This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault
Hey everybody, Carole Theriault here. I just wanted to take a quick second to say thank you to just a few of our amazing Patreon supporters this week. Shout out goes to Evan, John Wilson, Tim DeRook, William Carlson, Andrew Davison, Colby Allred, Chris Pestle, Kazie S, Werner Oving, and Uli Muli. Thank you, all of you. Your donations help make this show happen. If you'd like to join this amazing community of Patreon supporters, you need only go to smashingsecurity.com/patreon. Now let's get this show on the road. I'm trying to find one with lots of tracking to see how we can see it.
Graham Cluley
Why don't you try— I haven't tried this one. I'm going to try TechCrunch.
Carole Theriault
Oh, Forbes.
Dave Bittner
Oh, Forbes.
Graham Cluley
Yes. Go for Forbes. Yes.
Carole Theriault
Forbes. Forbes.
Graham Cluley
Yes. Forbes. Let's see.
Dave Bittner
See, maybe we've created a new game here. Who can find the website with the most trackers?
Graham Cluley
Disappointingly few. I haven't got many on Forbes.
Carole Theriault
I got 3 ad trackers, 1 third-party cookie.
Graham Cluley
That's pathetic. Okay, let's try Daily Mail. The Daily Mail.
Carole Theriault
The Sun.
Unknown
Okay, let's do this. Daily Mail. Daily Mail. Smashing Security, episode 198, Chucky the Coffee Maker, with Carole Theriault and Graham Cluley.
Graham Cluley
Hello. Hello, and welcome to Smashing Security episode 198. My name's Graham Cluley.
Carole Theriault
Two more shows, Graham, till we hit the big 200. I'm Carole Theriault.
Graham Cluley
Don't build it up too much.
Carole Theriault
Well, it's going to be a huge epic number, if nothing else.
Graham Cluley
And we are joined this week by the hugely epic Dave Bittner from the CyberWire podcast. Hello, Dave. Hello there. Hurrah!
Carole Theriault
Hey, Dave.
Graham Cluley
Hi.
Carole Theriault
How are you?
Dave Bittner
Oh, I think most people, we're hanging in there, making the most of a challenging situation that we all find ourselves in, no matter where in the world we may reside.
Carole Theriault
Yeah, things are crazy in your country at the moment.
Graham Cluley
Are they? What's going on?
Dave Bittner
Oh, this and that, this and that. Not worth mentioning. Let's move on.
Unknown Guest
Yeah.
Graham Cluley
Carole, what's coming up on the show this week?
Carole Theriault
First, let's thank this week's sponsors, LastPass and Oracle. Their support helps us give you this show for free. Now, coming up on today's show, Graham talks about yet another one of his pet peeves, coffee. Dave has an easy peasy tip to reveal how websites spy on us, and I'll look into just how smart home smart security actually is. Also, I had a cozy chat with cloud security expert Greg Jensen from Oracle, who shares his expertise and a few freebies. So buckle up and listen up as we have all this and much more coming up on this episode of Smashing Security.
Graham Cluley
Now, chums, I have an admission to make because it may come as a shock to you, but I have many, many vices, many things which have occasionally pulled me off the straight and narrow. But one of them—
Carole Theriault
What, chess?
Graham Cluley
Well, yes, exactly.
Dave Bittner
He's a wild man.
Carole Theriault
Yeah, yeah, he went down the dark, dark path.
Graham Cluley
Oh hey, don't knock chess, right?
Carole Theriault
I'm not knocking chess.
Graham Cluley
Don't bash the bishop.
Carole Theriault
Hardly a vice.
Graham Cluley
It's, it's— well, you know, I'll tell you one of the things I don't have as a vice. I'm quite proud I don't have this vice, is I don't drink coffee. And frankly, I love drinking coffee.
Carole Theriault
Do you really? I actually feel sorry for you that you don't drink coffee.
Graham Cluley
Well, what exactly am I missing by not drinking coffee?
Carole Theriault
So much. That wonderful, wonderful feeling in the morning when you get to make it, the experience of making a beautiful coffee, that going— well, not now, but in the olden days, going out and meeting people for coffee and having a little gossy goss session.
Graham Cluley
Do you love the taste of mastic asphalt in the morning? Is that the thing which you live for, having that sort of taste? Why not just—
Carole Theriault
You're just a philistine.
Graham Cluley
Why not just lick the tarmac, Carole? Well, look, I'm also a busy man, which is another reason why I don't. Hardly.
Dave Bittner
I confess I also do not drink coffee.
Graham Cluley
Look at that, interesting.
Carole Theriault
Do you drink tea?
Dave Bittner
I will drink tea, but I prefer my caffeine delivered cold.
Carole Theriault
I thought you were going to say intravenously.
Unknown Guest
I was going to go, whoa.
Dave Bittner
Yeah, right. Hardcore. No, no. And every few years I get seduced by the smell of coffee. And so I will take a sip and then I'm reminded of just about how horrible it really does taste and put it off for a few more years. I'm good.
Carole Theriault
Listeners, help me out here. Coffee lovers, it's time to unite because my husband doesn't drink coffee either. I feel like I'm being surrounded.
Graham Cluley
I think this is interesting because in a recent survey, a very recent survey, it was found 3 out of 4 people don't drink coffee. So those would be me, Dave, and John.
Dave Bittner
No, there's a little peer pressure there, Carole.
Carole Theriault
Yeah. Yeah, I'm really— I normally fall to peer pressure. Graham will tell you. I really do follow the—
Graham Cluley
Can we please get back to the topic? Right. Because I do recognise you've just diverted us.
Dave Bittner
It's your fault, Carole.
Carole Theriault
Yeah, I know. It's always my fault.
Graham Cluley
Coffee plays a very important part on the internet, as you will recall. Back in 1991, the University of Cambridge set up the world's first webcam, pointed at a coffee cup.
Carole Theriault
I don't remember, but okay.
Graham Cluley
Well, it's famous, Carole. It's no longer live. The webpage is still there, but it hasn't been updated for about 20 years.
Dave Bittner
Two employees are in a standoff over whose turn it is to refill the coffee, and this has been going on for years.
Graham Cluley
Well, that's what they used it for. They used it to see if it was full. Right. And if it wasn't, 'cause no one wanted to go down and refill it. Anyway. Ever since, people have thought, wouldn't it be a great idea to connect coffee machines to the internet? And why not?
Carole Theriault
Who has thought?
Graham Cluley
Everybody, everybody, Carole. When the internet was invented, I'm sure, I'm sure, good old Tim. Everybody thought. So Tim, right, with the web and things, he was thinking of that.
Carole Theriault
Elon probably thought of this.
Graham Cluley
Yes, all of them, they've been thinking of it. And of course there've been diversions, there've been connected fridges and vacuum cleaners and toothbrushes and internet sex toys and things like that. And we know that all of them have performed perfectly without any problems, right? There've never been any trouble with any IoT devices connected to the internet, especially these things which you wouldn't normally associate with being connected to the internet. Well, one coffee maker manufacturer, which goes by the name of Smarter. That is the name of the company.
