This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley
Google's down. Can't get to Google. It's gone kaputt, they said. And it had. Not google.com, but google.com.ar.
Carole Theriault
I'm just impressed they're using German.
Mark Stockley
What?
Carole Theriault
Yeah. Kaputt.
Graham Cluley
Oh, kaputt is German?
Mark Stockley
Well, famously, famously, there are quite a lot of Germans in Argentina.
Carole Theriault
But we don't like to talk about that.
Unknown
Smashing Security, Episode 225: Master of Your Domain, Gripe Sites, and John Deere Farmageddon with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 225. My name's Graham Cluley.
Carole Theriault
And I'm Carole Theriault.
Graham Cluley
And we're joined this week by returning guest, it's Mark Stockley. Hello, Mark.
Mark Stockley
Hello.
Carole Theriault
The chicken guy.
Graham Cluley
The weirdo from the video stream.
Carole Theriault
He was not a weirdo. Weirdo!
Graham Cluley
It was a bit weird.
Carole Theriault
No, it was a bit weird.
Graham Cluley
It gave some people nightmares, let's be honest.
Mark Stockley
You're referring, of course, to the live Christmas special.
Graham Cluley
I am, yes. A while ago now, isn't it? Maybe it's time for us not to do one of them again.
Carole Theriault
Exactly. Now, Mark, is there anything you want to shout about or plug at this stage?
Mark Stockley
Can I do a hat tip to my beautiful wife? She and the company that she works for did some research into some fairly horrible WhatsApp-based stalking. Do you know when you use WhatsApp, it basically tells the mothership when you're online?
Graham Cluley
Uh-huh. Right.
Mark Stockley
And you think you can turn that off, but you can't. There are other things that you can turn off that are a lot like that. But there is actually an online status that you can't turn off. And what's happened is this ecosystem of apps and websites has grown up around this undocumented API that allows them to tell when other people are online. And so what's happening is that people are using these apps to try and work out if their partners are having affairs by putting in the phone numbers of their partner and the person they think they're having an affair with, and then comparing when they're online on WhatsApp.
Carole Theriault
Oh, for God's sake.
Mark Stockley
And it all sounds kind of a bit jovial and fun, but this is actually quite serious enabling of stalking behaviour.
Graham Cluley
So this isn't visible via the regular WhatsApp app, but is via the WhatsApp API.
Mark Stockley
So the API that the app uses— The app uses the API to tell—
Graham Cluley
Should we have her on, Mark?
Mark Stockley
Yeah, probably. Rather than you.
Graham Cluley
Because you don't really seem to—
Carole Theriault
I think we need to get Mrs. Stockley on here, 'cause she sounds smart.
Mark Stockley
She could probably describe this really well.
Graham Cluley
We'll put a link in the show notes.
Carole Theriault
Enough said. She impressed the pants off you.
Mark Stockley
Yes, she did.
Carole Theriault
Thanks to this week's sponsor, 1Password. Its support helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
Graham Cluley
Oh, I'm going to tell you about how Google got itself into a tango in Argentina.
Carole Theriault
OK. And Mark, what about you?
Mark Stockley
I am going to be talking about the most secure software company in the world.
Carole Theriault
And I'm gonna tell you just what the heck gripe sites are. All this and much more coming up on this episode of Smashing Security.
Graham Cluley
Now, chums, have you ever dreamt about being the supreme leader in a country? Maybe a little tinpot country, republic somewhere?
Carole Theriault
Why tinpot?
Graham Cluley
Well, you know, I'm— What country have you dreamt of being the Supreme Leader of?
Carole Theriault
Well, not a country, a planet, right?
Graham Cluley
Now, would you be Empress Eternal? Would you be dictator?
Carole Theriault
What—
Graham Cluley
I wouldn't
Carole Theriault
I wouldn't be a dictator. I'd probably be like a big hippie. It wouldn't work out very well.
Graham Cluley
It wouldn't work out very well, would it? Sometimes you need a rod of iron.
Carole Theriault
My eye would be off the ball.
Graham Cluley
Someone to keep an eye on all the minions, someone to zip around on a speedboat. Bestowing decrees. Well, forget all your dreams, Carole and Mark, because I'm going to crush them for you. It's very unlikely you will ever be the Supreme Leader. It's a life which is out of the reach of most of us. But what about having the number one website in a country? Wouldn't that be kind of— wouldn't that be a substitute?
Mark Stockley
Is this just a very long-winded way of you saying your website's doing quite well? You've noticed that the traffic on your website has gone up a little bit, and you're trying to convince us that in a way that makes you like the leader of a country. Okay. All right, Graham. All right, Graham. You're the leader of Grahamland.
Carole Theriault
I'll give you a clue. I'll give you that if you have the number one website across the land in the digital sphere, you have some clout.
Graham Cluley
You have some clout.
Carole Theriault
You have some clout.
Graham Cluley
And what would be the number one website in a country?
Carole Theriault
Probably Google.
Graham Cluley
Google!
Carole Theriault
Ahahaha!
Graham Cluley
Imagine if you owned Google's website. Imagine the turmoil you could cause and the mischief and the power you would have. Well, one person who had that power is a chap called Nicolas Corona.
Carole Theriault
Ooh, unfortunate name.
Graham Cluley
He is a web designer based in Buenos Aires. 30 years old. I've seen some photographs of him. Appears he is the owner of a soul patch. And on Wednesday—
Carole Theriault
Not the owner, the sporter.
Graham Cluley
Okay, if you prefer.
Mark Stockley
The reason I'm laughing is not because I think soul patches are funny.
Graham Cluley
No, that's serious.
Mark Stockley
Because of the way that you said soul patch, I think gave away something of how you feel about soul patches.
Carole Theriault
Doesn't matter. I'm a big fan.
Mark Stockley
Am I warm?
