239: TikTok vigilantes, sloppy IoT, and Wikipedia woe

August 18, 2021
Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.

Graham Cluley

Oh my goodness, Carole, when you go to a web page, right, people have not stuck little photographs and stickers onto your monitor, right? There are pixels. I didn't realize we had to make it this simple.

Carole Theriault

There are pixels. I'm glad you are mansplaining perfectly here. Carry on.

Graham Cluley

It appears I need to. It appears you don't understand how a monitor works.

Carole Theriault

Yeah.

Unknown

Smashing Security, episode 239: TikTok Vigilantes, Sloppy IoT and Wikipedia Woe, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 239. My name's Graham Cluley.

Carole Theriault

And I'm Carole Theriault.

Graham Cluley

And Carole, we are joined this week by a returning special guest. It is Mr. John Hawes.

John Hawes

Hello.

Carole Theriault

Hi, John.

John Hawes

Hi, hi, hi.

Carole Theriault

Have you had any holidays?

John Hawes

I have, yes. I've been down to the seaside, been to visit family. Having some lovely time off.

Graham Cluley

Carole and I, we had a holiday, didn't we? We've been off for a couple of weeks.

Carole Theriault

A holiday from each other.

Graham Cluley

Yeah.

Carole Theriault

I don't think I'm sure. That's why I'm here. That's why I'm here.

Graham Cluley

Shout out to Karthik.

Carole Theriault

It's been long enough, actually, to be fair. We should thank this week's sponsors, 1Password. Their support helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?

Graham Cluley

There are wild things going on at wiki wiki wah wah Wikipedia.

Carole Theriault

John, what about you?

John Hawes

I'm going to be talking about IoT sloppiness as usual.

Carole Theriault

Oh, and I'm heading to TikTok land. Wish me luck. All this and much more coming up on this episode of Smashing Security.

Graham Cluley

Now, chums, chums, I'm going to name some people to you and I want you to tell me what you think links them all, okay?

John Hawes

But I'm sure

Graham Cluley

So, we've got Wiki Wiki Wa Wa Will Smith.

John Hawes

you were very First of all. Okay.

Carole Theriault

Is he still alive?

Graham Cluley

Yes, Will Smith, I think, is still alive, as far as I know.

Carole Theriault

I haven't followed his career very closely. I'm glad he's alive. I'm glad he's alive. He provided me a lot of joy when I was a kid. Prince of Bel-Air, right?

John Hawes

missed by all your fans.

Graham Cluley

Yeah, yeah, that's right.

John Hawes

The Fresh Prince.

Carole Theriault

Independence Day. Got me there.

Graham Cluley

Mm-hmm. We've got Jenny on the Block.

Carole Theriault

Yeah.

Graham Cluley

As well, Jennifer Lopez.

Carole Theriault

Yeah.

Graham Cluley

We got Robbie, Robbie, Robbie, re-ra, re-ra, De Niro. Robert De Niro.

Carole Theriault

What are you doing?

Graham Cluley

What?

Carole Theriault

Are they all really shit rappers?

Graham Cluley

And we got Terry Pratchett as well.

Carole Theriault

Whoa.

John Hawes

The late Terry Pratchett.

Carole Theriault

That's a kind of wild card though in the mix.

Graham Cluley

Well, what links them all? Any ideas at all? Nazis.

Carole Theriault

Whoa.

Graham Cluley

Well, I'm not saying they're Nazis.

Carole Theriault

I'm coming back from holiday, right? Two weeks off. And the story you decide to launch our return with in August.

John Hawes

All famous people are Nazis.

Carole Theriault

Oh my God.

Graham Cluley

No, no, they're not Nazis.

Carole Theriault

Have you been radicalized while I've been away?

Graham Cluley

Well, are they Nazis? Because where would you find out, right? If someone was a bit crazy...

Carole Theriault

I'm not sure that's an approved term anymore.

Graham Cluley

Oh, okay. Mel Gibson, right? If you wanted to find out if he was a bit peculiar or not, you would go on a site like Wikipedia, and maybe it would tell you that he is somewhat notorious.

John Hawes

Is that what you do?

Carole Theriault

Well, what would you do, John? I would probably ask a person first, if there was someone in the room with me, I would say, "Hey, Mel Gibson nutty."

Graham Cluley

Are you going to ask Joyce down the supermarket about Mel Gibson?

John Hawes

I might do, if that's who I was nearest at the time.

Carole Theriault

And you would trust her over the internet?

John Hawes

Not necessarily, but yes, I would obviously choose my person based on my level of trust in their wisdom.

Carole Theriault

Right.

Graham Cluley

Well, for a while over the weekend, if you looked up Robert De Niro, Jennifer Lopez, Will Smith, Terry Pratchett—

Carole Theriault

Funnily enough, I didn't—

Graham Cluley

Numerous, numerous other people, thousands of other people on Wikipedia, you would have been greeted by a great big Nazi swastika. You know, red, black, and white. Yes, on their profiles.

Carole Theriault

So their Wikipedia profile pages, which of course they never created themselves because that's not very cool.

John Hawes

I think it's not even allowed, is it?

Graham Cluley

I don't know if it is allowed or not, but it's certainly not cool, is it?

Carole Theriault

Right, okay, so they have absolutely nothing to do with this Wikipedia page that someone else created about them, which is, you know, yeah, and someone went on to deface them.

Graham Cluley

Well, let's find out exactly how they did it.

Carole Theriault

Okay.

Graham Cluley

Even poor old Joe Biden, President of the Universe, Sleepy Joe, he had his profile impacted this weekend. So Joe Biden, by this attack, which had this great big huge swastika. And some people worried. They thought, "Oh, could it be a virus that's spreading on Wikipedia? Might it be a virus which has infected Wikipedia entries? Or is it the computers of people accessing Wikipedia? Is it they who are actually seeing an image instead of the proper description of people's history and background and personal life and all the other details?"

Carole Theriault

I want to say okay, but I'm not following that. So you can carry on and maybe I'll catch up.

Graham Cluley

Sorry, what don't you understand?

Carole Theriault

How is it the people who are viewing the screens who have a defacement?

John Hawes

Well, if Graham had a sticker of a Nazi swastika on his screen, right, and he looked up a picture of Joe Biden, it would look like a swastika.

Carole Theriault

As long as it was in the right place on his screen.

John Hawes

Yes.