Carole Theriault
Smarter Smart. Smarter Smart Coffee.
Dave Bittner
Hubris gets you every time.
Graham Cluley
Well, you can buy a Smarter coffee maker for $250. I don't know if that's a bargain or not.
Carole Theriault
Well, I mean, coffee makers cost a lot of money. You can get espresso makers for a grand that are not connected to the internet.
Graham Cluley
A good one.
Carole Theriault
Yeah, yeah, a good one. Well, you can pay 5 grand.
Graham Cluley
You can spend a lot of money on, right? And they probably throw in— who's that chap who advertises them? Guy with the grey hair, the silver fox. You know the one.
Carole Theriault
Basin guy?
Graham Cluley
No, not that. No, George Clooney.
Carole Theriault
Oh, yes, yes, yes. Nespresso.
Graham Cluley
Yeah.
Carole Theriault
Not sure that's really coffee, but anyway. Okay. Alright.
Graham Cluley
Well, these smarter coffee makers, right? They caught the attention of a hacker called Evil Socket.
Carole Theriault
Okay, so he's up to a lot of good stuff.
Graham Cluley
Mr. and Mrs. Socket had a child, decided to call him Evil. So Evil Socket, he took one of these coffee makers 4 years ago, and he completely reverse engineered it. Worked out how it could be remotely accessed, and he showed how easy it was to send commands to make a cup of coffee, or use the filter instead of the beans in the grinder, and you know, keep coffee warmer for longer.
Carole Theriault
Jesus. It's like, wait, is he turning it into Chucky the coffee maker?
Graham Cluley
I don't think— He was putting actual axes or anything into them.
Carole Theriault
Chop off your hand as you come close.
Dave Bittner
Yeah, it'll spew hot water at you from across the room. Scalding hot water.
Graham Cluley
Anyway, he found out it was possible to do this. And the Smarter Company, they did respond because they produced a new version of their coffee machine, which fixed some of the bugs which he was able to exploit. But the problem was this. When you buy a coffee machine, particularly one which you might have spent a decent amount of money on, how often does it get updated? How often do you refresh it? And they weren't pushing out updates for the old one, so there weren't updates.
Carole Theriault
Sorry, I do have a question though that you haven't actually—
Graham Cluley
Oh yes, go ahead.
Carole Theriault
I mean, maybe you're coming to it, but I don't understand how this coffee maker is IoT in the least. What is IoT about this coffee maker? Everything you've said is normal.
Graham Cluley
Well, these devices you can control through apps or through the internet.
Carole Theriault
So you would be lying in bed, for example, and go, oh, I really need a cup of coffee.
Graham Cluley
Yeah.
Carole Theriault
If only I'd put a mug under the coffee machine because I could actually make myself a cup, but I forgot to put a mug and it's not smart enough to go get one for me.
Graham Cluley
It's like the Goblin Teasmade or whatever it was called, that thing you would have next to your bed on an alarm clock and it'd go, "Ch-ch-ch-ch-ch-ch." See, that's much smarter.
Carole Theriault
Just put it near your bed. Right? Anyway, okay, carry on.
Graham Cluley
All right. So, they brought out a new version, right? And the question is, these appliances, how often are they updated? Typical fridge only gets replaced every 17 years apparently, but IoT appliances might need to be updated more often than that, right? Especially if they're not receiving patches. Now, this week, a researcher with Avast, name of Martin Hron, that's Ron with a silent H, or maybe you do pronounce the H, Martin Hron, he decided to perform what he called a thought experiment with one of these older coffee machines. He was curious as to whether he could reverse engineer it himself and then exploit it.
Carole Theriault
So this is another person who's trying to reverse engineer, right?
Graham Cluley
This is another chap who's building upon the research which has been done in the past. LastPass.
Carole Theriault
Perfect.
Graham Cluley
And he discovered that these IoT-enabled smarter coffee machines were not checking that their firmware updates had been properly signed. And as a consequence, he was able to trick the coffee machine into installing a bogus unauthorized update.
Carole Theriault
And again, then your coffee machine goes psycho.
Graham Cluley
Well, but no, it doesn't. Even if— no, it isn't the worst thing ever, Carole. Even if a coffee machine did go psycho, it hasn't got legs, it hasn't got wheels. It's not gonna chase you around. Well, not yet.
Carole Theriault
Exactly. Maybe that's what they'll have next. It'll be a coffee machine on wheels coming up to your bedroom going, "Would you coffee?"
Dave Bittner
"I will make you coffee." It'll start teaming up with the toaster oven and the microwave, and next thing you know, you've got a droid running around the kitchen throwing knives at you.
Graham Cluley
Hey, did you see this week that Amazon thing where it's they have an Amazon drone thing for inside your house?
Dave Bittner
Yes.
Carole Theriault
Jesus, what do you mean?
Graham Cluley
It flies around trying to work out if anything dangerous is happening, and then presumably takes actions.
Carole Theriault
Are you fucking kidding me? No.
Dave Bittner
I said this has to be a joke, right? This is a joke.
Carole Theriault
Yeah, it's gotta be a joke. So you have a 3-year-old that throws a ball at the mother or something, because he's just throwing something, and the thing comes around and goes— and shoots it out of existence.
Graham Cluley
30,000 volts. Tasered.
Dave Bittner
Please put down your weapon. You have 5 seconds to comply.
Graham Cluley
It's Skynet. Effectively, it's Skynet.
Carole Theriault
And people are inviting these into their home.
Unknown
Oh.
Graham Cluley
Yes. So maybe the coffee machine will sprout wings or little propellers at some point. Maybe that'd be another one.
Dave Bittner
Could happen.
Graham Cluley
Anyway, so Martin Hron, he managed to install new firmware and he thought, oh, now I can install new firmware. What shall I do with it? And his first thought was crypto mining. He thought, well, maybe what I could do is I could use the processor on the coffee maker to grind away earning cryptocurrency. He said, would that be possible? And he reckons that's feasible, but because the speed of the chip's only 8 MHz, it's quite slow.
Carole Theriault
Okay, people are— this is showing us that even researchers are very bored in this pandemic.
Graham Cluley
Or very stupid. Yes, bored. Let's call it bored. And then he thought, no, no, no, no, no. He said, no, not crypto mining. He said, let's not do that, let's do ransomware. And so he effectively wrote a ransomware proof of concept, and it doesn't encrypt your drinks. Instead, what it does is it locks up your coffee machine. So your machine is now beeping, it won't make coffee, it does occasionally spurt out hot water, and it displays on the screen, on the little panel, displays a little devil-like icon and a short message telling you to go to a link to unlock the coffee machine.
Carole Theriault
You know what, Mr. Martin Hron, you deserve a slap. Because, okay, maybe I don't just love coffee, maybe I am addicted to coffee, but I tell you what, that would piss me off.
Dave Bittner
Well, that's the point, isn't it?
Carole Theriault
Yeah, well, why? Why? Because I bought it? I'm the victim of all his crap because he's upset with the people that made the coffee machine? Unfair.
Graham Cluley
So he reckons, so what he did was he could make the machine turn on its burner, spew out hot water, endlessly spin the grinder.
