Kalashnikov unveils its "smart" shotgun, San Diego struggles with its street lights, and a researcher reveals how he found a way to hack every Tesla on the planet.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by David McClelland.
Visit https://www.smashingsecurity.com/196 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: David McClelland.
Sponsored By:
- LastPass: LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
- But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
- Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
- Immersive Labs: Immersive Labs delivers hands-on, challenge-based training and exercises to make your team ready to fight real-world threats.
- Check out their free ebook all about the MITRE ATT&CK framework, and how you can use it as part of your cyber skills strategy and improve your security posture by identifying weaknesses.
- Go to immersivelabs.com/smashing
Links:
- Kalashnikov smart shotgun - MP-155 Ultima.
- Kalashnikov reveals first Russian-made smart shotgun MP-155 Ultima — YouTube.
- Mike Jernigan, blind veteran, uses a TrackingPoint system to land a 300+ yard shot — YouTube.
- See how a self-aiming sniper rifle can be remotely hacked — Hot for Security.
- Tesla Network Vulnerability Report - 2017-03-24 (Annotated) — Google Docs.
- The Big Tesla Hack: A hacker gained control over the entire fleet, but fortunately he's a good guy — Electrek.
- Smart Streetlights Program — City of San Diego.
- Cops Tap Smart Streetlights Sparking Controversy and Legislation — IEEE Spectrum.
- Mayor orders San Diego's Smart Streetlights turned off until surveillance ordinance in place — The San Diego Union-Tribune.
- Mayor was right to shut off Smart Streetlights — The San Diego Union-Tribune.
- Hints of life on Venus — University of Manchester.
- "This Is Paris - The Real Story of Paris Hilton" — YouTube.
- “This is Paris” is a quixotic redemption story about what it means to be a human and a brand at once — Salon.com.
- Moriarty's Game: A Killer in the Hive.
- Castolog - a podcast recommendation podcast — That's Not Canon Productions.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Privacy & Opt-Out: https://redcircle.com/privacy
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
CAROLE THERIAULT. Hey everybody, it's that time again where we shout out to our favorite supporters, the Patreon supporters. This week, special mention goes to Alex Amarth, John Morris, Phil, Timothy Prindle, Aisha Kenmori Bish, Azam Shad, Sriram Datar, Danielle Kromek, Simon Cook, and Christopher Bonney. Now I think it is incredibly cool how diverse and international all our Patreon supporters sound. But I gotta say, I'm not seeing a lot of girl names. God, I'd love to see a few girl names here. That said, I love you boys. I love you all. Thank you so much for supporting Smashing Security. If you want to join this incredible club of people, check out our Patreon information at smashingsecurity.com/patreon. Okay, let's get this show on the road.
GRAHAM CLULEY. A couple of their reporters got hold of one of these guns, and they found that they could hack it remotely via Wi-Fi. And what they were able to do was not only a denial of service attack against the rifle to prevent it from shooting, but they could even get it to deliberately miss its target. So you'd have something in the aim, but the actual gun itself would fire slightly askew. They even managed to hit the target next to the one they were aiming for.
CAROLE THERIAULT. Maybe this existed in the time of JFK, and this is why we have no idea to this day of who actually shot him.
GRAHAM CLULEY. Maybe they were aiming for Jackie. Yeah. And they hit John instead.
CAROLE THERIAULT. No one would aim for Jackie.
UNKNOWN. Smashing Security, Episode 196: Smart Guns, Smart Cars, and Smart Streetlights. Oh my. With Carole Theriault and Graham Cluley.
GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security, Episode 196. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And we're joined this week by tech journalist and gadget guru, David McClelland. Hello, David.
DAVID MCCLELLAND. Hello, Graham. Hello, Carole. Good to speak to you both.
CAROLE THERIAULT. David, so glad you're back.
DAVID MCCLELLAND. Yay.
CAROLE THERIAULT. It's a big day today, day of recording, isn't it?
DAVID MCCLELLAND. It is for people in the consumer technology industry because it is the day where Apple announces its brand new toys for the holidays season. Although kind of exactly what they're going to announce is a little bit up for debate and we'll find out in a few hours' time as of the time of recording.
GRAHAM CLULEY. Yeah, so the funny thing here is that we put out the podcast at like, well, late night Wednesday UK time. And by the time anyone listens to this, it'll be all over the tech websites. So what would be nice is, can you give us your predictions? Then we can judge you next episode on your success. What do you think Cupertino is going to announce?
CAROLE THERIAULT. Name three things you think are going to be announced.
DAVID MCCLELLAND. Yeah. Oh, you're putting me on the spot there, aren't you? Thanks for that. So there's definitely, definitely, there's a very high confidence rate that there's going to be at least one new watch type device, probably a Series 6 Apple Watch of some description, and possibly a lower-end one as well. I say lower-end, something to compete with the likes of Fitbit, you know, in the kind of like £100-£200-odd category. So something like that. We also think there's going to be some new iPad announcements as well, but probably what may steal the headlines— and again, I'm saying this with the event being 4 hours away, and by the time this comes out, everyone will know whether I'm right or wrong already— but probably I think the big news will be what isn't announced. We don't think the next iPhone is going to be announced yet. Now, every year at this time of year, beginning of September, for the last goodness knows how many years, this has been the point at which Apple shows off its brand new smartphone. But it already said it's going to be a few weeks late with it for obvious reasons this year. So we think that it's not going to announce or fully reveal the iPhone. I suspect that there will be a tease of it and there will be a follow-up event either later in September or beginning of October because it's a virtual event. They're not having really anybody there. It's all being filmed in advance, we presume. So it doesn't really cost them loads more money in terms of flying journalists over. It's just an extra bit of filming on their part. So, you know, the more anticipation they can build up, all the better it is for their PR machine.
CAROLE THERIAULT. Mm-hmm. Okay.
GRAHAM CLULEY. They definitely want to get it out for the holidays, won't they?
DAVID MCCLELLAND. Oh yeah, absolutely. Along with, you know, they're hurting for money.
CAROLE THERIAULT. Is that why?
DAVID MCCLELLAND. Yeah, exactly. But along with all the rest of the devices, you know, they're talking about new in-ear kind of AirPod type things, but also it's their software services. Apple's going big on trying to make more money from the ones and zeros that it sells, so it might bundle up some stuff this year in terms of games and movies and whatever. So, uh, so yeah, watch this space, or if you're listening to this later on this week, you've already watched this space and you'll find out how inaccurate I am.
GRAHAM CLULEY. What do we got coming up in the show today, Carole?
CAROLE THERIAULT. First, let's thank this week's sponsors, LastPass and Immersive Labs. Their support helps us give you this show for free. Now coming up on today's show. Graham looks at smart guns. Dave musks up and gives us a Tesla lesson. And I delve into the twisty turny smart streetlights snafu that happened in San Diego. This is crazy. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, chums, you can probably already hear the jingle jangle of sleigh bells because it is under 100 days until Christmas.