Graham Cluley

It filled up the entire profile. It was a huge— It was a huge, yeah, huge sticker.

Carole Theriault

Can we just say digital sticker or actual sticker?

Graham Cluley

Oh my goodness. So the internet, when you go to a web page, it's not— people have not stuck little photographs and stickers onto your monitor, right? There are pixels. I didn't realize we had to make it this simple.

Carole Theriault

There are pixels. I'm glad you are mansplaining perfectly here. Carry on.

Graham Cluley

It appears I need to. It appears you don't understand how a monitor works.

Carole Theriault

Yeah.

Graham Cluley

Or the internet works.

Carole Theriault

Yeah.

Graham Cluley

Anyway, some people worried it could be a virus which had posted these things, or maybe it's the computers that had been infected as they were accessing them. All kinds of things. Some people said, oh, it's a troll. It's not actually happening at all. People just want others to go to their Wikipedia pages because when they went to look up Jennifer Lopez or Robert De Niro, they wouldn't see the Nazi swastika sticker.

John Hawes

So it was only some people were seeing it.

Carole Theriault

So was it people that were logged into a specific account?

Graham Cluley

Patience, patience.

Carole Theriault

Well, what, what, were we just supposed to shut up and listen to you the whole time? Or was this a discussion? Are we allowed to pontificate a bit? I'm just asking what happened.

Graham Cluley

It's really been lovely being on holiday, hasn't it?

Carole Theriault

I agree.

Graham Cluley

For a couple of weeks.

Carole Theriault

God, I don't know how much more long—

Graham Cluley

Guys, enjoy the show because who knows how long I will explain what's been going on. The fabulous thing about Wikipedia is also its weakness, isn't it? Anyone can pretty much edit pretty much anything.

John Hawes

Mm-hmm.

Graham Cluley

Right? John, I heard that you've in the past, you've updated entries on P.G. Wodehouse.

John Hawes

I have. I've done all kinds of things, yes.

Graham Cluley

Yeah?

John Hawes

Several towns that I've lived in.

Graham Cluley

Right. And mates.

Carole Theriault

Do you add Godzilla visited in 1920-something?

John Hawes

No, no, I try to keep it reasonably accurate.

Carole Theriault

Right.

Graham Cluley

Do you ever post something a little bit scurrilous and naughty and untrue?

John Hawes

No, I don't think I've done that personally. I have been in the room while other people were doing that kind of thing. I have raised a disapproving eyebrow.

Graham Cluley

Right. I have a Wikipedia page. Someone created a page about me. I don't like to brag, but they did. I didn't create it.

Carole Theriault

I'm sure you didn't. Did you pay them?

Graham Cluley

No, no, no.

Carole Theriault

Just checking.

Graham Cluley

It's very interesting because when someone creates a Wikipedia page, you can see what other pages they created. And the person who created my Wikipedia page also created pages about being a pickup artist and sort of methods men could use to pull female folks. Not pull them as in with a lasso.

John Hawes

I think they were creating that article as a part of their pickup technique.

Graham Cluley

Well, they haven't managed to pick me up yet. They haven't done that. But someone did post a fake fact about me on my Wikipedia page once. Someone posted that I'd fought in the Bay of Pigs.

Carole Theriault

Which—

John Hawes

Was that you, Carole?

Graham Cluley

It isn't true. For a number of reasons why I can confirm that definitely didn't happen.

Carole Theriault

Such as?

Graham Cluley

Such as I wasn't alive.

Carole Theriault

Are you sure? Are you sure?

Graham Cluley

Never been to Cuba.

Carole Theriault

You know. You do have small eyes though. So, you know.

Graham Cluley

What?

Carole Theriault

What?

Graham Cluley

Oh, you think this is another bay of— small-eyed pigs. Wow. Two weeks off. Anyway, sometimes inaccurate things are posted on Wikipedia, either intentionally, accidentally, or maliciously. Oh, I know what I wanted to ask you. Have either of you been to the Scottish version of Wikipedia?

Carole Theriault

What?

John Hawes

In the Scottish language?

Graham Cluley

In the Scottish language, yes. There are over 50,000 Wikipedia articles that someone has edited. It's administered by a chap who identifies as a Christian furry in America.

Carole Theriault

I am convinced that if I looked, I could find a Klingon version of Wikipedia.

Graham Cluley

Probably.

Carole Theriault

Right? So I'm not surprised.

John Hawes

Yeah.

Graham Cluley

That's actually a different language. Whereas the Scottish version of Wikipedia appears to have just been written sort of phonetically, like a drunken Scottish person.

Carole Theriault

A bit like, what was it? Trainspotting was. Trainspotting, it was written fairly—

John Hawes

All speaking in Scotch, isn't they?

Graham Cluley

Yeah.

Carole Theriault

Exactly.

Graham Cluley

But, aye, a village is a scotterd a brierd brook mactagata night and a bonnie hoots. It's all that kind of thing. Anyway, some people wanted the Scottish version of Wikipedia deleted. They said it appears to be just Wikipedia read in a broad Scottish accent. And they also claimed it had done more damage to the Scottish language than anyone else in history and is cultural vandalism on an unprecedented scale.

Carole Theriault

According to whom?

Graham Cluley

This is what people, people had said this.

Carole Theriault

Good sources. Yeah.

Graham Cluley

It still exists. It's still up there.

John Hawes

How did they choose which pages to translate?

Graham Cluley

I think they just started probably aardvark.

Carole Theriault

I mean, how would you start, Graham?

Graham Cluley

Yeah.

Carole Theriault

How would you start, John? You'd probably just go, you know, I'm really into pies.

Graham Cluley

Pie would be a good one. Pie.

John Hawes

Oh, it's either things that are related to Scotland in some way.

Graham Cluley

Aberdeen.

Carole Theriault

I think it'd be really fun to have a franglais one. You know?

Graham Cluley

Oh, may we?

Carole Theriault

Yeah.

John Hawes

Again, probably already out there.

Carole Theriault

Yeah.

Graham Cluley

Probably. Anyway, the point is anyone can create anything on Wikipedia and it survives really dependent on the community and whether they decide it's not cool. So this is why the Nazi imagery, the swastikas, began to appear on people's profiles. Well, there is a user called Xylophonist. I don't know if that's a real word. He created an account for himself, him or herself, on the 10th of August, and he made a few innocuous updates to Wikipedia entries, you know, said Godzilla has invaded my town or whatever, things which didn't look suspicious. And they had their account automatically confirmed after a few days, and then he went completely batshit crazy ape bonkers. This is what I call a sleeper attack. You come in soft, you come in slow. And then you go crazy.

