258: Tesla remote hijacks and revolting YouTubers

January 19, 2022
Transcript: This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault

Do you want to know what my stipend is per day for just civic duty? Because they do give you a little wonga for the—

Graham Cluley

Oh, they pay you?

Carole Theriault

Yeah, they pay you.

Graham Cluley

Okay.

Carole Theriault

£32 a day.

Graham Cluley

£32 a day just for sitting on your ass.

Carole Theriault

My ass.

Graham Cluley

Eating sandwiches.

Carole Theriault

You don't eat sandwiches. You don't sit there eating popcorn in the court. Oh my God.

Unknown

No. Smashing Security, episode 258.

Carole Theriault

Tesla I can't confirm or deny my responsibilities.

Graham Cluley

I'm looking forward to finding out what it's all about.

Carole Theriault

Well, when I can, I will. I'll share on the show.

Graham Cluley

Is it a legal case involving elephants being hidden under pots? Because—

Carole Theriault

Who told you?

Graham Cluley

After last week's episode, there's been a bit of blowback from the listeners.

Carole Theriault

Yeah, I love the listeners because I did the most horrific job in trying to explain it, although it was really funny. But yes, it was the Monty Hall goat. Listeners did a really good job explaining it. Thank you.

Graham Cluley

Thank you.

Carole Theriault

Thank you. And it turns out that you were wrong.

Graham Cluley

I was wrong and you were right, though it's pretty mind-bending, isn't it? So we are recording this episode early in the morning, earlier than we've ever done it before, because you've got to go to jury service. So let's get on with it, shall we?

Carole Theriault

But first, let's thank this week's sponsors, 1Password and Uptycs. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?

Graham Cluley

Is it a big tease or a Tesla vulnerability?

Carole Theriault

And I am going to talk about celebrities, YouTubes, and those flipping NFTs. All this and much more coming up on this episode of Smashing Security.

Graham Cluley

Now, chum chum, Teslas, Tesla cars made by our good friend. Well, not by hand, made by him, I imagine. It's not. Can you imagine if they were?

Carole Theriault

What?

Graham Cluley

Maybe everyone assumes he does everything at the company. He's the one boring into the ground. He's the one making the cars, building the spaceships, inventing everything.

Carole Theriault

We thought that of Steve Jobs as well.

Graham Cluley

I suppose so. Yeah. Well, Teslas. Obviously, they are desirable cars for many people, cost lots of cash, do clever things, maybe a bit too clever for their own good. Perhaps. There is a hacker. Well, is he a hacker or is he a security researcher? You can decide for yourself. Based in Germany, he claims to have taken remote control of Tesla cars, allowing him to disable their sentry mode. In other words, their security, unlock doors, start the cars remotely, even spy on drivers because apparently Teslas have little internal cameras watching the driver. I don't know if that's to work out if someone's fallen asleep or what.

Carole Theriault

Oh my God. If there was a court case and you needed to know who was driving the car and it was unclear, you know, the cops could hit up, yeah, with a subpoena saying, can you just let us know?

Graham Cluley

Well, I don't know if it's all held locally. Maybe it isn't even stored. Who knows?

Carole Theriault

Who knows? Who knows?

Graham Cluley

Not us.

Carole Theriault

Yeah. I've never been in a Tesla actually.

Graham Cluley

No?

Carole Theriault

No.

Graham Cluley

No, I don't think I have either actually. Anyway, there is a chap. His name is David Colombo. And 19-year-old David Colombo.

Carole Theriault

19. Barely face fuzz.

Graham Cluley

He runs Colombo Security.

Carole Theriault

Wow. He's entrepreneurial.

Graham Cluley

Well, he may just set up a— I don't know how many people he employs.

Carole Theriault

I know, but 19. Most of them are smoking jazz cigarettes and—

Graham Cluley

Well, maybe when you were 19. I mean, I was writing computer games and doing bits and bobs. Anyway, HMRC may be listening. Let's not go into it. He says that he has found a way of gaining unauthorized access to more than 25 Tesla vehicles in several countries around the world.

Carole Theriault

Oh, several countries. See, I was thinking if they all had to be nearby or something. That's interesting.

