198: Chucky the coffee maker

Coffee machines catching ransomware, Blacklight shines a torch on website tracking, and a woman is freaked out that a complete stranger can turn off her home's security system.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire's Dave Bittner.

And don't miss our featured interview with Greg Jensen from Oracle, who talks all about five free reports he has put together for listeners about cloud security.

Visit https://www.smashingsecurity.com/198 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guests: Dave Bittner and Greg Jensen.

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



CAROLE THERIAULT. Hey everybody, Carole Theriault here. I just wanted to take a quick second to say thank you to just a few of our amazing Patreon supporters this week. Shout out goes to Evan, John Wilson, Tim DeRook, William Carlson, Andrew Davison, Colby Allred, Chris Pestle, Kazie S, Werner Oving, and Uli Muli. Thank you, all of you. Your donations help make this show happen. If you'd like to join this amazing community of Patreon supporters, you need only go to smashingsecurity.com/patreon. Now let's get this show on the road. I'm trying to find one with lots of tracking to see how we can see it.


GRAHAM CLULEY. Why don't you try— I haven't tried this one. I'm going to try TechCrunch.


CAROLE THERIAULT. Oh, Forbes.


DAVE BITTNER. Oh, Forbes.


GRAHAM CLULEY. Yes. Go for Forbes. Yes.


CAROLE THERIAULT. Forbes. Forbes.


GRAHAM CLULEY. Yes. Forbes. Let's see.


DAVE BITTNER. See, maybe we've created a new game here. Who can find the website with the most trackers?


GRAHAM CLULEY. Disappointingly few. I haven't got many on Forbes.


CAROLE THERIAULT. I got 3 ad trackers, 1 third-party cookie.


GRAHAM CLULEY. That's pathetic. Okay, let's try Daily Mail. The Daily Mail.


CAROLE THERIAULT. The Sun.


UNKNOWN. Okay, let's do this. Daily Mail. Daily Mail. Smashing Security, episode 198, Chucky the Coffee Maker, with Carole Theriault and Graham Cluley. Hello. Hello, and welcome to Smashing Security episode 198. My name's Graham Cluley.


CAROLE THERIAULT. Two more shows, Graham, till we hit the big 200. I'm Carole Theriault.


GRAHAM CLULEY. Don't build it up too much.


CAROLE THERIAULT. Well, it's going to be a huge epic number, if nothing else.


GRAHAM CLULEY. And we are joined this week by the hugely epic Dave Bittner from the CyberWire podcast. Hello, Dave. Hello there. Hurrah!


CAROLE THERIAULT. Hey, Dave.


GRAHAM CLULEY. Hi.


CAROLE THERIAULT. How are you?


DAVE BITTNER. Oh, I think like most people, we're hanging in there, making the most of a challenging situation that we all find ourselves in, no matter where in the world we may reside.


CAROLE THERIAULT. Yeah, things are cray cray in your country at the moment.


GRAHAM CLULEY. Are they? What's going on?


DAVE BITTNER. Oh, this and that, this and that. Not worth mentioning. Let's move on.


UNKNOWN GUEST. Yeah.


GRAHAM CLULEY. Carole, what's coming up on the show this week?


CAROLE THERIAULT. First, let's thank this week's sponsors, LastPass and Oracle. Their support helps us give you this show for free. Now, coming up on today's show, Graham talks about yet another one of his pet peeves, coffee. Dave has an easy peasy tip to reveal how websites spy on us, and I'll look into just how smart home smart security actually is. Also, I had a cozy chat with cloud security expert Greg Jensen from Oracle, who shares his expertise and a few freebies. So buckle up and listen up as we have all this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, I have an admission to make because it may come as a shock to you, but I have many, many vices, many things which have occasionally pulled me off the straight and narrow. But one of them—


CAROLE THERIAULT. what, like chess?


GRAHAM CLULEY. Well, yes, exactly.


DAVE BITTNER. He's a wild man.


CAROLE THERIAULT. Yeah, yeah, he went down the dark, dark path.


GRAHAM CLULEY. Oh hey, don't knock chess, right?


CAROLE THERIAULT. I'm not knocking chess.


GRAHAM CLULEY. Don't bash the bishop.


CAROLE THERIAULT. Hardly a vice.


GRAHAM CLULEY. It's, it's— well, you know, I, I'll tell you one of the things I don't have as a vice. I'm quite proud I don't have this vice, is I don't drink coffee. And frankly, I love drinking coffee. Do you really?


CAROLE THERIAULT. I actually feel sorry for you that you don't drink coffee.


GRAHAM CLULEY. Well, what exactly am I missing by not drinking coffee?


CAROLE THERIAULT. So, so much. That wonderful, wonderful feeling in the morning when you get to make it, the experience of making a beautiful coffee, that going— well, not now, but in the olden days, going out and meeting people for coffee and having a little gossy goss session.


GRAHAM CLULEY. Do you love the taste of mastic asphalt in the morning? Is that the thing which you live for, having that sort of taste? Why not just—


CAROLE THERIAULT. You're just a philistine.


GRAHAM CLULEY. Why not just lick the tarmac, Carole? Well, look, I'm also a busy man, which is another reason why I don't. Hardly.


DAVE BITTNER. I confess I also do not drink coffee.


GRAHAM CLULEY. Look at that, interesting.


CAROLE THERIAULT. Do you drink tea? Do you drink tea?


DAVE BITTNER. I will drink tea, but I prefer my caffeine delivered cold.


CAROLE THERIAULT. I thought you were going to say intravenously.


UNKNOWN GUEST. I was going to go, whoa.


DAVE BITTNER. Yeah, right. Hardcore. No, no. And every few years I get seduced by the smell of coffee. And so I will take a sip and then I'm reminded of just about how horrible it really does taste and put it off for a few more years. I'm good.


CAROLE THERIAULT. Listeners, help me out here. Okay. Coffee lovers, it's time to unite because my husband doesn't drink coffee either. I feel like I'm being surrounded.


GRAHAM CLULEY. I think this is interesting because in a recent survey, a very recent survey, it was found 3 out of 4 people don't drink coffee. So those would be me, Dave, and John.


DAVE BITTNER. No, there's a little peer pressure there, Carole.


CAROLE THERIAULT. Yeah. Yeah, I'm really— I normally fall to peer pressure. Graham will tell you. I really do follow the—


GRAHAM CLULEY. Can we please get back to the topic? Right. Because I do recognise you've just diverted us. I do recognise—


DAVE BITTNER. It's your fault, Carole.


CAROLE THERIAULT. Yeah, I know. It's always my fault.


GRAHAM CLULEY. Coffee plays a very important part on the internet, as you will recall. Back in 1991, the University of Cambridge set up the world's first webcam, pointed at a coffee cup.


CAROLE THERIAULT. I don't remember, but okay.


GRAHAM CLULEY. Well, it's famous, Carole. It's no longer live. The webpage is still there, but it hasn't been updated for about 20 years. But—


DAVE BITTNER. Two employees are in a standoff over whose turn it is to refill the coffee, and this has been going on for years.


GRAHAM CLULEY. Well, that's what they used it for. They used it to see if it was full. Right. And if it wasn't, 'cause no one wanted to go down and refill it. Anyway. Ever since, people have thought, wouldn't it be a great idea to connect coffee machines to the internet? And why not?


CAROLE THERIAULT. Who has thought?


GRAHAM CLULEY. Everybody, everybody, Carole. When the internet was invented, I'm sure, I'm sure, good old Tim. Everybody thought. So Tim, right, with the web and things, he was thinking of that.


CAROLE THERIAULT. Elon probably thought of this.


GRAHAM CLULEY. Yes, all of them, they've been thinking of it. And of course there've been diversions, there've been connected fridges and vacuum cleaners and toothbrushes and internet sex toys and things like that. And we know that all of them have performed perfectly without any problems, right? There've never been any trouble with any IoT devices connected to the internet, especially these things which you wouldn't normally associate with being connected to the internet. Well, one coffee maker manufacturer, which goes by the name of Smarter. That is the name of the company.


CAROLE THERIAULT. Smarter Smart. Smarter Smart Coffee.


DAVE BITTNER. Hubris gets you every time.


