277: Bad bots, cheeky ransoms, and good deepfakes

Ransom acts of kindness are top of our mind, as we also explore how bad bots are hogging more and more of the internet's activity, and look at how deepfakes could be a good thing after all.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Ray [REDACTED].

Visit https://www.smashingsecurity.com/277 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Ray [REDACTED].

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.

GRAHAM CLULEY. So here's what I'm thinking. I think I would find it quite hard to round up five poor kids. So you would just dress up the rich kids as poor people? Because that's what you would do. This is what I'm wondering. If I was desperate to get my files back, would I think it's actually easier to go down the local amateur dramatics group and hire some people to pretend to be homeless? Would I be able to do that? Poor little Timmy. Tiny Tim, Tiny Tim on his crutches. That's right. Smashing Security, episode 277. Bad bots, cheeky ransoms and good deepfakes with Carole Theriault and Graham Cluley. Hello, hello and welcome to Smashing Security, episode 277. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault. And this week, Carole, we are joined by a special guest, somebody who's been on the show before. It's our great pleasure. Drum roll, please, to announce the return of Ray Redacted. Hello, Ray.


RAY REDACTED. Hello, hello. It is good to be back.


CAROLE. Welcome, Ray. The crowd goes wild.


RAY. How are you doing? Thank you. Thank you very much. It's good to be back. It's been too long. But I have been listening, so I am up to speed.


GRAHAM. Good, because we would have tested you, obviously. Just to make sure. In what episode did Carole call Graham a dingbat?


RAY. 261 through 269. That was an eight episode run.


GRAHAM. Oh, yeah, it was, wasn't it? It was a bumper season that one.


CAROLE. We have a lot to cover today. Should we get the show on the road, boys?


GRAHAM. Sure thing. Let's thank this week's sponsors, Bitwarden and Collide. It's their support that help us give you this show for free. Now, coming up on today's show, Graham, what do you got?


GRAHAM. Oh, I'm going to be talking about ransom acts of kindness.


CAROLE. Okay, what about you, Ray?


RAY. I'm going to be talking about bad, bad bots, what you going to do?


CAROLE. And I'm going to be looking at some deepfake dramas all this and much more coming up on this episode of Smashing Security.


GRAHAM. Now chums, chums, ransomware, dun dun dun. I know it's in the news all the time, you can't stop talking about it, how many times we talked about this. There's been all kinds of weird ransomware, unusual things which ransomware has done. I remember a piece of ransomware called Popcorn Time. Sometimes I talk about it in presentations because it's quite unusual. It gives you an option. When it asks you to pay the money, it says, look, you can pay us the old-fashioned way. You can go and get yourself some Bitcoin and you can transfer the Bitcoin to us.

That's old-fashioned. That's old hat. Or if that's a bit too complicated to work out how to get hold of some Bitcoin, you can do it the nasty way. What you can do, they say, is here is a link. If you send this link to enough of your friends or family or work colleagues and you manage to trick them into infecting their own computers with the Popcorn Time ransomware and they end up paying, then you will get your data back for free.


RAY. So don't worry. Oh, my God. It's a pyramid scheme.


GRAHAM. Yeah. You've become an affiliate. You now have a second job. You're working now as part of the ransomware gang.


CAROLE. And everyone now has a sullied reputation a little bit that they keep private.


GRAHAM. So that was a good one, Popcorn Time. There's also one called N-Ransom. What that did was it displayed pictures of Thomas the Tank Engine. Not a euphemism. And what it did was it demanded you send 10 nude pictures of yourself as payment. Or if you're particularly keen to get the decryption key maybe only send five nude pictures, they might prefer that, I don't know. But yeah, a rather unusual piece of ransomware that. And there was ransomware was one which actually came with an embedded video arcade game, an old style arcade game. You had to reach a certain high score inside the game to decrypt your files.

So there's been all kinds of madness in the ransomware world, as well as the actual traditional infections demanding cryptocurrency. And there's now another strange oddity in the world of ransomware. And it's been discovered by a security firm called CloudSec. And they have called it the Goodwill ransomware.


RAY. Goodwill ransomware. Yeah. Okay. Not goodwill hunting or something like that. Educate me.


GRAHAM. Well, in many ways, it's pretty normal, right? It infects your Windows PCs. It encrypts your documents, your photographs, your videos, your databases, all of the data that you actually want. But rather than demanding thousands of dollars worth of cryptocurrency in exchange for the decryption key, the Goodwill ransomware wants you to do something else. It wants you to perform three acts of kindness.


CAROLE. Do they give me a list of what that is?


GRAHAM. Yes, they do. They don't only ask for three acts of kindness. They also ask you to record them on video and share the proof online as well as with the ransomware organizers in order to get your decryption key.


CAROLE. Okay, I've done a few acts of kindness just today. Can I just name some and you tell me if they'd fit in?


RAY. Now, Carole, it's not the humble brag virus.


CAROLE. This is pretty low bar here, I've got to say. I emptied the dishwasher. It doesn't just benefit me. There are other people living in this house. I made my co-worker a sandwich for lunch.


RAY. Wow, that's actually very kind. That's kind of two. What kind of sandwich did you make?


CAROLE. Tuna and organic cucumber.


RAY. Oh, that sounds good, actually. Yeah. So that doesn't count.


