What is slushygate and how does it link to sextortion in the States? What is the most impersonated brand when it comes to delivering phishing emails? And what the flip is nano-targeting?
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by fan favourite Maria Varmazis.
Warning: This podcast may contain nuts, adult themes, and rude language.
No contortionists were hurt during the making of this episode.
Episode links:
- Memorandum of sentencing of Bryan Wilson - United States District Court, Western District of Kentucky, at Louisville.
- Accurint for Law Enforcement - LexisNexis.
- LexisNexis illegally collected and sold people's personal data, lawsuit alleges - CBS News.
- Ex-cop abused police tool in Snapchat sextortion plot that stole sexually explicit photos and videos - Bitdefender.
- Congress should consider enhancing protections around scores used to rank consumers (PDF) - Government Accountability Office.
- Online Shoppers Beware: Scammers Most Likely to Impersonate DHL - Check Point.
- Why Am I Seeing That Political Ad? Check Your ‘Trump Resistance’ Score - New York Times.
- I Got Access to My Secret Consumer Score. Now You Can Get Yours, Too - New York Times.
- Mixed Idioms.
- Apollo Remastered.
- Cosmic Background.
- Death of an Artist - Pushkin podcasts.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Kolide – the SaaS app that sends employees important, timely, and relevant security recommendations concerning their Mac, Windows, and Linux devices, right inside Slack.
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
- Sealit - Zero Trust Data Protection: protect, share, and monitor confidential emails and files - without passwords. Integrated with Gmail, Outlook, and file systems. Learn more and take advantage of Sealit's special offer to "Smashing Security" listeners.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Privacy & Opt-Out: https://redcircle.com/privacy
Transcript +
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. All right, Carole, these weren't brand new recruits.
CAROLE THERIAULT. Yeah, no, Maria, calm down. Everybody calm down. Jesus Christ, okay, yeah, calm the f*** down. What is going on this week? Well, Maria and I are having a great time.
GRAHAM. Smashing Security, episode 295. Slushy Gate, Sextortion and Nano Targeting with Carole Theriault and Graham Cluley. Hello, hello and welcome to Smashing Security, episode 295. My name's Graham Cluley.
CAROLE. 295. I'm Carole Theriault. And Carole, we've got a special guest. Someone returns the show this week. It is...
MARIA VARMAZIS. Maria Varmazis. Hi. Hi, everyone.
GRAHAM. Hi, Maria. Space correspondent on the Cyber Wire, of course, but I like to think that we discovered you. You didn't exist before you came on the Smashing Security podcast. Would that be fair to say?
MARIA. I was but a fetus. I was just a little fetus in the podcast world. Yes. Well, I mean, yeah, actually, you did discover me. So thank you for that. That's not a lie. Well done, Greg. That's pretty true, actually. Yeah, I've started doing the working on the Cyber Wire, their space correspondent, which is really cool. And last week I got to speak to some students at Amherst College about cybersecurity. And the reason I was invited there was because of this show. So, because they've heard me on Smashing. So, if your ears were burning last week, I was talking about the two of you quite a bit and how much I love you both.
CAROLE. It galls me a little bit because I do a little work for the Cyber Wire. And I'm a UK correspondent, and she's in charge of the entire spatial universe.
GRAHAM. The infinity of space. All of space and time.
CAROLE. I'm in her vortex. I'm within her realm. She must be my leader.
MARIA. Yeah, they haven't made me the space and time correspondent yet, but I'm working on the time one.
GRAHAM. Only a matter of, well, time, I suppose.
MARIA. Meet me on Gallifrey.
CAROLE. Before we kick off, let's thank this week's sponsors, Bitwarden, Sealit and Kolide. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got? Well, I'm going to be getting slushy this week. Okay, and what about you, Maria? We're going to be talking about phishing. And I will be asking, what the flip is nano-targeting? All this and much more coming up on this episode of Smashing Security.
GRAHAM. Now, chums, have you ever been to Louisville in Kentucky? I have. Louisville, yes. Oh, is it Louisville, not Louisville? I am not a native of the area, but my understanding is it's preferred as Louisville, but that may be pretentious and I could be wrong. So, I don't know. It's so confusing because you get Meet Me in St. Louis. That's a different place. I know it's a different place, but I mean, what's going on? Anyway, in August 2018, something strange was happening in Louisville, Kentucky. It's known for Muhammad Ali, and it's the home of Kentucky Fried Chicken, of course.
CAROLE. KFC now, please. Thank you.
GRAHAM. But it was about to become notorious for something else, because people were calling up the cops. They were calling up the police and they had a complaint. They said, oh, I've been attacked in an unusual way. What? Attacked in an unusual way. In an unusual way. So let me explain what was going on. And for just over a year, from August 2018 onwards, two people were driving around Louisville, pretending to be Louisville Metro police officers. So they had all the gear. They were sort of disguised. They had the uniforms. They had the guns. They were not cops, presumably. They had... Carole, don't ruin the story. They had... That will get edited out. She anticipated your denouement. You're ruining my big reveal. They had all the gear. They had the uniforms. They had the guns. They had the donuts. They had the police radio. And they had beverages. Large beverages.
CAROLE. Is that a euphemism? Or are these big gulps? That sounds like a euphemism. So up and down. They have also mega gulps, just saying.
GRAHAM. Okay. You'd know. Up and down they would drive, looking for targets on the sidewalk or near the street. When they thought they'd identified someone, they'd pull out their police radios and they'd say, we've got 10-5, we've got a problem in Houston, the eagle has landed. Someone's thirsty on the sidewalk or we've got a thirsty fam situation. And do you know what they'd do then? They would throw their slushie, including the container, at the member of the public. What? Yeah, the drink would get thrown out of the car at these people. Sometimes it would actually be a car behind them. They may be in a convoy, right? So the first one goes, got someone thirsty on the street. And then the following car would actually throw out the slushy.
