This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley
Newsflash!
Mark Stockley
Newsflash!
Unknown
Smashing Security has made it to the finals of the European Security Blogger Awards. If you can be arsed, please go to smashingsecurity.com/vote and vote for your favorite security podcast. So don't delay or I'll electrocute your eardrums. That's smashingsecurity.com/vote. Now, on with the show. Smashing Security, Episode 276: Webcam Extortion, Michael Phish, and Food Foul-ups with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 276. My name is Graham Cluley.
Carole Theriault
And I'm Carole Theriault.
Graham Cluley
And this week on the show, Carole, we got someone who's returning to the show, a popular VIP.
Carole Theriault
No, it's me.
Mark Stockley
It's not them. It's me.
Graham Cluley
Oh, I read it as Maria. It actually says Mark. Mark Stockley. Hello, Mark.
Carole Theriault
Hi.
Graham Cluley
Thank you for joining us on the show again.
Mark Stockley
Thanks for having me back.
Graham Cluley
On the possibly award-winning show again, because we have won awards in the past and we're now up for another award. It's the EU Security Bloggers Awards.
Mark Stockley
Oh, that's high prestige.
Graham Cluley
They're coming up in June. There is an opportunity for the audience to vote as well.
Carole Theriault
What, our listeners, you mean?
Graham Cluley
Our listeners. Our listeners can vote if they wish for their favorite cybersecurity podcast. Sadly, Sticky Pickles isn't listed as one of the nominations this year. They were last year, of course.
Mark Stockley
Weren't you listed as one of the top cybersecurity blogs last year as well?
Graham Cluley
Oh yeah, we— oh, well, actually, Mark, funny you should say that, 'cause this year we are once again one of the top cybersecurity blogs as well as one of the top podcasts. So if people want to vote for us as one of their favorite cybersecurity blogs. That's great. We'd rather have the vote for the podcast though.
Mark Stockley
I think it would be hilarious if you won the blog category and you didn't win the podcast category. Come on, come on listeners, we can make this happen.
Graham Cluley
The way to vote, the way to vote is to just go to smashingsecurity.com/vote and that will redirect you to an awfully long Google Docs link where you can tell the organizers what your favorites are.
Carole Theriault
Yeah, obviously say us,
Graham Cluley
Yeah, obviously. Yeah. Otherwise you're dead to us.
Carole Theriault
No, not to me. Shall we get on with the show? And let's thank this week's sponsors, Collide, Rumble, and Good Access. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got? dudes, you know.
Graham Cluley
I've got Michael Fish.
Carole Theriault
Am I supposed to know who that is?
Graham Cluley
We'll discuss that.
Carole Theriault
Okay. Mark, what about you?
Mark Stockley
I've got a story about all your worst fears coming true.
Carole Theriault
Oh, sounds hilarious. And I enter the world of food production. All this and much more coming up on this episode of Smashing Security.
Graham Cluley
Now, chums, chums, talking about all your worst fears coming true, you do know who Michael Fish is, don't you?
Carole Theriault
I don't think I do.
Mark Stockley
I know who Michael Fish is.
Graham Cluley
Of course you do. Everyone in Britain knows who Michael Fish is because for 30 years he was one of our most famous weathermen. Appearing on our television screens in a series of horrendous jumpers. But he became something of a celebrity for— What's your problem with jumpers?
Carole Theriault
What kind of jumpers?
Graham Cluley
Oh, well, these were quite, you know—
Carole Theriault
Colourful?
Graham Cluley
Colourful.
Carole Theriault
Good?
Graham Cluley
Just wasn't very much of a sex symbol. It's strange though, because he did have a punk group in 1985 who wrote a song called 'I Wish I Wish He Was Like Michael Fish'.
Mark Stockley
I wish, I wish he was like Michael Fish.
Carole Theriault
Michael Fish, Fish!
Graham Cluley
Rachel and Nikki sang that. You may remember Rachel and Nikki.
Carole Theriault
No.
Mark Stockley
John Kettley had a song as well, didn't he?
Graham Cluley
John Kettley was a weatherman. That's right. And so is Michael Fish. And so is Iain McCaskill. But yes, that's right. That was an even more popular song. Michael Fish's forecasts have even been sampled by The Prodigy.
Carole Theriault
Oh, really?
Graham Cluley
Yes. But none of this means anything to anyone outside of Britain because you don't know who Michael Fish is.
Graham Cluley
So you might be thinking, Graham, Graham, why are you talking about Michael Fish? Well, even if you're not British, you might know a Michael Fish. Maybe you were a student at the State University of New York at Plattsburgh, maybe between 2016 and 2019, because there was a guy there studying law called Michael Fish.
Carole Theriault
What, with the exact same name?
Graham Cluley
By the way, yes.
Mark Stockley
How is that possible?
Graham Cluley
I can't believe it.
Mark Stockley
I can't believe it.
Graham Cluley
Not spelt with a PH. He was a Michael F-Fish. A proper F fish.
Mark Stockley
Like fish.
Carole Theriault
Swimming in the water.
Graham Cluley
Just like, yes, actually coincidentally, spelt the same as fish you encounter in the sea. Now, Michael had a problem.
Mark Stockley
Was it jumpers?
Graham Cluley
Not just jumpers. No, Michael had a problem. This is Michael at the university now. We've moved on from the weatherman.
Mark Stockley
Okay, but he's got the same name, so it's very confusing.
Graham Cluley
It is confusing. I'm going to try and clarify throughout the story.
Carole Theriault
Can we just say 1 and 2? Number 1 and number 2?