Carole Theriault

And did what?

Graham Cluley

Well, what he did was he edited a template. So there are templates on Wikipedia. So you will have a template which is used for people's biography, right? Which will say—

Carole Theriault

Title, summary.

Graham Cluley

Yes. Children, spouse, personal, you know, something that, right? And that is used by over, well, tens of thousands, over 50,000 different Wikipedia pages. So what he did was he didn't go to all these individual Wikipedia pages.

Carole Theriault

Changed the CSS effectively.

Graham Cluley

Yeah, yeah, yes, exactly. He changed the template and that automagically updated all of these pages with Nazi swastikas.

Carole Theriault

So how did he get access to the template? Presumably changing the template is not something any Joe Schmo can do.

Graham Cluley

Well, it was.

John Hawes

Well, yes, it's Wikipedia. Anyone can edit it, right?

Graham Cluley

Well, popular templates, ones used by profiles, are supposed to be protected and only a chosen group of people. So trusted people.

Carole Theriault

Of course, because otherwise they could go in and change the font to 72-point, right? And go, have fun, everybody. You're welcome.

Graham Cluley

Well, no one had put any protection on this template.

John Hawes

Ah, sloppy.

Graham Cluley

So potentially they could have done something much more malicious than just displaying a rather obvious image. They could have put in something a little bit more subtle.

Carole Theriault

I don't know. I think I'd have a big problem with that if it were my page that I didn't create. And, you know, of course you'd have a problem with it.

Graham Cluley

I'm not saying you wouldn't have a problem with it, but at least it's obvious if the flag comes up.

John Hawes

So did they replace the entire template or was it just a part of it? So it still said real information underneath or something?

Graham Cluley

They put in a bit of code that said put a swastika on it. Put a swastika up and sort of covered most of the beginning of the profile.

Carole Theriault

Did they put little moustaches as well? Just to—

Graham Cluley

Toothbrush moustaches. No, I can see where you're— yeah, very clever. But it's not good. I mean, it's—

Carole Theriault

No, no, it's not good. It's like—

Graham Cluley

Let's stress that. It's not good. Don't do this. In some countries it would be illegal, I think, isn't it, to publish Nazi swastikas?

John Hawes

Almost certainly, yeah.

Graham Cluley

Swastikas, not cool. There's actually just a couple of months ago, an Austrian soldier, 29-year-old Austrian soldier, was sentenced to 19 months in prison for posting pictures online of a swastika.

John Hawes

Wow.

Graham Cluley

Yeah. Admittedly, it was tattooed onto his testicle, but even so.

Carole Theriault

I'm so glad that the internet got to see it though. That's really great.

John Hawes

Did that have an impact on the length of his sentence?

Carole Theriault

If it had been in his armpit, that would have been 21 months.

Graham Cluley

John, what's your story for us this week?

John Hawes

Yes, so I wanted to talk about IoT sloppiness once again. I think pretty much every time I've been on here before, I've covered some aspect of that kind of thing, although usually previously at the I say the adult end of the market.

Carole Theriault

Are we not going there today?

John Hawes

Well, no, I'm trying to avoid it. I think, I don't think since I've been on this show previously, I've ever had to use the word teledildonics.

Graham Cluley

There it goes again.

John Hawes

I'd like to carry on in that vein if possible. Now this is an entirely different kind of sloppiness.

Graham Cluley

Right.

John Hawes

In the past, pretty much all of the problems that we've seen with IoT stuff have tended to be mainly down to people who are hardware makers, not computer people. So they're saying, I'm making a fridge or a TV and I want it to be an IoT one. So I'm just going to slap in some kind of Wi-Fi connection and job done. And then of course you get security issues because they didn't really do it properly. They hardcoded passwords or they didn't encrypt the communications or something like that. People find out, they get hijacked. You end up with strangers shouting at your baby through the nanny cam or whatever.

Carole Theriault

Yeah. Or through the fridge. Buy milk!

John Hawes

Yeah. But yeah, so we usually, we get to the end of media, the advice is always just don't reinvent the wheel, let some expert somewhere create the module that you use for each.

Carole Theriault

Yeah, we tell that all the time.

John Hawes

Yeah, exactly. But this week we've seen the kind of flip side of that coin. So a blog post was put out just the other day, I think it was Monday, by a German research firm called IoT Inspector, and they found a bug. Well, a whole bunch of bugs in the code powering one of Realtek's Wi-Fi components.

Graham Cluley

Right.

Carole Theriault

I don't even know what Realtek is.

John Hawes

So Realtek is quite a big, multibillion-dollar Taiwanese hardware manufacturer.

Carole Theriault

So what, they make routers or what?

John Hawes

They make chips.

Carole Theriault

Okay.

John Hawes

Basically, these researchers found a series of bugs in this particular system-on-a-chip thing that Realtek was providing, which was being used for quite a wide range of devices. So it's mainly used in the networking world, so routers and modems and gateways and things like that. But it does seem to have been used also in quite a lot of other more IoT-type devices, so cameras and home lighting control systems, even toys. And these flaws seem to be pretty simple to exploit, should really be only accessible from the local network, but some of them seem to have been exposed to the wider internet because they weren't configured properly.

Graham Cluley

So what do these flaws allow people to do?

John Hawes

Well, you can basically hijack the device and get it to do anything you want.

Graham Cluley

Oh, so if you've bought an IoT device and it's not got the functionality which you want, this would be quite handy, wouldn't it? Because you'd be able to exploit it to add new features, maybe, as a user.

John Hawes

Yes. Yes.

Carole Theriault

Well, that's an interesting view, Graham. Interesting approach.

Graham Cluley

But presumably also someone malicious might be able to use this as well.

John Hawes

Yes, they could probably do all kinds of nasty things from cutting off your internet to turning off your lights, hijacking toys and things like that. They actually, the blog post points to someone else did some research on a, I think it was a toy tank.

Graham Cluley

Yeah.

Carole Theriault

Oh my God, I thought

Graham Cluley

Oh.

Carole Theriault

No, he always talks about that kind of stuff. I just assumed.

John Hawes

I did say I was going to try and avoid it this time.

