This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault
Hey everybody, Carole Theriault here. This is our weekly shout-out to just a few of our very incredible Patreon supporters. This week, shout-out goes to Saskia Muller, John, Janice Fris Beinslev, E. July, Devin Branch, Stanley Karas, Oleg Skutsenya, Chuck Davis, Jeffrey Beauregard, and Peter Baird. Thank you. Having your support means the world to us, and we extend our extreme thanks. If you want to join this amazing community of Patreon supporters, all you got to do is go to smashingsecurity.com/patreon. All right, let's get this show on the road. See, it's all part of the, so they've got someone in PR working for them. They've got a campaign manager that has built this whole little thing up.
Tim Hwang
Yeah, I think it's a form of criminal social responsibility, you know, giving back.
Graham Cluley
CSR.
Carole Theriault
CSR.
Unknown
Exactly. Smashing Security, episode 201: Robinhood, Flippy, and the web ad bubble with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 201. My name's Graham Cluley.
Carole Theriault
That has a nice ring to it. 200,000— I was gonna say 2001. 201. I'm Carole Theriault.
Graham Cluley
A podcast odyssey. And of course, Carole, we have just celebrated episode 200. Not only did we have a fab episode last week with Maria Varmazis, but some people will have seen us live with their own eyes on our YouTube livestream.
Carole Theriault
Okay, Graham, you know what? It was quite fun. Do you know what it felt like to me, that livestream? It felt like one of my old house parties that I had in the olden days before many of us had children and got married and, you know, got important at work. Do you remember those days? It was a bit always crazy and you'd kind of come out of it going, how did that all happen? What, what, what? How has 7 hours gone by?
Graham Cluley
The only difference is that the police weren't called.
Carole Theriault
My house didn't burn down. There was no fire department. You're right.
Graham Cluley
We were half expecting that to happen though, all for us to be swatted and made a livestream. But we survived and we had some fantastic guests as well. Yeah. And you guys, any one of you who missed it, tsk, tsk, but you can see it. That's right. SmashingSecurity.com/live will take you there and you'll be able to see it and follow the live chat as well of the hundreds of people who were watching it at the time, which was really great to see so many folks. And Carole, we are joined this week by an extra special guest, aren't we?
Carole Theriault
Yes, a brand new guest to Smashing Security, Tim Hwang.
Graham Cluley
Tim, tell us about yourself. What do you do and why are you here?
Tim Hwang
Well, thanks for having me on the show. Yeah, my name is Tim Hwang. I'm a writer and researcher based in New York, and I'm just out with a new book entitled Subprime Attention Crisis, which basically argues that the money machine at the center of the internet may be total garbage when you take a close look at it.
Carole Theriault
Oh, we're going to talk about it during your section, aren't we, Tim?
Tim Hwang
I believe so.
Carole Theriault
Excellent.
Graham Cluley
So, Carole, what have we got coming up on the show this week?
Carole Theriault
Well, first, thanks to this week's sponsors, Recorded Future, LastPass, and Immersive Labs. Their support helps us give you this show for free. Now, coming up on today's show, Graham talks of a digital Robin Hood who may not be up to any good. Tim will be telling us just how we are getting manipulated online. And I'll introduce you to Flippy and Roar. You may want to stay at arm's length, though. Also, we have a great special interview with Levi Gundert, or Gundert, depending on from where you hail. He's a global intelligence guy at Recorded Future. And know what? Pretty smart, Graham. You should pay attention. All this and much more coming up on this episode of Smashing Security.
Graham Cluley
Chums, chums, I feel like bursting into song. What does this make you think? Robin Hood, Robin Hood, riding through the glen. Yes, I'm not going to give you all of the song. Because there are once again people on the internet who are robbing from the rich and giving to the poor, specifically.
Carole Theriault
Oh yeah, that happens all the time on the internet. Well, that's what's happening all the time.
Graham Cluley
Well, it happens, of course, in myth with Robin Hood, and maybe it is happening on the internet as well because a ransomware gang are targeting large corporate networks. They're encrypting data. They're asking for huge amounts of money with their ransom demands. That's not unusual in itself. But what's happening with this particular ransomware gang, a gang called the DarkSide Group?
Carole Theriault
Oh, serious.
Graham Cluley
Yeah, I know.
Carole Theriault
Serious name.
Graham Cluley
It's always a bit scary. I wonder if they have— do you think they do the kind of— what is it called? Not a brain fart. A word cloud.
Carole Theriault
A keyword word cloud.
Graham Cluley
Which is a brain fart, really, isn't it?
Carole Theriault
You know, to try and just coin two words together that sound spooky. DarkSide.
Graham Cluley
I don't know how you feel about this, Tim, but whenever I hear a cybercrime gang name, I'm a little bit disappointed that they're so unimaginative. It's always Dark This, or Dark Avenger, or one of these sort of World Wrestling Federation kind of names meant to instill fear in you, rather than Fluffy Unicorn.
Tim Hwang
Yeah, you don't think it should be— You think it should be more optimistic, a brighter name.
Graham Cluley
Yes, yes!
Carole Theriault
Rainbow and clouds.
Graham Cluley
Wouldn't that be better? Anyway, DarkSide, what they're doing is, of course, they are stealing gigabytes of sensitive data: HR data, data from your finance department, your payroll details, business plans, even commercially sensitive information. They're giving you plenty of incentive to pay because your data isn't just encrypted and locked up away from you. They also run their own website on the dark web, accessible via the Tor browser, and they're publishing even press releases on that site. Just this week, they said they were only targeting profitable big companies. So, so far, nothing terribly unusual there. Most of that is stuff we've heard about before.
Carole Theriault
Graham, huddle, guys, huddle. I got a business idea. Seriously. Don't you think we should start peddling new identities, properly, right? So for people that are targeted by something like this and all their real data is put up, they need a new identity effectively to operate online. Otherwise, they're going to be pinned and prodded at every opportunity. To say, "Oh, well, weren't you hacked?" Or, "Oh, actually, your number's already been used by other people." Or, "Are you sure you're at where you say you are?" Right?
Graham Cluley
Oh, I see.
Carole Theriault
So we set up a new identity for them, sell it to them.
Graham Cluley
So you are actually saying the ultimate end user is the person who basically go on witness protection under your guard. That's the suggestion, not the company. Is that correct?
Carole Theriault
I'm just saying, if this were to happen to me, that's what I'd want to do.
Graham Cluley
Carole, you'll be changing your identity every couple of weeks as you're in another breach. You won't even be able to remember who you are. It'd cost you a fortune in new business cards. Imagine it, it'd be horrendous. You can't do that.
Carole Theriault
All right, well, call me Martha.
Tim Hwang
All right.
Graham Cluley
Well, what's odd is the DarkSide group, the ransomware gang, have issued a press release saying that they want to make the world a better place.
Carole Theriault
We are the world.
Graham Cluley
Now, how do you think, how do you think, other than doing a charity single, how do you think The DarkSide gang may want to make the world a better place. They're a ransomware gang. The obvious way, it seems to me, is they would announce they're no longer going to hack companies and install ransomware. That seems to me, if you really want to make the world a better place, stop committing cybercrime, right? That'd be a good idea. Anything else they could do? How about they were to install patches? How about if they were to secure the systems they hacked into? Would that be a better thing to do?
Carole Theriault
It would. Would they be able to leave a logo on the site that said, "Patched by DarkSide" or something. I don't know, Graham, I think that's actually kind of cute.
Graham Cluley
It's a bit like if you're a gentleman art thief and you leave a monogrammed glove at the scene of the crimes, everyone knows that you've been there.
Carole Theriault
I suspect though, legally, it'll be a bit of a sticky pickle. Oh, sorry, just hung up.
Tim Hwang
Yeah, I think it still will be a crime ultimately.
Graham Cluley
Yeah. Yes, 'cause you're still hacking in. I mean, it's still not something you want.
Tim Hwang
It's still a little poor form, yeah.
Graham Cluley
Yeah, it is, I think. Well, this is what DarkSide are doing. What they're doing is they're not leaving behind a monogrammed glove or patching. What they're doing is they're taking the money which they managed to extort out of the hacked companies, and they're donating at least some of it to charity. According to a press release which they issued this week, they said, "We think that it's fair that some of the money the companies have paid us will go to charity. No matter how bad you think our work is, we are pleased to know that we have helped change someone's life. Today we sended—" There's very bad grammar in this press release.