Graham Cluley
I don't think there would be a lot of arguments as to which one was number 1 and which one was number 2. Michael Fish had a problem. He liked the ladies. Oh, it can be a tremendous, horrible problem, that one, can't it? Liking the ladies and wanting, for whatever reason, to occasionally have a little peek at the ladies, have a little look at the ladies. Maybe he had a girlfriend, maybe that wasn't quite enough for him, maybe he wanted to look at other ladies as well. I don't know, but—
Carole Theriault
What are you saying, he looked at porn and that's the problem?
Graham Cluley
Well, that's one of the solutions, Carole. If you are someone who likes to engage in the male gaze, then you might find different ways to— I don't know what that means. It's an artistic term. We like to look at the ladies. Now, there's different ways of handling this problem, right?
Mark Stockley
If you want—
Graham Cluley
If you want to look at ladies' boobs and their other bits, what are you going to do? What are you going to do? Carole, I'll ask you first. I don't know how interested you are in ladies' boobs and bits.
Carole Theriault
Well, you know, I'm a girl from the '70s, so I'd buy a mag.
Graham Cluley
Old school. I thought you were going to say you could just look at yourself and that would be satisfaction enough. But you'd actually go down to the newsagent and buy yourself a mag. Mark, would you go onto the internet rather than buying a jazz mag?
Mark Stockley
Well, I have heard that there is pornography available on the internet. Right, okay.
Graham Cluley
Well, he didn't do any of those things. He didn't even make a PowerPoint presentation to convince young women to reveal all to them, which is a technique I can tell you.
Carole Theriault
That works, does it?
Graham Cluley
Well, it hasn't worked yet. Hasn't worked yet. But I'm hoping at some point they'll be impressed with my clipart enough.
Mark Stockley
Do you think that that is because you haven't— you just haven't put the right slides together?
Graham Cluley
I think I haven't got the right builds. That's what I think it is. The right transitions. Something like that. If I really convinced— I mean, because we're told PowerPoint presentations can sell anything, aren't we? So why can't they sell the idea of, you know, a woman—
Carole Theriault
This conversation is going crazy.
Graham Cluley
Anyway, so what he did instead of all of those very reasonable ideas—
Carole Theriault
Michael Fish at the university.
Graham Cluley
Michael Fish. What he did was he hacked into the accounts of some of his classmates.
Carole Theriault
Okay.
Graham Cluley
Now, it wasn't any old classmates. It was just the female ones. So he very cleverly targeted just the ones he was interested in.
Carole Theriault
That's who we're talking about. Like accounts, like their math accounts or like—
Graham Cluley
Their email accounts.
Carole Theriault
Oh, right. Okay. Their email accounts.
Graham Cluley
Which presumably weren't protected by multifactor authentication. I don't know. I've— trust me, I've dug deep into this story. As you know, I always do a lot of research. I don't know if Michael Fish phished these guys to get their account details. I don't know how he did it. I don't know if he used malware.
Mark Stockley
But if he had, you'd love it.
Graham Cluley
I would love it.
Mark Stockley
You would love it, wouldn't you?
Carole Theriault
He could have tried 12345, right?
Graham Cluley
He could have done that. He could have got the common passwords off the internet. Could have used a password cracker, maybe. He might have written a PowerPoint presentation where he said, "People, I'm doing research into people's passwords. Please tell me your password." I don't know what he did.
Carole Theriault
So wait, so he's cracking into email for what reason?
Graham Cluley
Well—
Mark Stockley
Guess.
Carole Theriault
As a password, maybe. To look at— 'Cause I keep loads of nude pictures of myself in my email.
Graham Cluley
Of course.
Carole Theriault
Because that's what one does, right?
Graham Cluley
We all do that. We've all got lots of pictures of you in our email, Carole. As backups, in case you ever lose yours. So, Michael Fish, not the weatherman. The weatherman never did this. I have heard he's very litigious.
Carole Theriault
He just wears weird jumpers, according to you.
Graham Cluley
He broke into the accounts of over 100 female students. And once he had access to their accounts, he was able to get into their other accounts, their other online accounts, their social media accounts. And he was able to scoop up nude photos and movies of these young women.
Carole Theriault
Do they really keep that stuff on their social media accounts?
Graham Cluley
Well—
Carole Theriault
It just seems a bit weird to me.
Mark Stockley
I understand that direct messaging of pictures is a thing that the young people do.
Graham Cluley
Yeah. And also, some services might be backing up their photographs from their cameras as well. And if they gained access to those online accounts, they might be able to access them that way. So, all kinds of ghastliness there. So, he's scooping up nude photos and movies. I mean, that's ghastly really, isn't it? Imagine knowing that Michael Fish, not the weatherman, everyone would be completely comfortable with that. Imagine that Michael Fish had seen your private snaps.
Carole Theriault
Oh, no one knows who Michael Fish is. It's not like he's the hero of the university, presumably, or the college, or whatever we're talking about.
Graham Cluley
So which Michael Fish are you saying nobody knows?
Mark Stockley
I bet they know who he is now.
Graham Cluley
So no, but Carole, if you just knew someone had seen your photos, that would be horrible, wouldn't it? So what did he do, right? He got this stash of nudes.
Mark Stockley
What's the first thing you think he does? Can we skip to the second thing that he does?
Carole Theriault
After the first thing—
Graham Cluley
After the first thing, which he then repeats several times.
Carole Theriault
He makes what, a website, a gallery for them all, for him to enjoy in his own private time. Am I close?
Graham Cluley
You're so close, but not quite.
Carole Theriault
Okay.
Graham Cluley
So obviously he did the obvious thing quite a lot, I imagine. And then he started trading the pictures with other people.
Carole Theriault
What is he, 12?
Graham Cluley
It's like Pokémon cards. Or collecting butterflies. No, he's not 12. He's in his 20s.
Mark Stockley
So yeah, he's 12, basically.
Graham Cluley
Yeah, he's mentally 12. And what's more, he got out his copy of Photoshop.
Mark Stockley
I was very worried there for a second.
