Listen early, and ad-free!

202: The Wu-Tang Clan are Among Us


Voting machines are under the microscope, scammers are posing as rap stars, and American politician AOC isn't the only one who's been getting into the Among Us game.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by James Thomson.

Plus don't miss the first part of our featured interview with LastPass's Dalia Hamzeh.

Visit https://www.smashingsecurity.com/202 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guests: Dalia Hamzeh and James Thomson.


This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



CAROLE THERIAULT. Hi everybody, Carole Theriault here. This is a shout out from all of us at Smashing Security. That's Graham Cluley and I to all of you Patreon supporters for supporting us. It's amazing. This week, special mention goes to Jonathan Bowen, Jamie Schwendinger, Will Costin, John Nicholas, Richard Anand, Marvin 71, Stuart Settliff, Amber, Simon Yacan, and the hilarious I come from a land down under where beer does flow and men chunder. So thank you all for your support. It means the world. If you want to join these hilarious Patreon supporters, everything you need to know is on smashingsecurity.com/patreon. And know that we welcome you with open arms, socially distanced Go-Go-Gadget arms. Okay, let's get this show on the road.


GRAHAM CLULEY. Do you actually know what Wu-Tang means, as in the Wu-Tang Clan?


CAROLE THERIAULT. You can't say the word, can you? Wu-Tang Clan.


GRAHAM CLULEY. Yes, I'm saying that correctly.


CAROLE THERIAULT. It sounds like you're saying Wu-Tang Clang.


GRAHAM CLULEY. Oh.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Oh no, but it has a G on the end.


CAROLE THERIAULT. No, it doesn't.


GRAHAM CLULEY. Yes, it does. It's Wu-Tang Clang.


CAROLE THERIAULT. Right.


JAMES THOMSON. No, no, no, Clang doesn't have a G on it.


GRAHAM CLULEY. Clang, Clang, okay, Wikipedia. Wikipedia.


JAMES THOMSON. Okay.


GRAHAM CLULEY. Jeez, we're trying to do a podcast here.


JAMES THOMSON. Wu-Tang Clan.


GRAHAM CLULEY. Oh, shit. Thank you.


CAROLE THERIAULT. Thank you very much.


UNKNOWN. Smashing Security, Episode 202: The Wu-Tang Clan Are Among Us, with Carole Theriault and Graham Cluley.


GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security, Episode 202. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And we're joined this week by a special guest, aren't we, Carole?


CAROLE THERIAULT. Yes, we are. Very good friend of mine and brainiac and regular on the show, I'd say, Mr. James Thomson.


JAMES THOMSON. A friend of Graham's too, one would hope. But yes, hello.


GRAHAM CLULEY. Hello, James. So, James, you're stuck out in Slovakia. Well, I say stuck out, you actually live there, don't you?


JAMES THOMSON. I do, yes.


CAROLE THERIAULT. Yeah, but you're in lockdown right now, aren't you?


JAMES THOMSON. Well, yeah, it's a kind of half-assed lockdown where you're allowed to go to the shops and go to work and primary schools are still open.


CAROLE THERIAULT. Do all the shit stuff, but none of the fun stuff.


JAMES THOMSON. Yeah, exactly.


CAROLE THERIAULT. Yeah.


JAMES THOMSON. Everything's shut at 5 o'clock in the afternoon.


CAROLE THERIAULT. Well, thank God for us then.


GRAHAM CLULEY. We've livened up your day, haven't we?


JAMES THOMSON. You have. Thank you.


GRAHAM CLULEY. Carole, what's coming up on the show this week?


CAROLE THERIAULT. First, let's thank this week's sponsors, Recorded Future, LastPass, and Immersive Labs. Their support helps us give you this show for free. Now, coming up on today's show, Graham regales us with a story of scammers pretending to be rappers. James talks election voting machines, and I ask what politicians are doing on gaming platforms. Also, we have a fab interview with LastPass's Dalia Hamzeh. She's new to the show. She's a security engagement manager, and she talks frankly about how she got into security and gives us a few fresh ideas on how we can communicate it to others. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, we've all heard of identity theft, haven't we? We're all familiar with that?


CAROLE THERIAULT. No.


GRAHAM CLULEY. No? Never?


CAROLE THERIAULT. No. Have we talked about it before?


GRAHAM CLULEY. It was a rhetorical question. I wasn't really expecting you to answer. Oh, oh right.


CAROLE THERIAULT. I'll just shut up.


GRAHAM CLULEY. Sorry. In an untrue way. No, you can jump in if you want, Carole. But of course, identity theft's when someone pretends to be someone they're not with naughtiness and fraud in mind. But have you ever heard of people pretending to be a rap band? People who might pretend to be a rock group or some sort of artiste, but in fact they're not really seen the real thing.


CAROLE THERIAULT. No, have you?


GRAHAM CLULEY. Yes, I have, and I'm going to tell you about some right now.


CAROLE THERIAULT. Oh, okay, here we go.


GRAHAM CLULEY. I'm going to tell you about a couple of chaps. One of them, his name is— and these are their real names— Aaron Barnes-Burpo. Come on, it's very juvenile to laugh at somebody's name.


JAMES THOMSON. I'm sorry, Graham, that is not anybody's name.


GRAHAM CLULEY. It is. Aaron Barnes-Burpo. And Walker Washington. And these two chaps got into a little pickle. They got themselves into a sticky pickle because—


CAROLE THERIAULT. TM Carole Theriault.


GRAHAM CLULEY. What they found themselves doing was they rented a Rolls-Royce Phantom limousine. And having rented this Rolls-Royce Phantom limousine for a not inconsiderable amount of money— in fact, they actually spent nearly $60,000 renting this Rolls-Royce Phantom limousine.


CAROLE THERIAULT. For how long? Well, I'm—


JAMES THOMSON. Do you know, I've actually been in a Rolls-Royce Phantom limousine before.


CAROLE THERIAULT. Yes, I have.


GRAHAM CLULEY. Was it with a couple of rappers?


CAROLE THERIAULT. A mutual friend of James and mine once came to my work and picked me up because he's a car journalist.


GRAHAM CLULEY. And—


JAMES THOMSON. Oh, I think I know who that is.


CAROLE THERIAULT. Uh-huh. And we went for lunch. And inside the logbook, it had already been driven by someone like Sophie Dahl. And Robbie Williams had rented it the week before.


GRAHAM CLULEY. Oh, I hope he cleaned up afterwards.


CAROLE THERIAULT. Yeah, I'm up with the big crew.


JAMES THOMSON. This is the kind of company we move in.


CAROLE THERIAULT. That's right.


GRAHAM CLULEY. Very impressive. Well, on this particular occasion, it was Messieurs Barnes-Burpo and Washington who took this limousine.


CAROLE THERIAULT. I would love to see their name in the book.


GRAHAM CLULEY. Well, that's interesting. Yes. What name would they put in the book? Because what they did was they pretended to be other people because they used other names. One of them pretended to work for Roc Nation. James, you're down with the kids. Are you familiar with Roc Nation? The music company run by Jay-Z?


JAMES THOMSON. I am as unfamiliar with Roc Nation as I am with Aaron Barnes-Burpo.


CAROLE THERIAULT. James is very aware of Huey Lewis and the News. Other than that—


JAMES THOMSON. No, those heights have never been scaled since.


CAROLE THERIAULT. That's right.


GRAHAM CLULEY. Well, maybe you are more familiar with the Wu-Tang Clan. The Wu-Tang Clan, one of the—


JAMES THOMSON. Is that like the Wuhan Clan? Is that—


CAROLE THERIAULT. No.


GRAHAM CLULEY. No, it's— Do you actually know what Wu-Tang means? As in the Wu-Tang Clan?


CAROLE THERIAULT. You can't say the word, can you? Wu-Tang Clan.


GRAHAM CLULEY. Yes, I'm saying that correctly.


CAROLE THERIAULT. It sounds like you're saying Wu-Tang Clang.


GRAHAM CLULEY. Oh.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Oh no, but it has a G on the end.


CAROLE THERIAULT. No, it doesn't.


GRAHAM CLULEY. Yes, it does.


CAROLE THERIAULT. Oh, well, not in your notes.


GRAHAM CLULEY. Well, you shouldn't be reading my notes. It has a G on the end. At first, I thought it didn't have a G, but it has a G. It's Wu-Tang Clang.


JAMES THOMSON. No, no, no. Clang doesn't have a G on it.


GRAHAM CLULEY. Klang, klang, da. Okay, Wikipedia.


JAMES THOMSON. Wikipedia. Okay.


GRAHAM CLULEY. Jeez, we're trying to do a podcast here. 202 episodes. And now, is anyone else looking?