Dave Bittner
Oh my—
Carole Theriault
I would—
Graham Cluley
I mean, you would. And all the time it's beeping away. And so you might well pay. But of course, you're not going to pay more than $250 because you could just chuck it in the bin and replace it with another one.
Carole Theriault
Can you imagine calling the cops? I don't know what's going on. My coffee machine is possessed.
Dave Bittner
Miss Theriault, we're going to have to ask you to stop calling us.
Graham Cluley
Exactly.
Carole Theriault
This is the 15th time this week.
Graham Cluley
They would think you're totally tinfoil brigade, wouldn't they? So you can just unplug the coffee machine, obviously. Or you could just stop drinking coffee, which might be a good thing. But then if everyone stopped drinking coffee because of this, industry could crumble. Society would be devastated. It would be end of times.
Carole Theriault
We're already there, darling. We're already there. I don't know if you've been paying attention to the news.
Graham Cluley
Only Dave and I, who've been strong enough to resist the lure of coffee, would survive.
Dave Bittner
At last, our time has come.
Graham Cluley
Emperor and Empress.
Carole Theriault
All the normal people are decimated, so—
Dave Bittner
It'll just be me and Graham playing chess together, just the two of us.
Carole Theriault
Adam and Adam. Singing show tunes. Now you might be wondering, how do you infect a coffee machine? Do you think any of our listeners have one of these?
Graham Cluley
Well, it's quite possible, yes. Martin Hron, we don't know if he listens.
Carole Theriault
Okay, I want to hear from somebody with one of these. I want to understand what the advantage is, why this is worth it. I just don't get it.
Dave Bittner
Is this a particular brand?
Graham Cluley
Well, this is the thing, of course. There are other coffee machines out there. Which maybe Martin Hron and EvilSocket haven't yet turned their attention to. But if they did, I wonder if they'd suffer similar problems. Now, normally with these kind of things, you think, well, just turn off the Wi-Fi, disconnect it, don't allow it to connect, don't give it your Wi-Fi password.
Carole Theriault
I guess that breaks it. You'd think so, wouldn't you? But actually, with this particular machine, if you don't connect it to your local Wi-Fi, it is smart enough to say, oh, I'm not connected to Wi-Fi. Oh.
Graham Cluley
Making it even easier for people to connect.
Carole Theriault
So you can have coffee even when your Wi-Fi's down is the idea, is what they were thinking originally.
Graham Cluley
Oh, I hadn't thought of that, Carole.
Carole Theriault
That's probably why they did it, but they didn't think about the fact—
Graham Cluley
Because if your Wi-Fi's down, then you'd need coffee, I suppose.
Carole Theriault
This is just a bad idea. What is wrong with a Bodum plunger? What is wrong with a little old espresso maker, cafetière? What is wrong? It's the worst thing ever.
Graham Cluley
I don't know.
Carole Theriault
I'm just— yep. I'm on the other side now.
Graham Cluley
Alright. So I think, Carole, have we convinced you that coffee just isn't worth bothering with?
Carole Theriault
Yes, that was a very logical debate. And that is where we got to. I'm never going to drink coffee again, Graham.
Graham Cluley
Wow. You can share the throne with us. We'll budge up our buttocks to give you some room for yours. And we can rule the world. Excuse me? Because we will be—
Carole Theriault
Yeah, no, I'll leave that to you guys. You guys got this.
Graham Cluley
Dave, what's your story for us this week?
Dave Bittner
Well, you know, I think all of us growing up, we are familiar with black lights, right? Things glow under black light. I know certainly, Carole, you probably spent a lot of time out in the clubs and the discos dancing. What's he saying?
Graham Cluley
I've never heard of these things. What do you mean I'm familiar with these?
Carole Theriault
Yeah, I can tell you what I think it means.
Dave Bittner
Are you serious?
Carole Theriault
Yeah, it's either the light in a dark room, or it would be ultraviolet lights.
Dave Bittner
Yeah, so I know, no, no, no, no, this is fascinating. You're actually not familiar with the term blacklight, is that right?
Carole Theriault
No, I don't think I am.
Dave Bittner
Huh, interesting. Maybe it's a on this side of the pond term. Well, a blacklight, yes, it is an ultraviolet light. So there are light bulbs that are blacklights, there are fluorescent lights that are blacklights, and it is a thing — if you go through a carnival funhouse, it's the light that makes things glow. It makes your t-shirt glow.
Graham Cluley
Oh, yes, I've seen that, yes.
Dave Bittner
Right? You know what I'm talking about?
Graham Cluley
Right, yes.
Dave Bittner
Okay, that's a black light.
Carole Theriault
Aren't they used in CSIs for discovering body fluids and that sort of thing?
Dave Bittner
Well, that's where we're headed, Carole Theriault.
Graham Cluley
Okay, okay, I'm listening. Newsround, Dave. Yes.
Dave Bittner
So, turns out that black lights are not only fun at a party, but they have this purpose that bodily fluids, including blood and other emissions fluoresce under black light. Earwax, right? That's exactly what I was thinking. So they fluoresce under black light, which means they glow under black light. So good word. Thank you very much. So, and this became all the rage probably about a decade ago. There were lots of TV shows that basically— and local news shows were taking their black light flashlights to local no-tell motels.
Graham Cluley
Yeah.
Carole Theriault
Stephen Stane.
Dave Bittner
Right. And just shining the light on everything. And they'd have a counter going of how many stains were all in the strangest places where the stains showed up. You know, how did the stain get on the ceiling fan?
Graham Cluley
I once stayed in a Days Inn Express outside Boston, I think, which was probably a prime candidate for this kind of thing. Slightly grubby.
Dave Bittner
Right. I think we've all been in suboptimal hotel rooms from time to time. And you don't want to think too much about the number of people who have shared that mattress before you. And you hope that the cleaning crew is vigilant. And at the very least, you have a fresh set of sheets on the bed.
Graham Cluley
But Carole and I, we know a chap who won't make a cup of tea from the kettle or iron his shirts with the iron which is supplied.
Carole Theriault
Ask why, Dave. Ask why.
Graham Cluley
Why?
Dave Bittner
Why is that?
Graham Cluley
Because he fears that they won't have used water in them. Someone might have used something else.
Carole Theriault
You know, he thinks people get lazy. They're pissed. They won't bother going to the loo, you know, that's 5 metres away. So they just take a wee.
Graham Cluley
How do you go in the iron, Carole? How do you go in the iron? That's not easy.
Dave Bittner
How do you know, Graham?
Graham Cluley
On you go, Dave, carry on, don't let us distract you.
Dave Bittner
Yes, let's move on. So it's just that kind of show, isn't it? So—
Carole Theriault
It's my fault.
Graham Cluley
Yes.
Dave Bittner
Yes, so a blacklight is a useful tool for basically evaluating a crime scene. There is a nonprofit news organization called The Markup, and they publish stories about tech things, privacy, and so on and so forth. They have developed a tool that they call Blacklight, and it is a real-time website privacy inspector. So, I tell you that to tell you this. And so what you do is you put the website address in their little menu item there, and you hit the Scan Site button, and it will give you a report of how your site ranks in terms of the number of scanners and things that may compromise your privacy. Now, Graham, I know you were looking through the show notes and you loaded your own Graham Cluley site on here. How did you do?