Carole Theriault

Yeah, I know. But then you did mention it. You were talking adult toys.

Graham Cluley

So I do apologize, John.

John Hawes

No, no. This guy, he's got this toy tank. And for some reason, they decided to set it up that it had its own Wi-Fi access point inside the toy. So you would connect to it on your mobile phone by joining its Wi-Fi with your phone.

Carole Theriault

Because you always, okay. Okay.

John Hawes

So then you could control the little tank. You could drive it around. And they had a little camera that you could move up and down and things.

Graham Cluley

Oh, you could spy on people.

John Hawes

Yeah, quite.

Carole Theriault

What, take it across the road to the neighborhood?

Graham Cluley

Or access it remotely if there's someone who you want to snoop upon.

Carole Theriault

Right, drop it through the letterbox.

Graham Cluley

Well, or give it to them as a present, and then you could maybe hack it, and you could look up their dressing gown or something with your turret.

Carole Theriault

How fucking scary though, someone gives you one of these, you're like, "Oh, cute little military tank, how cutie cute cute." It is cute, isn't it, getting a military tank? And then it starts going apeshit like Chucky, right? In the middle of the night. Right? You suddenly wake up and it's on your chest. Like, jeez.

John Hawes

Well, yeah, I think so. In the case of that particular, this tank, I assume that the way, the reason they'd done it that way round, so rather than the tank connecting to your Wi-Fi, you have to connect to the tank's Wi-Fi. It's kind of a security feature. It means it can only be operated fairly locally. But this researcher guy, he'd obviously figured out how it all worked and then was trying to reverse engineer it so he could then connect it to the proper internet so then he can control the tank from anywhere. So yes.

Graham Cluley

Oh, I see. So he just thought, this tank is cool, I wish I could do this more remotely.

John Hawes

Mm-hmm.

Graham Cluley

Right.

Carole Theriault

Yeah, because I really want to see what my tank can do when I can't see it, when I'm 10 miles away.

Graham Cluley

Maybe it's a very cool tank.

Carole Theriault

Yeah, make me a cup of tea before I come home. Cool.

Graham Cluley

We are under lockdown at the moment, right? We all have to find— No, we're not.

Carole Theriault

We're actually not.

Graham Cluley

We are. Well, some of our listeners are. We are having to find new ways to entertain ourselves. And a tank, you know.

Carole Theriault

I know, just wouldn't you want to be able to see it rather than focus on its camera? Wouldn't you want it to be at your feet around your living room going, oh look, there's a cute tank going left, there's a cute tank going right?

Graham Cluley

Maybe you want to find out what your cat or dog get up to while you're out, and then you follow them with it.

Carole Theriault

Really?

Graham Cluley

Yes. If I had a cat, I would love to spy upon my cat.

John Hawes

Wow.

Graham Cluley

If I go out of the house, does it put on a smoking jacket?

Carole Theriault

No, it licks its privates and then sleeps, and then— I don't want to see that.

Graham Cluley

Well, that's not interested in that.

Carole Theriault

We should have taken a month off. I'm just saying.

John Hawes

Anyway, the tank is not perhaps the best example of this. It does affect, I think this is 200 devices, 65 different manufacturers. So most of the big names in networking. So Belkin, D-Link, Huawei, Netgear, obviously Realtek's own kit.

Carole Theriault

And they are just affected because they're using this chip, which they felt was created safely. So it's all this. Yeah. Okay, so they're all looking at the supplier going, WTF?

John Hawes

Well, yes, in a way. And as I say, that's— this is kind of the flip side of the let's not reinvent the wheel thing, that you kind of have to trust people to be the experts at what they're supposed to be the experts at. But also, I mean, the code is pretty open. It has to be pretty accessible because everybody that's using it has to be able to tweak it for their own requirements of whatever thing it is that they're building. Yeah, it's been around for quite a while and it seems nobody's really noticed these problems before. They seem to have been there for at least several years.

Graham Cluley

So if this problem is on the chips, is that right? It's actually on the chip.

John Hawes

I think it's the code that powers the—

Graham Cluley

So what are the chances of this problem actually getting fixed?

John Hawes

Well, no, the researchers did report it to Realtek and they've put out fixes and patches. But yeah, it's the case of with IoT devices, maybe less so with routers and things that, as opposed to toys and cameras, they're not always easy to update. Yeah. And even if they are, I would imagine a lot of users would never even think to update them and just think, oh, that's a thing. It stays that, it doesn't need to be patched regularly and things that. So yes, these things are likely to be lingering around for quite a long time.

Graham Cluley

And your typical consumer wouldn't know if it has a Realtek system inside it anyway, would they?

Carole Theriault

No, exactly. It's not there's Designed by Realtek.

Graham Cluley

No, it just says Tommy Tank.

John Hawes

Yeah, you know, or yeah, Belkin router.

Carole Theriault

And I doubt all the companies that have this problematic chip are telling all their users in a proactive way, hey dudes, we kind of screwed up, can you guys go through this really complicated way of updating?

Graham Cluley

They would do that. They'd be very, very open, proactive, wouldn't they?

Carole Theriault

Where did she go on holiday? Was it Mars?

Graham Cluley

Carole, what have you got for us this week?

Carole Theriault

Well, we three used to be close before the holidays. And so I feel—

Graham Cluley

Everything broke.

Carole Theriault

Everything broke. Yeah, everything broke. But I just had time to reflect, Graham. I had time to reflect. I just wanted to ask, have any of you ever been bullied, in real life or online?

Graham Cluley

Oh yes, I've been bullied.

Carole Theriault

Have you?

Graham Cluley

I had a podcast co-host who said I had piggy little eyes. That was quite upsetting.

Carole Theriault

I didn't say— I think I said little eyes, actually.

Graham Cluley

No, I sometimes got bullied at school because I was the only kid with a briefcase. No one else did, so, you know, I was considered posh. I was.

John Hawes

That is quite an odd thing to do, though.

Carole Theriault

Did you feel you were posh? I bet you felt superior to all the other kids as well with your briefcase.

Graham Cluley

Let's be honest, I mean, some of us are born to greatness.

Carole Theriault

And some of us carry a briefcase. That's what I always thought.

John Hawes

Did you have a monocle as well?

Graham Cluley

The cane?

Carole Theriault

One of those little pocket watches? Did you dress like The Mentalist at the age of 10?

Graham Cluley

In answer to the question, have I ever been bullied? I feel like I'm being bullied right now.