CAROLE THERIAULT. Most kids will be getting coal this year, and be grateful.
DAVID MCCLELLAND. Why do sleighs have bells on them? Because surely the whole point of Santa is to be kind of fairly silent.
GRAHAM CLULEY. Yes, furtive.
DAVID MCCLELLAND. You know, trying to kind of sneak around a little bit so kids don't see them. The last thing really he's gonna have is dirty great big jingle bells on his sleigh waking all the kids up. So I've always wondered that.
CAROLE THERIAULT. As he can fly and do everything that basically almost, you know, a god can do, I'm sure he can just go, "Bells, make no noise." Well, he must also be breaking the sound barrier as well.
GRAHAM CLULEY. Right. I mean, it is impressive what he does.
DAVID MCCLELLAND. You know, I once did something for Computing magazine when I did stuff with them. I had to pretend to be— and this was a 15-minute film— Santa's CIO. So I was being interviewed by the lovely Stuart Sumner, who was the editor of Computing magazine at the time. I had all of the facts and figures that we painstakingly researched about how fast Santa would have to be to go around the world, about the big data operation and analytics to make sure that, you know, it was all just-in-time delivered by the elves. It was a fascinating story.
CAROLE THERIAULT. Did anyone ask you, as a CIO, how are you feeling about the security of an unknown person coming into everyone's house around the world?
GRAHAM CLULEY. What about GDPR and his list? Exactly!
DAVID MCCLELLAND. Oh, I know. I think as close to that, as close to that as we got was the fear of competition from the Easter Bunny.
GRAHAM CLULEY. Well, you might be wondering what to buy your loved ones for Christmas this year, and I think I've got the solution for you. For the man or woman who's had everything in the past, you will soon be able to grab a Kalashnikov smart shotgun, the MP-155 Ultima.
CAROLE THERIAULT. Is this what you want, Graham?
GRAHAM CLULEY. It's not necessarily what I want, but I think there will be some people who will watch this video of this gun and think, "Ooh, that's cool," because it is, of course, part of the Internet of Things.
CAROLE THERIAULT. An IoT smart gun.
GRAHAM CLULEY. Yes. And a Kalashnikov. You may have heard of those before, Carole.
CAROLE THERIAULT. Yes, yes.
GRAHAM CLULEY. Yes, right. So this is quite a serious bit of hardware. And as well as being all the general nasty things which guns do, it also will synchronize with your personal gadgets. So you—
CAROLE THERIAULT. With the new Apple iWatch.
GRAHAM CLULEY. Well, maybe, who knows? So maybe you'll be able to text people via Bluetooth in the vicinity. Before you shoot them, I don't know. Anyway, this Russian-made gun offers synchronization, as I said, with all your gadgets and gizmos.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Has a built-in computer, a Raspberry Pi. It has a video camera, so it will actually store on board on the camera.
CAROLE THERIAULT. Oops, I just shot someone. Delete, delete, delete.
GRAHAM CLULEY. Well, videos of, you know, what gets shot, of you in action. And it doesn't have to be you shooting a person. Because some people are quite keen on going hunting as well.
CAROLE THERIAULT. Okay, so I guess it makes it easier though, because you don't have to hold your iPhone and your gun at the same time when you're out shooting the cans in the back garden.
GRAHAM CLULEY. Yes, I found that quite complicated. Yes, yes.
CAROLE THERIAULT. Yes, cumbersome, cumbersome.
GRAHAM CLULEY. Yes, when I've been staking out the prairies in the wilds of Africa, when I've been out there in my pith helmet, it's been always difficult. Yes. It's actually quite difficult to get a Wi-Fi signal as well, but this thing will connect via Wi-Fi and Bluetooth. It's got a USB Type-C port. How cool is that?
DAVID MCCLELLAND. Oh yeah, USB-C. I mean, that's good. It could have been a micro USB, which would be really, really bad news.
GRAHAM CLULEY. Wouldn't you have hated that? Having to find a connector for a micro. Just think, for goodness sake, I've spent thousands and thousands on this gun. And, but yeah, but, and that will be for connecting to a full high definition camera. So FHD, you must know about that. Kind of thing.
CAROLE THERIAULT. I just need to know if it's 1080p. That's what my dad told me was really important.
GRAHAM CLULEY. I think the FHD is at least 1080p.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Okay. Yes. I don't think it's ultra high definition.
DAVID MCCLELLAND. No, that would be 4K, but no.
CAROLE THERIAULT. Right.
DAVID MCCLELLAND. Okay. Okay. So it's certainly a well-connected shotgun. Crikey.
CAROLE THERIAULT. Are you guys thinking this sounds fun? Because I'm not sure it's for me.
GRAHAM CLULEY. Yeah, I don't think it's for me.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. But it of course raises some interesting questions. I mean, it's no surprise that it comes out of Russia, of course. With all these cameras attached to it, because Russians do love their dashcams, don't they? They love to film as they're driving around. And more and more people around the world actually are doing that, aren't they? Whether it be on bicycles while they're cycling around or from their cars as well.
CAROLE THERIAULT. Yeah, you get a huge incentive to do so through insurance.
DAVID MCCLELLAND. Oh, do you?
CAROLE THERIAULT. Oh yeah, because say you have an accident and it's like a he said, he said, or she said, she said, you can go, well, show me the dashcams, dude. This person's at fault.
GRAHAM CLULEY. So would that also apply to my smart gun as well? So if I had film of the accidental shooting, would I be able to take that?
CAROLE THERIAULT. Like Dick Cheney. Didn't Dick Cheney accidentally shoot somebody?
GRAHAM CLULEY. He was on a duck hunt, wasn't he?
CAROLE THERIAULT. That's right. And he obviously quacked. And yeah.
GRAHAM CLULEY. But if he'd had one of these, then maybe he'd be able to take that to the insurance company and said, look—
CAROLE THERIAULT. He looked like a duck. He sounded like a duck.
GRAHAM CLULEY. You have to be careful, of course, with anything which has a camera on it. You don't necessarily want to take selfies with this. I think that could be a problem.
DAVID MCCLELLAND. But you would be shooting yourself in the foot if that was the case.
GRAHAM CLULEY. Well, kaboom. Well, and now this actually, although it claims to be like one of the very first smart guns, I've done a little bit of digging around and I found this isn't the first smart gun because there are other guns which have been Wi-Fi enabled. And in some cases, there are companies who've even been developing smart bullets, which use guidance systems and computers to hit their targets. There is a company in the States called TrackingPoint, and TrackingPoint say that all you have to do is pull the trigger and their guns will automatically acquire the target. They will track the target. And it quotes what it calls its TTK value, which is its total time to kill, of approximately 2.5 seconds. Now, I think these are primarily being used by hunters. Just to prove how easy it is to do this, they have a video of a guy who's obviously an army veteran who was blinded. And he uses a TrackingPoint gun to shoot a deer, but he doesn't know what he's pointing at, obviously.