Graham Cluley
I came up with a completely clean sheet, which isn't what I found at the Days Inn Express, I have to say.
Carole Theriault
Did you— no, no, but did you already know what they were going to look for and cleaned it up first?
Graham Cluley
No, no, no. I had no idea what blacklight was going to do, but it looks like it's looking for tracking pixels and all kinds of nastiness and whether keystrokes are being logged. And I also put some other pages into this, and I was quite surprised. Some sites, including some which you would consider to be security-related, are doing an awful lot of spying and sometimes creepy spying on their users.
Dave Bittner
Right. And one of the things that they point out in their write-up about this tool is that it's quite easy to inadvertently end up with trackers on your website. So, for example, if you're using the free version of Disqus. It's an easy way to add commenting on your site. If you're using the free version of that, well, the reason that it's free is because they insert ads, and those ads have trackers. And so there are all sorts of things where just by making use of a free tool, you may end up with a dozen or so trackers on your website that you didn't mean to install. They went and scanned hundreds of sites and they found For example, I think there was a site that provided women's healthcare services, pregnancy services, and things where privacy is a real concern, that were doing tracking that the organizations weren't necessarily aware of. They found a bank that was doing keylogging of username and passwords, and sending the username and password in the clear to a third-party organization.
Graham Cluley
What?
Dave Bittner
Yeah, they reached out. They reached out and let them know, and this was put to a stop. But yeah, so it just goes to show you never know. I like their own description here. They say, I like to think of Blacklight as a meat thermometer that you can stick into any website and get an instant reading on its level of creepiness.
Carole Theriault
See, I'm looking for websites right now while you're talking to try and find one. So I've now just hit on OKCupid. I thought that might be a good one with lots of tracking. I'm trying to find one with lots of tracking to see how we can see it.
Graham Cluley
Why don't you try— I haven't tried this one. I'm going to try TechCrunch because I think—
Carole Theriault
Oh, Forbes. Oh, Forbes.
Graham Cluley
Yes. Go for Forbes. Yes.
Carole Theriault
Forbes. Forbes.
Dave Bittner
I'm on it.
Graham Cluley
Yes. Forbes.
Dave Bittner
Forbes.
Carole Theriault
Oh.
Graham Cluley
Let's see.
Dave Bittner
See, maybe we've created a new game here. Who can find the website with the most trackers?
Graham Cluley
Oh, Forbes. Disappointingly few. I haven't got many on Forbes.
Carole Theriault
I got 3 ad trackers, 1 third-party cookie. That's pathetic.
Graham Cluley
OK. Daily Mail. The Daily Mail.
Carole Theriault
The Sun.
Graham Cluley
Okay, let's do this. Daily Mail.
Carole Theriault
Ooh!
Graham Cluley
Daily Mail.
Carole Theriault
Okay, The Sun. What do you have for The Daily Mail?
Graham Cluley
22 trackers. Oh, you beat me.
Carole Theriault
21 ad trackers on The Sun.
Graham Cluley
7 third-party cookies.
Carole Theriault
How many? Okay, they definitely win.
Dave Bittner
Yeah. Whoa. New York Times has 10 ad trackers and 6 third-party cookies.
Carole Theriault
Yeah, it's nothing. It's peanuts.
Graham Cluley
Nah.
Carole Theriault
What about a porn site? Playboy?
Graham Cluley
I wouldn't know the name of any of those.
Dave Bittner
Yeah, me neither. Yeah.
Carole Theriault
Oh, it's taking a long time. It's obviously got interested in the pictures.
Dave Bittner
Your laptop bursts into flames.
Graham Cluley
Smashing Security. Oh no, we shouldn't look at that, just in case. We don't control it. We don't control it. Smashing Security. I'm gonna take all this out. Let's just have it. It's looking, it's searching. Wow.
Carole Theriault
Okay. Playboy.com, 10 ad trackers, 8 third-party cookies. Tells Facebook when you visit the site. Tells Google Analytics when you cross when you.
Dave Bittner
All right, I'm looking at smashingsecurity.com.
Graham Cluley
Moving on.
Dave Bittner
One ad tracker, one third party cookie. That's not bad.
Graham Cluley
I think Smashing Security does have Disqus comments on it.
Dave Bittner
Yeah, that's probably what it is.
Graham Cluley
It may well be that I'm putting this little handy website in my bookmarks. Nice.
Dave Bittner
Yeah, so a handy tool to find out exactly what's going on with some of the websites that you frequent.
Carole Theriault
Can I just thank you, Dave, because some people would try and slip this in in the pick of the week section, even though it's clearly security related, and I think it's much smarter what you did, and I appreciate it.
Graham Cluley
Carole, what's your topic this week?
Carole Theriault
So it is said that every single second, some 100 IoT devices are connected to the internet.
Graham Cluley
Wow, golly.
Carole Theriault
Yeah, during the first quarter of 2019, 31% of US broadband households, I guess households that have broadband, owned smart speakers with personal assistants or home assistants. And if the total number of connected devices doesn't shock you, consider the amount of data these devices are expected to generate. So Cisco has estimated that nearly 850 zettabytes will be generated by all the people, machines, and things by 2021, 3 months from now. Now, a zettabyte is equal to about a trillion gigabytes, and 1 trillion seconds is equal to about 31,000 years, just to give you an idea of how much data we're talking here. A lot of data.
Graham Cluley
A little bit. More than you can get onto a 720K floppy.
Carole Theriault
Yeah. A bit more than you can get trying to break into a coffee machine.
Graham Cluley
Yeah.
Carole Theriault
And one of the areas that is on the rise is that of the smart home. According to Statista, the number of smart homes in the market worldwide is expected to be almost 500 million in 2025. And I suspect actually with the onslaught of COVID we're gonna smash through that prediction with ease. And one of the areas that I wanna talk about today in the smart home technology segment is the security element, the home security. This huge market expected to reach $8 billion in a few years, and it's growing at a clip. Literally, I think every 2 or 3 podcasts I listen to has some ad about how I have to live in a digital fortress to feel safe and secure in my house. Have you guys heard these?
Dave Bittner
Yeah, absolutely. Yes.
Graham Cluley
Yes. What do you mean?
Carole Theriault
Ad spots kind of going, are you feeling safe at home? Why don't you try this service? We will monitor your home 24/7 and we'll have an alarm system.
Graham Cluley
Oh, really?
Carole Theriault
You've not? Oh, I hear them all the time.
Dave Bittner
Yeah.
Graham Cluley
So people are buying internet-enabled home security systems, or at least they're being advertised to left, right, and center.
Carole Theriault
Yeah, and it's a big market. They're really campaigning for it. And it's a scrappy market. So my first question here, the question I was hoping to answer is, is a smart home safer than a more traditionally secured home? So traditionally we're talking things like what? We're talking high fences, a dog perhaps.
Graham Cluley
Yes.