Graham Cluley

No, no, no, no, no. This is all remote. This is all remote control. And so 25 vehicles in several countries, including Germany, Belgium, Finland, Denmark, the UK, the US of A, Canada.

Carole Theriault

What?

Graham Cluley

And China.

Carole Theriault

He went after Canadians?

Graham Cluley

There are Canadians with Teslas. Who'd have known it?

Carole Theriault

David Colombo. Okay.

Graham Cluley

Well, here's another thing. Just one more thing. He says that this problem isn't actually Tesla's fault, but instead the problem lies with vulnerabilities in a third-party app, which some Tesla drivers have downloaded and used.

Carole Theriault

So third parties can sometimes be part of a company's supply chain, right? So Tesla uses components from company X, and if that X component has a vulnerability, you may kind of say, hey Tesla, do your due diligence and check all the components and make sure they follow the rules. But this is an app that drivers have downloaded themselves?

Graham Cluley

That's right. It actually has no connection with Tesla at all.

Carole Theriault

Right, okay.

Graham Cluley

So Tesla don't endorse it, they don't use it, they haven't vetted the software. It's something someone else has taken which uses, I imagine, the Tesla API.

Carole Theriault

Does this have a name? Well, okay, sorry, sorry, I'm jumping ahead.

Graham Cluley

No, no, no, no, no, it's a good question because it's the obvious thing to ask is, well, what is this app? Well, the name is being withheld at the moment because the vulnerabilities still exist. So some of them are still being worked on and in an attempt to avoid other people finding out where the vulnerability is and maybe taking remote control of people's cars, it's not being shared by Colombo. Now, that's not to say that there aren't other people out there who've made some pretty educated guesses as to what this app is, but I'm not going to get into that on this particular show.

Carole Theriault

Yeah, it's kind of unusual if you're doing a responsible disclosure of a flaw to talk about it before it has been resolved.

Graham Cluley

Well, yes, it is. And that possibly has brought a little bit of unwanted attention as far as David Colombo is concerned, because he did say, hey, you know, I found a way to remotely hack into Teslas. And some people are saying, aren't you hyping this up a bit? Are you doing this maybe to get more likes and follows?

Carole Theriault

Well, sure. Who doesn't do anything without wanting that stuff? You know?

Graham Cluley

Well, some people do. Some people—

Carole Theriault

Me.

Graham Cluley

Carole, out of the goodness of their heart, will throw themselves into the British legal process. It's not like you're going to have a t-shirt saying, I sacrificed having a guest on my podcast.

Carole Theriault

Do you want to know what my stipend is per day for just the civic duty beauty because they do give you a little wonga for the—

Graham Cluley

Oh, they pay you?

Carole Theriault

Yeah, they pay you. You ready?

Graham Cluley

Okay.

Carole Theriault

£32 a day.

Graham Cluley

£32 a day just for sitting on your ass?

Carole Theriault

My ass.

Graham Cluley

Eating sandwiches?

Carole Theriault

You don't eat sandwiches.

Graham Cluley

You don't get your sushi out?

Carole Theriault

You don't sit there eating popcorn in the court. Chopsticks. Dropped my fork, sir.

Graham Cluley

You got your pot noodle, you fill it up with your kettle. Sorry about this. Got your percolator.

Carole Theriault

Oh my God. Just hold on a second. Oh my God. Okay, but we digress.

Graham Cluley

Anyway, you're absolutely right. So this isn't software which Tesla themselves use. It looks like this is an open source project. Someone wrote something which they thought would be handy. They shoved it up on the internet.

Carole Theriault

People thought cool.

Graham Cluley

Other people download it and they looked at the source code or whatever. Well, some people did. Presumably David Colombo looked at the source code and he found a vulnerability which meant he could get hold of other people's details and credentials in order to access their cars. Now, Colombo says, with this power, he isn't able to intervene and interfere with someone's driving, but—

Carole Theriault

It's only a matter of time.

Graham Cluley

So, he can't meddle with your steering, your acceleration, he can't hit the brakes, but he can tell the Tesla to start playing music at maximum volume or flash its lights or unlock the car. Or like we said, spy on people remotely.

Carole Theriault

You see, I would just want to know if I had that app.

Graham Cluley

Yeah.

Carole Theriault

Right? I have 15 apps from my Tesla. I need to know which one I need to dump. Well, you just don't drive till they sort it out. I don't know.