AUDIO CLIP (Mike Jernigan). Over the years, I've learned to do a few things, and one of the things that I've really gotten into is hunting. This thing called TrackingPoint, it's an entire weapons system with a set of optics. For me, it enables me to hunt. You know, it enables me to do something that I essentially wouldn't be able to do on my own.
AUDIO CLIP. Down goes Brady! Yeah, nice work, brother! One shot, one kill. Very, very nice. Degree of difficulty off the scale. Not bad for a guy with no eyesight.
CAROLE THERIAULT. So there's a blind guy running around with a gun, shooting animals?
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. In woods?
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. Okay, great. This is so great.
GRAHAM CLULEY. Now I was reading about this company, I thought, this freak, this rings a bell, this sort of smart gun which they have here. And I remembered that back in 2015, because I wrote a story about it at the time, in 2015, Wired, a couple of their reporters got hold of one of these TrackingPoint guns, and they found that they could hack it remotely via Wi-Fi. And what they were able to do was not only a denial of service attack against the rifle to prevent it from shooting, but they could even get it to deliberately miss its target. So you'd have something in the aim, but the actual gun itself would fire slightly askew. They even managed to hit the target next to the one they were aiming for.
CAROLE THERIAULT. Maybe this existed in the time of JFK, and this is why we have no idea to this day of who actually shot him.
GRAHAM CLULEY. Maybe they were aiming for Jackie.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. And they hit John instead.
CAROLE THERIAULT. No one would aim for Jackie.
GRAHAM CLULEY. So back then, there were these huge concerns about vulnerabilities in smart guns, because what if one of these manufacturers comes out with a gun and it's not easy to patch? It certainly wouldn't be easy to patch if you're out on the field, would it?
CAROLE THERIAULT. Tell you what, this would be a story for CSI. Remember the days? Magnify.
GRAHAM CLULEY. And imagine if you're in a tight situation, if you're chasing a ferret or an otter or whatever it is that you're hunting and— A ferret? Well, I don't know.
DAVID MCCLELLAND. I mean, so they run wild through Oxfordshire.
GRAHAM CLULEY. And imagine you can't shoot because you have to do a system update. What's going to happen then? What if you have to reboot and you're, you know, you're in a tight situation? It just seems a bit crazy to me how much IoT and technology is integrating itself into everything. And if you have guns which are so computerised and able to guide and able to self-select and basically so good at shooting that a blind person can use them with 100% success, where is, where is the pleasure, if there indeed is any pleasure, from hunting? And where is the skill?
DAVID MCCLELLAND. Can I present a slightly opposing view, Graham?
GRAHAM CLULEY. Yes, well, you do live out in the wild these days, don't you?
DAVID MCCLELLAND. We had a squirrel running outside my office window the other day, but I wanted to stroke it, not shoot it.
CAROLE THERIAULT. That's one of the biggest animals in the UK, isn't it?
DAVID MCCLELLAND. Yes. So smart guns, you do a bit of searching around for smart guns and you find, like I say, a different view for this. And this is particularly with regards to guns that employ some kind of authentication built into them so that only an approved, authorized person is able to use that gun. So, for example, a gun that is stolen cannot be used by a criminal. A gun that is stolen from a law enforcement officer can only be used were it to be repatriated with that law enforcement officer, or accidental shootings can't take place as well. And I was reading around, there are some states where laws had actually been proposed that gun shops would have to sell a selection of smart guns with, whether it's a fingerprint reader or something like that. And some German firms came up with these, but they've reached kind of a bit of an impasse, really, and not been able to get any traction in the United States due to some pretty severe lobbying from the NRA. Now, I'm not going to get too much into the politics of guns and stuff, at risk of alienating too much of your listenership. But it does seem as though some of these ways to make guns safer, if that is even a thing, do seem to be being shot down before they're given a chance to be proved successful.
CAROLE THERIAULT. Yeah, look, I've never dealt with guns. I've never owned guns. I don't know anyone with guns. Like, I'm just out of my depth here. So I'm just staying quiet and—
GRAHAM CLULEY. You're staying quiet. Okay, so you won't be updating your Instagram from your Kalashnikov.
CAROLE THERIAULT. What's Instagram?
GRAHAM CLULEY. What is Instagram? You know, that is the right answer. Whenever someone mentions Instagram. Yeah. And leave it at that. David, what's your topic for us this week?
DAVID MCCLELLAND. Right then, so fasten your seatbelts, folks, and set your cyber satnavs for the oh-so-popular destination at the moment: Elon Musk's Tesla. So I've been listening to the show over the last few weeks because I'm genuinely a fan as well as a guest, and listening to John and Jess, I've been listening to them speaking with interest about how connected cars continue to creep into the conversation around cybersecurity. Now, I'm not what you would call a petrolhead, but I have become a bit of an EV nut, if I'm honest.
GRAHAM CLULEY. Oh yeah, I seem to remember you bought an electric car, didn't you? And you had trouble getting it up your drive, I think.
DAVID MCCLELLAND. I'm sorry? No, but it wasn't it—
GRAHAM CLULEY. Steady. Wasn't it sort of a bit low on the ground or something? And you had to get it over a curb and—
DAVID MCCLELLAND. You're absolutely right. I had some pretty nasty problems getting my car onto my drive. I have found a sneaky angle, whereas if I come in at about 45 degrees and ride the curb next door to the dipped curb outside my drive, I can get my car on there. I have trouble getting it off again. But anyway, that's another story. That's another story. So I have developed an affinity with and a bit of a passion for electric vehicles. And it's also become a bit more of my day job as well, talking and writing about this stuff and this convergence of consumer tech, connected cars, and electric vehicles, and what the potential ramifications of that may be. So my interest was piqued when I came across this story last week. And it's not about hacking a single car, but instead about how a hacker, a tinkerer really, was able to compromise Tesla's mothership servers and gain remote access to, and be able to control, Tesla's entire fleet of cars.
GRAHAM CLULEY. All of them?
CAROLE THERIAULT. It's like the Borg.
DAVID MCCLELLAND. Yes.
CAROLE THERIAULT. The Borg of Teslas.
GRAHAM CLULEY. It is.