GRAHAM CLULEY. Well, you can buy a Smarter coffee maker for $250. I don't know if that's a bargain or not.


CAROLE THERIAULT. Well, I mean, coffee makers cost a lot of money. You can get espresso makers for a grand that are not connected to the internet.


GRAHAM CLULEY. A good one.


CAROLE THERIAULT. Yeah, yeah, a good one. Well, you can pay 5 grand.


GRAHAM CLULEY. You can spend a lot of money on, right? And they probably throw in— who's that chap who advertises them? Guy with the grey hair, the silver fox. You know the one.


CAROLE THERIAULT. Basin guy?


GRAHAM CLULEY. No, not that. No, George Clooney.


CAROLE THERIAULT. Oh, yes, yes, yes. Nespresso.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Not sure that's really coffee, but anyway. Okay. Alright.


GRAHAM CLULEY. Well, these smarter coffee makers, right? They caught the attention of a hacker called Evil Socket.


CAROLE THERIAULT. Okay, so he's up to a lot of good stuff.


GRAHAM CLULEY. Mr. and Mrs. Socket had a child, decided to call him Evil. So Evil Socket, he took one of these coffee makers 4 years ago, and he completely reverse engineered it. Worked out how it could be remotely accessed, and he showed how easy it was to send commands to make a cup of coffee, or use the filter instead of the beans in the grinder, and you know, keep coffee warmer for longer.


CAROLE THERIAULT. Jesus. It's like, wait, is he turning it into Chucky the coffee maker?


GRAHAM CLULEY. I don't think he was putting actual axes or anything like that into them.


CAROLE THERIAULT. Chop off your hand as you come close.


DAVE BITTNER. Yeah, it'll spew hot water at you from across the room. Scalding hot water.


GRAHAM CLULEY. Anyway, he found out it was possible to do this. And the Smarter Company, they did respond because they produced a new version of their coffee machine, which fixed some of the bugs which he was able to exploit. But the problem was this. When you buy a coffee machine, particularly one which you might have spent a decent amount of money on, How often does it get updated? How often do you refresh it? And they weren't pushing out updates for the old one, so there weren't updates.


CAROLE THERIAULT. Sorry, I do have a question though that you haven't actually—


GRAHAM CLULEY. Oh yes, go ahead.


CAROLE THERIAULT. I mean, maybe you're coming to it, but I don't understand how this coffee maker is IoT in the least. What is IoT about this coffee maker? Everything you've said is normal.


GRAHAM CLULEY. Well, these devices you can control through apps or through the internet.


CAROLE THERIAULT. So you would be lying in bed, for example, and go, oh, I really need a cup of coffee.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. If only I'd put a mug under the coffee machine because I could actually make myself a cup, but I forgot to put a mug and it's not smart enough to go get one for me.


GRAHAM CLULEY. It's like the Goblin Teasmade or whatever it was called, that thing you would have next to your bed on an alarm clock and it'd go, "Ch-ch-ch-ch-ch-ch." See, that's much smarter.


CAROLE THERIAULT. Just put it near your bed. Right? Anyway, okay, carry on.


GRAHAM CLULEY. All right. So, they brought out a new version, right? And the question is, these appliances, how often are they updated? Typical fridge only gets replaced every 17 years apparently, but IoT, appliances might need to be updated more often than that, right? Especially if they're not receiving patches. Now, this week, a researcher with Avast, name of Martin Hron, that's Ron with a silent H, or maybe you do pronounce the H, Martin Hron, he decided to perform what he called a thought experiment with one of these older coffee machines. He was curious as to whether he could reverse engineer it himself and then exploit it.


CAROLE THERIAULT. So this is another person who's trying to reverse engineer, right?


GRAHAM CLULEY. This is another chap who's building upon the research which has been done in the past. LastPass.


CAROLE THERIAULT. Perfect.


GRAHAM CLULEY. And he discovered that these IoT-enabled Smarter coffee machines were not checking that their firmware updates had been properly signed. And as a consequence, he was able to trick the coffee machine into installing a bogus, unauthorized update.


CAROLE THERIAULT. And again, then your coffee machine goes psycho.


GRAHAM CLULEY. Well, but no, it doesn't.


CAROLE THERIAULT. It's like the worst thing ever.


GRAHAM CLULEY. Even if— no, it isn't the worst thing ever, Carole. Even if a coffee machine did go psycho, it hasn't got legs, it hasn't got wheels. It's not gonna chase you around. Well, not yet.


CAROLE THERIAULT. Exactly. Maybe that's what they'll have next. It'll be a coffee machine on wheels coming up to your bedroom going, "Would you like coffee?"


DAVE BITTNER. "I will make you coffee." It'll start teaming up with the toaster oven and the microwave, and next thing you know, you've got a droid running around the kitchen throwing knives at you.


GRAHAM CLULEY. Hey, did you see this week that Amazon thing where it's like they have an Amazon drone thing for inside your house?


DAVE BITTNER. Yes.


CAROLE THERIAULT. Jesus, what? What do you mean?


GRAHAM CLULEY. It flies around trying to work out if anything dangerous is happening, and then presumably takes actions.


CAROLE THERIAULT. Are you fucking kidding me? No.


DAVE BITTNER. I said this has to be a joke, right? This is a joke.


CAROLE THERIAULT. Yeah, it's gotta be a joke. So you have a 3-year-old that throws a ball at the mother or something, because he's just throwing something, and the thing comes around and goes— and shoots it out of existence.


GRAHAM CLULEY. 30,000 volts. Tasered.


DAVE BITTNER. Please put down your weapon. You have 5 seconds to comply.


GRAHAM CLULEY. It's Skynet. Effectively, it's Skynet.


CAROLE THERIAULT. And people are inviting these into their home.


UNKNOWN GUEST. Oh.


GRAHAM CLULEY. Yes. So maybe the coffee machine will sprout wings or little propellers at some point. Maybe that'd be another one.


DAVE BITTNER. Could happen.


GRAHAM CLULEY. Anyway, so Martin Hron, he managed to install new firmware and he thought, oh, now I can install new firmware. What shall I do with it? And his first thought was crypto mining. He thought, well, maybe what I could do is I could use the processor on the coffee maker to grind away earning cryptocurrency. He said, would that be possible? And he reckons that's feasible, but because the speed of the chip's only 8 MHz, it's quite slow.


CAROLE THERIAULT. Okay, people are— this is showing us that even researchers are very bored in this bronetomics.


GRAHAM CLULEY. Or very stupid. Yes, bored. Let's call it bored. And then he thought, no, no, no, no, no. He said, no, not crypto mining. He said, let's not do that, let's do ransomware. And so he effectively wrote a ransomware proof of concept, and it doesn't encrypt your drinks. Instead, what it does is it locks up your coffee machine. So your machine is now beeping, it won't make coffee, it does occasionally spurt out hot water, and it displays on the screen, on the little panel, displays a little devil-like icon and a short message telling you to go to a link to unlock the coffee machine.


CAROLE THERIAULT. You know what, Mr. Martin Hron, you deserve a slap. Because, okay, maybe I don't just love coffee, maybe I am addicted to coffee, but tell you what, that would piss me off.


DAVE BITTNER. Well, that's the point, isn't it? Yeah, well, why?


CAROLE THERIAULT. Why? Because I bought it? I'm the victim of all his crap because he's upset with the people that made the coffee machine? Unfair.


GRAHAM CLULEY. So he reckons— so what he did was, he could make the machine turn on its burner, spew out hot water, endlessly spin the grinder.


DAVE BITTNER. Oh my—


CAROLE THERIAULT. I would—


GRAHAM CLULEY. I mean, you would. And all the time it's beeping away. And so you might well pay. But of course, you're not going to pay more than $250 because you could just chuck it in the bin and replace it with another one.


CAROLE THERIAULT. Can you imagine calling the cops? I don't know what's going on. My coffee machine is possessed.


DAVE BITTNER. Miss Theriault, we're going to have to ask you to stop calling us.


GRAHAM CLULEY. Exactly.


CAROLE THERIAULT. This is the 15th time this week.