RAY. That counts as two, actually. I think we'll decrypt your files now. Well, no. Thanks. Hang on. Ray, what kind of criminal enterprise are you running? The sandwich is a very exceptional act of kindness.


GRAHAM. It's not that big, really. Well, I'll remember that, Graham. I think you've basically decrypted one GIF file.


CAROLE. As an artist, that probably would matter.


GRAHAM. I don't think that's very good. Now, the Goodwill ransomware displays a message. In fact, it displays a multi-page message in its manifesto when it infects you. It says, "We're not hungry for money or wealth, but kindness. We want to make every person on the planet to be kind and want to give them a hard lesson to always help poor and needy people." So, Carole, I'm afraid your co-worker or emptying the dishwasher isn't good enough for them. They want you to take a deep breath, look around for all of those who need help.

So they give you some examples. The first request they make is for you to donate new clothes and blankets to the homeless. And they say, not only donate these clothes and blankets. But why do they have to be new? Well, they don't want your soiled underpants, do they?


CAROLE. No, but it's not helping the planet much by just buying stuff. I just think a lot of people have a lot of stuff that's in pretty good nick that they don't use.


GRAHAM. Well, maybe if you washed it beforehand. Of course. Another act of kindness, by the way, on the scoreboard. Thank you, Carole, for demonstrating human cleanliness and for washing before we're recording this podcast. And reducing waste, right? They want you to post the evidence of this on Facebook, Instagram, and WhatsApp to encourage others.


CAROLE. Yeah, spread the word. Spread the word of goodness.


GRAHAM. Spread the word. So that's the first thing. Ray, what clothes would you donate?


RAY. Well, I was actually going to go buy new clothes. I was following the instructions to the letter. I did not realize I got to bend the rules. But certainly jackets, socks, I believe, are very popular or very in-demand socks. And certainly clean new underwear, I think. I would think there would be a demand for that as well. Not the teabag thongs that you're envisioning with the jewelry.


GRAHAM. Let's move on to act number two. So once you've done that and you've shared it online with the appropriate hashtags and shared it with the criminal masterminds as well, we need to go on to the second act. And what this involves is finding five poor children under the age of 13 and taking them to Domino's, Pizza Hut or Kentucky Fried Chicken and allow them to order any food that they wish. What do we think of that?


CAROLE. I wonder how the parents are going to feel about that. Where's little Ricky? Where's little Ricky? Where does he go? So they're all down on the Mickey D's.


RAY. Kidnap five children and take them to the restaurant. It's a bit odd, isn't it? Random children. The brand placement seems a little bit conspicuous. They actually have mentioned the actual specific brands there.


CAROLE. Yes. I bet there's PR meetings going on right now going, "Can we make sure we are not involved in this in any way? Why were we named?"


GRAHAM. So you think maybe Domino's Pizza are a thing. Could someone in marketing be behind this ransomware? Are we doing this to drive sales?


RAY. Well, you know, it's really funny that you would say that because when the invasion in Ukraine happened and all those Conti ransomware group files leaked. First of all, it turned out that their inner workings was like a bad corporation. I mean, they had layers of hierarchy of management and they were using tools like EDR. But a lot of the employees thought they were working for a marketing company, an ad company. That's what they were told. So maybe it was for Pepsi, KFC, or Domino's.


GRAHAM. Thank goodness I'm no longer working for Disney. I'm working for the Conti ransomware gang. I can sleep soundly at night now.


CAROLE. So I've kidnapped five kids.


GRAHAM. Kidnapped five kids. I've gone shopping for people in the city that need it. And they want you to take selfies of you and the kids full of smiles, happy faces, build a beautiful Instagram story with these pictures, screenshot the bill, send an email to us, they say, with the link to get your files back.

And the final one involves providing financial assistance to those who need urgent medical help who can't afford to pay for it themselves. I imagine by the way that this is in America where I believe you have to pay to if you get hit by a car or something whereas most of the civilized world if you're badly injured you can just get treatment. But anyway, they are saying visit a nearby hospital, look around the crowd and you should be able to find some people who need money urgently for their treatment. And you have to go up to them and talk to them and say, "Hey, look, I'd like to help."


CAROLE. I'll take on the $300,000 hit. I'll take this on you.


GRAHAM. Again, take lots of selfies of them full of smiles and happy faces. Record audio while the whole conversation between you and them takes place and send it to the ransomware gang.


CAROLE. You see, I've got two issues here, I think.

Come on, let's hear it. Because I'm a bit of a do-gooder. So I think in principle, all their stuff is good. You know, yeah, look after the homeless, help people that need it, all that, you know, feed the people that need it. Absolutely.

I worry about their tactics to force me to do it on one, because it doesn't seem like a very nice thing to put ransomware on my machine. So it doesn't feel like they're eating their own cereal. Right? They're not eating their own Cheerios.



RAY. Are you a good Samaritan if you have a gun pointed at your head? Right.


CAROLE. Right? And what are they good Samaritans by pointing the gun?

And number two, it also feels like they've offloaded a lot of the responsibility to me. Because if they were typical ransomware users, they would just take my money and then they could do all that stuff themselves.



RAY. Yes, with the money. But Carole, I guarantee you that's probably an option.