DAVID MCCLELLAND. It is a little bit, and it's a little bit scary, but— and that's probably why this one occurred to me as being quite interesting. So what happened? Well, okay, so this actually happened, for full disclosure, about 3 years ago, but the story's only just gone public after the hacker, one Jason Hughes, or WK057 as he goes by, shared online a vulnerability report that he sent to Tesla engineers. And I've shared a Google Doc of that report with some excellent explanatory notes that are very revealing. And there's also a good write-up of this in a popular EV site called Electrek, both interesting reads. In a nutshell though, this Jason was already somebody who likes to tinker with cars and tinker with Teslas. And he made a few bob here and there with some simple bug bounties that Tesla was offering. So for example, many electric chargers are online so that drivers can see either in their car or using an app which chargers are available, which one of them are offline. I speak from experience, very handy when running low on juice or electrons, I guess, because unlike filling up a combustion engine car, charging an EV isn't a 5-minute job, takes some planning. Now, Tesla EV charging points are online, but information about them is a little bit sketchy, or at least it was at the time. So what this Jason fella does, he had to poke around to see if he could make charger information easier to access. And guess what? He found some holes in the public-facing Tesla Supercharger Central server and was able to scrape data for every charger in the world every few minutes. So what do you do? You post your findings on your nearest Tesla forum. And as proof that staff do lurk in these places, yeah, somebody from Tesla got in touch. In fact, within 20 minutes of posting, he was on a conference call with the head of software security at Tesla.
GRAHAM CLULEY. Wow.
DAVID MCCLELLAND. Quite a ride.
CAROLE THERIAULT. That's incredible.
DAVID MCCLELLAND. I'm sure. And they asked him to please stop sharing this Supercharger data, and they paid him a $5,000 bug bounty. Not a bad little earner.
GRAHAM CLULEY. But hang on. So that's revealed where all the Tesla chargers are around the world and some information about them. That doesn't seize control of all the Teslas in the world, does it?
DAVID MCCLELLAND. No, exactly. It did give him some insight into how Tesla's online services work, and having, you know, received a nice bit of pocket money, he decided to delve in a little bit further. So he found some further Tesla servers lurking on the internet, and he discovered that they really weren't the most secure. And he stumbled across— imagine you're just having a bit of a snoop around— he stumbled across an image of a server called Mothership. Now, if you're poking around on a network and find a server called Mothership, chances are you've kind of struck gold as a hacker.
CAROLE THERIAULT. Yeah, everything.
DAVID MCCLELLAND. Yeah, exactly. And it turns out this Mothership was Tesla's home server. Any remote commands or any diagnostic information for Tesla's customer fleet all go through this server. So long story short, like I say, the vulnerability report goes into this in some really good detail. He was able to pretend to see any car in Tesla's fleet. He could see information about any car, its location, its temperature, its range, whether it was locked or not. And he was able to send commands to it. All he needed was the VIN, the vehicle identification number, a bit like a MAC address on a computer, I guess. But he had access to all of those too, because also on the mothership was what Tesla called its Tesla Dex, its Rolodex. So entire fleet, entire inventory of vehicles was there. So I mentioned he was able to control the cars. So specifically, one of the functions he was able to trigger was the Summon feature. Now this lets drivers remotely move their cars forwards or backwards a few meters so they can get into or out of tight parking spaces. Very handy. Probably not that helpful for my drive though. Now, our tinkerer, again, he's good. He's a tinkerer. He's not a bad guy. He's a good guy. He compiled all of this information, and because he's got the bat phone now to Tesla's security team, he drops them a line.
CAROLE THERIAULT. Presses the button. Yeah, yeah, exactly.
DAVID MCCLELLAND. Within minutes they had him on the phone. And the story in Electrek, it describes how our man Jason, he asked Tesla's head of security there and then, who's in California, to give him the VIN of any nearby Tesla. So he just went out to the parking lot, picked a Tesla, got the VIN for it, and Jason immediately, from where he was somewhere in North Carolina, he was able to issue the summon command and move it forward by a few feet.
GRAHAM CLULEY. Wow.
DAVID MCCLELLAND. How scary is that?
CAROLE THERIAULT. I'm really surprised they only gave him 5K, actually.
DAVID MCCLELLAND. Well, well, well, okay. So for this one, sadly for Jason, he didn't walk away with a free Tesla, but he did walk away with a 50K bug bounty. And I understand that the Tesla team pulled a few late nights to fix the chain of bugs in their servers. And they've certainly upped their bug bounties since then.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. You know what? They should have given him a Tesla because they want him to test the ruddy thing and get in touch with them.
CAROLE THERIAULT. Exactly.
GRAHAM CLULEY. It's worth giving him a free car.
DAVID MCCLELLAND. So to wrap this up, I should add that this all took place in 2017. The vulnerability is long behind them. But Tesla does appear to have improved its cybersecurity stance since then and actively engages with white hat hackers like this Jason fella. It's big at conferences. It does bring its cars along to hacking competitions and encourages people to go ahead and hack them. And it offers some really substantial bug bounties as well. I think I saw something like £900,000 for someone who could hack a Tesla Model 3. So all in all, I think this is actually a really good story because nothing is ever—
CAROLE THERIAULT. You'd be annoyed if you were Jason if they're now offering 90 grand.
DAVID MCCLELLAND. Well, yeah, okay.
CAROLE THERIAULT. You know, and you're like, yeah, no worries, I got my 5K here, I'm happy.
DAVID MCCLELLAND. I don't know what he's done since, but it does seem to me that Tesla is kind of being open, accessible, going about security in a relatively healthy manner, and certainly engaging with the community and rewarding them for, you know, helping with its work. So I think that's a good story. Certainly a cautionary tale about what can happen when you're lashing your cars together at such a rate. Remember, Tesla only put its first tires on its tarmac back in 2014, 2015. So by 2016 or '17, I'm sure there's a lot of code that's relatively immature still kicking around. Fingers crossed for any Tesla owners out there, which I'm not one, that they do keep on top of this security.
CAROLE THERIAULT. Graham, how are you feeling right now? Talking about your, you have a little bromance with Elon, don't you?
GRAHAM CLULEY. What are you talking about?
CAROLE THERIAULT. Well, we know. You like Elon.
GRAHAM CLULEY. No, not really. Where's the schoolyard?
CAROLE THERIAULT. You know how like, you know, people in the schoolyard, you know, if someone kind of had a crush on you, they kind of hit you occasionally.
GRAHAM CLULEY. I remember a lot of people hitting me, yes, at school. I don't think they all had a bromance with me. Carole, what have you got for us this week?
CAROLE THERIAULT. This week, well, I've got a title for us actually before I start. Smart guns, smart cars, and smart streetlights. Oh my, seems we're all talking IoT today.
GRAHAM CLULEY. So hang on, let me make a note of that so I don't forget. Smart guns.
CAROLE THERIAULT. Well, okay, I'll be able to remember when we edit, dude.
GRAHAM CLULEY. Oh, okay. All right, all right.
CAROLE THERIAULT. So back in the before times, 2017, San Diego announced a revolutionary smart streetlight project. The idea was to replace all the power-hungry streetlights with more efficient LED streetlights.
