PC manufacturer Acer might have received a $50 million ransom demand, a warning spreads on Facebook about a trick being used by hackers, and why are the City of London's police not happy about Sci Hub?
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Alex Eckelberry.
Visit https://www.smashingsecurity.com/220 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: Alex Eckelberry.
Sponsored By:
- 1Password: With 1Password you only ever need to memorize one password. All your other passwords and important information are protected by your Master Password, which only you know. Take the 14-day free trial now.
- Sailpoint: SailPoint Identity Security can help you enable your business and manage the cyber risk associated with the explosion of technology access in the cloud enterprise – ensuring each worker has the right access to do their job – no more, no less.
- Gain unmatched visibility and intelligence while automating and accelerating the management of all user identities, entitlements, systems, data and cloud services.
Links:
- Hackers cannot post Facebook comments on your behalf without you seeing it — AFP Fact Check.
- Does a Facebook Hack 'Hurt and Offend' Friends? — Snopes.
- Stop sending mail you later regret — Gmail blog.
- April Fools Check: Did Google Really Release Mail Goggles? — TechCrunch.
- When was blinking invented?
- Computer giant Acer hit by $50 million ransomware attack — Bleeping Computer.
- Ransomware gang says it targets firms who have cyber insurance. And what’s more, it will hack insurance firms to identify them… — Graham Cluley.
- Is the staggeringly profitable business of scientific publishing bad for science? — The Guardian.
- Police warn students and universities of accessing an illegal website to download published scientific papers — City of London Police.
- Meet the pirate queen making academic papers free online — The Verge.
- Sci-Hub: How Does it Work? — The Scholarly Kitchen.
- Glitterbomb Trap Catches Phone Scammer (who gets arrested) — YouTube.
- After Life — Netflix.
- The One — Netflix.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Privacy & Opt-Out: https://redcircle.com/privacy
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
ALEX ECKELBERRY. My visage is used for a large variety of romance scams, and so I'm—
CAROLE THERIAULT. Are you kidding? Are you fucking kidding?
ROBOT. Smashing Security, Episode 220: Ransoms, Scandals, and Glitter Bombs with Carole Theriault and Graham Cluley.
GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security, episode 220. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And this week we are joined by a returning guest, but a guest returning from the mists of time. Can you believe almost to the minute it is 4 years?
CAROLE THERIAULT. Pre-Rona, pre-Brexit, pre-Trump.
GRAHAM CLULEY. Since we had Alex Eckelberry on the podcast. Alex, how are you? What have you been up to for the last 4 years? What's happened to the world?
CAROLE THERIAULT. Can you make it quick? Can you make it quick?
ALEX ECKELBERRY. Nah, nothing really. You know, it's been slow. It's slow, you know, so, but I'd love to be back at the show. And it is bizarre that we're at 4 years. I mean, almost to the day. It's actually very cool.
CAROLE THERIAULT. Is there anything you want to tell anybody about who you are and what you do and why they should care?
GRAHAM CLULEY. Yeah, well— Simply the last bit.
ALEX ECKELBERRY. Why they should care? I've been told I have a good radio voice. You do. Yeah, but so I, look, I've worked in security for many, many years. And, you know, I had an antivirus software company, a company called Sunbelt Software that's now VIPRE Security. I sit on the board of a company called Malwarebytes, which is a wonderful product, endpoint security. And, you know, I was also an early board member of a company called KnowBe4, which is a security awareness training company. So I've done a lot of work on the board side. Also was a board member of StopBadware, which is the originally Google-backed outfit to help with malware on the web. So, you know, look, I love security. I live it, eat it, breathe it. And I'm definitely in the mix.
CAROLE THERIAULT. And you love the show, right?
ALEX ECKELBERRY. Well, I was going to say that of all the shows I listen to, this is not one of them.
CAROLE THERIAULT. So thanks to this week's sponsors, 1Password and SailPoint. Their support helps us give you this show for free. Now coming up on today's show, Graham, what do you got?
GRAHAM CLULEY. I'm going to be sharing with everyone a warning about Facebook.
CAROLE THERIAULT. Okay, fresh. Alex, what about you?
ALEX ECKELBERRY. Oh, I want to talk about evil, which is, you know, this ransomware as a service operation.
CAROLE THERIAULT. Cool. And I'm going to be asking whether academic research should be free for all and at what cost. So all this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, chums, have you ever had a slightly rough night on the tiles? Have you been out partying? Maybe there you were at a security conference in Prague.
CAROLE THERIAULT. I never partied.
GRAHAM CLULEY. No, you didn't do that?
CAROLE THERIAULT. I never went out, never had fun.
GRAHAM CLULEY. Alex, have you ever maybe enjoyed yourself a little bit too much?
ALEX ECKELBERRY. You know, I—
GRAHAM CLULEY. Come home with a swollen head, as it were?
ALEX ECKELBERRY. I take the fifth. I take— I hear B vitamins and water helps, but maybe you have a better idea.
GRAHAM CLULEY. Well, maybe if you did return to your hotel room or to your home and you were slightly inebriated or the worst for wear, you may think, You know what I'm going to do? What I'm going to do right now, while my judgment is obviously slightly squiffy—
CAROLE THERIAULT. Massively impaired.
GRAHAM CLULEY. Massively impaired is I'm going to send a message to my boss, or I'm going to contact my ex-girlfriend or my ex-wife, and I'm going to tell her exactly what I think because I've worked out precisely what I mean to say.
CAROLE THERIAULT. Yeah. And you're kind of— you're feeling it and you're like, and I'm going to tell you something else, you mother fairy.
GRAHAM CLULEY. At that moment, at that moment, you believe you're Oscar Wilde.
CAROLE THERIAULT. I wouldn't know, but I imagine it's very, very clear that you feel you can handle that situation at that moment.
GRAHAM CLULEY. Yes, yes.
ALEX ECKELBERRY. Nothing could go wrong.
GRAHAM CLULEY. Nothing could go wrong. No, there's no way that anything could go wrong.
CAROLE THERIAULT. You're on top of the world!