Graham Cluley
I just think— Okay, I don't want to upset any of our listeners. But I think in these times of pandemic, when we're under lockdown, to be quite so meticulous with your facial hair as to leave the soul patch but get rid of the moustache seems like you've got too much time on your hands.
Carole Theriault
You know who has too much time on their hands worrying about such shit?
Graham Cluley
What?
Carole Theriault
You!
Mark Stockley
I agree with Graham. We should all just let our facial hair run free. Just like Graham and I do.
Carole Theriault
Yeah, exactly. It's so impressive.
Graham Cluley
On Wednesday last week, friends of Nicolas Corona WhatsApped him. They said, "Hey, buddy," they said, "Google's down. Can't get Google. It's gone kaput," they said. And it had. Not google.com, but google.com.ar. Right? Because there are lots of different Google websites.
Carole Theriault
I'm impressed they're using German. Yeah.
Graham Cluley
What?
Mark Stockley
Yeah. Well, famously, famously, there are quite a lot of Germans in Argentina.
Carole Theriault
Exactly, well—
Mark Stockley
But we don't like to talk about that.
Carole Theriault
Yeah.
Mark Stockley
It's good. The soul patch is just a disguise.
Carole Theriault
Exactly.
Graham Cluley
Can't have a moustache. That'll be a giveaway. Gotta get rid of the moustache.
Mark Stockley
Take it off, stick it on a couple of inches lower.
Carole Theriault
Ah, I think we all needed that little giggle there. Okay, carry on, Clew, you're doing great.
Graham Cluley
So google.com.ar, because there are lots of different Google websites, right? You can go to google.cn or google.com.hk if you fancy your Google with a Chinese flavour, right? Now, normally you'd shrug, you'd think, oh, big deal, right? Google's down, so what?
Carole Theriault
I'm not thinking that people are thinking, who cares? Because a lot of people have cloud drives in Google. There's a lot of work there. They wouldn't be able to get on with stuff.
Graham Cluley
It can be disruptive. It can be disruptive. But there might be something.
Carole Theriault
Okay. Thank you for giving that. Yeah, okay. Thank you for acknowledging that it could be slightly disruptive to, I don't know, 90% of small businesses.
Mark Stockley
Their laptop was on fire.
Carole Theriault
Yeah.
Mark Stockley
But you know.
Carole Theriault
Yeah.
Mark Stockley
Move on.
Graham Cluley
Yeah, go have lunch.
Carole Theriault
Go have lunch.
Graham Cluley
Get a restaurant.
Mark Stockley
Crack on with your day.
Graham Cluley
Yes.
Mark Stockley
Carry on with your work.
Graham Cluley
He went to NIC Argentina, the Network Information Centre. He went to their website. 'Cause he thought, I'll just look up the google.com.ar domain, he said. The NIC are the people who are responsible for controlling the Argentina country code domain. And to his surprise, he was greeted by a message saying that google.com.ar was available if he wanted it.
Carole Theriault
Dios mío!
Graham Cluley
In fact— Gott im Himmel!
Mark Stockley
Donner und Blitzen!
Graham Cluley
For a mere 270 pesos, right? Which is about $2.90 in American. For just a couple of dollars, he could buy google.com.ar. And so he did. He bought Google Argentina's domain name. Now, having bought it, what would you do if you acquired the domain?
Mark Stockley
Well, I'd declare myself King of Argentina, obviously.
Graham Cluley
Exactly.
Mark Stockley
Based on the precedent we set earlier.
Graham Cluley
Yeah.
Carole Theriault
I am God.
Mark Stockley
Yeah. Universal Thanos or something.
Graham Cluley
Well, he could have done something malicious, couldn't he? He could have pointed it to a malicious webpage, installed some malware. He could have sent it to a porn site, maybe through an affiliate link, and made himself some pesos that way. He could have created a webpage rammed full of Google ads, couldn't he? And made some money. Because imagine how much traffic a page like that's going to get.
Mark Stockley
Irony.
Graham Cluley
He could have sent it to Bing.com. Microsoft would have been pleased. Well, there's some mystery to how this all happened because it sounds like Google simply forgot to renew its domain and have let it expire. Yeah, but some people have dug around and they've said, no, no, no, no, no. They say Google.com.ar wasn't scheduled to expire until July. So Google had plenty of time to renew it. So there is a mystery as to how this happened. Did the NIC, did they somehow goof up and allow this domain to be acquired? Seems very peculiar and worrying because if Google didn't goof up, then presumably that means potentially this could happen to any number of other domains.
Carole Theriault
Yeah, but Google's kind of the biggest one, right? That's kind of— Oh, sure. I mean, it could happen to a mom-and-pop shop, but not many people would care.
Mark Stockley
Carole Theriault, let me translate for you. If this could happen to Google, this could happen to Graham Cluley. Okay, this is a serious matter. We need to get to the bottom of this because he's had a bit of a traffic spike. Okay? Can't afford for that to be ruined by some Nazi script kiddie with a soul patch buying up his domain.
Carole Theriault
You know him so well.
Graham Cluley
So we don't know how this happened. The NIC, they took the domain back. Having sold it to him for $2.90, they then thought, oh, hang on. Maybe they realised the mistake. Maybe Google got in touch, who knows? But they grabbed it back.
Carole Theriault
Can they do that?
Graham Cluley
Well, yes, they did. And they haven't paid him back his $2.90.
Mark Stockley
I think if it's Google's domain, yes, yes, they can do that. Because in a way, Google is a ruler of a country. Yeah. I was thinking when he bought it, actually, that's on the one hand, hey, this is fun. It's curious and interesting. And there's a great story here. And I can give it back to them like a bit of a hero. On the other hand, they're clearly going to want this. This is obviously a mistake and they're going to want it back. And if I remember correctly, Google has money and lawyers. So you're going to give it back to them.