They probably want you to look at this list of things that you have to do and go, okay, never mind. Here's 20 bitcoins. Just go away.



CAROLE. I don't hate you now. You gave me an opportunity. You gave me a choice that I didn't even want in the first place.


GRAHAM. Yeah. It is peculiar, isn't it? So here's what I'm thinking.

I think I would find it quite hard to round up five poor kids.


CAROLE. Why? Could you live in a rich neighborhood?



GRAHAM. Well, no, I don't have many people who live near me, right? I would have the proud.

So you would just dress up the rich kids as poor people. That's what you would do.

This is what I'm wondering. Oh, my God. If I was desperate to get my files back, would I think it's actually easier to go down the local amateur dramatics group and hire some people to pretend to be homeless.

You know, would I be able to do that? Or maybe Photoshop the Kentucky... Or little Timmy. Was it Timmy? Tiny Tim. Tiny Tim.


RAY. On his crutches. That's right.

And then right when you're negotiating with him, he whips out a Screen Actors Guild card and says, I need scale.


CAROLE. Why isn't one of the things there, can you give to one of these five recognized charities?


GRAHAM. Right. But maybe that's too easy.

Maybe they're saying giving charity just by clicking a button is too easy. And they want you to actually go and do something.



CAROLE. Okay, you do that and also say online that you've done it. You know?

I don't know. Okay. Anyway, I don't know why I'm helping the ransomware guys.

I just don't agree with the ransomware in the first place.



GRAHAM. Yeah, but again, it's a bit of a humble brag, Ray was saying earlier, isn't it?

To go online and say, I have just very generously given $100.


CAROLE. Oh, you're not saying I'm generous. You're saying I was forced by a ransomware gang.


GRAHAM. Normally, I would never donate the money. But in this exceptional circumstance, I am prepared to.

So I wonder if this might be the beginning of something.


RAY. Well, you'll know if you watch LinkedIn, because LinkedIn would become overrun with all these pictures and everyone would have five kids in their photo. Exactly five.


GRAHAM. Well, that's possible. But I'm also imagining some future Michael Douglas movie where there he is in the office.

I got hit by ransomware. He's an evil sort of trader or something.

Is he still alive? Yes, of course Michael Douglas is still alive.

I'm going to look. He did have an ailment. Which he said he got. Never mind. Yes. Never mind.

And.


CAROLE. You know, he is alive. He seems alive. 77.


GRAHAM. Anyway, so Michael Douglas, I can imagine him in a movie getting requested to do various.

What I'm picturing is some evil, crazy guy sending different commands to people who've been hit by the ransomware and he's getting them to do more and more insane things. You know, custard pie Bill Gates.



CAROLE. You thought of this when you were having a poop or something, right?


GRAHAM. Tie Piers Morgan's shoelaces together. Something that.

I can imagine this happening.


CAROLE. Okay, well, good. You're perfectly sane.

Well, no.


GRAHAM. The world of cybersecurity is not sane, Carole. I'm just, here I am predicting the future.

I'm a soothsayer. And I am warning. Let the record show.

I am warning that this kind of ransom kindness madness could get out of hand and could become a big problem.


RAY. But why KFC? It just seems such a random list of, you know, it's not Chuck E. Cheese or, you know, something that's friendly for kids.



CAROLE. What is Chuck E. Cheese?

It must be a kid run thing because not everywhere has. Maybe they're just thinking of international restaurants.

Yeah, we don't have Chuck E. Cheese here, whatever that is. We have a chubby chicken, though, in Oxford.


RAY. Oh, Graham, Chuck E. Cheese is this child horror show with animatronic puppets that sing to the children and they play arcade games.

And it definitely should be one of your stories one of these days.



GRAHAM. Well, that sounds certainly more attractive than Kroll's Chicken with a Chubby.

Anyway. Ray, what have you got to talk to us about this week?


RAY. Well, Graham Carole, when you were children, were you taught that there were good bugs and bad bugs?

Did anyone ever try to classify bugs for you?



GRAHAM. No, bugs were fine. Oh, no, I think, yeah, some bugs were pretty mean, yeah, pretty evil.


RAY. So here, deep in the heart of Texas, we were taught that certain bugs were good bugs and certain bugs were bad bugs. You didn't kill certain spiders because they would eat mosquitoes and you wouldn't kill certain snakes because they would do this or that. But everything was classified as either a good bug or a bad bug. And then it was only much later in life that you kind of realized that in an ecosystem, there's not really necessarily good and bad. It's just that everything is kind of in a reliance.

So, well, I don't know if you've been following the news lately, but there's this chap named Elon Musk that has been in the news with his takeover attempts of Twitter. And one of the things that he said, among the less bizarre things that he has said, was that he believes that there are many more bots on Twitter than Twitter has been willing to estimate and to say, right? And it really got me thinking. I started thinking, wow, I wonder how you could count those. How could you count those? How could you see those? I know there's a lot of tools out there that do that.

Well, it turns out there's a company on the internet that has been counting what they call bad bots and good bots for almost 10 years now. They have bot catchers all over the world and they're counting up bad bot activity. Now, your first question has got to be, well, what makes a bot a bad bot, right? We have bots from Google that crawl websites. We have bots that do things like price indexing for travel search engines, etc. Well, they define bad bots as bots that are evasive, deceptive, or malicious, okay?