Graham Cluley
He pulled out a copy of Photoshop and he created a collage.
Carole Theriault
An obsession wall.
Graham Cluley
Well, well.
Carole Theriault
Oh my God, he's a—
Graham Cluley
He took the photos, he made collages where he put the sexual images, the ones with the nudie stuff, alongside the innocuous graduation photographs of these young women. He labeled each one with their full name.
Carole Theriault
Nice, nice. This guy's twisted.
Graham Cluley
Exactly. And he shared those collections with other people who were appreciative of collages, including a chap called Nicholas Faber, who was sentenced last August to 3 years in prison.
Mark Stockley
So at some point, he's got a magazine. And in the magazine, he's found an article called something like, "Are you a psychopath?" And then there's a list of tick boxes that you have to go through.
Graham Cluley
Yeah.
Mark Stockley
And he's just working his way down through the tick boxes. And he's now at number 15. He's just, tick, tick, tick, tick, tick, tick, tick, tick, tick, tick. Okay, if he blows up, what's he gonna do next?
Carole Theriault
We're fucked.
Mark Stockley
Yeah.
Graham Cluley
He.
Mark Stockley
Then he decides to create a physical version of this, where he puts their pictures on the wall and joins them together with pieces of red string. Is that what he's gonna do next, Graham?
Graham Cluley
I think that this is probably the way it was going.
Mark Stockley
Does he start leaving cryptic clues for the police officers who are always half a step behind him?
Graham Cluley
Like the Zodiac Killer.
Mark Stockley
Yes, like the Zodiac Killer.
Carole Theriault
A really nice guy.
Graham Cluley
Yeah.
Carole Theriault
Nice chap.
Mark Stockley
Another upstanding person with an interesting name.
Carole Theriault
Okay, so this little pig, Michael Fish, what happens to him?
Graham Cluley
Well, obviously he was causing some upset, embarrassment, stress, anxiety for any victims who found out that their images were being shared online or shared between these unpleasant people.
Mark Stockley
And probably rage as well, I would imagine.
Graham Cluley
Yeah, I would think so. But, you know, it could haunt you for years, this kind of thing. And they didn't know it was him.
Carole Theriault
They just knew someone had done this. They didn't know it was that Michael Fish who sits behind them in geology.
Graham Cluley
Yes, yes. And so eventually the security breach was discovered and the university spent thousands investigating the scale of the problem. They realized, oh my goodness, there's quite a lot of accounts which have been hacked here. They looked at the computer, the server logs, they reset passwords. It cost them thousands and thousands, and Fish was caught. I don't know exactly how he was caught.
Carole Theriault
Again, excellent research, Graham. I just want to commend you.
Graham Cluley
I haven't been able to find that out. I did do a lot of research into the other Michael Fish, which I think we can appreciate. So he obviously was there before a judge, right? And the case is going forward, and it's like, you've been a very naughty boy. You've done some highly unpleasant stuff.
Carole Theriault
Yeah, yeah, I'm sure that's exactly the words that the judge used. Naughty boy.
Mark Stockley
Yeah, and then the judge said, 'And is that jumper you're wearing made out of human hair?' Exactly.
Carole Theriault
Toenails.
Graham Cluley
Yeah. And, yeah, one of the things that judges like, of course, is they like to look at any mitigating circumstances, you know, whether they need to consider the ethics of the person, you know, what they've contributed to society. And so what Michael Fish did was he sent the judge a letter. In fact, he forged a letter. He forged a letter claiming to come from an aide to a US representative. And this US representative is someone whose election campaign he'd actually volunteered for back in 2016. He took a legitimate, genuine letter which said, oh yeah, he's a good bloke, he worked hard on the campaign, etc., etc. And he augmented the letter.
Carole Theriault
What do you mean augmented?
Graham Cluley
He added bits. He added extra paragraphs saying, even though he's been in a spot of trouble, you know, with the whole nudie picture thing. So he put forward this letter, and of course judges, it turns out, don't like receiving forged letters claiming that you have great integrity. And so he's currently also in a spot of trouble about that as well. He has now been jailed for over 9 years. In addition, after the prison sentence, he's been told he's not going to be allowed to go anywhere near computers for umpteen years. He's also got to pay tens of thousands of dollars to the university as well. But of course, it's all these poor women who still have to live with the knowledge that those photographs could still be circulating in collage form.
Carole Theriault
Well, yeah, that's the stress. The collage.
Mark Stockley
Yeah, okay.
Graham Cluley
I'm not saying that the collage bit is— the fact it was a collage is—
Mark Stockley
At least he didn't make a montage. At least he spared them that.
Graham Cluley
It wasn't macramé.
Carole Theriault
You know what you've done though in your story?
Graham Cluley
What? What have I done?
Carole Theriault
Is that from now on, every time I hear of the real Michael Fish, the weatherman, I will think of this story. And you have basically sullied his name as well.
Graham Cluley
Why don't I—
Carole Theriault
You knit them together.
Graham Cluley
I seem to remember something about Michael Fish, the weatherman, which I wasn't able to find evidence of on Wikipedia. But I—
Carole Theriault
Again, excellent research.
Mark Stockley
Here's a thing I've made up about Michael Fish. Just saying. Hi, Graham. Wouldn't it be funny if Michael Fish—
Graham Cluley
I'm not saying he did anything illegal. I'm just saying he might fuck me. I'm just saying that.
Carole Theriault
What, here's Sheila with her graduation outfit on and all, here are her tits type thing? Okay.
Graham Cluley
No, I'm not. I'm not saying that. And that's because we're up for an award and we'd like you to vote for us and not get us into any legal trouble. So let me say right now, Michael Fish, of all the weathermen, is one of them and a fine, upstanding fellow. Well done, Michael Fish. But not the American student who stole people's photographs.