GRAHAM CLULEY. They would think you're totally tinfoil brigade, wouldn't they? So you can just unplug the coffee machine, obviously. Or you could just stop drinking coffee, which might be a good thing. But then if everyone stopped drinking coffee because of this, industry could crumble. Society would be devastated. It would be end of times.


CAROLE THERIAULT. We're already there, darling. We're already there. I don't know if you've been paying attention to the news.


GRAHAM CLULEY. Only Dave and I, who've been strong enough to resist the lure of coffee, would survive.


DAVE BITTNER. At last, our time has come.


GRAHAM CLULEY. Emperor and Empress.


CAROLE THERIAULT. All the normal people are decimated, so—


DAVE BITTNER. It'll just be me and Graham playing chess together, just the two of us.


CAROLE THERIAULT. Adam and Adam.


GRAHAM CLULEY. Singing show tunes. Now you might be wondering, how do you infect a coffee machine? Well, you have to be quite close to it because you have to be on its Wi-Fi. You have to be on the same Wi-Fi. So you'd have to go to an office which you knew was using this make of coffee machine. Or a home which was, with your little phone to infect it. Or you could, in theory, infect the router, and then it would remotely infect the coffee. I'm not sure if anyone would actually bother doing this, to be honest.


CAROLE THERIAULT. Do you think any of our listeners have one of these?


GRAHAM CLULEY. Well, it's quite possible, yes. Martin Hron, we don't know if he listens.


CAROLE THERIAULT. Okay, I want to hear from somebody with one of these. I want to understand what the advantage is, why this is worth it. I just don't get it.


DAVE BITTNER. Is this a particular brand?


GRAHAM CLULEY. Well, this is the thing, of course. There are other coffee machines out there. Which maybe Martin Hron and EvilSocket haven't yet turned their attention to. But if they did, I wonder if they'd suffer similar problems. Now, normally with these kind of things, you think, well, just turn off the Wi-Fi, disconnect it, don't allow it to connect, don't give it your Wi-Fi password.


CAROLE THERIAULT. I guess that breaks it.


GRAHAM CLULEY. You'd think so, wouldn't you? But actually, with this particular machine, if you don't connect it to your local Wi-Fi, it is smart enough to say, oh, I'm not connected to Wi-Fi. I will start broadcasting my own Wi-Fi hotspot. Default username.


CAROLE THERIAULT. Oh.


GRAHAM CLULEY. Making it even easier for people to connect.


CAROLE THERIAULT. So you can have coffee even when your Wi-Fi's down is the idea, is what they were thinking originally.


GRAHAM CLULEY. Oh, I hadn't thought of that, Carole.


CAROLE THERIAULT. That's probably why they did it, but they didn't think about the fact—


GRAHAM CLULEY. Because if your Wi-Fi's down, then you'd need coffee, I suppose.


CAROLE THERIAULT. This is just a bad idea. What is wrong with a Bodum plunger? What is wrong with a little old espresso maker, cafetière? What is wrong?


GRAHAM CLULEY. I don't know.


CAROLE THERIAULT. I'm just— yep. I'm on the other side now.


GRAHAM CLULEY. Alright. So I think, Carole, have we convinced you that coffee just isn't worth bothering with?


CAROLE THERIAULT. Yes, that was a very logical debate. And that is where we got to. I'm never going to drink coffee again, Graham.


GRAHAM CLULEY. Wow. You can share the throne with us. We'll budge up our buttocks to give you some room for yours. And we can rule the world. Excuse me? Because we will be—


CAROLE THERIAULT. Yeah, no, I'll leave that to you guys. You guys got this.


GRAHAM CLULEY. Dave, what's your story for us this week?


DAVE BITTNER. Well, you know, I think all of us growing up, we are familiar with black lights, right? Things glow under black light. I know certainly, Carole, you probably spent a lot of time out in the clubs and the discos dancing. What's he saying?


GRAHAM CLULEY. I've never heard of these things. What do you mean I'm familiar with these?


CAROLE THERIAULT. Yeah, I can tell you what I think it means.


DAVE BITTNER. Are you serious?


CAROLE THERIAULT. Yeah, it's either like the light in a dark room, or it would be ultraviolet lights.


DAVE BITTNER. Yeah, so I know, no, no, no, no, this is fascinating. You're actually not familiar with the term blacklight, is that right?


CAROLE THERIAULT. No, I don't think I am.


DAVE BITTNER. Huh, interesting. Maybe it's an on-this-side-of-the-pond term. Well, a blacklight, yes, it is an ultraviolet light. So there are light bulbs that are blacklights, there are fluorescent lights that are blacklights, and it is a thing, like if you go through a carnival funhouse. It's the light that makes things glow. It makes your t-shirt glow.


GRAHAM CLULEY. Oh, yes, I've seen that, yes.


DAVE BITTNER. Right? You know what I'm talking about?


GRAHAM CLULEY. Right, yes.


DAVE BITTNER. Okay, that's a black light.


CAROLE THERIAULT. Aren't they used in CSIs for like, you know, discovering body fluids and that sort of thing?


DAVE BITTNER. Well, that's where we're headed, Carole Theriault.


GRAHAM CLULEY. Okay, okay, I'm listening. Newsround, Dave. Yes.


DAVE BITTNER. So, turns out that black lights are not only fun at a party, but they have this purpose that bodily fluids, including blood and other emissions fluoresce under black light. Earwax, right? That's exactly what I was thinking. So they fluoresce under black light, which means they glow under black light. So good word. Thank you very much. So, and this became all the rage probably about a decade ago. There were lots of TV shows that basically— and local news shows were taking their black light flashlights to local no-tell motels.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Stephen Stane.


DAVE BITTNER. Right. And just shining the light on everything. And they'd have a counter going of how many stains were all in the strangest places where the stains showed up. You know, how did the stain get on the ceiling fan?


GRAHAM CLULEY. I once stayed in a Days Inn Express outside Boston, I think, which was probably a prime candidate for this kind of thing. Slightly grubby.


DAVE BITTNER. Right. I think we've all been in suboptimal hotel rooms from time to time. And you don't want to think too much about the number of people who have shared that mattress before you. And you hope that the cleaning crew is vigilant. And at the very least, you have a fresh set of sheets on the bed.


GRAHAM CLULEY. But Carole and I, we know a chap who won't make a cup of tea from the kettle or iron his shirts with the iron which is supplied.


CAROLE THERIAULT. Ask why, Dave. Ask why.


GRAHAM CLULEY. Why?


DAVE BITTNER. Why is that?


GRAHAM CLULEY. Because he fears that they won't have used water in them. Someone might have used something else.


CAROLE THERIAULT. You know, he thinks people get lazy. They're pissed. They won't bother going to the loo, you know, that's 5 meters away. So they just take a wee.


GRAHAM CLULEY. How do you go in the iron, Carole? How do you go in the iron? That's not easy.


DAVE BITTNER. How do you know, Graham?


GRAHAM CLULEY. On you go, Dave, carry on, don't let us distract you.


DAVE BITTNER. Yes, let's move on. So it's just that kind of show, isn't it? So—


CAROLE THERIAULT. It's my fault.


DAVE BITTNER. Yes, so a blacklight is a useful tool for basically evaluating a crime scene. So, I tell you that to tell you this.


GRAHAM CLULEY. Yes.


DAVE BITTNER. There is a nonprofit news organization called The Markup, and they publish stories about tech things, privacy, and so on and so forth. They have developed a tool that they call Blacklight, and it is a real-time website privacy inspector. And so what you do is you put the website address in their little menu item there, and you hit the Scan Site button, and it will give you a report of how your site ranks in terms of the number of scanners and things that may compromise your privacy. Now, Graham, I know you were looking through the show notes and you loaded your own Graham Cluley site on here. How did you do?


GRAHAM CLULEY. I came up with a completely clean sheet, which isn't what I found at the Days Inn Express, I have to say.


CAROLE THERIAULT. Did you— no, no, but did you already know what they were going to look for and cleaned it up first?


GRAHAM CLULEY. No, no, no. I had no idea what blacklight was going to do, but it looks like it's looking for tracking pixels and all kinds of nastiness and whether keystrokes are being logged. And I also put some other pages into this, and I was quite surprised. Some sites, including some which you would consider to be security-related, are doing an awful lot of spying and sometimes creepy spying on their users.