Carole Theriault
Alarms that, you know, that just ring to annoy the neighbors enough that they call the cops? Isn't that the way it used to work in the old days?
Graham Cluley
In the case of my house, a moat and drawbridge filled with crocodiles. Yes.
Carole Theriault
And what else? You'd have motion lights, that kind of thing, right? There's all these kind of elements that kind of—
Graham Cluley
Ninjas.
Carole Theriault
Yes, of course. Yeah, you have the ninjas. Yeah, that's really good.
Dave Bittner
Cages that drop out of the sky.
Carole Theriault
And okay, and what do smart homes offer as far as you guys know that's different from all that? They definitely have the video doorbells.
Unknown Guest
Yeah.
Graham Cluley
Well, I imagine it's some sort of app component so that you can watch yourself being burgled while you're out at the restaurant.
Carole Theriault
Yes. And I guess the idea of that, you give it to the cops and then they'll be able to catch that burglar. Right?
Dave Bittner
Yeah. I think that these, they feed on people's anxiety. They are anxiety machines. For example, I remember years ago when I was first out of college and we were all living in apartments and so on and so forth. I had a friend who was just super nervous that someone was going to come and steal his stuff to the point where we were out at dinner one time and he said, "Listen, I've really got to get back. When I left the apartment, there was someone out in the parking lot who I didn't recognize and I'm afraid—" I just gotta get back to check on my stuff. It's absurd. But my point is that I think by being able to monitor all of these things in real time, you kind of get hooked on that. Oh, let's look out to see what the camera's doing in the backyard. Okay, all clear. Someone walks by in front of your house and you get a ping on your phone. Who was that? Who was that? You can go look it up and see who it was. And so you get hooked on that.
Carole Theriault
Yeah, yeah, I've been on holiday with people who are oh, the cat lady should be arriving about now. Let's look in and see if she's arriving one time, since she's 5 minutes late.
Dave Bittner
Yeah, you know, yes, to that point, one of my neighbors went away for a while, and she hired my son to feed her cats. And so, the first day, my son goes in, and he feeds the cats, he gives them the food, and he, you know, he pets them a little bit.
Carole Theriault
Heads to the underwear drawer, no kidding.
Graham Cluley
The next day he goes in, takes all his clothes off.
Dave Bittner
Right, does a little dance, gets down tonight. He feeds the cats, does what's expected of him, and he leaves. And he gets a call a little bit later from the woman, and she says, listen, according to my alarm system, you only spent 2 minutes in the house. That's not long enough. Yeah, we were talking about playing with my cat as well. Yeah. So my son is Dad, what?
Unknown Guest
I don't understand.
Dave Bittner
I said, listen, just go in, feed the cats.
Graham Cluley
Read them a story.
Dave Bittner
Sit on the couch for 10 minutes, look through your phone. Tuck them in and then leave, right? This was being asked of you, you know. But again, it's that anxiety — the fact that she could monitor what was going on, I think that's what they're feeding into and they're making money off of it. Oh, totally. I even saw one of these sites in my research that offers watering plants, except it detects when it rains, so it doesn't do it then, so that a burglar — what, were burglars going to check your lawn and go, "Oh, looks a bit dry, but he's not home?"
Carole Theriault
We've heard tons of instances where it's failed the user, smart security, haven't we? There's loads of fails. There's baby monitors being hacked and scaring the shit out of customers or Home Assistant inadvertently recording and storing those recordings. And it's just in my experience, every single one has a different configuration option list and a design, a different UI, making it super difficult for the average user. And many people on these things identify themselves through their own email account, their primary email account. And as we know, if they get compromised—
Graham Cluley
And probably they might, well, if they set a password at all, they're probably using something which they've used elsewhere on the internet.
Carole Theriault
Yeah, exactly. Apparently last year, in 2019, there were 2 billion records exposed in this massive smart home breach that affected the customers of a Chinese company called Orvibo. And they didn't get much, don't worry. It was email address, passwords, account reset codes, precision geolocation, IP address, username, user ID, family name, family ID, smart device, device that accessed account, and scheduling information.
Graham Cluley
Inside leg measurement. Hardly anything. Talking about fostering fear and anxiety. Shouldn't we just say, don't worry about it?
Dave Bittner
Isn't that the whole point of this show?
Carole Theriault
I'm not sure smart security is actually that smart. I think you just go back to more traditional methods. Anyway, listen to this anecdote, okay? So this drives my point home. So CBC, a Canadian broadcast company, published this article on Monday where this homeowner said she got a message from a stranger saying he had complete control over her home. And quote, as she stood alone in her front hall, she watched in disbelief as the man unarmed the system, unlocked doors and windows, and told her he could track her when she left the house, all with a few clicks of the security company's app. Any idea what might have happened?
Graham Cluley
No.
Dave Bittner
Was it an insider at the security company?
Graham Cluley
Oh, that's a good— Is this a romantic novel you've been writing, Dave?
Dave Bittner
It'll be available by the end of the month.
Carole Theriault
No, that's not what happened. So the guy used to own the house. But it gets even more interesting than that. He swore up and down that he made numerous calls to cancel the service weeks before she moved in, but somehow he still had access. Now, question number two: why would this happen, do you think? Why would — if he's called Superior lots of times and said, "Come on, cancel this, cancel this," why would they be dragging their feet?
Graham Cluley
Well, because there's no money to be made from that.
Dave Bittner
Well, I think maybe the system wasn't designed with this in mind. Yeah, I think you're both right.
Carole Theriault
The problem is the cancellation policies. So people are like, "Oh, no, no, no, no, no. I think if you read your terms and conditions..." Sorry, that ugly word rears its ugly head once again. "But you will have seen in the fine print that you actually have to give us 60 days' notice or 30 days' notice or 45 days' notice before we can cancel. So I'm afraid, sir, you're going to have to keep paying us until— but we've logged your request." So it turns out that loads of people are trying to actually do the right thing, cancel their accounts in time, but the long cancellation period in the policy basically makes it impossible. Guess what? They don't cancel the account or his access, and the fallout is the same. He has complete control over a house that is now occupied fully by its new owner. The guy, after he told the owner and explained his whole situation, he contacted the provider and he was told, he said, "Again, I really want to have my access revoked."
Graham Cluley
Well, I think they should have stood their ground. Could he not have shown some self-restraint if he was the only per— I mean, he was the person who had this access, and he knew he had this access, and he knew that access was wrong. And then he's oh look, I've been given I shouldn't have access. I shouldn't have access. And then he accesses it and then he shows that he can do it. Just don't use it. Just grow up, man. Why on earth are you doing this? Fiddling with someone else's back door?
Carole Theriault
The reason he's doing it is to try and tell people this is a serious problem and we need cancellation policies that fit in with the lifestyle that people actually leave their house and buy a new one occasionally.
Graham Cluley
Yeah, right. Well, you've drunk the Kool-Aid, haven't you? Because the problem is, you see, that if you're a bad guy who has access because you were the previous tenant, you're not going to tell the company, "Oh, by the way, can you cancel this?" are you? So that doesn't actually work. He's going to retain the access. So I don't understand. He's just given a scenario where he's a good guy who cares about this, who wants to cancel it, and they won't cancel it. I'm saying if you were a bad guy, you wouldn't request to cancel it.