Carole Theriault

Well, interesting. Most bullying these days happens online, right? It's cyberbullying. No longer do you get pummeled after school, you know, or have your lunch money stolen. This day it's your reputation gets trashed for all your friends and family to see. And the bigger the platform, it seems, the more bullying there seems to be. And that kind of makes sense. Now, Facebook has been overtaken, if I can say it that way, by TikTok in terms of downloads. TikTok is now the most popular app, apparently. And just last week, TikTok came out saying that they've added some additional privacy features for kids between the ages of 16, 17, so young adults, I should say. And the biggie of these is that the account will be set to private by default if that is your age group.

Graham Cluley

Okay.

Carole Theriault

And this is to slowly ease them into an online interaction situation. What's ironic about that is I would say most 16, 17-year-olds are 8,000 times brighter than we over-the-hillers when it comes to things like TikTok, right? And settings and stuff like that. But anyway. But some people think that TikTok should be doing more. And among these is a group that goes by the name The Great Londini.

Graham Cluley

Londini? It sounds like a magician.

Carole Theriault

It's a mashup of Houdini and Linux, apparently.

Graham Cluley

Oh, okay. Right.

Carole Theriault

These are masked fellows or fellow. I don't know. According to The Insider, the group has a website, Twitter account, and YouTube page where it posts examples of what it said it's capable of accomplishing. And TikTok, it's its main exposé platform. And through its work, which we're gonna get to in a second, the Great Londini Group has amassed a few million followers. Last I saw was 2.3 million. Okay? And it's quite a short time. That's a lot.

Graham Cluley

Okay, lovely.

Carole Theriault

So you hear that, right? Joyful, positive content. And I want you— I'm going to ask John, if you're a masked individual—

John Hawes

Masked as in I'm not revealing my face, as if I've gone to the shops or something, Zorro or something like that, you know. Oh, Batman mask.

Carole Theriault

You're hiding your identity.

Graham Cluley

Yeah.

Carole Theriault

So, so what outfit do you think you would don? You want to keep your identity private, but you want to promote joyful, positive content.

John Hawes

Maybe a Teletubby?

Carole Theriault

Oh yes, that's a very— oh, which one? Which one? Tinky Winky?

Graham Cluley

I don't think John's Tinky Winky.

John Hawes

Yes, whoever's the tallest one, I think. Probably going to have to hunch up a bit either way.

Carole Theriault

Graham, can you better that? I don't think anyone could.

Graham Cluley

I don't know the names of any other Teletubbies, so no, I can't beat that.

Carole Theriault

Okay, well, I'm going to show you the outfit they chose to wear. Ooh, ooh. Could you describe it, Graham, do you think?

Graham Cluley

That doesn't look like good, positive fun. I'm seeing a man who seems to be wearing some sort of hoodie, but he has a sort of scary, Joker-like smile.

Carole Theriault

Yeah.

Graham Cluley

White face. And it looks like his eyes have been scooped out.

Carole Theriault

Gouged out.

Graham Cluley

Yes. Well, it's absolutely petrifying.

Carole Theriault

It is, right? And it does have a bit of an anonymous feel to it.

Graham Cluley

It does. Yeah. But worse.

Carole Theriault

The BBC wrote about this appearance saying the masked man in the black hoodie speaks straight into the camera with an electronically distorted voice. He looks and sounds straight out of a horror movie. So I don't understand how that ties up with joyful, positive content. So right away I'm thinking this is a bit weird.

Graham Cluley

Yeah, that is odd.

Carole Theriault

It's a bit odd.

John Hawes

Well, people get their joy in different ways.

Carole Theriault

Okay, true. I've met many, many people recently who have surprised me in how they get to enjoy. But anywho, the gist of this group is this, right? They troll TikTok and hunt down cyberbullies and disclose their identities in these short clips.

Graham Cluley

Oh, so they're vigilantes.

Carole Theriault

They're vigilantes. And from what I read and saw, these guys play a clip of a bullied person reacting to the nasty comment that was sent to them, and then reveal the username of the bully. The one that the bully tried to keep private.

Graham Cluley

Sorry, I'm a bit confused now.

Carole Theriault

So you put out a podcast and then I went to you and said, you shit, clearly you have small eyes, right? Hashtag small eyes.

Graham Cluley

Doesn't really matter on a podcast, can I point out.

Carole Theriault

No, it doesn't. You've chosen your career very wisely. But no, but say I did that, but I wouldn't want to identify myself, so I might create another username. I might create a different identity.

Graham Cluley

Really? I've never heard of them before.

Carole Theriault

Right, a sock puppet account. And what these guys do is identify, saying that sock puppet account actually belonged to Carole, and identify me for all the world to see. And the Great Londini's page

John Hawes

How?

Carole Theriault

Right.

Graham Cluley

Ah, so how do they do that? How do they—

Carole Theriault

Yeah, we're going to get there in a second. Okay, now first, they have a catchphrase, right, for every time they do this. on TikTok, the strapline is It seems to be, we say stupid game, stupid prize.

Graham Cluley

That's not a great catchphrase.

John Hawes

It's not very catchy.

Graham Cluley

That's not as good as "it's magic" or "you're like this but not a lot." For a magician like the Londini, I think they need to work on that.

Carole Theriault

joyful, positive content. Okay, so in one video, let me just give you an example of how it works, right? Because maybe you'll change your mind. So in one video, this masked person gestures to an abusive comment left on a woman's TikTok account. He says, "If a stranger said this comment to your daughter, mother, sister, wife, what would you do? We say stupid game, stupid prize." Stupid catchphrase.

Graham Cluley

It's a terrible catchphrase. It's really not going to catch on, is it?

Carole Theriault

Well, 2 million people, 2.3 million people are signing up, seem to want to know what's going to happen next.

Graham Cluley

Stupid game, stupid prize. That's the—

Carole Theriault

Yeah.

Graham Cluley

Okay.

Carole Theriault

Yeah.

Graham Cluley

All right.

Carole Theriault

So the masked rep of this group, the Great Londinis, right, had an interview with BBC and they said, we're taking social media back from the bullies, pedophiles, scammers, and trolls.

Graham Cluley

Right.

Carole Theriault

So question is, how is this group able to out these people, right? So I did a little digging, and really the best comes from this BBC article, and there's not a lot here. So they say, if you troll, you may think you can safely hide behind an anonymous account name, but Londini works on the premise that he can discover your real identity within 7 to 8 clicks. That's it.