CAROLE. And I'm not allowed to ask you whether these guys are legitimate cops or not.
GRAHAM. It's a very good question. Who are these guys? Oh, right. Now I could ask. Who are these folks? Well, they're not driving marked police cars, but it may surprise you to discover that they were actually policemen. And what's more, they were policemen who were also filming the assaults on their phones and sharing it with their mates. So more than 40 of these videos existed of policemen, not young policemen.
CAROLE. So they were in their bona fide cop cars with their bona fide guns and bona fide...
But they were not in uniform. Were they wearing that... Yeah, were they wearing your uniform? But
GRAHAM. They were in their uniform and they had all the gear and they had their police radios and their guns and everything else that police people carry in the United States.
MARIA. Did they skip that day of training where they're not supposed to do that?
I don't know.
CAROLE. Look, and there's a worker shortage, right?
So maybe training's being skipped through really quick.
GRAHAM. There's also a level of research which one does when compiling a story for Smashing Security.
CAROLE. Whoa, speak for yourself.
Speak for yourself.
GRAHAM. Anyway, so they were filming these things and they were sharing them with their cop buddies as well.
And you might think of these would be... So they were being dicks.
CAROLE. Okay, I'm making sure I understand that these guys were doing this.
Can you tell me this? Because I don't know of your level of research. Were they doing this during work hours or was this just a bit of fun on the side?
MARIA. What was the weather like the days they were doing this?
What was the music on their car radio?
GRAHAM. All right, calm down.
These weren't brand new recruits. Maria, calm down.
MARIA. Everybody calm down, Jesus Christ.
Okay, yep. I'm just very excited. Calm the fuck down.
GRAHAM. What is going on this week?
Well, Maria and I are having a great time.
MARIA. Well, I'm having a blast.
GRAHAM. Now, you might think, oh, these must be new cops.
These have been new cops who've been given new guns and new cars and new orders about throwing slushies out of the car, people in the street.
CAROLE. That's not what I was thinking.
Just throw those drinks. It's part of your job now.
GRAHAM. But one of these policemen was 40 years old and had spent 20 years in the Air Force.
He'd done tours of duty in Iraq and Kyrgyzstan. I don't know if those are places where you throw out slushies at people or not. The other was in his mid-30s. So they were actual cops. And it turns out this isn't the kind of thing which the Louisville police in Kentucky think is a good way to...
CAROLE. Shut the front door.
I know. It's a surprise.
GRAHAM. It's a surprise because all they were doing was helping people.
CAROLE. People were dehydrated on the street and they were parched.
GRAHAM. And let's face it, accidents happen.
I remember doing cybersecurity conferences in the past. I remember being on the trade show floor, you know, where they have all the booths. And this was back in the day when we had actual hard boxes full of software containing multiple floppy disks, and they were pretty chunky kind of things. And I remember having a little competition with people in the audience, and there'd be someone, probably quite a few meters back, who'd put up their hand and answered a question. I would throw a box through the air and it would go into their eye, giving them a black eye. I figure, look, if you're going to come to a cyber security event, you're going to get hurt. Maybe if you're walking the street in Louisville and a police car comes by, expect a slushie in your gob. It may happen.
MARIA. Yeah, but usually when you get hurt at a cyber security conference, you've had too much to imbibe.
Or maybe your feet are tired from a lot of walking, something like that. Or Graham's curling rocks at you.
CAROLE. Yeah.
Imagine it'd be like a boomerang, a floppy disk.
GRAHAM. The thing is, I don't think you realize just quite how heavy these software boxes were.
Because when I worked at Dr. Solomon's, we basically produced something which looked like a hardback encyclopedia. Those things used to be quite big. It was hard. It had sharp edges. So it was quite hefty.
MARIA. Okay, how many disks were in that box, though?
How many?
GRAHAM. By the end, it was probably about half a dozen if we were on three and a half inch.
Anyway, listen, listen, listen, listen, listen. It turned out whoever's in charge of the cops in Louisville thought this was a bad thing. And so these cops were suspended for what they did. They were told you can't do that. We're going to have to investigate this.
CAROLE. Yes.
Oh, yes. Suspend them. Yes. With pay, of course.
GRAHAM. And they, well, they weren't allowed to be cops anymore.
They were told, no, no, you can't carry on doing this. You're going to have to leave and we'll investigate this, whether there's anything, any federal charges about throwing beverages at pedestrians out of the window.
CAROLE. Pretending to be cops.
GRAHAM. Well, they were cops.
They were cops. They weren't pretending to be cops. That's true. So in that way, they didn't commit a crime. Now, here's what you're probably wondering.
You've been wrong so far with all of the things I've been wondering. But anyway. If I've lost my job at the police force because I was helping people out with some slushies and filming things and squirting them in the face, what are you going to do with your time? Well, if you're one of these cops, 36-year-old Bryan Wilson, not to be confused with anybody else called Brian Wilson, he was involved in this slushygate incident, as the media called it. And he thought, oh, what can I do to fill up my time? He thought, I know what. I'll become a sextortionist.
MARIA. What?
I had this... Not contortionist. I was like, what he wants to do in his private time is none of my business.
CAROLE. See, I had my theory in my head was he was going to become a YouTube star doing this, you know, with fake cop stuff and make more money that way and say, I don't want to go back.
GRAHAM. Carole, I actually wondered if that was the reason why they did all of this, whether they wanted to be the coolest social media cops and go viral.
MARIA. Were they shouting Worldstar when they were throwing these things? Like, Worldstar!
GRAHAM. Wordstar? What, the old word processor? Oh, never mind. Yeah, just don't.
So this chap, Bryan Wilson, he became part of a plot to stalk and extort young women online. And he hired a hacker to break into people's Snapchat accounts and steal their naked photos and videos.
And now so far, so normal, right? People breaking into Snapchat, stealing videos of sexy, topless, whatever, videos of people.
MARIA. So to be clear, he's extorting people of sexual content. He is not doing sexual contortioning.
CAROLE. I misunderstood that too, actually, Maria. I really did.
GRAHAM. Okay, yes. Sextortion isn't... Yes, exactly.
Now, so far, so normal. But what makes this unusual is that, of course, he used to be a policeman and he exploited his background as a policeman when doing the hacks.
Because when he had been a policeman, he had had access to a police tool called Accurint. And Accurint is a rather controversial, powerful data gathering tool, which scoops up all kinds of information about people on the internet and makes all the links.
And, you know, delves into the dark web and onto social networks and finds out all kinds of stuff. Oh, this is who they are. This is where they live. This is what their mother's maiden name is.
And it's all public information, I'm sure, but it does it for you so you don't have to do the digging, right?
CAROLE. All cops had access to this or presumably at a certain level you could have access to this and it's pretty powerful?
GRAHAM. Exactly, he had had access to it and his passwords had not been revoked after Slushygate. So he was able to entertain himself by logging into Accurint for months and months and months gathering information.
Accurint claims to scan millions of websites, hundreds of social networking sites, makes all these links, clearly can be useful to law enforcement, but shouldn't be used by someone who's been throwing slushies at homeless people.
CAROLE. There's a big difference between being a sextortionist... I don't even like that word... someone who extorts people through sexual violence online and someone who throws a slushie at somebody. Yeah, he escalated it.
GRAHAM. I think I'd agree with that.
MARIA. Well, it's a classic story, though, of an organization forgetting to revoke credentials after somebody leaves or is suspended. I mean, I'm sure that's happened to the two of you because it's happened to me.
After I've left a job, I still have access to tools that I shouldn't.
GRAHAM. Yeah. So having grabbed rude photos, he would text the victims threatening to release them to their family, friends, co-workers.
We've actually got an exchange in the court documents as to what you say to people. He'd say, hey, I'm making you the focal point of this collage. Check out the pictures.
CAROLE. Oh, shame on this man. Shame.
GRAHAM. And they'd say, well, who are you? And they'd say, oh, do you mind if I post them? You know, I'm telling everyone I really love them.
How did you get these? And he'd say, oh, I'm going to send them to your grandparents. I'm going to post them up on Pornhub.
But, you know, we can keep this between ourselves if you promise to send me a few more pics. And that way we can both benefit.
He was an asshole. He called people dirty sluts, whores, and bitches. He wasn't very charming about this.
CAROLE. Oh, if he had been charming, I would have given him a pass, Graham. If he'd called them darling and pussycat. Said it nicely.
MARIA. You know, put a little bow on it.
GRAHAM. If he'd been like Colin Firth or Mr. Darcy and been terribly polite about it, I think it would be absolutely fine.
MARIA. Standing there in the rain looking a little bit sad.
GRAHAM. Oh, bless him. Or standing there covered in a slushie.
So, Bryan Wilson did actually send sexually explicit images to a victim's employer. Apparently, it almost resulted in her termination.
And some of his victims said they suffered real psychological trauma, as you can imagine. So, the good news, he's now been sentenced to a total of 30 months in a federal prison, which is more than the other chap who'd just done Slushygate.
So, this is, they combined the crimes.
CAROLE. He was a member of the police force when he was doing this. He was on suspension and he gets 30 months.
GRAHAM. I think he'd actually been let go. I think he wasn't just suspended at the time of the sextortion, but he was still using those credentials to access this system.
But yeah, it doesn't feel like a very big sentence to me.
CAROLE. I just feel compared to other sentences... I mean, hey, look, three days in jail would be a pretty horrific experience for most people. So, you know, I'm not putting, but it's just, you know, some people seem to get 25 to life for carrying a bit of junk in their pocket.
MARIA. These crimes are not taken seriously enough, that's for sure. They're like, oh, that sounds inconvenient that your naked pictures might have gotten leaked. Oh, well. Yeah, you deserve it or something because you took those photos in the first place.
GRAHAM. The other thing is, I don't understand why you would go to so much effort and hiring a hacker to help you. And you'd put all this energy into stealing people's Snapchat accounts and grabbing their photographs. Not to extort money out of them. Not to get sexual favours. But in order to get a hold of more photos. I mean, God knows what he was doing with them!
CAROLE. Oh, you know what he was doing with them. Come on!
GRAHAM. I think we know what he was doing with them.
CAROLE. I just mean perhaps he was going beyond that, maybe selling them. Maybe there was a little black market going on with the pictures he was collecting.
MARIA. It's a power trip. He knows that he's scaring people doing this and that he has a grip on them. It's the fear. It's the power over other people. I think he could have done it for no money and not even public consumption, supposedly, just to terrify the shit out of these women and to know that he had them.
GRAHAM. I think the power is the frisson, isn't it? Because it's not as if there's a shortage of pictures of naked ladies on the internet.
MARIA. I hear they're perhaps a little bit plentiful on the internet, but I haven't checked to verify. But yeah, no, it must have been a power trip. He's just an asshole. Yeah, a total asshole, exactly.
GRAHAM. Maria, what's your story for us this week?
MARIA. So I have a story about phishing and I wanted to have a little coffee talk about it.
GRAHAM. I'm a very busy person. I don't drink coffee. A tea chat. I'm more of a Pellegrino man, but okay, go ahead.
MARIA. Pellegrino, okay, that also works. Open up that bottle. So there's a blog post that just came out from Check Point and they published their top 10 list of who is the most imitated company for the purposes of phishing in Q3 2022 which is right now. And this is worldwide stats, so not America focused, not UK focused. So I'm curious who you think is the number one most imitated company is. Impersonated company in the world.
GRAHAM. In the world. Would it be someone eBay or Amazon?
CAROLE. I was thinking, isn't it the Alibaba one? Is that what it's called?
GRAHAM. Yeah, the Alibabas, yeah. Same idea, right? Isn't it of Amazon?
MARIA. I think that's a really good guess. I'm going to tell you both that neither of you are correct, but I'm going to give you a hint about who might be in the top. So think about what's going on in Q3, what's happening specifically end of Q4, what people might be getting ready for.
Christmas. So if somebody's getting ready for Christmas, what are they probably doing?
GRAHAM. Shopping. Ordering shit online. Not shit.
MARIA. Ordering lovely things online, yes. Lovely things. Fighting inflation with their hard-earned cash, if one can even do such a thing. So think about who might be purveying such goods.
GRAHAM. Alibaba, Amazon, eBay, we've mentioned these.
MARIA. So not them, not them. Actually getting those items directly to the persons of interest.
GRAHAM. Oh, UPS. You're on the right track.
DHL.
MARIA. Ding ding ding ding! It's DHL. DHL was the number one most imitated company for phishing purposes. 22% of all phishing attacks globally are using fake DHL emails. And apparently DHL was specifically the target of a huge phishing campaign especially over the summer, but they're still at the top of the list right now.
But I'm just curious who you think also on that list because nobody that you've mentioned is on there in the top 10.
GRAHAM. Banks? I don't see a bank. I do see a bank at number nine is HSBC.
PayPal? Good one. No PayPal.
What about charities?
MARIA. I feel you're going to be smacking yourself on the forehead when I tell you who the number two and three are, because I feel they're...
CAROLE. Oh, what about Netflix?
MARIA. They're number five at 5%. Oh, okay, well done, Carole.
GRAHAM. Oh, Apple. Gaming centers.
MARIA. Not Apple. I don't see Apple on here. PlayStation. No PlayStation.
Do you want me to tell you? Put you out of your misery?
GRAHAM. Yes.
MARIA. Number two at 16% is Microsoft.
GRAHAM. Oh, I've heard of them.
MARIA. Yeah, this little firm called Microsoft. And it's a lot of OneDrive, Microsoft OneDrive imitation emails.
GRAHAM. Oh, of course. Yeah, why didn't we think of that?
MARIA. I don't know. And number three at 11% is the previous top in Q1 and Q2, which is LinkedIn. Because everybody's looking for new jobs.
Bloody LinkedIn. And number four is Google.
GRAHAM. You say these things, Carole, we're imbeciles.
MARIA. Again, speak for yourself. I did. Number six is WeTransfer, so people who are getting something. I don't know what they're downloading on WeTransfer. Number seven is Walmart, so I don't know, do they ship globally? Number eight is WhatsApp, which I feel watch that space because there's been a whole bunch of fake WhatsApp imitators.
GRAHAM. So you say DHL's number one. If someone's sending me a physical item, DHL don't get told my email address, do they? So why would I be tricked into clicking on — I can understand if I was sending something that maybe they would have my email address, but I'm not the customer in a way, am I? I'm the person receiving the good sent by the person who dealt with DHL. I don't understand why people would fall for that one.
MARIA. Okay, so I have a few theories on DHL, but they are a little bit US-centric, admittedly. So I know that DHL is a huge purveyor of packages, but in the States, it's not. Because they only do, I think, international package delivery at this point. So to me, when I do get an email from DHL, because I opted in ages ago to get email notification, so that is a thing you can do. That, to me, indicates I've got something coming from abroad, which is, ooh, very exciting for me.
Exciting, exotic, yes.
GRAHAM. Yeah, it's not just your regular old Amazon delivery of oat milk or whatever. It's something — oh, somebody sent me something from somewhere else, and that can be exciting. Proper chocolate, maybe, from Europe.
MARIA. Maybe, yes. Something pleasant, which you can't get in — proper cheese, maybe, which you can't get in America either, can you?
GRAHAM. Hey! That's not true.
MARIA. You don't get proper cheese.
GRAHAM. Yes, you do. Do you? Yes! I will not stand for that blasphemy. Chocolate, yes, but not cheese. Cheese we've got. Not just government cheese. We've got other cheeses. I live near Vermont. I mean, come on.
MARIA. Exactly. And Canada, which also has cheese.
GRAHAM. Yeah.
MARIA. So to me, it's like, oh, there's something interesting arriving from DHL. And you can opt in to these packages — UPS, FedEx, DHL — you can opt into a thing that will tell you when you've got a package coming to you so you can tell them when to deliver it or to hold it for a bit. So it's a possibility. But I don't think people are even thinking of it that much. Maybe they're just going, ooh, package. I mean, it's working. If it's the number one most imitated brand right now for phishing purposes, it's probably because it's working, right?
GRAHAM. Yeah, I guess so.
MARIA. And what was interesting over the summer when they were the target of a lot of phishing attacks, to me anyway, was one of the attack vectors was actually referring people to a fake landing page where the phish was done through a fake chat bot.
GRAHAM. Whoa.
MARIA. Yeah. So it wasn't just, hey, put in your credit card information and oh, it doesn't work. Oh, shucks. There'd be a whole thing where you'd had to talk to the DHL assistant chat bot, which is how a lot of brands are talking to people now, right? If you've got an issue, they want you to talk to that little chat thingy in the lower right of your screen. And the chatbot would actually give responses that sort of made sense based on what the person was putting in. And then that would be what delivered the phish. So that, to me, was an interesting thing. I don't know if that's still happening right now in Q3, but that was happening over the summer.
So, yeah. Into the chatbots.
GRAHAM. Yes, an interesting, more sophisticated way of doing it, I suppose, isn't it?
MARIA. Yeah, it's adapting to the times. Because, again, I feel like for a lot of issues that I've had with my phone company or other things, it's almost always a chatbot that they want me to talk to first. They don't want me emailing. They don't want me calling. Use that damn chatbot.
GRAHAM. I've never used a chatbot yet.
MARIA. Yet. Yet. They might shunt you towards one one of these days.
GRAHAM. Yeah.
MARIA. Yeah. I guess we have to be careful of what's on that. So what's your advice, Maria? Space correspondent. Blast yourself into orbit and don't worry about these problems.
No. I mean, phishing works because it works, right? People keep doing it. We tell people not to click links and then we've got malicious chatbots. So everybody needs to still be as careful as they can. But I mean, even people who are very seasoned, sophisticated security types can and do fall for phishing attacks. So I don't think blaming users and being, you're dumb if you fell for it is going to help. So we all got to be careful. But, you know, just be wary of who's asking and for what. But don't beat yourself up if it happens to you, I guess.
I don't know if that's good advice. We all sound very troubled now.
GRAHAM. Oh, gosh. Yeah. Don't worry, I'll cheer us up.
CAROLE. Yeah. Cheer us up, please. Please.
Graham, what have you got for us this week?
GRAHAM. Okay. No, Graham. Graham.
Hello. I want you to cast your mind back. I think it's about eight years ago.
CAROLE. Oh, my God.
You and I met up with a UK-based corporate hotshot in a London members club.
GRAHAM. Oh, I know who you're talking about. Yes. Yes. Yes.
CAROLE. You know, Puffy Eye, Puffy Eye.
GRAHAM. That's his code name. Yes. No names.
CAROLE. And he talked excitedly about digital marketing based on location profiles. So I remember him, he was using a bassinet as an example. And he was, if you try to flog them on Facebook, the approach you would use in New York to try and get mothers to buy this bassinet was wildly different from the one that you would use if you were targeting mums in LA.
GRAHAM. What is a bassinet? Sorry, I'm...
CAROLE. Something you put babies in. Oh, like a crib? Little tiny baby, yep.
GRAHAM. A little baby, right, okay.
CAROLE. Yeah, teeny tiny baby, right? And this thing attached to the bed, and at the time it was new, and it was all cool. And in New York, you'd talk about how it benefited the mother, because the baby slept more soundly, so you'd get more sleep, etc., etc. And in LA, you'd talk about the organic materials and the safety features. And in Europe, you'd say
GRAHAM. How it benefited the father because the mother would be happy and that's happy wife, happy life.
CAROLE. And I remember when he was telling us this, going, whoa, that's crazy, you know. But boy, things have moved on at a pretty fast clip, okay. And now while we welcome our second unelected Prime Minister, Richie Rich Sunak, right?
The U.S. faces a fierce midterm election fight in a few weeks to elect new members of Congress. Is that right, Maria?
MARIA. Yep. You've got your finger on the pulse of what's going on over here.
It's great. Great times in America.
GRAHAM. Everything's going to be marvelous, isn't it? We could swap.
CAROLE. We could swap. It's really fun here, too.
MARIA. No, I know. It's just dumpster fire all the way down.
CAROLE. And now the reason this is a hot topic is there's a grab for the midterm elections, right? So there's a Senate race and there's six states that could make or break it for one party or the other.
And of course, there are many people out there, volunteers, employees, contractors, working their guts out so that you vote with their party, whichever one they're representing. And you know they hold rallies, go door to door, put up billboards, but they're also making huge strides through data mining, okay. So I'm going to pivot here for a moment, okay.
So we're going to go back to 2019. This was an article in the New York Times by Kashmir Hill and it's called "I Got Access to My Secret Consumer Score. Now You Can Get Yours, Too," right? So it's a great article talking about these specialist data mining companies that have these consumer scores for you to help them better provide you access to the goods and services that they're trying to flog.
And the score might be something between 1 and 10, 1 and 100, whatever, right? And there's a variety of different data points. And prior to 2019, it was near impossible to get your hands on a report detailing what they knew about you. But that changed.
And in 2019, Hill put in a request for her consumer profile from a company called Sift.
MARIA. Sift.
CAROLE. And what return blew her mind. Let's see if it blows yours. Okay, I'll just read a few paragraphs here.
She goes, quote, "I got mined and I found it shocking. More than 400 pages long and it contained all the messages I'd ever sent to hosts on Airbnb, years of Yelp delivery orders, a log of every time I'd opened the Coinbase app on my phone. Many entries included detailed information about the devices I used to do these things, including my IP address at the time."
She goes on. "Sift knew, for example, that I used my iPhone to order a chicken tikka masala, vegetable samosas, and garlic naan on a Saturday night in April three years ago. It knew that I used my Apple laptop to sign into Coinbase in January 2017 to change my password. Sift knew about a nightmare Thanksgiving I had in California wine country as it captured my messages to the Airbnb host of a rental called Cloud9."
Mind blown or mind blasé?
GRAHAM. I wish I was more surprised by this. Yeah, I'm sort of more mind resigned, I think. There's been so much of this that you begin to get worn down, don't you? You begin to think, well, this is the norm, which it shouldn't be, of course.
We should be outraged. We should have pitchforks and blazing torches and walking in the street, but, you know.
CAROLE. But I think for 99.999% of us, what we assume they're collecting, I think it's vastly huger and much bigger than we can ever even imagine. And if knowledge is power, then profiling data is, you know, the mecca.
So let's move back to the midterms, which are coming, okay?
MARIA. They sure are.
CAROLE. A new article in the New York Times talks about government representatives taking advantage of the vast reach of these data mining companies to mobilize what they call desirable voters. And they do this through voter scores and voter profiles.
GRAHAM. Rather than the undesirables.
CAROLE. Desirable. Well, yeah, you don't want them. You want to mobilize the undesirables.
There's something that, wasn't it?
MARIA. The deplorables? I think that's the one.
Something that, yes. Desirables versus deplorables. Gotcha.
CAROLE. So, as you probably can guess, voter scores are intended to predict the likelihood that an individual agrees or disagrees with a particular party or political stance, right? Like a belief in gun control. Or they might also be used to predict a person's likelihood of voting.
GRAHAM. Has bought red baseball cap. That kind of thing, yeah.
CAROLE. Gets way more granular than that. So to your point, Graham, there are scores on hot-button issues like racial resentment scores, trans athletes should not participate scores, and even UFOs distrust government scores.
GRAHAM. There are a lot of illegal aliens out there, aren't there?
CAROLE. Yeah. Lots more information in the New York Times. Links in the show notes. Okay, so all these scores help make up a voter profile. So let's say that I'm one of these firms tasked with finding out how people in a particular state think about legalizing jazz cigarettes. Okay, because let's say that my party wants to use that as maybe part of its platform.
You mean cannabis, marijuana.
CAROLE. Right, Mary Jane, whatever. Mary Jane, whatever the kids call it these days. So first I might want to get some voter profiles. So I would first use commercially available data like you were talking about earlier in your story, Graham.
So I would want to find out the net worth, the education level, the occupation, the home value, the number of children in one's household, gun ownership, pet ownership, political donations, hobbies, habits, cooking, woodworking, gambling, smoking, whatever. You know, things that you can purchase from data aggregators like customer loyalty card records, for example.
GRAHAM. Would some of that information indicate whether you are likely to be pro-drugs? So, for instance, if you had bought a terrapin once, that suggested you must be on drugs because one day it's going to be absolutely huge and taking over your living room.
CAROLE. Kind of, Graham, kind of. Because once I've got this whole glut of information that I can legally get my hands on, I can then survey a representative sample of voters, some as large as 150 million strong.
Jeez, yep. Scoring respondents based on their views on marijuana legalization. I would then apply machine learning to identify common characteristics. Oh, there's that phrase again. Calculate the scores on each topic for each voter profile so I can build voter profiles and create groups that are likely to respond desirably to my messaging.
So back to my little Mary Jane example, I want to identify which desirable voters in my camp want to hear about my plans to legalize weed. Right, there may be some that are into that, but there may be others that aren't. But they're both still potential voters for me. But I can bury the message for those that don't like it and really call it to the floor for those that do.
GRAHAM. So you could send campaign leaflets about legalizing certain drugs, for instance, to the people who are keen on that. And maybe those leaflets could also double up if they rolled them up, they could make an enormous spliff.
CAROLE. I was wondering why you're saying leaflets. Yeah, it's also online. It's all the ads that you might be seeing across the internet.
And then you could smoke your leaflet as a doobie. Got them from the 70s, can you tell? Right, okay. So the upshot of all this is that these voter scores and profiles make it much easier for candidates to surgically, and this word was used and I love it, surgically. Surgically target messages to mobilize the most receptive voters into voting.
So a few little concerns that I thought. Yeah, is this bad? Is this bad, Carole? Yeah, is this bad? What do you think? Actually, I'll turn to you guys. What do you think could go wrong?
MARIA. Okay, they could make a wrong assumption about somebody, but they're doing that anyway when they sort of broadly leaflet as it is. So I am always getting political text messages, phone calls, flyers on my door, flyers in the mail for political parties for whom I would never vote if my life depended on it, which in two years it might.
GRAHAM. So you would like it to be more targeted?
MARIA. No, I don't want any of this shit. I want them to leave me alone. The thing that I really hate is I get political messages that are hyper-targeted at my deceased father to me. Yeah, which is really dark every time I get an email to my dad.
So it's like, whatever they're doing, it's definitely not correct. So I don't know, if this meant that I got less of this crap, then I'd be, I don't want to say I'd be okay with it, but I want less. I'm getting just inundated and I don't even live in a battleground state. My family that do, it's absolutely relentless. So I don't know, I'm exhausted from all of it, to be honest.
CAROLE. And think about it. So good point, Maria. So they get the information wrong, let's say. Very wrong in my case. Yeah, right. And let's say that information does get into the wrong hands, like an employer for an agent, whatever.
And also this pseudo-anonymized, I don't know if I can use that term here, but it feels to me pseudo-anonymized data, right? Because there's so many data points. I think you can practically just say, and that's you. You know, you could have a game show on this.
MARIA. You know, this reminds me of something. Can I just go on a little tangent?
Yeah, please.
Yeah, this reminds me of back when a lot of us were much more active on Facebook, maybe five, six years ago, personally. And there was an option where you could see what ad attributes Facebook had assigned to you based on what you had read and clicked. And I remember taking it, I think actually it was, maybe it wasn't that long ago, because I want to say that you actually told me about this.
And I dug into it and it was like everything they had assigned to me was wrong. It was wildly off. And I heard the same thing from a lot of people, that based on what you read or click like on or whatever, they would say, oh, we think we know how you would vote or a political party. And for a lot of people it was super, super wrong.
CAROLE. So, yeah. And then you're like, okay, so that's why the people who are trying to predict elections are getting it.
MARIA. Yeah, I don't know. But it's just like there's an element of based on certain data, people who like this kind of food or watch this kind of show tend to vote this way. And I know in broad strokes that might track, but maybe I'm just a corner case.
CAROLE. The other thing that bugs me on this, you know, if you think back to Cambridge Analytica and that whole drama of Facebook and them secretly gathering information through forms and stuff and unsuspecting users to target them with ads. Like, isn't the government kind of doing the same thing right now?
Oh, they absolutely are doing the same thing. Government Accountability Office, they came out with reports saying, maybe we need to put some regulations in place here. It feels less like wooing to me now in terms of getting someone into a party, but more like duping. And I don't like that.
MARIA. It'll never happen. It'll never happen because the folks that were in the private sector, they get money to go to the public sector and fix this stuff. And then they kind of bounce back and forth.
And anything that gives politicians more money in their pockets. Sorry, I'm so cynical. But at least in the States, I have zero trust that it'll happen.
Yeah, now I have hope. I have hope.
Oh, that's nice. What's that feel like?
GRAHAM. Hang on a minute. I can see a positive in all this, right? Because it's a real nuisance having to go down to the polling station to vote every few years.
If they know this much about us, could they just leave us out of the whole voting process? Could they just not look at all the data and say, well, he's obviously a Tory. He's Labour. You know, they're a Republican. They're a Democrat. They're an Independent. We don't even have to bother him. Let's not bother him with voting. We've got this.
And they could just work it all out. They just build an algorithm.
MARIA. Who needs representative government when we have AI? Right.
GRAHAM. Exactly. I think we've solved the problem there. Fantastic.
MARIA. Can't be any worse than what we have now, right?
GRAHAM. We all know that data is the most important asset of any business, and the value and usage of information makes data very tempting to thieves. With Sealit, however, you can protect, share, and monitor confidential emails and files without passwords, and it's all integrated with Gmail, Outlook, and file systems.
Deploy Sealit across your organisation within minutes and achieve peace of mind thanks to its end-to-end encryption that relies on the zero-trust security model. Get the right tool to own your data and gain great Sealit benefits.
Plus, Sealit is offering a very special deal for all Smashing Security listeners. Anyone who signs up for the professional plan before 2nd December 2022 can grab 30% off Sealit for a year. And if you sign up to Sealit, listeners can also grab a free Sealit signature zero trust t-shirt.
Check out more about Sealit and take advantage of these offers at smashingsecurity.com/sealit. That's smashingsecurity.com slash S-E-A-L-I-T. And thanks to Sealit for supporting the show.
CAROLE. Bitwarden, the open source password manager that is trusted by millions of individuals, teams and organizations around the world, has just announced its October release. And it is chock full of goodies, which include password protected encrypted export, which allows you to export your vault in an encrypted format using the password of your choice.
Plus, there's the mobile username generator. It's finally here. They also have DuckDuckGo email aliases available. And here's a little insider scoop for you. They're working with DuckDuckGo to get macOS browser integration in the forthcoming DuckDuckGo macOS browser.
Want to try these features out? I don't blame you. Visit bitwarden.com forward slash smashing. That's bitwarden.com forward slash smashing. And thank you to Bitwarden for sponsoring the show.
GRAHAM. The challenge with endpoint security has always been that it's difficult to scale, and when remote work took over, that challenge got exponentially harder. You need visibility into your fleet of devices in order to meet security goals and reduce service desk tickets. But how do you get that visibility when different parts of your company run on Mac, Windows and Linux?
Well, you get Kolide. Kolide is an endpoint security solution that gives IT teams a single dashboard for all devices, regardless of operating system. Kolide gives you real-time access to your fleet's data and can do things that traditional MDMs can't. And instead of installing intrusive agents or locking down devices, Kolide takes a user-focused approach that communicates security recommendations to your workers directly on Slack. You can answer every question you have about your fleet without intruding on your workforce.
Visit kolide.com/smashing to find out how. If you follow that link, they'll hook you up with a goodie bag just for activating a free trial. That's K-O-L-I-D-E dot com slash smashing. And thanks to Kolide for supporting the show.
And welcome back. Can you join us for our favorite part of the show? The part of the show that we like to call Pick of the Week. Pick of the Week. Pick of the Week. Pick of the Week is the part of the show where everyone can choose something they like. It could be a funny story, a book they've read, a TV show, movie, record, podcast, a website or an app. Whatever they wish. It doesn't have to be security related necessarily.
Better not be. Well, my pick of the week this week is not security related.
Excellent. My pick of the week this week is all about idioms, but idioms which have gone wrong.
Someone has. Now, this is a problem that we can face here on the podcast because sometimes we're just shooting our mouths off, talking a whole load of cobblers, and you just stumble over your words and you're saying something and it doesn't really make sense.
Oh, I do it all the time. Thankfully, the Mixed Idioms website at mixedidioms.co.uk are collecting such malapropisms.
That's a big word for you, Graham. It was. I took a good run up at it, but I think I did it all right. Yes.
MARIA. Malapropisms, a great word. Yes, love that word.
GRAHAM. So if you've ever danced a flamingo.
CAROLE. Instead of flamenco, I guess, yeah.
GRAHAM. Right. If you're worried about the worst case Ontario. Worst case scenario, yeah. If you've got a baby in the oven. Or if you've told someone to get rich or try dying, then you might well enjoy this collection of malapropisms, eggcorns, mondegreens, Escher sentences, mixed idioms and malaphors.
MARIA. Maybe a spoonerism in there somewhere?
GRAHAM. There quite possibly is, yes, a queer old dean in there as well. Who knows? You could well get one of them in there too. Some of it's quite funny because I mean I don't know if you've ever listened to a song and you've been very very wrong about the words.
MARIA. Yes, oh yes, yeah. Dancing...
GRAHAM. Queen, young and sweet, only seven teeth. Every time you go away, you take a piece of meat with you. So these are all documented up on this website. And I think it's rather fun. And that is why mixedidioms.co.uk is my pick of the week. Maria, what's your pick of the week?
MARIA. Mine is space related. I know. Big surprise. It wasn't intentional, actually.
It's for a book that I just bought for myself. And I'm recommending it to anyone else who might be interested in this kind of thing. This book is called Apollo Remastered. And if you are a space nerd, you probably already know about it. If you are really into photography, this actually also might be of interest to you.
Because this book, if you don't want to buy the book, go to the website, ApolloRemastered.com, and read about how they made this project. So Andy Saunders, who's an amazing photographer and a photo restorer, worked with NASA to basically rescan and remaster a lot of the original film that was taken from the moon landings, which has been in frozen storage for 50 years. So basically a lot of the images that we've seen from that historical landing, they were sort of scanned and processed at the time with the technology that was available at the time. And we've just sort of reused those images since then. But we obviously have much better scanning technology now and a lot more things that we can do with film.
I'm not a film buff, so apologies, people who know more about this than me. But he basically re-scanned, re-processed some of the stuff. And I think he did some processing with film. I don't know. Read the project page. It's really fascinating. And the images are crystal clear. You've never seen the pictures like this before.
And he also looked at some of the film, the actual moving film that the astronauts took and got some stills from those that we've never seen before. So I think for people who like space stuff, they'd be interested in this. This is a huge coffee table book. But even if you're just really into photography, the project page where they describe how they remastered all this and got this film out of frozen storage in Houston. I thought that was really cool.
CAROLE. And you can buy prints on the website as well. So they're from 165 quid in England. But yeah, so you can actually purchase from there too if you want to print it. So that's amazing photography.
GRAHAM. Maria, I really like this. I think it's great. I'm rather obsessed with photographs of the moon. In fact, I follow a chap called Cosmic Background online. He has a website, cosmicbackground.io. He hasn't been up in space like NASA, or indeed you, but he has a decent telescope in his back garden and he takes incredible photographs of the moon in extraordinary detail, and of the sun and the planets, and I'm rather obsessed with it all. So I will check this out. This sounds like a terrific book and a great website.
MARIA. Yeah, these photos, we've seen them all before, but not like this. It's like high def, basically. So I really hope everyone just gives it a look. It's really fascinating.
CAROLE. The cool thing technology's done for us.
GRAHAM. There you go. Carole, what's your pick of the week?
CAROLE. My pick of the week this week is a podcast from Pushkin called Death of an Artist. Have either of you heard it?
GRAHAM. I have not.
MARIA. No.
CAROLE. It centers on two artists, a Cuban refugee called Ana Mendieta. And she was a cutting edge body artist, probably best known for her Silueta series, where she inserts her own silhouette into landscapes. It's amazing stuff. And she's no wallflower, does some incredibly disturbing, important scenes revolving around women, sexual violence in the mid 70s, some big stuff. And we should be enjoying her work today, but we cannot because she died rather dramatically. And the question is, did she throw herself from a, I think, 16th floor New York balcony? Or did her husband, artist Carl Andre of Minimalist Little Squares, if you've been to MoMA, you'll see a load of those, did he shove her off in a fit of pique?
GRAHAM. Oh crumbs.
CAROLE. And so we hear of their work in the podcast, I think it's six episodes, but you hear about Ana's work and you hear about Carl's work. You hear about their relationship. You hear about the art world at the time. You hear about the murder, sorry, death, and how the art world was split in two and remains split in two. For those that think that Ana was murdered and those that support Carl and think it was a tragedy. So the story is fascinating. It's really nicely produced, as most of the things from Pushkin are. And it's told exceptionally well by Helen Molesworth, who was the chief curator of the Museum of Contemporary Art, MOCA, in Los Angeles, where she was until 2018 when she was abruptly fired.
GRAHAM. Oh, I thought you were going to say she was pushed off a building as well. Might have been a serial artist. Spoilers.
CAROLE. But I think because she got free of that role, she was able to tell this story because she didn't have pressure from other people to not tell the story. So she speaks about this whole drama of being fired and the whole drama between these two artists and what happened and what she thinks. And I found the whole thing rather moving and I heartily recommend it. So that is called Death of an Artist from Pushkin.
GRAHAM. Sounds like an all good podcast. Cool. Well, that just about wraps up the show for this week. Maria, I'm sure lots of our listeners would love to follow you online, find out what you're up to. What is the best way for folks to do that?
MARIA. Well, they can continue to follow me on Twitter @mvarmazis, while Twitter still exists, if Elon Musk allows it to. Or you can listen to me on the CyberWire and wherever fine podcasts are found.
GRAHAM. And you can follow us on Twitter @SmashinSecurity. No G, Twitter at last have a G. And we also have a Smashing Security subreddit. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify and Google Podcasts.
CAROLE. And huge, huge shout out to our episode sponsors, Kolide, Bitwarden and Sealit. And to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list and the entire back catalog of more than 294 episodes, check out smashingsecurity.com.
GRAHAM. Until next time. Cheerio.
CAROLE. Bye bye.
MARIA. Bye bye.
GRAHAM. Bye. I'll see you next time. Thank you.