Carole Theriault
All right. Welcome to Graham's Logic Show, everybody. And I'm going to leave it there.
Dave Bittner
I spoke with a security researcher probably about a year ago, who had the same thing happen with a car that he sold. And he was able to, on his app, still get the GPS location of the car that was no longer his. He was able to unlock the car. He was able to remotely start the car.
Carole Theriault
I think he told us about it on the show, actually.
Dave Bittner
I think he did. Yeah, yeah, so, oof. Anyway, there you go.
Carole Theriault
So be careful, guys. Read your terms and conditions. And maybe smart security ain't that smart yet.
Graham Cluley
So, can I just add one suggestion as to how this could be improved?
Graham Cluley
So, shouldn't there be a way for the new owner of the property to override the contract of the previous owner?
Carole Theriault
No, definitely not. I don't think that's the right thing at all. No, if you are— Of course they should. Yes. Of course.
Graham Cluley
There should be legislation in place.
Carole Theriault
There should be legislation in place that says, oh, wow, a house these days isn't just bricks and mortar, it's all the technological gizmo fibzo that goes with it, like your smart fridge or your smart coffee maker, potentially, if they've left it behind, or the security, because that's all going to be hardwired, a lot of it. You're not going to take that with you as you leave.
Graham Cluley
Please use your sarcasm on me.
Dave Bittner
Let me ask you this. When you have purchased a home, did you— and the old owner, you're at the settlement table and the home is now yours and they hand over the keys. Did you then have all the locks changed, or did you trust that the old owner was giving you all the keys?
Carole Theriault
No, I got burgled, so I had to change all the locks. For real? Yeah. The big problem with being burgled is the mess they make. So if you had a clean burglar that just came in and said, look, I'm really sorry, I stole your computer because I'm starving, and thank you very much, goodbye.
Graham Cluley
Oh, but your burglar left you a little gift, didn't they? No, no, no. I thought they left a little calling card in the middle of the carpet. Is that someone else that happened to? Oh, sorry, I imagined.
Carole Theriault
No one, as far as I know, has ever shat in my carpet.
Dave Bittner
Well, have you tested it with a blacklight?
Graham Cluley
I can't believe it's still been all these years and you haven't found it yet. This episode of Smashing Security is sponsored by LastPass. Now everyone knows about LastPass's password manager for end users, but it's also a great solution for businesses. In fact, tens of thousands of companies rely upon LastPass to protect themselves. LastPass Enterprise simplifies password management for companies of all sizes and helps you secure your workforce. So, whatever the size of your business, go and check it out. Go and visit lastpass.com/smashing to find out more. And thanks to LastPass for supporting the show.
Carole Theriault
Do you ever lie awake at night wondering whether you're doing enough to protect all that sensitive information that resides on the corporate cloud? Well, you're not alone, but thankfully the cloud security experts at Oracle are here to help. You see, they've made available to Smashing Security listeners 5 reports that deep dive into different security issues all pertaining to the cloud. You can access these for free at smashingsecurity.com/oracle. That's smashingsecurity.com/oracle. And thanks to Oracle for sponsoring the show. And welcome back.
Graham Cluley
And you join us for our favorite part of the show, the part of the show that we like to call Pick of the Week.
Carole Theriault
Pick of the Week.
Dave Bittner
Pick of the Week.
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily. Better not be. Now, my pick of the week this week, well, I am going to draw my— actually, Dave, you love a bit of music. I do, yes. So what I'm going to do is I'm going to sing the opening line from a song and see if you can carry it on.
Carole Theriault
Okay.
Graham Cluley
Music was my first love and it will be my last. So what key was that? Do you not know this song, Duncan? I do not.
Dave Bittner
No, it's not really.
Carole Theriault
I don't know it either. Well, not so far. Really?
Graham Cluley
Music of the future. I wanted him to go, hi. And music of the— Let me start again. Well, my pick of the week this week is all about music. And specifically, it is a YouTube channel called You Can't Unhear This. Now, you might be curious as to what You Can't Unhear This is all about. It is about the quirks in some songs. And specifically, the channel owner seems to have focused on Beatles songs, although he may branch out in the future as well, because there are little curios locked away in some of these songs. Things which, once you have heard them, you never miss them again. So it may be an incorrect note, or it may be, for instance, if you're listening to Strawberry Fields, which famously is two tracks sort of edited together at one particular point. It goes from a track and then it goes to one which is being played at a different speed, and it's beautifully done. Or if you've heard the song Hey Jude, you know Hey Jude, which apparently Paul McCartney has now sung over, I think, 66,000 times during his career. So someone's worked out how many Hey Judes he's— how many na na na na's he said. There is a point in Hey Jude when he's singing where you hear "fucking hell" in the background. And once you've heard it, you can't mistake it. But that's a song which is played all the time and people, it sort of drifted past them.
Carole Theriault
Is that very exciting when you hear those?
Graham Cluley
It's— I find it quite interesting. And there are also questions like, for instance, at the end of All You Need Is Love, there is a bit as it's going out where someone sings, "She loves you, yeah, yeah, yeah" at the end of All You Need Is Love. And there's been long debate— is it John or is it Paul singing? And this guy goes into forensic detail, including video footage, to work out exactly what happened. And it's— it is genuinely quite fascinating, the true story of who said that and how it— are you going to tell us as well? No, you're going to have to watch the link.
Carole Theriault
I'm not watching it. Then you will never know.
Graham Cluley
And I'll never know. And for the rest of your life you will wonder and you will think—
Carole Theriault
Yes, I will. I wonder. It'll eat me alive. This is the beginning of the end.
Dave Bittner
There'll be emptiness.
Graham Cluley
You're thinking there's a piece of information Graham knows, which I don't. And you will suffer. And you will wake up in a cold sweat when you're 74 years old thinking, "If only." No gaslighting or anything, everybody. "If only he had told me that." You Can't Unhear This on YouTube. Dave, what's your Pick of the Week?
Dave Bittner
My pick of the week is from the folks over at ProPublica. And I am a fan of interesting design online. It so rarely happens that you get actually really good design, design being part of conveying information. And I think this is a really good example of that. This is a story they published. It's called New Climate Maps Show a Transformed United States. And I apologize for this being US-centric, but it also has to do with Canada, so there you go. So what this is, is a story about how climate change is going to affect where people live and, perhaps more importantly, where food is grown throughout North America. And as you scroll through, it shows you a live map that's changing as the information scrolls by, and it shows you where people live and where food is grown, and as the climate continues to warm, which seems to be the track that we're on, how that will affect things. And the bottom line is that things are going to move north. People are going to have to move out of the American South because it's going to be too hot for people to live there comfortably, hot and dry.
Graham Cluley
Well, hang on a moment. What are the Canadians going to think about all these Americans moving north?
Dave Bittner
Well, that's— I was thinking, you know, I'm sure there's someone in Washington who has their invasion plan that they're working on right now, because when the time comes—
Carole Theriault
I think there probably is. Yeah. Yeah.
Dave Bittner
In fact, I'm sure there is. There's— I've read stories about how the US does have an invasion plan for Canada just in case.
Carole Theriault
I mean, I hate to quote South Park, but they had an episode where Canada had a wall, right? And try it. Yeah. So I don't know. I don't know.
Dave Bittner
Maybe he was thinking on the wrong border. But the breadbasket may move north into Canada where, as things are better able to be grown there. Now, selfishly, I was looking at this in my own, my home state of Maryland where I live. Where I live seems to be in the green zone, but you have to consider that all those people living south of us who are gonna have to go somewhere, they're gonna be heading north. And so what I've been wondering is, is now the time to buy up cheap farmland in West Virginia, which can be had for practically nothing at all? As these people move north, they're gonna have to have places to go. Or, you know what, maybe it was — here's a guess. She went down to her local coffee shop because we know how dangerous that can be, risking death. So should you be buying up cheap land in places like that and maybe in Canada because over the next few decades— So she signed up to be on their discount thing and she used the same email address and password as her home system. And the man behind the counter had a shine for her so he went into the system and looked it up and that's how he had access to her home. That's my guess, Carole.
Carole Theriault
Capitalize on the poor starving people that are trying to get away from the burning sun.
Dave Bittner
You always put your spin on things, Carole. Always put your spin on things. Little Miss Sunshine there. I can always count on you. Right? Am I right, Graham?
Graham Cluley
Am I right? You are. You are right. She loves all this.
Dave Bittner
So serious stuff. This article is definitely worth a look, and it's beautifully put together, which makes the information that much easier to understand. So highly recommended over on ProPublica. We'll have a link in the show notes, right?
Carole Theriault
Okay. Do you guys know Hank the Cowdog?
Dave Bittner
Absolutely. And that is my pick of the week.
Graham Cluley
Not intimately. You know what it means? No. Who is Hank the Cowdog?
Carole Theriault
If I say, "It's me again, Hank the Cowdog," that means nothing to either of you.
Graham Cluley
Is Hank a name or a verb?
Carole Theriault
Hank is the name. Okay. So this is the opening statement of the start of over 74 children's books by John R. Erickson. And he sold more than 10 million copies worldwide. Hank the Cowdog is the self-declared head of ranch security. There, I've done it again.
Graham Cluley
Oh, you've done it right.
Carole Theriault
We need a little klaxon. Jesus.
Dave Bittner
Do as I say, not as I do.
Carole Theriault
Hank the Cowdog is the self-declared head of ranch security. He finds himself smack dab in the middle of a host of tangled mysteries and capers that span the universe of the Texas Panhandle cattle ranch Hank calls home. It's the longest sentence in the world. So basically, he's the head of ranch security, and he gets up to all kinds of mischief and mysteries. This multi-winning collection of books has become a brand new podcast, which came at the beginning of this month.
Graham Cluley
Have you listened to the podcast?
Carole Theriault
Yes, I have.
Graham Cluley
You have listened to it? Oh, okay.
Carole Theriault
Yes, I have. Because do you know who plays Hank the Cowdog in this podcast?
Graham Cluley
Oh, this could be fun to guess. Is it Joe Pesci?
Dave Bittner
Christopher Walken?
Graham Cluley
Who else is there?
Carole Theriault
We could make this a Patreon special. Keep going.
Dave Bittner
Paul McCartney?
Carole Theriault
It's none other than Matthew McConaughey. What is your problem, gentlemen?
Graham Cluley
Don't tell me you like him. I love him. He's a bit sleazy. Why is he sleazy? He's just a bit.
Carole Theriault
They're just— they're— what, because he's hot?
Graham Cluley
Yes. Well, girls might think he is. I think— And he's a really good actor?
Dave Bittner
Hot in a— In a poorly groomed kind of way. Did you watch True Detective? I can't imagine he smells very good.
Graham Cluley
Whereas podcasters who don't drink coffee smell magnificent.
Carole Theriault
Well, both of you are just old, conventionally boring old farts, okay? It's great. They are narrated, but there's an overlay of serious, exciting drama. It's fun, it's crazy, it's wonderful, and it's for kids primarily. So this is a podcast that you will enjoy if you like Matthew McConaughey, unlike these two dozos. And you should take a listen and try it out. So you can find it, it's called Hank the Cowdog. You can find it wherever you get your podcasts.
Dave Bittner
Do you all have the series of commercials that he's in for cars over here? No. Okay, we do. They're insufferable.
Carole Theriault
Oh yeah, the god, the guy's trying to make a living. What a twat.
Graham Cluley
Well, on that Matthew McConaughey type note. Oh, Carole, we've got a featured interview this week, haven't we? Yes, we do.
Carole Theriault
Let's just dive right in. So today we have Greg Jensen of Oracle. Now he is the main guy when it comes to cloud. One of many. How do I say your title? Your titles in technology are so long. They are. Tell me your title. Tell me, you'll be better at it than I am.
Unknown Guest
Senior Director of Cloud Security at Oracle.
Carole Theriault
Okay, well that's good because we want to talk cloud because Oracle, well first is one of the big boys out there really. I mean, everyone's heard of Oracle. Have you been there a long time?
Unknown Guest
You know, I've been here a few years. I'd like to say a long time, but there's always people that have been here longer.
Carole Theriault
I know. I was at a company once for 15 years and there were still people that said, "15? I was there 20." So you can never win. Yeah, yeah.
Unknown Guest
I've been here about 8 years. Wow. And what's it like?
Carole Theriault
What's it like working at Oracle?
Unknown Guest
Well, you know, Oracle is one of those companies that they give you a rope long enough to climb and succeed. And so it's a very fun organization to really find some amazing projects to attach yourself to. And grow within. Over the last 8 years, we've seen the cloud really kick in, and it's been an amazing time just for me personally, just being able to see this big movement of cloud within our customers, within my own team, and be able to see this big wave move.
Carole Theriault
See, this is why I'm so excited that you're here, because the other day when we were talking and just prepping for this interview and having a chit-chat, we were talking a bit about migration trends. And I know that LinkedIn put out some numbers about that, but effectively. Yeah. What we're seeing is what people are actually, you know, because of this pandemic are actually moving locations. Yeah.
Unknown Guest
They really nailed down, at least in the US, that they show that many people in the large cities are really migrating away and they're moving to these smaller, lower-cost cities. What's really, I think, enabled a lot of this is key drivers of work from home has really allowed a lot of this. Employers that allow their employees to have that flexibility to work anywhere they want, anytime they want, then that's just, I think, a great benefit. I've been able to have the whole 25-some years I've been in this industry, I've been able to work anywhere I've wanted, and that's been a great benefit for me. And that's a great quality of life, which is amazing. And really, for a lot of companies and employees, that's really what's held them back has been technology. But now employers now have the ability to use modern technologies to take everyday employees that have, whether you're in payroll, whether you're in more ordinary blue-collar positions or whatever, you're in HR positions, whatever it might be, and be able to do these positions from home and what underpins that are these digital transformation type technologies that are underpinned by cloud. That's what, that's a really exciting type of capability today. I think Shared Responsibility, to be honest. All of these focus on cloud and that journey to the cloud. I would say it's probably a toss-up between the shared responsibility and the CISA report, because everything starts with understanding the role of shared responsibility, and that's where everyone seems to fall flat.