Carole Theriault
Okay, I'm just— if you wanted to shitstorm in the situation, okay, what about this? So you buy the domain, then you put on hey, give money to the poor, feed the poor, something like this. Google then take it offline, then you've got a PR crisis on your hands because Google just shut you down even though you're trying to do a good thing.
Mark Stockley
Well, I think somebody actually did something similar a few years ago in Palestine.
Carole Theriault
Really?
Mark Stockley
Because there's a Google Palestine, in the same way as you said earlier, there's a Google everything else. And I believe that somebody did a DNS hijack. So they didn't actually hack Google Palestine. They managed to phish somebody who managed the domain name. They got control of Google Palestine and effectively redirected the traffic. Now, I think it was sort of a hacktivist script kiddie, kind of the usual.
Graham Cluley
Yeah. Oh, I'm reading about it right now. Apparently, according to the Washington Post, it was in objection to Google Maps labeling Palestinian territories as being Israeli.
Mark Stockley
Yes.
Graham Cluley
So there you go. Mischief makers. And this isn't the only time.
Carole Theriault
Kaput.
Graham Cluley
So we've just seen this in Argentina. We've seen it in Palestine. In September 2015, a former Google employee called Sanmay Ved purchased google.com, the real google.com.
Carole Theriault
What?
Graham Cluley
For $12. He bought it. Get this bit. He bought the domain through Google's own domain registration service. Google Domains. Now, he perhaps wisely only owned it for 1 minute. 'Cause I think he realised quite—
Carole Theriault
Why is it wise?
Graham Cluley
Because—
Carole Theriault
It was sitting there on their domain!
Graham Cluley
He's gonna end up in court or something.
Carole Theriault
Fine! But he'd get a little pittance for his—
Graham Cluley
He was probably terrified. So he quickly reversed the transaction. He probably bought it thinking, "This won't happen. How can Google's own domain service allow me to buy its domain?" But it worked. And so he quickly turned—
Carole Theriault
Well, wouldn't he just sit back and wait for the phone call? Just, I would just sit and wait and just go— Google, I'll rent it to you. Don't worry. Don't panic.
Mark Stockley
I think I would redirect it to, let me Google that for you.
Carole Theriault
Oh, funny. Funny.
Graham Cluley
Funny. Funny. Now, Google paid him— and write this down— $6,006.13. 6-0-0-6.
Carole Theriault
Got it.
Graham Cluley
Have you got it?
Carole Theriault
Yeah.
Graham Cluley
Did you squint? Yeah?
Mark Stockley
No.
Carole Theriault
No, I get it.
Graham Cluley
Because if you squint a bit—
Carole Theriault
It's not boob 13, is it?
Graham Cluley
No, no, no.
Mark Stockley
So it was 6,006.
Graham Cluley
Yes, and 13 cents. Are we labouring this point too much? The point is, if you squint a bit, it says Google. Wow!
Carole Theriault
Oh my god, it does! Whoa!
Graham Cluley
That's how wacky those Google guys are. They ended up giving twice as much money to charity and things. It's not just Google. In 2003, Microsoft forgot to renew its Hotmail.co.uk domain, which was very alarming for the 17 people who were still using it.
Carole Theriault
I don't understand why if they screw up and don't register their own domains and someone scoops it up, I think fair play to them. I don't know why you'd be shitting yourself. I think you'd be sitting on the motherlode.
Graham Cluley
Do you think it's a responsible way to act as a citizen of the internet, Carole?
Carole Theriault
Yeah.
Graham Cluley
I think, well, I think you've told us quite a lot about yourself.
Carole Theriault
Okay. Well, wow, everyone. There you go. There's me. Denuded. Yeah.
Graham Cluley
Yeah.
Mark Stockley
The thing is, the thing is, it's actually really hard to lose control of a domain name. That's the thing that always confuses me in these stories. Because registrars, they generally have hold of this idea that you probably want to keep your domain name. And so the process is very rarely these days, you buy a domain name and then on a given date, that's it. What happens normally is that, you know, you buy a domain name and then months and months before it lapses, they're emailing you saying, "Your domain name is up for renewal in 3 months' time. Would you like to renew? Would you like to sign up for 50 years?" And then when you actually get to the date, most of them have some sort of a purgatory period. So they will often sort of reserve it for you for 3 months. So they kind of hold on to it anyway and keep it working. And then you just sort of pick up in arrears. And then even after that, there's often another period where they sort of put it in cold storage where you don't have it anymore. And I think you have to pay them a little bit extra, but they won't sell it to anyone else. Now, this depends on the top-level domain, you know, so maybe the rules are different for .ar than they are for .com or for .co.uk or what have you. But by and large, this is quite hard. And then, and that's aside from anything your own calendar reminders. Because if you're Google, you would think that's quite an important thing to keep ownership of.
Carole Theriault
I agree.
Mark Stockley
So it mystifies me that this ever happens. And I have never worked for a company that has had problems renewing domain names ever, apart from the one that we all work for.
Carole Theriault
No.
Graham Cluley
What sound was that? Let's not tell that story.
Carole Theriault
Oh, God. Mark!
Mark Stockley
Mark. Yes.
Graham Cluley
Over to you. What have you got for us?
Mark Stockley
I have got some great news.
Carole Theriault
Oh, good.
Mark Stockley
So, we can all go home.
Graham Cluley
We're already at home, Mark.
Carole Theriault
We haven't left home in about 18 months. But thanks.
Mark Stockley
You make a good point. Anyway, I guess what I'm saying is we could wrap up the podcast. Because we don't need to carry on, because I think computer security may have been solved.
Carole Theriault
Oh!
Mark Stockley
So, it looks as if somebody may have actually cracked the computer security problem. Finally! And yeah, exactly. And if they have, then we can all just stop banging on about computer security. Thank God. And we can do something else. Carole, you could— I don't know, you could go and start a podcast about difficult situations or something.