JAMES THOMSON. I'm looking. Wu-Tang Clan.


GRAHAM CLULEY. Oh, shit.


JAMES THOMSON. Thank you.


CAROLE THERIAULT. Thank you very much. This is where you say you were right, Kroll. I apologise.


GRAHAM CLULEY. You were right. What's confused me is that Tang has a G in it.


CAROLE THERIAULT. Yes, I— yes, I— yes. Wu-Tang Clan.


JAMES THOMSON. Yeah.


GRAHAM CLULEY. Okay, do you know what Wu-Tang means?


CAROLE THERIAULT. Wu-Tang? No.


GRAHAM CLULEY. Witty, unpredictable, talent, and natural game. So if you ever hear of the Wu-Tang Clan, that's what they are. Now, I'm quite familiar with these two, right? These two.


CAROLE THERIAULT. Sounds it.


GRAHAM CLULEY. I'm quite familiar with this group. And I'm a big fan actually of the Wu-Tang Clan, which people may not realise. I meant— I meant— The good old days of Method Man and Ghostface Killah and Inspectah Deck. Remember that? James, remember Masta Killa?


JAMES THOMSON. I have no idea what you're talking about.


GRAHAM CLULEY. And they haven't been the same since Ol' Dirty Bastard passed away, have they?


JAMES THOMSON. Oh no, no, of course, now you mention him.


GRAHAM CLULEY. Yeah. Well, many's the time I've put Fishscale on my decks and recognised the influence of big— Hang on, I'm sorry.


CAROLE THERIAULT. On your decks?


GRAHAM CLULEY. I'm reading this piece of paper. The influence of Big Daddy Kane. On their art. I'm lying, of course. I know nothing of the Wu-Tang Clan. My wife, however, does. I said to her, I'm going to be talking about the Wu-Tang Clan later. And she said, that's not how you say the name. But she did say that she had some of their CDs and she's regularly bopping around, jumping up and down like Zebedee, reeling off. And she told me some names of their famous songs. Like she said, there's a really good one, she said, called Dogshit. Anyway.


CAROLE THERIAULT. Did you listen to this Dogshit song?


GRAHAM CLULEY. She did play a little bit of it. It was like a rap, so it's not really my cup of tea.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. But Aaron Barnes-Burpo and Walker Washington.


CAROLE THERIAULT. Is that why you chose to tell this story, just because of their names?


GRAHAM CLULEY. They were arrested in February this year, right? And charged with conspiring to commit wire fraud and aggravated identity theft, presumably the aggravated identity theft of pretending to be the Wu-Tang Clan.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Now, you know how sometimes they say a crime is aggravated? Like, what is an aggravated identity theft?


CAROLE THERIAULT. I've never heard those two words together.


GRAHAM CLULEY. Have you not? Have you never heard of, like, an aggravated robbery or something like that?


JAMES THOMSON. Aggravated assault.


CAROLE THERIAULT. Yeah, aggravated assault. But aggravated identity theft. What do they do, rip off your name? Off your personality? Just—


GRAHAM CLULEY. I thought it could be just someone very, very annoying pretending to be you, or exasperating, and they kept on pretending to be you. So I had to look it up. And so this is my little bit of education for everyone listening. Maybe everyone knows this. When a crime is aggravated, it just means it's a bit worse. So it's more serious than it would otherwise be. So that's why if you ever hear Americans talk about aggravated something—


CAROLE THERIAULT. So this is serious identity theft rather than crappy identity theft. Serious identity theft.


GRAHAM CLULEY. Exactly. And I imagine because of the amount of money involved, because they did obviously defraud quite a lot of money out of this limousine company because they didn't pay them real money. They just rolled in pretending to work for Jay-Z.


CAROLE THERIAULT. Oh, so this is what it's all about.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. They just walked in, said, hey, we're the Wu-Tang Clan. Yeah, yeah, yeah, $60K. Yeah, yeah, yeah, yeah, no problem, throw in the champers. And then they went off and with the, you know, rapping in their car, and then they got the invoice and didn't pay it.


GRAHAM CLULEY. And then they've got this fancy limo, this Phantom Rolls-Royce.


CAROLE THERIAULT. How long did they have it for?


GRAHAM CLULEY. Oh, they had it for a while because they would—


JAMES THOMSON. About 6 months at that price, I would argue.


GRAHAM CLULEY. They were going from hotel to hotel using fake and stolen credit cards, booking hotel rooms. And it wasn't just them. They also had a posse. So they had men and women with them as well.


CAROLE THERIAULT. Well, to make them look more famous. You need the hangers-on.


GRAHAM CLULEY. To make it look like they're an entourage. So they would go, for instance, to the Georgian Terrace Hotel in Atlanta, and they booked like, you know, 10 rooms for all of these people. So they had some women, they had some men, some of them were homeless people who they'd hired to pretend to be bodyguards for them. And they were racking up huge bills in goods and services in cities— Atlanta, Nashville, across the southern states. And another hotel they went to, the Hyatt Regency in Atlanta, they walked away without paying its $39,000 tab. And they also hired some recording studios.


CAROLE THERIAULT. How do they not pay if they have stolen credit cards and the like?


GRAHAM CLULEY. Ah, well, you see, Crow, let me tell you what happens, right? What can happen is if you've got a stolen credit card, from what I've heard, what you can do is you can book in and quite often they'll say, oh, can we take an imprint of your credit card for $50 in case you use the minibar?


CAROLE THERIAULT. Yeah, yeah, of course.


GRAHAM CLULEY. And you go, yo, yo, yo, no problem, man. Take it.


CAROLE THERIAULT. Oh, there's your rap character.


GRAHAM CLULEY. And, and then of course you pay the big bill when you leave, don't you? But if you sneak out in the middle of the night, or if you're such a celebrity that they kind of, you kind of go, oh, put it on the account, you know, send it, send through the invoice to my company and we'll sort it out there.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Now you might be wondering how these guys were caught.


CAROLE THERIAULT. No, I'm wondering what this has to do with IT security.


GRAHAM CLULEY. Well, I've got—


JAMES THOMSON. Well, it's cryptocurrency, phishing, and Smashing Security.


GRAHAM CLULEY. Sorry?


JAMES THOMSON. Was it when they pronounced his name Jay-Z? Was that when the penny finally dropped?


GRAHAM CLULEY. What's wrong?


JAMES THOMSON. What?


GRAHAM CLULEY. It is Jay-Z.


JAMES THOMSON. Graham, even I know it's not Jay-Z.


CAROLE THERIAULT. It's too much, James. It's just, there's too many of them. You can't point out every single one.


GRAHAM CLULEY. So. How were they caught? Well, would you believe the receptionist at the Fairfield Inn in Augusta was suspicious when they checked in? He thought, hang on a minute, maybe he knew his rappers. I don't know. And so he questioned them a bit, and they tried to convince him that they were really members of the Wu-Tang Clan.


CAROLE THERIAULT. How would you— I would just test them with the lyrics.


GRAHAM CLULEY. Well, exactly. Exactly. So The receptionist asked them to sing for him.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. And they said they couldn't do it without backing music. So what happened was they got out a ghetto blaster, put a track on, and these guys lip-synced to the music, pretending to be singing.


CAROLE THERIAULT. Oh, for God's sake.


GRAHAM CLULEY. And the receptionist spotted this.


CAROLE THERIAULT. Spotted that their lips weren't in perfect sync.


GRAHAM CLULEY. If they'd been Milli Vanilli, they'd have got away with it. Then it would have been slightly more convincing. But as it was, they found it slightly implausible. Actually, that isn't what happened. But I think, I think that's how I would have got it. That's what I'd have gotten. Instead, what the receptionist did was he rang up Jay-Z's company, Roc Music.


CAROLE THERIAULT. What was on speed dial?


GRAHAM CLULEY. Yeah, yeah, if you're in— if, yeah, of course you would be. If you're a swanky hotel, you've probably— you're prepared for this. Rang them up and said, hey Jay, these guys claim they work for you, claim they're the Wu-Tang Clan.


CAROLE THERIAULT. Clan?


GRAHAM CLULEY. And they said, no, Oh, for goodness' sake, can't they just change their name? It's really difficult. And they said the booking is absolutely nothing to do with us. And so they were caught. So the whole point of this story is about what happens when your credit card details get stolen. You might think they've been stolen by some lowlife to score a deal. Down some dark alleyway. But in fact, they might end up in the hands of someone who's planning to perpetrate a Wu-Tang scam. And so—


CAROLE THERIAULT. I think that was his punchline.


GRAHAM CLULEY. And so these guys have been nabbed. They've now pleaded guilty to conspiracy to commit wire fraud. They face up to, get this, they face up to 20 years in prison.


