This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Unknown
So I've got two solutions to this. Why don't these glasses have some sort of scrolling dot matrix display at the top which says, "I am filming you, I am filming you, I'm filming you, I'm filming you." You could just tattoo it on their forehead. But more than that, what about visually impaired people and blind people? So shouldn't there also be an audio warning saying, "I'm a twat, I'm a twat, I've just come into the room, I'm a twat, I'm wearing Facebook glasses, I'm a twat." Hello, hello, and welcome to Smashing Security, Episode 244. My name's Graham Cluley.
Carole Theriault
And I'm Carole Theriault.
Graham Cluley
And this week, Carole, we're joined by returning guest, it's Mark Stockley. Hello, Mark.
Carole Theriault
Hello. The wonderful Mark. How are you? How are the chickens?
Mark Stockley
Chickens are— yeah, never mind your family. Thanks to this week's sponsor, 1Password. Its support helps us give you this show for free.
Graham Cluley
Well, I'll be asking the important question: can you trust your VPN's VPs?
Carole Theriault
And what about you, Mark?
Mark Stockley
I am going to be talking about Facebook's worst idea ever.
Carole Theriault
And I'll be talking about duping facial recognition. Can it be done? And all this and much more coming up on this episode of Smashing Security.
Graham Cluley
Now, chums, I bring to you news of a legal nature. It comes from the United States where the Department of Justice has just revealed that 3 former US intelligence personnel have admitted helping the United Arab Emirates get their hands on a series of zero-day exploits for the purposes of spying against people, including American targets.
Carole Theriault
Is this kind of the CIA wanted to know about someone internally, can't go to the FBI because they hate each other, so they get a third party to intercept and do it for them? Is that what this is?
Graham Cluley
I love your mind. I love your mind, Prof.
Mark Stockley
It's complicated, as they say.
Graham Cluley
You've just made it— I mean, as if world politics were complicated enough, you've taken it to a whole new level. Where the CIA is outsourcing spying against its own nation. They've taken that to an enemy country. No, that's not what's happening.
Carole Theriault
Okay.
Graham Cluley
What appears to be happening is the UAE, they had an operation called Project Raven.
Carole Theriault
Good name.
Graham Cluley
And what they did was they hired within Project Raven a number of people who used to work for US intelligence, and they said, "Could you join our clandestine hacking team? Could you possibly help us hack your fellow Americans with your knowledge?" And 3 people who used to work in US intelligence have now admitted that they've been doing this for the UAE. And those 3 people, I'll give you their names: Marc Baier, Daniel Gericke, and Ryan Adams. They were senior managers at a UAE-based company called Dark Matter.
Carole Theriault
I can only think of two reasons why someone would do this. One, disgruntled. Two, wonga.
Graham Cluley
Or maybe disgruntled with their wonga.
Mark Stockley
Or disgruntled by their wonga.
Carole Theriault
Yeah.
Graham Cluley
Yes.
Carole Theriault
Well, yes.
Mark Stockley
I, for one, am shocked that spies have turned out to be untrustworthy.
Graham Cluley
It is astonishing, isn't it? Who'd have thought?
Mark Stockley
Duplicitous, they are. What? He said one thing and meant another.
Graham Cluley
And now he's gone to work for this foreign company, Dark Matter. And if you go to Dark Matter's website, by the way, they haven't got much in the way of a website. They've just got a holding page.
Mark Stockley
Is it dark?
Graham Cluley
It is. Yes. They've used some CSS. Do you have a black background? And it says they are dedicated to providing secure trusted and integrated cyber protection services to government agencies and businesses.
Mark Stockley
Yeah, but everyone says that.
Carole Theriault
Boilerplate. We do the good stuff.
Graham Cluley
They don't say they help governments spy on their enemies.
Mark Stockley
No effort at all into their website.
Graham Cluley
It's a cut and paste kind of thing.
Mark Stockley
It's dark.
Graham Cluley
Now, these three men, they are accused of integrating an exploit into a UAE hacking tool, a hacking tool called Karma. Karma, okay.
Carole Theriault
Well, that's ironic.
Graham Cluley
Yeah. Now, in early 2019, Reuters reported that Karma could basically give hackers access to your iPhones. All you had to do, it's a tool where you can upload loads of phone numbers or email addresses, and as if by magic, it would hoover up photos from the phones, emails, text messages. Users didn't have to click on anything. Last week we had Thom Langford talking about zero-click exploits. It's a bit like that. Get location information from people's iPhones. Only works against iPhones. Can't intercept phone calls, but clearly could cause a lot of mischief.
Carole Theriault
But you wouldn't even know it was on your phone. They're just kind of collecting all this stuff from you, hoovering it all up, and know everything about you. Yeah.
Mark Stockley
And the thing about iPhones is if you can successfully get on them, there's nothing on there that can detect you. Yeah. Because it's this complete walled garden, and you can't have antivirus or anything like that. So there's— You know, you hope that the great big wall that protects you holds up, but if it doesn't, then you have no idea, basically.
Graham Cluley
And targets include the Emir of Qatar, journalists, a senior Turkish official, a Nobel Peace Prize-winning human rights activist in Yemen. And it's claimed that these attacks, done with the Karma tool, they accessed compromising and sexually explicit photographs of some of their time.
Carole Theriault
How many people? How many people have sexually explicit photographs of themselves on their phone?
Mark Stockley
All of them.
Carole Theriault
Really?
Graham Cluley
Yes. Let's do a survey right now.
Carole Theriault
Mark?
Mark Stockley
No, obviously not.
Graham Cluley
No, obviously everyone apart from Mark.
Mark Stockley
But only 'cause I don't know how to work the camera.
Carole Theriault
No, but I just don't get it. Just in case you forget what your boobs look like?
Graham Cluley
You're of a generation, Carole, where you might want to take a photograph right now, Carole, so you can remember them in the future.
Carole Theriault
Ouch!