Carole Theriault
Good idea!
Mark Stockley
Graham! Graham, maybe you could mumble over some chess videos or something. I feel there's something in that. Anyway, I think I may have discovered the most secure software vendor in the world.
Graham Cluley
Okay, right.
Mark Stockley
Well, actually, it wasn't my discovery. It was a guy called Paul F. Roberts. So anyway, he wrote an article for Forbes a couple of weeks ago. So really, it was his discovery. But anyway, I read the article, so in a way. I am talking, of course, about the $120 billion Internet of Things supergiant John Deere.
Carole Theriault
Oh, tractors.
Graham Cluley
Yeah.
Mark Stockley
You say tractors.
Carole Theriault
Well, they do a lot of stuff. They're pretty big. I know they're big.
Mark Stockley
Yeah, when I say John Deere, you know, I think of very, very shiny green tractors. But when I say Internet of Things, what do you think of?
Carole Theriault
Alexa.
Graham Cluley
Toasters.
Mark Stockley
I think about shit gadgets. When I think of the Internet of Things. Shit gadgets I don't need.
Carole Theriault
Vacuums, things that, right, Graham?
Mark Stockley
Yeah.
Graham Cluley
Toothbrush.
Mark Stockley
That sort of stuff. Anyway, when you think about the Internet of Things, you actually have to think a bit bigger than that. You need to think about fleets of automated GPS-guided heavy farm machinery running millions of lines of code and passing terabytes of data back and forth with giant cloud data centres.
Carole Theriault
Let me say it, what could go wrong? This is the real Terminator scenario, isn't it? It's not sentient military robots. And they're scary. I grew up in the country.
Mark Stockley
And you are talking about North American combine harvesters, aren't you?
Graham Cluley
Yes.
Mark Stockley
Not tiny little British 5-storey combine harvesters. You are talking about the province-gobbling kind.
Graham Cluley
My understanding is that Canada and America are quite big. And they have big farms which grow food and things, right?
Mark Stockley
Some Canadian provinces are just one farm.
Graham Cluley
So, on these North American farms, they have combine harvesters, which are unmanned, I imagine, which are just sort of commanded, "Go drive that way." Whether they have seats or not.
Mark Stockley
And it's not just combine harvesters, it's tractors and other heavy farm machinery. They are all now things.
Graham Cluley
Right.
Mark Stockley
On the internet of things, they are part of this connected network. And there's a lot of data exchange. So companies like John Deere can hoover up all this data about what's happening where, and then they can actually say to the farmer or the farm machinery, "This is when you want to do stuff." Yeah. "This is when you want to plant, this is when you want to fertilise, this is when you want to—" Don't think, just do.
Carole Theriault
"Harvest." Yeah.
Mark Stockley
Yeah. Yeah.
Graham Cluley
Is it a bit like HP printers, which try and sign you up for this ink deal? I hope not.
Carole Theriault
Yeah, that sucks. That's really sad.
Graham Cluley
They get you subscribed to ink cartridges, and they tell you, "Oh, you're running a bit low on ink. We're gonna send you some more." Debit your credit card.
Mark Stockley
That sounds like one of those thought experiments. What if farm machinery was like HP printers? Oh well, we'd all starve. I'd like to harvest the corn today. I can't find the cornfield. But it's the same cornfield that you harvested yesterday. But I can't find it now. Where's it gone? Anyway, back to John Deere. As it happens, what I'm trying to say is John Deere is actually a very, very serious software vendor. And according to Roberts, it has never had a single publicly disclosed software vulnerability in any of its products. Not one, not ever. Thank you. Ding ding. Game over.
Carole Theriault
There were two little words there. There were two little words that caught my eye. Publicly disclosed.
Mark Stockley
Yep. No publicly disclosed security vulnerabilities. Ever. So computer security solved. We just need to ask John Deere what they're doing because it's amazing. And if we can all just do that, then we can go home. And I'm sorry that it means the end of this podcast, but, you know, it's a small price to pay.
Graham Cluley
And any security researcher who thinks he's found a vulnerability, if they'd like to take a really close look at this threshing machine, go on, lean in. Have a good look. Thank you. Let's reward you with a trip around the factory.
Carole Theriault
Here you are. Put your head right here.
Mark Stockley
I've just dropped my USB stick just about under those blades. Yes. Anyway, it's not just John Deere. So as you know, publicly disclosed vulnerabilities go in the Common Vulnerabilities and Exploits database, the CVE database. And John Deere, nothing in the CVE database. None of its major competitors do either. The whole sector got this thing sorted. So now, computer security, solved. Mm-hmm. How good is that? I mean, it's amazing. It's almost too good to be true.
Graham Cluley
Should we buy our computers from John Deere, maybe?
Mark Stockley
Oi, maybe! So as you know, computer security these days relies enormously on a community of security researchers that don't work for you. If you're a company, then actually you're massively reliant on the efforts either directly or indirectly of third-party security researchers, either because you use software that they have helped protect, or that software uses other software or libraries that they have helped protect, or because they're helping you directly either on a voluntary basis or for bug bounties or for whatever reason. But their involvement is enormously important to the functioning of the whole security ecosystem. But if you're a security researcher, how easy do you think it is to get hold of a $1 million combine harvester? In order to go looking for problems.
Graham Cluley
Ah, ah.
Carole Theriault
So they don't have the kit.
Mark Stockley
It's not an Android phone, is it? I mean, it probably is actually underneath all that metal. And the really worrying thing about that is when you talk about something like a million dollars. So is a million dollars an impediment to a freelance security researcher? Yes. Is $1 million a deterrent to a ransomware gang that has just successfully hoovered up $50 million ransom for a single attack? No, probably not. And what about a nation-state attacker? You know, the kind of attacker that was attacking the Indian power grid back in autumn of last year? Would a fleet of giant threshing blades be of interest to them? And would $1 million be a deterrent to them?