Graham Cluley
On that note. Mark, what have you got for us this week?
Mark Stockley
I said in the intro, it's your worst fears.
Carole Theriault
Yeah.
Mark Stockley
Maybe not all of you. You're quite well-put-together human beings. Maybe it's not your very worst fear.
Carole Theriault
We just heard of Michael Fish, so, you know.
Mark Stockley
Okay, but yeah. But as we heard in the previous story, and I don't know if you picked up on this, but it turns out that there's pornography on the internet.
Carole Theriault
Dun dun dun!
Graham Cluley
I've looked, never found anything. Never found a single thing. Very disappointing. Massively oversold, the internet.
Mark Stockley
So obviously the reason that we're sort of laughing awkwardly about this is 'cause there's a little bit of cultural stigma attached to the idea of self-pleasure. Unless your name's Michael Fish.
Carole Theriault
Are we going down the masturbation route now?
Mark Stockley
What the heck's going on with this show? Well, I was— I used the words self-pleasure. We all know what you mean.
Graham Cluley
You're talking about wanking. Okay, yes, yes, that's where we're going.
Mark Stockley
We are on Route 1 to Wankville. Okay? Strap in.
Graham Cluley
Just remember, this is the episode where we're encouraging people to vote for us.
Mark Stockley
Yeah.
Graham Cluley
Carry on.
Mark Stockley
Anyway, so, as you may have noticed, there's a bit of stigma attached to this act. And you're not the only one who's noticed, 'cause cybercriminals have noticed this as well. And one of the very simple and extremely popular ways that they have of making money from this sense of shame is that they will occasionally send people emails saying something like, I've got full control of your device and I've made a video of you watching porn. And when I say watching porn, obviously they don't just mean watching. They mean joining in enthusiastically, hand actions, audience participation, all that stuff. And then they threaten to send the video to all of your friends unless you pay them some money in bitcoin, of course.
Carole Theriault
Can I just say, if anyone threatened to send me a video of either of you doing this, I would not watch on my life. I would rather do anything else than watch that. No offense, I love you both very, very much.
Graham Cluley
No, I am a little bit offended by that, actually.
Carole Theriault
Well, you shouldn't be. Because just— I'm doing it out of respect. Just honestly. Okay, carry on.
Mark Stockley
So what you're saying is I should ask for my bitcoin back?
Carole Theriault
No.
Mark Stockley
So the key thing about these emails, and one of the reasons that they work, is that the criminals will often provide some sort of proof that they do indeed have full control of your device. Such as they might send you the email from your own email address.
Graham Cluley
Oh yes.
Mark Stockley
Or they might include a password that you have used for a website in the email.
Carole Theriault
Aha. So that you basically just shit bricks and then do what they say.
Mark Stockley
Yes. And then send bitcoin. Yeah.
Graham Cluley
But if you don't realise, that's easy to have gathered.
Mark Stockley
Yeah.
Graham Cluley
Or to do.
Mark Stockley
Neither of those two things are actually proof.
Graham Cluley
Yeah.
Mark Stockley
As Graham said, anyone can send you an email from your own address. It's one of the wonders of email. We've only had 50 years to fix it. We're working on it. It's fine.
Carole Theriault
We've got a lot of other things on our plates right now, guys.
Mark Stockley
Yeah, it's been a busy time. The internet, all that stuff.
Graham Cluley
We might fix the climate problem before we actually fix the internet.
Mark Stockley
I don't know. There's absolutely no chance of that, no.
Carole Theriault
Yeah.
Mark Stockley
Anyway, the one thing that they never do, the one thing they would never ever ever do, because they can't, is send you actual proof. So for me, as Carole Theriault was kind of saying, the real proof for me would be send the video.
Carole Theriault
Yeah, or at least a still of it.
Mark Stockley
Yeah.
Carole Theriault
Right? Show me my mug that was on the table at the time.
Mark Stockley
Let's see the O-face. But they're not gonna do that. Because actually, the reason they can't send proof is they don't have any. Because actually breaking into someone's computer and taking over the webcam is much, much harder than just saying— sending an email that says you've done that. But what if it wasn't that hard?
Graham Cluley
Oh.
Mark Stockley
What if a website could turn on your webcam and video you without asking?
Graham Cluley
That would be uncool.
Carole Theriault
It makes me very smug that I don't take my clothes off in front of the computer.
Mark Stockley
Yes. Me too.
Graham Cluley
I think we're all pleased about that, Carole.
Mark Stockley
We're all joined together in a sense of smugness about not doing that. Now, there is an ethical hacker who specializes in browser add-ons. His name is Vladimir Palant. And he's been wondering the same thing. What if a website could turn on your webcam? And he's made some fairly alarming discoveries.
Carole Theriault
Dun dun dun!
Mark Stockley
So his focus is a browser extension called Screencastify, which is— It's just a typically awfully named thing, because everything has to have -ify on the end now. Because we've run out of Rs. 10 years ago, it'd be Screencasterr with an R on the end.
Carole Theriault
Yeah, Tinderrr.
Mark Stockley
There are no Rs left, so Screencastify. And it creates videos, and it's being used by at least 10 million people. We don't know how many people actually use it, because they stop counting at 10 million when you download extensions. So 10 million plus. And there are limits to what you can get browser extensions to do. You know, they're designed so that they can't take over the world. So according to Palant, what Screencastify does is it integrates with its own website in order to add video editing functionality. And that's a problem because it massively increases the number of people and organizations that you've got to trust because you think you're just trusting this browser extension, but actually you're not.
Carole Theriault
So is this a supply chain issue, effectively?
Mark Stockley
It is. It is a supply chain issue, but it's one of those, you know, supply chain is very buzzwordy at the moment, and this is a supply chain issue that is fundamental to the way that the web works. So fixing this is very hard.