Carole Theriault
Oh, but come on, come on.
Graham Cluley
Today we sended the first donations.
Carole Theriault
Oh, it doesn't say— there's no numbers.
Graham Cluley
Well, actually, there are numbers.
Carole Theriault
Okay, give me numbers.
Graham Cluley
What they've done is they have donated $10,000.
Carole Theriault
Right.
Graham Cluley
To two different charities. So a total of $20,000.
Carole Theriault
Okay, so $20K. Yeah. Yeah. How much did they steal?
Graham Cluley
Well, we don't know exactly how much they steal, but quite often this gang have requested sums in the millions.
Carole Theriault
Right. Okay. So that's what I'm thinking. I'm thinking they may have given away 0.0001% of their stolen fortune.
Graham Cluley
Better than nothing, though, right?
Carole Theriault
And they want a high five?
Graham Cluley
Well, better than keeping all of it, isn't it? Or is it?
Carole Theriault
Tim, what do you think, man?
Tim Hwang
I think it looks pretty bad if that's the case.
Graham Cluley
Yeah.
Tim Hwang
You know, stealing millions of dollars and only giving a tiny bit away, it undercuts their message a little bit.
Graham Cluley
Well, how much does Jeff Bezos, given, for instance, right? You're gonna criticize these ransomware guys. They're only making a few million. He's making billions.
Tim Hwang
I'll criticize Jeff Bezos as well. Yeah, exactly.
Carole Theriault
Get in line. Do you know, just the other day, my other half was buying a book and he was on Amazon and I just said, do we have to buy it from Amazon? Couldn't we just go to our local Blackwells in Oxford and buy it there? And then he was like, of course, let's do it. And then there was the stumbling block of, oh, now we have to create an account on another website. But I think it's worth it anyway. So we're going to try and support businesses that do things well, like proper bookstores, proper grocery places.
Tim Hwang
All right.
Graham Cluley
Well, good for you.
Carole Theriault
Why not?
Graham Cluley
I think more and more people should perhaps consider doing that.
Carole Theriault
Yes, they should, Graham. They should.
Graham Cluley
Interesting.
Carole Theriault
You.
Graham Cluley
Anyway, charming. Anyway, these payments were made via a US-based service called The Giving Block. And this is a service which basically acts as a proxy for around about 67 different charities and nonprofits around the world. They claim that they give cryptocurrency millionaires a way to make charitable donations directly to nonprofits and benefit from tax incentives. And so you can do it kind of anonymously, although the two charities who got the money were Children International, who are obviously, you know, out to protect children and their families and communities around the world, and also a charity called The Water Project, who are building reliable water systems across Africa. So you can donate to them directly, but these two donations were made via the Giving Block. And what's unclear at the moment is whether the Giving Block is able to tell who exactly gave that money. What we do know is the Giving Block tweeted. They actually tweeted before perhaps they realized that criminals had donated the money. Oh, someone's just made a very generous donation of $10,000 each to two lucky nonprofits. So I think they didn't realize it was a ransomware gang there.
Tim Hwang
Oh, yeah.
Carole Theriault
No, no, no doubt. No doubt. I imagine they're not in cahoots. That would be a bit of an uncomfortable situation to be in should that happen. But what I wonder, okay, so here's conspiracy hat, conspiracy hat.
Graham Cluley
Yes. Right.
Carole Theriault
And they may have claimed tax back for this donation. Bitcoin, in which case that's how you'd find them.
Graham Cluley
Maybe. Well, you do certainly get a receipt from the Giving Block. Whether it is their intention to use that when they make their tax statement or not is unclear.
Carole Theriault
You gotta pay tax.
Tim Hwang
Yeah. How do you report your profession on your taxes?
Graham Cluley
Yes.
Tim Hwang
Ransomware gang.
Carole Theriault
Exactly. But even if you make the money illegally, you still have to pay taxes. But I know that in the States is to be true.
Tim Hwang
That's right.
Carole Theriault
Yeah.
Tim Hwang
On your tax forms in the States, they ask you to report how much you've received in bribes over the year. And, you know, the IRS just wants its cut after all.
Carole Theriault
Exactly. We'll look the other way as long as you pay us up.
Graham Cluley
So I've got a couple of questions which have sprung to my mind while reading about this story in some of the news reports. And first one is, why is this gang giving to the poor? Why are they stealing from— well, we know why they're stealing from the rich. I think we worked that one out. But why are they making these donations to charity?
Carole Theriault
Digital crowd control.
Graham Cluley
What do you mean?
Carole Theriault
Well, it makes people think, oh, they're not that bad, right? So people don't get pissed off.
Graham Cluley
Oh, well, hang on, hang on. I think you're still going to be pissed off if you get hacked by a ransomware gang, even if they made donations.
Carole Theriault
Are they? I wanted to know, are they hacking individuals or are they hacking companies?
Graham Cluley
No, they target companies. They specifically target big companies. Exactly.
Carole Theriault
See, it's all part of the— So they've got someone in PR working for them. They've got a campaign manager that has built this whole little thing up.
Tim Hwang
Yeah, I think it's a form of criminal social responsibility. They're giving back.
Graham Cluley
CSR.
Carole Theriault
CSR.
Tim Hwang
CSR, exactly.
Graham Cluley
Well, I wonder if it's to alleviate their guilt so they can sleep a little bit easier at night, whether that's a thing which might be happening. I think it's important to remember that the victims of these corporate ransomware attacks, they're still made of individuals. There may be people who lose their jobs. There'll be people whose privacy is destroyed by email archives and so forth being published online. People might lose their jobs as a consequence of this.
Carole Theriault
I don't think anyone listening to this show thinks these guys are heroes, dude.
Graham Cluley
No, but I wonder why they're doing it. It seems weird. And the other thing is, what should the charities do? What's interesting is Children International, so one of the charities which received $10,000 from this ransomware gang, they say that they're going to return the money.
Carole Theriault
Mm-hmm.
Graham Cluley
Although it's not clear who they're going to return the money to. Right? Because they don't necessarily know.
Carole Theriault
I know, because then someone could come up and go, "Hey, it's mine. I gave that to you."
Graham Cluley
Well, I'm wondering, I mean, because we can't be certain where the cryptocurrency, where that particular cryptocurrency was stolen from. And so should it go back to the giving block? Should the money maybe be given to charity? Would we see one charity saying, "Well, look, we don't want this money, but we'll pass it on to another charity" because we feel bad about accepting. It's peculiar, isn't it? It's a bit like a big bag of cash arriving on your doorstep as a charity.
Carole Theriault
Did you look into these charities at all?
Graham Cluley
Yes. Okay, okay. Yeah, I'll put links in the show notes. They're legit charities, Carole. It's not great things.
Carole Theriault
I'm sniffing around. I'm using my little journo brain.
Graham Cluley
It's not the criminals laundering money.
Tim Hwang
I mean, I think if the criminals were really acting out of the goodness of their heart, they would've just donated the money and not announced it to anyone. Exactly. Right? By announcing it, they put all the charities in a hard spot where they have to return the money.
Carole Theriault
Oh, yeah, I agree. STFU if you want to give money.
Graham Cluley
CSR and STFU. I wonder whether they are, for some reason, publicising their gang, because of course this has got them some attention and maybe they're fed up of some of the other ransomware gangs.
Carole Theriault
It was even covered on Smashing Security, I heard.
Graham Cluley
Oh, for goodness' sake. I knew it would come back to this.
Carole Theriault
Well, you fell right in. You walked right in.
Graham Cluley
We've done all their dirty work for them. Yeah. Oh, my goodness.
Carole Theriault
Well, you did.
Graham Cluley
Oh, I better come up with a better story. Oh dear. Oh, well, let's move on. Let's move on.
Carole Theriault
Tim. Hello.
Graham Cluley
What do you want to talk to us about? What have you been up to and what's your area of interest?
Carole Theriault
Right. DarkSide. If they're in the millions, they obviously know their tax responsibilities wherever they are.
Tim Hwang
So I'm a researcher, as I mentioned, based in New York, and I've been involved in tech policy for a long time. Worked at Google and was part of a joint Harvard-MIT project on the ethics of AI. And the thing I've been really into recently is very wonky. In fact, so wonky and boring that most people don't think about it on a day-to-day basis. And that topic is ads and programmatic advertising online and what it means for the future of the internet.
Graham Cluley
So just to be clear, programmatic advertising as compared to regular sort of, I guess you'd call it static advertising. What's the difference? What is programmatic advertising?
Tim Hwang
Basically, when I say advertising, a lot of people always think about shows like Mad Men or the old days of advertising, a bunch of men smoking in a room saying somewhat offensive things, basically.
Carole Theriault
Heaven.
Tim Hwang
And what's interesting is that the modern-day world of online advertising looks nothing like that. In fact, it looks a lot more like the New York Stock Exchange, right, or the NASDAQ. Basically, you have these vast marketplaces where algorithms are trading attention in split-second intervals, millions and billions of times a day. And this way of doing advertising, to buy and sell advertising, is referred to as programmatic advertising in the industry.
Graham Cluley
Okay. And so you are saying that this doesn't actually work?
Carole Theriault
Yeah. Tell us how it doesn't work. Tell us what you discovered in researching your book.
Tim Hwang
Yeah. So I think it's really fascinating, maybe by point of personal background. So I used to work at Google, as I mentioned, and it's interesting—
Graham Cluley
Now, excuse me, Google, what do they do?
Tim Hwang
Oh, they're a small search company based out in California.
Graham Cluley
With a sideline, quite a large sideline in advertising. What was that, Google? Google.
Tim Hwang
Yes, that's right. You know, I think the fascinating thing is the power of advertising is almost taken as a given, right? We have all this data about people. We can target a message exactly where people are most vulnerable and get them to buy something, right? And what's interesting is I think even when you talk to people who are really critical of the tech industry, they tend to buy the same thing. They say, oh my God, Mark Zuckerberg, he's got a mind control ray, right? He can reach into our brains and control what we think. And intuitively, maybe an argument that makes sense, which is, okay, we have lots of data about people, we can target these messages, why wouldn't it be very influential? And I think there's two maybe stories that I'll tell that I think you might find interesting. So the first one is in 2017, Procter & Gamble, which is one of the biggest advertisers in the world, decided that it was going to cut out a little bit from its digital advertising budget, about $200 million out of its digital advertising budget. And they— They had chump change, right? Compared to a ransomware gang, this is way more money. And what's fascinating is that they reported just a year later that there was absolutely no change to their bottom line, right? That no change in sales occurred. In fact, they even announced that some of the cost efficiencies meant that their advertising was reaching about 10% more people than it usually did.
Graham Cluley
Because people still need washing powder and the rest of it. They're going to buy it regardless, right?
Tim Hwang
That's right. What's fascinating is, in many cases, some of the academic experiments that I've done on this, it suggests that all this data, what it really gets you is the ability to advertise to people who would have already bought your product anyways, right? And so it ultimately ends up being a lot of wasted money. But you don't even have to get to the question of whether or not ads are effective or not. Google even came out with a study a few years back that suggested close to 60% of ads are never even seen on the internet. They're delivered, but you know, they're below the fold or they're hidden or, you know, they're otherwise placed in a place that people don't notice.
Graham Cluley
60%?
Tim Hwang
Imagine any other market where 50% of things don't actually work. It's amazing that it works at all.
Graham Cluley
So the web page is rendering these things, but because you're looking at the top of the web page, because you haven't necessarily scrolled down, that's extraordinary, isn't it?
Carole Theriault
Yeah. Do you feel that ad blockers are causing any impact in this market, or is it completely unrelated?
Tim Hwang
Sure. Yeah, ad blockers are a really big portion of the worry in the advertising market. There's actually an amazing quote, which I can't read in just a second from, you know, the representative of the online advertising industry. Because I think they are very worried that, you know, ad blocking is up on browsers, ad blocking is up on phones, and it really is cramping the ability for these ad businesses to actually buy and sell ads. And so, you know, one of the things I talk about in the book is, is this a big bubble, right? And at some point, is it going to pop? And one way you could imagine it popping is basically, you know, essentially sufficient numbers of people blocking ads to the point where the market actually can't function anymore.
Graham Cluley
Right.
Carole Theriault
So what happens then? I mean, in a way, I have to say, being part of the tech cyber industry or whatever, I'm really quite proud that people started using ad blockers seriously. But I suspect that that's misplaced. I think the reason people use ad blockers is because the ads are fucking annoying, right? And they got so overwhelmed by them, they had to just do something. And they talked to the one person in their family that knew about tech and got it set up.
Graham Cluley
Because the advertisers got so desperate to get people's attention, didn't they? I think they went kind of overboard, a lot of them, with how those ads began to appear. And of course, they're slowing down your browser too.
Tim Hwang
Yeah, and some of them, some of the ad companies now are, you know, they're entering a kind of unholy alliance with some of the ad blockers. Where, you know, ultimately what they're doing is they're paying the ad blockers to let their ads through. And so ironically, some of these ad blocker companies have become ad networks onto themselves, right? But I think that that's, in some ways, I think that is an exception rather than the rule in the space. I think the overall story that you see when you look at the data is that ad blocking is up all over the place.
Carole Theriault
So what's the future for advertising? Do you think it's digital automated ads that are the problem and we have to go back old school? Yeah, I mean, there's a lot of money, right? There's a lot of money being wasted if all this is what you're saying is, you know.
Tim Hwang
Yeah. And one way of looking at it is just the world of ad fraud or click fraud, right? So this is a scam in which you try to basically pull money out of the advertising ecosystem by creating a device farm that clicks on ads or watches YouTube videos every day. And I think the size of the fraud there is Forrester Research Company came out with a report a few years back where it was about 56% of display ads, that traffic is all fraud basically. You know, some people have said to this book, they say, oh, well, is the main thing I need to worry about just that Mark Zuckerberg has less billion dollars if this market crashes? And I always point out that there's just so much on the internet that relies on ads to subsidize it, right? You know, we can talk first about just media and journalism in general, right? Which is very, very dependent on the system. But you think about things like Google Apps, right? Like Google Sheets, Google Docs, right? Those are all subsidized by ads. I used to work in AI, right? And a lot of the labs doing the most cutting-edge research in machine learning are loss leaders for those companies, right? They're being subsidized by the ad business. And so I do think that if there was a problem in this market, we would see ripple effects in many places that we wouldn't expect.
Graham Cluley
That's a really good point, isn't it? And what I find interesting though, as well as that, is also we hear all the time about this huge amount of data which is being collected by these big tech companies about us. But you are saying it's not actually helping sell stuff. It's not actually as effective as we imagined. Is that right? I mean, would they be just as successful if they weren't specifically trying to target us with these ads, do you think?
Tim Hwang
Yeah, so this really begs the question, right? I was on a panel last week where someone said, so why are we building this enormous surveillance infrastructure if the whole thing doesn't work at all? And it is right, Graham? You know, there's a professor by the name of Alessandro Acquisti that's been doing some really interesting research into, okay, do ads that are targeted with cookies work better or worse than ads that are not targeted, right? And what he finds is effectively it's the same. It's really at the margin that this makes a difference. And it's partially because the data is not very good. A lot of it is very faulty. But there's also just a question about whether or not all this targeting really gets you to get a message to the person at a point where they're ready to buy. So I think there are a lot of questions about this data. I think one of the reasons it's been collected, one of the reasons we've built this system, is for a long time, the digital advertising industry has wanted to show that it is better than earlier generations of ads, right? Oh, we're better than billboards. Oh, we're better than magazines. Oh, we're better than television. And one way of proving that is they collect lots and lots of data. And I think there's a certain bit of theater with that data that has kind of incentivized this collection, even though it may not actually amount to much in the end.
Carole Theriault
I once had a boss— well, boss's boss's boss— but they lived and breathed data, and my team had to collect it. And you know, I seriously, it was probably 80/20, right? And I suspect then when they manipulated it, it got to 80/20 again. By the time it got to whatever stakeholder had asked for it, I'm sure the stuff was so far off the real point, you know? The whole thing, I agree. I felt the artifice. And this is, you know, thinking back 15 years ago.