Graham Cluley

Or just don't use the app, you know, uninstall the app.

Carole Theriault

Yeah, but you don't know which app it is.

Graham Cluley

Right. And you don't know whether your data might be up in the cloud somewhere. And maybe just deleting the app doesn't actually fix the problem. Yeah.

Carole Theriault

This is annoying for Tesla owners.

Graham Cluley

Well. David Colombo wanted to warn people. You can tell that because if you go to his Twitter account, he says, is there any way to get the email address of a Tesla account when you have the vehicle ID, the serial number, or the VIN of the vehicle? Now, I imagine he's asking that because he does have access to the vehicle ID and the serial number. He wants to reach out to people and say, oi, I've been able to access your car and maybe you should stop using this app. But it looks like he isn't able to do that with just that information. So he, I believe, was desperately trying to find a way to inform the vulnerable drivers. He couldn't do it. So he's told Tesla and he's told the developer of this third-party app. But maybe, and I was thinking about this, maybe there's another way in which he could have warned people. Because if he can take over the stereo, maybe he could play a tune or something telling people their car was insecure.

Carole Theriault

Hello, this is your Tesla speaking. You have been using an app that means I can be remotely hijacked. Delete the app. Delete. Delete. Yeah.

Graham Cluley

Or take over the flashlight or flash a message in Morse code.

Carole Theriault

In Morse code. Or the horn.

Graham Cluley

The horn.

Carole Theriault

He could do a horn Morse code. Right.

Graham Cluley

Or, and I thought this was genius, he could send a direction remotely to the sat nav telling the car, because these are cars which are able to drive themselves, right, to reroute and go to a billboard telling them about their vulnerability. Wouldn't that be cool?

Carole Theriault

Yeah, because he can totally get billboards up across the world in all the appropriate countries.

Graham Cluley

If anyone could do that, Colombo could.

Carole Theriault

Okay, you might be confounding the Columbos here. So interesting story, there seems to be— I wonder why he didn't go to Tesla right away, because Tesla would of course have access to all the information of all the drivers. They may be able to go, we can pinpoint who is running this app. We can maybe get involved in disabling the app.

Graham Cluley

He has reached out to Tesla. And it's unclear exactly what they've done so far. But hopefully, in the short term, something will occur. But at the moment, it looks like this particular app has been made available, is configured incorrectly, insecurely, which means that people are leaking their details.

Carole Theriault

Yeah, the joys and pains of having a flash car. Well, exactly. That's why you shouldn't have a flash car. With my two little feets.

Graham Cluley

Okay, your Fiats. Carole, we don't have a guest this week because, well, for the reasons we've already explained. So what's your story?

Carole Theriault

Ah, Graham, you beautiful bastard.

Graham Cluley

I beg your pardon. What?

Carole Theriault

This is how YouTube personality Philip DeFranco addresses his 6-point-something million subscribers. Now, I've never listened to him until I just started doing research for this show. And honestly, I'm not sure his daily YouTube output is for me. I mean, he's in the gaming world through and through, someone might be in the security world or the pest control world, right? And I don't know if he's got himself sped up or not, but you might want to check this out, listeners. For me, he was just going, you know, that's how they all talk, Carole, on YouTube. It's really fast and furious, right?

Graham Cluley

Vin Diesel. Yeah.

Carole Theriault

Sup, you beautiful bastards! Welcome back to the Philip DeFranco Show. It is Monday. Val Garcia, the CEO of the program, saying Philip DeFranco is just one of the many celeb YouTubers who are complaining about something. And this is not about the shedload of celebrity NFTs that have been recently hitting the market. Have you seen that?

Graham Cluley

Do you know who did one? Garry Kasparov.

Carole Theriault

Wow, you must be feeling weird.

Graham Cluley

I feel very conflicted. Friend of the show, Garry Kasparov.

Carole Theriault

Do you know what though, in this new world, I think it's okay not to love every single element of a person, you know? You can just go, I don't agree with that, but Garry's still my buddy, right?

Graham Cluley

Okay, yeah, yeah. And then you've got Snoop Dogg, okay, who's not a friend of the show. It's called A Journey with the Dog, right? Right.

Carole Theriault

Or a photo from your socials and then slapped it up as an NFT for sale.

Graham Cluley

Well, isn't that exactly what Mark Stockley did at the end of last year? He took a photo of both of us.

Carole Theriault

Right, exactly. Did we say, yes, you can use our faces?

Graham Cluley

No, no.

Carole Theriault

If someone goes and buys that for 10 million whatever coins, are we getting a cut of that?

Graham Cluley

I'm pretty sure no one paid any money for it, but yes.

Carole Theriault

Well, people buy a lot of weird shit in this world. You never know. Happening to other people, right? So some person or persons decided that a really great NFT would be today's hot gaming YouTubers. So without their consent, these YouTube gamers have had their likeness stolen and turned into an NFT where they don't profit.

Graham Cluley

Okay.

Carole Theriault

Now these NFTs were slapped up for auction on OpenSea, one of the NFT trading platforms. And get this, you know what the link is for this NFT?

Graham Cluley

No, I don't.

Carole Theriault

The unique URL is actually the blasted YouTube channel where these gamers go on about their forays into—

Graham Cluley

The blasted YouTube channel? What do you mean the YouTube channel?

Carole Theriault

To the YouTube channel.

Graham Cluley

Oh, I thought that's the name of a YouTube channel. I'm sorry.

Carole Theriault

No, no, no. So that is your asset, the YouTube channel.

Graham Cluley

So if I had a YouTube channel called Unmentionable Nonsense, I would go to OpenSea and the Unmentionable Nonsense URL would be of some swine selling an NFT of me talking or screenshot of me from my YouTube channel. Well, you would see the picture first, right? You would see the card if you want. I try not to think of Trumps, but yes.

Carole Theriault

Okay. And then if you clicked on it, you would maybe go, sometimes it goes

Graham Cluley

Okay.

Carole Theriault

to just a page, a web URL with a JPEG on it. Now, these celeb YouTube folk in the gamey world are not best pleased with this situation, right? So we've got YouTuber James Stephanie Sterling and Catacaris. And in this case it goes to the YouTube channel of the actual YouTuber. They've been tweeting their disapproval. One wrote, "At least, at least if you stole my shit and tried to sell it off, make it a t-shirt, a mug, a clock, a thing that you can use and enjoy. Shilling off a profile picture for a collection you can just make yourself on Facebook photo albums, honestly, a new level of pathetic."

Graham Cluley

Well, I didn't know that they were stealing YouTubers' shit and putting it up on NFT, but I suppose that is the natural progression of things. We did have that woman who reportedly was bottling her farts, didn't we?

Carole Theriault

Yes, we didn't talk about her. Do you want to?

Graham Cluley

Well, actually, I think it's been debunked.

Carole Theriault

Really?

Graham Cluley

I will put a link in the show notes. Friend of the show, Chris Stokel-Walker, he wrote a piece all about it. He looked into the farts in the bottles NFT story quite closely.

Carole Theriault

And it turns out it was a bunch of hot air.

Graham Cluley

I will put a link in the show notes. It's a good bit of reporting by him. Okay, excellent. I would love to read that.

Carole Theriault

She is a writer for a video game developed by Sony Santa Monica Studio and a personality in the gaming YouTube media space. And according to Pedestrian TV, someone apparently used a photo of her without her permission to make an NFT with a trademarked porn logo. Oh, so she's young, she's cute, and they've kind of sexed her up or something and without her permission.

Graham Cluley

That's really bad.

Carole Theriault

Yeah. And on Sunday, she said on Twitter that she'd been informed that a porn site had used a photo of her to make an NFT with their trademarked logo to profit off it.

Graham Cluley

Right.

Carole Theriault

And she says they never asked for any permission. And she claims— this is where it kills me— she explains that the photo was a picture taken to promote her position as an award presenter for a prestigious gaming awards ceremony. Now, can you imagine your head, right, from a photo from an awards event, right, where you're accepting an award or going to give out an award cropped onto a nude adult pic?

Graham Cluley

My head has been pasted onto pornographic images before.

Carole Theriault

What?

Graham Cluley

Oh yeah.

Carole Theriault

By you?

Graham Cluley

No, not by me. No, no, no, no, no, no. By some sort of troll on Facebook. Someone wanted to, it was, it was most unpleasant actually.

Carole Theriault

All right, you weren't given, you weren't given a six-pack and a few biceps?

Graham Cluley

Well, no, no, no, that was unpleasant. It was that, that I don't want to put everyone off their breakfast frankly by describing what else was in there.

Carole Theriault

Yes, no, please stop, please stop, please stop. I once had a picture of me receiving an award, and one of my fastenings for the area was undone. So basically, I had my pants on show. Mortifying.

Graham Cluley

So was this real? Or was this done with Photoshop? Oh, I see.

Carole Theriault

No, no, really.

Graham Cluley

Yeah, right.

Carole Theriault

I'm just saying when one gets awards sometimes—

Graham Cluley

Check whether everything's done up.

Carole Theriault

Check your zips.

Graham Cluley

Right.

Carole Theriault

Tuck in your shirt, check your zip. So the online marketplace is OpenSea, right? They now say they're worth $13.3 billion following a new investment of $300 million. So they're making wonga.

Graham Cluley

So they're doing nicely out of it. Is there any way to sort of complain to them? So if you see that something which belongs to you, such as your brand, for instance, is being abused on the site, can you complain to them and get the listing taken down?

Carole Theriault

My understanding, right from looking at this stuff, is NFTs are really, really unregulated and there are no real protections. We've talked before about, you know, people taking people's faces, do I have to copyright my voice and my likeness to have a legal leg to stand on? In other worlds, that doesn't happen. If someone took my face and put it on a billboard without my consent, there are places I can go to complain about that. But what do you do in the NFT world? So The Gamer who covered this story asked OpenSea for comment about all this NFT malarkey, and they published this reply. OpenSea supports an open and creative ecosystem in which people have greater freedom and ownership over digital items of all kinds. One of our operating principles is to support creators and their audiences by deterring theft and plagiarism on our platform. Good, you're thinking, right?

Graham Cluley

Yeah, yeah, yeah.

Carole Theriault

To that end, it is against our policy to sell NFTs using plagiarized content, which we regularly enforce in various ways. Including delisting and in some instances banning accounts, as was the case in this instance where Alana Pearce's face was put on with a porn name.

Graham Cluley

Right.

Carole Theriault

So they've banned that account apparently. And we are actively expanding our efforts across customer support, trust and safety. And so as people are slamming up gazillions of NFTs to try to make a quick buck, they are saying, don't worry, we've got the manpower to manage this and we're ramping it up because, hey, we just got some funding.

Graham Cluley

Of course they've got the manpower. Of course they have. Yeah.

Carole Theriault

Have we not learned from Facebook that that's really, really hard to do?

Graham Cluley

And actually, anyway, or if there's no incentive for the company really to do it properly and put the resources behind it, which is probably the case with Facebook. Yeah.

Carole Theriault

Yeah. Now, at the time of writing, Alana Pearce has had her images removed from OpenSea, although the other ones that we've mentioned are still up there for purchase. So that quote could either be hot air or they better put their money where their mouth is, right? And up their game.

Graham Cluley

To sum up, are you suggesting that the internet has let us down again?

Carole Theriault

Listen, you beautiful bastard. Okay, I'll never call you that again. Okay? Never.

Graham Cluley

Never. Start the year off right with 1Password University. Our chums at 1Password have always been about helping you stay protected, private, and productive, whether you use its password manager or not. With 1Password University, they are putting their many years of security expertise to work, creating fun, dynamic, and free learning resources for people of all skill levels. So start off 2022 right and learn how to make the most of your 1Password account features, find out how to build a culture of security in your workplace, or discover why reusing the same password across multiple accounts puts you at risk. Learn at your own pace and discover how to form an entire ecosystem of tools and tactics that can help you stay safe on the internet. Whether you're a business leader or a home user, 1Password University has a free course for you. Go on, check it out now. Find out more. Try 1Password University for free at www.smashingsecurity.com/university.

Carole Theriault

We are also sponsored by Uptycs. Uptycs is a cloud-native security analytics platform built to protect the modern attack surface. Uptycs zeros in on blind spots that are preventing you from identifying and responding to existing threats and vulnerabilities in your ecosystem. Plus, Uptycs normalizes telemetry across macOS, Linux, and Windows, and containers, records system activity for historical investigation even when no alert has fired, and enables you to build complex custom detections. In short, Uptycs provides observability across both cloud workloads and endpoints in a single centralized platform. Visit smashingsecurity.com/uptycs. That's U-P-T-Y-C-S to learn more about its cloud-native security analytics platform. And thanks to Uptycs for sponsoring the show.

Graham Cluley

And welcome back. Can you join us for our favorite part of the show? The part of the show that we like to call Pick of the Week.

Carole Theriault

Pick of the Week.

Graham Cluley

Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.

Carole Theriault

Better not be.

Graham Cluley

I was hoping if I said that quickly enough, I might sound like that YouTuber. Is he faster than that?

Carole Theriault

Way faster. You have to go watch him and just see. I just—

Graham Cluley

Okay. Well, my pick of the week this week is not security related. My pick of the week is a rather handy website. Carole, I would like you to open a browser and maybe listeners at home, if you're not currently driving or controlling a lawnmower, and go to a website called cleanup.pictures. Cleanup is all one word.

Carole Theriault

Yeah, cleanup.pictures.

Graham Cluley

Mm-hmm. Okay.

Carole Theriault

I'm there.

Graham Cluley

This is a very clever little tool which allows you to upload an image, a photograph, for instance. Maybe you've had your photograph taken at a wedding and your Uncle Arthur is there and you don't like your Uncle Arthur and you feel that he's ruined the picture or he's photobombed it or something like that. Maybe you'd like to take him out of the picture. Well, with cleanup.pictures, you can do that easily.

Carole Theriault

Have you tried this?

Graham Cluley

Yes, I've tried it. You try it right now.

Carole Theriault

Okay.

Graham Cluley

There's some examples there. If you choose one of those images.

Carole Theriault

Oh, right, right. Okay. Good idea. And I've got a brush size and I want to remove something. So I just—

Graham Cluley

That's right. So what you're doing is you are just doodling over the thing which you want to remove. And via the power of artificial intelligence, and maybe some additional assistance from a big technology company.

Carole Theriault

Oh.

Graham Cluley

What you will find is it does a pretty darn good job of filling it in with whatever should have been there instead. And in my testing, it does it really well.

Carole Theriault

Okay. Yeah, that's not bad.

Graham Cluley

Can you describe what you've done?

Carole Theriault

I've chosen a running shoe, right? So.

Graham Cluley

Oh, okay.

Carole Theriault

Right. I've started a shoe and I'm going to get rid of the laces. I'm just going to try and do. So I'm just zigzagging across the laces on the shoe with this eraser brush.

Graham Cluley

It's magic. I did that one. I got rid of the label, the brand. Oh, that's what—

Carole Theriault

The laces have disappeared. Huh. Have you done this with two faces? Because that would be interesting. Okay, I'm gonna get rid I imagine people who've maybe had a really nice picture of themselves, but they're next to their jerky ex, right? You just want to erase them out of the pic.

Graham Cluley

Hang on, let me just— let me just find a picture of you and me. Let's see. Graham and Carole. Here it is.

Carole Theriault

of the brand.

Graham Cluley

Okay. I've got a picture. I'm uploading it into here.

Carole Theriault

Take your time. It's not like I've got to go to court today.

Graham Cluley

Yeah. Yeah. Yeah. Right. Okay. Okay. I'm uploading it. Here we both are. I'm going to see if I can erase you.

Carole Theriault

Oh, I really thought maybe he'll erase himself.

Graham Cluley

Sitting on some steps.

Carole Theriault

Oh my God. It's the only picture we took together. It was 15 years old.

Graham Cluley

Okay. It looks like I'm sitting next to a ghost after I've removed it. It looks like this. It didn't work that brilliantly on that particular picture. But what happens if I remove my head? Okay. It looks like something from a David Cronenberg movie now.

Carole Theriault

It's like if I die first,

Graham Cluley

I've just removed my head.

Carole Theriault

that's what I'll do. Okay, so maybe your sales pitch wasn't that great. Maybe it's not so good at removing people from a picture, but maybe just tiny items. I'll just haunt you.

Graham Cluley

No, no, no. It's very clever. It's very, very clever. I think it's worked quite well.

Carole Theriault

I think it'd be fun.

Graham Cluley

Yeah. I think people should check it out because certainly there are times when you need an image, but you need to change it slightly and you may not have the Photoshop prowess. And so you might want to use a tool like this. So check out cleanup.pictures. And that is my pick of the week.

Carole Theriault

Hey, and listeners, celebrate that it's not a board game, you know.

Graham Cluley

Oh, nice.

Carole Theriault

No, it's quite cool. Well done, Graham.

Graham Cluley

Carole, what's your pick of the week?

Carole Theriault

Well, mine is also a kind of time waster because it turns out when you do civic duty, there is a lot of waiting around.

Graham Cluley

Right. Right.

Carole Theriault

Right? So I somehow landed on this drawing, I don't know, project, a bit like Pictionary. Someone gives you a word and you have to try and draw it, but you're trying to get an AI to guess what you're drawing. And you only have 20 seconds to pull it together. Graham, I think you've done one.

Graham Cluley

I have. I'm going to actually play it right now.

Carole Theriault

Okay.

Graham Cluley

All right. So here I'm at quickdraw.withgoogle.com. Let's draw, it says. All right, let's do it. Draw a fireplace in under 20 seconds, it says. Okay, so let's try this. So I'm going to draw a little square here.

Carole Theriault

Square or door or hat or sandwich or—

Graham Cluley

It's not a sandwich.

Carole Theriault

I see computer.

Graham Cluley

Computer. Dishwasher or truck.

Carole Theriault

What? Fire truck. Put the flames in the middle. Or fire hydrant or lantern.

Graham Cluley

Oh.

Carole Theriault

I have no clue what you're drawing. It had no clue what I was drawing. Sorry, I couldn't get it. I see square or cherry.

Graham Cluley

Oh, I know it's purse. It got it.

Carole Theriault

Hey, there you go. You drew a square with a handle. Well done.

Graham Cluley

So it's quite clever, this, isn't it?

Carole Theriault

Yes, it does attack you with words, as you can hear, right? It attacks as you go, which kind of can put you off your flow a bit. And it might be easier, I think, if you find this difficult, just mute the sound. Then you can just do it within the time frame without it going, it's a purse, it's a plane, it's a Superman, it's a, you know.

Graham Cluley

So what are they doing with this data? Because it's Google, you do have to think that this might be some plan to sort of take over the planet and destroy all the humans, don't you?

Carole Theriault

Yeah, I had reached my boredom threshold maxed out, so I then decided I'm fine with it. Turns out that's how they get you to do anything in the world. Okay. So, you know, if it sounds like your thing and you're interested in seeing how an AI can recognize what you draw, check out Quickdraw.

Graham Cluley

Quickdraw.withgoogle.com.

Carole Theriault

And that is my pick of the week.

Graham Cluley

So one of the things I find interesting about this is if you go to quickdraw.withgoogle.com/data, they talk about the 50 million drawings which they've collected. And they have all these words and you can click on, for instance, hot dog, and you can see 160,000 hot dogs drawn by real people. And they've open sourced this. So if other people want to view what people have drawn for different words, it's quite interesting. Do you know what? I missed that little data link. Yeah. Anyway, it's kind of cool. Even if you don't want to play, it's kind of cool to look at the data. Right. So no elephants this week. That's a relief for me, at least. And it's just about time. That about wraps up the show. You can follow us on Twitter @SmashinSecurity, no G, Twitter doesn't allow us to have a G, and we're also on Reddit in the Smashing Security subreddit. And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps such as Spotify, Overcast, and Apple Podcasts.

Carole Theriault

And high five to our episode sponsors, 1Password and Uptycs, and of course to our wonderful Patreon community. It's thanks to you all that this show is free. For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 257 episodes, check out smashingsecurity.com.

Graham Cluley

Until next time, when maybe we'll have a guest. Carole, do you think your jury service will be over?

Carole Theriault

My toes and fingers are crossed, although that won't make walking very easy, but yes.

Graham Cluley

Until next time, cheerio. Bye-bye, bye.

EPISODE DESCRIPTION:

Carole's still on jury service, but the show must go on! We take a look at how some Tesla owners are at risk of having their expensive cars remotely hijacked, and why YouTubers are up in arms over NFTs.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault.

Visit https://www.smashingsecurity.com/258 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.