CAROLE THERIAULT. Presumably because of the amount of money that they racked up.


GRAHAM CLULEY. It's quite hefty, isn't it? The guys who are homeless, the homeless bodyguards, they've got away scot-free. And I think that's a little bit unfair, because those guys, if they're really homeless— 20 years, you know, I don't know what it's like in a federal prison. I imagine it's not very pleasant. But even so, something to think about. So that is—


CAROLE THERIAULT. Okay, can I just, uh—


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. So as a person whose credit card details might be stolen, say I were someone who had been caught up in this little rigmarole, I probably wouldn't have to pay out, right? It would be the credit card company that would have to pay out on that.


GRAHAM CLULEY. Well, hopefully, yes, indeed. Yes. But Carole, you have to understand that even if the credit card company pay out, we all end up paying in the end.


CAROLE THERIAULT. Yeah, no, thanks. Thanks for that.


GRAHAM CLULEY. Right? No, but it's an important point, isn't it? It's not as though there aren't victims of this and we all suffer as a result of these kinds of scams. Stop claiming this is a victimless crime because it's not, is it?


CAROLE THERIAULT. Well, I don't know. I mean, I don't think it's a victimless crime. I just think from a view of someone whose credit card might be stolen, you'd be worried more about being liable in these instances, right? And I guess that's what I'd be wondering. Like, I'm sure you've done that research, so. What do our listeners need to take away from this?


GRAHAM CLULEY. Well, what I think you need to take away is that you always need to be suspicious of fraudsters. You have to keep your eyes open for people who might claim to be someone that they are not. And you may encounter them in real life, you may encounter them in your inbox. And don't be so dazzled by the fact that you believe you have a celebrity, for instance, booking a room with you, that you won't question them. So don't be afraid to question. Don't be afraid to double-check. Don't be afraid, like this receptionist at the Fairfield Inn in Augusta wasn't afraid, to ring up Roc Music and confirm that they really were who they claimed to be.


CAROLE THERIAULT. And who do they claim to be?


GRAHAM CLULEY. The Wu Tang Clan.


CAROLE THERIAULT. Very good. Well done, Graham. You got it.


JAMES THOMSON. Honestly, I think this guy had a good enough name to begin with. I don't know why he was impersonating other people.


GRAHAM CLULEY. Aaron Barnes-Burpo. James, what story have you got for us this week?


JAMES THOMSON. Well, as you may be aware, uh, the Americans are holding a presidential election next week, and I am always in awe of the fact that Americans love tech. I mean, how else can you explain voting machines? Now, you might be aware that when Americans go to vote for the most part, they do not put a cross in a box in the method, you know, with which we are familiar, but they go and either prod a computer screen or in some cases pull a lever. You might recall that back in 2000, there was a disputed presidential election which came down to a few hundred votes in Florida.


GRAHAM CLULEY. The hanging chads.


JAMES THOMSON. Exactly, the hanging chads. But not just the hanging chads, the dimpled chads, the pregnant chads, the open and closed. There was a whole kind of lexicon that developed out of this crisis, which was partly to do with— well, there was a whole series of issues, but one of them was bad ballot paper design and also these devices that people used to punch holes in cards. In the wake of that fiasco, they decided to upgrade their voting systems. And they gave the states who are responsible for holding elections in the United States, the individual states, a huge dollop of cash, billions of dollars to upgrade their voting systems, and they all went out and bought the most astonishing collection of digital— well, I don't know, I don't know, this is a family show, I don't want to offend people.


GRAHAM CLULEY. No families listen to this.


JAMES THOMSON. Digital dogshit, if you will. Of course, yes, in the style of the Wu-Tang Clan, or Klan even.


CAROLE THERIAULT. Klan.


JAMES THOMSON. Thank you. Now, This means that there are now several states in the US where if the aging computers that they bought 20 years ago fall over, or the Russians manage to hack them, there is no paper record of how people voted. That's to say, you go into the booth, you press on a screen.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Yeah.


JAMES THOMSON. It goes, "Thank you very much, you may now leave." And there is no record other than in the guts of this creaking Windows XP-fired machine.


CAROLE THERIAULT. Oh, can't even print out logs.


JAMES THOMSON. There is nada. Well, the voters see nothing. I'm sure at some point in the process they can print some log out, but basically it's, uh, you're relying on this, um, on this technology.


CAROLE THERIAULT. Does nobody else? I mean, you're right, in the UK we certainly don't have voting machines.


GRAHAM CLULEY. We've got a very sophisticated— I mean, it's worth saying to our American audience, we have a very sophisticated system in operation here in the United Kingdom where on election day you take your dog to a church hall. You are asked for your name. You're then notably not asked for any identification whatsoever because we're British and thus trustworthy. And they give you a little stubby pencil and you go into a cubicle and you just mark a name, don't you, and say, this is the one I'd quite like, thank you very much.


CAROLE THERIAULT. Are you marking this? Are you marking this?


GRAHAM CLULEY. No, I'm so— I think it's a remarkable system. And then there are these wonderful people who stay up until 3 o'clock that morning counting up all the pieces of paper.


JAMES THOMSON. Yeah, it's kind of like the book. It's a kind of unimprovable technology because—


GRAHAM CLULEY. It's hack-proof really, isn't it? The way we do it in the UK.


JAMES THOMSON. Look, I mean, back in the 18th and 19th centuries, there was plenty of electoral fraud, but to arrange electoral fraud using a paper-based system now just is impossibly expensive. You just require too many people and too many physical resources. And yet these machines are a gift to people who either want to screw up your electoral system or else to cast doubt on the electoral system. And as you might be aware, there has been a lot of casting of doubt lately.


GRAHAM CLULEY. Come, come.


JAMES THOMSON. But the amazing thing is that in the wake of the last election, obviously there was a lot of concern because of the alleged Russian hacking of, well, the attention economy, but also allegations that there have been attempts to hack electoral systems. And so there's actually a rather good New York Times video in which they've explored the security of the electoral system in the US. And it comes to a sort of positive conclusion, moderately, that this US election could be the most secure yet. But in the course of it, they interview some of the people responsible for the system, including the wonderfully named Dana DeBeauvoir, who is the— yeah, she's no Barnes-Burpo, but still, you've got to respect a name like that. And she's the county clerk of Travis County, Texas. Which is one of these places you've never heard of but has a million people living in it. And she said that with all of this federal money they got 20 years ago, they asked their voters what they wanted and the voters told them that the most important thing was to have a paper trail. It was like, well, you know, duh. And before that they'd been using these machines which left no record. But instead of just deciding to use paper ballots, they went on a 15-year search for voting machines that print out the result of you having pressed a screen. Now, I can't quite work out, although I don't claim to have any inside knowledge of the American electoral system, why you can't just cut the computer out of this equation. Why does there have to be a digital middleman in this process? Now, I know that in America when they go to vote, they go to vote on about 300 different things at the same time. There's the presidency, there's in some places the Senate, there's always a congressional election, there's local council, there's governors, there's dog catchers, you name it. Judges even. I mean, they elect judges, don't ask me how that works. But the problem is that there's this mishmash of systems, almost all of which rely at some level on a machine either to vote with or to count the votes or to do various other things during the process. And a lot of these are horribly underprotected, and the New York Times reporter David Sanger, who focuses mostly on intelligence issues, says the real danger here is not a major hack, although that can't be ruled out, that somebody might try to get into the system and change all of the totals, because there's normally ways to check if someone's just screwed with a few numbers in the system. The problem is more of what's called a perception hack, which is where you just go in, you cause a few little screw-ups here and there, and then you get your Twitter bot armies to go in hard and say, that's it, the whole thing is corrupted, you can't trust the result. So all I can say is thank goodness no one is trying to undermine confidence in the result. Oh, oh wait.


CAROLE THERIAULT. And these machines are all connected. I wonder why the machines have to actually be connected to each other. Why can't they just be standalone and then—


JAMES THOMSON. Well, the irony is that the oldest ones that date back more than 20 years, they're not actually internet-enabled. So in a way, they are actually safer. But the problem with those, of course, is that they're running on ancient hardware and software, which, you know, under severe pressure might well give way. And then with these machines that don't keep a paper record, that's it. You've lost all the votes. There's no other record anywhere. I mean, of course, we've seen in the last few weeks, there have been, I think now, 60 million people have voted early in the US. And that's partly because they, for no very good reason, but mainly because of the propaganda of one side, a certain Donald J. Trump, not that the mail-in ballots aren't correct, but that they won't be validated in the same way. So they've actually been queuing up. You might've seen these amazing videos of people queuing for hours on end just to vote early so that they know that their ballot has gone into the box and can't be later kind of ruled invalid.