Graham Cluley
Let me understand, Carole. So you're saying that other people were sort of summarizing your data in order to present it better to their bosses?
Carole Theriault
Yeah, I'm grabbing data and picking and choosing the data that I want my boss to be happy with. Then my boss picks and chooses the numbers they want to make them look good.
Graham Cluley
Yeah.
Carole Theriault
And then their boss, and it goes all up to CEO who goes, "Wow, my life is fantastic. This is great." And it's just the whole thing just a pile of shit. Like, why wouldn't you just go to the person who's doing the web and going, is everything okay or not okay? You know, like, just ask. I agree.
Tim Hwang
I mean, one fascinating story that I've been watching, which is relevant to I'm sure a lot of people who listen to your podcast, is the British privacy regulator just came out with its final report on the Cambridge Analytica scandal. Yes. Right. And I think one of the most interesting takeaways from that report was the conclusion that for all of the data Cambridge Analytica had and for all their claims of the power of psychographic advertising, it's actually unclear whether or not any of their messaging made a difference, right? And I think there's one way of looking at it, which is, okay, no harm, no foul. I actually take the other position, which is there's even more reason why we should be uncomfortable about this, right? That like it's a privacy intrusion, but it's also a meaningless privacy intrusion ultimately.
Carole Theriault
Yes. We're going to be like, you know, my parents or my grandparents used to watch World War II films all the time when I was young.
Graham Cluley
Yeah.
Carole Theriault
We're going to be those people. Watching the history of misinformation, right? The bubble that happened during our youth. This is not now, don't worry guys. Graham, maybe 10 years. Tim, me, that'll be 40, 50 years.
Graham Cluley
Thank you very much. Ouch.
Tim Hwang
Yeah.
Graham Cluley
I'm wondering if the Russians are going to go to Cambridge Analytica having read your book and want some of their money back. And say, look, this didn't work as well as we hoped.
Tim Hwang
That's right. I mean, it's relevant to, you know, it is relevant to this current discussion that we're having around disinformation. And I think a lot of the empirical evidence that we have from, say, the 2016 US presidential election is that there's a really big question as to whether or not any of this Russian interference actually influenced votes. Now, that's a different question from whether or not it's bad for democracy, corrosive to institutions. But maybe we should think about this in a way that doesn't rely on, again, advertising being this mind control, right?
Carole Theriault
Yeah, they should just be wonderful business partners to work with and align with their business views.
Graham Cluley
It sounds to me like web advertising has got a problem. People are installing ad blockers, you know, they don't like being tracked online. Maybe there's some other kind of promotion which people could do. Maybe something which an ad blocker doesn't stop, a podcast perhaps. Maybe some of that money should be redirected and siphoned towards quality podcasts. Do you think that would be?
Carole Theriault
I do. But don't you find sometimes digital ads, you know, when they're we, for example, work with sponsors, right? And we have sponsored ads where we read things out. So it's the same voices, but there's a lot of podcasts out there who have this digital kind of inclusion of ads. And sometimes the sound's way louder or the voice is very different.
Tim Hwang
And I do think the advertising industry in one way of reading their current actions, which are let's get advertising into everything else, right? Let's get it into audio. Let's get it into apps. In some ways, it's the scent of desperation, right? They want to expand their business into places that aren't being so corroded by ad blocking, ad fraud, and so on and so forth. You know, the problem though is that search and display advertising, it really is a financial rocket ship, right? We don't have anything else that scales in the same way. And so there's a question that even if these other forms of advertising, you know, are effective, are good, are free from the problems that plague the existing system, whether or not it will be enough really to kind of make up the difference.
Carole Theriault
Well, I'll tell you what, we wouldn't be able to make this show without our sponsors. You know, so that's the other side of it is there's going to be a lot of businesses and a lot of people that are dependent upon some of the funding that comes from that.
Tim Hwang
Yeah. And I think it's part of my worry too, is again, I'm not worried about whether or not Mark Zuckerberg has one less mansion, right? I am worried about— Oh my God. Yeah, I know it's very harsh of me to say that, but, you know, I'm worried about, you know, I mean, the COVID-related downturn in the media right now is a great example of this. We have an ecosystem which is so brittle that even the most apparently stable, long-standing media entities can't even retain their staff for two months of a downturn. That strikes me as a structural issue for sure that I worry a lot about.
Carole Theriault
Yeah, true that.
Graham Cluley
I'll tell you what I worry about. I worry about irritating, annoying, jarring voices coming onto our podcast and ruining everything. What's your story this week, Sweet?
Carole Theriault
Whoa, how long you been planning that one? At least 2 minutes, right? At least 2 minutes. Okay, so I'm a big fan of the old American-style hamburger, you know, like a big protein slab, right, with all the veggies and the sauces and the perfect bread bun thingy. It's a true thing of beauty. It can be. You just slap a little baby poutine on the side, and that's me, heaven.
Graham Cluley
A baby poutine?
Carole Theriault
What's a baby poutine? Poutine. Oh, poutine. Delicious.
Tim Hwang
Yeah. I was not aware of that phraseology. Oh, really? Poutine? No, that would just be crazy.
Graham Cluley
Yeah, exactly. I thought she was talking about Vladimir Putin in a nappy.
Tim Hwang
Vladimir Poutine. Yeah.
Graham Cluley
All right.
Carole Theriault
Yeah. And part of the fun of eating a burger in my mind is doing it in a bona fide diner. You know, the kind you see like there's that, you know, horrible US food show. What's it called? This beefy guy with the platinum hair. Cutting him hair, and he drives around in his little hairdresser car.
Graham Cluley
He just stuffs himself full of food. Is it Man Versus Food?
Carole Theriault
Diners, Drive-Ins, and Dives or something like that. Anyway, he goes around and meets these real proper chefs, middle of nowhere chefs, like burger joint chefs. But it's like a calling to these people. It's a craft. It's an art form making a great burger. I make a great burger. And I'll tell you what, it's like high-end art. It is. It is. One of your best guesses. My question to you, my question to you both, can robots create art? Okay, meet Flippy. Meet Flippy, the first autonomous robotic kitchen assistant.
Graham Cluley
What?
Carole Theriault
That can learn from its surroundings and acquire new skills over time.
Graham Cluley
This sounds like the kind of thing that some crazy AI expert at Google would have dreamt up. And is this your latest initiative, Tim?
Tim Hwang
Yeah, no comment.
Carole Theriault
I know what you're picturing, right? I don't want to burst your bubble here, right? Because Miso Robotics, the people behind Flippy, didn't make Flippy look like a stereotypical Burger Master, right? You're not going to confuse him with Bob from Bob's Burgers, which is about the cutest burger cartoon chef ever. But no, this is basically an arm. It's an arm on a trolley. It cooks perfectly every time and boasts 100,000 continuous uptime hours, can work a grill or a fryer, recognizes and monitors food items. Switches between cleaning and cooking. It's all cloud-based, which is really cool, and monitors and learns and complies with health standards, works with people. In other words, it's a way cheaper, way more reliable, way more efficient option to hiring a human being, it seems.
Graham Cluley
Yes, but you don't have that human touch, do you? Oh, I agree. Were you with me? Yes, I've been to the Yotel.
Carole Theriault
Right?
Graham Cluley
Oh, yes. Yes.
Carole Theriault
Yes, didn't we go and stay there because it had this huge arm that put your suitcases away?
Graham Cluley
There was a robot valet, wasn't it? It took your suitcase and went—
Carole Theriault
Yeah, Tim, you must have seen it. You live in New York.
Tim Hwang
Oh yes, I've actually, I think I've walked by it. That name sounded really familiar, but yeah, yeah, no, no, I know what you're talking about.
Carole Theriault
It's in Midtown somewhere.
Tim Hwang
I've never seen it in action, but I have wondered what the big arm was for.
Carole Theriault
Well, I hardly did as well, because while I was there, it broke down constantly, right? So you literally, there was no human to take your bags from you. You had to wait in this huge line and the thing would get stuck, or the bag was too big to go through the gap, or the thing was turned off accidentally. And it was just ridiculous.
Tim Hwang
I mean, people are always worried about robots replacing jobs, but now there's two jobs, right? There's the valet and then there's the person who has to fix the valet robot.
Carole Theriault
Now, Flippy's been around for a few years and actually made a few headlines.
Graham Cluley
Right.
Carole Theriault
Back in 2017, Lisa Vaas, who's been on Smashing Security before, she wrote on Naked Security that Flippy could literally flip 2,000 burgers a day. And back then that caused a problem because human workers couldn't keep up with it.
Graham Cluley
Oh, I see. So there are other people on the production line. Yeah. So they're flipping the burgers. Couldn't they have got it to do other things to slow it down? I don't know, trying to mine cryptocurrency or something? I'm very grateful you brought a security angle 'cause I have very little security to talk about this time. So thank you very much, Graham. Flippy isn't gonna get hacked? Flippy doesn't have a vulnerability?
Carole Theriault
Don't worry, move over Flippy, make way for Roar, the second generation Flippy.
Graham Cluley
Oh, right.
Carole Theriault
This is another robot arm, but it's on a rail. Literally letting the robot arm swoosh from cooking station to cooking station, a bit like, you know, Tom Cruise in his underpants in Risky Business sliding across the wood floor.
Graham Cluley
Well, I hope not like that. That's quite—
Carole Theriault
Kind of like that, but not really. Tom Cruise is gross. It's not my guy. He's not my guy. He's no Geoff. He's no Geffy Geoff Geoff.
Graham Cluley
There goes our chances of getting him on the podcast.
Carole Theriault
Ah, good. Don't— you're not invited.
Graham Cluley
Good.
Unknown
Yeah.
Carole Theriault
So Roar, Flippy's daddy, can prep hundreds of orders in an hour thanks to a combination of cameras, safety scanners. It can obtain frozen food and cook it without assistance from any human team member. Right. And don't worry, right? It alerts all the workers when orders are ready to be served, right? Can you just hear it? Shelley, please pick your order. Shelley, please pick up your order. Shelley, now, please. Shelley, Shelley, I'll need to tell management. Shelley, Shelley, now, now.
Graham Cluley
You say don't worry. I am worried. Where's Flippy's? Oh no, this one's raw. Where's Roar's job satisfaction coming from? One day he's gonna get fed up of flipping 2,000 burgers an hour and take over the world.
Carole Theriault
Exactly. Now listen, Roar can cook chicken tenders, chicken wings, tater tots, French fries, waffle fries, chicken sticks, potato wedges, corn dogs, popcorn, shrimp, chicken, and onion rings. That's it.
Graham Cluley
God bless America.
Carole Theriault
It's so amazing. So you have all these connected smart robots that work with hot oil and fryers connected to the internet. And I focused on Flippy and Roar and the food industry, but really there are few industries out there that aren't considering how they can robotize their services because it's cheaper, more efficient, more reliable than all us humans. And you know me, so lady doom and gloom, I'm thinking Flippy's getting a lot of press here, right? Their privacy agreement is laughably small.
Graham Cluley
Yes, but when you order a burger from Flippy, you're not giving it your date of birth, presumably, are you? You're not giving it sensitive information. All you're saying is, can I have a burger, please?
Carole Theriault
Well, okay. That's true. Maybe you're not dating him.
Graham Cluley
I don't know what you do when you go into a burger joint.
Tim Hwang
You have to log in, actually. And there's a password requirement.
Graham Cluley
Here's my phone number, says Carole. She says to the burger man.
Tim Hwang
You have to turn on two-factor authentication to just get a burger.
Carole Theriault
So anyway, I'm looking around and I'm looking for something that I've never looked for before, which was robotics and IT security. Basically, as I predicted or as I thought, robots are just like any other device in the whole wide world. So I'm saying to the robotics industry, which is obviously on a growth path right now, what with pandemic, loads of people don't wanna be maybe working in hot kitchens. Companies are trying to think, how can I keep business going? 'Cause people gotta eat. And the robotics industry is on a growth, but I say take heed, guys, take heed. As you're all chomping at the bit to get your wares out, you know, and secure all those mega contracts so you can sell up and go buy Jeff Bezos's neighboring mansion, you've got to take security seriously because you're now dealing with things like oil, like restaurants where people are hanging out. What if they start juggling the oil, for example?
Graham Cluley
Oh, oh, like Tom Cruise in Cocktail. That's the, that's the Tom Cruise movie you're thinking of now.
Carole Theriault
People are thinking, oh Carole, you're being crazy. It's not like anyone ever hacked Tesla or anything like that. It's not like anyone ever hacked anyone that actually takes security seriously and got away with it.
Graham Cluley
I think it's a fantastic idea. Let's get robots to make the food for us so that we forget how to make a decent burger. Let's give them naked flames and oil and tell them to get on with it. And let's, most importantly, let's connect them to the internet. What could possibly go wrong?
Carole Theriault
And the thing is, you can make, there's win-win on all sides. It's cheaper for the restaurant. By landslides. I think it costs $30,000 a year to run, and then you've got a running fee. So $30,000 all out and then a running fee per year, SaaS fee.
Graham Cluley
Until your restaurant burns down, of course. Yes.
Tim Hwang
Yeah.
Carole Theriault
And then the way they're taking on, you know, us folk, us people that are feeling a bit maybe a bit short in the wallet these days since work has been maybe a bit drier than it has been in previous years, they're offering the $3 burger because they can afford to do that because they don't have to pay staff.
Graham Cluley
I think you're thinking too small, Carole. I think getting robots to make all these burgers isn't good enough. I think we need to start making robots to eat the burgers for us. Why should we have to get up and go to a burger joint? Why can't we get a robot to do that for us?
Carole Theriault
I always wonder if they have funny voices or if they talk, right? Because I had Waze on my phone for a bit, which is kind of bought by Google now. Oh, thanks, Tim. He's not there anymore.
Tim Hwang
Yeah, to be clear, I don't work at the company anymore.
Carole Theriault
I know, but I'm just, you know, you're just going to be our—
Graham Cluley
Everyone makes mistakes.
Carole Theriault
And on my Waze, right, it was my GPS to get me from A to B. I used to put it into Elvis mode and there would be some, right? So I'm imagining these robot arms, people are going to get bored of them and they're going to want them to have better personalities. And then you're going to hear, you're going to hear, you know, maybe you'll have Graham in one of the arms.
Graham Cluley
I don't think if you've got Elvis the robot making the burgers for you that you're actually going to get more burgers delivered to the customers. I think Elvis will be consuming them.
Tim Hwang
The robot will feed itself, then it's perfect. Yeah.
Carole Theriault
Okay. We better stop before we go and descend further into the pit of crazy.
Unknown
Yeah.
Graham Cluley
Smashing Security is sponsored this week by Recorded Future. They empower organizations revealing unknown threats before they impact a business, helping teams respond to alerts 10 times faster. Recorded Future does this by automatically collecting and analyzing intelligence from technical, open web, and dark web sources. Well, you too can access the up-to-the-minute security intelligence that allows Recorded Future clients to make fast, confident security decisions by installing their free browser extension, Recorded Future Express. Go and grab it now at smashingsecurity.com/recordedfuture.
Carole Theriault
This episode of Smashing Security is also sponsored by Immersive Labs. They have created a free ebook.
Graham Cluley
This episode of Smashing Security is sponsored by LastPass. Now everyone knows about LastPass's password manager for end users, but it's also a great solution for businesses. In fact, tens of thousands of companies rely upon LastPass to protect themselves.
Carole Theriault
It's called Aligning Cyber Skills to the MITRE ATT&CK Framework. The idea behind this free ebook is it gives you a guided tour of how the MITRE ATT&CK framework can totally simplify and strengthen your cybersecurity security skill strategy.
Graham Cluley
LastPass Enterprise simplifies password management for companies of all sizes and helps you secure your workforce. So whatever the size of your business, go and check it out. Go and visit lastpass.com/smashing to find out more.
Carole Theriault
It literally is a go-to framework. Learn more at immersivelabs.com/smashing.
Graham Cluley
And thanks to LastPass for supporting the show. And welcome back. Can you join us on our favorite part of the show?
Carole Theriault
And thanks to Immersive Labs for sponsoring the show.
Graham Cluley
The part of the show that we like to call Pick of the Week.
Carole Theriault
Pick of the
Graham Cluley
Pick of the Week is... This is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
Carole Theriault
Week. Pick of the Week. Better not be.
Graham Cluley
Well, my pick of the week this week is not security-related, but of course we've all been having the strangest year imaginable, have we not? Our lives have been turned upside down. And one of the things that some people are missing, well, I wonder if you chaps are missing it as well, is flying. Do you miss getting in an aeroplane and pootling around?
Carole Theriault
Oh yeah, that was the highlight of my life.
Graham Cluley
Was it?
Carole Theriault
Oh yeah, no, I loved that. I loved flying over to Vancouver from the UK on the 11-hour flight over. So awesome. You have this little mini TV and this tiny little chair and yes, awesome.
Graham Cluley
Well, well, Carole, do not fear.
Unknown
Okay.
Graham Cluley
Because there is a new, I guess you can call it a game. It's a flight simulator. It claims to be the most accurate flight simulator that you have ever experienced. It's called Airplane Mode, and it delivers all the thrills of a real-time, 6-hour commercial airline flight.
Unknown
What?
Graham Cluley
In coach class. In coach class. But you do have a window seat. So what this does, you know, in a normal flight simulator, it assumes you're the pilot. But it's not like I'm missing being the pilot, right? Because I never sat in the front. They never let me do that. No, Airplane Mode recreates the monotony of sitting in a cramped seat with rubbish food in real time. So you can travel for 6 hours between, I don't know, JFK in New York near you, Tim, to Reykjavík. Or you can go on a two-and-a-half-hour journey from JFK to Nova Scotia.
Carole Theriault
For people that are missing their old cosmopolitan lifestyle.
Graham Cluley
Some people loved all that, right? And once you're on board with this game, there'll be random delays, turbulence, bad Wi-Fi, occasional screaming babies. You can look— you think I'm joking? This is for real. It's real. I'm going to put—
Carole Theriault
How long did you play it for? Honest, honest pinky swear.
Graham Cluley
I haven't actually played it yet, but I've seen it costs under £10 on Steam. I'm going to put a link in and I'll—
Carole Theriault
Oh, right. You're not willing to spend the tenner, but you're hoping our listeners should spend the tenner for you, you cheat.
Graham Cluley
Well, you can, if you get bored after a couple of hours, you can start exploring the pocket on the back of the seat in front of you. And it's got an airport airline information card, flight safety video, you can watch in-flight magazine, you can order booze. Now there's a slight problem because this simulation, it seems, from what I've read, it suffered from some bugs.
Unknown
Oh God.
Graham Cluley
Which means that on some PCs, airplane mode has literally been crashing, which hopefully isn't the kind of thing which would happen in real life.
Carole Theriault
It's not a very
Graham Cluley
It's not a very fun joke. It's true. There's bugs in it. But other than that, they're working on the bugs. It just happens on some PCs.
Carole Theriault
But they're still collecting a tenner.
Graham Cluley
But they're still collecting a tenner. You can follow the developers up on Steam. And there's a video as well. I've linked to a video if you want to find out some more.
Carole Theriault
fun joke, Graham. I like the screenshot you put in of the tray food meal. I might actually make that my phone backdrop.
Graham Cluley
Is that?
Carole Theriault
Just that tray, the pixelated tray of the shitty croissant and the shitty peas and the shitty salad with the shitty fricking water.
Tim Hwang
I was gonna say it won't be the same without actually having a ginger ale and some terrible pretzels.
Carole Theriault
Yeah, that's right. The worst pretzels on Earth.
Graham Cluley
But you know, there are people who really love flights.
Unknown
Who?
Graham Cluley
No, there are.
Carole Theriault
Name me one.
Graham Cluley
You remember when we weren't allowed to fly places, right? We weren't allowed to fly to America, whereas now we don't allow Americans to fly to us. But they had some flights which were just going over the Bay of Biscay and back. So they'd take off from Heathrow, go around a little bit, and then come back. And some people would book these things just because they enjoyed going on a flight. It wasn't to be in the front. So I think for them, this might be the perfect COVID-safe way of experiencing an airplane flight. So my pick of the week is the game Airplane Mode. I haven't played it, but maybe some of you can tell me what it's like.
Carole Theriault
You are outrageous.
Graham Cluley
Well, no, I don't have to have played it. I just find it amusing. Amusing is enough for me, and it tickled me enough to make it my pick of the week. So there you go. Tim, what's your pick of the week?
Tim Hwang
My pick of the week is very, very, very not security related. It's a little bit of an odd story that I'm not sure even if it's well known within Britain, but around the 1930s, there was a family in the Isle of Man that claimed to be haunted by a talking mongoose named Gef. And my friend told me this story, and the Wikipedia page is incredible, and I suggest anyone check it out. But a number of years ago, the MIT Press put out a book which is an exhaustive investigation of the talking mongoose, and the book is entitled Gef! The Strange Tale of an Extra Special Talking Mongoose.
Carole Theriault
Brilliant. Now, can you give us any highlights? Is it funny if you ever looked at this?
Tim Hwang
It's exhaustive. It's very detailed. But yeah, it's a very strange story. Apparently multiple investigators went to the Isle of Man and confirmed that there was, for a period of time, a "talking mongoose" or "man weasel," as it was referred to in the British papers at the time. And it's still unresolved, and the author actually went to go investigate it. And it's sort of a paranormal investigation story, but probably in the most absurd way possible.
Graham Cluley
So I haven't read the book, because you've only just told me about it, but I've just checked out the Wikipedia page, and it looks very interesting. Gef, this mongoose, sometimes assumed the role of a cat.
Tim Hwang
Yes. Yeah, it was a shape-shifting mongoose.
Graham Cluley
Right. Well, all the best kind of talking mongooses are.
Tim Hwang
That's what I would expect, actually. Yes. It's typical in these cases.
Graham Cluley
Yeah. And the owners of this house used to feed it biscuits and chocolates and bananas. And they would—
Carole Theriault
Isn't it weird that MIT spends funding on such a thing?
Tim Hwang
I mean, they must be cutting-edge research.
Graham Cluley
You know what I like. This looks absolutely fascinating. Well, I think that's a good pick of the week, Tim. Have to look into that some more. Carole, what's your pick of the week?
Carole Theriault
All right. Well, mine's a little bit adulty. So you kids or you people that are a little uncomfortable, turn off now.
Graham Cluley
You mean it's dirty? Do you mean adult as in rude?
Carole Theriault
Might be.
Graham Cluley
Smutty.
Carole Theriault
So this is really for all those about you that have a daily commute still. And you want it to be a little more exciting, a little more risqué. And for you, I would suggest a podcast, not Sticky Pickles, which you've already subscribed to and you're planning to—
Graham Cluley
Sorry, what is Sticky Pickles? I'm not quite aware of what Sticky Pickles is.
Carole Theriault
It's a podcast that, you know, guest of the show Anna Brading and I do. It's the second podcast. Where we discuss sticky dilemmas.
Graham Cluley
Oh, excellent.
Carole Theriault
And watch the other person try and wiggle out of them. What, in first class?
Tim Hwang
It's great.
Graham Cluley
So you're not recommending Sticky Pickles again this week? Not this week, because I did it last week.
Carole Theriault
Right. But I'm obviously— you know, I slipped it in there, didn't I?
Graham Cluley
Right.
Carole Theriault
Get what I see. But this is another one. This one has a much more celeb-y main voice, that of Demi Moore. Now, I think I've got a pretty good radio voice, but I bow at the voice prowess of the Lady Demi Moore. And it's just, how does she craft that voice? The podcast is called Dirty Diana. It's from Q Code. And Diana is played by Moore. It's also— she produces it. And Diana's a little frustrated. Home life's a bit shit. Work life's a bit shit. And she's kind of— I know she sounds like a bit of a control freak. So, of course, to escape from her carefully curated life and dying marriage, Diana secretly runs an erotic side hustle where she meets and records other women's intimate and often a little more fantasy these. Now, I can't say it's not rude.
Graham Cluley
Clearing your throat. What was that?