Graham Cluley

Okay. Is it that these dumb TikTok users are using the same username on TikTok as they're using on Facebook, YouTube? Or, and so he just does a Google.

Carole Theriault

It takes probably two clicks for most of them.

John Hawes

It's pretty minimal anonymity there.

Carole Theriault

Yeah, it's kind of packaged as a Robin Hood-y kind of thing, isn't it?

Graham Cluley

Yeah.

Carole Theriault

It's kind of like, don't be a dick online because they might come after you. And this group made up of volunteers, apparently with mixed military, cybersecurity, and ethical hacking experience, are taking it into their own hands to clean up TikTok. And the reason they say they're doing this is because they say TikTok is not doing enough.

John Hawes

Right. Well, I thought TikTok did generally a pretty good job of keeping out unwanted content, maybe not so much in text comments, but in videos. I mean, they do have the benefits of 20 years of Chinese surveillance to work on. I think that their number of bad stuff getting through is way better than everybody else.

Carole Theriault

So this whole thing is called moderation vigilantism, apparently, right?

Graham Cluley

I've got a bit of a problem— I'm not terribly comfortable with it, to be honest. I mean, because what happens when they screw up and they identify the wrong Long John Hawes, which always happens.

Carole Theriault

And what do you think is happening to all the people that they're outing? They're being bullied.

Graham Cluley

Bullied by this 2 million— yeah, rabble.

Carole Theriault

The group say, look, we really don't condone that, we don't condone that, but I just think this is very convenient for them.

John Hawes

Yeah, we don't condone that,

Carole Theriault

Yeah.

Graham Cluley

Can you explain to me, where are they communicating this? Is this in YouTube videos or is this on TikTok?

Carole Theriault

They're on YouTube, Instagram, TikTok.

Graham Cluley

Presumably TikTok can just shut down their account.

John Hawes

but here are their names and addresses.

Carole Theriault

Ah, very interesting, Graham. So the Great Londini's had 9 accounts permanently deleted by TikTok, and the 10th has been suspended several times. The platform rules Londini has been accused of breaking have varied from online harassment and bullying to even violent extremism. But Londini, of course, the Great Londini, contests this, contests all this saying, until every bully, racist, and scammer is off the app, we're going nowhere. So yeah, so I was kind of thinking ethics time, right? Like, I kind of have a problem with a self-appointed vigilante.

Graham Cluley

Yeah. Well, who should appoint them? Well, TikTok.

John Hawes

Ideally.

Carole Theriault

That would be great, actually. Yeah.

John Hawes

If there's bad things happening on their platform, they should sort it out themselves.

Graham Cluley

I just don't like his mask. I think they're showing a lack of a sense of humor, and it just makes me think it's a bunch of virgins, quite frankly.

Carole Theriault

Yeah, I wouldn't want to be a 13-year-old seeing that face.

John Hawes

No.

Graham Cluley

Do you remember a thing called the News Bunny?

Carole Theriault

No.

Graham Cluley

It was like this weird sort of cable television channel which wasn't doing very well. It probably launched about 25, 30 years ago. And they didn't have any viewers, so they had a weather girl who took her clothes off while she was telling the weather in a desperation attempt to get—

Carole Theriault

Oh, funny that you remember it, not me.

Graham Cluley

But most famously, they had a news bunny, which was someone who was wearing a bunny costume and would hop onto the set, who would do a thumbs up or thumbs down depending on whether it was good news or bad news behind the news presenter. And I think if the great Londini was dressed up like a magical bunny, I would feel much more— I'd just feel much more warm about it and comfortable. I just don't like all this faux sort of spookiness.

John Hawes

Presumably the idea is that the scary face is there to scare the bullies. If you turned up to a bully dressed up as a bunny and said, oh dear, thumbs down, that's not going to put them off.

Carole Theriault

Well, I don't really understand why there's 2.3 million people watching this, right? I just think this reeks a little bit of self-serving, build my army, right? And potentially dangerous. However, however, yes, the whole existence of these guys underlines a serious point in my view. I have a real problem with these big social networks that are like, oh, what can we do? There's so many million videos, we don't know how to cope. Well, then don't serve that much content if you can't handle it. Like, slow down. Stop making a buck off everybody's free content that they're providing you and think about how you can protect the system.

Graham Cluley

What's an interest? That's an interesting idea, Carole. So what you could have is something like TikTok where they say, we will accept this many videos posted per day. And once we've hit the limit about 3 o'clock in the morning, well, no, maybe at that point they can say, look, we've got our allocation for the day, but if you really want to post your video, you have to pay $5 per video.

Carole Theriault

Oh, that would be good. But interesting idea. Interesting idea. TM.

Graham Cluley

TM. Trademark.

Carole Theriault

It's all yours. It's all yours.

Graham Cluley

Oh my, oh my.

Carole Theriault

I just wonder though, like, would you, Graham, you know, if I started getting bullied online, would you put on a mask and a latex suit to protect me? Like, you know, because if

Graham Cluley

Or Teletubby outfit and fake six-pack?

Carole Theriault

Actually, don't— I just pictured it. Don't answer. Just don't say anything. Just, just don't. they're good, then great, but

Graham Cluley

Lovely listeners, we may have been on vacation, but this is no time for slouching and taking it easy when it comes to your security. Around 80% of business data breaches result from weak or reused passwords. Using 1Password in your company can close the gaps in your security, combat shadow IT, and help your workers stay both productive and secure wherever they are. With the right tools and the right mindset, you can create a culture with 1Password where your employees feel empowered to share responsibility for security risk management.

Carole Theriault

they shouldn't be self-appointed.

Graham Cluley

Everyone needs to be on board, working together to stay protected. Find out more and try 1Password for free for 14 days at 1password.com. And thanks to 1Password for sponsoring the show. And welcome back, and you join us at our favorite part of the show, the part of the show that we like to— It's called Pick of the Week.

Carole Theriault

Pick of the Week.

John Hawes

Pick of the Week.

Graham Cluley

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.

Carole Theriault

It really better not be. It's August.

Graham Cluley

Well, my Pick of the Week this week is not security-related. My Pick of the Week, John, was chosen with you in mind because you're a bit of a movie buff, aren't you?

John Hawes

I am indeed.

Graham Cluley

Yeah. Well, my pick of the week is Nestflix. Not Netflix. Nestflix.

Carole Theriault

Is that when you don't want to Netflix and chill, but Netflix and get married?

Graham Cluley

Well, let me explain. Well, very good. Let me explain what it is. It is a website. Hangs out at nestflix.fun.

Carole Theriault

Fun.

John Hawes

Yes.

Graham Cluley

Fun. It is a parody version of Netflix. And so it looks like Netflix. And what it does is it shows you fake movies and TV series which were created for actual movies and TV series. So, you know, when you're watching a TV show and the characters in the TV show watch a programme or a movie within the TV show.

John Hawes

Whoa.

Graham Cluley

A fictional TV or movie.

John Hawes

Yes.

Graham Cluley

Right?

Carole Theriault

Yes, yes, yes.

Graham Cluley

That is what is on Nestflix. So it's videos and movies which are nested within other.

Carole Theriault

Can you give me an actual example?

John Hawes

Like on Rick and Morty where they have the interdimensional cable.

Carole Theriault

Best TV ever.

John Hawes

Hundreds of TV shows in there.

Graham Cluley

Okay, let's look that up right now.

Carole Theriault

Okay.

Graham Cluley

So I'm looking up Rick and Morty and they've got loads. So there are shows called, there's one called Ball Fondlers. So I'm going to Nestflix. I'm going to search

John Hawes

Ball Fondlers, yes.

Graham Cluley

Baby Legs. How Did I Get Here? Last Will and Testament. up, so you can search on there for the genuine show. Man Car. When Walked— Anyway, there's a whole bunch of them here. And then you can go to a page for Baby Legs, for instance. And it says Baby Legs is a good detective, but not good enough because of his baby legs. So his chief is partnering him up with regular legs. I see, it's like a— Well, now maybe this will get you checking out Nestflix.

John Hawes

And do they have the actual show, or is it just sort of the intro page?

Graham Cluley

They have pictures. And I think in some— I think I saw in some cases they may actually link to little YouTube clips.

Carole Theriault

Can you look up Harrison Ford?

Graham Cluley

Okay, let's try that. I don't know if you can look up actors.

Carole Theriault

I know, let's just see.

John Hawes

Harrison Ford.

Graham Cluley

No, that hasn't worked.

Carole Theriault

I just didn't want to embarrass Jeff Goldblum by getting a zero result. You see? Excellent pick of the week, Clue.

Graham Cluley

Yeah. Well, check it out.

Carole Theriault

I will.

Graham Cluley

You can also contribute your own shows to it, but it does appear there are hundreds and hundreds up there. So the rules for inclusion on Nestflix, it has to be fictional. It can't be if people are watching a real film inside the show and it must have actual footage, not just be mentioned in the dialogue. There you go. So that is my pick of the week, Nestflix. Go and check it out.

John Hawes

Sounds a lot of fun.

Carole Theriault

Hmm.

Graham Cluley

John, what's your pick of the week?

John Hawes

My pick of the week is a documentary series. It's also on Netflix. It's called The Movies That Made Us. And season 1 actually came out in 2019. It totally passed me by at the time. But they covered 4 classic movies: Dirty Dancing, Ghostbusters, Die Hard, and Home Alone. And Series 2 just came out a couple of weeks ago, I think, and with a fresh set of movies from pretty much the same period. I'm assuming that the people who made it are in their 40s, early 50s perhaps, and they're very much focused on '80s, early '90s movies.

Carole Theriault

Did you learn anything watching it?

John Hawes

Well, yes, totally. I mean, it's a cute little show. It's a bit cheesy tone, and there's lots of well-known information in there. I obviously started as a diehard fan. That's where I went first. And there was stuff that I knew, everybody knows that the role of John McClane was originally offered to Frank Sinatra. That's right.

Carole Theriault

Rick and Morty's very, very good. I knew that. Of course I knew that.

Graham Cluley

You knew that, did you, Carole?

Carole Theriault

Of course I knew that.

Graham Cluley

Yeah, you know why you knew that, Carole?

Carole Theriault

No.

Graham Cluley

Because it was my Pick of the Week in episode 159. The Movies That Made Us, and we talked about Die Hard. I'm sorry, John. You have broken one of the most important rules of Smashing Security.

Carole Theriault

Ignore him. He just didn't have a long enough holiday.

Graham Cluley

You have repeated a Pick of the Week from another episode.

Carole Theriault

It's the first time this has happened.

John Hawes

Series 2 came out 2 weeks ago.

Graham Cluley

Oh, you got away with it.

John Hawes

Yes. So Series 2, for example, features Back to the Future. And I was not aware that the first month of shooting Back to the Future, the star was Eric Stoltz.

Graham Cluley

That's right.

Carole Theriault

Eric Stoltz?

John Hawes

Yeah.

Carole Theriault

The redhead maverick?

John Hawes

Yeah.

Graham Cluley

And they decided he was rubbish, and so they brought in Michael J.

John Hawes

Fox. Yes, he took it too seriously.

Carole Theriault

I question his acting ability, really. And I was a big fan of Eric Stoltz, because wasn't he in Some Kind of Wonderful—

John Hawes

Yes.

Carole Theriault

Right?

Graham Cluley

Isn't he the chap in Mask as well?

John Hawes

Yes, also. Yeah. So another interesting fact about Back to the Future, the original script, Doc Brown had a pet orangutan. I don't know if it was for budgetary reasons or just because it was crazy. They replaced it with a dog.

Graham Cluley

Was it that one which

John Hawes

Was it Clyde?

Graham Cluley

Yeah.

John Hawes

I think that may have been what inspired the idea. And the time machine was a fridge in the back of a truck, not in a car at all.

Graham Cluley

used to hang out with Clint Eastwood?

Carole Theriault

I would have liked that better, I think.

John Hawes

It doesn't have many of the big stars, but it has a lot of great interviews with the backroom people, you know, the writers and producers and the techies. And the Jurassic Park one, which is also part of season 2. It's very interesting because they were talking to the guys who basically invented CGI.

Graham Cluley

Wow.

John Hawes

Were very, very proud of that.

Carole Theriault

I remember seeing that in the theater. I came out of there blown away.

John Hawes

Yeah, pretty cool.

Carole Theriault

Yeah.

John Hawes

But yeah, for me, I think the most interesting thing for me is that, pretty much as all of these things show, most movies are pretty much accidental. It's not that things have been sort of very carefully planned out and that's why they come out great. But normally it's always, you know, budget constraints or time or, you know, somebody wasn't available and somehow everything comes together just right in the end.

Carole Theriault

As a regular writer on Sticky Pickles, I can attest to that.

Graham Cluley

Yeah.

John Hawes

Yeah.

Graham Cluley

I mean, this podcast is obviously very planned, but some things are happy accidents, aren't they? It's good that we put a lot of planning into this, which is why we never repeat a Pick of the Week episode 159. But, well, I don't think it was season 2.

Carole Theriault

It was season 2. I think you should get on.

Graham Cluley

Carole, what's your pick of the week?

Carole Theriault

Mine is School of Life, which I shared with you earlier this month, Graham, before we went on holiday. Now, School of Life, just for those who don't know, offers advice on life issues. I think it's the easiest way to say it. It was founded by a number of smart people in 2008 and is now staffed by a bunch of people like psychotherapists, artists, educators, philosophers, all manner of people. And they kind of focus on the everyday stuff. So work issues, family issues, love issues, sex issues, friend issues, the whole gamut. Something I discovered over my break was their YouTube channel. It never occurred to me to look there. But once I did, I found this treasure trove of solid video essays on how we live and what we do well and what we do badly and how we can get over the shit we're bad at, I guess. Graham, I sent it to you for a few issues that you were facing.

Graham Cluley

I did. You sent me a link to the latest video, which is a self-hatred questionnaire, which does it mention piggy little eyes?

Carole Theriault

I didn't say piggy. I just said little.

John Hawes

Well, that's the self part, right? Did you hate yourself less?

Carole Theriault

Yeah. How's the me loving me thing going? I was going to give an example of one for our listeners, right? So there's one called How to Be a Good Listener, right? Which, Graham, I know you started with.

Graham Cluley

Yuck, yuck, yuck, yuck, yuck.

Carole Theriault

So the reason people don't listen to other people is they think talking about me is fun, talking about you is boring, therefore I'll just talk about me and that'll be a much better conversation as far as I'm concerned, right? But apparently, according to the video, the real pleasure about talking about ourselves is figuring out who we are and what we're all about, right? So it's basically self-clarification stuff like, oh yeah, I guess I do believe that, or I guess I think that, or whatever. And you don't get that from talking because you know all the stuff you're saying, but actually you can get it from listening to stories of others. And there's proof of that because people read books and drama all the time. They kind of listen to challenges and successes and go, oh yeah, that's what I would do, or that's not what I would do, or whatever, and kind of find their way in the world. But the difference is editing, isn't it, Graham?

Graham Cluley

Yes.

Carole Theriault

The way to do it is you can edit people by asking the right questions and getting them out of their funk of boring. Now I'm going to tell you what the funk of boring involves. Okay, so you guys can watch out when you tell stories. Number 1, factual elements. You know, it was a Friday, not a Saturday.

Graham Cluley

I was wearing the blue shoes. You were not.

Carole Theriault

Not the yellow shoes. It was the blue shoes. Don't you remember? Okay, all that stuff. No one cares. No one cares. Number two, people are very scared. They'll tell a story, but then they get afraid when they're telling it because they're oh, maybe I'm revealing too much of myself now. So then they pull back and get into superficial land and kind of get boring, go, yeah, well, and then, you know, yeah, so yeah.

Graham Cluley

And it all sorted itself out. And yeah, you don't need to go into that. Anyway, no, but seriously, they're very approachable, easy, accessible,

Carole Theriault

It sorted itself out anyway. What about you, Janine? Anyway, I'll put a few of my favorite ones in the show notes. Check them out.

Graham Cluley

and interesting little videos. They're quite— I quite enjoyed Terrific.

Carole Theriault

They're great.

Graham Cluley

Yeah.

Carole Theriault

They're great.

Graham Cluley

Well, that just about wraps it up for this week. John, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?

John Hawes

Oh no, they can't do that. I'm on holiday.

Graham Cluley

it. I did quite enjoy perusing it.

Carole Theriault

One of our only guests does not want to be followed. You know, praise be.

Graham Cluley

And you can follow us though on Twitter at Smashing Security, no G. Twitter doesn't ask to have a G. And you can also join our Smashing Security subreddit. And don't forget to make sure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Spotify, Google Podcasts, and Apple Podcasts.

Carole Theriault

More importantly, let's thank this episode's sponsor, 1Password, and our wonderful Patreon community. Thanks to them, this show is free for all. And for episode show notes, sponsorship information, guest list, and the entire back catalog of more than 300— not 300, 238 episodes, check out smashingsecurity.com.

Graham Cluley

Until next time, cheerio. Bye-bye.

Carole Theriault

Bye-bye. Feels like 300, you know.

Graham Cluley

There you go, we've done it. We went on holiday and we returned. What's that noise?

John Hawes

It's me taking my sock off my microphone.

Graham Cluley

John, keep your sock on.

John Hawes

I don't want to get it stretched.

Graham Cluley

All right, Keith, what kind of show do you think we're running here?

Carole Theriault

Hey everybody, it's Carole Theriault here. We missed you guys. We didn't miss everything about this show, but we certainly missed you guys. You know, when you go on holiday and you do this weekly show that people expect, you kind of live in fear that people are going to forget about you or not like that you take a break. But instead, we have the best listeners ever. We got some amazing reviews, three of which I want to highlight. From Smashing PSU saying, number one podcast in my heart. And they say, if you are the slightest bit interested in tech, check it out. You will not regret it. Thank you, Smashing PSU. We also got one from MK Knitter that says they've been listening to us for just three months now, and they say they love our Canadian and across-the-pond humor. They went on to mention water sports in their review, so I'm going to skip that bit. And finally, I want to mention Duc de Vierzon from France who says, love this show. Keep up the positive attitude. This show always makes me smile, especially on the trip to work in the car. Brilliant. Thank you, Duke. Thank you, all of you, for your reviews, for listening, for putting up with us while we go on holiday. Until next week.

EPISODE DESCRIPTION:

The Great Londini has gathered a two million strong army to out TikTok trolls, there's a bad supply chain vulnerability in many IoT devices, and how did Wikipedia pages end up covered in Nazi swastikas?

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by John Hawes (who has a very controversial Pick of the Week...)

Visit https://www.smashingsecurity.com/239 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: John Hawes.