Graham Cluley
Probably not. So excuse me, guys, but you and Paul Roberts in this article, are you perhaps putting some ideas into the minds of evil folks? Is this responsible what you're doing? You've made an irresponsible disclosure of a potential— I'm sure John Deere has got this all covered. I'm sure they've got their own penetration testers and a brilliant team checking their systems all the time.
Carole Theriault
While you've been considering that, I'm trying— I'm racking my brains to remember that song. Didn't you guys in the UK have a song with carbine, combine harvesters?
Mark Stockley
They've got a lovely combine harvester.
Graham Cluley
The Wurzels.
Mark Stockley
So anyway, it goes on.
Graham Cluley
I think they were all rounded up by Operation Yewtree, by the way.
Mark Stockley
No evidence, but yeah, more than likely. So the thing is, even if you could afford $1 million or $800,000 or whatever it is to get a piece of heavy farm machinery— Chump change, yeah— you could find yourself in court if you did. What? Because it turns out that when you buy a million-dollar piece of heavy farm equipment, you don't so much own it as have what John Deere calls an implied license to operate it. And there is an entire community of activists— I'm not going to go into it now, but there's a whole community of activists out there who will tell you that you don't have the right to repair your John Deere or other heavy farm machinery, which these days, you know, it's heavy farm machine wrapped around a computer and the software itself is extremely important to the operation of that machinery and to the business of John Deere, and it is protected by copyright law. And there's a whole legal fight going on, people trying to get the right to repair the equipment that they thought they have purchased. Now, there are arguments on both sides because I can see reasons why it might be a bad idea to let people hack their own giant killing blades. But it's a thing. So assuming you did manage to get your hands on the tractor and you didn't fall foul of the copyright lawyers, there is, according to security researchers, no way for you to report your findings, even if you did manage to find something.
Carole Theriault
Well, come on, you could just email the web admin or something.
Mark Stockley
Sure, sure, that always works. Speaking as an ex-web admin, let me tell you, I was on top of those emails. Now, as security researchers will find a way, and just a few weeks ago, a researcher who goes by the name Sick Codes revealed that they had signed up for a John Deere developer's account and had actually managed to report some bugs to John Deere, including one that allowed them to download the data of every owner of every single John Deere tractor in the world. Dun dun dun. A bit like I was explaining so beautifully with the WhatsApp situation earlier, what happens is these tractors use APIs to talk to the sort of John Deere mothership. And one of those APIs, you send it a VIN, a vehicle identification number, and it sends you the details of who owns that vehicle, like their name and their address and when their license started and all this kind of stuff. Lovely. Exactly. So they tried to report this thing in a number of different ways because there isn't an official way to report these bugs. As so often happens, the researchers actually try very hard to get in touch and they send emails, but they don't want to reveal sensitive information over email so that they're twittering and so on. They thought they were scammers. Yeah. Eventually, they did actually manage to get hold of somebody and that person said, "Go and submit the bug through our HackerOne account." Oh. Now, you've heard of HackerOne.
Graham Cluley
So they do have one.
Mark Stockley
Yeah. Is it HackerOne or Hackeroni? I heard somewhere it's supposed to say Hackeroni, which I refuse to do. Anyway, John Deere said, report it through our HackerOne account. So Sick Codes logs into the HackerOne account and it turns out there's only one security researcher registered on the HackerOne account. And it's them. And the HackerOne account was opened that day. Fancy that. So HackerOne is a bug bounty thing. You know, if you want to offer people bounties for finding bugs, you open a HackerOne account and they submit it through HackerOne and HackerOne do the brokering. And then eventually the researcher gets paid. So did they trump the—
Carole Theriault
Or there was just one researcher listed or was there?
Mark Stockley
There was one researcher listed because what had happened is the HackerOne account had been opened that day for the specific purpose of dealing with that one developer. And no bounty was being offered. So why was there a HackerOne account? Because the one thing the HackerOne account did have was a non-disclosure agreement attached to it. Oh. Oh my god, how—
Carole Theriault
That's quite smart and cunning, but awful.
Mark Stockley
So it looks an awful lot like an attempt to catch and kill the story. Yep.
Carole Theriault
Well, you screwed up on that one!
Mark Stockley
Sick Codes didn't sign up. They did find a way. To make their bug reports. They reported two bugs, and to their credit, John Deere actually fixed them rather quickly. And I mean, John Deere do employ security people, and they do say that they take security very seriously. Oh, that's— I've never heard that before. Oh, that's cool. But my takeaway on this is I think that there are two kinds of company in the world, or two kinds of industry sectors, really. There are those that have been absolutely raked over the coals by cybercriminals, and those that haven't. And the ones that look like they're doing really badly are just the ones that are in the process of being raked over the coals. And the ones that look like they're doing really well are the ones that just haven't been raked over the coals yet. And so obviously, what's happening here with John Deere just looks like all the other industries in the world, all the other companies in the world that have not yet had that encounter with serious cybercrime, which inevitably they will, sad to say. Wow. So we're going to have to carry on doing the podcast, guys.
Carole Theriault
Yeah, and until then, watch out for those fricking combine harvesters, kids.
Graham Cluley
You know what, I was thinking, how would I disclose to someone like John Deere that there was a problem with their tractors and their combine harvesters? And a thought occurred to me, if you can't reach them via Twitter or email or HackerOne, you could, you know, crop circles. Yeah. Maybe you could. Carole, have we got, have we done Carole's story yet? Or was that— No, no, no.
Mark Stockley
It just feels like it.
Carole Theriault
No, as usual, we just had two men rabbit on forever. Right, question. Have you heard of gripe sites? If I say gripe sites, you go, oh yeah, I totally know what that is.
Mark Stockley
I assume it's some sort of absolutely like beyond the pale porn. Oh, okay.
Graham Cluley
I was thinking Twitter isn't just where people go to have a moan.
Carole Theriault
No, it's good. It's a bit like Twitter. So these gripe sites, so-called gripe sites, have names like badgirlreports.date or bustedcheaters.com or worsthomewrecker.com. And most people haven't heard of these sites because they're actually not really designed for people per se. They're designed for computers to sniff out.
Mark Stockley
So is it like a computer is considering going on a date with another computer? It can look up VIC-20 and then meet the 500. Whether or not that computer is a good date.
Carole Theriault
No, it's more like if just computers are seeing it, not people, many people might think, oh well, who cares? Well, I'm here to say you should care. So the problem is, say someone like me put something up on one of these sites about one of you, you might not all be feeling perky and gay because as soon something is posted on one of these sites, they mushroom out of control. They can get cross-posted across all of these sites. Now you think no one's reading this, so who cares? But the thing is, Google reads them and Bing reads them. And the upshot is that it can sink your online reputation in la stinky merde because these shitposts often rise to the swirly heights of the first page Google ranking.
Graham Cluley
So if you listed me, Carole, on terriblepodcasthosts.com, for instance, for my crimes against podcasting, then when people Googled my name, they would see that I'm a terrible podcaster.
Carole Theriault
Yeah. The New York Times, Kashmir Hill and Aaron Krolik, two journalists, investigative journalists at the New York Times in the tech sector, they did a bit of research. Okay. There's a bunch of links in the show notes. They have way more information. But effectively, this reporter team created a software program to download every post from a dozen of the most active complaint sites or gripe sites. They collected more than 150,000 posts. And then they set up a web crawler that searched Google and Bing for thousands of the people who had been attacked on these sites. And for about a third of them, the nasty posts appeared on the first page of their Google or Bing results. Yeah. Right. So basically you can't control it. Your reputation's in tatters at this stage. So what they decided to do, New York Times, is they wrote a shitpost that said that Aaron Krolik, one of the journos in this team, 'Aaron Krolik, New York, is an unqualified loser,' along with an awkward selfie. And they posted that up on one of the sites. And then they did a similar version of the same insult, but with unique watermarks to allow them to track if it showed up anywhere else.
Mark Stockley
That must have been a very awkward conversation in the office. They're like, imagine you're one of you two decided, okay, right. So for the benefit— What could we say? What could we say? For journalism. I will allow my name to be rubbished. What should we say?
Carole Theriault
Not his big fat— No, that's too much. Yeah, yeah, yeah.
Mark Stockley
You know, that was— Crikey. Didn't have to think about that, did you? No.com. Storing that up.
Carole Theriault
Then they both watched as a constellation of sites duplicated the creation of 'Aaron Krolik, New York, is an unqualified loser.' So if this happens to you, I mean, Graham, you've got a bit of an inflated reputation.
Graham Cluley
Carole, can I ask you a question first of all? Do you remember we did a story on our wonderful podcast some time back about one of these sites? And what they were doing was they were posting up, I think, images of people who'd been arrested. And the whole scam was that you could pay the website money to have your entry removed because they had your screenshot and it was appearing in the Google search engine. I mean, I'm just wondering, what is the motivation for the people who are running these sites? Are they always created with good intentions even though it then gets skewed, or is there actually some commercial evilness behind it?
Carole Theriault
Well, hold the phone because it might all become clear, but you're sniffing along the right trail. Okay, so this happens to you guys. So what do you do? Okay, so there's all this stuff. So you go and check out your online personality and you put in Graham the King Cluley, right, into Google and it says I'm a big fat—
Graham Cluley
Yeah, right, right.
Carole Theriault
So what do you do?
Graham Cluley
And it's on page one. Well, what I would do, yes, I would produce a whole load of content involving my name to try and push it off page one.
Carole Theriault
Exactly. You would counterattack to drown out the shitposts with legit posts.
Mark Stockley
Absolutely.
Graham Cluley
Is that what this is all about? That is what GrahamCluley.com is all about. Podcast, my website.
Mark Stockley
What are you trying to keep quiet, Graham?
Carole Theriault
So that would happen if someone did it just once, then got over it. What happens, however, in a lot of these situations is that the posts keep coming, right? So there's new posts all the time. Now, any other ideas of what you would do, Mark? Would you do the same thing? What would you do?
Mark Stockley
My first thought was actually to do the same thing, because there are these sort of reputation-cleaning companies that will try and do that. There's no guarantee that it's going to work, because they're using the same sort of technology and trying to reverse engineer what Google is thinking. So is there someone that you could— can you go to these sites and say, 'Can you remove me? You've made a mistake.' Or, 'Can you remove me if I explain the mistake by writing it on this stack of dollar bills?' Or could you make a DMCA complaint about the—
Graham Cluley
That's a good idea. Copyright of the image.
Mark Stockley
Yeah, yeah, yeah.
Carole Theriault
That's super smart. Great tip. Yeah, okay. Well, Mark, it's interesting because you talked about reputation management firms. This is a budding business. Okay, now traditionally, these were used by PR firms, right, to help organizations stay in the know. So for example, if someone was dissing a product or a service or your brand, your PR company would be, hey, we need to take action and try and salvage some stuff. But since individuals have been commoditized to the point of becoming brands themselves, this industry is helping out CEOs, celebs, influencers, you know, to manage fallout like this.
Mark Stockley
Are they the people that write the apologies for the influencers?
Carole Theriault
That's right. That's right. So the New York Times looked into this, wanting to figure out how these reputation firms actually remove these posts. Okay, but how much would you charge? So how much do you think it cost to remove Gunk?
Mark Stockley
Oh, this has got racket written all over it. So I'm gonna say $100,000. Ooh, much higher than the ones that they're able to get.