Graham Cluley
'Cause they're never gonna get any better than they are now. Ah, see, that's nice.
Mark Stockley
But that goes for all of us.
Graham Cluley
Yes.
Carole Theriault
Anyway.
Graham Cluley
All of our boobs.
Carole Theriault
Boobs aside. Boobs aside.
Mark Stockley
I assume it's safest to just round up and say everyone's doing it. I mean, clearly not everyone is doing it, but I think enough people do it that you can just round up to everyone. But I mean, I find it— you go to all the trouble of hiring these ex-spies.
Graham Cluley
Yes.
Mark Stockley
And coming up with a zero-day for iPhones, which is, you know, I mean, it's not simple and it's certainly very, very expensive. And then you put this crazy spyware on there. And then you're "Haha, nude photos!" Well, exactly.
Carole Theriault
They're not— They heard of porn sites?
Graham Cluley
Mark, they're not doing it for a quick rub-a-dub-dub, right? That's not why they're getting the photos.
Carole Theriault
Oh!
Graham Cluley
Influence, isn't it? It's so you can—
Carole Theriault
Oh, it's blackmail.
Graham Cluley
A little bit of compromat. Yes.
Carole Theriault
Yeah.
Graham Cluley
Yeah. That's why they're doing it. Or they might want to see where you are in the world. They might want to see your emails and who you're talking to and that sort of thing.
Mark Stockley
Yeah, but you didn't mention those things.
Graham Cluley
No, I'm just talking about— You were like, "Haha, nudes!" Now, these three gentlemen who've been charged by the Department of Justice, I was interested. So they used to work for this company Dark Matter. What are they doing now, right?
Mark Stockley
I thought—
Carole Theriault
I know how to use LinkedIn.
Graham Cluley
Yeah, I know how to use LinkedIn. Exactly. So I went on LinkedIn and it turns out that these former US intelligence personnel knew better than to maintain a LinkedIn profile. So I wasn't able to find out much about Marc Baier. So I didn't find out much about him, but the next guy, Ryan Adams. Have you heard of Ryan Adams at all?
Mark Stockley
Didn't he go on to have a successful singing career?
Graham Cluley
Exactly. Everything I do, I do it for you.
Carole Theriault
No, that's Bryan Adams. There's also a Ryan Adams.
Graham Cluley
Ryan Adams and Bryan Adams? Yeah. How's that allowed? What do you mean?
Mark Stockley
Well, Ryan obviously looked at Bryan and went, well, it worked for him.
Graham Cluley
Was it Twitter wouldn't allow him a B or something? Well, what's this? Someone called Ryan. As well as Bryan. It shouldn't— it should be like actors. They should have to have different names, I think. Anyway, so I couldn't find out much about Ryan Adams, but the third guy, aha, Daniel Gericke.
Carole Theriault
Okay.
Graham Cluley
He's an interesting chap because he is currently working for a computer security company, specifically a company which is a well-known VPN company called ExpressVPN.
Carole Theriault
What, he's currently working for them?
Graham Cluley
Yes, Daniel Gericke has been hired since December 2019 as their CIO.
Carole Theriault
So the DOJ came out and said, hey, these three dudes have admitted to helping the UAE, nothing we can do about it, so they're just going to crack on?
Graham Cluley
Well, no, thanks for listening.
Carole Theriault
No, no, no, press release.
Graham Cluley
That's not what the DOJ press release says. It doesn't say nothing we can do about it.
Mark Stockley
They wish it did.
Graham Cluley
They've admitted their guilt.
Carole Theriault
Yeah.
Graham Cluley
And if they assist the authorities, then maybe they'll get off with a fine of a few million dollars.
Carole Theriault
Oh, okay.
Mark Stockley
So how do we know they're not already assisting the authorities?
Graham Cluley
Well, maybe they are.
Mark Stockley
Maybe there's kind of wink wink, if you assist us.
Graham Cluley
Mm-hmm. Well, so ExpressVPN CIO is this chap Daniel Gericke.
Mark Stockley
What's the I stand for?
Graham Cluley
What, the Daniel Gericke?
Mark Stockley
Yeah, not the I in the Daniel. No. What does— Oh, CIO.
Graham Cluley
Oh, I see. Chief Insecurity Officer, maybe. I don't know. Something like that. Anyway, ExpressVPN, if you go to their website, they describe themselves as first and foremost a privacy company, because of course VPNs are what you use.
Mark Stockley
Of course.
Graham Cluley
If you want to put all of your internet traffic through some company you've never heard of rather than through your ISP, right? And hope that they will treat your data with respect.
Carole Theriault
And to be fair, most of them say that's what they do, right? That they dump and flush the data, they keep nothing. They're your best friend, privacy buddies.
Graham Cluley
Yeah. Now ExpressVPN are an interesting company. Just this week, they were acquired by an Israeli firm called Kape Technologies for the small sum, just a trifle, $936 million.
Carole Theriault
Oh my God, they didn't even make it to a billion?
Graham Cluley
I know, pathetic, isn't it? They could have tried harder. Now, Kape Technologies, which has bought ExpressVPN, they used to call themselves Crossrider. Now, Crossrider was a rather unpleasant firm that injected ads into websites, sometimes removing the ads that the sites wanted to be there.
Mark Stockley
Ah, so the sort of thing you might want a VPN to protect against.
Graham Cluley
Exactly. The sort of thing that you don't— you wouldn't find particularly trustworthy. And you think that's a bit grubby.
Carole Theriault
Keep your friends close, your enemies closer, right?
Graham Cluley
Yeah. So they then pivoted from being an adware provider.
Carole Theriault
Pivot. Yeah.
Graham Cluley
To becoming some kind of security firm and a provider of VPN services. They renamed themselves Kape. They bought up CyberGhost, ZenMate, Private Internet Access, three big VPN companies, and they also bought two leading VPN review websites. So when you go—
Mark Stockley
This is fine. This is fine.