GRAHAM CLULEY. I hate LED streetlights.
CAROLE THERIAULT. It's interesting because, you know, they replaced the yellow glow of the city's like old sodium vapor street lamps with these efficient new LED lights. Well, you know, you may not like the light, but they use 60% less energy.
GRAHAM CLULEY. We have a problem with a streetlight outside our bedroom. And the council won't— they've orientated it in such a way that it lights up our entire house. And our bedrooms rather than the road. And we are constantly in communication with them saying, "No, don't do that." I have that too.
CAROLE THERIAULT. I just have a blackout blind.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. So this was a big deal for San Diego because the city was reportedly broke at the time. So this saving of, you know, using 60% less energy looked huge. According to GE, this, GE were the original San Diego partner in this project or the parent company in this project. The city ended up replacing more than 35,000 lights, yielding an estimated $2.2 million savings per year. So big bucks for a poor city.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. However, there were some hurdles. When a traditional light bulb stops working, it just burns out, right? An LED light bulb doesn't burn out, it just degrades over time. Hence, there's this argument for smart streetlight systems, right? This way, the city could monitor the LEDs and then replace them before they got dangerously dim. Makes sense. But you know, you guys know function creep. Function creep is exciting. And San Diego Smart Streetlights ended up not just reporting a request for a bulb replacement. And while they look like any of your typical streetlights from far away, they sport a number of tiny data-hoovering sensors called nodes. So let me just share with you all the stuff that is found in some of these super smart light bulbs.
DAVID MCCLELLAND. That very word, node, it covers so many sins.
CAROLE THERIAULT. So I'll read this out and you guys, I wanna, I would like to ask you guys, okay, imagine you're the God of San Diego, right? What would you do with this functionality? What kind of stuff do you imagine people doing just from this information? So inside these streetlights, you will reportedly find an Intel Atom processor, half a terabyte of storage, Bluetooth and Wi-Fi radios, two 1080p video cameras, two acoustical sensors, and environmental sensors that monitor temperature, pressure, humidity, vibration, magnetic fields, and much of the data is processed on the node. So this is what they call edge processing.
GRAHAM CLULEY. There's quite a lot of information you've dumped on us there, Carole. So we've got connectivity, we've got lots and lots of storage, we've got cameras.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. We've also got microphones from the sound of things, acoustical sensors.
CAROLE THERIAULT. Sounds like a mic to me.
GRAHAM CLULEY. Environmental sensors as well. So it can— weather, magnetic fields, if there's an earthquake going on, some vibration. I think the primary way I would use something like this is, of course, to stop dog fouling when people are taking their dogs for a walk. And they go—
CAROLE THERIAULT. Would you tie your Kalashnikov to the actual smart light?
GRAHAM CLULEY. I think the streetlight can sense—
CAROLE THERIAULT. And threaten the owner.
GRAHAM CLULEY. Sense if it's— yes, well, let's see.
CAROLE THERIAULT. Threaten the owner that doesn't poop and scoop.
GRAHAM CLULEY. Right, exactly. And then they could be eliminated.
CAROLE THERIAULT. I don't want to live in your country.
GRAHAM CLULEY. Maybe just tranquilized or something, you know, just— or given a little— doesn't have to be lethal. But wow.
CAROLE THERIAULT. Yeah, right now you see I put a picture in there of what it actually looks like. And you know, it just has all these little nodes. You see all these little— these antennae sticking out everywhere.
GRAHAM CLULEY. And then it looks quite menacing.
CAROLE THERIAULT. Yeah. Well, it's not going to be that close, right? They're going to be pretty high up. Now, these data-collecting nodes connect to a GE operating system, right? And this was to process all the metadata collected by the sensors. And according to GE, these smart streetlights were there to help San Diego become the largest municipal Internet of Things network in the US. I mean, literally, you can get real-time data on anything, vehicles, pedestrians, bicycle traffic, everything.
GRAHAM CLULEY. Oh, you know what I'd want? You know what I would like this to somehow tie in with a, like, UPS or DHL delivery service, because at the moment, what happens is, when you get one of those emails saying, oh, we're going to deliver, you know, sometime by the end of the day, and you're not, you're not really sure, you know, can I pop out or not? Can I pop out? I actually now have to make a great big palaver about leaving the house and pretending to leave the house. Like, oh, I'm just putting my coat on. I'm going to go out. Together in order to hide behind the dustbins, because I know as soon as I leave the house they're going to deliver the item. So I'll basically be in a, you know, I'll be hidden away in the garden ready to pounce. But if something like this was operating, I could find out in advance they're in my street, they're coming close, do not leave the premises, right? Because this sort of thing would be able to look at vehicles, it'd be able to look up license plates. And, you know, with it—
CAROLE THERIAULT. Oh yeah, totally.
GRAHAM CLULEY. There's a lot of smartness here, which, you know, potentially all that big data could be used in interesting, cool ways as well as naughty ways.
CAROLE THERIAULT. Well, yeah, and the city was hoping for that. They anonymized all the information and then hoped that app developers would kind of say, hey, this is cool, we can jump on board with this and develop a cool app. And, you know, and contribute to the bright connected future that San Diego aspired to. Unfortunately, it turns out that very few independent app developers took them up on this offer. So there's that. Back in 2017, the San Diego Deputy CEO said, I see streetlights as the platform to transform our communities. They help connect us to our citizens, provide a future where we are better able to understand our neighborhoods and give them services they want. And this is how they basically marketed it across the city. So we're now 3 years on from, uh, this 2017, uh, you know, yeah, how's it all going? Yeah, it must be great. Must be utopia.
GRAHAM CLULEY. Must be wonderful, right?
CAROLE THERIAULT. I mean, it's one of the smartest cities in the USA. What could possibly have gone wrong? Well, two fascinating things that I was able to kind of put my finger on. So, okay, this is a little complicated, so if I— if it's too much, just stop me and I'll clarify, but it is worth listening to. Okay?
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. So GE Current, okay, that's a name of a subsidiary of GE, and they were the original San Diego City partner, right? So GE Current is who supplied the smart streetlights and used and managed it under this thing called CityIQ. Okay, so you have GE Current, they're the partner of the city. And as part of the deal with GE Current, they ran the cloud-based analytics of all the sensor data on the platform, the CityIQ platform. But get this, the cloud operator rather than the city owned any algorithms derived from the data.
GRAHAM CLULEY. What do you mean by that, owned algorithms to run?
CAROLE THERIAULT. They kind of run the show.
GRAHAM CLULEY. Oh, I see. Right. Okay, so they're basically, they're tied in with GE Current.
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. Rather awkward getting away from them if they wanted to. Right.