And believe it or not, according to Imperva, about 42% of internet traffic in the last year wasn't human. And that's up from 40.8 in 2020. And human activities decreased by 2.5% to 57.7. Now, the reason that that's extremely unusual is because of the fact that we still have a hybrid workplace COVID kind of quarantine situation. And internet traffic has generally been going up significantly year over year, primarily because of video. So the bad bot traffic is outpacing the good human Netflix porn traffic, or whatever traffic that is.


GRAHAM. And this is the case even though there's been a marked increase in the number of people playing Wordle and things like that.


RAY. Absolutely, for sure. Well, there may be bots playing that. There may be bots playing that at this point. Oh, goodness. So this is why we always have to deal with all those captchas that say, you know, identify which shoe is a clown shoe or whatever that is. And they show you a bunch of pictures of feet or whatever. I don't know. Maybe I'm on different websites than you are.

But anyway, so OWASP is kind of the authority when it comes to things like this, has defined 21 different bad bot use cases in their automated threat handbook, which we will link in the notes. But Imperva has got these great statistics over time. And we've seen certain trends that have happened specifically because more and more legitimate traffic is mobile. And then when Apple put out their privacy changes a couple of years ago that affected companies like Meta and a lot of companies that were trying to do some advertising on that side, there was a big movement of that.

And then, of course, if you think about it, there's a thing online where they do shoe drops, like Kanye or somebody announces a new shoe. And the only way you can get it is to use a bot. So all of that bot activity is out there and it's kind of swelling up and down, primarily used for things like DDoS attacks and often is a precursor to more sophisticated attacks.


GRAHAM. Ray, you're going to have to backtrack a little bit because you're getting very technical for me. Kanye West does a shoe drop. Correct. And that's largely a bot. Did you mean it's largely a boot?


RAY. No. What does all this mean? When items are extremely scarce, people have written programs to try to defeat the limitations of that thing. So ticket scalping was the first killer app, right? They would set up these bots so that when the tickets went on sale at 9:01 a.m., the bots would grab up all the best seats, and they would pretend to be humans, and then basically the scalpers would resell those. Well, they do that with shoes now, too, because Kanye will drop a shoe that's MSRP is maybe $169, and they'll go for thousands. So people can actually rent bots to try to get shoes, to try to get tickets, or they can just simply outsource that.

So that's a difficult type of bot is for being able to defeat retail services. There's a lot of that with regards to travel. And notice the market increase in the number of mobile devices. And if you look on the internet and you type in bot farm, you will see pictures of people in certain countries where they'll have 128 mobile phones bolted together, all running a single program that basically are impersonating users. And it's just another indicator of the type of activity that is kind of out there.

Interestingly enough, just like happens all the time on internet research, there really wasn't anything in the Imperva reports or the OWASP report about social media bots, which is kind of when I got started interested in that side. And so there's kind of a raging debate. Is 20% — are 20% of Twitter users inauthentic? Is it 50%? Does it matter how often they're used? We all know there's definitely a bot problem on social media. But for the folks at Imperva, they actually point out that there's a lot more serious problems related to bad bots.


CAROLE. Right. So basically, one in two times you're on the internet, you're talking to a bot probably.


RAY. Well, in certain social and dating websites, it would be much, much higher than that. Right. Like if we think back to Ashley Madison, Ashley Madison was almost all bots. It was almost 100% users that were there to try to get more money from you.


GRAHAM. Fembots. Yes, all the women were actually robots, weren't they? They were cracking a look at. My goodness.


CAROLE. Yeah, but what do you think can be done? Do you think that we need to be more attentive, being aware that there's bots out there? Does it change our behavior in any way, do you think?


RAY. Well, I think that the folks from Imperva really talk about the level of severity of types of things. So obviously things that are data scraping or stealing credentials, that's a very serious issue that needs to not only be monitored, but also mitigated.

And they make recommendations for certain types of mitigation around proxies and things like that. But also they just think that awareness will drive a lot more. Awareness is sort of the very first step for that side, and especially with regards to account takeovers.

And you know, we talk a lot about multi-factor authentication circumvention. And a lot of these bots are now being designed specifically to look like they are the telecommunications company asking for those tokens.

And so just always remember, never give out your MFA token unsolicited. No company will ever ask you that without you requesting it first, right?

And then they also talk about the fact that when it comes to account takeovers, just like dwell time is extremely important in cyber breaches, detection of account takeovers is extremely important so you can shut it down.


GRAHAM. So we'd really be looking for websites and services to do a better job at determining inauthentic behavior, I think. I mean, the simplest way to do that is with things like CAPTCHAs.

But, of course, CAPTCHAs are quite irritating for the humans. And they're not — Yeah, but people are used to them now. I mean, Google doesn't all the time.

Well, you know, sometimes I have to reload, reload, because I can't work out what's what. And you know, is that bit of the traffic light?


RAY. Does the pole count as the traffic light? I've always wondered that. Is it the actual light or is it the pole too?


GRAHAM. Well, I always worry that am I feeding all this information? Am I making it easier for some evil artificial intelligence inside Google to identify the difference between a yacht or a zebra crossing or a traffic light, such that they will then ultimately be able to invade our cities.