Graham Cluley
So you will find if you go to two particular very popular VPN review websites, they will typically recommend VPNs which are run by this company or under their umbrella.
Carole Theriault
It's just— okay. So, yeah.
Graham Cluley
So it's all a bit grubby. And if there wasn't enough grubbiness and controversy about ExpressVPN being acquired by Kape, we now have this revelation that ExpressVPN's CIO was not so very long ago helping the United Arab Emirates government hack Americans and activists and heads of state and journalists. And I have to say, would you really trust your VPN if they hired somebody like that?
Mark Stockley
Well, he obviously knows what he's doing.
Graham Cluley
Which is pretty much ExpressVPN's point of view. They have posted it on their blog. They say, oh yeah, we knew about his background. We knew that he provided counter-terrorism intelligence both to the United States and, while employed by Dark Matter, to the UAE. But it says we didn't know the details of what he got up to or any of his classified activities. Well, blow me down with a feather, they sure do know now. So what is ExpressVPN actually doing about this?
Carole Theriault
Putting out a press release saying we're very proud to have him on board.
Graham Cluley
Yes, and publishing a blog post. What they're not doing is they're not saying they're firing him. They appear to be keeping him. And they think that this is going to go down a storm with their customers.
Mark Stockley
I suspect he locked himself into a very beautiful contract saying, "If you decide to get rid of me, you need to give me mucho, mucho wonga." Because I think that they probably sat down for the meeting and he said, "Before you fire me, I just want to show you this very interesting thing I found on the internet." I found some images. Yeah.
Graham Cluley
Which appear to be even taken on some of your phones.
Mark Stockley
Is that you?
Carole Theriault
Are those your knockers? Is that what that is?
Graham Cluley
Is that a bottle washer?
Carole Theriault
I can't really tell, it's so close. It's like an episode of Naked Attraction.
Graham Cluley
So ExpressVPN, they say they are simply harnessing the firepower of our adversaries. Aww. And that's how we protect our customers better.
Carole Theriault
Who's the PR whiz kid that came up with this?
Graham Cluley
Yeah, by applying his background and expertise, Daniel has been central in helping ExpressVPN protect our customers. And it says it has controls in place in case he turns out to be a bit of a bad egg. So just rest assured, you know.
Mark Stockley
I wonder who created those controls.
Graham Cluley
Mark, what have you got for us this week?
Mark Stockley
I have got the worst thing Facebook has ever done.
Carole Theriault
That is big boots to fill, Mark Stockley.
Graham Cluley
I mean, they've gone pretty low before.
Mark Stockley
This is— I mean, this is a personal opinion, so we'll see where you guys end up. But my story is about Facebook's new product, which is called Ray-Ban Stories.
Carole Theriault
Oh. Okay, I know nothing about this at all.
Graham Cluley
Nothing.
Carole Theriault
Nada.
Graham Cluley
It is— yeah, Mark, I'm with you. It is the worst thing ever.
Carole Theriault
Okay.
Mark Stockley
I'm gonna love it. This takes a bit of scene setting. I know that will come as a shock to you.
Carole Theriault
I love a scene set.
Mark Stockley
Let's take some scene— So bear with me as we set the scene. So when you were a child, did you ever own a pair of spy glasses? They're spectacles with mirrors on the inside. And if I remember correctly, I think half the lens is taken up with the mirror, so that you can look behind you and you can spy on somebody without them knowing?
Graham Cluley
I did. I had those. They're quite cool. Yes, you could watch people behind you.
Mark Stockley
Yes. So they were always sold in the backs of comics. Anyway, the point of my scene setting is that by the time you reach adulthood, at least in the English-speaking Western world, I reckon you're probably fully indoctrinated into the idea that spectacles are the perfect place to mount discreet surveillance equipment.
Graham Cluley
Right.
Mark Stockley
And there's a reason for that. It's because they are. Okay? And you don't have to take my word for it, and you don't have to believe the comics, but there actually are surveillance glasses, and I went and found some this morning. They're sold on websites that are given names like spying equipment. There's no pretense about what they are, and they're all the same. They're basically innocent-looking glasses that have got cameras in them so that you can record people, but they don't know that they're being recorded. So all of which is to say, yeah, so you reach adulthood and you've kind of been culturally indoctrinated into the idea that spy glasses are a thing, or they could be a thing, and you could be spied on by someone with spy glasses and you wouldn't know it. You might be getting the idea that this is a form factor that doesn't completely engender trust, and you'd be right. And actually, we know this for a fact because somebody actually tried it a few years ago.
Graham Cluley
Oh yeah.
Mark Stockley
Do you remember Google Glass?
Carole Theriault
Of course.
Graham Cluley
Whatever happened to Google?
Carole Theriault
I've tried them before.
Mark Stockley
Really?
Graham Cluley
Did you try Google Glass, Carole?
Mark Stockley
Did you get beaten up?
Carole Theriault
They're ridiculous.
Graham Cluley
Only glassholes wear them.
Carole Theriault
'Cause you take little pictures with it. You just press a little button on the side and it takes snapshots.
Graham Cluley
They were really dorky looking, weren't they? They made you look like a ball.
Carole Theriault
He was wearing toe sandals, right? So, you know, he—
Graham Cluley
Were they equipped with cameras as well?
Carole Theriault
Probably.
Mark Stockley
Yeah, but that doesn't matter, 'cause then you just get fantastic pictures of other people's feet, wouldn't you?
Carole Theriault
Okay, crack on, crack on.
Mark Stockley
So, I mean, as you spelled out, Google Glass was basically glasses made by Google that had a camera on them. And they were kind of an Android phone in the form of a pair of glasses. But they, a really interesting thing happened with Google Glass. It seemed to sort of step over a line that we didn't know we had because there was a huge backlash to it. I'm not sure they ever even got out of beta, but loads and loads of people had them. I think Google was doing a big sort of research project to see what would happen. And what happened was they got banned from a load of places. So they got banned from movie theaters and strip clubs and basically anywhere you don't want someone filming your intellectual property. They got banned from hospitals. Warning signs went up in restaurants and bars, cafes. And as Graham said, it got its own insult, glassholes. I never heard that.