Carole Theriault
Right.
Mark Stockley
So the Screencastify website, which integrates with this extension, can send messages to the extension, and those messages include things like start the webcam. And because you grant the extension permission to take pictures when you install it, it doesn't ask you for permission again. So you install it, it asks for permission, you say yes, it remembers that permission forever. So at any moment, the Screencastify website can send a message to your extension saying, turn on your webcam.
Graham Cluley
What?
Mark Stockley
And the video that it takes is saved to your Google Drive.
Graham Cluley
Okay.
Mark Stockley
But you can't use the extension without also giving it access to your Google Drive.
Graham Cluley
Oh boy.
Mark Stockley
So it can start a video recording and then it can snaffle the resulting video from your Google Drive because you've allowed it to do that. Now, that's fine, you say.
Carole Theriault
Yeah, we do say that.
Mark Stockley
Of course we're saying that.
Carole Theriault
Of course they wouldn't.
Mark Stockley
Because you know every individual at that company and you trust them all individually. They're all fine, upstanding people. Screencastify aren't going to just arbitrarily turn on your webcam and video you while you're masturbating.
Carole Theriault
They've all given you a pinky swear to be good guys.
Mark Stockley
So that's all fine. Well, it's not actually that simple. Because as Carole was alluding to, modern websites are kind of collections of stuff from other websites. So the way that you add functionality to a website often is you just pull in some code from the other website and all the pulling in from other websites happens the minute you load a page in your browser. So you're pulling down code from Screencastify, but you're also pulling down code from other places as well. And any code that gets pulled into the Screencastify page also gets permission to trigger this API on the Screencastify website.
Graham Cluley
Okay.
Mark Stockley
The Screencastify website, it includes code from Webflow, Teachable, Atlassian, Netlify, Marketo, and Zendesk.
Carole Theriault
Sorry, can I just give a warning? If anyone feels affected by this and is driving a car right now, could they pull over if they're suddenly losing blood as they realize what might have happened to them? Just carry on. Sorry.
Mark Stockley
So just to recap. The Screencastify website can access your webcam at any time that it likes, but it also includes code from Webflow, Teachable, Atlassian, Netlify, Marketo, and Zendesk, which means they can as well. Yeah, that's fine, you say. Screencastify, Webflow, Teachable, Atlassian, Netlify, Marketo, and Zendesk aren't just going to arbitrarily turn on your webcam and video you while you're masturbating. I know all the people that work at those companies and I trust each one of them individually. They're all fine, upstanding people.
Graham Cluley
It's fine.
Mark Stockley
Well, unfortunately, it's not that simple at all, because the problem is actually bigger than that. So in the words of Vladimir Palant, with such a large attack surface, just meaning all these different websites, exploitable cross-site scripting vulnerabilities are to be expected, and these would give anyone the power to attack Screencastify users. And for anybody that didn't understand that, what that means is if the Screencastify website were discovered to have a particular type of vulnerability on it, that would create a route that allows any website to turn on your webcam without asking. All the crooks would have to do if they discovered this vulnerability is basically set up a trap where you get users to click on a link. And if you get them to click on a link, then their website, a little bit of their code gets included in the Screencastify website code. And because it's inside the Screencastify website code, it gets access to everything the Screencastify website can do. And I don't know if you've noticed, but crooks generally don't have a problem getting people to click on links.
Carole Theriault
Well, I imagine if you're in a hurry in that situation, like say you've got 10 minutes before someone comes home, and you're presented with a number of dialogue boxes before you get to the main event, you would hurry through them, right?
Graham Cluley
10 minutes isn't a hurry, Carole, in this particular scenario. That's a very leisurely—
Carole Theriault
Oh yeah.
Mark Stockley
I imagine that you are correct, Carole, and that a theoretical person put in such a position would probably just hurriedly click through any dialog boxes. Yeah, yeah, yeah. Get me to the pictures. Yeah. Anyway, so I mean, this is theoretical, right? If such a vulnerability were to exist, then any website anyone in the world could video you. And so to prove the point of how bad that would be, Palant actually went and found one of those vulnerabilities.
Graham Cluley
Oh, so there is a vulnerability. This can be done.
Mark Stockley
There was. We bring to you news that the vulnerability which he discovered in February and reported to them has been fixed.
Graham Cluley
Right.
Mark Stockley
And they fixed it, to be fair to them, they fixed it very, very quickly.
Carole Theriault
I bet they frickin' did. Holy moly.
Mark Stockley
But I think the broader picture is, what happens in these situations is somebody like Palant comes along and he goes, what if?
Graham Cluley
Yeah.
Mark Stockley
All he's trying to do is proof of concept. So all he's trying to do is say, it would be bad if there was one of these vulnerabilities. I wonder if I can find one. Because if he can find one, then he's basically made his case in the most persuasive way possible. So he stops as soon— he's not going to find all of them. So there may well be others because he's done what he set out to do. And I will leave you with a quote from his article on this. So the question whether to keep using Screencastify at this point boils down to whether you trust Screencastify, Pendo, Webflow, Teachable, Atlassian, Netlify, Marketo, and Zendesk with access to your webcam and your Google Drive data. And it's all your Google Drive data, by the way, not just the videos dropped by this webcam. And whether you trust all of those parties to keep their web properties free of cross-site scripting vulnerabilities, because actually a cross-site scripting vulnerability in any of those websites would give crooks a route through to your webcam. If not, you should uninstall Screencastify ASAP.
Carole Theriault
It's time to introduce 3M to your webcam, right? Don't you think?
Graham Cluley
Tape it up.
Carole Theriault
Tape it up.