GRAHAM CLULEY. Exactly. And obviously you then send a message and it's offensive or it's, you know, something which you later regret.
CAROLE THERIAULT. Can you have one? Can you give us an example of something?
GRAHAM CLULEY. Well, it's not something I've ever done.
CAROLE THERIAULT. No, no, but in your story, I'm presuming you have a story to back up this. This isn't for chit-chat.
GRAHAM CLULEY. You make a lot of assumptions about my story.
CAROLE THERIAULT. Okay, sorry, sorry.
GRAHAM CLULEY. I think maybe you should wait and see.
CAROLE THERIAULT. Okay, sorry.
GRAHAM CLULEY. So, you know, you could send something maybe inappropriate. You know, you could criticise someone's food or their hairdo, how they have spinach stuck between their teeth on Zoom calls or whatever it is. You could send off some message or tell your wife that she has halitosis or who knows what.
CAROLE THERIAULT. What do you mean, like text them? What do you mean?
ALEX ECKELBERRY. Hmm?
CAROLE THERIAULT. What do you mean, like tell them, text them?
GRAHAM CLULEY. Well, you could send them an email maybe, or you could post a message. Maybe even worse than texting would be if you were to publish it publicly and tag them, like post it on Twitter or maybe post it on their Facebook wall and say, "You look fat in that dress." I don't know if, Alex, if you've ever been accused of looking a bit fat in a dress.
ALEX ECKELBERRY. Kilts?
CAROLE THERIAULT. Definitely a problem.
GRAHAM CLULEY. So word has begun to spread that there is a new way for hackers to hurt and insult Facebook users, and that's why I'm talking about this. As if it weren't painful enough carrying the stigma of being a Facebook user, it turns out that hackers can send hurtful comments to your Facebook contacts which look like you sent them or you posted them up on their wall, but, and here's the sneaky bit, your contacts can see the messages, but you can't see what you post. A bit like—
CAROLE THERIAULT. So you get a— oh God.
GRAHAM CLULEY. A bit like you can't see the offence when you texted or you called up someone or left them a voicemail when you were drunk. Yeah. Right? Because it's invisible to you. You can't see what's wrong with it. Well, similarly, you can't see what you've posted up on the Facebook.
CAROLE THERIAULT. Oh, I see what you've done there. Good analogy, Graham.
GRAHAM CLULEY. Right? Right.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. So thousands of Facebook users are sharing this warning across the social network and asking their friends and loved ones to share it further across Facebook. Tell all your contacts that if they get an offensive or inappropriate message from you, it's not really you. Which I think is a rather fantastic alibi because you've now been given free rein to say whatever the hell you like to whoever you like.
CAROLE THERIAULT. Oh, okay, well, why don't you tell us your top 3?
GRAHAM CLULEY. Because—
CAROLE THERIAULT. no, come on, let's do this.
GRAHAM CLULEY. Well, I'm not on Face— Carole, are you on Facebook?
CAROLE THERIAULT. No, let's imagine we're— let's do it on Smashing Security. Okay, so what honest message do you want to send?
GRAHAM CLULEY. Well, it wouldn't have— well, I mean, well, I have— is there anything that you've ever wanted to say to a podcast co-host, Carole?
CAROLE THERIAULT. No, I'm not— I have no interest in any of this.
GRAHAM CLULEY. You're just saying that you now have got a free card.
CAROLE THERIAULT. Yeah, you've got a get-out-of-jail-free card, right?
GRAHAM CLULEY. Right. 'Cause you can say, "It wasn't me. I must have been hacked." So you can see me saying, "Your feet are very big," or something like that, but I can't see it. So it must have been a hacker.
CAROLE THERIAULT. I find that interesting. And also it means that when the person calls you up and goes, "WTF?" you can go, "What are you talking about?" You can say, "Oh, what, what, what, what?" Which is the best thing to do, right? What?
GRAHAM CLULEY. Alex, are you on Facebook at all?
ALEX ECKELBERRY. Yeah, but I always thought this had to do with those sunglass ads I would get from friends, and they would always say, "No, I wasn't hacked." But you're saying you could actually use this for other things.
GRAHAM CLULEY. You could use it for all kinds of things.
ALEX ECKELBERRY. Ray-Bans. I don't know why I keep getting Ray-Ban ads from friends that are, "Hey, I was hacked. Don't click on the Ray-Ban ad." I wouldn't click on the Ray-Ban ad anyway. I was looking for sunglasses. But yes, I am on Facebook and I can definitely see that situation.
GRAHAM CLULEY. And would you find it useful? Do you think you'd quite like occasionally to use this threat as a sort of alibi, as a cover for abusing people?
ALEX ECKELBERRY. Yeah, yeah. But you know, I think people will just do that anyway. I think we've seen that on Twitter. Somebody says something embarrassing and it's like, "Oh, I was hacked. I really didn't say this terrible thing." Well, this is true.
GRAHAM CLULEY. It's true. A lot of people do claim that they've been hacked when they haven't really. There's been a series of— I think I've lost count the number of times a rapper, for instance, has said something homophobic or misogynistic. And I think there've been some politicians who in the past have liked tweets by Pornhub and things like that, and then said, "Oh no, no, no, I didn't do that." Awkward.
CAROLE THERIAULT. It seems to me like there's a few options here though, right? So either there is some kind of threat going around, in which case Facebook should come clean pretty soon and go, "Whoa, this is happening." Or people are actually getting drunk, sending the messages, and then playing—
ALEX ECKELBERRY. Or—
CAROLE THERIAULT. Or—
GRAHAM CLULEY. There is another alternative.
CAROLE THERIAULT. Exactly. I think it's a hoax.
GRAHAM CLULEY. You are absolutely correct.
CAROLE THERIAULT. There was no other option.
GRAHAM CLULEY. Your warning is entirely bogus. I've fooled you. Well, I almost fooled you, apart from I didn't fool you. Because pivot, everyone. It's a pivot. It's a pivot in Smashing Security. We're pivoting now. We're pivoting. Right? Because the whole warning is absolute nonsense. People are spreading this message saying, "Oh my goodness, hackers are posting messages on walls. You'll see offensive things, but it's not been sent by you and you can't see it." Facebook has now come out and said, "No, no, no, this is all a load of old cobblers." Right? This isn't actually happening.