Carole Theriault
I actually thought, Graham, you were a little clever there.
Mark Stockley
The thing that really stuck out about Google Glass for me was there were actually films. I can't remember if they were filmed by the people wearing the Google Glass, I think they were, of people beating them up for wearing Google Glass because you couldn't tell if you were being filmed. So if somebody walked into a crowded bar wearing Google Glass, there was a kind of non-zero chance that actually they were gonna get set upon. Yeah. So the form factor, that thing that we've all been programmed into, you know, we already understand spy glasses, you know, you might be having spy glasses, that was definitely a problem. But it probably also didn't help that it was Google that was doing it, because nobody trusts Google, right?
Carole Theriault
I don't understand this term form factor.
Mark Stockley
Just the form of spectacles. So the—
Carole Theriault
Oh—
Mark Stockley
Just the shape, right?
Graham Cluley
Oh, the shape of the glass. Yeah.
Carole Theriault
The shape. I see. Okay. Got you.
Graham Cluley
Carole, imagine you're in a pub and two people walk in. One of them is wearing Google Glass and the other one is Michael Bublé.
Carole Theriault
Mm-hmm.
Graham Cluley
Which one are you going to punch first? That's what you have to ask yourself.
Carole Theriault
Well, I wouldn't punch the person with the glasses. It's probably going to be uploaded directly to the cloud.
Graham Cluley
Oh, okay. So for that reason, you're going to punch Michael Bublé, beloved of middle-aged women around the world.
Carole Theriault
He's not! Don't insult women!
Graham Cluley
Well, I know a middle-aged woman who is quite keen on him. Friend of the show, Yogi. Is she middle-aged? I don't know.
Carole Theriault
She's not middle-aged. That's why I'm dying over here. Mark, please save him.
Mark Stockley
So, what I was trying to say was the fact of the existence of spy glasses is itself a problem. But attaching that to the name Google, I think, is probably really because nobody trusts Google, right? Now, can you think of another company out there that people might trust even less than Google?
Graham Cluley
Ding, ding, ding, ding, ding! Facebook.
Mark Stockley
Carole, could you think of anyone?
Carole Theriault
No, I think I have to agree. I mean, I can think of lots actually, but yeah, probably Facebook.
Mark Stockley
Well, I think it's really interesting that you have both identified Facebook, because clearly Facebook itself couldn't. Because it has decided to pretend that Google Glass never happened. And it has invented something that has all the things that people hated about Google Glass, only it's made by a company that people hate the same, if not more. So what could possibly go wrong? So these glasses, by the way, they look like normal glasses and they've got a couple of 5-megapixel cameras in them.
Graham Cluley
They look like Ray-Bans, don't they? They're Ray-Bans sunglasses.
Mark Stockley
Well, they look like Ray-Bans because they are Ray-Bans. Because it's possible that somebody at Facebook did actually put Google and Glass together and figure out that attaching Facebook to spy glasses might not go down brilliantly. So what they've done is they've done a partnership with Luxottica, who are the people that make Ray-Bans, and they've left their name off it. So they're called Ray-Ban Stories.
Graham Cluley
Oh, so they don't say Facebook on them? No.
Carole Theriault
I'm looking right now. So there's this little kind of button on the side. Is that where you take pictures and do all your crap?
Mark Stockley
No, no, the button turns it on and off.
Carole Theriault
Right. Do you have to touch it?
Graham Cluley
It can be voice activated, Carole. You can say, "Facebook, start filming," and it'll start filming.
Mark Stockley
But that'd be fun for everyone else, wouldn't it? Film that, Facebook. Anyway, I think this collaboration with Ray-Ban is really interesting because, you know, obviously Facebook is trying to launder its name by attaching it to Ray-Ban. But I'm not sure that Ray-Ban has completely thought this through. That's some heavy lifting. Is Ray-Ban going to elevate Facebook, or is Facebook going to sink Ray-Ban?
Carole Theriault
I'm gonna go look at Ray-Ban stock pricing, stock prices, just to see if they hit some trouble.
Graham Cluley
So there's a few interesting things, I think, with these glasses. I mean, I'm not naturally a violent person, and I wouldn't normally hit someone or break their nose, but there is something—
Mark Stockley
This is a bit 'I'm not a racist, but'—
Graham Cluley
But there is something about someone wearing Google Glass, for instance, which kind of makes you want to do it. And it's not just that they're spying on you or might be spying on you. But there's something a bit dorky about it. And just you look a bit of a twat. I really don't like that you're spying on me. These ones from Facebook/Ray-Ban aren't as offensive looking.
Carole Theriault
No, they look like Ray-Bans.
Graham Cluley
But what they're doing
Mark Stockley
But what they look like is the spy glasses on the spying equipment website.
Graham Cluley
Right.
Mark Stockley
The only other one, the really high-profile one out there is the Snapchat. I can't remember what they're called.
Graham Cluley
Oh yes, I remember.
Mark Stockley
But I mean, they look kind of ridiculous. You're absolutely meant to see that someone is filming you. It's got this sort of big circle of LEDs going, and the lenses are really big.
Graham Cluley
is really upsetting.
Mark Stockley
But the Ray-Bans look just like the spy glasses, although they do have a little tiny LED on them. Although there's already various privacy bodies kind of going, "Well, how big is that LED?"
Graham Cluley
Is that really enough? Well, and why doesn't the LED flash, right? It's a solid light.
Mark Stockley
It's like a rangefinder.
Carole Theriault
On the other side, right, for the other eye, there should be a flashlight so that you can just get really perfect lighting, right? A bit like Orbital in concert.
Graham Cluley
So what's going to upset people is that people might be filming them without their permission, right? And indeed, they may not realise that they're being filmed because there is this little LED, but who's going to notice that anyway? Otherwise, the glasses look fairly normal. It's not flashing.