DAVE BITTNER. Right. And one of the things that they point out in their write-up about this tool is that it's quite easy to inadvertently end up with trackers on your website. So, for example, if you're using the free version of Disqus. It's an easy way to add commenting on your site. If you're using the free version of that, well, the reason that it's free is because they insert ads, and those ads have trackers. And so there are all sorts of things like that where just by making use of a free tool, you may end up with a dozen or so trackers on your website that you didn't mean to install. They went and scanned hundreds of sites and they found, for example, I think there was a site that provided women's healthcare services, pregnancy services, and things like— things where privacy is a real concern, that were doing tracking that the organizations weren't necessarily aware of. They found a bank that was doing keylogging of username and passwords, and sending the username and password in the clear to a third-party organization.


GRAHAM CLULEY. What?


DAVE BITTNER. Yeah, they reached out. They reached out and let them know, and this was put to a stop. But yeah, so it just goes to show you never know. I like their own description here. They say, I like to think of Blacklight as a meat thermometer that you can stick into any website and get an instant reading on its level of creepiness.


CAROLE THERIAULT. See, I'm looking for websites right now while you're talking to try and find one. So I've now just hit on OKCupid. I thought that might be a good one with lots of tracking. I'm trying to find one with lots of tracking to see how we can see it.


GRAHAM CLULEY. Why don't you try— I haven't tried this one. I'm going to try TechCrunch because I think—


CAROLE THERIAULT. Oh, Forbes. Oh, Forbes.


GRAHAM CLULEY. Yes. Go for Forbes. Yes.


CAROLE THERIAULT. Forbes. Forbes.


DAVE BITTNER. I'm on it.


GRAHAM CLULEY. Yes. Forbes.


DAVE BITTNER. Forbes.


CAROLE THERIAULT. Oh.


GRAHAM CLULEY. Let's see.


DAVE BITTNER. See, maybe we've created a new game here. Who can find the website with the most trackers?


GRAHAM CLULEY. Oh, Forbes. Disappointingly few. I haven't got many on Forbes.


CAROLE THERIAULT. I got 3 ad trackers, 1 third-party cookie. That's pathetic.


GRAHAM CLULEY. OK. Daily Mail. The Daily Mail.


CAROLE THERIAULT. The Sun.


GRAHAM CLULEY. Okay, let's do this. Daily Mail.


CAROLE THERIAULT. Ooh!


GRAHAM CLULEY. Daily Mail.


CAROLE THERIAULT. Okay, The Sun. What do you have for The Daily Mail?


GRAHAM CLULEY. 22 trackers. Oh, you beat me.


CAROLE THERIAULT. 21 ad trackers on The Sun.


GRAHAM CLULEY. 7 third-party cookies.


CAROLE THERIAULT. How many? Okay, they definitely win.


DAVE BITTNER. Yeah. Whoa. New York Times has 10 ad trackers and 6 third-party cookies.


CAROLE THERIAULT. Yeah, it's nothing. It's peanuts.


GRAHAM CLULEY. Nah.


CAROLE THERIAULT. What about a porn site? Playboy?


GRAHAM CLULEY. I wouldn't know the name of any of those.


DAVE BITTNER. Yeah, me neither. Yeah.


CAROLE THERIAULT. Oh, it's taking a long time. It's obviously got interested in the pictures.


DAVE BITTNER. Your laptop bursts into flames.


GRAHAM CLULEY. Smashing Security. Oh no, we shouldn't look at that, just in case. We don't control it. We don't control it. Smashing Security. I'm gonna take all this out. Let's just have it. It's looking, it's searching. Wow.


CAROLE THERIAULT. Okay. Playboy.com, 10 ad trackers, 8 third-party cookies. Tells Facebook when you visit the site. Tells Google Analytics when you cross— when you—


DAVE BITTNER. All right, I'm looking at smashingsecurity.com.


GRAHAM CLULEY. Moving on.


DAVE BITTNER. One ad tracker, one third party cookie. That's not bad.


GRAHAM CLULEY. I think Smashing Security does have Disqus comments on it.


DAVE BITTNER. Yeah, that's probably what it is.


GRAHAM CLULEY. It may well be that I'm putting this little handy website in my bookmarks. Nice.


DAVE BITTNER. Yeah, so a handy tool to find out exactly what's going on with some of the websites that you frequent.


CAROLE THERIAULT. Can I just thank you, Dave, because some people would try and slip this in in the pick of the week section, even though it's clearly security related, and I think it's much smarter what you did, and I appreciate it.


GRAHAM CLULEY. Carole, what's your topic this week?


CAROLE THERIAULT. So it is said that every single second, some 100 IoT devices are connected to the internet.


GRAHAM CLULEY. Wow, golly.


CAROLE THERIAULT. Yeah, during the first quarter of 2019, 31% of US broadband households, I guess households that have broadband, owned smart speakers with personal assistants or home assistants. And if the total number of connected devices doesn't shock you, consider the amount of data these devices are expected to generate. So Cisco has estimated that nearly 850 zettabytes will be generated by all the people, machines, and things by 2021, 3 months from now. Now, a zettabyte is equal to about a trillion gigabytes, and 1 trillion seconds is equal to about 31,000 years, just to give you an idea of how much data we're talking here. A lot of data.


GRAHAM CLULEY. A little bit. More than you can get onto a 720K floppy.


CAROLE THERIAULT. Yeah. A bit more than you can get trying to break into a coffee machine.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. And one of the areas that is on the rise is that of the smart home. According to Statista, the number of smart homes in the market worldwide is expected to be almost 500 million in 2025. And I suspect actually with the onslaught of COVID we're gonna smash through that prediction with ease. And one of the areas that I wanna talk about today in the smart home technology segment is the security element, the home security. This huge market expected to reach $8 billion in a few years, and it's growing at a clip. Literally, I think every 2 or 3 podcasts I listen to has some ad about how I have to live in a digital fortress to feel safe and secure in my house. Have you guys heard these?


DAVE BITTNER. Yeah, absolutely. Yes.


GRAHAM CLULEY. Yes. What do you mean?


CAROLE THERIAULT. Like ad spots kind of going, are you feeling safe at home? Why don't you try this service? We will monitor your home 24/7 and we'll have an alarm system.


GRAHAM CLULEY. Oh, really?


CAROLE THERIAULT. You've not? Oh, I hear them all the time.


DAVE BITTNER. Yeah.


GRAHAM CLULEY. So people are buying internet-enabled home security systems, or at least they're being advertised to left, right, and center.


CAROLE THERIAULT. Yeah, and it's a big market. They're really campaigning for it. And it's a scrappy market. So my first question here, the question I was hoping to answer is, is a smart home safer than a more traditionally secured home? So traditionally we're talking things like what? We're talking high fences, a dog perhaps.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Alarms that, you know, that just ring to annoy the neighbors enough that they call the cops? Isn't that the way it used to work in the old days?


GRAHAM CLULEY. In the case of my house, a moat and drawbridge filled with crocodiles. Yes.


CAROLE THERIAULT. And what else? You'd have motion lights, that kind of thing, right? There's all these kind of elements that kind of—


GRAHAM CLULEY. Ninjas.


CAROLE THERIAULT. Yes, of course. Yeah, you have the ninjas. Yeah, that's really good.


DAVE BITTNER. Cages that drop out of the sky.


CAROLE THERIAULT. And okay, and what do smart homes offer as far as you guys know that's different from all that? Like, they definitely have the video doorbells.


UNKNOWN GUEST. Yeah.


GRAHAM CLULEY. Well, I imagine it's some sort of app component so that you can watch yourself being burgled while you're out at the restaurant.


CAROLE THERIAULT. Yes. And I guess the idea of that, you give it to the cops and then they'll be able to catch that burglar. Right?