Graham Cluley
And who knows how many other extensions there may be out there? Maybe they don't interact with your webcam, but they might access your Google Drive and maybe could be exploited or what needs to happen about this porn. Obviously, you need to cover your webcam before you go looking at porn and then you can be fairly confident. What you need is some sort of hardware gadget which plugs in via USB combined with a piece of software running. Tape up the camera. I've thought about this quite a lot combined with a piece of software running on your computer which detects erotic imagery on your computer and automatically turns off the webcam physically blocks it because obviously your hands are busy. You can't do it yourself.
Mark Stockley
Like a little robot arm comes out. Yes.
Graham Cluley
A robot arm.
Mark Stockley
Rolls some tape over the window.
Carole Theriault
Sounds good, Graham. TM that.
Graham Cluley
TM that. Carole, what have you got for us this week?
Carole Theriault
Well, I don't even know how to follow these two stories.
Mark Stockley
I think something about masturbation.
Carole Theriault
Graham, we're going to talk to you. So do you mind if I mention to our lovely listeners that you are on a bit of a health kick at the moment?
Graham Cluley
Oh, for God's sake. Now that's going to put the pressure on me to carry on, isn't it?
Carole Theriault
Well, whatever. It's good. Is that not good?
Graham Cluley
Sure.
Carole Theriault
Okay. And can I ask what kind of things you maybe have been doing? High level, high level, right?
Graham Cluley
I've been trying to eat more sensibly. I've been exercise biking, and I've been going for brisk walks.
Carole Theriault
Would you say sensibly means less?
Graham Cluley
What, less food?
Carole Theriault
Yeah.
Graham Cluley
Oh yeah, there's less food. And the food I am eating is the kind of food which allegedly is better for you.
Carole Theriault
Well, can I just say on behalf of the rest of the people on Earth that we thank you for your contribution?
Graham Cluley
Finally.
Carole Theriault
Because it turns out it just might have been super important that you did this. Because you see, there's a threat of a serious global food crisis at the moment.
Graham Cluley
I don't think you can pin that on me, Carole.
Carole Theriault
I'm not pinning it on you. I'm just saying—
Mark Stockley
You sort of, it doesn't sound like you were. You did a bit.
Carole Theriault
Do you know how some supermarkets say every penny counts, right? Or some straplines, it's like that.
Mark Stockley
But particularly Graham's. They count more than everyone else's.
Graham Cluley
Let's leave my pennies out of this, please.
Carole Theriault
Oh my God. So the global food supply is being hammered by a number of things, right? Do you want to name a few that can come off the top of your head?
Graham Cluley
There's a war going on in Ukraine. Right. Ukraine and Russia, 25% of the world's wheat is produced there. So that's a bit of a pickle. Yes.
Carole Theriault
That little pandemic thingy that we're still kind of recovering from.
Graham Cluley
There have been ransomware attacks on some big food supply companies in America in the last year or so.
Carole Theriault
Yes, there have. And the UN estimates that in the past year, global food prices have risen by almost a third, fertilizer by more than half, and oil prices by two-thirds. And this company FoodLogistics say that while this is all horribly bad, there are some silver linings, as in technology is there to save us. So there's things like CAT, which stands for catastrophe modeling, which will help us predict weather conditions so that we can take preventative actions.
Mark Stockley
That's definitely what we should do about global warming. We'll just try and locate the ever smaller patch of livable space as it slowly dwindles and everything else goes crispy.
Carole Theriault
It can monitor conditions to help improve yields, reduced waste. There's also smart agricultural tech that promises to bring more automation, allowing for things like remote monitoring, less human labor, less human error, right? Less effort, more money, yada, yada, yada.
Mark Stockley
Yeah. But just to be clear, these devices that are going to free us up from human error are themselves made by humans, correct?
Carole Theriault
Mm-hmm.
Mark Stockley
Okay. And so these massively giant centralized systems, so instead of having the human error of, let's say, 10,000 separate farms, some of whom may have idiots running them, they're all going to use one piece of tech designed by a human.
Carole Theriault
Mm-hmm.
Mark Stockley
So it's just one system. It's just one big system. What if the human who makes it has an error?
Carole Theriault
Yes. Well, there is a new paper that came out. Researchers at Cambridge University are ringing the alarm bell, saying that using new AI technologies at scale, to Mark's point, holds huge risks that are not being properly considered. Now, as you say, a lot of us are going, oh God, of course that's the case. That's, you know, of course all industries, but there's so many industries out there that have not pulled up their so-called cyber bootstraps, right? And maybe they're excited about the possibilities of high returns, but they're not thinking hard enough about how to safeguard against bad stuff that might come their way. And in this paper, links in the show notes as always, the authors have come up with a catalog of risks that might be considered in the responsible development of AI for agriculture. Sorry, they raised the alarm about cyber attackers potentially causing disruption to commercial farms using AI by poisoning datasets or shutting down sprayers or making sprayers not be able to be shut down or autonomous drones, right? Robotic harvesters. There's so much of this stuff that we're dependent upon.
Mark Stockley
I think it's very important there that when we say drone in the context of farming, what we mean is an American-sized combine harvester.
Carole Theriault
Yeah.
Mark Stockley
Yeah? Yeah.
Carole Theriault
They're huge.
Mark Stockley
The hacker is not taking over your little quadcopter, your little $50 quadcopter. We're talking about a giant human threshing death machine.
Carole Theriault
Mm-hmm. But, you know, you have to also think about the little guys too, right? For example, there's a guy that the BBC was talking to that was trialing an autonomous asparagus harvesting robot, right, called Sprout. And the farmer says, you know, there's a real risk that people anywhere in the world could try and take control of these machines to get them to do whatever those people want or just prevent them from operating. So someone could potentially drive Sprout into a hedge or a ditch or prevent it from working at all. So they say they're working with security researchers to address any vulnerabilities, but I'm imagining there are thousands, nay, tens of thousands of companies that are going, "Hey, food's a big deal. Let's come up with some automatic cool ways and let's race out the door before our competitors."