Mark Stockley
But also, I shouldn't have to watch a Facebook product video to learn that there's an LED, right? To understand that if somebody walks into a room and has camera lenses in their glasses, that I should expect to see an LED, and that if I don't see an LED, I'm not being filmed.
Graham Cluley
Yeah.
Mark Stockley
And if I turn my back, I'm not going to see the LED anyway.
Graham Cluley
So why don't they— so I've got two solutions to this. Why don't these glasses have some sort of scrolling dot matrix display at the top which says, "I am filming you." I'm filming you, I'm filming you. They could just tattoo it on their forehead. But more than that, what about visually impaired people and blind people? Don't they have a right not to be filmed and photographed by someone wearing these glasses? So shouldn't there also be an audio warning saying, "I'm a twat, I'm a twat, I've just come into the room, I'm a twat, I'm wearing Facebook glasses, I'm a twat." Is this the promo launch video?
Carole Theriault
So this is an actual product. This isn't a joke. This isn't a deleted April Fools' Day.
Mark Stockley
No, this product is on sale right now. But the launch video, I mean, I love it and I hate it at the same time. It's one of those so bad it's good videos. So I want you to imagine that you're Facebook and you've decided your name's a bit toxic or, you know, you need to up your cool because Facebook is decidedly not cool. And you've landed a partnership with Ray-Ban. And you've made sure the Ray-Ban name is on it. And you're going to do a cool launch video to get your product going. I want you to choose somebody really cool to be on your video. Who are you going to put on the video, Carole?
Graham Cluley
I knew you were going here.
Carole Theriault
I have no idea.
Mark Stockley
Mark Zuckerberg, obviously. Obviously.
Graham Cluley
Oh no. The most relaxed, natural person on earth, Mark Zuckerberg. Carole, what have you got for us this week?
Carole Theriault
So we have a perfect storm a-brewin'. And tell me if you agree with this concept, right? So COVID has made us much more wary about touching stuff we don't need to touch. Do you guys keep sanitation gel in the car, for example?
Mark Stockley
On the car?
Carole Theriault
In the car.
Mark Stockley
Oh, sorry, that's a step too far.
Carole Theriault
Just smear it all over your vehicle. When you go to the market or whatever, the supermarket or whatever, you don't paw all the oranges as you might have pre-COVID in order to find the juiciest ones. You might kind of go, I'm going to use my eyes to just pick the ones that I want so that I don't, you know.
Mark Stockley
Yeah, right.
Carole Theriault
Am I being crazy?
Mark Stockley
No, not at all. I was just imagining you smooshing an orange into your eye for some reason. Then I realized you meant looking at them.
Carole Theriault
You just don't touch as much. I don't think, Graham, you and I have hugged in, I don't know, years probably.
Graham Cluley
Yeah, yeah, it's been great. Okay, and also I haven't had a cold in two years. Literally, that must be a total record.
Mark Stockley
I mean, so I've just had a horrible cold.
Carole Theriault
Yeah, but you have kids.
Mark Stockley
Exactly. I hadn't realized how much I had enjoyed not having colds. And then, but it kind of, you know, it's like the germs have been saving it up. So when you finally get one, it's like, not a normal cold.
Carole Theriault
A lot of people have talked about this, saying that they're getting a lot less colds, and so they want to avoid that. So I don't know, think about it now. So now, post-pandemic times, certainly, well, currently in the UK, you know, with quotation marks.
Graham Cluley
We have big quotation marks.
Carole Theriault
Yeah, I agree. I agree. People need to get from A to B, you know, for work or to pick up their kids or all the things. And, you know, maybe some people are going to gyms and, you know, people are now looking to facial recognition to help them process people, like hotel chains or gyms. And how do you feel about these people, say, you know, maybe even public spaces like local government? How do you feel about these people having your facial recognition information or data, or data points, and them storing that? Does that make you feel, so similar to Mark's story, how do you feel about that? Is that good, or do you not care?
Graham Cluley
Is it too late? Well, I have full confidence in the powers that be, storing such information securely and only using it appropriately. I'm sure it would never come to any harm and would never fall into the wrong hands. So, no problems here.
Mark Stockley
I agree with Graham. I think after three decades of nobody having their data breached and everybody understanding perfectly, you know, how to secure systems and keep data safe, we can all rest easy that no bad will come of this.
Carole Theriault
I cannot wait to use those quotes out of context. Who needs Lyrebird?
Mark Stockley
So I think the thing that really disturbs me about these sorts of systems is not even so much who's going to store it or whether or not they're going to store it safely. It's that the more complex you make things, the more unintended consequences you have.
Carole Theriault
Yes.
Mark Stockley
I think that's what's happening with facial recognition now, is there was an initial sort of burst of enthusiasm for it, and loads and loads of police forces around the world all embraced this technology. And then there's a lag, and then you start to see the unintended consequences. And the fact that so many of these things rely on machine learning, which is, you know, prone to whatever bias you have in the material it's trained on. Because it's, it's, you know, it's a machine that learns. You give it examples of the things you want it to spot, and it spots them, you know, whether it's faces or whatever.
Carole Theriault
I don't think anyone would say though it's not in its nascent age, so to speak, right? So I would agree, it's totally, you know, I believe that it's completely probably biased, you know, to an nth extent because the samples have not been representative of the world in any way. But as they use it more, I can imagine the argument being used, well, look, if you can use it in all these places everywhere across the world internationally, our data will become very accurate. Which raises a second problem, which is public, or rather the users of facial recognition. See, isn't that weird to say that if it's in a public domain that you're a user of facial recognition? But you have not consented to being scanned, right? So similar to Mark's story, you've not said okay.
Graham Cluley
Well, you might have done.
Carole Theriault
But I don't think my face should be like a license plate.
Graham Cluley
There might be a little sign on the outside of the building saying, by entering here, you agree that we will be using facial recognition and we'll be doing X, Y, and Z.