CAROLE THERIAULT. Okay, good. Twist number 1: GE Current was then acquired last year by a private equity firm called American Industrial Partners. So at this point—
GRAHAM CLULEY. Which I, I see, I thought you were going to say someone like the People's Liberation Army of China, so at least it's—
CAROLE THERIAULT. Oh, at least the name is palatable. Okay, well, good, good. So at this point, all this cloud-based algorithms and the operator, this was run by American Industrial Partners. Twist number 2, American Industrial Partners sells off the CityIQ platform in May to Ubicquia, a Florida manufacturer of streetlight sensors and software. American Industrial Partners kept the LED lighting side of the operation. So they kind of divided up the kind of surveillance and the lighting.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. So the problem now is who the frick owns the data? So that's one big pickle they're dealing with. Problem number two, okay, who has access to the data is the next question. So if we fast forward a year on to 2018, right, from when it was first introduced in San Diego.
GRAHAM CLULEY. This is the data that's stored in the cloud. Yes. That we're debating again.
CAROLE THERIAULT. Well, now we're like, who's access, yeah, who accesses all the data? All these nodes are hoovering up all this data and it's going into a centralized place. Realize somewhere who has access to that data. So a year after the installation, in August, a cop investigating a murder in San Diego's Gaslamp Quarter looks up and sees the smart streetlight, and he realizes the streetlight's video cameras have a perfect view of the crime scene, one unavailable from the variety of security cameras that were around the area, right?
DAVID MCCLELLAND. Yeah.
CAROLE THERIAULT. So according to IEEE Spectrum— sorry, IEEE Spectrum— it turns out that the video, it was still stored on the street lamp. It's deleted after 5 days, but for 5 days it sits there live. And GE Current were able to pull it up from its cloud servers and then forward it over to the police department. And it was clear from that point that some of the video could help solve crimes. And the city felt it had an obligation to turn over that information when there was a major crime. So this is the view from the city of San Diego at the time.
GRAHAM CLULEY. What a shame the crime wasn't committed with one of these smart guns I was telling you about, because that might have captured some video.
CAROLE THERIAULT. They would have captured each other.
GRAHAM CLULEY. And it might also have taken the fingerprint of the assailant, who was— see, I'm just— oh my God, I'm a genius.
CAROLE THERIAULT. Okay. The next, the following year, 2019, the police department adopted a formal policy around the use of streetlight data and stated that video and audio may be accessed exclusively for law enforcement purposes, with the police department as the custodian of the records. The city sustainability department, this is like the home of the whole streetlight program, did not have access to the crime-related data.
GRAHAM CLULEY. So the police are policing their access to the data.
DAVID MCCLELLAND. Yeah.
CAROLE THERIAULT. Is that right? They're saying, we have access to this information, no one else can see it. And that's how we're gonna roll with these. Thank you very much, City of San Diego, for putting this up.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Now, early this year, 2020, data from the police department indicated that video from streetlights was used in up to 175 cases in the first 18 months of the police department's use. So, and this was just, uh, announced. No one really knew this was happening, right? So this all came out, uh, earlier this year, and people were like, what? And in the list, it included murders, sexual assault, kidnapping, things, but it also included vandalism and illegal, like, dumping. It's called— I feel weird saying that word in English. How do I say, like—
GRAHAM CLULEY. Yeah, when you— it's tipping, isn't it?
CAROLE THERIAULT. Tipping. Yeah. Or dumping. Fly tipping.
DAVID MCCLELLAND. Yeah.
CAROLE THERIAULT. Yeah. So it also includes vandalism and illegal fly tipping, or what they call dumping. Okay. Which caused— in the dumping bit, in the vandalism bit— caused activists to go, uh, is that actually what you would call a serious crime? Now you have two sides. One side saying control and surveillance creep is bound to happen, so they have unfettered access, and why would they call illegal dumping a serious crime?
GRAHAM CLULEY. There are all kinds of different crimes though, aren't there? I mean, it is very difficult to work out which ones are the serious ones, which ones aren't. I heard today about a guy who regularly has to force his electric vehicle to go up on the curb in order to get onto his drive properly in possibly a dangerous way. Is that the kind of thing which a streetlight could spot?
DAVID MCCLELLAND. I hope so.
CAROLE THERIAULT. What do you think about all this, David? Do you think there should be legislation in place before they put these lights into action?
DAVID MCCLELLAND. Yeah, and I think that's exactly it, because you spoke earlier in this story about the number of times that the data or the control of the data or the stuff that collects that data, that the number of times that changed hands or was allowed to change hands. So if there were a contract or if there were something in place at the beginning that would maintain the sanctity of that data for its original purpose in some way, notwithstanding mergers and acquisitions and sales, then I think that would protect everyone's interests and the original intent of that installation a lot better. But I mean, who knows who this stuff could have been sold to? It's ended up with law enforcement. There are some other pretty rotten places that that data could have ended up, could still end up as well.
CAROLE THERIAULT. Yep, totally. Cops' retort, you know, this whole thing about the illegal dumping, right? But the retort from the cops was they don't monitor their feeds. The dumping incident involved a truckload of concrete that blocked vehicles from entering and exiting a parking garage used by the FBI employees, and therefore, in their view, qualified as a serious situation.
GRAHAM CLULEY. That does sound like a serious dump. Yeah, please, David, come on. Always lower in the town.
CAROLE THERIAULT. The city has now decided to take the videos offline, right? So the street cameras currently have been turned off until they can figure out something that works. But this also fits in with their whole contract fiasco that's going on under the waters. They're now dealing with a company called Ubicquia, and they now own and manage the technology and manage the algorithms and the data. So they need to hammer out a new contract.
GRAHAM CLULEY. I wonder if there are any limitations on that company deciding to sell to someone overseas, for instance.
CAROLE THERIAULT. I can't believe a city would not think of, in any contract, to have a clause that prevents a business supplier from throwing you through the hoops through an unforeseen sale. It's like, sorry, I know I agreed to do this, but oh yeah, no, we had to sell, so you're now dealing with Joe Blow here. You didn't have a— you didn't know? He didn't— like, I just think it's crazy.
GRAHAM CLULEY. I don't know.
CAROLE THERIAULT. Well, what if like you come on next week and it's Dave here instead of me? I just said, oh sorry, I sold my part to Dave. Five figures.
GRAHAM CLULEY. I'm so sorry, David.
DAVID MCCLELLAND. I'll pay you forward.
CAROLE THERIAULT. So many of us now working from home for the first time, IT administrators as well as employees. So you want to make everyone's life a little bit safer? Look into LastPass. For admins, you get a centralized dashboard to administer all the integrations and the policies in the reporting. Plus, you get a vault for every single user. And users, you have these cool functions like autosave and autofill, or organizing notes and documents, or helping you manage your work and personal life separately. Check it out at smashingsecurity.com/lastpass. And remember, home users, you can use it at home for free. More info at smashingsecurity.com/lastpass. LastPass.
GRAHAM CLULEY. Attacks and breaches are sadly a fact of life. They happen. What's most important is how well your organization responds, and technology isn't really enough. Your staff must be ready too. Immersive Labs delivers hands-on, challenge-based training and exercises to make your team ready to fight real-world threats. Check out their free ebook all about the MITRE ATT&CK framework and how you can use it as a part of your cyber skills strategy, and improve your security posture by identifying weaknesses. Go to immersive-labs.com/smashing right now to download your free ebook. That's immersive-labs.com/smashing. And welcome back, and you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
DAVID MCCLELLAND. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. Well, this week scientists believe that they have found evidence of life on Venus.
CAROLE THERIAULT. I know, it's crazy. It's crazy.
GRAHAM CLULEY. Amazing news. But forget about that because Paris Hilton has got a new video out on the internet. And it's— what?
CAROLE THERIAULT. Who is Paris Hilton?
GRAHAM CLULEY. Hmm? Who's Paris Hilton? Is that like who— what's Instagram?
CAROLE THERIAULT. Exactly.
GRAHAM CLULEY. Paris Hilton is— I've always had a sneaking regard for Paris Hilton. This is what I'm going to share with you now. I've— I don't know quite when it happened, but I remember seeing Paris Hilton doing her airhead bit on some TV show once.
CAROLE THERIAULT. The Hilton heiress.
GRAHAM CLULEY. That's right. Yes. I think she's the granddaughter Right. Baron Hilton.
CAROLE THERIAULT. One of the first world socialites.
GRAHAM CLULEY. Well, she, a real influencer. And, uh, of, and she was, I believe Kim Kardashian was her personal assistant for a while or something, something like that. Anyway, but yes, Paris Hilton had a reality TV show in, I guess, the '90s or something like that, right? And whenever it was. Uh, there is now a documentary on YouTube called This Is Paris, all about Paris Hilton. Which she sponsors.
CAROLE THERIAULT. How many people are destroyed and so depressed? They go in thinking, I'll hear about the Arc de Triomphe. I'll hear about the Eiffel Tower. Champs-Élysées. Oh no.
GRAHAM CLULEY. Hi everybody. Well, interesting that you go, hi everybody, because one of the revelations, of course, is that Paris Hilton doesn't actually talk like that.
CAROLE THERIAULT. Oh, right.
GRAHAM CLULEY. And Paris Hilton has, as I suspected for some years, been pretending to be an airhead bimbo with a squeaky voice. And of course, she's actually an incredibly successful entrepreneur who's dashing around and has her finger in many pies and is making herself quite a mint from perpetuating this image.
CAROLE THERIAULT. So she's a bit like you then?
GRAHAM CLULEY. No, she's not. Well, I don't have a squeaky voice, do I? I've been watching this. I must admit, I haven't finished watching it yet. I'm about halfway through because it only just came out yesterday at the time of recording.
DAVID MCCLELLAND. I think it's a YouTube original, isn't it?
GRAHAM CLULEY. It is, yes.
CAROLE THERIAULT. What does that mean?
GRAHAM CLULEY. I think YouTube probably have paid for it.
CAROLE THERIAULT. And then what, we watch it for free on YouTube?
GRAHAM CLULEY. You go to YouTube, then you see YouTube ads, I guess. But I think YouTube is trying to set it up. So you may know more about this, David, than me. I think it's trying to set itself up as another, one of these subscription services. Because I think you can pay YouTube, can't you, for content.
DAVID MCCLELLAND. Yes, you can, and you can skip adverts. It's got a music service as well. But given that every tech firm out there is trying to turn into a media outlet and a content creator, from obviously Apple and Netflix and so on, yeah, Google's trying to get in on the act, or Alphabet's trying to get on the act with YouTube as well. And I watched the first 5 or 10 minutes of this when you shared the link earlier on, Graham. And yeah, I was pleasantly surprised. And that first point that you make about, you know, what is her voice? I think they very cleverly play on that in the intro sequence to it where she goes into a recording studio and goes, hi everybody! And she starts speaking in half a dozen different voices saying, what is my voice? What is my voice? What is my voice? You know, I thought it was very knowing and very self-referential, but it was quite intriguing nonetheless. So I suspect I will watch a bit more of it, but I know my wife will watch all of it.
GRAHAM CLULEY. I think it's— what I've seen, I think it's actually surprisingly good and deep. You do get the impression that— I mean, we've all had bad things happen to us in our past, right? Everyone's had some kind of trauma, I think. But she does seem to have had some particularly traumatic events happen to her, which are touched upon in the—
CAROLE THERIAULT. Like no hotel towels?
GRAHAM CLULEY. No, you see—
CAROLE THERIAULT. Serious stuff. So you've fallen for her?
GRAHAM CLULEY. No, I haven't fallen for her. No, no. I just think she is a person. I think that's important to remember about these people who are often pilloried online.
CAROLE THERIAULT. Just like Elon. Yeah.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Yeah. Totally.
GRAHAM CLULEY. You get the impression life is not all roses being Paris Hilton, and you do end up with a different impression of her. And so for that, I think this is worth watching. So the—
CAROLE THERIAULT. Maybe I'll try and see if my impression changes.
GRAHAM CLULEY. It's called This Is Paris. Yeah.
CAROLE THERIAULT. Not the city.
DAVID MCCLELLAND. No.
CAROLE THERIAULT. But she feels she's as big as the city, so she could just say that.
GRAHAM CLULEY. David, I'm just ignoring you now.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Because you're—
DAVID MCCLELLAND. What's new?
GRAHAM CLULEY. Clearly you feel threatened by Paris Hilton.
CAROLE THERIAULT. Yeah, that's it.
GRAHAM CLULEY. I'm probably your— What was her name of her friend? Something Richie. Lionel Richie's daughter. I can't remember.
DAVID MCCLELLAND. I'm—
GRAHAM CLULEY. Anyway.
CAROLE THERIAULT. Nicole?
GRAHAM CLULEY. There was— Or was it Nikki? Nikki Richie?
CAROLE THERIAULT. I can't remember. That way he'll always remember.
GRAHAM CLULEY. Oh, wouldn't it be great if Lionel Richie was your Hello!
CAROLE THERIAULT. Every morning.
GRAHAM CLULEY. David, quickly, quickly, what's your pick of the week?