CAROLE. That's a really good point. I think you should start acting like some kind of animal or something. There's a guy actually in Japan who's paid, what?


GRAHAM. Oh, the collie dog man. Yes.


CAROLE. He decided he didn't want to be part of humanity anymore and he's now got himself a lifelike dog outfit. I think we should put it in the show notes.

It's really, really odd and weird. It's quite convincing. He's an authentic dog, though. He's a deepfake dog, which brings me to my topic.

Deepfakes. So back in 2019, Google published a blog piece called Contributing Data to Deepfake Detection Research.

And in it they talk about innovation and tech and how they've paid loads of actors and people to create a database for researchers to work from in terms of finding out about deepfakes and detecting deepfakes. And a quote from that is "since the field is moving quickly we'll add to this data set as deepfake technology evolves over time and you know we'll work with partners we firmly believe in supporting a thriving research community" yada yada yada.

So it came as a surprise to some of us that Google recently quietly banned deepfake projects on its Collaboratory or Colab service, putting an end to the large scale utilization of the platform's resources for this purpose. Now, for those who don't know about Colab, it's basically an online computing resource that allows researchers to run Python code directly through the browser.

So they can use free computing resources, right, including GPUs to power their projects. And it's meant to be used by researchers who need power that cost several thousands of dollars to help them reach their scientific goals, right?


GRAHAM. It's probably been used actually to run hordes and hordes of bots, isn't it? This is probably exactly how it's all happening.


CAROLE. Interesting, interesting, because Colab has a not allowed here list, okay? And it includes things like using a remote desktop or SSH, connecting to remote proxies, mining crypto, running DDoS or DoS attacks, password cracking, and using multiple accounts to work around access resource usage restrictions, okay? And they've added to that creating deepfakes.

So it's not known if Google performed this policy due to new ethical concerns or rampant abuse of its free computing resources, right? But says Bleeping Computer, there are reports that some users are exploiting the platform's free tier to create deepfake models at scale.

Okay, I'm not surprised by that or any of you. And this captured a significant amount of Colab's available resources for extended periods.

Now, of course, all of us know of the bad things that deepfake, it's known as synthetic media, right? We all know about the bad deepfakes out there. But I thought we could switch it up and look at some of the positive things that I've seen listed and see what we think of them.

Okay, so I'll start with this one. What about people with speech impediments or motor skill difficulties? Imagine being able to talk in your own voice to loved ones or colleagues even after losing your ability to speak.

Or if you're suffering from certain physical or mental disabilities, you could use synthetic avatars of you for online expression, you know, to be able to go, oh, here, this is what I wanted to say to you. Why do you always feed me the stupid, disgusting stuff, you know, or something?


GRAHAM. Well, we saw this actually a few weeks ago when I had a pick of the week, which was that Gerry Anderson documentary. And Gerry Anderson, of course, has been dead for a few years.

And his family, they had an audio recording of him being interviewed. But for the purposes of the movie, they wanted Gerry Anderson talking and they did a remarkable job through deepfake technology. And you were watching this thing and you completely forgot that it was synthetic media.

I mean, that's a good point. Better than animating him in the old Thunderbirds way with bits of string and sort of Weekend at Bernie's style.


CAROLE. Yeah. Think of Forrest Gump where he meets JFK and other historical figures. The creation of that scenario cost millions of dollars, right?

Whereas deepfake could democratize the cost of this VFX tech. And to make it a fraction of cost, which means that people can do cute deepfake videos.

I saw one, which was adorable, called Home Stallone, right? So it's they've somehow superimposed Stallone's face into Home Alone's video in the show notes. But, you know, and it's labeled as a deepfake and it's there for kind of a contribution to the arts, which I say would be actually, I think, quite valuable.


RAY. That use case kind of reminds me of when BitTorrent took off and there was a group of people that screamed and yelled that it was really just being used for Linux distributions. I'm sure that there is a few people that would use deepfakes for that.

But my concern is the percentage of positive use is probably a little bit outweighed by the percentage of negative and malicious.


GRAHAM. I'm feeling sorry for Sylvester Stallone's career, actually. I mean, there was a perfectly good job that he could have been hired to do. And instead, they deepfaked it.

Maybe that's quite bad news for actors. Maybe not for just Stallone, but other actors as well. And Google's the one who's making the most money out of it, right?


RAY. Carole, that's another interesting question I had is when they say we can't use these resources for these things, and these are GPUs, right? These are big farms of GPUs.

How can they tell the difference between password cracking and positive use of deepfakes? I mean, how would Google be able to monitor and tell what that is?


CAROLE. That is an excellent question and I have attached the FAQ for Google's Colab and explaining why it has restrictions and how it works and maybe the answer will be in there.


GRAHAM. They probably can't tell but if they find out later that's a good reason for kicking you out. Maybe if someone reports you or something.


CAROLE. What about helping the bereaved? Say if I died, Graham, right? Wouldn't you to have me?


RAY. Carole, we already have a mop and it has your name on it and your photo. And now all we need is recordings to go with the mop because the mop is a great dancing partner.

That's not very good at dinner, but that's our virtual Carole. We just need the voiceovers for you.


CAROLE. And what about solving police investigations? So last week, actually, Dutch police created a deepfake video to appeal for info over a 2003 murder of a teenage boy.

And it's the world's first investigation using artificially manipulated footage. It's this 13-year-old footballer who was shot dead in 2003, while throwing snowballs at his friends in a car park near Rotterdam metro station.

And at the time, they just thought, oh, wrong place, wrong time. But now they think there was an organized criminal fraud gang hanging out there. And they're hoping the deepfake video recreation of the boy's image and everything will help solve this cold case.


RAY. Prosecuting crimes on synthetic evidence sounds like a lawyer's nightmare to me, because they're actually making things up that aren't real and showing that video and saying, is this what happened, right?


CAROLE. I mean, this podcast, Graham, we could have synthesized media be able to translate us into different languages to make us more accessible internationally.


GRAHAM. I'd love to translate some of the sessions into English. That'd be helpful.


CAROLE. So, like most things, it's complicated, right? Because as you say, Ray, deepfakes are maybe not inherently bad as a tech, but I agree that right now we seem to have a lot more yucky examples than good examples out there.

I mean, we know this tech has been used for revenge, for political gain, for disruption, to induce shame, obedience, and even the EU put out a report to authorities advising them to get on the deepfake bus because it is ripe to become a staple tool in organized crime.

So how do you control this stuff? Well, it's the same as really all things tech — legislation, regulation, corporate policies saying you can't do this, and voluntary action from people on reporting it or making people aware of it, education, training like what we do.

We can call this "oh god we're doomed" then, and probably the most important is anti-deepfake tech, right? Which includes deepfake detection, content authentication, deepfake prevention, except now without Google's Colab, anti-deepfake tech might take a hit.

So, I don't know. It also says something to me, Google kind of stepping out of this little mess.

Like, does it smell something that we don't smell? Why has it pulled out of this completely?

Because surely this isn't a really exciting, innovative time. And I understand it's very controversial, but we need to have anti-deepfake tech as well, don't we?

So if they're pulling out, I think maybe we're in for a rocky, deepfake ride. That sounds a bit dirty, actually.


RAY. Now, do you think that Matt Damon, when he made that Crypto.com Super Bowl commercial, do you think he could go back now and say, nope, that wasn't me, that was a deepfake and try to get plausible deniability around that?


CAROLE. Yeah, I wonder if actors are going to have to sign contracts saying, oh, and if you die during the making of this film, you let us use deepfake to continue the script. Exciting time.

Now, you all know that we are big fans of password managers at Smashing Security because it's an important tool for generating and saving secure credentials for every online account. Bitwarden makes it easy to stay secure and for businesses to share logins with team members and departments.

Bitwarden is transparent and secure using end-to-end and zero-knowledge encryption with source code that can be scrutinized. Now you can go to bitwarden.com slash smashing and try it for free across devices as an individual user, or you can start a free trial of a teams enterprise plan.

And the thing I like about this, a good password manager is robust and cost-effective, as it can radically improve your chances of staying safe online, all without requiring super high-tech expertise. Go to bitwarden.com slash smashing.

Start your free password manager trial today.


GRAHAM. Kolide sends employees important, timely and relevant security recommendations for their Linux, Mac and Windows devices right inside Slack. Kolide is perfect for organizations that care deeply about compliance and security but don't want to get there by locking down devices to the point where they become unusable.

So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems. Sign up today by visiting smashingsecurity.com slash kolide, enter your email when prompted and you will receive a free Kolide goodie bag after your trial activates.

You can try Kolide with all of its features on an unlimited number of devices for free, no credit card required. Try it out at smashingsecurity.com slash kolide.

That's smashingsecurity.com slash K-O-L-I-D-E. And thanks to Kolide for supporting the show.

And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick Of The Week.

Pick Of The Week. Pick Of The Week.

Pick Of The Week is the part of the show where everyone chooses something they like. That could be a funny story, a book they've read, a TV show, a movie, a record, a podcast, a website, or an app.

Whatever they wish. It doesn't have to be security-related necessarily.

Better not be. Well, my pick of the week this week is not security-related.

My pick of the week involves a certain situation which has arisen in my home. My young son, he is 12 years old.

No, he's not. He's 11 years old.

I was just going to say. Yeah, I'm not sure.

He's 11 years old. Round about that.


RAY. Is this the Father's Day episode by any chance?


GRAHAM. He has started playing Minecraft with some rather special friends of his from school. And he wants to chat to them at the same time.

And he was saying to me, Dad, Dad, can you set up Discord for me? Discord's cool.

I've heard about Discord. I've watched YouTube videos about Discord.

Does he talk like that? Yes, he does a bit.

And I said, well, I could, but then I'd have to get the other kids to set up Discord, and speaking to their parents is a nightmare because I'm not that nerdy and they're even less nerdy. And rather than setting up Discord or coordinating mobile phones with the parents and making a call, oh, it's just sort of a big pain in the neck.

I thought there has to be a simpler way for these kids to talk to each other, which ideally doesn't cost me any money and is zero effort.


CAROLE. And does not invade their privacy.


GRAHAM. Ridiculously, probably. That would be helpful as well. That was a smaller consideration, but yes, that would be good as well. So I found a service called talky.io, talk with a Y on the end, .io, and it's free.

You can do audio and video chat. There's nothing to download. You don't have to sign up. There's no payments required. They don't have any ads. They don't resell your information. That's to say, they say they don't. They don't keep track of anything you're doing online.