Dave Bittner
I think there is a, yeah, ignorance is bliss as to a certain point. So Carole, I pasted in your, pasted in the YouTube link to Matthew McConaughey's Lincoln MKZ commercials compilation.
Unknown Guest
This is kind of Greg's position on things, but we really see this data in our new cloud threat report, the Oracle and KPMG Cloud Threat Report. We see this data really backed up in this report that we put out each year. But the data really shows that as businesses are moving to the cloud, those that have kind of a cloud-leaning position with this digital transformation, they've really had a leg up now with the challenges that we're seeing here in 2020. And those that have had a bit more of a conservative approach to cloud, we really see that they're now going to have a challenge as they're now getting through 2020 and getting into 2021. And I can't tell you how many times I present to people and I get that weird look of, "Yeah, that is a problem. We don't know our role of shared responsibility."
With this climate of, hey, can we support the work-from-home body? Can we support the demands of the modern buyer? Whether you're a mom-and-pop that have a new business model requirement of selling in a way that they've never had to sell before, or you're a new restaurant chain that, hey, we've always required people to sit in a chair to consume our food, and now I have to somehow get you to buy food online and I have to deliver it to you. Wait, that's a new way of selling my goods and services. Can you talk to us off to the side here? How do we get educated on this? Something like SaaS, you have the least responsibility in SaaS, and that's the area where customers have the most confusion.
Unknown Guest
So it gets worse every year. So this is our third year right now of doing our report series, and the data is getting worse each year.
Graham Cluley
Brilliant. Carole, what's your pick of the week?
Graham Cluley
Yeah, it's like a huge period, a shift of change. I mean, New York and San Francisco are no longer the coveted destinations they once were. If you think about the average workers, they've worked for these employers for years and they've had the protections of security operations and processes that have investments of thousands, if not hundreds of thousands and maybe millions of dollars worth of investments behind them. Sitting behind firewall environments, you know, if you think old school firewall environments and access control technologies and monitoring technologies that are worth a tremendous amount of money.
Carole Theriault
Okay, so you're a cloud expert and there's all these people now that suddenly are taking the cloud seriously. They may have been using the cloud till now, but now they're 100% reliant upon it for their business operations. So what would be the 3 things you would ask them to really take seriously to help them make sure that they're managing their stuff correctly? 92% of businesses don't feel confident in their own ability to secure their cloud infrastructure now, 92%. I think that's a sign that businesses felt pretty good at one point in cloud, but they don't feel confident in their own ability in cloud. That's all part of training. Yes, well, you guys have at Oracle pulled together a bunch of resources, one of which is on shared responsibility. Just maybe just give us the list of 5 reports that are going to be made available by you.
Unknown Guest
Yeah, so we've got our first report, which is our main report, the Oracle and KPMG Cloud Threat Report. We followed that with the report on shared responsibility. And so that report is available as well. We also have a report that we've released on cloud risk and business fraud. And then coming up here soon, we have our annual CISA report that we'll be releasing. And so collectively, these five reports, they are all pulled from basically interviewing 750 global respondents. So these are key cyber decision makers that we hit in these global markets. Basically understand what are the challenges and risks? What are they dealing with? What's failed and what's worked? And we really pull this together into a variety of different report types that really hit conversation points. And so some reports really work for certain types of personas within the business.
Carole Theriault
Okay. So you must have one favorite report in all of those. So I keep telling people, shared responsibility is a bit like two people—it takes two people to drive the car, you know. One person is steering the wheel, the other person's on the gas and the brake.
Unknown Guest
Yeah, I think the best analogy I've had is shared responsibility is like owning a car versus renting a car versus having an Uber. And really, in a rideshare, you still have to look at a license plate and verify the car you're getting into and be safe when you get in and out of it and don't do things that you should and shouldn't do in the backseat of that car. You still have responsibility. Yeah, that's a really good point. I've not thought about it that way. We are, yes. And the great thing that I would say on these, Oracle's written on the front cover, KPMG is our partner, they're written on the cover but these are not used to promote Oracle and KPMG services. And you know, that is a really amazing thing. And I wish other technology and security firms would do that because it's a time of unease for a lot of people and a lot of organizations out there. Any support they can have on the right way and the right approach from trusted providers is amazing. Oh, really appreciate it. Thank you so much for all the time today. You guys have done a tremendous job, I think, in the industry. And I think, you know, keep doing what you guys are doing. And of course, in regards to the reports, extend any feedback to me if you guys find it interesting. I'm available online on Twitter and LinkedIn. Brilliant. That's fab. That's right.
Graham Cluley
Well, that I think apart from the end bit, which was a bit rude to be honest, I think the rest of that was excellent. Really good points. Well made. Did you enjoy that, Dave?
Dave Bittner
It was great. Yeah, absolutely. Good info.
Graham Cluley
Who do you think in answer to the question, was it me or—
Dave Bittner
Oh, I have to go with Carole Theriault.
Graham Cluley
Boom. Oh, for goodness sake. Well, that just about wraps it up for Dave Bittner's appearances on Smashing Security, and it just about wraps it up for the show as well. You can find me on Twitter. It's @bittner, B-I-T-T-N-E-R.
Carole Theriault
Yeah, you might even hear me there too. Yes. And you can follow us on Twitter @SmashInSecurity, no G, Twitter doesn't allow us to have a G, and you can join our Smashing Security subreddit as well. Socially responsible hip shimmies to you all for listening, supporting the show via Patreon, and sharing this podcast with your people. Also, high five to this week's Smashing Security Sponsors: LastPass and Oracle. Their support helps us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
Graham Cluley
Until next time, cheerio, bye-bye.
Dave Bittner
Bye-bye. Bye-bye.
Carole Theriault
Can I tell you something interesting about black light now that I know it's called black light? If you go somewhere where there are things scorpions, because they glow in the light. And we have friends, and if you shine it on their walls, it is crawling with these tiny little baby scorpions. Not ones that would hurt you, you know, they just live out in the rocks. But wow. Very amazing.
Graham Cluley
Okay, let's check this out. Oh, he's such a, he's a real poser.
Carole Theriault
No, he is. Well, Graham, I would date him and I wouldn't date you. So he's just the worst.
Graham Cluley
And he likes to do that kind of Southern drawl as well. It's like you doing that stupid British thing. He won't be from the South soon, according to Dave. He'll be from Maryland chomping on a cookie.
Dave Bittner
Yeah. Hey there. Yeah. So your boyfriend's not giving you what you need, right? That must be pretty tough. Yeah, come on.
EPISODE DESCRIPTION:
Coffee machines catching ransomware, Blacklight shines a torch on website tracking, and a woman is freaked out that a complete stranger can turn off her home's security system.
All this and much, much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire's Dave Bittner.
And don't miss our featured interview with Greg Jensen from Oracle, who talks all about five free reports he has put together for listeners about cloud security.