DAVID MCCLELLAND. Right, Carole, brace yourself. Okay, braced. This one is security related. Trust me, trust me, please, please, please, it is in the very best possible way. So you may have noticed over the last few years that escape rooms have been very popular, as have quizzes that mix real-world exploration with fantasy. So not just Pokémon Go. I've done some of these in the past where you and a team of buddies become detectives and you have to solve a crime against the clock by following clues planted in real places across the city centre. We did one on the South Bank of London fairly recently. Good fun. Yeah, really, really good fun until COVID hit and kind of put the kibosh on all of that. But one of the firms behind these experiences, Hidden City, has just released an immersive game, they call it, that still creates this buzz of physical exploration and collaborative gaming with your buddies, but it works absolutely perfectly in lockdown. So it's called Moriarty's Game: A Killer in the Hive, and you are a detective in a security operation, and you are guiding a frontline on-the-ground investigator as she tracks down a crime network following leads that you're giving her. It's ingenious, and it really— it feels genuinely immersive because you're using CCTV, you're making calls to contacts on your mobile, you're leaving voicemails to people, and there's some really clever speech recognition stuff that makes that bit work. Um, you're even hacking into home security systems using images on people's Twitter accounts and so on. It creates a real drama, a real sense of achievement, and you do feel as though with a bit of willing suspension of disbelief, you're doing this for real.
CAROLE THERIAULT. I like it.
DAVID MCCLELLAND. It's great. I've posted a link. Have a look at the video in there, because I think that does quite a good job of selling it. We did it a couple of weeks ago with some friends, and it works very well if you and your team are in the same room. But the genius is it also works if lockdown means you're in different places, because you will get the same messages on your mobile. You all are told to go to the same CCTV addresses on the internet. So real hats off to Hidden City for this, because it surprised— genuinely surprised me no end that something like this could work so well, be so immersive, and so much fun. And that is why Moriarty's Game: A Killer in the Hive is my pick of the week.
CAROLE THERIAULT. Is it for adults or for kids or for all?
DAVID MCCLELLAND. I would say— I don't recall there being anything that would mean that children would be, yeah, I don't think there's anything in there that means it wouldn't be safe for children. From what I recall, it all seems there's no profanity in there. But certainly, you know, there was me and a bunch of similarly aged chaps and chabettes, and we had great fun, a great time.
CAROLE THERIAULT. Cool.
GRAHAM CLULEY. Sounds a lot of fun. Carole, what's your pick of the week?
CAROLE THERIAULT. Well, my pick of the week. Now, as you all know, I am a pod addict, right? A podcast addict. But I always have problems finding new solid recommendations. And I use Reddit, and I look around, and I find lists from people. But it can be hard, right? Because I tend to shy away from social media pool parties, right? So I don't get that drip, drip, drip of new news. Anyway, so I found this just by chance. I happened to be just zooming around, looking around for a new podcast to just check out. And I found this one called Castology. And this is where 3 hosts, uh, Liz, Nick, and Zane, um, and I think they're all based in Australia, they discuss podcasts and give us their takes on it. So the format's really cool. They each find a podcast to recommend to the others. They may think the others might like it or not like it, but they think it's worthy of a listen. And then everyone listens, and then the following week everyone kind of reports back. So every week you have a new recommendation from one of them, and then you have 3 kind of reviews from everybody and what they thought about it.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. And there's— I've gone through their list. I've probably listened to about 3 or 4 shows so far. I've gone through their list and I've listened to probably 50, 60% of what, uh, they, they talk about. So that's really exciting because I can kind of get a little taste of a new pod without diving in.
GRAHAM CLULEY. And how do they find out about new podcasts? Do listeners suggest them to them?
CAROLE THERIAULT. Well, yes. And you know what? Do you know what? I actually submitted ours to be reviewed by them. I don't know if they'll— I don't know if they'll do it.
GRAHAM CLULEY. No pressure.
CAROLE THERIAULT. I don't know if they'll do it. Well, right, who knows. What I like about them is they don't just sit there and wax lyrical about every single podcast, because that would be boring, right? Sometimes one of them likes it and the other just— the other two just do not dig it at all, or two of them like it and the other one doesn't, right? So it's— I think that's kind of interesting and it's a bit edgy. So we'll see if they cover— we'll see who they like better.
GRAHAM CLULEY. Graham, can I stress that I would like it if all three of them liked our podcast?
CAROLE THERIAULT. Well, they might.
GRAHAM CLULEY. Just giving them a plug.
CAROLE THERIAULT. I just want to know who they like better. We haven't given them a Graham.
GRAHAM CLULEY. We have a Graham Cluley. Oh, for goodness sake.
CAROLE THERIAULT. Yes. So I want to know who they like better.
GRAHAM CLULEY. What a meanie.
CAROLE THERIAULT. So the podcast is called Castology. Castology. Get it wherever you get your podcast. Check it out. It's worth it.
GRAHAM CLULEY. I've heard it's excellent. I don't think it's as worth it. I've heard it's really, really good.
CAROLE THERIAULT. You'll never quit.
GRAHAM CLULEY. And that just about wraps it up for this week. David, I'm sure lots of our listeners would love to follow you online, see what you're up to. What's the best way for folks to do that?
DAVID MCCLELLAND. Probably hook up with me on Twitter @DavidMcClelland, all the C's, couple of vowels chucked in for good measure.
GRAHAM CLULEY. And you can follow us on Twitter @SmashingSecurity, no G, Twitter won't allow us to have a G, and on Reddit, just look for the Smashing Security subreddit. And don't forget, if you want to be sure never to miss another episode, subscribe in your favorite podcast app, such as Overcast, Apple Podcasts, Spotify, Pocket Casts, and you'll never miss another.
CAROLE THERIAULT. Socially responsible air kisses to you all for listening, supporting the show via Patreon, and sharing this podcast with your people. Also, high five to this week's Smashing Security sponsors, Immersive Labs and LastPass. Their support helps us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
GRAHAM CLULEY. Until next time, cheerio, bye-bye.
CAROLE THERIAULT. Bye.
GRAHAM CLULEY. Bye-bye.
CAROLE THERIAULT. Uh, David, can I ask you a question?
GRAHAM CLULEY. Yeah, fire away.
CAROLE THERIAULT. So I grew up in the country and you live in the country now, um, but is it country enough that you, uh, play with your children cow patty bingo?
GRAHAM CLULEY. What's cow patty bingo?
CAROLE THERIAULT. You kind of divide up a, a field of cows, like you divide up in quadrants, right? And everyone owns a quadrant and owns some areas. And then as a cow goes and it goes into one of your own quadrants, you get a point. Summer fun.
DAVID MCCLELLAND. I don't think I have played that. Cow tipping, perhaps, but that's an entire podcast in itself.
CAROLE THERIAULT. That doesn't exist. I think that's an urban myth.
DAVID MCCLELLAND. I don't know. I feel as though maybe I should have played it. It's one of those memories that I have that I don't really know if it's real or not.
CAROLE THERIAULT. Well, maybe it's a Canadian thing.
GRAHAM CLULEY. Who knows?
-- TRANSCRIPT ENDS --