DAVE BITTNER. Yeah. I think that these, they feed on people's anxiety. They are anxiety machines. Or they— for example, I remember years ago when I was first out of college and we were all living in apartments and so on and so forth. I had a friend who was just super nervous that someone was going to come and steal his stuff, to the point where we were out at dinner one time and he said, "Listen, I've really got to get back. When I left the apartment, there was someone out in the parking lot who I didn't recognize and I'm afraid— I just gotta get back to check on my stuff." It's absurd. But my point is that I think by being able to monitor all of these things in real time, you kind of get hooked on that. Like, oh, let's look out to see what the camera's doing in the backyard. Okay, all clear. Someone walks by in front of your house and you get a ping on your phone. Who was that? Who was that? You can go look it up and see who it was. And so you get hooked on that.


CAROLE THERIAULT. Yeah, yeah, I've been on holiday with people who are like, oh, the cat lady should be arriving about now. Let's look in and see if she's arriving one time, since she's 5 minutes late.


DAVE BITTNER. Yeah, you know, yes, to that point, one of my neighbors went away for a while, and she hired my son to feed her cats. Right. And so, the first day, my son goes in, and he feeds the cats, he gives them the food, and he, you know, he pets them a little bit.


CAROLE THERIAULT. Heads to the underwear drawer, no kidding.


GRAHAM CLULEY. The next day he goes in, takes all his clothes off.


DAVE BITTNER. Right, does a little dance, gets down tonight. He feeds the cats, does what's expected of him, and he leaves. And he gets a call a little bit later from the woman, and she says, listen, according to my alarm system, you only spent 2 minutes in the house. That's not long enough. Yeah, we were talking about playing with my cat as well. Yeah. Right, yeah. So my son is like, Dad, what?


UNKNOWN GUEST. I don't understand.


DAVE BITTNER. I said, listen, just go in, feed the cats.


GRAHAM CLULEY. Read them a story.


DAVE BITTNER. Sit on the couch for 10 minutes, look through your phone. Tuck them in. And then leave, right? This was being asked of you, you know. But again, it's that anxiety. Like, the fact it was— the fact that she could monitor what was going on, I think that's what they're feeding into and trying— they're making money off of it.


CAROLE THERIAULT. Oh, totally. I even saw one of these sites in my research that offers watering plants, except it detects when it rains, so it doesn't do it then, so that a burglar— like, what, burglars were going to check your lawn and go, oh, looks a bit dry, he's not home? Like, so weird. Yeah. Yeah. We've heard tons of instances where it's failed the user, smart security, haven't we? Right. Where there's like loads of fails. There's like baby monitors being hacked and scaring the shit out of customers, or home assistants inadvertently recording and storing those recordings. And it's just, in my experience, every single one has a different configuration option list and a design, a different UI, making it super difficult for the average user. And many people on these things identify themselves through their own email account, like their primary email account. And as we know, if they get compromised—


GRAHAM CLULEY. And probably they might, well, if they set a password at all, they're probably using something which they've used elsewhere on the internet. Yeah, exactly.


CAROLE THERIAULT. Apparently last year, in 2019, there were 2 billion records exposed in this massive smart home breach that affected the customers of a Chinese company called Orvibo. And they didn't get much, don't worry. It was like email address, passwords, account reset codes, precision geolocation, IP address, username, user ID, family name, family ID, smart device, device that accessed the account, and scheduling information.


GRAHAM CLULEY. Inside leg measurement. Hardly anything. Talking about fostering fear and anxiety. No, no, no. As to what you've just been doing. Shouldn't we just say, don't worry about it. Yes, it's all the security features.


DAVE BITTNER. Isn't that the whole point of this show?


CAROLE THERIAULT. I'm not sure smart security is actually that smart. I think you just go back to more traditional methods. Anyway, listen to this anecdote, okay? So this drives my point home. So CBC, a Canadian broadcast company, published this article on Monday where this homeowner said she got a message from a stranger saying he had complete control over her home. And quote, as she stood alone in her front hall, she watched in disbelief as the man unarmed the system, unlocked doors and windows, and told her he could track her when she left the house, all with a few clicks of the security company's app. Any idea what might have happened?


GRAHAM CLULEY. Um, no.


DAVE BITTNER. Was it an insider at the security company?


GRAHAM CLULEY. Oh, that's a good—


DAVE BITTNER. or, oh, you know what, maybe it was, um, Here's a guess. She went down to her local coffee shop because we know how dangerous that can be. Risking death. Yeah, so she signed up to be on their discount thing and she used the same email address and password as her home system. And the man behind the counter had a shine for her and so he went into the system and looked it up and that's how he had access to her home. That's my guess, Carole.


GRAHAM CLULEY. Is this a romantic novel you've been writing, Dave?


DAVE BITTNER. It'll be available by the end of the month.


CAROLE THERIAULT. Um, no, that's not what happened. So, uh, the guy used to own the house. Ah, but it gets even more interesting than that. He swore up and down that he made numerous calls to cancel the service weeks before she moved in, but somehow he still had access. Now, question number 2: why would this happen, do you think? Why would— if he's called Superior lots of times and said, "Come on, cancel this, cancel this," why would they be dragging their feet?


GRAHAM CLULEY. Well, because there's no money to be made from that.


DAVE BITTNER. Well, I think maybe the system wasn't designed with this in mind. Yeah, I think you're both right.


CAROLE THERIAULT. The problem is the cancellation policies. So people are like, "Oh, no, no, no, no, no. I think if you read your terms and conditions—" Sorry, that ugly word rears its ugly head once again. "But you will have seen in the fine print that you actually have to give us 60 days notice or 30 days notice or 45 days notice before we can cancel. So I'm afraid, sir, you're going to have to keep paying us until— but we've logged your request." Hmm. So it turns out that loads of people are trying to actually do the right thing, cancel their accounts in time, but the long cancellation period in the policy basically makes it impossible. Guess what? They don't cancel the account or his access, and the fallout is the same. He has complete control over a house that is now occupied fully by its new owner. The guy, after he told the owner and explained his whole situation, he contacted the provider and he said, "Again, I really want to have my access revoked." They said, "I'm sorry, you're going to have to wait still a few more days before we can cut you off." He told them, quote, "So you're going to give me access to somebody else's house? I literally could go on the app, I could watch them leave the house, I could walk up to the front door, unlock it, disarm the system, walk in and steal everything in the place because an alarm company gave me access." And in 30 seconds, he was deactivated.


GRAHAM CLULEY. Well, I think they should have stood their ground. Could he not have shown some self-restraint if he was the only per— I mean, he was the person who had this access, and he knew he had this access, and he knew that access was wrong. And then he's like, oh look, I've been given access. I shouldn't have access. I shouldn't have access. And then he accesses it and then he shows that he can do it. Just don't use it. Just grow up, man. Why on earth are you doing this? Fiddling with someone else's back door?


CAROLE THERIAULT. The reason he's doing it is to try and tell people this is a serious problem and we need cancellation policies that fit in with the lifestyle that people actually like to leave their house and buy a new one occasionally.


GRAHAM CLULEY. Yeah, right. Well, you've drunk the Kool-Aid, haven't you? Because the problem is, you see, that if you're a bad guy who has access because you were the previous tenant, you're not going to tell the company, oh, by the way, can you cancel this? Are you? So that doesn't actually work. He's going to retain the access. So I don't understand. He's just given a scenario where he's a good guy who cares about this, who wants to cancel it, and they won't cancel it. I'm saying if you were a bad guy, you wouldn't request to cancel it.


CAROLE THERIAULT. All right. Welcome to Graham's Logic Show, everybody. And I'm going to leave it there.


DAVE BITTNER. I spoke with a, I spoke with a security researcher probably about a year ago, who had the same thing happen with a car that he sold. And he was able to, on his app, still get the GPS location of the car that was no longer his. He was able to unlock the car. He was able to remotely start the car.


CAROLE THERIAULT. I think he told us about it on the show, actually.


DAVE BITTNER. I think he did. Yeah, yeah, so, oof. Anyway, there you go.


CAROLE THERIAULT. So be careful, guys. Read your terms and conditions. And maybe smart security ain't that smart yet.


GRAHAM CLULEY. So, can I just add one suggestion as how this could be improved? So, shouldn't there be a way for the new owner of the property to override the contract of the previous owner?


CAROLE THERIAULT. No, definitely not. I don't think that's the right thing at all. No, if you are— Of course they should. Yes. Of course.


GRAHAM CLULEY. There should be legislation in place. Please use your sarcasm on me.


CAROLE THERIAULT. There should be legislation in place that says, oh, wow, a house these days isn't just bricks and mortar, it's all the technological gizmo fibzo that goes with it, like your smart fridge or your smart coffee maker, potentially, if they've left it behind, or the security, because that's all going to be hardwired, a lot of it. You're not going to take that with you as you leave.


DAVE BITTNER. Let me ask you this. When you have purchased a home, did you— and the old owner, you're at the settlement table and the home is now yours and they hand over the keys. Did you then have all the locks changed, or did you trust that the old owner was giving you all the keys?


CAROLE THERIAULT. No, I got burgled, so I had to change all the locks. For real? Yeah. The big problem with being burgled is the mess they make. So if you had a clean burglar that just came in and said, look, I'm really sorry, I stole your computer because I'm starving, and thank you very much, goodbye.


GRAHAM CLULEY. Oh, but your burglar left you a little gift, didn't they? No, no, no. I thought they left a little calling card in the middle of the carpet. Is that someone else that happened to? Oh, sorry, I imagined.


CAROLE THERIAULT. No one, as far as I know, has ever shat in my carpet.


DAVE BITTNER. Well, have you tested it with a blacklight?


GRAHAM CLULEY. I can't believe it's still been all these years and you haven't found it yet. This episode of Smashing Security is sponsored by LastPass. Now everyone knows about LastPass's password manager for end users, but it's also a great solution for businesses. In fact, tens of thousands of companies rely upon LastPass to protect themselves. LastPass Enterprise simplifies password management for companies of all sizes and helps you secure your workforce. So, whatever the size of your business, go and check it out. Go and visit lastpass.com/smashing to find out more. And thanks to LastPass for supporting the show.


CAROLE THERIAULT. Do you ever lie awake at night wondering whether you're doing enough to protect all that sensitive information that resides on the corporate cloud? Well, you're not alone, but thankfully the cloud security experts at Oracle are here to help. You see, they've made available to Smashing Security listeners 5 reports that deep dive into different security issues all pertaining to the cloud. You can access these for free at smashingsecurity.com/oracle. That's smashingsecurity.com/oracle. And thanks to Oracle for sponsoring the show. And welcome back.


GRAHAM CLULEY. And you join us for our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


DAVE BITTNER. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily. Better not be. Now, my pick of the week this week, well, I am going to draw my— actually, Dave, you love a bit of music. I do, yes. So what I'm going to do is I'm going to sing the opening line from a song and see if you can carry it on.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Music was my first love and it will be my last. So what key was that? Do you not know this song, Duncan? I do not.


DAVE BITTNER. No, it's not really.


CAROLE THERIAULT. I don't know it either. Well, not so far. Really?


GRAHAM CLULEY. Music of the future. I wanted him to go, hi. And music of the— Let me start again. Well, my pick of the week this week is all about music. And specifically, it is a YouTube channel called You Can't Unhear This. Now, you might be curious as to what You Can't Unhear This is all about. It is about the quirks in some songs. And specifically, the channel owner seems to have focused on Beatles songs, although he may branch out in the future as well, because there are little curios locked away in some of these songs. Things which, once you have heard them, you never miss them again. So it may be an incorrect note, or it may be, for instance, if you're listening to Strawberry Fields, which famously is two tracks sort of edited together at one particular point. It goes from a track and then it goes to one which is being played at a different speed, and it's beautifully done. Or if you've heard the song Hey Jude, you know Hey Jude, which apparently Paul McCartney has now sung over, I think, 66,000 times during his career. So someone's worked out how many Hey Judes he's— how many na na na na's he said. There is a point in Hey Jude when he's singing where you forking hell in the background. And once you've heard it, you can't mistake it. But that's a song which is played all the time. And people, it sort of drifted past them.


CAROLE THERIAULT. Is that very exciting when you hear those?


GRAHAM CLULEY. It's— I find it quite interesting. And there are also questions like, for instance, at the end of All You Need Is Love, there is a bit as it's going out where someone sings, she loves you. Yeah, yeah, yeah. Like that at the end of All You Need Is Love. And there's been long debate— is it John or is it Paul singing? And this guy goes into forensic detail, including video footage, to work out exactly what happened. And it's— it is genuinely quite fascinating, the true story of who said that and how it— are you not going to tell us as well? No, you're going to have to watch the link.


CAROLE THERIAULT. I'm not watching it. Then you will never know.


GRAHAM CLULEY. And I'll never know. And for the rest of your life you will wonder and you will think—


CAROLE THERIAULT. yes, I will. I wonder. It'll eat me alive. This is the beginning of the end.


DAVE BITTNER. There'll be emptiness.


GRAHAM CLULEY. You're thinking there's a piece of information Graham knows, which I don't. And you will suffer. And you will wake up in a cold sweat when you're 74 years old thinking, "If only." No gaslighting or anything, everybody. "If only he had told me that." And that is why this is mine and not Carole's Pick of the Week. You can't unhear this on YouTube. Fucking hell. Dave, what's your Pick of the Week?


DAVE BITTNER. My pick of the week is from the folks over at ProPublica. And I am a fan of interesting design online. It so rarely happens that you get actually really good design, design being part of conveying information. And I think this is a really good example of that. This is a story they published. It's called New Climate Maps Show a Transformed United States. And I apologize for this being US-centric, but it also has to do with Canada. So there you go. So what this is, is a story about how climate change is going to affect where people live and, and perhaps more importantly, where food is grown throughout North America. And as you scroll through, it shows you a live map that's changing as the information scrolls by, and it shows you where people live and where food is grown, and as the climate continues to warm, which seems to be the track that we're on, how that will affect things. And the bottom line is that things are going to move north. People are going to have to move out of the American South because it's going to be too hot for people to live there comfortably, hot and dry. Well, hang on a moment.


GRAHAM CLULEY. What are the Canadians going to think about all these Americans moving north?


DAVE BITTNER. Well, that's— I was thinking, you know, I'm sure there's someone in Washington who has their invasion plan that they're working on right now, because when the time comes—


CAROLE THERIAULT. I think there probably is. Yeah. Yeah.


DAVE BITTNER. In fact, I'm sure there is. There's— I've read stories about how the US does have an invasion plan for Canada just in case.


CAROLE THERIAULT. I mean, I hate to quote South Park, but they had an episode where Canada had a wall, right? And try it. Yeah. So I don't know. I don't know.


DAVE BITTNER. Maybe, maybe he was thinking on the wrong border. But the breadbasket may move north into Canada where, as things are better able to be grown there. Now, selfishly, I was looking at this in my own, my home state of Maryland where I live. Where I live seems to be in the green zone, but you have to consider that all those people living south of us who are gonna have to go somewhere, they're gonna be heading north. And so what I've been wondering is, is now the time to buy up cheap farmland in West Virginia, which can be had for practically nothing at all? As these people move north, they're gonna have to have places to go. So should you be buying up cheap land in places like that and maybe in Canada because over the next few decades—


CAROLE THERIAULT. Capitalize on the poor starving people that are trying to get away from the burning sun.


DAVE BITTNER. You always put your spin on things, Carole. Always put your spin on things. Little Miss Sunshine there. I can always count on you. Right? Am I right, Graham?


GRAHAM CLULEY. Am I right? You are. You are right. She loves all this.


DAVE BITTNER. So serious stuff. This article is definitely worth a look, and it's beautifully put together, which makes the information that much much easier to understand. So highly recommended over on ProPublica. We'll have a link in the show notes, right? Absolutely. And that is my pick of the week.


GRAHAM CLULEY. Brilliant. Carole, what's your pick of the week?


CAROLE THERIAULT. Okay. Do you guys know Hank the Cowdog?


GRAHAM CLULEY. Not intimately. You know what it means? No. Who is Hank the Cowdog?


CAROLE THERIAULT. If I say, "It's me again, Hank the Cowdog," that means nothing to either of you.


GRAHAM CLULEY. Is Hank a name or a verb?