CAROLE THERIAULT. I can't understand that either. How can there be lineups like so far ahead of the election? Because there's so few stations? Or because it takes so long to fill in the 80,000 different things they have to fill in for all the different—


GRAHAM CLULEY. I think a lot of the places where you can make your vote have been shut down, haven't they? There's an absence of opportunity. So we might, for instance, have to drive up to Chester if we wanted to vote here in Oxford.


CAROLE THERIAULT. I would have to walk across the street.


GRAHAM CLULEY. Well, yeah, but I'm saying if we had a similar situation to what's going on in America, you may require quite a trip.


JAMES THOMSON. Yeah, there have been a series of efforts to— well, I mean, these are allegations, but I think they're pretty well substantiated— to limit access to voting. And it's worse in some states than others, but like Graham says, in Britain, if you want to vote, you just toddle off down to the local primary school or the church hall, and in every village or town there is somewhere to vote.


GRAHAM CLULEY. You know what could solve all these security issues, though, with voting machines? I think they need to introduce— maybe they need to get the blockchain involved.


JAMES THOMSON. Oh God.


CAROLE THERIAULT. Or pen and paper. When we go back old school, I'm, you know—


JAMES THOMSON. That is my proposal.


CAROLE THERIAULT. Luddites unite.


GRAHAM CLULEY. But you know, this is the thing which has impressed me of American elections in the past, is that at certain, like 10 o'clock at night or 11 o'clock or whatever, they suddenly announce lots of different states and what the vote is. And I guess it's because of these machines, whereas here in the UK you may have to wait until 6 o'clock the next morning.


CAROLE THERIAULT. Oh, you'll be waiting this here, honey?


GRAHAM CLULEY. Well, presumably we will be waiting maybe for a week or two, and what's going to happen in the meantime?


JAMES THOMSON. It could be longer. I mean, if there's disputes over mail-in ballots.


GRAHAM CLULEY. So, James, this is our last podcast before Election Day USA. Can you make any predictions? Are there going to be some shenanigans, do you think? Or will it all be plain smooth sailing?


JAMES THOMSON. I think I can— I think I'd confidently predict there will be shenanigans. I mean, there have been shenanigans for the last 4 years, so the idea that there won't be next week is kind of implausible. The question is whether there's just a kind of tidal wave.


CAROLE THERIAULT. Oh, don't worry, Kanye's probably gonna win it.


JAMES THOMSON. That's my call. I thought Ol' Dirty Bastard was on the ballot too until his unfortunate demise.


GRAHAM CLULEY. Not been the same since.


CAROLE THERIAULT. No.


GRAHAM CLULEY. Carole, what have you got for us this week?


CAROLE THERIAULT. Oh, well, I'm staying on the political track, but just taking a left turn here.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. So, as we've been saying, all eyes are on America right now, politically speaking. You know, it's a crazy situation to think: pandemic plus volatile elections, it's a crazy ride. With the pandemic, most of us are staying home way more than normal. And so how does a politician get their messages across? We've been seeing a few different people representing various parties take to the digital motorways to do this. And one of the interesting places politicians have been showing up is the gaming world. So two weeks ago on Animal Crossing, a Nintendo Switch game we've talked about before on the show, the Biden campaign launched its own island called Biden HQ, featuring a Biden avatar in aviators who only says, "No malarkey." And interestingly, the island had a shop and a voting area with text codes for players to sign up to vote and buy in-game merchandise that would benefit the campaign. And this, when it was launched, was streamed to hundreds of thousands live on Amazon-owned Twitch. And then again, last Tuesday, we saw two US Congress members, Alexandria Ocasio-Cortez and Ilhan Omar, take to Twitch's very popular game called Among Us. Have you guys ever heard of it?


GRAHAM CLULEY. Oh, Among Us, yes.


CAROLE THERIAULT. Yeah, see, I haven't. I hadn't at all.


GRAHAM CLULEY. Oh, Among Us is huge, Carole. I haven't played it. I know it came out probably a year or two ago, but it became huge this summer.


CAROLE THERIAULT. That's right. That's right.


GRAHAM CLULEY. When some popular YouTube streamers started to play it, and then everyone is playing it.


CAROLE THERIAULT. Exactly right.


GRAHAM CLULEY. It's like a whodunit on a spaceship or something where you go around with a funny character trying to work out who the baddie is.


JAMES THOMSON. Is it like Jet Set Willy?


CAROLE THERIAULT. It reminded me a bit of that game Mafia we used to play, Graham, you know?


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Someone is kind of tapped on the shoulder to be the bad guy in the crew and you have to try and identify who that is, is basically what seems to be going on. Now anyway, AOC, as we'll call her, Alexandria Ocasio-Cortez, AOC, 4 minutes into her Twitch game, she admits she's no gamer, right? So it's not like she's a diehard gamer and this is her space. This is in her wheelhouse. And she didn't just kind of do a kind of fly-by-the-seat-of-her-pants kind of public affair. You know, when a politician shows up, does a quick shimmy, yells a few things, shakes a few babies, kisses— Oh, I did that wrong.


GRAHAM CLULEY. Shakes a few babies?


CAROLE THERIAULT. Shakes a few babies, kisses a few hands. You know what I mean?


JAMES THOMSON. Carole, you're not supposed to do that. Don't shake the babies. Maybe.


CAROLE THERIAULT. That's why I'm not a politician. She played not for 5, 10 minutes, but for 3.5 hours. And during this entire time was utterly engaged in the game. Like she was totally engaged and she was totally engaging to watch.


GRAHAM CLULEY. I watched it.


CAROLE THERIAULT. Did you watch all of it?


GRAHAM CLULEY. No, I didn't. I didn't watch all of it, but I saw some of it. Yeah.


JAMES THOMSON. Can I ask, as a spokesperson for somebody who knows nothing about computer games, is this one of these games that you can start playing relatively easily as opposed to some of these, you know, these ones sometimes they talk about, these esports games, and there's a shot of these kids playing these games and it's just completely baffling to anyone who doesn't know how these games work.


GRAHAM CLULEY. Yeah, it's not one of those, you could definitely play Among Us.


JAMES THOMSON. Yeah, right, right.


CAROLE THERIAULT. It's like a party game. Like you play with other people and you can play in the same, like, you know, if we were hanging out together, we could play together, you and I, or we could get remote players and Graham could join us and other people. And you have like a spaceship, you're preparing it for departure, you know, with your crew.


JAMES THOMSON. So AOC could just dive straight in and just play a game.


CAROLE THERIAULT. Right, and she called like certain big high-profile gamers to come and be on her team, right? So she was playing with a lot of the hotshots in the Twitchosphere and the Among Usphere.


JAMES THOMSON. As they call it.


CAROLE THERIAULT. As they call it. Now, this is, as Graham said, one of the hottest games in the US. Worldwide in September alone, can you guess how many times it was downloaded?


GRAHAM CLULEY. Is it more or less than 2,000?


CAROLE THERIAULT. It's more than 2,000.


GRAHAM CLULEY. I never want to go in too high, you see, because that ruins your—


JAMES THOMSON. Oh, I don't know.


CAROLE THERIAULT. Try. Just go high.


GRAHAM CLULEY. Was it more or less than 1 million?


CAROLE THERIAULT. It was downloaded nearly 84 million times in one month.


GRAHAM CLULEY. By Jove.


CAROLE THERIAULT. Yeah. Big. Yeah. Her own stream attracted at one point more than 400,000 viewers. Right now, of course, you can go see this. This was just for the live show. And this was making— this made it the third most popular stream on the site. So not bad for a first try.


GRAHAM CLULEY. And she's now like one of the most followed Twitch streamers who exists, I believe.


CAROLE THERIAULT. Yeah, she came in hot and fast. Yeah, she's— that's how I want to join a new industry, I tell you.


GRAHAM CLULEY. Do you think she might give up her political career now?


CAROLE THERIAULT. I mean, she's certainly got this on the back burner now, doesn't she? Now, Twitch isn't just used for the Dems. Republicans have a few channels too. The Republican convention was streamed on the platform a couple of months ago. And Donald Trump has his own account.


JAMES THOMSON. The best is yet to come.


CAROLE THERIAULT. Yes, the best is yet. Oh my God.


GRAHAM CLULEY. Was that as popular as AOC playing Among Us?


JAMES THOMSON. There's a market for that stuff, Graham.


GRAHAM CLULEY. I would quite like to see Mike Pence or William Barr. I'd like to see them playing Metal Gear Solid or something like that on Twitch to attract the kids. That'd be great, wouldn't it?