Graham Cluley
And yeah, who cares about the pen test dudes? And if Sprout can harvest broccoli, maybe it can also harvest humans.
Mark Stockley
Asparagus.
Graham Cluley
If Sprout can harvest asparagus, maybe it can also harvest humans.
Carole Theriault
Yes, Graham, again, really excellent insight. And to your point, Mark, a farmer—
Graham Cluley
That's how Terminator started.
Mark Stockley
With an asparagus picker. Yeah.
Carole Theriault
So you said, Graham, it's not that we've not seen attacks, right, in the industry. Was it— there was the meat processing plant, JBS?
Graham Cluley
JBS, yeah.
Carole Theriault
Yeah. And they had millions of dollars in ransom they paid to resolve the attack. And there was also this top agricultural firm, AGCO, was hit by a ransomware attack that affected production. And that was this month.
Mark Stockley
And the FBI actually put out a warning in the last month or so, saying to the entire agricultural sector, be very, very wary of ransomware attacks in your planting and harvesting seasons. Because they think that the ransomware attackers are— they're basically always looking for more leverage. And if you have a very short time window in which to do some of your most important economic activity, e.g., planting and harvesting, then you're very vulnerable to ransomware. And ransomware attackers are very good at picking the worst moments, so they'll often run the ransomware at night, for example, or at a weekend or on a public holiday, because they've been sat in your computers for months sometimes. So they're just well able to choose, okay, what's the absolute worst moment to attack you, so that your calculation about whether to pay them or not is fraught with urgency.
Carole Theriault
Yeah, and I really feel for the people in this industry at the moment, because they are not necessarily experts in cybersecurity and encryption and all this stuff, right? And they don't necessarily have very strong ties to that community, and yet they're trying to stay alive and produce food. And these are— things are coming to them saying that we can 3x what you produce now, or we can do this and we can do that, and the cost will be way little. And yeah, the Cambridge researchers suggest that ethical hackers should help companies uncover any security failings during the development phase. So, do you think that's enough?
Graham Cluley
Well, that sounds like a good idea, but will an ethical hacker have access to some multi-million-pound tractor of death in order to find out if the vulnerability's there?
Carole Theriault
Yeah, if they do get access to it, then I think that's when they say, "Hello? I got in."
Graham Cluley
Yeah, but you might need one in your backyard to tinker around with it, find out where the problems are.
Carole Theriault
Yeah.
Graham Cluley
Are the companies, are the agricultural companies going to actually bring in ethical hackers and say, "Look, we want you to try and break this. Here you go, here's the equipment, see what you can do."
Carole Theriault
I wonder if government bodies should set up a slush fund for ethical hackers to throttle the tech and uncover issues, right? And that you could kind of run it through that route so that you don't put the onus on these individual farmers or whatever, right, to try and manage this horrible, complicated problem.
Mark Stockley
Yeah, it seems to me that whatever works, it's all of the above, basically.
Carole Theriault
Yeah.
Mark Stockley
Because if food supply isn't a national security issue, then I don't know what is.
Carole Theriault
Yeah, because it's super important to us all. And well, not for Graham right now, but you know.
Mark Stockley
Even if you're a self-interested government, people aren't going to miss too many meals before they start rioting. But we seem to be doomed to repeat the same cycle with each form of new tech. So there's always a gold rush. And my rule of thumb is, if your industry hasn't been absolutely turned over by security problems, just wait, then you probably have all sorts of latent security issues. So there's always a sense of complacency that, okay, well, that hasn't affected us, therefore we're okay. You are simply on the wrong side of that big problem. And you haven't recognized it yet. And I think agriculture is getting there, but it's been through a huge transition in the last 10 years. It's basically gone from dumb devices to smart devices. And that sort of speed, you only do that if you make speed the most important thing. And the easiest thing to miss out when you do that is security, unfortunately.
Graham Cluley
Yes.
Carole Theriault
Well, thank you for that very fun end.
Graham Cluley
Do you know what assets are connected to your network? Most organizations don't. For your security program to be effective, you need an inventory of all your devices so you can make critical decisions fast. Well, Rumble was made by the creator of Metasploit, which explains why it finds many devices that other solutions miss, including orphaned machines running outdated operating systems. Quickly find systems affected by the latest security news. Just think of Log4j, SolarWinds, and Kaspersky. It can even tell you which machines are missing endpoint protection from your local network all the way to the cloud. Sign up for a free trial and build your asset inventory in minutes. Get your trial at rumble.run. That's rumble.run. And thanks to Rumble for supporting the show.
Carole Theriault
So we all know that users these days sometimes have to connect from an unsecured network using any device they have at hand, and companies have no control over the device applications, clouds, and the infrastructure that connects it all together. This rapid shift in online work created security gaps that bad actors use to the full. And most importantly, companies need to emphasize the reduction of risk of a data breach if a user's credentials are stolen. This is why you need to check out GoodAccess. This is a global company based in the Czech Republic with a proven 10-year track record. They are a bunch of security enthusiasts dedicated to delivering anytime, anywhere secure remote access for small and medium-sized businesses worldwide. And this begins with a free GoodAccess starter product for unlimited usage by up to 100 employees. Yes, you heard right, 100 employees. Learn more at smashingsecurity.com/goodaccess. And big thank yous to GoodAccess for sponsoring the show.
Carole Theriault
You can go and find out more. Yeah, run, guys, run.
Carole Theriault
I think you're losing your mind slowly, Clue.