They say they encrypt everything possible, and it's really easy. And what's the best thing about it from my son's point of view is while you're waiting for other people to join your room, you get to play a little video game, like a lunar lander kind of game where you have a spacecraft and go, pfft, pfft, applying thrust.

So while you're waiting for people, you can sort of move it around the screen and try and land it properly. And it's really easy to use and has so far worked for them.


CAROLE. Cool. I've just read the privacy policy and it looks good.

Oh, wow. That's quick. All they grab is, yeah. Well, just their privacy policy. But it's quite tightly written, actually.


GRAHAM. I think that they're doing it because there's some sort of web development team. And they're doing this basically as an advert for their services.

So if you wanted to have maybe a corporate chat video thing, they would be able to roll you out one and all the rest of it. So I think that's the reason why they've done this. But it worked very well.


RAY. It's always a good question whenever you come across a domain name that ends in .io and has a kind of catchy name and declares that they don't advertise or keep any logs.

You always wonder, how do they monetize? Am I the product?


CAROLE. They also say that they welcome anyone reporting any bugs and you will receive a detailed response within 48 hours, which is quite refreshing to see in a privacy policy.


GRAHAM. Anyway, so far, no problems with it. And the kids are able to chat to each other while they're giving each other cornflowers or messing around with redstone or whatever it is that they do in Minecraft.

And so talky.io is my pick of the week. Ray, what's your pick of the week?


RAY. Well, my pick of the week, Graham. Yes. Well, let me just ask you this question.

When you are at home alone, or maybe perhaps not alone, and you've got a nice glass of wine and some good music on. I'm uncomfortable. Are you excited about the possibility that you might be experiencing piloerection? I'm so uncomfortable.


GRAHAM. Well, I don't drink wine, so I think it's even less likely I'd have a piloerection if I was drinking wine. So I'm not used to alcohol and things.

But, you know, what's a piloerection, Ray, dare I ask?


RAY. So, piloerection is actually a physiological and physical response that you probably know more by the term of goosebumps. And humans often experience this as part of something that scientists call frisson, which is derived from the French term of a sudden feeling or sensation of excitement, emotion, or thrill.

Now, at Queen Mary University in London, a group of scientists set out, and I'm going to try to say these names, but it was led by Rémi de Fleurian and Marcus Pearce. And they set out to try to find what it is about certain types of music that give you that frisson or that piloerection.

And they found music from people like Johnny Cash, Metallica, Celine Dion, Mozart, and built out a list of songs that are likely to give you chills, where in certain parts of the song you kind of always get goosebumps. These are the songs that you typically turn up really loud in the car.


GRAHAM. Oh, so this is a playlist which doesn't include Michael Buble, for instance.


RAY. That sounds great. No, I don't know that we need to take a cheap shot at Michael Buble at this point in time, but certainly we'll publish the list.


GRAHAM. I think we do.


RAY. No, we do.


CAROLE. I think we do. I think we do. We do.


RAY. But what these scientists were interested in is what's the difference between two songs that are back-to-back on the same album, and one of them, you know, gives you this frisson or these chills. And it's almost universal, by the way.

These are not highly individualized. Really? No. These have a very common set.

So they looked at a little bit less than a thousand songs. And they identified 715 that are likely to give you chills. And they published it to Spotify. So it's a Spotify playlist that actually has these songs on them.


CAROLE. Okay. So now we have to worry about freaking drivers listening to this playlist whilst driving along and going, oh, oh, all the time.


RAY. Well, it is actually called a skin orgasm. That is actually called a skin orgasm. But I left that part out because I felt like it was a little bit too racy for this.


CAROLE. Yeah, good job.


GRAHAM. Good job. Good that you didn't mention the skin orgasm.


RAY. Well done on the whole dimension. But it also includes parts of movies. If you think about speeches.

I mean, the classic example for Americans is probably the Rocky theme. Because, you know, right when he starts to get up, you know, that Rocky, you kind of get behind it or whatever. Queen as well, I'm sure, is up there.

But they're particularly fascinated in which songs are able to bring this and which aren't. And if you look through this playlist, by the way, and someone was kind enough to convert it to Apple Music and other formats as well. But if you look at this playlist, you're going to see a lot of songs you recognize and you'll know immediately.

Oh, yes, I know that part of that song that gives everybody the piloerection for song, right?


CAROLE. Are they trying to figure out the sonograph or the wavelength that does it? Is it, you know, are they able to isolate it to certain beats or something?


RAY. They do look at tempo and they do look at cadence and they do look at... But one of the most interesting explanations is something that musicologist David Huron calls contrastive valence theory, in which your feelings are suddenly contrasted. So you start off feeling really bad and then you feel really good and then you get stronger and stronger and stronger. And then there's really no peak to that. There's a lot of that in Broadway show tunes, right? When they reach that type of these piece. So your brain can either be...


GRAHAM. Of course, life is shit.


RAY. Of course, life is shit. Of course, life is shit.


GRAHAM. Of course, life is shit. Of course, life is shit. Of course, life is shit.


RAY. That kind of thing. Is that your auto-tune plug-in there or no?


GRAHAM. Did you get any chills at that moment?


RAY. Yeah, yeah. I did not. I'm having pilo erectile dysfunction over here. But anyway, so yeah, so they had this very fascinating scientific article. It has a lot of observations about anger and emotions. It has this playlist of 715 songs that you can drop into your MP3 player and listen to. Now, it is very heavy on classical music, but even the pop songs from the 50s and 60s, you'll recognize most of them and be able to identify why they were songs of frisson.


CAROLE. We should have a frisson off with our listeners to see whoever listens to it, how many frissons. They've said write down how many frissons they get for a session of 10 songs and see who can win.


GRAHAM. You can't have too many frissons in a day. I think you'll be exhausted. I think you have to be careful what we advise our listeners to do. Maybe, yeah. Ration yourself, folks. Carole, what's your pick of the week?


CAROLE. We're ready for a trifecta of great picks of the week this week because I have a fab one. It's new to me, totally love it. Graham, I did send it to you to watch. Have you watched a bit of it?


GRAHAM. I have, yes.


CAROLE. Okay, so it's a short series called Zen Motoring and it stars this PE teacher, Ogmios, who also is a battle rap champ. And I have links in the show notes for you to check out. And a battle rap is basically a rap roast where you tear a new one out of your opponent with spicy rhymes and stuff like that. Yeah, yeah. It's cool. It's cool. Yeah. And Ogmios here started doing a YouTube effort labeled Zen Motoring. And it makes this crazy cocktail. It's like a cocktail of what? ASMR whisperings. There's definitely that. And it's against this, I don't know, driving around London as viewed from the dash cam. And you might think, oh, wow, he's zooming through the town really fast. But no, no, no. It's all chill. It's zen. It's ASMR.


GRAHAM. Wow. It is. It's very chilled out. It's wonderful, actually, to watch. So it's dash cam footage. But rather than being, oh, get out of my way. None of that. It's oh, watch out for that cyclist there. Oh, maybe the blue van in front of me could have moved, but maybe I'll give him a little friendly beep.


CAROLE. Yeah. Every pause is narrated, right? Every single pause. Because in London, if you don't know, there is a lot of traffic. We have a ton of traffic here. So every sight is absorbed, appreciated. I think he stops in a cul-de-sac to watch an Amazon robot struggle with the high curb. You slow to allow a pigeon to cross the road. You congratulate yourself for noticing a pedestrian about to cross from behind a parked van. And we celebrate this thing that actually has changed my life now. Which is when he's driving with his dash cam, he's letting pedestrians walk across and they wave. And he gets a kind of frisson for the double or even the triple wave, which he says is the mecca. Because if you go to four waves, it starts looking a little sarcastic. So three is the most you can get as an honest, authentic wave from someone crossing a road. So I've been trying it because I've been on foot a lot in Oxford. So I've been trying to do the triple wave. It's not easy to do. It's not easy to do. But it's making me, and people seem to like it. So, you know, just adding a bit of Zen to the roads in England would not be a bad thing. So I loved it. You loved it, Graham?


GRAHAM. I loved it as well. And I love that he, yeah, he does compliment people when they do a double wave or you said, even a triple wave. And I think that is a random act of kindness that we should encourage on this podcast.


CAROLE. Absolutely. Exactly.


RAY. It might fulfill one of your ransomware objectives there too as well, right?


CAROLE. Yeah, I was just gonna say he doesn't need ransomware to do it. We could just do it on our own because we're good, lovely people.


GRAHAM. So Carole, is this a TV show as well?


CAROLE. Yes, it's on YouTube. It started on YouTube and there's a TV show on BBC and the episodes are, I don't think they're identical. I think just from looking at the YouTube ones, and I was kind of going through them quickly because I've already watched them on the BBC, there were certain things that were missing that were on the BBC one. So I think for the fuller experience, I'd watch both. I'm going to watch the YouTube ones. I want to see, right? So I would say check it out. It is a really fun, wonderful experience and it's comedy in a really fresh form. Zen Motoring. You can find it on YouTube and on BBC. We have the links in the show notes and that is my pick of the week.


RAY. Now Carole, do you think that if this was extremely successful there might be an American version where we just drive all over the place, cut people off and give them the finger? Totally.


GRAHAM. Marvelous. Well, that just about wraps it up for this week.

Ray, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?


RAY. Oh, they can follow me at rayredacted.com. That's R-A-Y-R-E-D-A-C-T-E-D dot com.


GRAHAM. Super duper. And you can follow us on Twitter at SmashinSecurity. No G. Twitter would not have a G.

And there's also a Smashing Security subreddit. Don't forget to ensure you never miss another episode. You know how to do that. You follow Smashing Security in your favorite podcast apps, such as Apple Podcasts, Spotify, and Overcast.


CAROLE. And a huge thank you to this episode's sponsors, Bitwarden and Kolide, and to our wonderful Patreon community. It's thanks to them all that this show is free.

For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 276 episodes, check out smashingsecurity.com.


GRAHAM. Until next time, cheerio. Bye-bye. Bye.


CAROLE. I'm Ray. You may want to say bye-bye. Bye. There we go, perfect. Oh, we're gonna have a rainbow. It's raining and sunny.


GRAHAM. Woohoo! Double rainbow all the way.


CAROLE. Yeah, that gives me frisson. What can it mean?

-- TRANSCRIPT ENDS --