CAROLE THERIAULT. Hank is the name. Okay. So this is the opening statement of the start of over 74 children's books by John R. Erickson. And he sold more than 10 million copies worldwide. Hank the Cowdog is the self-declared head of ranch security. There, I've done it again.


GRAHAM CLULEY. Oh, you've done it right.


CAROLE THERIAULT. Eh, eh, we need a little claxon. Jesus.


DAVE BITTNER. Do as I say, not as I do.


CAROLE THERIAULT. Hank the Cowdog is the self-declared head of ranch security. He finds himself smack dab in the middle of a host of tangled mysteries and capers that span the universe of the Texas Panhandle cattle ranch Hank calls home. It's the longest sentence in the world. So basically, he's the head of ranch security, and he gets up to all kinds of mischiefs and mysteries. And, uh— This multi-winning collection of books has become a brand new podcast, which came at the beginning of this month.


GRAHAM CLULEY. Have you listened to the podcast?


CAROLE THERIAULT. Yes, I have.


GRAHAM CLULEY. You have listened to it? Oh, okay.


CAROLE THERIAULT. Yes, I have. Because do you know who plays Hank the Cowdog in this podcast?


GRAHAM CLULEY. Oh, this could be fun to guess. Is it Joe Pesci?


DAVE BITTNER. Nope. Okay. Christopher Walken?


GRAHAM CLULEY. Nope. Who else is there?


CAROLE THERIAULT. We could make this a Patreon special. Keep going.


DAVE BITTNER. Paul McCartney?


CAROLE THERIAULT. It's none other than Matthew McConaughey. What is your problem, gentlemen?


GRAHAM CLULEY. Don't tell me you like him. I love him. He's a bit sleazy. Why is he sleazy? He's just a bit.


CAROLE THERIAULT. They're just— they're— what, because he's hot?


GRAHAM CLULEY. Yes. Well, girls might think he is. I think— And he's a really good actor?


DAVE BITTNER. Hot in a— In a poorly groomed kind of way. Did you watch True Detectives? I can't imagine he smells very good.


GRAHAM CLULEY. Whereas podcasters who don't drink coffee smell magnificent.


CAROLE THERIAULT. Well, both of you are just old, conventionally boring old farts, okay? It's great. They are narrated, but there's an overlay of serious, exciting drama. It's fun, it's crazy, it's wonderful, and it's for kids primarily. So this is a podcast that you will enjoy if you like Matthew McConaughey, unlike these two dozos. And you should take a listen and try it out. So you can find it, it's called Hank the Cowdog. You can find it wherever you get your podcasts.


DAVE BITTNER. Do you all have the series of commercials that he's in for Cars over here? No. Okay, we do. They're insufferable.


CAROLE THERIAULT. Oh yeah, the god, the guy's trying to make a living. What a twat.


GRAHAM CLULEY. Well, on that Matthew McConaughey type note. Oh, Carole, we've got a featured interview this week, haven't we? Yes, we do.


CAROLE THERIAULT. Let's just dive right in. So today we have Greg Jensen of Oracle. Now he is the main guy when it comes to cloud. One of many. How do I say your title? Your titles, titles in technology are so long. They are. Tell me your title. Tell me, you'll be better at it than I am.


UNKNOWN GUEST. Senior Director of Cloud Security at Oracle.


CAROLE THERIAULT. Okay, well that's good cuz we wanna talk cloud because, uh, Oracle, well first is one of the big boys out there really. I mean, everyone's heard of Oracle. Have you been there a long time?


UNKNOWN GUEST. You know, I've been here a few years. I'd like to say a long time, but there's always people that have been here longer.


CAROLE THERIAULT. I know. I was at a company once for 15 years and there were still people that said, "15? I was there 20." So you can never win. Yeah, yeah.


UNKNOWN GUEST. I've been here about 8 years. Wow. And what's it like?


CAROLE THERIAULT. What's it like working at Oracle?


UNKNOWN GUEST. Well, you know, Oracle is one of those companies that they give you a rope long enough to climb and succeed. And so it's a very fun organization to really find some amazing projects to attach yourself to. And grow within. Over the last 8 years, we've seen the cloud really kick in, and it's been an amazing time just for me personally, just being, being able to see this big movement of cloud within our customers, within my own team, and be able to see this big wave move.


CAROLE THERIAULT. See, this is why I'm so excited that you're here, because the other day when we were talking and just prepping for this interview and having a chit-chat, we were talking a bit about migration trends. And I know that LinkedIn put out some numbers about that, but— Effectively. Yeah. What we're seeing is that people are actually, you know, because of this pandemic, are actually moving locations. Yeah.


UNKNOWN GUEST. They really nailed down, at least in the US, that they show that many people in the large cities are really migrating away and they're moving to these smaller, lower-cost cities. What's really, I think, enabled a lot of this is key drivers of work from home has really allowed a lot of this. Employers that allow their employees to have that flexibility to work anywhere they want, anytime they want, then that's just, I think, a great benefit. I've been able to have the whole 25-some years I've been in this industry, I've been able to work anywhere I've wanted, and that's been a great benefit for me. And that's a great quality of life, which is amazing. And really, for a lot of companies and employees, that's really what's held them back has been technology. But now employers now have the ability to use modern technologies to take everyday employees that have, whether you're in payroll, whether you're in more ordinary blue-collar positions or whatever, you're in HR positions, whatever it might be, and be able to do these positions from home and what underpins that are these digital transformation type technologies that are underpinned by cloud. Mm-hmm. That's what, that's a really exciting type of capability today. This is kind of Greg's position on things, but we really see this data in our new cloud threat report, the Oracle and KPMG Cloud Threat Report. We see this data really backed up in this report that we put out each year. But the data really shows that as businesses are moving to the cloud, those that have kind of a cloud-leaning position with this digital transformation, they've really had a leg up now with the challenges that we're seeing here in 2020. Yeah. And those that have had a bit more of a conservative approach to cloud, we really see that they're now going to have a challenge as they're now getting through 2020 and getting into 2021. With this climate of, hey, can we support the work-from-home body? Can we support the demands of the modern buyer? Whether you're a mom-and-pop that have a new business model requirement of selling in a way that they've never had to sell before, or you're a new restaurant chain that, hey, we've always required people to sit in a chair to consume our food, and now I have to somehow get you to buy food online and I have to deliver it to you. Wait, that's a new way of selling my goods and services.


CAROLE THERIAULT. Yeah, it's like a huge period, a shift of change. I mean, New York and San Francisco are no longer the coveted destinations they once were. That's right. And rents are going down because people are leaving. Yeah. And I think you're right. I think because of cloud, right? Because of cloud technology and because of course the impetus that the pandemic brought on, people are like, I don't have to live with a million people around me all the time. I actually can maybe go somewhere else. Else and actually keep my job. What, how does that impact cloud technology for you as a provider of it? Like how, how does it change the, the advice that you give people? What are the concerns you have?


UNKNOWN GUEST. If you think about the average workers, they've worked in it for these employers for years and they've had the protections of security operations and processes that have investments of thousands, if not hundreds of thousands and maybe millions of dollars worth of investments behind them. Sitting behind firewall environments, you know, if you think old school firewall environments and access control technologies and monitoring technologies that are worth a tremendous amount of money. And now they're sitting at home behind a broadband connection with a $39 router. I'm laughing, but it's a nervous laugh because I'm sitting at home and I'm turning around, I'm looking at my $39 router. So it's something that now we really look to our cloud providers and we think, hey, you got us? You got us covered? That's now the question we have to ask our cloud providers, that, hey, in this day and age, you know, a lot of businesses are— we're doing away with VPN and we're looking at secure cloud enablement as the solution. And we have to ask those questions, you know, you got us, right? And then the data that's now being exchanged, You got us, right? And, and that's a legitimate question. You know, we talk about cloud service providers, but it's really a partnership that we're having to work with now. We have to develop as a business, we have to develop partnerships with these cloud providers and really ensure that whether you're a consumer or a business, when you work with these cloud providers, you have to work together and make sure that each are doing their part to ensure that the data is being managed correctly. I think that's the trap that a lot of people fall in, to be honest.