CAROLE THERIAULT. Okay, so whilst the Republicans have been on these channels, they haven't used it in the gaming sphere. They kind of do it to show off latest video campaigns or new segments that are favorable or that sort of thing.


GRAHAM CLULEY. Yeah, boring.


CAROLE THERIAULT. As this is a security show, right? I'm going to get to it. So two days after AOC and Omar's Twitch game was streamed, Among Us was hit by a spam attack.


GRAHAM CLULEY. Ooh.


CAROLE THERIAULT. And it affected most of the gaming community that were playing online, according to Engadget. So it started two days later on Thursday evening. Players in public matches found their game chats— so you have this kind of chat where you can chat with the other players— started broadcasting new messages demanding that users subscribe to a YouTube channel called Eris Loris.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. Now, in various permutations of the messages which were being dumped and spammed out on these public broadcast messages, Loris threatens to hack your device or blow up your phone if you don't subscribe to his YouTube channel.


GRAHAM CLULEY. I'm imagining they're about 14 years old, is that right?


CAROLE THERIAULT. And it concluded with an unrelated Trump 2020 at the end. So, you know, God, if it were MAGA 2020, it would have been much way funnier, actually.


GRAHAM CLULEY. Because that's the way to motivate someone to vote a particular direction, isn't it? Is to spam them constantly and tell them to visit your YouTube channel.


CAROLE THERIAULT. Well, I have another theory. So, okay, so basically this Eris Loris, with the help of a dozen or so volunteers, claims to have hit as many as 1.5 million games, affecting around 5 million players. And I mean, look, if I was looking around today, the Among Us subreddit is filled with threads dedicated to this situation, right? You go to Twitter and you see hundreds of messages too. So things like, okay, what the hell just happened? I'm in an Among Us lobby. Next thing I know, the entire lobby is black and the chat is spammed, subscribe to Eris Loris on YouTube. Do you have any clue? And they're asking the developers of the game Among Us, which is InnerSloth, who I think are quite a small company. Don't take all my lines away from me. Oh, I'm sorry, you've researched this already.


GRAHAM CLULEY. Okay, shush.


CAROLE THERIAULT. Now, if you play Among Us today, people are all over chatting about this, and it was bad. The creator of the game, InnerSloth, tweeted people asking them to stop playing the game until the problem was resolved. And they ended up pushing out an emergency server update to try and mitigate the problem. But there are still some people complaining on Twitter about it today, which is 4 days later. So maybe there's latency in the rollout. But one of the big problems is, no matter how amazingly dedicated the Among Us dev team, InnerSloth, is, they're only a 3-person band. And as you were saying, it was released 2 years ago. And by when did they have millions in play? It was this summer that it went crazy with the pandemic. So millions and millions of people started playing after some streamers were like, hey, this is cool. And yet they haven't built their team. So how can a handful of developers manage such an environment? Government. Like, it doesn't scale if shit hits the fan, and I don't know if that's very responsible.


JAMES THOMSON. Can I ask a Luddite question? Yeah. How can this guy screw up your phone just from you playing a game you downloaded on it?


CAROLE THERIAULT. But the game, I think, uses your phone as well, right? So I don't know if it can screw up your phone other than just make it spam, spam, spam, spam. You probably ruined just the game.


JAMES THOMSON. Okay, well, that's a small loss. I think I can just delete that game.


GRAHAM CLULEY. I might be wrong. I didn't think there was even a smartphone version of No, no, no, there definitely is Android and iOS.


CAROLE THERIAULT. Oh, is there? You can play it on all of them, yeah.


GRAHAM CLULEY. Oh, okay.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Surprised my son hasn't already downloaded it then.


CAROLE THERIAULT. So meanwhile, so right, so these guys have 3 people, and seeing how they handled it, watching how quickly they tried to manage this problem, was good, but this is not the first time Among Us has been hit by some kind of crap. There's lots of complaints online about, hey, people have workarounds or people are cheating. And there's this 3-person band trying to handle it all. Now, meanwhile, gaming publication Kotaku reached out to this Eris Loris, who claimed responsibility for the spamming spree. And like many hackers, he says he does not regret pissing off a boatload of players, 'cause that was his goal.


GRAHAM CLULEY. Oh, so he admits it was him?


JAMES THOMSON. Yeah.


CAROLE THERIAULT. And if you go see his Twitter, it is, you know, when you were saying earlier, someone says, oh, he sounds like a 14-year-old guy?


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. I think you might be right. I think you might be right. There's huge, huge threads on Twitter, all him responding to everybody. So really enjoyed the day, it seems.


GRAHAM CLULEY. How do you know from that that he's 14? Is he like posting pictures of Heather Locklear or something?


JAMES THOMSON. No, no, no.


CAROLE THERIAULT. I'm just guessing from the way he talked and the way he was responding to people. I didn't get a feeling of a very mature mind.


GRAHAM CLULEY. I see.


CAROLE THERIAULT. I may be wrong. I may be wrong. He's not my bud bud. So he says, so according to Kotaku, he said, I was curious to see what would happen and personally found it funny. The anger and hatred is the part that makes it funny. If you care about a game and are willing to go and spam dislike some random dude on the internet because you can't play it for 3 minutes, it's stupid. So he's claiming, I just ruined your game for a bit. What's your big deal? But users are not happy. People have even been giving online thumbs up to people trying to dox this Eris Loris. So this is where people try and reveal his identity and personal information online so people can make his life hell. Please don't do this, folks. Even if he totally ruined your game, please don't do this. And someone's even already put something up on Urban Dictionary about Eris Loris. Quote, a fat nobody who hacks innocent people's Among Us games for clout. Oh, my game is botted by Eris Loris. So there you go.


GRAHAM CLULEY. Charming.


JAMES THOMSON. I think I'd rather work burpo into that line than for us.


GRAHAM CLULEY. Aaron Barnes Burpo.


CAROLE THERIAULT. Okay, but just, you know, just because we're on the political slant here, what's kind of interesting is that political parties can't raise money in these campaigns by saying, hey, you know, advertising, you know, you know, give us cash. But they can sell, like in Animal Crossing, they can sell these kind of virtual clothing or, I don't know, campaign stuff, and for that money it can go to the campaign. So it's kind of like a weird workaround of how you can fund the campaign. Bitcoin.


GRAHAM CLULEY. Bizarre.


JAMES THOMSON. It is bizarre.


CAROLE THERIAULT. It is bizarre. But like huge audience, 400,000. That's bigger than a rally.


GRAHAM CLULEY. Is America just crazy?


CAROLE THERIAULT. Oh, you don't think you're going to see BoJo on one of these next election cycle?


JAMES THOMSON. God, heaven forbid.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Tell me about it.


GRAHAM CLULEY. Smashing Security is sponsored this week by Recorded Future. They empower organizations by revealing unknown threats before they impact a business, helping teams respond to alerts 10 times faster. Recorded Future does this by automatically collecting and analyzing intelligence from technical, open web, and dark web sources. Well, you too can access the up-to-the-minute security intelligence that allows Recorded Future clients to make fast, confident security decisions by installing their free browser extension, Recorded Future Express. Go and grab it now at smashingsecurity.com/recordedfuture. That's smashingsecurity.com/recordedfuture.


CAROLE THERIAULT. This episode of Smashing Security is also sponsored by Immersive Labs. They have created a free ebook. It's called Aligning Cyber Skills to the MITRE ATT&CK Framework. The idea behind this free ebook is it gives you a guided tour of how the MITRE ATT&CK framework can totally simplify and strengthen your cybersecurity skill strategy. It literally is a go-to framework. Learn more at immersivelabs.com/smashing. And thanks to Immersive Labs for sponsoring the show.


GRAHAM CLULEY. This episode of Smashing Security is sponsored by LastPass. Now everyone knows about LastPass's password manager for end users, but it's also a great solution for businesses. In fact, tens of thousands of companies rely upon LastPass to protect themselves. LastPass Enterprise simplifies password management for companies of all sizes and helps you secure your workforce. So whatever the size of your business, go and check it out. Go and visit lastpass.com/smashing to find out more. And thanks to LastPass for supporting the show. And welcome back, and you join us for our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


JAMES THOMSON. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, book that they've read, TV show, movie, record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Now, I've noticed that both of you have been quite political today, whereas I have kept my nose clean and have not dared to put my foot into the quagmire that is American politics.


CAROLE THERIAULT. No, you told us about a non-existent band called Clue Clang Clang.


GRAHAM CLULEY. Sounds like someone dropping a whole load of pans and pots in the kitchen, doesn't it?


JAMES THOMSON. A bag of spammers.


GRAHAM CLULEY. Well, I'm now going to put my foot very much in it because I'm going to go political because my pick of the week today is a website and a podcast and a newsletter called What the Fuck Just Happened Today. Oh, and this—


CAROLE THERIAULT. we can't censor that one because otherwise no one will know how to get there.


GRAHAM CLULEY. Well, the name of the podcast, presumably because Apple objected to the F word, is WTFJTT. WTF just happened today, if you want to look that up.


JAMES THOMSON. And for your amusement, that is actually a word in Slovak.


CAROLE THERIAULT. WTF?


JAMES THOMSON. People actually say here, WTF.


CAROLE THERIAULT. WTF.


GRAHAM CLULEY. Oh, that's so lovely. Yeah. Chummy. Well, the whole purpose of this website and this podcast is, I don't know if you've noticed, there's quite a lot of political news and quite a lot of crazy shit is happening all the time. Sometimes from the UK, quite a lot of the time from America. Now—


CAROLE THERIAULT. A few other places as well.


GRAHAM CLULEY. I know, but this particular website seems to devote itself to what is happening in the Americas of USA. And what they do is they distill the day's events. And so they give you a quick, maybe 5-minute summary of what has happened. And the beauty of this, of course, is that you don't have to watch some cable news for hours and hours where they're endlessly re-interviewing experts and commentators to pontificate about something that's happened. And then you have journalists who are interviewing other journalists going on, going on, going on forever and ever and ever. You just think this is ridiculous. There's too much of this.


CAROLE THERIAULT. You're the only one of the three of us that does that.


GRAHAM CLULEY. Does what?


CAROLE THERIAULT. Watches TV and watches news. You're a bit like Trump yourself. You're always watching the press and always watching the news, aren't you?


GRAHAM CLULEY. You.


CAROLE THERIAULT. So are you trying to alleviate that? Are you like, you'd actually just read this instead?


GRAHAM CLULEY. I'm trying to address the problem, which clearly I have, which is an obsession with US politics for the last 4 years or so. And so I'm hoping things are going to come to an end and I'll be able to move on. But maybe what part of my weaning process is the WTF Just Happened Today podcast.


CAROLE THERIAULT. It's very cheery. The first thing on the page today is that there's 82,600 cases, a new daily record for coronavirus in the United States. So that's fun.


GRAHAM CLULEY. There you go.


CAROLE THERIAULT. Yeah, great pick of the week.


GRAHAM CLULEY. So, well, you know, you just, you get the facts, you get some links, and there you go. And then you can move on and get on with the rest of your life. And that is why it is my pick of the week.


CAROLE THERIAULT. Dun dun.


GRAHAM CLULEY. James, what's your pick of the week?


JAMES THOMSON. Okay. How many people do you think are on Instagram?


CAROLE THERIAULT. I don't know.


GRAHAM CLULEY. 100 million?


CAROLE THERIAULT. Oh, more than that. 500 million?


JAMES THOMSON. No, a billion. Yeah, over a billion. Somewhere over a billion. But how many followers do you think you need on average on Instagram to make a living from, you know, brand sponsorship, from companies giving you money or products to on your feed?


CAROLE THERIAULT. How many followers? Does it work by followers, I'm guessing?


JAMES THOMSON. Yeah, yeah. How many, ballpark?


CAROLE THERIAULT. Right, 10,000.


GRAHAM CLULEY. Would it be all right if you had one follower, but it was someone who was very, very rich indeed?


JAMES THOMSON. Or had a stolen credit card like Aaron Barnes and Burpo? Yes.


CAROLE THERIAULT. Or had multiple personality disorder and had different entry for each one.


GRAHAM CLULEY. Tell us, how many followers do you need to make money?


JAMES THOMSON. The ballpark figure is around 50,000 followers.


CAROLE THERIAULT. Oh, okay. I thought 10.


GRAHAM CLULEY. Okay, so—


CAROLE THERIAULT. Oh, I'm getting close. I'm getting close.


GRAHAM CLULEY. But it depends on guess where you are.


JAMES THOMSON. Look, if you're here, then you could probably get by on about 10 or 20, but in a big country, probably 50 to 100. But this is the, this is the astonishing thing. How many Instagrammers do you think have 50,000 followers at least?


CAROLE THERIAULT. How? Okay, so there's, there's a billion of accounts, billion of them.


GRAHAM CLULEY. Yep. I'm gonna say a thousand. No, more than that. I'm going to say 50,000.


JAMES THOMSON. So, Carole, your guess is 1,000?


GRAHAM CLULEY. Yeah.


JAMES THOMSON. Out of a billion, you think 1,000 have 50,000 followers? Graham, yours is— what was it? 200,000?


GRAHAM CLULEY. Yes, 200,000. That's what I'm saying. Yes, I said 50, but I'm now saying 200.


JAMES THOMSON. You're out, Graham, but only by 3 orders of magnitude. Because the answer, according to Sarah Frier, who is the author of a book called No Filter, about Instagram, and which is the kind of definitive account of Instagram currently, was published a couple of months ago. The answer is 200 million.


GRAHAM CLULEY. What?


CAROLE THERIAULT. 200 million? Okay, so bots, body, bot, bot, bot.


GRAHAM CLULEY. Yeah, exactly.


JAMES THOMSON. It's the only way that I can make sense of this claim, but I've read the book and she drops it in there, and it's credited to a market research company, hang on, called Dovetail. But it hasn't been challenged anywhere, and I've— and I've, um—


CAROLE THERIAULT. I think you should challenge it. You do it here.


JAMES THOMSON. Yeah, but you need evidence to challenge it. They are using Instagram figures. Now, of course, one would guess that, yeah, a lot of that is bots, but even on the face of it, that would suggest that if each of these people who have 50,000 followers were tweeting, or whatever you call it when you send an Instagram message, once a week, 200 million of them are going out to all of their 50,000 followers once a week. You're up in the trillions. You're up in the trillions in terms of the number of these Instagram tweets flying around.


GRAHAM CLULEY. And this is quite interesting to me because I wrote an article in the last week about a couple of companies who Facebook are suing because they've been running fake follower services. And so they've been selling their services for like, you know, $30 per week to artificially inflate your number of followers and the likes which you get. And of course, all these people who are desperate to be an Instagram influencer, they want to have big numbers to say to advertisers, oh, look how popular I am. And I, I wonder whether all of these people are doing it and it's basically inflation which is going on. Everyone wants to be up above the rest.


CAROLE THERIAULT. And so the people who are actually making the money are the people who are running the bots and selling that I think they should stop looking at how many people happen upon something as opposed to how many people, like it would be nice, for example, even in podcast land, if we could say, oh, how many people have dropped in and listened to one show and then gone on, you know, versus those that decided, oh yeah, I'm going to stick with these guys.


GRAHAM CLULEY. But you also do get ad, you just do get bots who do ad click fraud though, don't you? Which, so who will click on these links and will, might appear to people to be genuine people interested in a service or product.


CAROLE THERIAULT. Exactly. So there you go. So are you on Instagram, James?


JAMES THOMSON. I think I might be very soon if all I need is 50,000 followers to make a living. But what will I, what will I influence people about? That's what I want to know. I'm sure I can think of something.


GRAHAM CLULEY. I've got, I think I've got about 127 followers on Instagram. I'm doing jolly well.


CAROLE THERIAULT. Does it make you feel good to have that?


GRAHAM CLULEY. Oh, I've just looked, 174. Woohoo! Yes, I don't really have anything to post, you see, because I don't want to post pictures of myself because I don't want to put people off their lunch.


CAROLE THERIAULT. Are you hoping to be an influencer? Is that what you're working on?


GRAHAM CLULEY. I would love it. I would. Oh, wouldn't that be wonderful just to hang out with Aaron Burpo Bot or whatever his name was and Walker Washington and Old Dirty Dog. And I can't remember their names now. Yeah, wouldn't that be fantastic? I think it'd be marvellous.


JAMES THOMSON. Dame de Beauvoir.


GRAHAM CLULEY. Oh, marvellous. Okay, so your recommendation, what is this book, is it?


JAMES THOMSON. Yeah, I would, I mean, I would give it a look. It's actually a very well-written book and it's an interesting subject.


CAROLE THERIAULT. Give us the title again, would you?


JAMES THOMSON. It's called No Filter and it's by Sarah Frier and I've dropped a link in, so there'll be a link in the program notes.


GRAHAM CLULEY. Marvellous. Carole, You're not on Instagram, but you have for us a Pick of the Week.


CAROLE THERIAULT. Yes, as I have for the last 200 episodes or so, 170. I don't know when we started doing Pick of the Week. This is an oldie but a goodie radio program from Radio 4 that you and all three of us know very well: From Our Own Correspondent, F-O-O-C.


JAMES THOMSON. FOOC, as it's known in the BBC.


CAROLE THERIAULT. Is it really? Yeah. I didn't know it'd been going for 50 years.


GRAHAM CLULEY. Oh, yeah.


CAROLE THERIAULT. That blew my mind.


JAMES THOMSON. Yeah.


CAROLE THERIAULT. Anyway, so currently hosted by the brilliant Kate Adie. And it's basically a show that happens every week where correspondents or journalists or writers from every corner of the world report on stories behind the headlines. That's how they pitch it. And the stories often have a very strong human element, don't they? So, and they go everywhere. Like, so they'll go to South Africa, I think was this week, or they'll be in Thailand or Bhutan or Japan or Armenia, Romania, and you just get this kind of, I don't know, snapshot of daily life of what's going on in that particular location. I mean, you guys listen to this, or do you?


GRAHAM CLULEY. Oh yeah, it's like a long-form essay, isn't it? It's not reporting, but it is wonderful.


CAROLE THERIAULT. Well, it is reporting.


GRAHAM CLULEY. Well, it is reporting, but it's not like they're going and interviewing people and they've edited it all together. It is the correspondent basically as though they were writing a letter or writing an essay.


JAMES THOMSON. Is it the correspondent's kind of recollection or rumination on something that they've seen or witnessed or experienced, or what's going on in the country that they're based in?


CAROLE THERIAULT. Yeah. So like you might be there, there's one like a 40-course Chinese banquet. A writer was there and was able to write about that whole experience, or someone who swam with sharks or someone who experienced zero gravity. So these are all kind of interesting elements and you have a kind of first-person account of what that was like. Is that fair?


JAMES THOMSON. Yes.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Carole, is this available as a podcast?


CAROLE THERIAULT. Yes, it is. So you can get it. It's available both on the World Service, so everyone can get it from there, or it's available in the UK on the Beeb, on Radio 4. It's also available as a podcast. And I recommend it because this is a very calming news program because it's not focused so much on the crazy. It's more focused on the human element. And I don't know, just, it's a breath of fresh air in these crazy times. So check it out: From Our Own Correspondent from the BBC.


JAMES THOMSON. Hear, hear. That is a great recommendation.


CAROLE THERIAULT. Thank you. I think it is too.


GRAHAM CLULEY. Well done, Carole. Very good pick of the week.


CAROLE THERIAULT. Mm-hmm.


GRAHAM CLULEY. Marvelous. Now, I know what else is quite good is that you've been speaking, haven't you, to our chums at LastPass?


CAROLE THERIAULT. Yes. So Dalia Hamze from LastPass, she and I had a very good chat. Chat, and you can listen to it right now. Well, actually, you're going to be listening to part 1 because it was such a good chat. We talked for way more than half an hour, so we've cut it into 2. So part 1 this week, part 2 next week. Enjoy. Hey, Dahlia. This is Dahlia, everybody. She's a senior security engagement manager with LogMeIn, or what people also know as LastPass. And obviously, like the rest of us, she wasn't born in the cybersecurity world, right? So when did you first get into cybersecurity, Dahlia? So I graduate college and I'm like, I'm going to be my own boss. And I start selling Uh, I, I used to go around to like different stores and get designer clothes and things like that, um, at discount prices, and I would sell them on eBay. And I had this store, it was called Dahlia's Delights. Uh, don't tell anybody, even though I think everyone's gonna hear that now. And, um, I loved eBay, right? I was an eBay enthusiast. And so I randomly get this job offer one day for— I think I was getting paid like, I don't know, $11 an hour using— with some consulting firm that was like, hey, do you want to like process paperwork you work and eBay is your account? I was like, absolutely I do. And so, uh, my hope was maybe eBay will hire me. Well, it actually happened, and I was, uh, managing their budget and doing some administrative work for them. Moved out to California. It was for their information security team. And so I remember I moved to California, I'm day one on the job, and people are talking about SIMs and servers and DLP and firewalls. I I think it's hilarious when people in our industry think that there's no jargon. It is really revolting, isn't it? Like, you don't understand a word when you first walk into this. I mean, the number of acronyms that I heard on day one, I actually cried on my way home because I was like, what did I get myself into? Yeah. 
I mean, I genuinely have no idea where I am. This was a huge mistake, right? But there is a lot of, of jargon and things. So now, like, fast forward about 6 months. And I'm starting to kind of, you know, get a little bit of the hang, right? I mean, I feel like I'm 10 years in the engagement space and I still don't fully grasp it, but, so I'm 6 months in, I'm getting the hang of it. And I realize that we're doing, now this is to our engineer and developer community, right? So, security is trying to say, hey, like, we need to patch and guys, we need to take these vulnerabilities seriously and all this different stuff, right? Secure coding. [Speaker] Right, right, right. [Speaker] And so, they do this series and it's like 10 people show up and I'm like, oh my God, because the presentation is painfully boring. And so I was like, hey, can I take this over and offer some ideas? And that's when I realized I took it over and I started saying like, you know what's sexy? Let's talk about other people's breaches and then relate it back to here. One of my favorite ones that I got approval to do, I don't know how, was the Ashley Madison breach and going through the kill chain of what we think may have happened. Smashing Security happened, uh, we had like 400 people show up for that. And so then I realized, wait, this could be something like— I'm really interested in this. How do we translate security for the everyday? I mean, well, for every day now, that, that's really my focus. But how do you make other people interested in it? Yeah, but you had to learn on your feet, I guess, right? Because if you were kind of working in that area and you suddenly said, look, let me take this over, you suddenly have to kind of learn all that info? Did you come into this world kind of understanding like things like, you know, unique passwords or safe passwords or long passwords or good passwords and all these kind of things? Oh, definitely not. No, no, no. 
So, what I do is I find my allies and people on the team and I mean, it's really about relationship building in this specific role. I think if you're a security awareness officer, if you do the engagement side of the house, you don't have to be the expert at everything, but you need to find the experts and you need to make good friends with them, right? And then help their agenda. They have things they want to communicate. And so I try to make sure that, you know, it's a two-way relationship. I'm not constantly asking them to present for me and that's it, right? Like, hey, what do you guys have to get out? Like, is there, is there a behavior change you're looking for from either, you know, anybody in the company or external? And so, it's definitely a very symbiotic relationship, I should say. You know, I totally, totally get that because I feel that was basically my career as well. If I look back now at what I did, I think my job was to take the very, very smart technical information that was being given to us by our researchers and somehow figure out a way to communicate it to the general public in a way that would make them understand what was the threat, what was important, and what they could do about it. Is that, is that a fair way of saying what you're doing now? I think 100%, yeah. And it's hard, right? Because different people digest information differently. And so we know that depending on the generation maybe you're born in, some people prefer to read, you know, millennials and— God, I don't even know the ones after that. I think I just hit— Zed Gen, I think. All right, yeah, there's other ones, right? I think in theory I'm a millennial, but if you ask my little sister, who's 10 years my junior, she's like, that's logistics. You're definitely not. You just happen to fall. It's like when you fall into the birthday a year before, so you graduate a year earlier. But people digest depending on the industry you're in. Like, do you like to read? 
Do you like your information in short snippet videos? Some people like to, like to get in, you know, they're visual learners. Some people are hands-on learners. Personally, for me, if I, if I can't see it, feel it, and do it myself, it's hard for me to understand it, right? So you really have to accommodate. Oh, so you're not a podcast junkie then, because some people love podcasts and some people like my brother, one of my brothers is like, I really can't actually absorb information that way. So I have one podcast. It's a personal one I listen to. I don't know if my friends at LastPass or LogMeIn would appreciate if I said what that was. I'll tell you offline, Carole. It's a great podcast. But when it comes to like education and And for security, let's say, it's really hard for me to understand like a security concept or a technical concept unless I can actually like see it, feel it, get my hands dirty in it type thing. Mm. Yeah. Yeah. So, okay, so that's— so you're basically trying to identify how people learn and then package the messages they need to learn in a way that's easy for them to digest. Like you're just trying to, you know, grease the wheels. Expect, you know, to make sure they get the message as clearly as possible. That's it. Yeah. And, and different, all sorts of different mediums. Yep. And I mean, I think too, whatever channel, communication channel that as security professionals we try to use, I think there's one thing, um, that they should all have in common, right? When it comes to the messaging, we love to kind of put the fear, uh, security professionals, sometimes we put the fear in, if you do this, things are going to crash and burn. And I think, um, sometimes taking a different approach, and I don't say security professionals as an all-inclusive, um, but I think sometimes it's taking the approach of like, here's one or two quick simple things that you can do, like little bite-sized pieces of digestible information, right? 
And not the whole, the whole gamut. So like focus on one thing, like is it passwords, you know, is it whatever it may be, and, and just like one or two easy things that, that our end user can do at home or at work or whatever it may be. We are so cut from the same cloth. You know, even last year I did a talk to a bunch of security awareness professionals. I used the example of your car breaking down. You know, I built a big story, but the idea was your car breaks down, you go to a mechanic, and the mechanic kind of looks at your car and goes, and then just rattles off for, you know, 30 minutes about everything that could be wrong with your car. And literally, if that happens to me, I just go blank. Like, my brain just turns to mush. I'm not interested in. It's almost like I want to find a new mechanic. And so I totally get the mechanic you want is someone to go, what's the problem? This is what you need to do about it. Right. And bite-sized. I'm totally with you on that. Yep. And that's actually a great— I might have to steal that. I love that. I love using the car. Spread the word. Because everybody has a car or has been in a car. So I love that. Again, relatable, right? Easy. Um, to understand. Everybody's been there. I love that. Yeah, totally. Okay, so, so maybe we can dive in because, you know, our listeners here are thinking— some of them are thinking, okay, what are these bite-sized tips, Dalia? So the message actually that I probably would have shared pre-COVID is going to be a little different today. So, you know, given that most of us are now working from home, home security, right? Securing your home network, which actually then really is securing your corporate confidential information as well. Like, there, there's a blurred line there now. And so I would say that if just a— if you're like, where do I start? I don't know what security is, and I don't know how to— like, I don't, I don't know about any of this. 
My first suggestion would be let's take a look at your home, your home technology, your home Wi-Fi, your, your router, even your personal computers. Are all of these things up to date? So for our listeners, those little those annoying pop-ups that say, "Would you like to update this now?" Just do it. I know it's really important. They're really important. You know, listeners, remember when you were little and your mom would say, "No, you really need to wear a coat 'cause it's really cold outside." And you're like, "I don't wanna wear a coat." And you're like, "I know you don't wanna wear a coat, darling. You really need to wear a coat 'cause it's really cold outside." It's that kind of message. Just do it. Trust us, please. Yes, for end users, if you don't know what all of those updates include, there are these vulnerabilities or these gaps and holes in the technology. And every time they put a, push out a software update, a lot of times it's filling, it's saying, hey, we realize that somebody can actually break in. They can, you know, can compromise your personal information. And so those updates aren't to be annoying. They're really there to keep you secure. And sometimes they typically come with new fancy shiny features. So I would say update, update, update. Now on your Wi-Fi routers, there's websites that you can, uh, Google how to update that, um, your like modems and things like that. You won't— that's not going to give you a pop-up, so you have to be a little proactive there. But I'd say get your home, your home network secure. That'd be my first one. Actually, you're making a really good point. So the reason that Dalia has to say that is because everyone has a different type of router, right? And they all have their own configuration options on it, which makes our jobs, really difficult to try and give super clear advice. 
But the trick is to go see what configuration options they offer you and try and set it to be as secure as possible without totally impacting your usability. So, you're trying to be as safe as you can, same way as you are in a car. You put a seatbelt on, you use your brake, right? So, it's the same kind of thing with configuration options. So, don't assume that the default options are the safest options. Oh no, you know what, Carole, thank you, because you just brought me to, uh, a second point. You said the word default, uh, default passwords. So a lot of times, go to whatever local, uh, here in the US it's Best Buy. Yeah, yep. Um, and you go and you get a brand new Wi-Fi, uh, router modem, and you set it up. A lot of times they have these default credentials, which is your, you know, your login and your password. Let's say it's admin for the password and admin for your login. These, if you don't change that, these passwords are actually posted on the manuals, um, online. Like if let's say you lose your paper manual, you buy this thing and then you want to go online. So everybody knows that this is the password, um, so anybody can in theory break into your, your network. So, um, changing default credentials— Carole, you said the word default and I was like, that's the word I was looking for. We're on the same wavelength. Yes, I love it. Um, so change the default credentials. That is so important. Um, so, so important because really your password is your first step, um, your first line of defense into anything, really, any account that you have. Yeah, seriously. Yeah. So now we, we've got the router set up, uh, people have changed their default password and settings, they've made sure it's up to date. What's next on the list? Now, this is when we get into the could be anything, right? You're right. So what about all these IoT devices around the house? Like, surely we got to focus on those as well. This is where we get those blurred lines. 
So as— oh, my dog's like, I don't want us to talk about that. They have, you know, some beef with the doggy next door. They like to talk to each other sometimes back and forth. Yeah. They're like, yo, you stuck indoors?


GRAHAM CLULEY. Yeah, I am.


CAROLE THERIAULT. I'm stuck indoors. Sucks, yeah, it does suck. Here's the challenge, especially now as people are working from home. To your earlier point, we have different devices. So you might be an Android user, you might be an Apple user, you have gaming systems. I mean, there's a million things. I mean, our refrigerators talk to us now and tell us if we're out of milk, right? I don't have one of those super fancy ones, but I mean, there's a ton of IoT devices. And as a security organization, there's two things. We can't infringe on our employees' personal privacy, right? So, all we can do, and you don't want to push and say, like, "You guys have to do these requirements. It's your home, what you decide to do with your things." But a lot of times, if let's say your fridge or your Alexa or your phone is connected to your Wi-Fi, which is connected to your, your work machine, your corporate laptop, that's where the conflict of interest, that's where things start to get a little sticky. So here's what I would say is that offer the resources for people, put it somewhere public, like as simple as it sounds, find those websites that give everybody instructions on how to update. Pick 20 of the most common IoT devices you think you'd find in someone's house. I know Samsung does a lot of smart devices. You know, of course, Amazon and Google and all of those things. But I would say make it easy for the end user and kind of do that legwork for them. Because if you say, hey, just we gave you a site with all of the resources you need to find your, your device and figure out how to update it, I think that would be helpful. Totally. So there you go, people. That is part one from Dalia Hamzeh. She is a security awareness professional at LogMeIn, and you will hear from her again next week with part two on what are the best tips to help you secure your home environment.


GRAHAM CLULEY. Oh, that was excellent. I enjoyed that.


CAROLE THERIAULT. I knew you'd like her voice. I don't know why you've decided she'd do it with a bit more—


GRAHAM CLULEY. Oh, that was great, Carole. Good one. Excellent. Well done. I enjoyed that. Thank you, Dalia. Oh, she's gone. Well, that just about wraps it up for this week. James, I'm sure lots of our listeners would love to find out more about what you're up to. Do you have any social media presence whatsoever?


JAMES THOMSON. Nada.


GRAHAM CLULEY. Not at all. I love it.


CAROLE THERIAULT. How do we— How does he live, eh, Graham? How does he live?


GRAHAM CLULEY. Well, apparently he's on Instagram, you know.


JAMES THOMSON. I will be soon, don't worry.


GRAHAM CLULEY. Everyone will have to follow us on Twitter @SmashInSecurity, no G. Twitter allows to have a G. And you can also join the Smashing Security subreddit. And don't forget, if you want to help the show, tell your friends about it. Tell them that you enjoy Smashing Security and recommend that they subscribe in Apple Podcasts, Spotify, or Pocket Podcasts.


CAROLE THERIAULT. Yeah, Graham's getting a little nervous that my other podcast is getting a bit too many likes.


GRAHAM CLULEY. Well, what's the name of your other podcast, Carole?


CAROLE THERIAULT. I don't even think we need to repeat it. Sticky Pickles. You already said it already anyway. Thank you, peeps, for listening each week, supporting our work, sharing it with your bud buds, and of course, high five to this week's Smashing Security sponsors: Recorded Future, Immersive Labs, and of course, LastPass. Their support helps us big time in giving you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.


GRAHAM CLULEY. Until next time, cheerio. Bye-bye.


CAROLE THERIAULT. Bye-bye. Thank you, guys. We're a little, uh, we were a little subdued this week, eh guys?


GRAHAM CLULEY. We were.


CAROLE THERIAULT. I think it's because the clock's changed in Europe. I think we're all a little bit more tired than we normally would be.


GRAHAM CLULEY. It's got really— I'm in my little office and it's, it is so dark and I'm not used to it being so dark. And of course I've got no lights on other than the—


CAROLE THERIAULT. Maybe we just need digital hugs from people. Maybe we were just being a little too lonely and lockdown-y.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Yeah. All right, well, good luck with the elections, everyone.


GRAHAM CLULEY. Yeah. You want a digital hug?


JAMES THOMSON. Yeah, you're gonna— if he wins, we're gonna get a digital punch in the face. So yeah, you better hope so.

-- TRANSCRIPT ENDS --