Carole Theriault
Okay, but what if your local government decides to do it across the city?
Graham Cluley
Yeah.
Carole Theriault
In a shopping mall, I suppose, you know, and how big should that sign be? Does it— can it be like in 10-point font, like near the door where they say CCTV in action?
Graham Cluley
As long as it's about the same size as the one which tells people who are wearing Google Glass or Facebook Ray-Bans to fuck off, then I'm happy.
Carole Theriault
So anywho, not everyone's happy about facial recognition, as we've learned. So there's a few researchers out there trying to push the boundaries and see if it's possible to dupe facial recognition. Now, we talked a little bit about this in episode 168, where we talked about CV Dazzle. This was an artist who explored how fashion could be used as a camouflage from face detection technology. Now, one of the arguments at the time was, okay, cool, but people will see you coming a mile off with, you know, that sort of razor-haired— basically structures in front of your face to mask your actual—
Graham Cluley
Yes. See, CV Dazzle, they sort of had crazy haircuts and things, didn't they? And bizarre makeup.
Carole Theriault
Exactly. Now, there's been a recent new study that I wanted to share with you to see if you thought this was more legit or not. So Motherboard covered this. This is where researchers found a rather easy way to bypass facial recognition technology. And according to their own reports, it's pretty darn successful. And they used makeup.
Graham Cluley
When you say they used makeup, do you mean like Justin Trudeau uses makeup or some other sort of—
Carole Theriault
Hey, hey, hey, hey, hey, come on. What happened with the elections yesterday? I haven't looked yet.
Graham Cluley
He got in.
Carole Theriault
Did he?
Graham Cluley
Yep, still has a minority. Snigger. I don't mean on that, I mean in Parliament.
Carole Theriault
Okay, okay.
Graham Cluley
Sorry, but being a man, I'm sure Mark can agree with this, we're not big fans of Justin Trudeau.
Carole Theriault
Okay, why? He's too hot?
Graham Cluley
Yeah, yeah, he's too bloody hot.
Mark Stockley
Basically, yes.
Graham Cluley
Yeah, he's too hot, he's tall, handsome.
Mark Stockley
He's young, he's powerful.
Graham Cluley
Yeah.
Carole Theriault
Okay, this is what Motherboard wrote about this research. In their experiment, the researchers defined 20 participants as blacklisted individuals, right, on the facial recognition software so that their identification would be flagged by the system when recognized. Makes sense. So I say if Graham Cluley— here's his pic, you know, this guy comes through— flat, you know, alert, alert, lock all doors, no, no, right?
Graham Cluley
Yeah.
Carole Theriault
Then they used a selfie app called YouCam Makeup to digitally apply makeup to the facial images according to the heat map.
Graham Cluley
Right.
Carole Theriault
Which targets the most identifiable regions of their face.
Mark Stockley
So when you said makeup, I assumed you meant makeup. Well, how does the—
Graham Cluley
Oh no, she meant makeup, Mark. She didn't mean makeup.
Carole Theriault
Okay. I've sent you guys a link. And here, let me give you the timestamps just so you can quickly see the looks that can be created by— oh my God. So what it says on this video is how to become a TikTok e-girl with just a few taps, right? And you can go through a few of the looks there. This is how you glow up your YouCam makeup.
Graham Cluley
Oh, I see. So adds makeup virtually to your little video thing. So if I was doing a TikTok dance—
Carole Theriault
I'm not sure I'd call any of these things makeup though. I don't know if you saw the one where she's actually wearing clouds across her nose. So we have the look, the sweetheart look, which has hearts across her nose as though they're like, you know, I don't know, Pippi Longstocking's freckles. And then you've got clouds, desert, sandy glow look. I'd love— you should show your daughter, Mark, and see if she thinks this is amazing or horrific.
Mark Stockley
She's already very well versed in this, I'm sure. I'm just— I'm amused by the idea of trying to dodge facial recognition by wearing clouds in front of your face. I mean, I think that's a fantastic idea. I'm just wondering how you maintain the clouds.
Carole Theriault
Yes, well, here's part 2. So I'm thinking, hmm, this is going to be fairly obvious to people if Graham Cluley walked down the street with a bunch of clouds over his nose and eyes.
Graham Cluley
I wouldn't walk down the street like that. I'd sashay.
Carole Theriault
Sashay. But then I got it wrong because, quote, a makeup artist then emulated the digital makeup from YouCam Makeup onto the participants, but using natural pigmented looking makeup in order to test the target model's ability to identify them in a realistic situation. So, so the one with the clouds, for example, across the face, they would put them all in flesh tones across your face. Oh. Yes. They say they did it in different lighting and they had two or three different cameras set up along a hallway. There is a YouTube video. Let me send it to you guys so you can take a look, and I will put it in the show notes for our listeners.
Mark Stockley
Maybe CCTV cameras use that special wavelength of light that reveals weapons and pants. Yeah.
Carole Theriault
So here it says this. It says participants wearing the makeup walk through a hallway to see whether they could be detected by a facial recognition system. The hallway was equipped with two live cameras that streamed to the MTCNN face detector, and the researchers evaluated the system's ability to identify the participant.
Mark Stockley
I'm a little bit confused about why they had to do clouds. Is this actually just a really elaborate advert for some makeup app? They could have just done wacky lines.
Carole Theriault
No, I think that's exactly it. They can do any different type of pattern. All it needs to do is obfuscate the face in a way that changes the heat map of the face, at least as far as I understand it. So apparently this is the findings, and this is maybe a little bit interesting. So no makeup at all, right? Like you guys walk around every day. Participants were detected in almost 50, so 47, 48% of the captured frames. So basically 1 in 2 frames would be able to recognize who you were. Okay. And this is you being already alerted on the system as someone they don't want to let through. Right. So your picture's already been uploaded to the system. If they wore random makeup like many women do, it drops to only a third of the frames, from about half to a third, just wearing random makeup.