Carole Theriault
Well, look, after 3 minutes of listening to the first episode, I was blushing. Oh, but in order to give you guys a proper endorsement, unlike Graham, I forced my way all the way to the end. I actually freaking listened to all of it.
Graham Cluley
I don't think I'd make it to the end of this. Correct. Last a couple of minutes.
Carole Theriault
I was beet red without— The storyline's very good, the acting's very good, the pace is very good, and it's dirty. And it will definitely give your commute a je ne sais quoi.
Graham Cluley
Sorry, can I just clarify? Are you actually just promoting porn now on our podcast? Is that what this is? Audio porn from Demi Moore?
Carole Theriault
Tim's being very quiet.
Tim Hwang
This took an unexpected turn.
Carole Theriault
Anyway, so— So my dirty pick of the week. Did you see that in our YouTube thing? Someone called it pick of the week. Someone, some of the commenters, with Ds, which I really liked. Anyway, so my dirty pick of the week is Dirty Diana, a podcast from Q Code. Check it out if you dare.
Graham Cluley
On that filthy bombshell, I think it's time to go to our featured interview, which this week is with that chap from Recorded Future, isn't it?
Tim Hwang
Levi Gundert.
Carole Theriault
Yes, guys, this is really interesting. Seriously, you're going to love it. You're going to love it. Listen up. So Levi Gundert, or Gundert, right? Well, how do you— what do you say? What do you say if you were being asked your name? I don't know, say in English.
SPEAKER_03
I think in England, I go with the Americanized version. It's Gundert. But if I'm in Germany, I think it has to be sort of that hard guttural Gundert.
Carole Theriault
Well, Levi Gundert is a senior vice president of global intelligence and a pod god for Recorded Future. My first question is global intelligence of what? So what does Recorded Future do? Just give us a bit of background, would you?
SPEAKER_03
Yeah, absolutely. So I have to tell you this story really quickly because I find it amusing. So we were in— I was in London last year with Recorded Future doing a bit of work in our London office, and I was fortunate my family came with me. And I have three sometimes charming children. And we were sitting there one night at the table after work, and we were playing cards, and I had a business card sitting on the table. And my 9-year-old, he reaches over to grab a card off deck and he looks at my business card and he stops sort of frozen. And all of a sudden he yells and he goes, you're the senior vice president of global intelligence? And I was, yeah, that's my title, dude. That's what I do.
Carole Theriault
In charge of the entire world. Boy, he's in for a disappointment. But you know what? He still has respect because Recorded Future does some cool stuff. Tell us a bit about the cool stuff you guys do.
SPEAKER_03
Yeah. So when you think about threat intelligence, I think the best way to think about it is if you want really up-to-date, real-time news on financial markets, you go to a Bloomberg terminal. And the coolest thing about Recorded Future is it's a product. So it's software as a service, or SaaS as we like to say in inside speak. And it is real-time threat intelligence for the world, just like Bloomberg is for financials. It's very much what Recorded Future is. And so we take all kinds of data, unstructured data, structured data. And we do sourcing and collection of it, aggregation of it, analysis of it to really present something that's very consumable and very easy to do something with. And we do that through a product. And so it's really from the inception of Recorded Future, some very smart guys in Sweden with PhDs got together and figured out the technology behind it. But in the end, it's really this incredibly powerful product that brings threat intelligence to hundreds and hundreds of clients around the world that need that to be able to better secure their organizations and ultimately reduce risk.
Carole Theriault
So what would be a typical client when they come to you at the first time and they've heard about you? What kind of questions, what are they asking for from you? They're like, we don't know what's going on and we want to know before it happens.
Tim Hwang
Is that kind of the kind of question you might ask? If we sort of understand how a phishing attack works, then when we see one that shows up in our inbox and purports to be from Apple or Netflix or whatever it may be, we sort of understand when there's something misspelled in the email that, oh, that's a phishing attack and we delete that and move on. Well, for companies, there's so much exposure. They have so many technical assets and they're continuing to build out digital transformation strategies that sort of expand the technology landscape. And with that comes increased exposure and increased risk. So the whole point with threat intelligence is being able to be proactive, to understand how adversaries and actors operate so that you can sort of make the countermove right before the attack actually happens. And that's really philosophically the whole point behind threat intelligence. And it's really become so critical vertical. We have so many clients now at Recorded Future that it's sort of industry vertical agnostic. We have clients in food and beverage, we have clients in aviation, in public sector, in healthcare, financial services, because everyone understands that it's table stakes. So regardless of what you do and the widgets that you produce, security becomes a very basic requirement to actually be able to run any sort of business these days.
Carole Theriault
Can I ask maybe a contentious question?
Tim Hwang
I love contentious questions. Let's go there.
Carole Theriault
Okay. So let's say my digital space that I want to protect, whatever that may be, if I compare it to my house and I think about my house being under threat and people keep telling me threats are coming, threats are everywhere, but they don't tell me whether it's coming by air, through the window, via the front door, via my back garden, whatever. So I'm constantly building fences and alarms and having floodlights everywhere to try and protect me from an unknown unknown. But if you have the intelligence to know, look, there's a guy in your neighborhood, he's coming through windows that are left open, watch yourself. That information can make your job way easier as a homeowner. So my contentious question is, are people actually coming to you to really simplify their job? Because maybe they just need a little break, right? Because they're going to know where to look with the information you give them.
Tim Hwang
Yeah, it's a good analogy. And I think if we wanted to play that out, really what businesses are dealing with today is an army of people that come down the street at night and they try every door on your car, they try every door and window on the house, and that's sort of one wave, right? And then there's a second wave or third wave of people that come down the street, and there's less of them, but they're more advanced. And so they will open a storm sewer grate and put an amphibious drone in there, and it will follow some pipes and pop up out of your toilet in the bathroom. I think as you say in the UK, the loo. And it will steal something or it will spy on you, and you won't necessarily know it's there. So, the problem is the volume of threats and the volume of actors that perpetrate those threats only increases. And so, it is really for companies to try to understand, yes, we understand that people are testing the doors and testing the windows, but it just goes so much further than that. The complexity with which and the speed with which adversaries move means that if you don't understand those tactics, you don't understand the tools and infrastructure they're using, that they're using drones, that they're using crowbars, that they're using other types of technology, then it becomes very hard to think about how you're actually going to defend against it.
Carole Theriault
Well, yeah, how can you build a strategy if you don't know what you're dealing with? Makes perfect sense. Yeah. Do you mind if we switch gears to The Record?
Unknown
Oh, please.
Carole Theriault
So for our listeners, The Record is this news site from Recorded Future. What's your strapline? How do you—
Unknown
Yeah, so it's an independent media property is the official label for it. And the address is therecord.media. Adam Janofsky, he is the editor-in-chief. And I'm a huge fan of Adam. We actually do a podcast together. The podcast is called Off the Record. And I'm having a lot of fun doing that with Adam. We're co-hosts. And we have a ton of fun. But the real work that Adam's doing is on The Record. And as I said, it's really an independent property and Adam is really looking at new and unique takes on security events. And a lot of it is supported by Recorded Future in terms of analysis and some of the researchers we have within the team at Recorded Future. But it is very much its own vehicle. Cool, and it's very exciting.
Carole Theriault
You should be super proud of it. No, I did a similar site. This is hot. You guys are talking about topics that we wouldn't have touched with a 10-foot pole, and that's really exciting. And I think it's also because you've got some serious journalist backbone behind it, don't you?
Unknown
Yeah, you guys did a great job with Smashing Security, and I think it's very much in that same vein.
Carole Theriault
Well, thank you. We had a good time. We didn't sleep a lot, but we worked hard.
Unknown
Naturally. No, of course, it comes with the territory. But you put out a great product, and I think, you know, it very much was sort of trailblazing. I think for Recorded Future, we realized that there are a lot of stories that need to be told, but we can't always use PR firms and we can't always be pushing on media companies to necessarily align with what we think is important. So Adam is independent, but he is looking for those angles and he is looking for the unique stories to tell. I think it's just a great opportunity. And yeah, it's very exciting.
Carole Theriault
So tell me some stories that you guys are focusing on.
Unknown
We do talk a lot about ransomware on the podcast because ransomware has just been so top of mind for CSOs and really even CEOs because of the potential for loss and disrupting operations. So, you know, that is one topic that's really not going away. And we've sort of seen this whole ecosystem develop around ransomware. Where they're not just locking systems and encrypting data, but of course stealing data and trying to ransom the data or even engaging in these denial of service attacks where they try and take a site or a company network offline. So it's really become this full ecosystem and it's sort of interesting, not just looking at the responses that businesses are taking in terms of, do we pay the ransom? And that really is a business decision. But also all the actors and adversaries that are sort of selling what we call unauthorized access into these companies to begin with, or hacking these companies and then selling it to people that then push their ransomware. So it's kind of been this whole ecosystem development over the last 18 months that we've really been exploring quite a bit.
Carole Theriault
So can we touch upon politics maybe? Because you guys are pretty brave in terms of what topics you'll talk about. So we have some serious elections coming up in the US particularly, and we are getting the question at Smashing Security, people asking like, how do I know, like, you know, what should I look out for? I know that bad guys are going to try and disrupt this.
Tim Hwang
Yeah. So obviously it's a pretty big deal here in the US. And we know that what we call the Big Four—so Russia, China, Iran, North Korea—3 of those 4 have a pretty determined interest in some sort of disruption of election. And it's really hard. And I think I actually am going to turn the question around to you a little bit because I love to ask reporters especially, how do consumers of news, how do they do any sort of validation when they're looking at a social media post and they click on the link to look at the story? How do they know it's valid? How do they know that it's actually factually based and that it doesn't contain deepfake images or a completely fabricated story?
Carole Theriault
I agree with you. I think it's really—I think it's near impossible. I mean, whilst not formally, over two decades of working in the industry, I feel I've got a pretty good nose for that sort of thing. And I'll still get caught out in terms of finding a news post, getting clickjacked. The headline gets me and the graphic looks very similar to graphics that might be used on say something like The Economist or the BBC or something—you know, one of the places I might go to. And I won't check the URL because I'll be like, "Ooh, ooh, this looks hot." And then there I am in it reading some garbage. So the average user, it scares me to death when I watch them on a computer. If I work with—you know, I have a book club, right? And there's a lot of more senior people in the book club. And, you know, we do a lot of tech support for that book club. And I love saying, "Just show me how you work for a bit. Just show me how you go about, do your online shop." And just watching them, you know, flail around with the mouse and hitting the wrong things and not realizing that that has impact is very scary. But hey, they're filling their house with IoT tea, right? So because it makes life more convenient. So there's this real push-pull right now that's happening.
Tim Hwang
Yeah, it's so true. That is so true. And I think there is that tension between we want everything now and we want it to work and we want it to be tailored, but we're also starting to realize that we need a little privacy too. And, you know, Apple lately has been on a real ad campaign kick, you know, touting the privacy features of their hardware. And I think it does resonate with a lot of people. And right now with the election, disinformation and information operations are a very real thing. And we learned this 4 years ago. And Russia in particular is very adept at not just generating fake content that they're then very good at propagating, but they're also very good at jumping on existing threads, whether it be some sort of conspiracy theory or whether it be completely fabricated. They are very good at taking that and amplifying it, especially within social media circles. But the other interesting thing we've seen at Recorded Future is that criminals are also getting in on the game. So it's not just actors that receive, for lack of a better word, a Russian government paycheck through one means or another. It's actually criminals acting on their own that recognized that disinformation is actually a capability that they can sell to businesses that want to essentially throw shade on a competitor. And we have actually done the research and we've actually seen the results. And it is incredible. I mean, they will write articles, they will get in place with media outlets and publications. They will get the advertising done. They will get the social media propagation done. They can do deepfake videos and images.
Carole Theriault
Yeah.
Unknown
And I, you know, this is the fun right here.
Carole Theriault
It's a machine. Yeah.
Unknown
The fact of the matter is you have to be careful about what you read and what you view in terms of internalizing it. You know, you have to do the due diligence to question everything. And unfortunately, that's the new reality. Fortunately, you're doing this podcast and I think podcasts are great because it's an opportunity to actually talk and think and offer perspectives, and it's not the 30-second soundbite, you know, and it's not designed to be consumable and propagated through social media.
Carole Theriault
And you can change your mind. Like in the last podcast, I changed my mind. My immediate reaction to the end of the story, I actually went, you know what, I've changed my mind. Like, you know, you've made really good arguments, and I was able to do that in a period of 10, whatever, 15 minutes. And that's so refreshing.
Unknown
It's good you're not a politician.
Carole Theriault
Oh no, God, thank God. I think the world is grateful as well. Levi Gundert, I've had a really lovely chat with you. Thank you so much for coming on Smashing Security.
Unknown
Oh, this has been great. This is fabulous. Thanks so much for the time.
Carole Theriault
Now, listeners, you know what to do. You should, one, check out Recorded Future's free Express browser extension, which you can find all the information at smashingsecurity.com/recordedfuture. If you want to read the Recorded Future blog, check out therecord.media. And lastly, check out Levi's podcast, Off the Record, wherever you get your podcasts. So you're going to give us the real juice then on the podcast?
Unknown
Yeah, I think we try to. I mean, we do. Adam and I, you know, we try to open the kimono a little bit in terms of sources and methods and some of the things you don't necessarily see.
Carole Theriault
I've subscribed. I listened to a few in prep to chat with you, and I was like, this is good, I'm in. So you've got definitely one more listener.
Unknown
Oh, thank you. Coming from you, that's a huge compliment for a very fly-by-night operation.
Carole Theriault
Oh, you're smooth. Now, who's funnier, Graham or me? I just keep asking everyone.
Unknown
That's an unanswerable question, but I think that you both as a tandem and a tag team do a wonderful job.
Carole Theriault
Oh, wimp.
Graham Cluley
That was very good, Carole. That was— I quite enjoyed it.
Carole Theriault
You sound surprised.
Graham Cluley
No, I'm surprised that you tried to goad him into saying who was his favorite co-host of Smashing Security, and he wussed out.
Carole Theriault
He's so slick.
Graham Cluley
Now, that really does just about wrap it up for this week. Tim, I'm sure lots of our listeners would love to follow you online, find out more about you, and indeed read your book as well, Subprime Attention Crisis: Advertising and the Time Bomb at the Heart of the Internet. Where should they go to find out more about you and to check out the book?
Tim Hwang
Sure, absolutely. So I'm most active on Twitter, and so I'm @TimHwang, T-I-M-H-W-A-N-G, if you'd like to find out more about the book and see random tweets about talking mongooses.
Graham Cluley
Fantastic. And you can follow us on Twitter as well, @SmashingSecurity, no G. Twitter wouldn't allow us to have a G. And also we have a Smashing Security subreddit. And don't forget, if you want to be sure never to miss another episode, subscribe in your favorite podcast apps such as Apple Podcasts, Spotify, or Pocket Casts.
Carole Theriault
Yeah, and question for you all, should we have a Discord? Should we? Hip wiggles to all of you fabulous listeners while you think about that. Thank you for listening to us each week, supporting our work, sharing with your friends, etc. Of course, shout out to this week's Smashing Security sponsors: Recorded Future, Immersive Labs, and of course LastPass. Their support helps us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
Graham Cluley
Until next time, cheerio, bye-bye, bye-bye, goodbye.
Carole Theriault
Do you know, Clue, what's your sexiest voice, Graham?
Graham Cluley
My sexiest voice? That's the one I've been using for the last 58 minutes. What do you mean, what's my sexiest voice? This is as sexy as it— Seriously, I can't turn this on any more than it already is.
Carole Theriault
Okay, so this is on.
Tim Hwang
It's almost too much.
Graham Cluley
Thank you. Thank you, Tim.
Carole Theriault
I think I tap into mine when I do my Cher impression.
Graham Cluley
What, when you turn back time? Yeah.
Carole Theriault
If I could turn back time. See, sexy.
Graham Cluley
So was that me or was that you doing that voice?
EPISODE DESCRIPTION:
The Darkside ransomware gang thinks it's a modern-day Robin Hood when it donates extorted Bitcoins to charity, the micro-targeted ad industry could pop like a bubble, and would you trust a burger-flipping robot?
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Tim Hwang.
Plus don't miss our featured interview with Recorded Future's Levi Gundert.