Carole Theriault
So one charged $750 or more per post removal. If someone shitposted you 100 million times, that would quickly add up to a lot of money.
Mark Stockley
Yeah, to a sum we're not going to add up now. Yeah, no.
Carole Theriault
And apparently for the New York Times, because they did it against 5 different sites, and then of course that got replicated across — apparently they were in the ballpark of $20K to clean up his loseriness. So interesting fact, to your point, it seems to get a post removed even the reputation companies do something that you suggested, they pay a bit of wonga. So if you are a reputation management firm, you pay this admin fee to the gripe site's webmaster. See, apparently they answer when you're offering them money, the web guy.
Mark Stockley
Are they sat one chair across? They're going to some little web interface and typing in a credit card number. And then when they finish typing it in, a little pop-up appears on the monitor of the guy sat next to them.
Carole Theriault
So basically, you've got these — yeah, you got someone shitposting about you. You go to a management firm and say, hey dude, get rid of these posts for me. Here's $10K, $20K, whatever, you know? And then they just go and give half of it to the gripe firm. And then everyone's quiet, right? And problem goes away. Do you think the problem goes away at that point?
Mark Stockley
Well, these things always end. What happens?
Carole Theriault
What do you think happens? What do you think happens?
Graham Cluley
Well, now the gripe site has learnt that that particular person results in them getting paid to have their profile taken down. So they wait a little, they wait a week or two and then put it up again, I would imagine. Apparently a few months. Carole, what have you got for us?
Carole Theriault
But yeah, whoa, behold, you're absolutely right. The posts reappear. So one disgruntled customer said he'd paid $4,000 in 2019 to remove two negative posts. And months later, he said copies of the post began to reappear online. And guess what? He suspected the reputation management company for being responsible. Well, yeah. I'm shocked.
Mark Stockley
I'm shocked. Duh.
Carole Theriault
So if you go read this, if you go read the New York Times story, which is quite interesting, they were able to make this quite nice tie between one of these big reputation management firms and gripe sites. And their names are listed across different company letterings and papers and documents across firms. So yeah, so it sucks. It sucks. Right? So it seems these companies are running sites that produce slander and then running sites that make money by removing the slander.
Mark Stockley
And they probably don't even have to decide who to put in, do they? I mean, there probably are enough people in the world who are annoyed enough with a bunch of other people that they'll go to these sites and go, well, I don't like Geoff Simmons. And then Geoff Simmons mushrooms everywhere. And if he doesn't notice and doesn't care, it doesn't go anywhere. But if they put in, you know, Carole Theriault and that goes everywhere and you care about it, then they've got a — yeah, you know, as Graham said, now they know.
Carole Theriault
Yeah. So 3 months after the experiment started for the New York Times, Aaron, the journalist loser, who he's now known by, right?
Graham Cluley
The lucky volunteer, yes.
Mark Stockley
You should hear what they call him in the office.
Carole Theriault
His search results are suffering, right? Now, Bing has helpfully recommended adding loser to a search when you look for Aaron Krolik. And when you Googled his name, cheater news was the top of the image results. So yeah, that sucks. So what do you do? What can you do?
Mark Stockley
Is all this stuff outranking the story that he wrote about it?
Graham Cluley
What you can do is not work for the New York Times and volunteer to have your name slandered in this fashion.
Carole Theriault
I think that's the lesson I've learned. Maybe they give him a bonus. Maybe, maybe, you know what, Aaron, ask for a little kickback there. So there's not much you can do, but what you can do is you can fill out a Google gripe form. That's what I'm calling it. I have a link in the show notes, and you basically request there that Google not list these posts in its search results. And it mostly works, but it is less effective for images, which is a problem in our Instaland and Facebook world. But maybe, Graham, this is where your DMCA request to claim copyright on the image is very clever. Now, there is a big but in all this. This is where an attacker or a slanderer does it continually, day in, day out, constantly flooding the sites with bad shit about you. Well, there are—
Mark Stockley
Speaking as someone who's written some code, I feel like this is— You could do this. You could do this to millions of people all at the same time, all the time.
Carole Theriault
But you know, in a way that would help almost because then— I suppose it would, yes. Right? Because then everyone would be like, oh, and maybe deepfakes will help with this kind of shit. 'Cause then you could just go, oh yeah, deepfake.
Mark Stockley
'Cause just everything's garbage. Everything's a fake. Nothing is reliable.
Carole Theriault
Deepfake, schmeekfake. Yeah. Trust no one! Yeah. Yeah.
Graham Cluley
1Password is the most trusted enterprise password manager, and the number one solution for easily and securely managing all of the secrets your team uses every day. But machines have secrets too. These secrets give humans and machines access to other machines. They're how a database admin accesses a database, or an app accesses another app. 1Password has just launched Secrets Automation, a new way to secure, orchestrate, and manage your company's infrastructure secrets. So now you can protect all of your company's most vulnerable secrets in one place. Find out more at 1password.com/secrets. And thanks to 1Password for supporting the show. And welcome back. If you join us on our favorite part of the show that we like to call Pick of the Week.
Mark Stockley
Pick of the Week. Pick of the Week.
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily. Better not be. Well, for the past few weeks, I have been recommending video games. This week, yes. Well, this week it's not a video game. This is a tabletop game, which I've been playing with my son, and it's got a rather artistic bent. It is called Micro Macro Crime City. And it's not like any game I've ever seen before, but it's rather fascinating. So, let me try and describe it.
Graham Cluley
In the box, you get this enormous black and white line drawing of a map, sort of isometric view of a city. And there's all these little characters walking around the city in their cars and going into shops or drinking in the bars, etc. And so there's lots and lots of little detail which you may not notice at first, particularly if you've got bad eyesight like me and need a magnifying glass. And what you soon realize is that there are crimes being committed on the map. So you might see a body, or you might see a car crash, or you might see someone who's being held up with a gun. And as you look at the map, you see these little characters and you can see where they've previously been. So you can sort of plot where they've moved throughout the city over time. And so the idea of the game is to solve mysteries and bank robberies and so forth, because you can see, oh, they met them and they got a crowbar and they poisoned his drink or something like that. It's really quite fun. There is a demo link which I've included. So if anyone wants to try before you buy, normally this isn't an online game, but there is a sort of version we can zoom in on the map and see if you can solve the clues.
Mark Stockley
This is sounding a bit like Grand Theft Auto in board game form, is that? So if we look now, I can tell you that 21.43% of the McDonald's ice cream machines in San Jose are currently unavailable.
Graham Cluley
But I see what you've done. I saw that. I know what you're up to. You're promoting your ruddy podcast.
Mark Stockley
Yeah.
Carole Theriault
Someone's died under a piano.
Graham Cluley
I found that. Oh, yes. Oh, I remember the piano case. Yeah, I had to work out who was responsible for that. And a number of other—
Carole Theriault
Oh, people are smoking jazz cigarettes. I didn't know it was that type of party.
Graham Cluley
Some of the deaths are a little bit gruesome, but I don't think it's going to give anyone any nightmares. My son really enjoyed it. He's been loving solving the mysteries on this game. Maybe, maybe a little bit like that, which actually possibly leads to—
Mark Stockley
But with all the excitement removed.
Graham Cluley
No, Mark, I think you would appreciate this, as you're a bit of an artist yourself.
Mark Stockley
Famous in my house for my love of board games. Well, that's it, because you can begin to sort of work out motives for people and why they did various things. It is very clever.
Carole Theriault
I just found a superhero outfit on a clothesline. Ah, yes. Well, yes, because you have to at one point identify who dresses up as the superhero. Yeah, well found. Ah, well, mine's more a pick of the minute than pick of the week. I found this this morning and it tickled me. Yes, that's true. I know that. They're always broken. Yeah, there's a whole thing. There are internet memes and all sorts, which I didn't realize. Someone has decided, somebody's created a website called McBroken.com. So I think this started last year. Is that possible?
Mark Stockley
Because I remember seeing this. Yes, I think it was October 2020. I only found it this morning.
Carole Theriault
I remember this, and I can't believe how big it's got. Because when I first looked at it, it was quite— you know, they just started. So, wow. Very cool. Unavailable is the word though, because I imagine that cleaning the ice cream machine is a pig.
Graham Cluley
Ah, so you think they're deliberately disabled? No, no, no, no, that's not the case. I mean, it is the case, but that's not it. So you only have to clean them every 2 weeks. That's kind of gross, isn't it? Very cool. On that savory note, Carole, what's your pick of the week? So last week, I was listening to Hidden Brain, and they had a shrink on there that said that young kids laugh 300 times a day, and it takes an adult 3 months to laugh that much, you know, and you just think that's frickin' sad. 3 months? Yeah, I bet they laugh, you know, everyone laughs listening to this podcast, and that's it until the next podcast. That's how low it is.
Mark Stockley
Sorry, I was too busy looking at the website. I never believed Tupac was dead, it says.
Graham Cluley
Yes, I was trying to work out that one. Let me try this one. So girl 1, right? This reminds me a little bit of— I can't remember if it's on Facebook or Twitter or something. There's something called Overheard at Waitrose. Oh, I like that. Which is a British phenomenon.
Mark Stockley
Yeah, it's like a posh middle class— it's a bit like a ghetto. Yeah, yeah, the rough end of town Waitrose.
Carole Theriault
Okay, and this is my favorite one. So this is on a sister site. Coworker 1: I wasn't that drunk by that point. I mean, I was sober enough to realize that they were branding each other's asses with cookie cutters. The boss says, sure, Coworker 1: No, legit, sticking the cookie cutters in the fire and branding each other's asses. And then coworker 2 pipes up: Can you imagine shacking up with someone with an inverted Christmas tree pointing right up your pooper? What I mean is check Overheard in New York. So if you're bored and you want a bit more laughter in your life, check out Sticky Pickles.
Graham Cluley
Well, excellent. Well, on that cultural note, I think we've just about wrapped up the show for this week. Mark, I'm sure plenty of fellows would love to follow you online. What is the best way to do that?
Mark Stockley
Well, don't Google me unless you want to follow the other guy. But if you want to follow me, go straight to Twitter, go look for Mark Stockley on Twitter, but don't use an underscore or anything because there's a much more famous person who's got an underscore in their name.
Graham Cluley
All right. And you can follow us on Twitter @SmashingSecurity, no G, Twitter doesn't allow us to have a G. And we're also on Reddit. Just look for Smashing Security up there. And don't forget, ensure that you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts. Oh, and while you're there, maybe you'd like to give us a nice review rather than say something horrible about us. You know, just if you like us. Who's saying horrible things? I think it might have been Thom Langford. I don't know. Someone went up there, said something derogatory at some point.
Carole Theriault
This is how you do reputation management, is it? Now, where were we?
Graham Cluley
I just think maybe if you do like us, let's swamp the negativity with lots of good stuff. So go and say something nice about us on our comments. Clean our reputation.
Carole Theriault
Big fat thank you to this episode's sponsor, 1Password. LastPassword, and to our wonderful Patreon community. It's thanks to them all that this show is free. And for episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 224 episodes, check out smashingsecurity.com.
Graham Cluley
Until next time, cheerio, bye-bye. Bye-bye. Bye. Bye.
Carole Theriault
And hey, if you're still there, just know that Graham's right. Reviews help a bucketload. So if you like the show and you listen this far, just go to the review page, say something nice. It'll make both of our days. And huge thank you.
EPISODE DESCRIPTION:
Google loses its domain in Argentina, how do gripe sites make their dough, and has John Deere solved the cybersecurity problem?
All this and much, much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley.