hour, an hour later, you receive an email saying, hey, we saw you visited our website. How would you feel? What? So what, have I given them my email address? Nope. I haven't logged in or anything that. I'm just perusing the shop. You haven't logged in, you haven't given them your email address, and yet they know you came to their website and they've contacted you via email.


GEOFF. Well, surely, I mean, if Google or Facebook have got a tracking code on the site, then they could tie that together with your email. So all that's technically possible. In fact, now you say it, I'm kind of surprised that we haven't crossed that Rubicon yet. Is that happening?


GRAHAM. Well, imagine this. Imagine you have a particularly niche porn interest. Maybe you're a bit of a furvert on the side and you decide to go and visit. Wait, what now? Furverts. You thought you'd say that in.


CAROLE. Explain what you mean, Graham.


GRAHAM. What's a furvert? I am reliably informed that furverts are people who like dressing up as furry animals, like mascots at a football game. And they get their kicks from these sort of things. I wonder


CAROLE. If I should make an outfit that looks like my husband because he's quite hairy.


GEOFF. He is. I think you must be a secret furvert. I can't figure out what would be more disturbing, Carole, if he found that attractive or unattractive.


GRAHAM. So imagine you visit this site. You get your fill of whatever it is you want and then you receive an email saying, "Hey, we see you're a bit of a furvert." Or it throws it back in your face?

Well, or says we've got even more of that kind of stuff. Why don't you come back sometime? If you had never given them your email address, you're going to be rather disturbed, right?


CAROLE. Yes, considerably. And also, of course, if someone's got your email address and you never gave it to them, there's the potential for doxing or blackmail or who knows what.


GRAHAM. You better tell me how they got our email addresses.

There's a fascinating article on Jezebel. Jezebel has written about an outfit called GetEmails, a startup. They claim to be the all new audience growth tool for publishers. And they say they can convert, listen up, Geoff White, they say they can convert anonymous website visitors into names, email addresses, and even their home addresses.


GEOFF. What? Book sales sorted. Post them out.


GRAHAM. You may need to write another chapter, Geoff. Incredibly, they claim they can do this for around about a third of all US web traffic.


GEOFF. Jeez.


GRAHAM. Their claims are impressive. Well, let's look a little bit more into this. They say that their service is already being used by... Do you know that chap Tucker Carlson on Fox News?


GEOFF. Dweeb.


GRAHAM. Well, he is one of the founders of a website, quite right-wing website, surprise you, won't it, called The Daily Caller. And that is one of the sites which is using exactly this technology right now. So potentially someone could find out if you're partial to particular political views as well.


CAROLE. I don't understand. Sorry, you've lost me. So how is the Daily Caller, this website run by Tucker Carlson, taking advantage of this technology?


GRAHAM. So they are a customer of this firm called GetEmails. GetEmails is run by a guy called Adam Robinson. He's a former Lehman Brothers employee and his girlfriend, Helen Sharp. And they've actually put together a video where they explain how their thing works. You can go and check that out on YouTube. I'll put in a link. But I can explain it in very simple terms.

How does this all work, most importantly? So there are lots of scammy kind of websites on the internet, surprise, surprise.


GEOFF. No.


GRAHAM. I know, it's a shock. So there are websites which will claim, oh, we can get you better health insurance or we can get you better car insurance. Just enter all your details here and we will go away and find an answer for you, right? And what you don't do when you fill out those, or what most people don't do, is they don't read all the terms and conditions and the privacy agreement.

The thing you mock me about every week.


CAROLE. Well, exactly. You're one of the unusual people who actually does that, Carole. But those sites will gather all that information and they're not really set up to sell you health insurance and car insurance. They might do that sometimes or refer you. But what they're really doing is creating a huge database of people's contact details. And they are then selling those to people. And that is all apparently legal because people chose to give their information and they agreed to the terms and conditions.

To be marketed at, presumably, yeah.


GRAHAM. I've always thought those sites, you know, insurance compare sites or mortgage compare sites. I think that's exactly what a lot of them are doing.

Yeah, I think some of them are legitimate and they're getting a cut, obviously, of the deals.


CAROLE. But they say we are sharing this with interested parties on purpose to get you the numbers you want, right? They have to share that information with third parties and they don't have to give you a list, you know, here are the exact people we're doing because it's changing all the time. And some of them might be very bona fide companies and some might be shady.


GRAHAM. Well, one of the companies which is buying this kind of information is this company GetEmails. And what they've done is they've generated MD5 hashes, so a checksum for all of those email addresses. And they reckon they've got around about half a billion now, and they're adding about one million more every day. And they say they've also partnered with mailing list firms so that when folks click on a link in a newsletter and go to a website, a cookie can be set on their computer containing that MD5 checksum for their email address on their computer. And so what they're able to do is when you go to the Daily Caller website or another website which is running the GetEmails script, they can compare the hash in the cookie to the hash in GetEmails' database, which they've gathered from all of these sites around the world. And they've got all your other information, which you've filled in on that form.

GEOFF. Yeah, that's really interesting. So, I don't know, it's interesting because US law is obviously different to UK and European law. But there's just all sorts of legal issues with this. The idea is, you know, you give over the information for a particular purpose, you know, to get better car insurance, for example. The question would be, if I insert a clause saying, yeah, you're after better car insurance, but by the way, I'm going to keep your details handy and use it for this marketing exercise. Possibly you've got my consent. But if it's just to enter here for car insurance, and in some way, in the terms of conditions, there's a vague reference to being marketed at, I'm not sure what the UK and European rules would make of that, because it sounds like they're getting information for one purpose, but then using it for a quite different, but slightly related purpose. I don't know.


GRAHAM. Yeah, that's going to be my question. GDPR. You've put your finger on a very important point. And GetEmails admit that this isn't legal in Canada. It isn't legal in Europe. But it's 100% compliant with the US CAN-SPAM Act. God bless America. Under US law, you can send people unsolicited emails, as long as you give them an opt-out at the bottom. And they claim that all this collection of data is perfectly legitimate, and that's how they're doing it.


CAROLE. I don't understand how this works because I know that each state has its own privacy act they employ. Some of them are pretty strict, like California's one, and some are really, really weak. I don't understand whether the federal act supersedes those or, you know, just because it may fit in with the federal act doesn't mean they comply with California's privacy act. And what happens then?


GRAHAM. I don't know either. But all I can tell you is that GetEmails, they claim they're 100% legal for US consumers to do this. And if you go to their website, you find out it's not just the Daily Caller. There's also a fake news site called Western Journal. There's a trade publication focusing on stocks. There's a testimonial from a company called Newswire.com, which puts out press releases. They reckon within 60 seconds of putting the code on their website, they were getting hundreds of new contacts sent back to them. And you can see a legitimate need. I mean, I would flip out. Well, wouldn't you?

Exactly. If you got an email, you'd think, how many emails would I get? Think about it.


GEOFF. Well, you'd have to have a weekly digest, wouldn't you? You went to furry friends, then furberts, then furhies. It's basically spam. But it's interesting, you know, as you've described it, I was thinking, well, how does this work? And I thought, well, of course, it's obvious technically how it can work. And why haven't we, why has nobody tried to cross this Rubicon before? Obviously, in the UK and Europe, it doesn't sound like it'd be legal, but it makes perfect sense, you know, linking the cookie to the actual email address.


CAROLE. I'm not convinced. Just because they say they are 100% operating completely legally and are 100% compliant with the US CAN-SPAM Act and every other federal law and state law, well, prove it.


GEOFF. How is this different to the model of Facebook, where if I visit a website and Facebook's code's on it, and I then go to my Facebook page, the website that I visited that's got the Facebook code in it will then throw adverts at me on Facebook. Yeah, that's right. So to a certain extent, it's similar. It is similar.


CAROLE. Yes, but they're not sending you a private message on email. You know, they're not...


GRAHAM. It is similar to what Facebook is doing. It's somehow a little bit more intrusive and a little bit more creepy. Maybe just because we've just got used to Facebook acting like that. I don't know. The curious thing is these guys who are running the company, Adam and Helen and his girlfriend, Adam Robinson, his girlfriend, Helen Sharp. They seem to be reveling in the slight grubbiness of their operations. So they always address the legality issue. And they say, yeah, it is a bit creepy. It is a bit weird, but it's 100% legal. And I even found a video. So they've been making these short little videos in their homes, in their kitchen and wherever else, promoting their service. And I think they're trying to be as outrageous as possible. Maybe this is why they initially contacted Jezebel, asking Jezebel if they wanted the service. And then you covered it. Was knowing that they would cover it. And we've just covered it as well. But one of the videos which I'm now going to drive traffic to, for instance, is one where Helen is calling Adam a very, very naughty boy.


SPEAKER_00. So tell me, bad, bad boy, what does GetEmails do?

You put our script on your website and we identify 35% of your anonymous traffic and we give you email addresses you don't have on your list yet in real time.


CAROLE. Oh, that's so violating of people's privacy.


SPEAKER_00. It's 100% CAN-SPAM compliant and CCPA compliant. It's totally legal in the USA.


CAROLE. Oh, that's so bad. Tell me more.


SPEAKER_00. We send records directly to your email marketing account so you can get people back to your website. It's under 20% of the cost of getting an email any other way. Click through to learn more. Click through to learn more.


GRAHAM. Maybe you want to check that out, and then you'll get a sense of what these two are like. Click on the link. What, me? It's better than watching a ferret video, girl.


GEOFF. And he used to work where? Lehman Brothers. Oh, of course. Well known for their high ethical standards, as I remember.


GRAHAM. So if they're not calling each other very, very naughty, bad, bad boys for what they're doing. And some of the videos are quite funny, but they're obviously designed to provoke a reaction and try and get their name out there as much as possible. There's some other ones where she dresses up as a sexy fox. This is not the sun. What?


CAROLE. Smashing Security is not. What, are you trying to bring this down? It's an important, serious topic, this, Carole. Okay, why? Tell me why it's important and serious.


GRAHAM. Because I don't think people are aware that companies are able to get so much personal information, which they never gave those websites. Oh, and this


CAROLE. is just the fun factor now, kind of going. This is the thing that they're doing


GRAHAM. to get people to sign up with them. And more and more companies are beginning to sign up with them.


CAROLE. Well, I'm sure they're going to send you a thank you hamper for mentioning them on the show and helping build


GRAHAM. their credibility. This week's sponsors, GetEmails. So,


GEOFF. Geoff, what have you got for us this week? I'm just increasingly intrigued by the Twitter hack. I was intrigued when it happened, obviously. And now we've had two complaints come out from the FBI and three people charged in the US, including one person who comes from the UK, but is charged in the US. And it's just the detail in the criminal complaints is fascinating. I'm so glad you're covering this because I've not followed the story this week at all. So when it happened, frankly, you know, okay, you've got access, seemingly back-end access to Twitter. That's a huge amount of power. And whoever did it used it for a fairly crap Bitcoin get-rich-quick scheme. And as soon as I saw that, I thought, oh God, Bitcoin get-rich-quick scheme, using Twitter hacks, this is going to be youngsters. And so when the arrests came out, the charges came out, they are 17, 18 and 22, I think, from memory. And I thought, oh, that's skewing a bit old for what I thought was going to happen. So people don't realize there's this whole community of Twitter hackers. And it's kids who are just obsessed with personalized number plates on their cars. And they trade for thousands of dollars, these accounts, particularly what I call OG accounts. So @123 or @XYZ or @ABC. But it's weird to describe because, as I say, the trade around this is really, really febrile. And also because a lot of it's teenagers, they're all doxing each other and trying to hack each other's accounts. And when one of them pays one for the account, it doesn't come through. They blaze them on Twitter. So there's all this stuff going on. So as soon as I saw Twitter and Bitcoin, I thought, okay, potentially juvenile culprits here, not exactly organized crime geniuses. So yes, three charges have been laid. The 17-year-old officially can't be named.
The FBI hasn't named them, although they are named elsewhere on the web, weirdly by the people who are charging that person in Florida, because in Florida, a 17-year-old could end up being charged as an adult. But what's interesting is that inside the criminal complaints is this massive detail which the FBI always put out as to how they actually found these guys. This is obviously sub judice. It's subject to legal proceedings. So these are allegations at the moment, but they followed the breadcrumb trail along. So there was a Discord chat in which two people were discussing. One person claimed to be an employee of Twitter and person number two said, oh, great, can you get me access to these accounts? And person number one said, yes, what's the price? And they negotiated back and forth. So very early on, there was this confusion as to whether the Twitter hack was because there was an insider at Twitter or whether it was somebody that hacked. And I think,


CAROLE. Graham, you thought that might be the outcome.


GRAHAM. It was an early theory, that's right, that there could be an insider who'd either had their account hijacked and their credentials stolen, which I think is what they're now leaning towards. It makes sense as well. Or whether it was someone knowingly assisting the hackers.


GEOFF. So looking at this chat, you could understand why a complicit insider was the theory. Twitter obviously said, no, this was phishing and seemed to be pouring cold water on that. What's interesting is the FBI have charged the buyer, if you like, of this service, the other side of the chat, who is saying, hey, can you get me this account? I'll pay you X amount. But they haven't named the person who claimed to be a Twitter insider. So we don't know whether that person yet is actually a Twitter insider or not. Interesting, interesting. But then what happens is, so the person who's buying the Twitter accounts and buying access to this says, oh, here's my Bitcoin address. So what's the next step for the FBI? They find where the wallet address has been set up. It's a cryptocurrency exchange. And they say, well, okay, here's a subpoena. Who set up this wallet address? And you get through a few more steps. And of course, as anybody who's recently experimented with cryptocurrency, they ask for your passport or your driver's license. So sure enough, the cryptocurrency exchange says, oh, here's the driver's license that was used to set up this account. And that's allegedly led to arrest number one, charge number one.


GRAHAM. Which is kind of crazy. I mean, even though they're teenagers, you would think if you're asked for something like that, if you're setting up a cryptocurrency wallet for criminal purposes, the first thing you do is you probably go and buy some fake ID, right? A fake passport at the fake passport


GEOFF. shop? Right. Fake passport to us. Because you're 17? A, the OPSEC was not exactly spectacularly high the whole way along. B, as Carole points out, they're 17. But C, also, I'm not sure whether this wallet address was originally set up for crime. It was just – and this is the thing, you know, if you look back at the Silk Road case actually years ago, Ross Ulbricht originally didn't set up his email addresses for criminal purposes. It's just later on when he was later in the criminal purposes, he reused that early email address. So remembering what ID you attached to what in the past is actually quite difficult.

Other thing that's interesting about this is they start to unravel this. Then there's this issue of, okay, there's a forum called OG Users. So OG are these Twitter accounts, @123, @ABC and so on, right? By the way, Carole, OG, do you know what OG is?


GRAHAM. I can impress you now. Oh gosh, okay, original gangster. Okay, there you go, I found that out from my nine-year-old who's very. You sure he's right?

Yeah, no, I do. I think there's also OP as well as the other one is. What's OP? Overpowering or something, yes. But there's a lot of that kind of lingo going on in our house at the moment.


GEOFF. Whoa, it's so fly out in Oxfordshire, isn't it? Fly with a PH. Do you spell Oxfordshire with like two zeros instead of two? It's Oxford, O-X-P-H-O-R-D. Classy.

Anyway, so OG Users is the forum where a lot of these guys hang out trading Twitter accounts, OG Users got hacked a while ago, presumably by a rival site, and the database of OG Users was leaked. And this includes a lot of stuff, email addresses, IP addresses, and so on. So the FBI starts sniffing around some of the people who are involved in this Twitter hack, allegedly, and they have a copy of the leaked database.

So they start looking up the users on OG Users who were involved in this, and they start coming out with email addresses, IP addresses, and so on. And what I find fascinating is cybercriminals have been hacking into websites and leaking databases for years. What they haven't realized is they think that they're doing that as a criminal act for other criminals, but now it raises the prospect that the FBI and other law enforcement agencies are using this like a sort of Google search engine. So when they get a suspect in a case, they can go after them. Amazing.

It is, actually. They've turned some of the criminals' tools potentially, allegedly.


CAROLE. The road to good intentions. No matter what they are, it can always flip.


GEOFF. Exactly. But I mean, they made a hundred grand, I think, in Bitcoin out of this scam.


CAROLE. I can't even believe that because I'm not surprised they're 17 based on the messages they put out on Twitter. Graham tried to profess that loads of people fell for it. And I was looking at them going, really?


GEOFF. The original hacks were cryptocurrency exchanges. So I think Binance is one of the Twitter accounts that was affected. Binance, interesting pronunciation. We've covered that, Carole. Just say.

Binance. Exactly.


GRAHAM. Binance. Some people think it's like Beyoncé.


CAROLE. Some people think it was Beyoncé.


GEOFF. But anyway, so then obviously they end up getting into like Barack Obama and all these people. So obviously that's going to, you know, nobody's going to believe Barack Obama's like, hey, I'm into Bitcoin now. I'll double your money. I'm a tech god. Had they stuck with the cryptocurrency exchanges, they might have more luck.

Me and my buddy Musky. But anyway, so this is yet to be heard. But obviously, nobody's guilty until they've proven guilty. So we'll see where this happens. But I suspect when these youngsters come to court, it'll be, which presumably will happen. They must be bricking themselves.


GRAHAM. Well, one of them is based in the UK, isn't he? Yes, yes, yes. Yeah, he's in Bognor Regis. Glamorous Bognor Regis. Oh, Bognor Regis.

And I wonder whether the Americans will want to get their hands on him or not.


CAROLE. Well, Bojo's standing in between that, so.


GRAHAM. Chlorinated chicken, get emails, and the kid from Bognor Regis.


GEOFF. Those were our three demands. Fervent emails. Chlorinated chicken and that kid from Bognor Regis. And then we're done. Then we're done. You can sign off on that. That's it.


GRAHAM. Carole, what's your story for us this week?


CAROLE. Okay, so we start back in June. Now, in June, IBM made the rather surprising announcement that it would stop selling, researching, or developing facial recognition services. And we were all like, whoa, that's a big deal. And then Amazon and Microsoft kind of followed similar suit, right?

And this was largely due to pressure related to increased visibility of unwarranted police brutality. So these were all good first steps for these big firms. But there is a firm here that should be listed and isn't. And that is Clearview AI, a company we've mentioned a number of times on this podcast.