Mark Stockley
Just when you say random, do you mean just normal patterns of lipstick?
Carole Theriault
Yeah, I guess. I guess. Yeah. And using the researchers' method of applying makeup to the highly identifiable parts of the attacker's face, they were only recognized in 1.2% of the frames. Wow.
Graham Cluley
So makeup can bugger up facial recognition systems is what they found.
Carole Theriault
And that is probably due to the biases instilled in the current algorithmic, you know, backlog, right, back catalog. Because if they were mostly white men, middle-aged white men, or, you know, young white men then, and most of them wouldn't be wearing makeup.
Graham Cluley
Can I ask a question?
Carole Theriault
Mm-hmm.
Graham Cluley
So my question is this, right? You know how they have controls and provisions to prevent people from buying lots of fertilizer in case they create a fertilizer bomb, or munitions, or, you know, big knives and things like that, you know, in case you're going to cause some sort of terrorist outrage? Should they similarly be policing makeup counters inside department stores in case some dodgy folks can buy too much slap and begin to— because if people who normally wouldn't buy those kind of products suddenly begin to buy them, you might begin to say, well, whoa, whoa, whoa, whoa, what, what do you want this for?
Carole Theriault
What I find interesting is that Dolly Parton is circumnavigating the future. She wears a lot of slap and she's going to get through everywhere.
Graham Cluley
Can I say, I just love that—
Mark Stockley
'Cause I'll just be unrecognizable.
Graham Cluley
I love that fact that you've used the words Dolly Parton and circumnavigating at the same time. It had a sudden— created a sudden image for me in my head.
Carole Theriault
Why? It's not circumcision. No!
Mark Stockley
Goodness me. I think Graham was thinking more about orbiting globes.
Graham Cluley
Thanks to this week's sponsor, 1Password. Did you know around 80% of business data breaches result from weak or reused passwords? Well, using 1Password can close the gaps in your company's security, combat shadow IT, and help your employees stay both productive and secure wherever they are. With the right tools, the right mindset, you can create a culture inside your company where your employees feel empowered to share responsibility for security risk management. 1Password makes the secure thing to do the easiest thing to do by letting your employees stay secure without slowing them down. For employees, 1Password makes it easy to play their part in personal security and by extension company and customer security too. So what are you waiting for? Find out more. Try 1Password for free for 14 days. All you got to do is go to 1password.com/techtalks. And thanks to the team at 1Password for supporting the show. And welcome back. Can you join us on our favorite part of the show? The part of the show that we like to call Pick of the Week.
Carole Theriault
Pick of the Week.
Mark Stockley
Pick of the Week.
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily.
Carole Theriault
Better not be.
Graham Cluley
Well, my pick of the week this week is not security related. You know, under lockdown we've all taken on new little hobbies and things. Eating. And one thing which I have returned to is I bought a book a while ago by a chap called James Rhodes. And James Rhodes is a pianist. He's also a public speaker. He's an interesting chap with a troubled background. Which I'll let you read about because it'll bring down the tone of the show. But he has written a book called How to Play the Piano where he says he can teach anybody, provided they have two hands and ten fingers, how to play Bach's Prelude in C Major No. 1 within about 5 or 6 weeks.
Mark Stockley
So I hope now you are going to play the piano for us. So I'm ready for this, Graham. This is an absolute treat. Without further ado... Ladies and gentlemen... What was it called?
Graham Cluley
Prelude No. 1, C major.
Carole Theriault
So basically the key that the piano is tuned to at all times.
Graham Cluley
Yes.
Mark Stockley
Yes.
Graham Cluley
Now, I can't play all of it. As you can hear right now, I can't play all of it. But I can play about the first 30 seconds. That's because I haven't really been doing my homework. I'm supposed to spend 45 minutes a day.
Carole Theriault
How long have you had this book?
Graham Cluley
I've had the book about 2 years.
Mark Stockley
Yeah, I've had it about 2 years. So he said 6 weeks.
Graham Cluley
He said 6 weeks.
Mark Stockley
And you've had it for 2 years and you've learned 30 seconds of it.
Carole Theriault
That's— Meanwhile, I learned to become a painter.
Graham Cluley
Anyway, it's a great book. And I've also recently— well, for some of those 2 years, can I say, I didn't have access to a piano. Which rather stunted my ability.
Carole Theriault
I would have given you my— I would have lent you my keyboard. Yeah.
Graham Cluley
Well, thank you for mentioning that now.
Carole Theriault
We didn't ask.
Graham Cluley
But your keyboard doesn't have enough keys on it.
Carole Theriault
Oh, that's right. You bitch. It only has 2.5 octaves. Yeah.
Graham Cluley
So I have recently purchased an electronic keyboard with weighted keys, which is rather good and rather affordable. And if anyone else is in the same position as me and wants a little bit more tinkle-tonkling in their life, then I can recommend the Yamaha P45. Better— yes, better pianos are out there, but it's rather splendid, and that's why I've been using it. Links in the show notes. We can both find out about the book, watch James Rhodes speak about music, or indeed find the keyboard. And that is my pick of the week.
Carole Theriault
And you'll never have to listen to Graham play again. No, Graham, you're great. I think it's great. You should do more of it. You should do half an hour a day.
Mark Stockley
Come on.
Graham Cluley
I should.
Carole Theriault
Yes, I should. Discipline. Art is good.
Graham Cluley
Yeah, I know. Mark, what's your pick of the week?