Graham Cluley
Kolide sends employees important, timely, and relevant security recommendations for their Linux and Windows devices right inside Slack. Kolide is perfect for organizations that care deeply about compliance and security, but don't want to get there by locking down devices to the point where they become unusable. So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems. Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. K-o-l-i-d-e. Enter your email when prompted, and you will receive a free Kolide goodie bag after your trial activates. You can try Kolide with all of its features on an unlimited number of devices for free, no credit card required. Try it out at smashingsecurity.com/kolide. That's smashingsecurity.com/k-o-l-i-d-e. And thanks to Kolide for supporting Smashing Security. And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week.
Carole Theriault
Pick of the Week.
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
Carole Theriault
Please don't be.
Graham Cluley
Now, I remember some years ago attending a dinner party with Carole Theriault. And yes, you weren't the host. Someone else was the host. There were a number of us there. And I think maybe the party wasn't quite lively enough for you. You weren't finding it quite interesting enough. And so you suddenly decided, okay, I'm gonna, I'm gonna, you know, I'm gonna get, I'm gonna zhush things up a bit.
Carole Theriault
I don't even know which one this is.
Graham Cluley
I'm gonna zhush. I'm gonna, oh, what can I do to make this interesting? No, no, on this occasion, you announced your intention to marry a horse. And I was reminded of this. It did make for an interesting evening.
Mark Stockley
I was browsing the internet.
Carole Theriault
This was even before the internet got crazy, but I think I just did it just to have a philosophical argument of why would that be a bad idea.
Graham Cluley
I'd like to introduce you all to Bernard. I'm sorry for his table manners. Anyway, so—
Mark Stockley
Have you discovered a website with some?
Graham Cluley
Sadly not. I haven't found the horse dating website. Horse human dating website.
Mark Stockley
Yeah, that's what I meant. That's what I meant.
Carole Theriault
Rule 34.
Graham Cluley
I bet it exists. But what I did find is something that's going on in Iceland where they have a campaign called 'Out Horse Your Email.' So rather than outsource, you see what they did there? Awfully clever. No. So rather than outsource your email. So the idea is this, they want Icelandic horses to help people with their out-of-office messages when they go on vacation, because it can be very stressful creating an out-of-office message.
Mark Stockley
Okay.
Graham Cluley
And so what they've done in Iceland is they have trained 3 horses to write your out-of-office message for you.
Carole Theriault
What?
Graham Cluley
They created a giant keyboard, which the horses stride across, creating the words.
Carole Theriault
The words? The words? Do you think words is the right?
Graham Cluley
Well, they're written in Horsish, you know. They're not written in English or Icelandic. Let's not stress the horses too much. But apparently some of them claim to be trained in corporate buzzwords or be particularly assertive. I have signed up for this, but I'm not out of the office at the moment. But it has created an out-of-office message for me. It's not entirely intelligible, what the horses have created. Others are described as a fast typer but might take a nap. Anyway, you can go.
Mark Stockley
Is that just because it's in Icelandic?
Graham Cluley
I'll put the link in the show notes. It might be. Maybe it is Icelandic. Maybe it is Icelandic. Maybe that's why I don't understand it. I don't know. But certainly an interesting initiative coming from Iceland, which I thought I would share with our audience.
Mark Stockley
Well, it's one of the effects of some of the activities we talked about earlier.
Graham Cluley
And it's all about out-horsing your email. Mark, what's your pick of the week?
Mark Stockley
So mine is bees. Bees. So while we're busy working out how to live on the smaller patch of the Earth that's livable and farming it with robots that are all going to kill us, you may have noticed that there are fewer bees and people are a bit worried about this. And I was a bit worried about this a few years ago, so I thought, what, is there anything I can do in my garden that will help the bees? Wow. And then at the end of the season, you gather up your cardboard tubes, you send them back to Mason Bees UK, they check— So they soak them in water, they unfurl, they take out the cocoons, they check them for disease, they make sure everything's healthy, they remove any parasites. And then in the spring, they return the same number of cocoons that you bought in the first place. Cool. So your excess bees each year go to new people. Oh, that's very cool.
Carole Theriault
What a cool idea to buy it for a school as well. That's super clever.
Mark Stockley
Well, I did mention it for the credit for, you know, Mark the hero.
Graham Cluley
It does seem rather more worthy than my Icelandic horses writing my out-of-office email messages.
Carole Theriault
Don't worry, mine's not worthy.
Graham Cluley
Okay, Carole, what's your pick of the week?
Carole Theriault
Mine is for my fellow lovers of audio drama. So Graham, feel free to snooze. So BBC Four, one of the most consistent producers of high-caliber audio dramas that I've come across anyway, have a podcast called Limelight.
Mark Stockley
I have a question.
Carole Theriault
Yes.
Mark Stockley
Why did they send a fencer?
Carole Theriault
Well, there's a few scenes inside where her skills become very important.
Graham Cluley
They needed a fence made.
Mark Stockley
It's just that I feel like I have managed to get through life thus far without needing to call upon any sword fighting skills.
Carole Theriault
Yeah, but you probably have used the internet in ways that you wouldn't want recorded. So, you know, swings and roundabouts.
Graham Cluley
Wow.
Mark Stockley
Wow.
Graham Cluley
Lovely way to treat the guest, Carole. I do apologize, Mark.
Mark Stockley
You can find my webcam footage on Google Drive. But if you can't find that, you can find me on Twitter @MarkStockley.
Graham Cluley
And you can follow us on Twitter @SmashingSecurity, no G. Twitter allows us to have a G, and there's also a Smashing Security subreddit. And huge thank you to this episode's sponsors, Kolide, GoodAccess, and Rumble, and to our wonderful Patreon community. It's thanks to them all that this show is free.
Graham Cluley
Until next time, cheerio. Bye-bye.
Carole Theriault
Bye-bye. Bye.
EPISODE DESCRIPTION:
A browser extension bug let malicious websites spy on webcams, hackers threaten the global food supply chain, and Michael Fish (not that one...) hacked into his female classmates' online accounts, hunting for nude photos and videos.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley.