I quite like getting ID checked. I was—

Does that happen often, Stillgrim?

Not often, because I don't often buy alcohol because I don't drink.

But you feel that people think you're under 18?

Well, yeah, it has happened occasionally. Yes.

Right.

People have thought that I—

We all believe you. And the third is intoxication.

Smashing Security, Episode 286: Hackers Doxxed, Pornhub Probs, and Co-op Security Measures with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 286. My name's Graham Cluley.

And I'm Carole Theriault.

And this week on the show, Carole, who are we joined by?

The glorious Maria Varmazis is here with us. Hi, Maria.

Hi.

Welcome. It's been a while.

It has. Good to talk to you both. Thanks for having me back on.

Well, we had to have you on. Before we took our summer break, because we're going to be taking a few weeks off. Don't panic, everybody. We're not going to be going forever, but this is our last show for a few weeks.

It's more than a few weeks. It's the month. We're right now, it's the 4th of August. We'll be back on the 1st of September. It's a month. It's going to be a glorious month.

After you're done talking to me, you're just I can't do this anymore. Need to go and take a break.

No, no, no. We have to edit first and then get the show out.

Oh, okay.

And then do some socials and then say sayonara.

So if you don't want to miss us, make sure that you subscribe in your favorite podcast app. Always do that, and then you definitely won't miss us when we return.

Now, how about we thank this week's sponsors, Bitdefender and Gigamon? It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?

I'm going to be

A lawsuit that could change the internet forever.

Forever. Forever. Oh my God. Ransomware, we're hitting UK convenience stores. All this and much more coming up on this episode of Smashing Security.

talking about doxxing. Now, chums, I've got a question for you. Is it ever right to dox people?

Can you define dox?

Yeah, what are we talking about as doxxing?

Oh, okay. So dox, by doxxing, I mean releasing publicly or posting on Twitter someone's name, their address, their date of birth, people who didn't want that sort of information made public. Other personal information. Is that ever acceptable? Any, you know, any situations when it's all right to do that?

I feel there's a trick question here.

Yeah, I'm a little on my heels. No.

Obviously the answer is no, but you're saying ever, ever, and you're giving us 10 seconds to figure it out.

Is there a gotcha in there?

What if they are members of a ransomware gang that's attacked hospitals and businesses? Is it then all right to release publicly their names and addresses and dates of birth and send people round with torches and pitchforks.

It might be fine to tell the authorities, for example, Interpol or that kind of thing. But maybe I wouldn't. Yeah, no, I wouldn't.

What if you feel that when you pass the information on to the authorities, it just goes into a black hole and—

Oh, it's time to take things into our own hands.

Yeah, you know, it's like you just think, oh, for goodness' sake, nothing's ever happening. We know who these people are. They're opening up.

Doxxing. Maria, what about you? We're not getting any information.

We need Batman. Yeah.

Yeah. Then it's a bit of a gray area, isn't it then? Because you begin to think, well, maybe, maybe it would be useful. Maybe not. Anyway, there's been an interesting couple of interviews published on Vice and CyberScoop with a security researcher who goes by the name of— now goes by— now because you know what people are like on the internet with their silly leet speak names, changing Es to 3s and As to 4s. Excuse me, is that silly?

I'm sure the name Pancake was already used somewhere else.

Is it Pancake or is it Pancake3? Has he got a pan full of—

Pancakey.

And there's been a number of Pancakes already.

Like 3 pancakey.

Yeah, I like that. Oh, it's pancake. Yeah, pancake stack.

You think it's pancake? All right, it probably is. They had their Twitter account suspended because they posted the name, the date of birth, the passport information, of someone who they believe to be the developer of the Predator, the thief information-stealing malware. So they posted this up.

On Twitter.

So they shared it with the entire world willy-nilly.

That's right.

Okay.

Although they said this information is public anyway, you know, it's there. If you go looking for it, you may well find it yourself. But yeah, so they posted this up and Twitter didn't like it. Twitter suspended their account.

Didn't think those leopards would eat their face, did they? No.

Yeah, they—

What?

Hello?

You don't know about the leopards eating your face? No.

Is this another meme? Are you serious?

You are the queen of—

No.

You're the queen of meme.

I love how I get mocked for my lack of digital knowledge. No, no, I don't mind. I don't mind. It's not a mock. It's my genuine surprise. I don't realize that the stuff I'm saying is that memey. It may not be, listeners.

So it's the leopard, the party of people, leopards eating people's face. You didn't think that consequence was gonna come around and bite you in the butt.

Oh, I see.

It's not good to dox, and you thought if you doxed for good reasons, it'd be okay, but you know, suddenly Twitter's like, you can't dox anybody. Leopards eating your face. Okay.

Okay, okay, okay, I understand. I understand.

Sorry.

So anyway, so they, I think I understand. Kroll, you can explain it to me later. So anyway, after this happened, one of Pancake3's followers, they said, you know, oh, look, if Twitter keep on suspending your account, why don't you go and create a newsletter on Substack? You know, maybe you can even monetize it at some point in the future. They can publish what you like about the hackers up there. Twitter can't stop you. You can just link to the page on Substack maybe. And so they started doing that and they created a newsletter called Who's Behind the Keyboard. Posting details of ransomware affiliates, initial access brokers. They named two of the— do you remember in January, the Russians arrested some of the REvil ransomware gang and everyone was a bit surprised by that because Russia historically had never really cared that much about stopping ransomware gangs. And then there was a thought, well, maybe they want the hackers on their side before they go and invade Ukraine, perhaps. But anyway, so this chap, I don't know if he's a chap, Pancake3, whatever their gender may be, they posted some of the identities of these people in the REvil ransomware gang.

Pancake3, yeah.

Anyway, Pancake3 or Pancake, I don't know. They haven't revealed their own identity for perhaps obvious reasons.

Along with their address, their postcode?

Yeah.

So all of this information, once again.

And they're sure this information is really real? It's not just sort of, you know—

But they've made it their mission to out hackers. And it's got them into something of a pickle. Well, they think it is. They've done their analysis online. They've done some open-source intelligence. They've checked out social media accounts. Pancake3, who has a Twitter account called Pancake3Stack. They found pictures of people hanging out in front of nice cars and smiling in front of a camera. Therefore, they must be a hacker. And they post the information. Now that, perhaps unsurprisingly, as soon as that got reported in the media, Substack shut the newsletter down as well. So you won't be able to find the "Who's Behind the Keyboard" newsletter anymore. It's been a nuisance, really.

We're talking about all these things that nobody can go and check out. This stuff once existed, you can't see it. Just believe us on this, okay.

But did Julian Assange in his WikiLeaks heyday, did he, he did this? He published identities, community of people. And there was a lot of information that was very personal that was getting out by his way.

But Julian Assange was running his own website, wasn't he? He was running his own website and presumably had some sort of bulletproof hosting, and he didn't have people who were able to easily shut it down, or he had sympathetic web hosts. And so off he could go.

Yeah. And it's really worked out for him. I know, but you know, if you're a serious investigative journalist and you launch this huge article, you don't kind of go, and the guy lives at 265 Smith Street.

Why not?

Because they will probably get attacked or vilified, or it puts them in danger. It's irresponsible.

Is that in the public interest to know that information? That's the question, right?

Well, it might put the shit up the bad guys, might scare the willies out of them.

That's where it is, Graham.

No sense in hiding. Yes, okay, that's true. But it might—

It doesn't go the other way, as far as I know.

It might scare them. It might scare them and think, oh crumbs, maybe I should stop infecting hospitals and endangering lives. Or move house. Yes, and someone else live here.

Or stop being a piece of shit criminal. I don't know.

Yeah, exactly. So they're thinking, well, maybe we'll take the gloves off. I don't know. According to Pancake3, people don't really like their real-life identity being posted on the internet, especially criminals. He said to reporters, "Uncovering the person behind the keyboard, the person responsible for crimes, is my ultimate goal. I feel like too many of these people think they're invisible or invincible, but they're not." So, my question to you is, is doxxing really helpful to the authorities? Does it really help them? Or might it actually give the criminals a heads-up? Because if you were investigating someone, if you did believe that you'd get some assistance from the local law enforcement, then maybe you don't want someone sounding off and naming names and addresses because it may cause them to flee or think, you know, I'll destroy some evidence.

You kind of intimated at the beginning of your story that Pancake or Pancake3 went to the authorities and didn't get a good response. Is that the fact in this, or—

I don't know if that is the case, but certainly I have heard that said by security researchers in the past. They feel very frustrated.

Sure, but we don't know if that applies to this case, right?

So anything actually happened as a result of this?

Well, also, it's also glad-handing, right? So if I decided to bring this information to the authorities and I got an automated response saying, thank you for your submission, and then nothing.

We'll get to it, never. Yeah, right.

I would not be— Item in checkout. Yes.

I wouldn't, I would feel, yeah, I feel shortchanged. I'd feel like, look, I've done something big and I need a bit of a pat on the you know, pat on the back or, you know, give me some information or something.

But it doesn't actually help anything. Like it might make you feel good, but it actually doesn't. Yeah, it means I won't go on Twitter frustrated that no one's listening. Yeah.

But you've got to be careful. Okay, imagine that maybe I'm being a crazy conspiracist like you, Carole. But if I were a cyber criminal worried that the authorities might be on my tail and I knew that if I gave the authorities some information, they would begin to give me a heads up, say, oh yeah, we're getting really close to him. We're going to raid his house now. Next Wednesday, I might actually submit some information about my gang. So, oh yeah, yeah, he's having a fantastic time now. It's really, really going terribly well for him.

No, I'm not— I'm not suggesting in order to find out what they're doing. Okay, I just think you would say, come in for an interview, let's hear everything you have to say, thank you very much, we're taking this very, very seriously, we'll be in touch in 3 to 6 months, watch this space, right?

Fantastic. So Pancake3, or pancake if you prefer, I prefer to think of Pancake3.

But that doesn't happen, is my point, right? So that's why—

They believe that posting the information can help point the authorities in the right direction. And they say that it's appealing to name names, even if the authorities in the hacker's home country, Russia, don't do anything about it.

Yeah, because this stuff can take years, right?

Yes.

Yeah, it can take years.

It may be though that Pancake never went down this route and decided to go, these guys piss me off, I have some information, let's share it with the world and see what happens.

And potentially they could have got it wrong and be sending people in the wrong direction, as you've said, you know, that an innocent person could be victimized.

Yeah, that— does that ever happen with doxxing? Never. Never. That never happens with doxxing. Never have I heard of such a thing.

The other problem here is that Pancake might get doxxed in return because he's not messing with— well.

This is a very interesting thing, Rob, because some of the cybercriminals have started responding to Pancake3, Pancake, and saying, we're not very happy with what you did, and you better watch out because unless you delete the information you've published, we're going to go after your family and friends, and we have the resources to find out who you are and make your life very difficult. And apparently Pancake3 has deleted some of his past posts.

And no one has got it. No one's copied and pasted that info anywhere. Of course not.

There's no paste bin hanging around with that info.

Generally, I think you don't really want the amateurs publicly naming and shaming people, do you? Because it can go badly wrong, as we've all seen 100 million times before. It's generally best left to the authorities.

I don't think anyone should shame, right? Who's anyone to shame? But anyway.

Shame can be useful sometimes.

Shame.

Shame.

Shame. Shame. Pancake3, not the first person to dox criminals in 2017. And since 2017, a mysterious personal group known as the Intrusion Truth has been exposing the real identities of people behind Chinese hacking operations, hacks that have stolen intellectual property from Western businesses and scientific institutions. And one of their most notorious pieces of doxxing occurred after the US Department of Justice indicted someone — the US Department of Justice, they didn't publish the person's name. They just said MSS Officer 1, but Intrusion Truth believed it to be an individual called Ren Yuntao. And after they announced that, someone created a Twitter account under the name Ren Yuntao, and they sent a tweet to the security researchers trying to find them and identify them. And what they sent them was an image of Lionel Richie.

Singing, "Hello." "Is it me you're looking for?" Exactly. "I can see it in your eyes." Never misses.

Never misses. "I can see your smile."

Maria, what's your

Okay, I'm really excited by this one.

Yeah, it's going to be a little dark. I'm going to warn you, this is going to be a little dark — just brace yourself, okay? So I don't know if you've heard of this popular website.

story for us this week?

It's called Pornhub. Have you heard of it?

I heard of it, never seen it.

I find it very strange because I've never found the hubs of vehicles that sexually alluring, so I've never been tempted. It sounds like a niche fetish site for autoeroticists.

Yeah.

Pornhub Cats. Okay. Yeah. Well, there's this one for humans. It's called Pornhub. And I don't know if you're aware, but it relies on user-generated content, a.k.a. stuff that people — videos that people upload themselves. They don't use actors or whatever. It's just people upload stuff to it. So as with many user-generated content sites like YouTube or pick anything on the internet nowadays, they don't slash can't really moderate or monitor what's being uploaded.

Yeah.

And in a revelation that probably surprises nobody, there are a lot of abuse videos being hosted on Pornhub and similar websites, including of children. Sorry, I told you this was gonna get a little dark. And many of these porn hosting websites, they're very adamant that they are zero tolerance for any kind of abuse content and that they've done all they can to put a stop to it. But alas, the problem continues. So we're going to go back in time for a second to 2014. There's a reason for this.

Yeah.

Sad flashback.

Oh, God.

Yeah. Sorry. As I told you, this is going to get a little dark, but then I'm going somewhere with this. Just hang on. In 2014, a video of a 13-year-old was uploaded to the site. And I'm going to be very general because I don't want to make everybody super sad. This video, she had a really hard time getting removed from Pornhub. She actually, after weeks of trying, ended up pretending to be her own mother in contacting Pornhub to be like, hey, this is exploitation material, it needs to be taken down. Jesus.

You would expect a website like Pornhub, if they're told something is of someone who's clearly underage, that they'd be right onto that because I mean, they are a big commercial business.

Yeah, just take it down first and then review it instead of being like, we'll get back to you.

Yeah. Or simply if anyone says something is illegal, yep, we'll delete it immediately because it's not like they haven't got 100 million other videos they can make money from.

True, sure.

But then you also get into the waters of someone trying to effectively dock someone else's Pornhub career by saying there's lots of stuff there, and if it's just automatically deleted—

Well, yeah, maybe not automatic, but you would expect them to be quite quick to deal with that.

I want to talk about a lawsuit that, Pretty quickly, yeah. So it took a couple weeks for this young person's terrible video to come down, but not before it had nearly 3.2 million views. some slight hyperbole, but maybe not really, could So fast forward years later, as you might imagine, the victim has gone through hell because of this. She's gone through unimaginable pain. actually change the internet. And all the while, while that video was online, the parent company of Pornhub, which is Montreal-based MindGeek, was making money from the ads it was serving against that video. So the victim has sued not only MindGeek but also the payment card processors, in this case Visa, saying that they've all made money from child abuse videos.

That's an interesting approach.

Yes, because suing the parent company is one thing, but the payment processor— that's the part where I was like, that is interesting. So I should note, this is an important little additional note. In 2020, a huge investigative story by the New York Times came out about Pornhub and how it doesn't do nearly enough to stop abuse content. And right after that story came out, I want to say it was December 2020, both Visa and MasterCard immediately cut off Pornhub. And suddenly MindGeek pulled about 80% of its content.

I do remember that. Okay.

Yeah, yeah, yeah. But can I just say, 80% of its content gone almost overnight?

Which makes you just go, uh-oh, because obviously they just pulled everything that they weren't sure of.

80% though.

Yeah, so I'm sure they've still got enough to keep people occupied.

So are we clear on how MindGeek is making money off this stuff? They're serving ads, so this stuff is all free, but they have ads against it.

It's the same as a YouTube video, for instance, right? You watch a video, you've got ads that are plugged in there. The uploader has no control on what ads those are, but they get a cut, and so does the provider.

Is it that the people advertising are using Visa and MasterCard to pay Pornhub for their ads? Because I imagine the regular users, if we call it that, of Pornhub, they're not entering their credit card details, are they?

Of course they are.

Really?

What do you think they're putting in?

What, are they giving them cash on the table, meaning cafes?

I think most of it's free, isn't it? Isn't that the way the internet works?

Right, so yeah, there's ads that are making money, and those ads are then, yeah, the—

So that's where the payment is coming from. It's not coming from viewers, it's coming from the advertisers.

I wouldn't be surprised, and maybe some of our more sophisticated listeners, there's probably some sort of premium thing people can buy. Of course there is. But, you know.

I'm just feigning ignorance. Obviously I know all about gold and platinum accounts and the rest of it. Okay, well there you go.

Listeners, now you know, in case you didn't know. But yeah, it's mostly ads.

Hope that fooled everyone.

Yeah. So when this lawsuit came up, the one against both MindGeek and Visa, Visa immediately sought to be dismissed from the— just leave us out of this. They said surely they're not responsible for that abuse content, and that by merely being the payment card processor, they haven't conspired to support this awful stuff. Obviously they don't want to support anything terrible like that.

We didn't know. We could have— we know, we thought it was just legit stuff.

Yeah, yeah. And, you know, zero tolerance, and also surely you can't be asking us to police every single little thing that all of our merchants do. That would be impossible. And Visa said that any decision that allows them to be sued in this case would possibly change the payments industry as we know it, because it would be almost impossible for them to do their job if they're also required to police all the content that the merchants are trying to sell online.

No, but it's really interesting because how much cash are they making from illegal transactions? Is effectively the question, right?

Well, they're saying none, obviously.

And they're saying, we don't know, we don't know, we don't know.

And obviously if we knew it was illegal, we wouldn't be supporting it. Yeah, right.

But we choose not to know. We're not doing anything to find out. In fact, we argue the fact that you even think we ought to.

Yeah. So just this week, just a few days ago actually, the judge in this case— and it's being tried in California— the judge disagreed with Visa and said that Visa can indeed be sued because they credibly knew that MindGeek websites were likely hosting abuse videos and yet continued to allow MindGeek to use them as a payments processor, or in other words, make money.

Yeah.

So here's a little quote from the judge. I'll read that in my best judgey voice. "Visa lent to MindGeek a much-needed tool, its payment network, with the alleged knowledge that there was a wealth of monetized child porn on MindGeek's websites. It knowingly provided the tool used to complete the crime." And one of the data points that the judge actually mentioned was that 2020 article when it came out. It said that basically since Visa immediately cut ties once there was some publicity shined on it, then they probably knew a lot more than they were letting on.

So yeah, so organizations that fight human trafficking and child abuse online, this is a big win for them. They've been wanting to do this for a long time. This is a great thing. And the reason I'm— I don't think this is that much hyperbole is that this could have huge repercussions for not just pornography, but how liable are the payments processors for being used in any illegal activity? And how closely are they going to be looking at their merchants from now on for anything that could be possibly skirting the line?

Well, yeah, I mean, I've never thought about this before, but it makes sense that these— you know, card payments, whilst, you know, obviously there's bitcoin and stuff going on as well, I'm sure is used massively for all kinds of crap.

Yeah. And there's still— let me just be clear, this judgment says that Visa can be sued. They haven't been successfully sued yet, so there hasn't been— so who knows, who knows what could happen here. But if this goes through and Visa actually is— there's punitive charges against Visa that go through, I mean, we could start seeing things being really cut off online in terms of what kind of stuff is okay to be paid for with credit card and what isn't. I mean, I think you've covered this before, Carole, about sex workers online having a hard time and stuff. Maybe I'm imagining this. Yeah, yeah. And they've been saying for years they're consenting adults, you know, everything is above the board, and they can't get— they can't find a home online for their kind of stuff. And I'm not thinking it's just things like that. It could be a whole swath of stuff that could be affected by this. So, yeah, I'm fascinated by this and would be very curious to see where it goes.

Likely to keep the lawyers busy for years and years, I would think, before— you can imagine lots of appeals and counter appeals.

We have to remember this was the 13-year-old girl that was exploited who's bringing this forward, right, as well. It's not just some guy. She's only about 20 now. Yeah, she's older. But yeah, but still, you know, she's coming at it from that angle.

And I believe she's one of 34 plaintiffs, to be clear. So she's not the only one. Wow. Yeah. And of course 34 is probably a drop in the bucket. So again, anything to slow down child abuse online is great.

Someone at Visa and MasterCard are loosening their ties right now.

Yeah, yeah. Smiggle.

Carole, what you got for us this week?

Okay, we're starting with a scene, okay? Now you both have roles. Graham, your role comes in first. So you work in a convenience store in the UK, like maybe your local co-op, right? Maybe actually you could describe what a co-op is for Maria and, you know, listeners outside the UK, actually.

Oh, a co-op is a supermarket, fairly sort of cheap and cheerful sort of supermarket.

Small.

Often quite small. That's right. Yeah. Not America. Oh my goodness, I've been to American supermarkets. It's going to a whole different country, isn't it? You've got different time zones in some of them. It's something bonkers.

Yeah, exactly.

It's just everything's stacked. It's you can buy 900 toilet rolls at once. It's just—

We do our choices, it's true.

Yeah, we don't have that sort of insanity. But yeah, no.

It's the place I tend to go to, 'cause they're open late often, right? So it's the place where, you know, at 9 o'clock you're about to make your last cup of tea of the evening. You have no milk. You're, "I'll just dash to the Co-op, get myself my milk." Or I'll get cereal in the morning.

We have co-ops here. They're very different from what you're describing. So co-ops here are usually very small, locally run, often farmer market type things.

Yeah. A cooperative. Yes.

Yeah, yeah, yeah, yeah. So, okay. We have those too, but yeah.

The origins of the co-op are similar to that, but yes. Okay.

Yeah. And it's grown up over the years and become a kind of a business. Anyway, Graham, you have the night shift. At the co-op, right?

Yes.

You're on your own and, you know, there's a few customers. You're ringing up a few purchases, you're stocking some shelves, you know, playing on your phone a bit. And then Maria, you, Maria, swaggers in.

I swagger in.

Yeah. You're wearing all black Lycra, right?

Oh, goodness.

She's pointing something from her pocket, her hands in her pocket, and she's pointing something and it looks sharp. And she says, "Listen carefully. Give me all the money in the till, plus an egg and cress sandwich." I love an egg and cress sandwich.

"I'm really hungry. I just rode 70 miles. I'm so hungry."

"Do it now, and there's no need to get stabbed." She's kind of pointing at the pokey thing in her pocket. Okay, so what do you do?

So, I'm worried it could be a gun. Which country are we in here? Are we in the UK?

You're in the UK. The co-op. You're in your local co-op.

So it's a knife. Okay.

It's not gonna be a gun, no. It's probably a—

A sharp pencil.

A sharp pencil or something. Yes, a sharp pencil or something that. A loaded finger, maybe.

Something that I've whittled down into a point, yes.

Yes.

Yeah.

Okay, so, well, you know, I'll tell you, what do you— Well, you can have an egg and cress sandwich. That's fine. You can go to the checkout and self-checkout if you—

And she wants all the money in the till?

All the money in the till. Well, okay, we've got £12.93, 'cause it is the night shift. We haven't got very much in there.

People pay by cards these days.

Exactly.

Yeah, exactly. Cashless society. I'm terribly sorry. I mean, we— But yes, I'd be nice. Is she a bit sexy? I mean, I know Maria is, but you sort of said that she's a bit va-va-voom, sort of all dressed in black.

You're worried for your life because of the pointy pencil, and you're worried about va-va-voomness.

I think my Pornhub story has kind of influenced how this is going. I know!

It's just something. I've just come to check out your tail. Let's see how it works.

Cutscene.

So uncomfortable right now.

I know. Why did you do this, Carole?

I'm talking about a freaking burglary in a convenience store. Okay? I did not add a layer of love.

Stranger things have happened.

Okay, okay. Let's say one more. Maria comes in. Okay? This time she's with her badass gang of miscreants.

No, no. I don't want anything with a group.

A bunch of 5-year-olds. Yes.

They call themselves the Woodlice because they can get in anywhere.

What?

They've got themselves a wig light.

They might be able to get in anywhere, but if you turn them on their backs, they're useless. They just curl up. Is this the Sharks and the Jets?

Listen, my name's Maria, okay? Maria. It's gonna happen.

Okay, so, alright, so they've come in as a gang. They're clicking their fingers, right? They're choreographed.

They're amazing ballet dancers. I don't know how that happens.

And this gang, right? They're walking down an aisle and they're tossing things on the floor. Bang goes, you know, the Patak's sauces. Bang goes the Branston pickle, right? And they're just acting big toughies. Okay? What do you do? You're working there all on your own.

I'm now petrified 'cause there's a group of them and they're gonna do their ballet moves on me. They're gonna do some modern ballet.

We're gonna start throwing you in the air and making you twirl.

Yes.

They're gonna do some Bernstein at me. So I'm you know, look, you're in trouble. Group. Please take whatever you want, just leave me alone.

Leave me alone. Get out. I'm closing my eyes.

This is no longer sexy, right? I brought it home.

I made it real. Yeah, well, I know we've talked about this once before, but violence and abuse towards shopkeepers and staff remain on the rise in the UK. Numbers are not great. So the House of Commons report published in June 2021 opens with this introduction: The last 5 years has seen a shocking rise in attacks on retail workers. The Association of Convenience Stores, the ACS, found that 89% of individuals working in local shops had experienced some form of abuse. Yeah, yeah, 89%.

Surprised me.

It's horrible.

Yeah, really surprised me at all.

No, that's 9 out of 10.

People are vile. I mean, that's obviously— it's not all going to be robberies and things, but yeah, people are rude and abusive, especially the past few years.

I don't know if that's happening in the UK, but over here it's been, I went to a Burger King for the first time in decades a couple weeks ago because I was on the road, and there was a sign at the cashier that they had clearly printed up themselves saying, you know, we're trying to do the best we can, we're really short-staffed, please do not yell at us, or something that.

Yeah.

God, that was necessary, that they had to print that. It's just so depressing. So no, it doesn't surprise me at all.

And another report, this British retail group, they name the three primary triggers that cause this violent or abusive behavior. And it's basically encountering theft, so someone trying to steal from them. Age-restricted sales, so people, gangs of kids trying to get alcohol and intimidating the shopkeeper into giving it even though they're underage and can't prove that they're above age.

I quite like getting ID checked. I was ID checked.

Does that happen often, Stilgrim?

Not often, because I don't often buy alcohol because I don't drink. But—

You feel that people think you're under 18?

Well, I didn't understand the question, but yeah, it has happened occasionally, yes.

Right.

People have thought that I— Well, or at least they've made me produce some sort of evidence.

We all believe you. And the third is intoxicating.

Maybe they're just flattering me. Maybe it's just part of the charm offensive by a shop.

Oh, we got to do this for this guy.

Otherwise, he gets all sad.

Exactly.

He looks a bit sad and lonely. Let's just do an age check on him.

Make him feel better. Yeah.

Okay. And the third, so we have encountering theft, age-restricted sales, and then it's intoxicated persons, right? So people coming in pissed up to the gills, causing issues. Dear me. According to the ACS, Association of Convenience Stores, there's been major investments in three areas. Can you guess what the three things they might put in to try and stop this kind of behavior?

Here. Most cameras.

Yep.

Some sort of physical division separating the worker from the customer.

Yes, that is in some places. It's a perspex glass. I'm not— you know, a sheet. I'm not sure. Yeah, there's intruder alarms. So of course a lot of these thefts can happen after hours when there's not staff in there.

Alligators.

Yes, or security staff.

Oh, obviously. Yes, alligators. Yes.

But some convenience stores are taking a new approach, and the privacy advocates at Big Brother's Privacy Campaign Group are not happy. And it centers around the Co-op, the chain you've just been describing, Graham. Now, the problem seems to be, according to the BBC, that the Co-op is using facial identification systems called FaceWatch. Now, FaceWatch is not Clearview AI, where it scans the face of everyone that walks in with the aim of identifying everyone against, you know, this big scraped database of all of us, billions against people, nor is it taking snaps and comparing it against convicted criminals or people, robbers or known burglars and robbers that have been convicted of crimes.

Can I guess what it's doing?

Yes. Yes, you can.

Is it using some artificial intelligence to analyze whether your eyes might be too close together or whether your eyebrows are too bushy or you look a bit— you're wearing a loud t-shirt?

What's wrong with bushy eyebrows?

Well, I've got bushy eyebrows, but I'm doing the problem.

Well, no, it's a little different than that. So it's interesting. So I want you to think about, is this a good thing or a bad thing? Okay, so what they've done is they take a snap of everyone that walks into the store and then they match the identity against a select list of people that are known to the Co-op as a person who has stolen from its shops or been violent. A spokesperson told the BBC it's a list of people for which the business had evidence of criminal or antisocial behaviour.

Ooh, okay.

Is that a bad thing? I mean, pubs and things, they might have a list of people, "You're banned. You can't come back here in the Queen Vic." You know, they might have a list of people who aren't allowed to come over the threshold. Surely Co-op can say, "Well, I'm afraid you appear to be on our list of wronguns." So you may not be—

But they're taking a picture of every single person that goes in, but arguably you might say that's what CCTV does as well.

Yeah, yeah.

Although is that all right? I don't know. Oh my goodness, even now I'm sort of saying, yeah, yeah. It's because this slippery slope of us thinking that's acceptable all the time.

But— Yeah, do these people have social credits that we— I mean, where—

Yeah, it's interesting. So, you know, if Maria had entered your make-believe Co-op, you know, the system would've taken a pic of her, and then the system would've alerted you that you were dealing with someone who had caused problems before.

I'd have saved it to my special folder.

Don't be gross, sir.

What?

You're the shop guy. You're the shop guy. I'm the shop guy, yes. And you know that Maria's in the shop, and you know that she's a badass. You know that you don't want her there. You then have to go up—

Wait, if I'm a badass, why do you not want me there?

Because you're gonna ruin all the Branston pickle jars, right? And so, you're then, Graham, to go up to her and say, "Can I help you?" In a way to alert that you're aware of her presence in the shop. So, you're putting yourself in danger. So, I'm not sure how this helps individuals.

I'm coming out from behind the perspex screen, unless I have a tannoy, and say, "Would the Greek-looking girl in aisle 4 please know that—" With the sharp thing in your hand.

"I'm available for—" And how long do they keep all the pictures for of people? Do they just dump them right away? What if their database— is their database shared amongst many Co-op places, right? Or is it just for that particular shop? So is there a central database? Is it protected?

A lot of questions. Do you have the answers to these questions?

No. No, I do not.

Gigamon is the leading deep observability company. It offers a deep observability pipeline that harnesses actionable network-level intelligence to amplify the power of observability tools, enabling companies to conquer blind spots and overcome the threat of today's sophisticated ransomware attacks. Gigamon's latest report into the state of ransomware reveals how insider threats are evolving, what impact cyber insurance and blame culture are having on the cybersecurity industry, and why deep observability is the new frontier for tackling the ransomware crisis. So what are you waiting for? Download the report today at www.gigamon.com/smashing. That's www.gigamon.com/smashing. And thanks to Gigamon for supporting the show.

Bitwarden is an open-source, cross-platform password manager trusted by used by millions of individuals, teams, and organizations worldwide for secure password storage and sharing. Not only does Bitwarden offer enterprise-grade security, conducting regular third-party security audits, and is compliant with Privacy Shield, HIPAA, GDPR, CCPA, SOC 2, and SOC 3 security standards. This is pretty slick stuff. You can get started with a free trial of a Teams or Enterprise plan bitwarden.com/smashing. That's bitwarden.com/smashing. Or you can try it free across devices as an individual user. That's bitwarden.com/smashing. And massive thank you to Bitwarden for sponsoring the show.

Cameras, ones that don't have a potato for resolution. Yes.

And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.

Pick of the

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily. Better not be. Well, my Pick of the Week this week is not security-related. It's a bit sad. Oh, fun. Great. But also, I mean, it's, you know, well, no, it's a Pick of the Week in honor of an amazing life and an amazing entertainer, because I am going to spend a couple of minutes just praising the tremendous, the fabulous, and the sadly now deceased Bernard Cribbins. Bernard Cribbins was an actor. He was in movies with Peter Sellers in the '60s.

Week. Pick of the Week.

He was in some of the Carry On movies. He used to be a singer. You had a famous song called 'Right Said Fred' back in the day, not to be confused with 'I'm Too Sexy' and the terrible things that happened with that duo. But anyway, we won't go into that. He was in The Railway Children, a terrific drama set in— was it Edwardian times?— of Jenny Agatha. Which was a mainstay of British childhood. Anyway, I loved it. And he was the voice of the Wombles. Ah! And if you are a fan of Fawlty Towers, and you remember the episode of the hotel inspectors, he had the tricky job, but he achieved it magnificently, of actually upstaging John Cleese. He played a guest who actually sold spoons. Oh my gosh.

Okay, didn't realize that was him. Yeah, me neither. Oh my gosh. That was Bernard Cribbins.

Wow, okay. More recently, if you are a genre fan of things like Doctor Who, you may remember that he played the character of Wilf.

That's how I know him the most.

The father of Donna Noble. And way back in the '60s, he was actually in a Doctor Who movie where it was the Daleks' invasion of Earth. Earth, 2150 AD. Bernard Cribbins. Okay, I've reeled off a whole load of things, but to be honest, anyone over the age of 30, definitely in Britain, knows who Bernard Cribbins is. And he was magnificent. He was lovely. He was charming. He did kids' TV programs. He did— used to do this show called Jackanory where he'd read stories. I think he actually did more of them than anybody else. He was really prolific on that front. And he died at the age of 93, just a few days ago.

That's a pretty good run, though. Come on. A good run, absolutely. But he was a charming fellow.

David Warner was, yes, incredible. Yes, he was.

Yep. He was the chap who— was it, "How many lights are there?" or something?

Yes, yes. My favorite thing about him in that episode, the "There Are Four Lights" episode, is apparently he got the script a day or two before that episode. He didn't know— he basically just was reading off of cue cards for that entire episode, and he still killed it playing against Patrick Stewart. I mean, how amazing are those two episodes?

They're just fantastic. So, I'm remembering both Bernard Cribbins and David Warner. I couldn't decide between them. I'll include some links in the show notes where you can read about both of them and the tremendous work which they did. And two great British institutions who've had an impact on the world and in the world of science fiction as well. So that is my pick of the week. Let's remember and raise a glass to Bernard Cribbins and David Warner.

Amen to that. Mm-hmm.

Maria, what's your pick of the week?

So my pick of the week is space-related. It's called Webb Compare. Have you heard of this little thing called the James Webb Space Telescope?

Tell us about it, Maria. What do you know about it?

Well, it's this awesome telescope about a million miles from Earth, and it's taking some of the deepest— actually, the deepest photos of space that have ever been taken. So they're incredible. Yeah, they are absolutely amazing. If you don't care a lick about space, it's basically we're going back to look at the beginning of time and space itself with some of these photos. They're absolutely insane and unbelievable.

You look at them and you think, nah, come on, come on.

You think it's a piece of art, don't you? Really? Yeah, yeah.

No, it's all real data. So if you don't know anything about space stuff and you're just, well, what is the big deal about this new telescope? Why was it in the news a few weeks ago? Who cares? Go to webbcompare.com. Webb Compare. Webb has two Bs. And it does— you can swipe through, see what the Hubble Telescope photos were back in the '90s, and then swipe and you can see what Webb is showing us. And this is a project by John Christensen. This was his little pet project. It's amazing what he did. Some of y'all might know I was actually at NASA a couple weeks ago. I was there when we saw—

You were?

I was there. I got to go to be at NASA Goddard Center. I was in the room. It was one of the best experiences of my life. And when I was in the room when a lot of the NASA scientists saw these images for the first time as well, and to hear them go, wow, and then, oh, that's a galaxy, that's a galaxy. These images are beautiful, but they're also real data. And we're seeing all sorts of stuff that we didn't know was there before. And this website, Webb Compare, if you don't care anything about space, you just want to look at pretty pictures, that's the one to go to. It's just fantastic. It is brilliant.

Maria, it's amazing that you actually got to be there as well at this extraordinary moment in history, really, as to what we're seeing. Was it because you've been a guest on the Smashing Security podcast that you managed to get an invite? Is that how it happened?

I did drop a few names and they said, we love the show. So, you know, they rolled out the red carpet for me. Yeah, it was an amazing experience. And the Webb Telescope is an international effort and it's just amazing to see what humanity can achieve when we all work together.

So yeah, fantastic.

I've just had a look at the website and the images are quite astonishing.

And there's actually a new image that was dropped an hour ago of something called the Cartwheel Nebula. So that might be added to this website anytime soon, by the time— maybe by the time this episode comes out. So more new gorgeous images coming out, and they all just are going to blow your mind.

Yeah, no, it's absolutely amazing. Definitely worth a look, amazing.

Yeah, Carole, what's your pick of the week, the last pick of the week before we take our summer break?

Yes, well, my pick of the week this week is Maria, our Maria. She did not mention it yet, but she is about to do the Pan Mass Challenge, a 2-day, 200-mile bike ride, all in aid of fighting cancer, particularly those that affect children. And this is all for the Dana-Farber Institute. Over to you, Maria, tell us about it. Oh, thank you, Carole.

This Pan Mass Challenge is a big bike ride, but it's a fundraiser, really. And 100% of everything I fundraise goes towards cancer research. So the Dana-Farber Cancer Institute does a lot of its research, not just for pediatric cancers, but also for really rare cancers. So a lot of the cancers that are very deadly that maybe don't get as much attention, this is what they're studying. And the Pan Mass Challenge has raised over half a billion dollars.

Fundraiser in the United States, and it is also one of the most successful in the world in terms of how much money it has raised.

And largest in the United States of any charity?

A fundraiser, not charity, a fundraiser. So yeah, that's astonishing.

My goodness, it's huge.

And it's sad because I know many people who have been riding this for decades, and the hope was that it wouldn't be necessary anymore. Because that's really the hope, is that we don't have to keep doing this to raise money. But as long as it's needed and as long as these funds help, and it does— this raises, I think, 60% of the Dana-Farber Cancer Institute's yearly budget. So it's a massive, massive amount of money.

Because it was founded way

There's a whole page on the PMC website where you can see just exactly what cancer research has been funded by the PMC and what a real difference it has made.

back in 1980. It's an amazing cause, and you are trying to fundraise for it, which is amazing. Now we did talk about this on a previous show, and many Smashing listeners got involved and donated money, and you are so close to your goal. In 1980, yeah, it's the largest. So how much left do you have?

I would love to get $600 more, and I have to give a huge thank you to Smashing Security listeners because after the last time we mentioned it, I can say this very, very confidently, I raised most of my money from Smashing Security listeners. Wow, you guys! And it was like, it's not that people were necessarily giving humongous amounts of money, it was a lot of small donations, but it really adds up. So that's really— I'm so grateful.

And there's probably a few of them out there that heard the last episode and were like, oh, I've got to do this but then the kids started barking or something, as they do. And you know, you just couldn't, you know, and you just forgot about it because there's 8 billion other things you gotta worry about. So if you're listening to the show and you're thinking, yeah, yeah, I like Maria, I gotta do this, and you know, you should help her get to her goal because 200 miles.

Yeah, so what's the link? What's the link if we want to donate, Maria?

The link is bit.ly/MariaPMC, all lowercase. You can also go to pmc.org and look for Maria Varmazis. You can search for a ride, or you can find me that way too. But yeah, I have until October 1st to raise funds, even though the ride is August 6th and 7th. They give us a little time after the ride to continue to raise money. So if you're hearing this and you're like, oh, she's done the ride already, I'm still raising money. I would love to just get $600 more bucks to get me to my finish line.

Let's smash that goal, listeners!

That would be amazing. And I just— I'm so, so, so grateful to Sophos for letting me talk about this, and to our listeners who've been so generous. It means a lot to me.

Well, we support you guys. You know where to go. Say it one more time, Maria.

bit.ly/MariaPMC, all lowercase.

And you start your ride when?

August 6th at about 5:30 in the morning.

Okay, everyone pray for her. Everyone pray for Maria.

Please pray that the weather's good and that it's not too hot and there's no thunderstorms. I'll be watching. Smashing. Yeah, should be fun.

May your buttocks not be raw at the end of that. That's what Graham's worried about.

It's the least of my worries. Heat exhaustion is my big worry. Keep hydrated. Yeah, had to run in with that. Yeah, I had almost a faint of heat exhaustion two weeks ago on a training ride, so yeah.

Oh my goodness, people, listen to the woman. You've gotta support her. I'm killing myself. bit.ly/MariaPMC. Go on.

Boom! We love you. Yes. Goodness.

Well, good luck with your ride. And to everyone else participating in such a worthy cause. And that just about wraps up the podcast for this week. And until we return in early September, Maria, I'm sure lots of our listeners would love to follow you online, find out how you got on, on the race.

It's a ride, not a race.

Oh yes, yes.

I will be one of the slowest riders, to be clear. I'm not very fast.

What's the best way for folks to find out how you got on?

Yeah, follow me on Twitter @mvarmazis. M-V-A-R-M-A-Z-I-S. I'll try to live tweet as much as I can at my rest stops.

You can— yeah, don't crash, don't crash.

No, no, not while I'm riding, but there are rest stops, so I'll be like, hey, I'm alive, thumbs up!

And you can follow us on Twitter @SmashingSecurity, no G, Twitter and LastPass have G. And we also have a Smashing Security subreddit. And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Google Podcasts.

And a huge, huge shout out to this episode's sponsors, Bitdefender and Gigamon, and to our wonderful Patreon community. And to you too, listeners. It's thanks to all of you that this show is free. For episode show notes, sponsor information, guest list, and the entire back catalog of more than 284 episodes. You won't get bored. Check out smashingsecurity.com. Until next time, cheerio.

Bye-bye. Bye, see you soon.

Bye, and have a lovely holiday.

I have champagne in the fridge.

You've earned a nice break. Enjoy it.

I can't drink it till tomorrow, until the show is done though. Oh, you're so close. Fantastic. Maria, don't die.

I won't die. I've been training for it for 8 months now, so I'm pretty confident I can cross the finish line. Thank you. Yeah, it's gonna be the hardest thing I've ever physically done. So, well, just recall childbirth. It's different. I don't know, it feels different. There's different muscles being used. I mean,