But a quick refresher. So this is a company that has scraped billions of faces off the web from sites like Facebook, Twitter, LinkedIn, Google, etc., etc., etc., and made them available to places like law enforcement. So any pic of a person you have, you could just drop it into the Clearview AI app, and presto, here are all their images of that person that have been scraped. If you click on one that's LinkedIn, you'll get to their LinkedIn profile. If it's a Facebook one, you go to the Facebook profile.


GRAHAM. And it was incredible. It wasn't available on the iPhone App Store, but I know they made it available to some influencers, for instance, in those early days. Yep. And people would show it off in restaurants or things. It's like, oh, you fancy that girl over there? Let me tell you what her name is. And you take a picture. I mean, really scary, creepy stuff.


CAROLE. So I went and looked at their website just to see how they're handling this, right? And you know what their slogan is front and center? Computer vision for safer world, which I don't even know what it means. Computer vision for safer world. But anyway, that's true of—


GRAHAM. Most mission statements, though. You can't really understand what they're saying.


CAROLE. Yeah. So they're very strongly pushing. They're saying they're a research tool used by law enforcement agencies to identify perps and victims of crime. And, you know, it's helped track down hundreds of at-large criminals, including pedophiles, terrorists, and sex traffickers.

Already, I'm really annoyed with the inflammatory language here, right? There's a lot of words that are basically saying, without us, you know, the world is going to go to shit. And, you know, you're reading this and you're thinking, I wonder what the Electronic Frontier Foundation, the EFF, think about this.

They must be totally on board, right? So I just put in Clearview AI and EFF to see what would come up. And the first thing that came up was an article called, "Yet Another Example Why We Need a Ban on Law Enforcement Use of Facial Recognition."

So reading on that, there are two big arguments as to why facial recognition is considered scary, because some people are thinking, what's the big deal? In the States, in Canada, at least, real estate people, for example, put their actual mugs and their full names on billboards across the city crooning about their real estate prowess, right?

And people on social media, I mean, we all have somewhere where we're publicly billboarding about ourselves. So what's the big deal with the surveillance aspect?

So the two big arguments, one is that it's going to disrupt relationships between enforcers and communities. And I think we can all look and see the disruptions that have happened in the States in the last few months and see that that is indeed happening.

And imagine women who are outside in public and they could get snapped and cyber stalked by someone with this app, just go tappity tap, tap, tap on their phone. Yeah, it's very creepy.

The other big argument is that democracy is threatened, right? There are countless studies that show that people who think the government is eavesdropping or watching them alter their behavior to avoid scrutiny. So it means people don't speak out because they're afraid of being identified, targeted, hunted down, whatever.

So those are the two big camps of argument. Now, the problem is, it's not just authorities that have access to the software. You mentioned earlier, you know, these rich guys in clubs were using it.

The New York Times did a big expose on that. But it's companies like Macy's and the NBA and that little known company called Best Buy, right? Why are they using this software?

Ultimately, the main problem here is there's not nearly enough legislative oversight, right? Let alone understanding of its power from our federal authorities.

But there's evidence of people getting fed up with waiting for legislation. And they're taking privacy screwing mass surveillance into their own hands. Okay. So I've got two that I want to—


GRAHAM. Introduce you to. So these are people who, because legislation is taking so long, they're looking for ways to mess up facial recognition.


CAROLE. Not just mess up, but redress the balance of power. Okay. So one is something that the EFF put together called the Atlas of Surveillance. Okay. And this is a database of surveillance technologies across the US.

And just this week, this Atlas of Surveillance has been updated to include searchable, it's a searchable interactive database. And you can now see which cops are using body cameras, drones, automated license plate readers, Ring Neighbors apps, camera registries.

I don't know, if you looked in your neighborhood, right? And you saw that the cops were using all these facial recognition-y software and predictive policing measures, would you feel happy?


GEOFF. In a word, no. But anybody who's seen my previous output on facial recognition won't be surprised by that answer.


GRAHAM. Yeah, I was about to say, you've been quite outspoken on this, haven't you, in the past, Geoff?


GEOFF. I created a website called facialrecognitionmap.com, which is an online record of all, as far as I know, all the facial recognition uses going on in the UK. And I just find with this, you know, when Facebook was formed and we all merrily upload our pictures to our Facebook profiles, it just shows you the unintended consequences that come down the line.

You say, oh, what's the problem? What's the problem? And then suddenly it's, well, yes, you can basically be snapped in the street and somebody can stalk you and find out what your name is and where you live and who your friends are just by pointing a phone at you.

That's the genuine potential consequence now. So yeah, it's fascinating.


CAROLE. It is. One of the findings from this Atlas of Surveillance was the US had 130 law enforcement tech hubs that are able to process real-time surveillance data. That's kind of scary, eh?

You're thinking you're in a neighborhood in the States, you want to know what cops are doing or you want to know what the authorities are doing. This is a good site to go and find out what your local cops are up to.

Here's another wackier approach, okay? It's called an image cloaking device. They called it Fawkes, after Guy Fawkes.

And this comes from a recently published paper from the University of Chicago. Okay, so here's the gist.

Is it a balaclava? It's so great.

Okay, at a high level, Fawkes takes your personal images and makes tiny pixel-level changes that are invisible to the human eye in a process they call image cloaking. Okay, so you can use these cloaked photos as you normally would.

You share them with your friends, put them on social, print them, whatever. And you just use them as you would any other photo.

The difference, however, is that when someone tries to use these photos to build a facial recognition model, the cloaked images will teach the model a highly distorted version of what it thinks you look like. And they claim it's 100% effective.


GRAHAM. So the photos still look like you. Okay, that is very good.


CAROLE. So I was thinking, you know, we could take tiny little bits of Piers Morgan, right, Clue, tiny little bits of him and put his little pixels into your face, maybe a few Tom Hanks, right?


GRAHAM. We're both quite handsome. Oh, don't bring Tom into it. Okay, so.


CAROLE. New York Times journalist Kashmir Hill wrote about this. She tested it so she goes to test the tool.

I asked the team to cloak some images of me and my family. I then uploaded the originals and the cloaked images to my Facebook to see if I fooled the social network's facial recognition system.

It worked. Facebook tagged me in the original photo, but it did not recognize me in the cloaked version.

However, the changes to the photo were noticeable to the naked eye. In the altered image I look ghoulish.

My three-year-old daughter sprouted what looked like facial hair, and my husband appeared to have a black eye. Now, apparently, later on in the article, they talk about how they really amped it all the way up just to make sure it would work completely for her stuff.

But still, there's an issue, right? Just a small one.

Well, yeah, because the whole problem with people sharing stuff on Insta and on Facebook is to look fantastic and have the most perfect life ever. They don't want to have hair coming out of their eyeballs.

So then the New York Times went to the Clearview CEO, right, to find out what his views are of the Fawkes data poisoning approach. And he said, there are billions of unmodified photos on the internet, all of them on different domain names.

In practice, it's almost certainly too late to perfect technology like Fawkes and deploy it at scale. And you know what, I think he's probably right.

That's why we need legislation. It's we've all become celebrities and you know these police and corporations are the paparazzi constantly hounding us to turn a dime.

You're totally right. Hey, but it's not that bad, right? You can flip those frowns upside down. We can just go to Zoom, can't we, and share our deepest, darkest secrets, and no one's ever going to know about any of those.

Depends who's on the other end of the Zoom conversation doesn't it? Or who's decided to Zoom bomb you.

So yeah, fun old world right now. It's a digital wild west.


GRAHAM. So right now, your best advice for avoiding facial recognition is to wear a sombrero or something that.


GEOFF. Well, wear your coronavirus masks. One thing that I've never figured out about facial recognition is that they largely rely on pupils.

Basically, the pupils are super reflective and most of them, not all, but most of them rely on pupils. Aviator shades, mirrored shades.

It's the one question I've forgotten to ask all the facial recognition people. Does it work with mirrored shades?

Some of them do nose and chin and all that kind of thing. But again, if you've got a mask and mirrored shades on these days, I reckon you're good to go.


CAROLE. I love a pair of aviator mirrored shades. I'm going to get us a pair.


GEOFF. Tom Cruise, Top Gun. Oh, no, no, don't bring him up.


CAROLE. Hey, you IT security guys out there, I know that you have a tough job. If you want to increase security without impacting productivity, if you want to secure every entry point to your business, if you want to unify access and authentication, then check out LastPass.

They have the tools to make your life easier. Learn more at smashingsecurity.com/lastpass.

Oh, and the rest of you out there, don't freak out. There's a free password manager for home use.

Check it out at smashingsecurity.com/lastpass.


GRAHAM. And welcome back. And you join us on our favorite part of the show, the part of the show that we like to call Pick Of The Week. Pick Of The Week. Pick Of The Week.

The week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app. Whatever they wish. Doesn't have to be security related necessarily.

It better not be. And I have been trying to play some games, because of course it's August now, summer holidays. And I've been trying to play some games with my son, which are not video games, but old fashioned, good old board games.

Oh, have you? Yes. And so I have found a game which is called Rush Hour, which is similar to a wooden block game called Klotski, if you've ever seen Klotski, which I believe a version of it did ship in a Microsoft Windows Entertainment pack many years ago.

So Rush Hour is a sliding block puzzle game invented by a guy called Nob Yoshigahara in the 1970s. It's produced by ThinkFun Games.

This is a physical game. And it's played on a six by six grid. And you have little cars, vehicles and lorries of different sizes.

And they're all jam packed. It's like a traffic jam or imagine a really crowded car park. And what you have to do is just slide cars back and forth. You can't go around corners. You can't turn them.

So just going left, right or up and down. You have to maneuver them in order to get your car out of the car park.

How does a car move horizontally? Well, let me explain. So some of them are placed perpendicularly to the others, so they're all going forwards and backwards, but some are sort of north-south and others are east-west, yeah.


GEOFF. This sounds like you know every Saturday in the IKEA car park before lockdown for me. I don't know how is this entertainment?


GRAHAM. Oh, it's so much fun because, of course, you start with really easy puzzles. So it gives you about 60 or so little puzzles with layouts, which you can put them in. And you start with these and you think, this is a doddle.


CAROLE. Oh, this is like Unblock Me.


GRAHAM. Yes, exactly. I was about to say.


CAROLE. Yes, we should have just said that at the beginning. Everyone knows Unblock Me.


GRAHAM. Oh, do they? Well, anyway, so there was allegedly a Rush Hour app for Android and iOS, but I can't find them any longer. So the closest I found is Unblock Me, as you mentioned.

Which is for iOS, and I'm sure there are similar ones for Android as well. We're putting a link to Unblock Me, so you can check it out if you're a cheapskate. But I've had a lot of fun with this, and some of them are extremely complicated.

Is your son having fun? Surprisingly, yes. Oh! This has been the big shock to me.

This morning, he ran upstairs. I was in bed snoring away. He said, Dad, Dad, Dad, I've finally done number 23.

Does he really speak like that? Pretty much. He wants to come on the podcast to promote his YouTube channel. I'm not sure if he's ready yet. Maybe for episode 200.

You don't think he's ready yet? Nine. Nine? Maybe he is.


GEOFF. Do it now. Do it now because in a few years' time, you'll be begging to go on his YouTube channel. He'll be like, not yet, Daddy.


CAROLE. Not now, when you're 65.


GRAHAM. Anyway, my recommendation is Rush Hour, or if you can't get hold of a copy of that, you can get the digital equivalent, which is Unblock Me. And it's good fun. Good brain. You're thinking logically, you know. It's visualization and it's quite a clever little game.

I enjoy it. Great. Cool. And that is why it's my pick of the week.


GEOFF. Geoff, what is your pick of the week? Pick of the week, I guess at the moment, there's a book I'm reading, which is amazing. Amazing book called Origins. It's written by a guy called Lewis Dartnell, who's an astrobiologist of all things.

I've no idea what the fuck that means.


CAROLE. I was going to say, like aliens?


GEOFF. Astrobiologist, and your eyes just glaze over and go, yeah, okay. This book basically is how geography and geology and our geological history of the world has basically shaped everything about us. You can trace everything, all of our entire current existence, you can trace it all back to the geological age-old shifts and stuff.

So, you know, the reason we have family units, the reason, Graham, you have a kid who wakes you up early in the morning with information about games, is because of the Panama Canal. So basically, the Panama Canal used to be open, that gap between North and South America. And so warm water from the Pacific would go to the Atlantic.

And that closed that gap before we opened up the Panama Canal. The Atlantic got colder. Africa started to dry out. And the trees started to die.

So we came down from the trees and instead of working on all fours, we started to walk upright. And when you walk upright, your pelvic bones have to come together to support your body. And because your pelvic bones come together, the amount of baby you can push out between the pelvic bones reduces.

So you have to give birth to a younger child, which means when babies are born, they need looking after. So mummies and daddies have to look after the little baby. So basically the reason we have a family unit is thanks to Panama.

It's full of stuff like that. It's the most amazing book. It's incredible stuff.


CAROLE. As a woman, I don't think any lady out there would want to give birth to a bigger baby.


GEOFF. Well, exactly. Exactly.


CAROLE. You might do if you had a wider pelvis.


GRAHAM. Yeah. No. No. I don't think anyone would be like, yeah, yeah, give me a 40 pounder.

But it might be a kind of match. Don't you think

GRAHAM. That if men were the ones who gave birth, they would be bragging about the size of them? It's like the Olympics.


GEOFF. It's true. You don't see women on Instagram "You just had a kid, it's eight pounds something, yes, get in there!" Or get out of there, as it were. But exactly, you might have men, it might be a different story. That's hilarious. Okay.