CAROLE THERIAULT. Okay, then what's the motivation? It's just for people to spread it? People to tell people of something fake? Like, that's the— what's— I don't understand.
GRAHAM CLULEY. This is the whole thing, Carole. This is the whole problem with disinformation generally, right? Is that people believe that they are being helpful to each other, that they believe, I found something out. I can help my pals. I can warn them about this as well.
CAROLE THERIAULT. I read a headline. I'm now an expert.
ALEX ECKELBERRY. How many times do we see the person posting, you know, from this point forward, all my information is copyrighted by the federal code, blah, blah, blah. You know, this is a hoax, dude.
GRAHAM CLULEY. Yes.
ALEX ECKELBERRY. Yeah, exactly.
GRAHAM CLULEY. If Facebook uses any of my data without first giving me so many dollars, it's just, oh, for goodness' sake. But yes, because you see Mimi, your friend Mimi, posting this message, you think, well, Mimi's lovely.
CAROLE THERIAULT. Yeah, I love Mimi.
GRAHAM CLULEY. You're right. So, and so you just, you just reshare her message. Maybe you type it up yourself. Maybe you go and talk about it at your online book club. Maybe you discuss it in other places off Facebook as well and say, oh, by the way, did you know, did you know? This is going on on Facebook. And so people are spreading this left, right, center, upwards, downwards. And it's like an old school hoax. In fact, this hoax, if you just spent a couple of minutes researching it before you shared it on with other people, you would have found it on Snopes, which has been debunking this particular claim since 2012. So it's been going around for a while.
ALEX ECKELBERRY. But then you get the thing that you put the Snopes article and then they go, no, no, no, Snopes is owned by George Soros or something like that. So you can't win. I just got in an argument on Facebook yesterday about somebody posted a huge picture of this tree that's 2.5 miles wide. It's a fossil and it went up 10 miles. What? And it's a picture of this, it looks like this giant tree. And I looked at it and I said, well, obviously you can't have a tree that goes up 10 miles. It makes no sense. You can't have a tree that's 2.5 miles wide. So of course this is like people, oh my God, when giants roamed the earth. I'm like, okay, so I do a quick Google search, find out it's some mesa in Tunisia. And then, you know, I say, guys, this is a mesa in Tunisia. I move on. Of course, how do you know? How do you know that for sure?
GRAHAM CLULEY. Because I use Google.
ALEX ECKELBERRY. I don't know.
GRAHAM CLULEY. Have you tried this, guys? Go to google.com. Listeners, try this as well, right? Go to google.com. Other search engines are available, but on this occasion—
CAROLE THERIAULT. We'll wait while you get yours.
GRAHAM CLULEY. And I want you— I want you to Google the phrase, "Who invented blinking?" Right? Who invented blinking? Put that into Google, and you will get the following answer. Alex, are you in front of a computer?
ALEX ECKELBERRY. Can you try that? Who invented blinking?
GRAHAM CLULEY. Who invented blinking? Oh. What does it say?
ALEX ECKELBERRY. Richard Blink. Blinking was invented in 1638 when Richard Blink tried to blink twice at the same time.
GRAHAM CLULEY. And this is an answer which Google has found on Alexa Answers for some reason. So you can't trust Google about that tree, can you? No. Maybe they're lying about it.
ALEX ECKELBERRY. No, exactly.
GRAHAM CLULEY. It's possible, isn't it?
ALEX ECKELBERRY. And also Soros is involved, I assure you.
GRAHAM CLULEY. Soros has got to be involved somehow, hasn't he? So.
CAROLE THERIAULT. Okay, but you know what? I kind of think it gives me hope for humanity. Oh really? The fact that all these people want to help other people by telling them. So the engine is working. It's just the start of the information being shite, right? The engine of communication is working fine. We can't blame that.
ALEX ECKELBERRY. Yeah.
CAROLE THERIAULT. It's just that the information was wrong.
GRAHAM CLULEY. Yeah, but good intentions, you know, aren't always—
ALEX ECKELBERRY. What, Graham?
CAROLE THERIAULT. What, is that why you never have any?
GRAHAM CLULEY. Oh, Carole, that was funny. I think maybe we should get a seatbelt for internet users. That they have to wear, you know, or something which just prevents them from— Well, something which stops— Do you remember back in 2008, right? This isn't just a Facebook problem, but email, as you mentioned. 2008, Google introduced a feature to Gmail called Mail Goggles. I think they got the name from beer goggles. So, you know, the experience when you go to a bar or something and you drink too much beer and suddenly everyone becomes 3 times more attractive. Than they are in reality.
CAROLE THERIAULT. Are you explaining the one thing that every fucking, fucking person in the entire universe knows?
GRAHAM CLULEY. But yes, go ahead. Now, with Mail Goggles on Gmail, if you enabled the feature, what it would do is it would ask you to complete a few simple maths problems in a limited period of time. So say 29 14 and things like that, right? Before it would send an email and it would activate automatically late at night on weekends when they thought you were most likely to be drunk emailing your ex-girlfriend or telling your boss what you thought of him. And maybe that was a good idea. And maybe we should have something like that on WhatsApp and Signal and Slack and everything else, just in case people are, you know, doing things before thinking.
CAROLE THERIAULT. Well, food for thought, Graham. Food for thought.
GRAHAM CLULEY. Thank you very much. Alex, what story have you got for us this week?
ALEX ECKELBERRY. Well, we all know what ransomware is, right? And it is a plague. And there's this one particularly vile piece of ransomware called REvil. The name is actually inspired by the Resident Evil movie series. And REvil is a ransomware as a service. So if you're an aspiring lowlife criminal, you can contact the REvil folks and say, "Hey, can I become an affiliate?" And then REvil will cut you in for part of the profits, and then you go off and try to hack into somebody. So—
CAROLE THERIAULT. Software as a service.
ALEX ECKELBERRY. It is exactly that. And the REvil folks, they even went so far as to have a blog, which they call, with great irony, Happy Blog, where they post— it's literally what it's called— where they post examples of stolen data and then threaten to release the files if they don't get paid the ransom. So you get hacked and then they post a bunch of— they almost always hack corporate networks and they'll post a picture of, here, we've got this spreadsheet of all your customers or your— this spreadsheet, whatever. And then of course that's public. Because of this Happy Blog, some very enterprising security researchers, including people at Bleeping Computer and a few other places, discovered that REvil is claiming they have attacked Acer and are demanding a $50 million extortion. Now, they put up some leaked documents allegedly from Acer, including financial spreadsheets and bank balances and that sort of thing. And there's kind of this weird back and forth, and I guess some security researchers can kind of figure this out, that the REvil folks have actually been enterprising and are offering a 20% discount if they got it by March 17th, which of course has already passed. Now, it's up till March 28th to meet the demands. And after that, it goes double, $100 million. This is the biggest one we've seen from this group. I think last year, there was one for around $30 million. This is rough. Of course, Acer has said, in their defense, they've said there is an ongoing investigation and they're unable to comment. They haven't actually confirmed this. To their credit, this is still an ongoing situation.
GRAHAM CLULEY. It's what we call a brown alert in the industry, isn't it? That's what they're currently experiencing.
ALEX ECKELBERRY. Exactly.
CAROLE THERIAULT. Do you think they're going to pay?
ALEX ECKELBERRY. From what I can see, there is a negotiator. There's an interlocutor. Interlocutor.
CAROLE THERIAULT. Going, "Look, $10 million, guys.
ALEX ECKELBERRY. Come on, $10 million." It's exactly that according to this one website, that was actually— $10 million was proposed.
CAROLE THERIAULT. Oh, really? There you go. I can be a negotiator. Anyone need a— yeah, I'm there.
ALEX ECKELBERRY. Yeah, exactly. Now, and again, we don't really know much about what's going on back and forth. So, you know, again, we shall see what happens, but it's certainly a heck of a story. And, you know, it might have even come— we don't know this for sure, but it might have even come from this really nasty Exchange server exploit that's been going around.
CAROLE THERIAULT. Yeah, we covered it actually a few weeks ago. Exactly.
ALEX ECKELBERRY. Yeah. Oh, and so, you know, I mean, is Microsoft doing an out-of-band patch for Exchange Server? You know, if you're running Exchange Server, definitely get updated. So we don't know. Again, there's a lot of speculation, but, you know, it really goes to show, though, there's these holes that ransomware folks go after, and including, you know, Remote Desktop Protocol, which is how a lot of people enter remote networks. That's a bad one. You know, again, patch your systems, disable RDP, you know, get a security expert to audit your systems and check it, because when you get this stuff, it's, it's very bad.
GRAHAM CLULEY. Yeah. I wonder if— does Acer have cyber insurance? Because the REvil gang, there was an interview done with a member of the REvil gang in the last week or so, a chap going by the name Unknown. The guys at Recorded Future interviewed him. And one of the things which he said was that they target organizations that have cyber insurance because they presumably think they're more likely to pay up because they've already spent money on the insurance.
CAROLE THERIAULT. Yeah, they're not personally liable or whatever. They're not, yeah, they're not going to go get tanked.
GRAHAM CLULEY. And the fascinating thing about this is that the, the REvil gang claim that what they actually are doing is they're hacking the insurers first to get their customer base to find out who's insured. They then hack those who are insured, and then afterwards they hit the insurer as well. So it, it's quite clever and quite targeted, some of the things which they're doing right now.
CAROLE THERIAULT. And also insidious though, to the whole model of insurance, right?
ALEX ECKELBERRY. At the, at the end of the day, whether they're targeting insured companies or not, which by the way, I would not be surprised. Really, if you run a business and you're in IT and you're a smart person, there's some very basic things you can do to protect yourself against ransomware. There's plenty of good advice out there, but realize that it is a real issue. It was heartbreaking. A few years ago, I had a very close friend of mine who got hit with ransomware and he called me up and he had 3 servers. He's running an internet business. He got hit and it was a lot of money and it's terrible when it happens. So not to be a downer, but it's just, it's basic security. Put it in, put it in place, put it in hard. It's not like the world is coming to an end, but it's definitely when it happens, it's not something you want to have to experience.
GRAHAM CLULEY. Wise words from Alex there. Security, put it in, put it in hard. Good. Excellent.
ALEX ECKELBERRY. You know that, that's why they have me on Podsecurity Podcast.
GRAHAM CLULEY. Carole, what have you got for us this week?
CAROLE THERIAULT. Right, so we're talking about Sci-Hub. Have you guys ever even heard of that?
GRAHAM CLULEY. Sci-Hub? How do you spell sci? As in, uh—
CAROLE THERIAULT. Like science, like S-C-I.
GRAHAM CLULEY. Oh, okay. Okay. All right.
CAROLE THERIAULT. Okay?
GRAHAM CLULEY. No, I haven't heard of that.
CAROLE THERIAULT. Okay, perfect, perfect, perfect. This weekend, I was like seeing these headlines, you know, police warn students to stay away from illegal and dangerous website Sci-Hub. Asking IT departments to block access to Sci-Hub on networks. And I'm like, oh, this is interesting, right? So I start doing a little digging.
GRAHAM CLULEY. Yeah, what is it?
CAROLE THERIAULT. Okay, so Sci-Hub, created in 2011, and it's a series of websites that basically gives visitors free access to published scientific papers.
GRAHAM CLULEY. Oh, right.
CAROLE THERIAULT. Any scientific discipline.
GRAHAM CLULEY. So if I published a scientific paper about, I don't know, my toenails or something.
CAROLE THERIAULT. Oh yeah, sure, your toenails.
GRAHAM CLULEY. I'm just looking at what I can see in front of me, and we're not directly— they're not on the tabletop. But anyway, but you know, but then other people could look that up and read about my research.
CAROLE THERIAULT. Yeah, exactly. Now this site was created by this Kazakhstani-based computer programmer called Alexandra Elbakyan, okay? And she was born in the mid-'80s, and no surprise, she seems to be a super strong supporter of the whole open access movement, OA, for short. And it's like basically this set of principles where basically research outputs are distributed free of cost and without barriers. So anyone can access it anytime.
GRAHAM CLULEY. All right.
CAROLE THERIAULT. So, so okay, so before we get into it, like, do you— what do you think of that as a, as a general sense? Like, do you think research should just be made available? Or do you think—
ALEX ECKELBERRY. So I've actually experienced this because I'm a fiend for, you know, reading these types of things, especially during COVID you know, you're just, you're sitting at home and you want to learn more about this And I certainly ran into this where I would start to Google, you know, various epidemiological studies and that sort of thing, just understand what we were dealing with. And of course you do hit the, uh, the, the, the paywalls. Now, whose economic benefit? I don't know if the researchers are getting— I mean, if somebody at Stanford or Harvard or, you know, or, or even my, you know, local, you know, University of Florida here is doing a, a, a, a, you know, some postdoctoral research on, on, you know, some sort virus strain, I don't think they're getting paid for that, right? And so there's, there's some economic interest on these, on these aggregators of data, and but there's a value to what they do. They manage a peer review process, they manage how people, you know, get the data disseminated, they ensure that the data is vetted, there's an editorial process.
GRAHAM CLULEY. So you—
ALEX ECKELBERRY. we have to respect that, but the actual research itself is in many cases coming out of public dollars, right? So It's a tough one.
CAROLE THERIAULT. No, no, you're exactly right. So, not everyone is a fan of this because me, in principle, I am totally a fan of this. I think information, once vetted, should be made accessible to everyone rather than all the junk we have available, like, to wade through a pile of shit to get anything valuable on the internet. And there's companies, like publishing companies like Elsevier, who make their cash by providing paid access to research, like, exactly as you said. So, on average, Elsevier will charge $31.50 per paper for access, whereas repository outfits like Sci-Hub will offer them for free. Okay. And Elbakyan's whole position is taxes pay for universities, universities produce research, they then pay publishing companies to publish the research, and then they have to pay to access said research and research from other universities or science labs. And that's a big problem with someone who supports open access, because it's a very different model, isn't it? All this to say, Sci-Hub and Elsevier are not the best buddies.
GRAHAM CLULEY. Elsevier aren't going to be sponsoring our podcast anytime soon, are they?
ALEX ECKELBERRY. Yeah, I guess we just lost them.
CAROLE THERIAULT. And problem number 2 is Sci-Hub got really, really, really big, really, really fast, okay? So for context, just know that Facebook managed 6 million users in its first year. Okay. So in 2017, 6 years after Sci-Hub had launched, it had 70 million papers represented. That's two-thirds of all published scientific research available.
GRAHAM CLULEY. They just scooped them up and made them accessible.
ALEX ECKELBERRY. Wow.
CAROLE THERIAULT. And today it's now 80% of the current available scientific papers out there. Okay. Now listen to this: the volume of data is roughly 2.5 times the size of Wikipedia.
GRAHAM CLULEY. Oh my goodness. So you can imagine why many people might want to use that site.
CAROLE THERIAULT. Well, exactly. If you're a student and you're doing some research and you need to learn about something, what better place than this? It's a juggernaut of a site, but there is a little issue. Let me get to that in a sec. So she's basically saying, fuck you, academic publishers, right? I don't think you should be putting a paywall here. And she also has a ginormous amount of clout because she's got a lot of articles up there. So, I was like, how— I'm sure you're wondering the same thing. Like, how did she scoop them all up, right? They are behind paywalls. So, let me tell you how it works. This is based on the Scholarly Kitchen. So, let's say you want to learn about something. You may do a Google search and you would see Sci-Hub pop up somewhere. You would click on Sci-Hub and a captcha would show up to verify that you're not a bot, of course. Ironic, but there you go. Now Sci-Hub works with a repository called Library Genesis, or LibGen, and that is basically where all its research sits. You put a request in, it then puts the request to LibGen. LibGen, if it has the research you're looking for, it then sends you a copy. However, if it does not have a copy in LibGen, then it uses multiple institutional access systems, okay, to search across publisher platforms like Elsevier perhaps and others, bypassing any access control barriers, and it retrieves a copy of the item. It delivers a copy to the user who requests it, and it stores a copy in LibGen so it's easier to serve up next time. So effectively, it's stealing the research and making it available to all.
GRAHAM CLULEY. So these papers aren't necessarily hosted on Sci-Hub's own servers, but it will, it finds a way of giving you a link where you can access them. Is that right?
CAROLE THERIAULT. No, no, no. It downloads it, gives you a copy, right? Because you've asked for it. But it also keeps it in its LibGen. So it grows every time you search for something new. Like, basically like Google, for every search it can add or, you know, add or use something that it already has. And during this whole process, Sci-Hub asked for donations. Which is how it makes its money. Bitcoins are preferred. So you can see why Elsevier are very pissed, right? And they've been pissed for a while.
GRAHAM CLULEY. So they're grabbing the credentials of maybe legitimate students and staff at a university to then use the university's own search engine.
CAROLE THERIAULT. So it's not really search engine. Every university has logins to these publishing firms, right? So that they can access the research and they have authentication processes to go through in order to access that research. And authorities in the US and the UK are saying that Sci-Hub uses techniques like phishing to get a hold of these legit authentication logins to get into these research papers, and then using them to scoop up the research. And this is where it gets kind of interesting, because obviously we can all understand why Elsevier and other publishing firms are really pissed off, because it's cutting off— it's hitting their business model. Now, of course, Elbakyan strongly denies this, right? She says that it mostly came from exploiting libraries and university subscriptions, saying that she gained access to around 400 universities that way. And she says also that many academics have offered in their login information. But, you know, 2.5 times the size of Wikipedia.
GRAHAM CLULEY. Well, why would anyone give their login information to Sci-Hub knowingly and consciously?
CAROLE THERIAULT. A, because you want lots of people to read your frickin' paper. Maybe. And they might be pissed off that it cost a fuckton of money to access this research normally.
GRAHAM CLULEY. Is that a metric fuckton or a regular fuckton?
CAROLE THERIAULT. Big-ass fuckton.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. So huge brouhaha ensues, and Sci-Hub end up getting sued successfully twice by US-based publishers. This happened both in 2015 and in 2017, but the site continues to operate. Because it's in Russia, outside US jurisdiction. PayPal blackballed them as well, but now they use bitcoin. So it's kind of like the WikiLeaks of science research. Do you think it's kind of like that? It's like we're publishing information that's not ours for the benefit of all.
GRAHAM CLULEY. But they've also allegedly, according to the UK police at least, they've also grabbed people's login credentials and passwords, and presumably they are storing them in some fashion on their servers. And do we have any confidence that that is being done safely and securely?
CAROLE THERIAULT. Do we have that with any company, to be fair?
GRAHAM CLULEY. Yeah, but this is—
CAROLE THERIAULT. Yeah, I know, I mean, but, you know, I mean, you know. Anywho, the City of London Police late last week issued a press statement saying students stay away from the site. IT guys at universities block access to Sci-Hub as well because A, it's an illegal site, and B, they operate in a way that is deemed dangerous. I'd love to know what they mean by illegal site though. I mean, I think, is it just like Pirate Bay?
GRAHAM CLULEY. From the description you've given me, the website is illegally accessing, without proper authorization, the servers of universities and accessing material there. So it doesn't have legitimate authorization to do that. So it is doing things which appear to be illegal. So there's a simple solution here. Well, I say simple, it's not that simple, but there is a solution to this, which is two-factor authentication. If these universities had two-factor authentication rather than simply username and password, then the username and password won't be able to be abused by Sci-Hub, as the police are alleging, because that magic 6-digit token or whatever would be changing every 30 seconds. So the legitimate student would be able to enter it, but it would be useless for Sci-Hub, right? Yeah.
CAROLE THERIAULT. And you also think if this phishing shit is going on, you—
GRAHAM CLULEY. I think phishing shit, by the way, I think that's a different name for caviar.
ALEX ECKELBERRY. Yeah.
CAROLE THERIAULT. Basically, the takeaway is whether you're pro or against open access as a concept, right? If you were a student, make sure you have a long and unique password for all your accounts. Okay. That's just an easy no-brainer. And put on two-factor authentication if at all possible. Two, this site is considered illegal, and I'm not sure exactly what that means for you as a visitor of those sites, okay? And I did try and look, so, but I think that means be very careful before you visit the site or share links to it. I saw a number of articles about people saying, would it be illegal to share a link to an illegal site, right? Even if you don't go to the site, like it's, you know, there's a whole legal quagmire there.
GRAHAM CLULEY. Yeah, and I think the other thing that universities could do perhaps, if people are accessing this from the university campus rather than from their home, so it depends on where you are being a student, is of course you could block access to this site.
CAROLE THERIAULT. They keep repeating that, like, that's what you could do as the IT people is to block access to the site. You can also go to arxiv.org, that's A-R-X-I-V dot org, that's currently the largest legal source of open access papers. So that one at least is legal. And you know what, ask the person who wrote the paper. 9 times out of 10 they'll just say, "Oh yeah, I'm so delighted, here you go." Done.
ALEX ECKELBERRY. You know, it's actually— the point you make is very valid there. I actually had a COVID paper that I was very curious about, about the vaccine, and I just emailed the author and I said, you know, I have some questions on this. He's a professor at a major university. He emails me back and answers my question. So it's not like it's all ivory tower. A lot of these folks are accessible. And, you know, a lot of these people are in this field because they want to help.
CAROLE THERIAULT. Yes, totally.
GRAHAM CLULEY. I had my first vaccine jab last week, actually. It was great. I had the Oxford AstraZeneca one. No side effects at all. I'm completely—
CAROLE THERIAULT. Wow.
GRAHAM CLULEY. No, it was all right, really. Well, let's move on.
CAROLE THERIAULT. Okay, pop quiz. How do you get the highest level of privacy without sacrificing convenience? Choosing 1Password for your business, that's how. It offers end-to-end encryption you can count on. You get auto-lock and manual lock for the 1Password app, multifactor authentication, safe autofill on secure websites, privacy cards, and loads more. Plus, if you switch to 1Password, you can receive its switching bundle. It includes a subscription credit towards your current password manager, hands-on migration support, and free family accounts for every single member of your team. Go to smashingsecurity.com/1password. And thanks to 1Password for sponsoring the show. You know you can't do business without technology, and you also know you can't securely access technology without identity security. Enter SailPoint, identity security for the cloud enterprise. It enables access and protects businesses with automated, managed, and governed access in real time with AI-enhanced visibility and controls. SailPoint lets companies run with speed, security, and scale in a cloud-critical, threat-intensive world. Plus, it tracks usage and enforces policies for all users, apps, and data continuously. Want to learn more? I bet you do. Check out smashingsecurity.com/sailpoint. That's smashingsecurity.com/sailpoint. And thanks to SailPoint for supporting the show.
GRAHAM CLULEY. And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
ALEX ECKELBERRY. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
CAROLE THERIAULT. Should not be.
GRAHAM CLULEY. Well, my pick of the week this week is a little bit cybersecurity-oriented, I'm afraid, but it is also quite entertaining. It's all to do with phone scammers. Now, are you familiar with the YouTuber Mark Rober? He is a YouTube star. He's got gazillions of subscribers, including my 10-year-old son. He's famous for making videos about obstacle courses for ninja squirrels. Filling swimming pools with jelly. And also he did a great video a couple of weeks ago about the Perseverance Mars rover, which actually he had worked on. He'd worked on a pre— some previous Mars rover type thing. So he knows all about the science as well. He is a social media star and does some great videos. Quite entertaining.
CAROLE THERIAULT. Are you jealous of him?
GRAHAM CLULEY. Yes, completely.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Now, one of the things he's done in the past is he has produced a glitter bomb trap. Which he has devised himself, contains a camera inside it, and it explodes with lots of glitter, and it records people and even sprays fart smell over people who steal packages from people's doors. So what happens is the Amazon driver comes along, he dumps something on your porch, and then a criminal comes along walking down the road, an opportunist, and thinks, oh, I'll have that. They take it, and then he records, and these videos come out, and they're covered in glitter so the police know who they were, right? So he's done that in the past.
CAROLE THERIAULT. So he's basically a vigilante taking the law into his own hands. He's doing him fair. Glitterifying the—
ALEX ECKELBERRY. The video is schadenfreude. I've watched that video. It is total schadenfreude. It's like, yeah.
GRAHAM CLULEY. So the latest video from him, which has come out in the last week, targets not these people who steal the actual parcels, but instead it targets phone scammers. So the people who ring up little old ladies and trick them into— well, the specific confidence trick is they ring you up, they say, "We owe you a refund for something or other," and then they trick the little old lady into believing they've been given maybe $20,000 rather than $200.
CAROLE THERIAULT. Is it always a lady, or do guys get fooled? Are they too smart?
GRAHAM CLULEY. Can happen to guys as well.
CAROLE THERIAULT. Okay, I just want to make sure. Yeah.
GRAHAM CLULEY. But it principally happens, it appears, to people who are elderly, who are particularly susceptible to this. So the scam is, you accidentally, you believe that you've had $20,000 put into your account because you can see it on your online bank account, and the scammer has remotely accessed your computer and has changed the appearance of what's on your screen. And then the phone scammer says, "Oh, I'm going to lose my job, this is disastrous, but we can fix this. Can you mail me back via UPS or FedEx the difference? So please send me $19,000 or whatever it is to make up for it." Right. And people do this. People put huge amounts of money in the post. Now, what Rober did was he intercepted, with the help of some other fantastic YouTubers who fight phone scammers like Jim Browning, he intercepted some of these calls. Told the people who were about to be scammed about what was going to happen. And in the place of the parcel they were going to send, instead sent a parcel with a glitter bomb inside it. So it didn't have money inside, it had a glitter bomb instead. And so—
CAROLE THERIAULT. And a remote camera.
GRAHAM CLULEY. With a remote camera and GPS and everything else.
CAROLE THERIAULT. And you love it, right? You love it.
GRAHAM CLULEY. You've got to check out the video. It's quite entertaining.
CAROLE THERIAULT. You know what? Your birthday's coming up and— I'm going to give you two presents.
GRAHAM CLULEY. Anyway, go and check it out. Links in the show notes. Alex, what have you got as your pick of the week?
ALEX ECKELBERRY. I love it. I love it. Well, I mean, the scams online are wicked. Unbelievable. And I mean, you know, there was my daughter was shopping for some, some car or some— she was shopping for a golf cart. Cart. Uh, and, and, you know, there's this incredible deal on the golf cart. Of course, you contact this person, well, they want to contact you offline, and then there's all this stuff. And of course, you're, you're going to end up having to send some money to somebody that you're never going to get anything for. So be careful out there.
GRAHAM CLULEY. Uh, yeah.
ALEX ECKELBERRY. And, you know, I, I just got a bizarre little side note. My, my visage is used for a large variety of romance scams. And so I'm—
CAROLE THERIAULT. are you kidding? Are you fucking kidding?
ALEX ECKELBERRY. Yeah, yeah. So I get— I get—
GRAHAM CLULEY. Alex, you— you— Alex, you are a good-looking— you're a good-looking fellow.
ALEX ECKELBERRY. Oh no, no, no, this is— this is bad. No, it— it targets a particular woman of a certain age. Um, let's be honest. But I get these— I get these— I honestly— all joking— I get these heart-wrenching, heart-wrenching texts or people—
CAROLE THERIAULT. This one woman, you know, emailed me, said, I'm sorry, your phone number is included.
GRAHAM CLULEY. Oh, what? Hang on, do they do a reverse image search and find you?
ALEX ECKELBERRY. They do a reverse— they find me. And then like this one woman, she emails me, she got me, she got my Gmail address for some reason, and she goes, I'm sorry that you had to, you know, you just no longer talk to me and you've broken up with me. And I emailed her back, I have no idea what you're talking about. Yeah, the scammer took her for something like, you know, $9,000. I mean, but it happens routinely, and, and— You bastard, Alex.
GRAHAM CLULEY. You bastard.
ALEX ECKELBERRY. I know, exactly. I actually— apparently I adopted a woman, an Indian adopt woman's child in Indonesia. So yeah, yeah, yeah, yeah. No, this is, this is, this is real. I mean, I've got— this happens to me literally on a constant basis.
CAROLE THERIAULT. I think I would feel like I'd feel phantom guilt even though it had nothing to do with me. Yeah, just for existing.
ALEX ECKELBERRY. 100%. I feel—
CAROLE THERIAULT. and being you.
ALEX ECKELBERRY. I feel awful.
GRAHAM CLULEY. That's what he tells Mrs. Eckelberry. Sorry.
ALEX ECKELBERRY. Anyway, yeah, but, uh, you know, I, I, I, I, I have to blame myself for, you know, listen, obviously I posted pictures of myself, uh, online on Facebook, so I've had to, you know, get my—
CAROLE THERIAULT. Are you nude in these?
GRAHAM CLULEY. No, in the Speedos? Is it?
ALEX ECKELBERRY. No, no, this is budgie smugglers.
CAROLE THERIAULT. No. Okay, if you're not sending romantic Fabio-like pictures of you, like in the, you know, like Tarzan getup or something.
ALEX ECKELBERRY. Yeah, yeah, no, that was, that was definitely when I was in my 20s, and those pictures, uh, you know, maybe it's like the Garry Kasparov photo shoot in Playboy.
GRAHAM CLULEY. Maybe it's like that. They're all at it. The hairy shoulders.
ALEX ECKELBERRY. Garry Kasparov had a photo shoot in Playboy?
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Yeah. He was on our show recently.
GRAHAM CLULEY. Yeah. Okay.
ALEX ECKELBERRY. Well, that's something I needed to— really didn't need to know, but thank you. So yeah, anyway, this does happen. These romance scams are out there. I don't know why we got into them. We're talking about scams But this is something that is— I mean, you know, we could do a show on this because apparently I've become an expert.
GRAHAM CLULEY. I think we should. I think we should. Yeah, specifically, why have we done all the rest of this show? It should all have been about Alex Eckelberry, the romance scam.
CAROLE THERIAULT. Let's re-record.
ALEX ECKELBERRY. Yeah, it's humiliating. Please, please, please.
GRAHAM CLULEY. Fall in for a romance scam with Alex Eckelberry's face. Carole, what's your pick of the week?
CAROLE THERIAULT. Okay, well, mine is definitely not security related. My pick of the week is a new Netflix show that I know you've watched, Graham. I know you know what this is, and I know, yeah, you've got some issues because it's called The One. Yes, and it has a very similar premise to the Amazon show which I reviewed a few weeks ago, and I can't remember the name of—
GRAHAM CLULEY. Soulmates.
CAROLE THERIAULT. Soulmates, exactly. Similar to that one, uh, but a little bit different. So this one's like love and lies kind of spiral out of control where when this DNA researcher discovers a way to find the perfect love, like the one true love, and then creates this bold new matchmaking service. So that's like the premise as you open, right? And the whole first episode is like she's at the top of her, you know, find your number one love game. And, you know, she's the CEO of the company.
GRAHAM CLULEY. She's like Elon Musk or the CEO of the company.
CAROLE THERIAULT. Yeah, she's like Elon Musk.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. But then a body's recovered from the Thames, and it's someone she knows, and the cops are sniffing around. And you've got founders, and you got all kinds of action-packed type deception stuff. And it's— but I found it a very solid piece of entertainment, you know? Graham?
GRAHAM CLULEY. Well, I think the premise was quite fun, because I have watched this on your recommendation. The premise was quite fun, which was imagine a world where you can sign up for a service, and it will tell you the one person you are guaranteed to fall in love with and they will fall in love with you on a biological level.
CAROLE THERIAULT. Were you hoping they would have like a little questionnaire at the end or something?
GRAHAM CLULEY. No, I just, I thought, oh, that could be fun because imagine how that would change the world if that were to happen and people would get divorced and, you know, all the melancholy if your true one love got crushed by a steamroller or something. You know, I thought, oh, this could be interesting. But what a load of old cobblers it was watching this show. I'm sorry, Carole.
CAROLE THERIAULT. It was— I was getting so annoyed by— So it made you feel something, check.
GRAHAM CLULEY. It did.
ALEX ECKELBERRY. Annoyance?
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Well, anything, anything at this point.
GRAHAM CLULEY. I seem to remember I was halfway through episode 2 when I texted you and I said, does this get any better? Is it worth watching anymore? And you said, oh yes, there's going to be twists and turns. And so I watched all ruddy 8 episodes. Yeah. And I— okay, I don't want to be— I don't want to slag off your pick of the week.
CAROLE THERIAULT. Oh, well, no, you haven't done that yet. No.
GRAHAM CLULEY. But it wasn't for me. It wasn't for me. I have to say, I found some of the plotting absolutely ridiculous. And I was just—
CAROLE THERIAULT. This from a Doctor Who fan.
GRAHAM CLULEY. I spent a lot of my time just going, "That wouldn't happen." From a Doctor Who fan.
ALEX ECKELBERRY. Yeah, but Doctor Who's different. That's about time travel, which we know occurs.
CAROLE THERIAULT. You get garbage cans turned upside down coming after you. And that could happen. That could happen. The plunger is coming at you. The whisk. Oh no, not the whisk. Okay. Anyway, I thought it was great. She has excellent clothing. If nothing else, guys, watch for the stylish, stylish, stylish Rebecca Webb. And I thought it was great.
ALEX ECKELBERRY. And Graham, can we watch it together? Look at the dresses and stuff?
CAROLE THERIAULT. It's on Netflix. It's called The One. Choose your side, Graham or Carole.
GRAHAM CLULEY. Yeah, that's all I can say. They'll quit after episode 2, I'm sure.
ALEX ECKELBERRY. Yeah, well, you know, if you're gonna throw out a movie, I'm just gonna throw out one. I'm gonna say Afterlife with Ricky Gervais is delightful.
CAROLE THERIAULT. Oh yes, I've not watched all of it. Is it good?
ALEX ECKELBERRY. Oh, it's so delightful. It's just like very, very— a lot, a lot of heart. Mm-hmm. Good show.
GRAHAM CLULEY. Well, on that note, we've just about wrapped it up for this week. Alex, I'm sure lots of our listeners would love to follow you online, maybe get into a romantic relationship with you.
CAROLE THERIAULT. Get your phone number.
ALEX ECKELBERRY. 555. @AlexEckelberry on Twitter. So @AlexEckelberry. Okay.
GRAHAM CLULEY. Fantastic. And you can follow us on Twitter @SmashinSecurity, no G, Twitter won't allow us to have the G. And we're also on Reddit. Just look for the Smashing Security subreddit. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app. And if you want to do something for the show, sure, you could become a patron, but you know, hey, that's going to cost some money. Maybe just tell your friends about Smashing Security. Spread the word. That's one of the best ways in which you can help us.
CAROLE THERIAULT. But hey, listen, you already help us by listening to the show. Special thanks go out to 1Password and SailPoint, as well to all our Patreon supporters. All these people help make this show free for all. For additional information on any of the stories we've covered here, sponsorship details and the entire back catalog of 219 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Until next time, cheerio. Bye-bye.
ALEX ECKELBERRY. Bye.
GRAHAM CLULEY. Oh, what, you're not going to say bye, Alex?
CAROLE THERIAULT. Oh, God.
GRAHAM CLULEY. It's just a bit antisocial.
ALEX ECKELBERRY. Bye. Well, it's always hard when you're on someone else's podcast. You don't always know the rules. You kind of just—
GRAHAM CLULEY. I don't know. We're just teasing you.
ALEX ECKELBERRY. Okay, so bye-bye-bye.
GRAHAM CLULEY. Take 2.
ALEX ECKELBERRY. Take 3. Bye-bye-bye. You can see me on the internet.
-- TRANSCRIPT ENDS --