CAROLE THERIAULT. Okay, so you're a cloud expert and there's all these people now that suddenly are taking the cloud seriously. They may have been using the cloud till now, but now they're like 100% reliant upon it for their business operations. So what would be the 3 things you would ask them to really take seriously, as a kind of— to help them make sure that they're managing their stuff correctly?


UNKNOWN GUEST. 92% of businesses don't feel confident in their own ability to secure their cloud infrastructure now, 92%. I think that's a sign that businesses felt pretty good at one point in cloud, but they don't feel confident in their own ability in cloud. And that there's a difference there. You can trust cloud, but you don't trust yourself. So that's, I think, a sign of the rash of breaches in 2019 VPN. So, I think this is not a time to let your foot off the gas. It's a time to actually analyze, are you putting your foot on the right pedal right now? And to start looking at your processes. Start walking through them right now because more than ever, you have more at risk because of your distributed workforce. So, and not just workforce, your partnerships and your supply chains, everything is now distributed. So, not only that, look at your culture. Culture of security first. We can put all the budget in the world at the problem. We could go buy all the greatest security solutions on the planet, buy from the greatest vendors in the world. But if you don't have a culture of security first, it's all in vain. It doesn't matter. And then really start working on a security-first culture. When it comes to your staffing. Because right now we still are working with, with a staffing shortage in IT or in the area of security. It's hard to find qualified staff in security. We need to work on rigorous training programs and work on how we retain those, the staff that we have today. And that includes an understanding of shared responsibility.


CAROLE THERIAULT. That's all part of training. Yes, well, you guys have at Oracle pulled together a bunch of resources, one of which is on shared responsibility. Just maybe just give us like the list of 5 reports that are going to be made available by you.


UNKNOWN GUEST. Yeah, so we've got our first report, which is our main report, the Oracle and KPMG Cloud Threat Report. We followed that with the report on shared responsibility. And so that report is available as well. We also have a report that we've released on cloud risk and business fraud. And then coming up here soon, we have our annual CISA report that we'll be releasing. And so collectively, these 5 reports, they are all pulled from basically interviewing 750 global respondents. So these are key cyber decision makers that we hit in these global markets. Right. Basically understand what are the challenges and risks. What are they dealing with? What's failed and what's worked? And we really pull this together into a variety of different report types that really hit conversation points. And so some reports really work for certain types of personas within the business.


CAROLE THERIAULT. Mm-hmm. Okay. So you must have one favorite report in all of those.


UNKNOWN GUEST. I think Shared Responsibility, to be honest. All of these focus on cloud and that journey to the cloud. I would say it's probably a toss-up between the shared responsibility and the CISA report, because everything starts with understanding the role of shared responsibility, and that's where everyone seems to fall flat. And I can't tell you how many times I present to people and I get that weird look of, "Yeah, that is a problem. We don't know our role of shared responsibility." Great question. We don't know. Can you talk to us off to the side here? How do we get educated on this? That. Something like SaaS, you have the least responsibility in SaaS, and that's the area where customers have the most confusion. So it, and it gets worse every year. So this is our third year right now of doing our report series, and the data is getting worse each year.


CAROLE THERIAULT. So I keep telling people, like, shared responsibility is a bit like two people— it takes two people to drive the car, you know. One person is steering the wheel, the other person's on the gas and the brake. And if you don't trust each other and know who's responsible for what, it can get pretty awful pretty quickly.


UNKNOWN GUEST. Yeah, I think the best analogy I've had is shared responsibility is like owning a car versus renting a car versus having an Uber. And really, in a rideshare, you still have to look at a license plate and verify the car you're getting into and be safe when you get in and out of it and don't do things that you should and shouldn't do in the backseat of that car. You still have responsibility.


CAROLE THERIAULT. Yeah, that's a really good point. I've not thought about it that way. So there's these 5 papers. Now you are going to make these available without a gate to our Smashing Security listeners, is that right?


UNKNOWN GUEST. We are, yes. And the great thing that I would say on these, Oracle's written on the front cover, KPMG is our partner, they're written on the cover, but these are not used to promote Oracle and KPMG services. We're trying to extend our knowledge and our leading practices in areas such as data security, but this is not used as a platform to promote our services. It's just to promote good leading practices and good health.


CAROLE THERIAULT. And you know, that is a really amazing thing. And I wish other technology and security firms would do that because it's a time of unease for a lot of people and a lot of organizations out there. Any support they can have on the right way and the right approach from trusted providers is amazing. So thank you on behalf of everybody. Now, our listeners, you will have access to all these reports by visiting smashingsecurity.com/oracle. You can choose which report is your favorite. So, take a look at the 5 reports and let us know so we can share that information with Greg. Greg, thank you so much for coming on the show. This was the Senior Director of Cloud Security at Oracle. And thank you for sharing your insights. It's been fascinating.


UNKNOWN GUEST. Oh, really appreciate it. Thank you so much for all the time today. You guys have done a tremendous job, I think, in the industry. And I think, you know, keep doing what you guys are doing. And of course, in regards to the reports, extend any feedback to me if you guys find it interesting. I'm available online on Twitter and LinkedIn.


CAROLE THERIAULT. Brilliant. That's fab. Do you mind if I ask you something else? Can you just let me know who you think is funnier on the show? Is it Graham or is it me? It's just, you know, we're just trying to do a bit of a poll and yeah, you see, I wasn't even trying to be funny there and you laughed. I got to be the winner.


UNKNOWN GUEST. That's right.


GRAHAM CLULEY. Well, that I think apart from the end bit, which was a bit rude to be honest, I think the rest of that was excellent. Really good points. Well made. Did you enjoy that, Dave?


DAVE BITTNER. It was great. Yeah, absolutely. Good info.


GRAHAM CLULEY. Who do you think, in answer to the question, was it me or— Oh, I have to go with Carole Theriault.


DAVE BITTNER. Boom.


GRAHAM CLULEY. Oh, for goodness sake. Well, that just about wraps it up for Dave Bittner's appearances on Smashing Security, and it just about wraps it up for the show as well. Dave, I'm sure lots of our listeners would like to follow you online. What's the best way for folks to do that?


DAVE BITTNER. You can find me on Twitter. It's @bittner, B-I-T-T-N-E-R. Beyond that, go to thecyberwire.com. You can find all of my fine podcasts.


CAROLE THERIAULT. Yeah, you might even hear me there too.


GRAHAM CLULEY. Yes. And you can follow us on Twitter @SmashInSecurity, no G, Twitter doesn't allow us to have a G, and you can join our Smashing Security subreddit as well. And don't forget, if you want to be sure never to miss another episode, subscribe in your favorite podcast apps such as Spotify, Pocket Casts, or Apple Podcasts.


CAROLE THERIAULT. Socially responsible hip shimmies to you all for listening, supporting the show via Patreon, and sharing this podcast with your people. Also, high five to this week's Smashing Security Sponsors: LastPass and Oracle. Their support helps us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.


GRAHAM CLULEY. Until next time, cheerio, bye-bye.


DAVE BITTNER. Bye-bye. Bye-bye.


CAROLE THERIAULT. Um, can I tell you something interesting about Blacklight now that I know it's called Blacklight? If you go somewhere where there are things like, um, yeah, scorpions, because they glow in the light. And we have friends, and if you shine it on their walls, it is crawling with these tiny little baby scorpions. Not ones that would hurt you, you know, they just live out in the rocks. But wow. Very amazing.


DAVE BITTNER. I think there is a, yeah, ignorance is bliss as to a certain point. So Carole, I pasted in your, pasted in the YouTube link to Matthew McConaughey's Lincoln MKZ commercials compilation.


GRAHAM CLULEY. Okay, let's check this out. Oh, he's such a, he's a real poser.


CAROLE THERIAULT. No, he is. Well, Graham, I would date him and I wouldn't date you. So he's just the worst.


GRAHAM CLULEY. And he likes to do that kind of Southern drawl as well. It's like you doing that stupid British thing. He won't be from the South soon, according to Dave. He'll be from Maryland chomping on a cookie.


DAVE BITTNER. Yeah. Hey there. Yeah. Yeah. So your boyfriend's not giving you what you need, right? That must be pretty— must be pretty tough. Uh, yeah, come on.

-- TRANSCRIPT ENDS --