CAROLE. Cool, so that sounds fascinating astrobiology. You'll tell us what that is next time.


GRAHAM. Very nice, Carole. What's your pick of the week?


CAROLE. Okay, so mine is season two of Umbrella Academy. It just came out on Netflix. Did any of you watch the first season?


GRAHAM. What is an Umbrella Academy?


CAROLE. It's a TV series. Right. And it revolves around a dysfunctional family of adopted sibling superheroes.


GRAHAM. It was bloody superheroes, isn't it?


CAROLE. No, no, it's dark. It's dark. It's dark. Now they reunite to solve the mystery of their dad's death and the threat of, of course, impending apocalypse. Apocalypse. Apocalypse. Apocalypse. Yeah. So okay, so the academy is led by the monocle. He purchases seven of the 43 superhero babies that are apparently born on this particular day and creates the Umbrella Academy. Anyone famous in this? Yes, there's loads of famous people, but I don't pay attention to that. Of course, no, there are loads. Literally my husband's like "Oh wow, wow, wow, wow." I don't even know. I don't know anybody. But yes, and good acting. But what I love is they've kind of done some movie pastiches that you'll recognize. So there's some really great kind of Hitchcock styled shots. And they've just paid attention to like the composition of images. And it really shows. And I like that a lot. And it's also a bit dark and quite clever. And it's not kind of cutesy wootsy. It's got a real edge to it. And it's from a comic book. It was a comic book first published in 2008, written by Gerard Way and illustrated by Gabriel Bá. And it looks awesome. I haven't read it yet, but it's on my list, Graham.


GRAHAM. Birthday, just saying. All right, I noted, right.


CAROLE. So dark, clever superhero mystery thriller is what I'd say.


GRAHAM. So people are in it include Ellen Page. Remember her from Juno? Yes, that's right, yes. And also Mary J. Blige apparently is in it. Yes, she is in it. So see, I did know that. I just didn't remember. Blige. Actually, Blige.

Yeah, Graham. Of course.


GEOFF. And you thought you were fly out in Oxfordshire. Oxfordshire.


CAROLE. Graham, fly. Right. So if this sounds like it's your thing, check it out. I don't think you'll be disappointed. Umbrella Academy, Netflix, season one and two are now available.


GRAHAM. Well, that just about wraps it up for this week. Although I've got a little shout out to do. First of all, I was contacted by a chap called Julius out in the Philippines, who is teaching InfoSec to some of the kids out there. And it turns out what they really like to do is listen to the Smashing Security podcast. Can you believe that? It's one of the projects they've been doing. And they were put into teams. And one of the teams —


CAROLE. Is he a lazy teacher?


GRAHAM. One of the teams at the De La Salle University in Manila, they have named their team Team Graham Cluley. They're going to lose. I've been asked to give a little shout out to Erica Chan, Miles Chan, Shireen Ching and Stanley C. I think I apologize if I got your names wrong. Thank you for listening from me and Carole and Geoff, of course.


GEOFF. But also, if they're in the Philippines, they will — not to plug my book again — but there are two entire chapters in which the Philippines and its hackers feature strongly. So guys, if you're out there, it's available on Amazon.com as well.


GRAHAM. And keep your noses clean, kids, so that you don't end up in Geoff's next book. Now, Geoff, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?


GEOFF. Best way's on Twitter. I am Geoff — Geoff with a G — G-E-O-F-F — White, like the color, and numbers 247, because I'm Geoff White all day, all week.


GRAHAM. And you can follow us on Twitter at Smashing Security, no G, Twitter and so to G. And you can also join our Smashing Security subreddit. And don't forget, if you want to be sure never to miss another episode, subscribe in your favorite podcast app, such as Apple Podcasts, Spotify or Pocket Casts.


CAROLE. And a big thank you for listening, supporting us and sharing our work with friends, family and even enemies. Also high five to this week's Smashing Security sponsor, LastPass. Its support helps us give you this show for free. Check out SmashingSecurity.com for past episodes, sponsorship details, and a free chapter of Geoff's new book.


GRAHAM. Until next time, cheerio. Bye-bye. Bye. Bye. Geoff, I was sort of Googling your facial recognition stuff as we were talking about, because I remembered you had done some sort of website. You've got an article where it's called "Accuracy and Facial Recognition," but you've spelled it "fecognition" in the title. I've just sent you a link so you can — oh, oh gosh, okay, all right, okay, that's useful, yeah.


CAROLE. That Graham, Graham's very good at the shit sandwiches. What he meant to say was: really, really good website, noticed a tiny, tiny typo, I'll send it to you by email, amazing site, amazing work. The shit sandwich, I love that.

-- TRANSCRIPT ENDS --