Mark Stockley
My pick of the week is a book called Origins. It's by Lewis Dartnell. Now, anybody way back when I— on a previous episode where you invited me on, I mentioned The Knowledge, which was Lewis Dartnell's first book, and that was the book where he basically said this is how you reboot civilization. This is the technology that you would need to acquire after an apocalypse in this order. And it was really a kind of grand tour of humanity's technological evolution. And he wrote that book and he took a step back and he went, no, I don't think I've covered enough ground. It wasn't really big enough. So he's decided to write another book which covers a bit more ground, and it's literally The Origin of Everything. It's a fascinating book and it's all about how things like tectonic movement of the Earth's— the plates around the Earth and the variations in the Earth's orbit and wobble and things like that affected the evolution of life on Earth and the development of humanity. So why did humans develop big brains when they developed big brains and that sort of thing. And probably my favorite thing from the book so far is just the fact that all of human civilization, the entire thing, the whole decision to kind of settle down, domesticating animals, growing crops, industry, all of that kind of stuff is happening in a pause between ice ages, that we're actually living in an era of enormous ice ages that last for hundreds of thousands of years with brief pauses in between them. And we're about 12,000 years into a 15,000-year pause between ice ages. So it's that kind of stuff. Big stuff.
Carole Theriault
Do they talk about chickens?
Mark Stockley
We haven't got to the chickens chapter yet. I'm about halfway through this, but I'm looking forward to that tremendously. Yes, as we know, chickens are dinosaurs, and if you doubt me, then just come and visit my chickens.
Carole Theriault
This is great. My husband will love this. I've put it in my basket in buying it for him, and as he never listens to the show, it will be a surprise.
Graham Cluley
Carole, what's your pick of the week this week?
Carole Theriault
Mine's great. It's called Lifelines, Radio 4 series, now in its 5th series, and it's 15-minute episodes. So you kind of sit on the shoulder of actress Sarah Ridgeway, who plays this character called Carrie, who is a call handler in an ambulance control room. It's awesome, guys.
Mark Stockley
Oh my God.
Carole Theriault
So each episode deals with a single or a series of calls to the 999 ambulance, and she handles the calls. So we're kind of listening in on all her calls. And I think part of the joy of it is you also get these little flash glimpses into her daily life, you know, say trouble at home or whatever. And then you can see how it impacts how she deals with callers. And dealing with callers is helping victims of an emergency. Are you okay? Do you want to have a sip of water?
Graham Cluley
I've run out of water. Carry on.
Carole Theriault
Okay, I'm almost done. Sorry, I go— See, this is how Graham hurries me through my bits. This is how he makes me less relevant on the show. He gets tired by the end.
Mark Stockley
He's getting old, Carole.
Carole Theriault
I know, I know. And it's always—
Mark Stockley
Yeah, it's always a long hour, hour and a half. It's, you know, at his age, that's a lot.
Carole Theriault
But, you know, you see how she handles, helps victims, but also spots time wasters and some criminals. It's all fiction, but it's gripping. I mainlined it like a podcast addict. You know, I made a whole Middle Eastern feast while listening to 3 series without interruption, which was a perfect afternoon. Over the weekend. So where do you get it? You Brits are lucky, you can find it, the entire back catalog, on BBC Sounds. And the rest of you can hear a snippet for free on the podcast, BBC podcast called Drama of the Week. Last week, Lifelines was in the feed, which is how I actually spotted the show, and I'd never heard of it before.
Mark Stockley
So, so you spotted it last week?
Carole Theriault
Yes.
Mark Stockley
And you've mainlined 3 series.
Carole Theriault
Well, they're 15 minutes, right? And there's maybe 6 episodes per series. So yeah, and I made dinner for about— I made it. I made homemade falafel, hummus.
Graham Cluley
Yeah, it makes sense. I've watched a whole load of Married at First Sight UK in the last week or so, which is similarly highbrow.
Mark Stockley
What did you make while you were doing that?
Graham Cluley
What did I make? I made a bit of noise on the piano.
Mark Stockley
But only 30 seconds.
Graham Cluley
Yeah.
Carole Theriault
I love it. Lifelines, Pick of the Week, BBC Sounds, or Drama of the Week podcast, wherever you get your podcasts, check it out. It's great.
Graham Cluley
Well, we've had some terrific picks of the week this week. Mark, your book sounds fascinating. Carole, your drama thing sounds all right. And— The piano, however, wins, I think.
Mark Stockley
Yeah, sounds— that sounded better than your piano. 6 weeks.
Graham Cluley
And that just about wraps it up for this week.
Mark Stockley
6 weeks to learn it, and you've learnt 30 seconds in 2 years.
Graham Cluley
I'm sure lots of our listeners would love to follow you online, Mark, and see what you have to say for yourself. What's the best way for folks to do that?
Mark Stockley
You can follow me on Twitter. I'm @MarkStockley. Phishing.
Carole Theriault
Thanks to this week's episode sponsor, 1Password, and to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 243 episodes, check out smashingsecurity.com.
Graham Cluley
Simple. And you can follow us on Twitter @SmashInSecurity, no G, Twitter doesn't allow us to have a G. Until next time, cheerio, bye-bye, bye-bye. And we've also got a Smashing Security subreddit. And don't forget to ensure you never miss another episode.
Carole Theriault
Okay, I'm gonna find this picture of this girl and delete it from my phone because— no, but Mark, thank you, because you're right, it's absolutely appalling.
Graham Cluley
Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Overcast.
Carole Theriault
It's fucking appalling.
Graham Cluley
So why did you take the photo again?
Carole Theriault
She had cool hair and I was taking the picture for a friend who was looking to get her hair cut and didn't know how to do it. And I said, oh my God, that would look perfect on her. Let me grab a picture. Oh, I'm too embarrassed to go up to her and ask if I can take a picture of her face, so I'll do it surreptitiously. And then I— then I sent the picture. I sent the picture. Yes, I did. This is like a little— okay, I have to admit, this was 15 years ago, or 10 years ago. 10 years ago, when, you know, it'd be everywhere by now.
Mark Stockley
That's like 10 years in privacy years. Yeah, 10. No, that's like 150 years.
Carole Theriault
150. 10,000 years.
Mark Stockley
Yeah, yeah.
EPISODE DESCRIPTION:
How much do you trust the people who work at your VPN provider? How are folks fighting facial recognition? And what on earth is Ray-Ban thinking getting into bed with Facebook?
All this and much, much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley.