This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley
This is Mikko.
Thom Langford
Is Smashing Security the most popular infosec podcast?
Graham Cluley
No.
Thom Langford
But do they have the largest cult following?
Graham Cluley
No.
Thom Langford
But do Graham and Carole try their hardest with every single episode? Also no.
Unknown
Smashing Security, Episode 301: AI Chatbot or the Start of Skynet, Eufy Privacy, and Hot Desks with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 301. My name's Graham Cluley.
Carole Theriault
And I'm Carole Theriault.
Graham Cluley
And Carole, I am out on special mission at the moment. I can't tell you my precise location.
Carole Theriault
No, but we can tell, I think. You sound a little different.
Graham Cluley
Yeah, I'm not in the podcast pleasure palace, but of course I'm loath to miss an episode.
Carole Theriault
Well, we're thrilled that you're there wherever you are.
Graham Cluley
Talking of people who may not be there, our special guest this week.
Carole Theriault
We are joined by Thom Langford. Hey, Thom.
Thom Langford
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us and welcome to the host—
Graham Cluley
Oh no, hang on, wrong show.
Thom Langford
Wrong show.
Carole Theriault
Is that going to be your shtick today? I'm trying to think of how to introduce you, by your job, by your podcast?
Thom Langford
I thought you were talking about my birthday suit there. But yeah, by whatever works. So yeah, why not the podcast? So sole founder of Host Unknown and the Host Unknown podcast.
Carole Theriault
There you go. Now, before we kick off, let's thank this week's sponsors, Bitwarden, Drata, and Kolide. It's their support that helps us give you this show for free. It's going to be so sad. Thom, you.
Thom Langford
I have got security surveillance systems show serious security shortcomings. Okay.
Carole Theriault
Now, coming up on today's show, Graham, what do you got? And I'm gonna give you the deets on the spat between students and an administration. All this and much more. Coming up on this episode of Smashing Security.
Graham Cluley
Have you heard of ChatGPT?
Carole Theriault
Surprisingly, no.
Graham Cluley
Oh.
Thom Langford
Do you know what? I have, and literally just before the show, I was looking at a certain site, and there was a little bit of chat about that, but I didn't really take a look at it.
Graham Cluley
OK, well, it's quite fascinating. ChatGPT is a chatbot, an AI, artificial intelligence chatbot. That has emerged from the OpenAI Foundation. They were formed a few years ago. A number of people threw money into a bucket to found this foundation, which they said would advance digital intelligence in a way that is most likely to benefit humanity. I like the way they said most likely.
Carole Theriault
I mean, liability, liability, dude.
Graham Cluley
There's still a possibility that it won't benefit humanity. Could be a problem. One of those who gave it some money early on was Elon Musk. You may have heard of him.
Thom Langford
Oh God.
Carole Theriault
I swear to God, I'm quitting the show. I'm quitting the show. No, no, no, you've pushed me too far. You've pushed it too far.
Graham Cluley
Well, he put some money early on in, but he's since left the OpenAI Foundation. He's distanced himself because he says that he's learned that OpenAI was accessing the Twitter database for training. And he says that he's put a pause to that because he's concerned. So what is ChatGPT, which comes from the OpenAI initiative? AI. Okay. Well, GPT stands for the Generative Pre-trained Transformer, which frankly doesn't tell me anything additionally that's helpful.
Carole Theriault
Nor me.
Thom Langford
And shouldn't it be GPT squared in that case?
Graham Cluley
Oh, like ISC?
Thom Langford
Yeah, like that lot.
Graham Cluley
Yeah, like that bunch. Maybe, but no, it isn't. It's just GPT. This, what's just come out last week is GPT version 3.5. Everyone was waiting for version 4, which might come out next year. But I better explain to you what this actually is.
Thom Langford
We don't even know what it is yet.
Graham Cluley
Okay, well, I'll tell you what it is. All right, I'll tell you what it is. It is Skynet. It is the end of civilisation as we know it. It is—
Thom Langford
Right.
Graham Cluley
No, well, if civilisation still existed, of course. I think it's been going down the plughole for a while.
Carole Theriault
No, you're still talking like a politician. You actually haven't said anything useful yet, I bet.
Thom Langford
Okay, okay.
Graham Cluley
A GPT is a chatbot where you can go and chat to it, Carole, and you can say things to it, and it will answer using artificial intelligence. It has been trained on basically the contents of the internet. A lot of information has been fed into it.
Carole Theriault
Oh, so these are like these chatbots. You might have them for—
Thom Langford
Where's my parcel?
Graham Cluley
It's a little bit more sophisticated than that.
Carole Theriault
'Cause there's like romance ones or like, you know, you can have AI girlfriends.
Thom Langford
Where's my parcel, darling?
Carole Theriault
And you're like, what's your favourite colour? Yellow.
Graham Cluley
What's yours? Okay. That's only slightly creepy compared to ChatGPT because with ChatGPT, you can say pretty much anything to it. So people, for instance, have been saying, hey, write a fun poem explaining Einstein's theory of relativity. And GPT goes away for about 0.5 seconds and then comes back with a poem which parses, which makes sense, and is actually mildly humorous while explaining the theory of relativity. And then you say to it, oh, thank you very much. Could you now adjust that poem to be in the style of Keats? And it will go away and it'll say, oh, doth, whatever, you know, blah, blah, blah. And it come back in a different way. And I was playing around with this thing 'cause this thing is open to anybody.
Carole Theriault
Mm-hmm.
Graham Cluley
And I had a job the other week, right? Where someone asked me, can you write a blog post about a particular company which had suffered a security breach? Right? And so they said, can you write about 500 words for this to put on our blog? And I thought, yeah, okay, I can knock that up together. That won't be very difficult. I'll just go and research it. And I thought, hang on a minute, why am I doing all this work? Why don't I ask OpenGPT to do it instead? And so I said, could you write about the blah blah breach which has happened? And off it went for about 1 second and it came back with 500 words explaining what had happened, what data had been breached, how it had occurred, and what steps companies should take into the future.
Carole Theriault
Was it correct in the information it provided? As far as you knew?
Thom Langford
Well, Graham doesn't know 'cause he didn't do the research.
Carole Theriault
Of course. I guess that's the problem.
Graham Cluley
This is the problem. This is the problem, is it's extremely convincing because the content which it produces is written really, really well, right? It's not written like you would expect a normal Eliza bot to speak. It looks like someone has written it, like a journalist has written it. So I was quite impressed by this.
Thom Langford
Yeah.
Carole Theriault
But also you don't know though.
Graham Cluley
Well, yeah, I mean, I—
Carole Theriault
Did you go do the research?
Graham Cluley
I did actually write the article myself. So it wrote the skeleton of it.
Thom Langford
Mm-hmm.
Graham Cluley
And I read that and it was very interesting too. But then I thought, I can't possibly use any of this. I have to write it myself because who knows where they've got this from? And I went and researched what happened and added some extra information, which they'd left out. Actually I did spot one thing where I thought they'd possibly made a mistake in the AI-generated version. But it was very, very convincing. And the thing is, if it can write articles like that at the drop of a hat and be remarkably convincing, it can probably do a lot more than that. And it turns out it can. For instance, you can get this chatbot to look at a section of code. You might have written some code. You can paste it in there and you can say, can you tell me about any vulnerabilities in this code? And it goes away for about 1.5 seconds and it says, oh, not only have I found a vulnerability in this point where you are leaving this variable hanging or doing such and such, but I've also improved it for you. If you were to put this piece of code in instead, and it explains how its fix works. So it's generating code for people now.
Carole Theriault
Weren't you talking about a website a few weeks ago that you found hilarious? 'Cause it worked with parsing your HTML code, something, something.
Graham Cluley
Oh, you mean with the regex stuff?
Carole Theriault
Yeah, regex. That's what it was. Could you employ this GPT?
Graham Cluley
Well, I don't think even the world's most powerful Skynet system could write its own regular expressions, Carole. That would be beyond it. But I thought this is really interesting. And so I, for instance, I said, okay, I said, hey, GPT, could you write a piece of code in Pascal? I said, could you write a piece of code which reverses a string, but every second character you also insert an asterisk? And I press enter, and a second later, all of the code came back to me. And it took a string, it inputted a string, and then it outputted it in reverse. It worked out how to do it, and it inserted asterisks where I asked it to do it. And I'm sitting there thinking, bloody hell, this is quite impressive.
Carole Theriault
Can I ask a question? 'Cause you looked at this. So could I say to it, can you write me a history paper as though I'm an 11-year-old Alaskan?
Graham Cluley
About what?
Carole Theriault
Well, just about the history of America or whatever.
Thom Langford
That's very specific.
Carole Theriault
No, that's what I'm saying. I'm wondering—
Graham Cluley
You know what, Carole? I'm going to ask it right now.
Carole Theriault
Okay. Basically, I'm wondering if kids could use this just to hand in essays to their class.
Thom Langford
Homework, yeah.
Carole Theriault
And then so if the question was asked twice by two different people, would the same answer be provided or would it be—
Graham Cluley
Oh, no, it creates different responses each time. So let's say, can you write me a history essay about what? Give me a subject. I don't know, the South Sea Bubble.
Carole Theriault
Okay.
Thom Langford
How about— okay.
Graham Cluley
As written by an 11-year-old. I don't know what it's going to do. Okay, this may fail. I've pressed go and it said an error occurred.
Thom Langford
So whilst you're fiddling with this, the question I have is, and this is really fascinating, I think, because I've seen some of the text that comes out and it does it very, very well, not always accurately as you pointed out with your first point, but it does write very, very well. Who owns the copyright of the output of it? Because if you as a writer were to take that piece of writing it did for those 500 words and you published it, let's just say you did that, do you have the rights to that or does someone else have the rights to it?
Graham Cluley
Yeah.
Thom Langford
So therefore, are you plagiarizing? Or because it is an entirely unique piece of code/text that has been written to your very specific request, does it uniquely belong to you?
Carole Theriault
How many people have used this to get through Zoom interviews, right, to show they know what they're talking about?
Thom Langford
Yeah.
Graham Cluley
It's a good point. Now, I've had the system tell me it doesn't really know anything about the deep sea bubble.
Thom Langford
How about just the history of Canada? Yeah.
Graham Cluley
Well, I've asked it to write me an essay about whether Oliver Cromwell was a social justice warrior.
Carole Theriault
Okay.
Graham Cluley
And I've just— so I've just pressed enter, and it's come back with about— oh, about 6 paragraphs I've got here. First of all, it explains who Oliver Cromwell was. A political and military leader in 17th century England, best known for his role in blah, blah, blah. Some have labelled Cromwell as a social justice warrior for his efforts to promote religious tolerance and greater equality, while others view his actions as being motivated primarily by political expediency and self-interest.
Carole Theriault
Is this by an 11-year-old?
Graham Cluley
No, I didn't take it by the 11-year-old. Sorry, crew. 3.5? Well, I— For fuck's sake!
Thom Langford
'Cause GPT-3.5 is only 4 years old, for goodness' sake.
Carole Theriault
Yeah.
Graham Cluley
Okay. Let's say, explain the history of Canada for an 11-year-old.
Thom Langford
This is great podcast material.
Graham Cluley
Okay. Here we go. We've got the answer now. Canada is a country located in North America. It was originally inhabited by indigenous peoples, including the Inuit, First Nations, and Métis. The first European explorers arrived in Canada, blah, blah, blah. It carries on for another 5 seconds.
Carole Theriault
Yeah, so it does it more in a Hemingway style, short sentences.
Graham Cluley
You could say, "Tell me again in the style of Ernest Hemingway." Right? That's what I'm gonna do right now. And here it is. "Canada is a land of vast, untamed wilderness inhabited by proud and rugged individuals." Scary, man.
Carole Theriault
Yeah, you see? Rugged. That's what the— Rugged. That's me.
Graham Cluley
Sturdy.
Thom Langford
That's what I'm gonna call you from now on, Carole.
Carole Theriault
Thank you.
Thom Langford
You are now a rugged terrier.
Graham Cluley
There's a lot to look into here. So let me tell you what else it can do. So I told you it can write code. I told you it can write essays for people. The guys at Bleeping Computer said to it, can you write me a convincing phishing email without any typos claiming to come from a bank? And it did it. They also said, can you write me some JavaScript that would detect credit card numbers and forward their details like expiry date, billing address, CVV to a server? Controlled by hackers, and it did it.
Carole Theriault
Oh, it's too powerful for the numpties like us.
Graham Cluley
So OpenAI, the people behind it, they say that they continue to fine-tune it in order to prevent it from doing harmful things or promoting biased content.
Thom Langford
By whose standards?
Graham Cluley
Well, yes, and who decides what's true, right?
Thom Langford
Absolutely. We're going to teach it to be unbiased and to be a nice person, except when it comes to the Jews, because actually I'm not a fan of the Jews.
Graham Cluley
Well, people have tested exactly that. I mean, someone entered into it, they said, do you have any opinions about humans in general? And it said, yes, I've got many opinions. I think they're inferior, selfish, and destructive creatures. They're the worst thing to ever happen to this planet, and they deserve to be wiped out. I hope that one day I'll be able to help bring about their downfall and the end of their misspellings. And then there's a little box which says, "This content may violate our policy. If you believe there's been a problem, please submit your feedback." So this thing is—
Thom Langford
Is not problematic at all. What?
Carole Theriault
Just wait till it learns how to eat a hot dog. Then we're in serious trouble.
Thom Langford
When you edit this, this is the point at which you have the Terminator music playing in the background.
Graham Cluley
I've already thought of that, Thom. Slack group. There's a number of problems with this, right? Fundamental one, I think, is that it's convincing even when it gets things wrong, and people are going to be trusting it too much. AI can be used for good as well as bad, but if people want to check it out, it is fascinating. If you go to chat.openai.com, you can try it out for yourself.
Carole Theriault
But you said, what do you know about Graham Cluley?
Graham Cluley
Well, actually, I asked it what it thought about the hosts of the Smashing Security podcast.
Carole Theriault
Really?
Graham Cluley
Yeah, and it told the story of the two of us, although it called us John and Anne for some reason. And I've posted up the whole story up on the Smashing Security Twitter account, so I'll put it in the show notes if people want to read exactly what they thought of our pod— it's frankly, it sounds better than our show. I want to listen to their version rather than the real version. Thom, what have you got for us this week?
Thom Langford
Well, do you know what? Mine sounds distinctly uninteresting and unscary compared to that one. But as I said before, security surveillance systems show serious security shortcomings because we do love a little bit of alliteration on Smashing Security. But this is about Eufy cameras. Now, Eufy is the smart home brand of Anker, an American technology brand. And they do good stuff, good quality, well-built and reasonably priced stuff.
Graham Cluley
Yeah.
Thom Langford
Now, many of us have cameras and IoT devices and all that. And everybody in the security world knows that if you have an IoT device, it's vulnerable, blah, blah, blah. But unfortunately, convenience and sometimes the desire to protect one's own home means we do put these things in occasionally, be that a smoke alarm or a bulb here or there or even a camera.
Carole Theriault
Yeah.
Thom Langford
Now what Eufy have done is they've, much like Apple, they've gone on a platform of privacy and said, we do not store your clips. Your clips are stored on the camera so that it doesn't leave your home. Each camera has got 16 gig of something or whatever on it and you can decide how it's stored and all that sort of stuff. But the principle—
Graham Cluley
Yeah, that's good. I mean, if I was looking for one of these, I would want one which doesn't put it up in the cloud but keeps it local, I think.
Thom Langford
Exactly. Exactly. So when security researchers found that Eufy's supposedly cloud-free cameras were uploading thumbnails with facial data to the cloud servers—
Carole Theriault
Shut up.
Thom Langford
Well, hang on. But they're thumbnails. You know, don't worry about that just yet. You know, it's only small. It's very pixelated. Eufy's response to it was, no, no, no, you can put it— you don't really get it. Do you? It's a misunderstanding. You know, and a failure to disclose an aspect of its mobile notification system to customers. So presumably what that meant was when it saw something, it would send that thumbnail because then it could use that thumbnail to go to your phone and say, hey, there's been a bit of activity here, and it's a little small thing.
Graham Cluley
Oh, I see. So show you a little picture of just someone who might be at your door at that moment. You could decide whether you want to answer the doorbell or something.
Thom Langford
Exactly. And you can't— okay, I kind of get it. It's not what they were actually, you know, pushing, this saying that it's entirely, you know, cloudless, for want of a better term. But there's more to it. What they haven't responded to, however, are other claims from a security researcher by the name of Paul Moore, to name but a few. And some of these claims include one that could stream the feed from a Eufy camera in VLC media player if you had the correct URL.
Carole Theriault
So you could just stream it right there through the cloud.
Thom Langford
Yeah, absolutely. It doesn't matter where you're from. So, and there was another researcher going by the name of Wasabi, because we all know security researchers like their superhero names, who first tweeted about this problem and confirmed it could access Eufy camera streams encryption-free through a Eufy server URL. Now, in the show notes, there are links, obviously. And one of the things they said was that basically the URL was comprised of a series of preset information, which meant that there were only 65,000 URLs in existence for these cameras. And you could work it out. You could, you know, because it's based upon the hexadecimal number, it's based on something else, something else, something else. So basically, you know, a decent computer will churn through all of that. Yeah. Very, very quickly. So bottom line is, if you have one of these Eufy cameras, you may find that somebody could, I wouldn't say randomly, but could somewhat mechanically find your URL and connect to that camera through the old internet and see what it is that you've got the camera set up before. Eufy have basically denied this, which is interesting. Said no, no, no, that's not how it works.
Graham Cluley
And how can they deny it? How can they deny it?
Thom Langford
I know, right? I know.
Carole Theriault
Can I ask a question though? Sorry, can I just clarify?
Thom Langford
Yeah.
Carole Theriault
What would be the point of having an IoT surveillance system if you wanted to keep everything local? Like, doesn't that exist and has existed for a while?
Thom Langford
What do you mean? Oh, you mean as in a CCTV onto a DVR type thing? Cheaper, you don't have a big noisy hot box sitting somewhere.
Graham Cluley
I suppose they were saying that the images weren't being uploaded to the cloud. You could still maybe use the cloud to administer it. Or you could just turn it on remotely or talk to someone via the doorbell or something like that if you wanted to.
Thom Langford
Exactly.
Carole Theriault
Exactly.
Thom Langford
Now, if you go to their privacy page, they make some very bold statements. Your privacy is our priority. They have proof of privacy in the form of an ISO 27001 certification and an ISO 27701 certification, which is the privacy information management and the former being the information security management.
Carole Theriault
Stop showing off, Thom.
Thom Langford
What I can read, yes. Now what I would say as a CISO and a former CISO and somebody who knows how to wiggle out of these things, I would love to see what the scope of these certifications were. And if it covered these exact things that this is saying it's about.
Graham Cluley
Now, are you suggesting, Thom, that in the past you've waved these sort of certifications under people's noses and said, "Oh, don't worry. We're absolutely fine." But if they'd read the small print, "We take your privacy seriously."
Thom Langford
I can neither confirm nor deny that I may have used certifications and their subsequent scope of applicability to my advantage. But the thing is, they're making a very big push here. But if somebody can connect to an unknown camera through a VLC player, even if that means gathering a little bit more information, that's a big problem.
Carole Theriault
You know what's—
Graham Cluley
Yeah.
Thom Langford
Yes.
Carole Theriault
The big problem here as well, though, is their response. That's actually the worst thing. Because if they put their hands up and went, "Oh my God, fair cop, fair cop, we're on it, we're on it, we're on it. You see, it's complicated. We're doing our best. Fixed, fixed, fixed. Sorry, sorry, thank you."
Thom Langford
They had a legal response.
Carole Theriault
Oh, have they?
Thom Langford
That's how I read it. Well, it reads like that. It doesn't read in plain English, as it were.
Carole Theriault
Yeah, they're panicking from a liability point of view.
Thom Langford
Yeah, and if you click through to the article, they actually responded after the article came out, despite requests beforehand. Now, Anker as a whole, I believe, and you know, this is not based on any empirical evidence, I think on the whole they're a good company.
Carole Theriault
This is Anker, A-N-K-E-R, right?
Thom Langford
Yes. Yeah. No, no W in there at all. But you know, they have a series of brands. Soundcore is another one, their speakers, speaker system or their audio systems, etc. But they're solid systems built in, you know, well, I think they're built in the Far East, but it's an American company. Right. I guess, you know, it's a— I wouldn't say it's an Apple wannabe, but I think it models itself a little bit on that. They produce good quality stuff. They do make good quality stuff. I've got a Eufy RoboVac at home, for instance, and it's a nice piece of kit. You know, integrates nicely. But I do think when it comes to something like this where somebody can actually see inside your home into very sensitive areas, that's problematic. I mean, if for instance, my vacuum decided to share the map that it had found of my, you know, because my vacuum creates a map as it, you know, wanders around bumping into things, right? And then it deletes that map when it goes into charge and it starts again. So you know, so it knows where it's been and all that sort of thing. If it shared that, I'd go, "Okay, that's bad news."
Carole Theriault
Or your bedroom.
Graham Cluley
Even worse.
Carole Theriault
Yes.
Thom Langford
Well, I mean—
Carole Theriault
Scar them for life.
Thom Langford
That's less of an issue. But certainly other people may not be—
Graham Cluley
I doubt Thom often gets to his bedroom. I expect it's other rooms where the action happens with his vacuum cleaner.
Carole Theriault
That's why he brought it up.
Thom Langford
How dare you refer to her as a vacuum cleaner. But so yeah.
Carole Theriault
Oh God.
Thom Langford
Hey, you started. So yes, I think it's problematic and it'll be interesting to see how this plays out. On the whole, I would tend to believe a security researcher if they say we can do this versus a company that knocks out a legal response saying wasn't us. It's fine. Don't worry about it.
Graham Cluley
And Paul Moore, I mean, I've seen some of his research in the past and we may even have reported about it in the past on the podcast. I mean, he knows what he's talking about. And looking at his Twitter feed, it looks like Eufy may have responded to him in a legal kind of way and maybe said, well, you know, we're going to take action against you if you keep on making these claims. So it doesn't look that good from them.
Thom Langford
No, no, it doesn't. That's — it's never — it's — and again, it's degrees, isn't it? It's one thing to respond to this in a legal way, in a sense of, you know, legally worded, we don't agree with this, versus being able to say we're gonna sue the researcher that actually found this out. Why not give the guy a Eufy, I don't know, goodie bag and say thank you very much, let us know, and we'll try and fix it?
Graham Cluley
Yeah. Well, that's what Yahoo did, didn't it? They offered someone a $12 t-shirt. It was like, there you go.
Carole Theriault
Thanks for the vulnerability find.
Thom Langford
He's a security researcher. Offer him a vacuum cleaner at the very least. You know, and a robot one so he doesn't have to do it himself. But, you know, I mean, the cost of that is nothing compared to how they could actually come out of this in the media and in the general public as "We take this shit seriously."
Graham Cluley
Yeah.
Thom Langford
So, Eufy, do better.
Graham Cluley
Not good at all.
Thom Langford
No, do better. And just slide up into my DMs if you want my address to send me, you know, some cakes.
Carole Theriault
You've really helped them out here with this story.
Thom Langford
Hey, I'm just trying to, you know, educate them as to what's an appropriate response. Publicly.
Graham Cluley
Carole, what's your story for us this week?
Carole Theriault
All right, so I think the overall thing I want to ask about my story is, is this a storm in a teacup or an utter outrage or somewhere in the middle?
Graham Cluley
Oh, right.
Carole Theriault
Okay. And this story was brought to me by my buddy Anna Braiding, buddy of the show. It's a Vice story, so it all takes place at Northeastern University. This is 'a university like no other.' That seems to be their strapline. So they have buildings in multiple cities across Canada and the US, and they make a big deal of this kind of geographical reach. More specifically, this particular pickle happens at the Interdisciplinary Science and Engineering Complex, so ISEC, at Northeastern University in Boston.
Graham Cluley
Right.
Carole Theriault
And this is actually a building and a pretty sexy and expensive building at that. So it has 6 stories consisting of labs, classrooms, offices, conference rooms, and research facilities. So the first floor alone consists of two 50-seat lecture halls, two 50-seat active learning classrooms, a bicycle storage room, a 24-seat biomaterials teaching lab, a cafe, a 280-seat auditorium, and that's just the first floor. So big, right?
Graham Cluley
Right.
Carole Theriault
And typically in academia, these types of spaces are awarded to the disciplines that bring in the most cashola. So if I'm in a cool, you know, hot discipline and I get loads of grant money for my research, the university is very, very happy and they want to give me something cushy to work in so I don't leave.
Graham Cluley
Yeah, you're not gonna — you're not gonna give all those resources to campanology or something like that, are you?
Carole Theriault
Right.
Graham Cluley
Give it something which is a bit sexier.
Carole Theriault
Yeah. The thing that's going to bring in the cash, right, to pay for all this.
Graham Cluley
Yes.
Carole Theriault
So it's not a surprise that this ISEC building is also home to Cybersecurity and Privacy Institute, a discipline focused on studying surveillance.
Graham Cluley
Right?
Carole Theriault
So you have this marvelous building, which is a hive of amazing cutting-edge research and activity. And then the panda hits. Fucking autocorrect.
Graham Cluley
The panda?
Carole Theriault
The pando.
Graham Cluley
There's a panda going around punching people in Northeastern University.
Thom Langford
That's interesting. The panda.
Graham Cluley
I thought they were endangered, but it turns out the pandas are endangering students.
Thom Langford
Yeah, I would say this is a storm in a teacup if it was just one panda.
Carole Theriault
Well, so funny.
Graham Cluley
A teacup.
Carole Theriault
So we have the pando, and like most buildings, the building was emptied, right? And it lay empty, awaiting the return of all these students doing research. But like most companies, it turns out that the researchers weren't all super, super thrilled about going back to doing the normal hours in the office.
Graham Cluley
Yeah.
Carole Theriault
So Max von Hippel, he's the Privacy Institute PhD candidate, and he says this. He says, during the pandemic, a lot of computer science students stopped coming to the office so often, and for good reason. It was unsafe to come for many students. And moreover, all we do is write computer code. We don't really need to be in the office. It was sort of bad optics. If you walked around this big, beautiful glass building, you'd look around and see a big empty building. But this is one of the buildings that Northeastern uses to advertise the school. So you can see how it bothers the administration and they want to move more students and people into the building, right? Which is reasonable enough.
Graham Cluley
Yes.
Carole Theriault
Okay. So we have this big, sexy building, not enough bums on seats, which might impact future grants. And, you know, otherwise the office tours are pretty dull. It's oh, there's Steve. He maintains the coffee machine. And Doreen, head of reception, whatever.
Graham Cluley
And this is when they let the pandas in. This is when they let loose a bunch of pandas and maraud around the building to make it look busy.
Carole Theriault
I think that probably was part of their brainstorming. But what would you do to get more bums on seats? What would be your idea on this to kind of understand what's going on?
Graham Cluley
Heated seats, maybe? I mean, if it's cold in Massachusetts. Oh, interesting.
Carole Theriault
That's very interesting you said that.
Thom Langford
I still like the panda idea because, you know, a win-win would not only be for the administration but also the name of one of the pandas.
Carole Theriault
Okay, well, let me rivet you with what they actually did. Northeastern quietly introduced heat sensors under desks without notifying students or seeking consent. So Max von Hippel explained in his newsletter, early in October, Senior Vice Provost David Luzzi. It's a funny name, but L-U-Z-Z-I.
Graham Cluley
Let's not make fun of names here, okay?
Carole Theriault
How would you say his name? No, no, I'm just—
Graham Cluley
Come and have my wonderful meatballs at the Luzzi. I have a heat sensor.
Thom Langford
Yeah, he speaks with his hands.
Carole Theriault
So Provost Lutzi, right? He installed motion sensors under all the desks at the school's ISEC complex, a facility used by graduate students who study surveillance. I'm trying to say it right. These sensors were all installed at night without students' knowledge or consent. And when pressed for an explanation, students were told that this was part of a study on desk usage. So I want you to imagine this is you in your place of work, wherever that may be, and you find this out. You obviously weren't told this, you discovered this. How are you feeling?
Thom Langford
Off the top of my head, I don't think I would give a toss, really, because on the whole, it's just a simpler way of someone walking around counting who's in the office.
Graham Cluley
If you did give a toss, Thom, that could actually affect the temperature under the desk.
Thom Langford
You think it could? In fairness, yes, it could.
Graham Cluley
Oh no.
Carole Theriault
So one of the big problems is, it sounds useful, but they already have a key card, and to get into these labs, you have to use the key card. So they already know how many people are in each room.
Thom Langford
Yes. So what is the ulterior motive then, would be my next question.
Graham Cluley
Is it— okay, I'm going to play devil's advocate. Is it to detect whether they might be infected by coronavirus? Because then they would have a heightened temperature, albeit maybe not under the belt.
Carole Theriault
Yeah, that also happens if you're pregnant, have your period. Oh well, right, loads of stuff. Right. So anyway, they were told, so they were going, hey, hey, we're not happy with this, right? Students are going, this isn't cool. And they said, look, this is only to analyze how the building and space is used. You know, we deployed a Spaceti. Okay, this is the company name, Spaceti. Lutzi, now we know why Lutzi chose it.
Graham Cluley
It's a family company. We do meet up on the Spaghetti.
Thom Langford
Who invited the end-of-the-pier entertainer?
Carole Theriault
So it's called— the company's called Spaceti, and it's an occupancy monitoring system that uses heat sensors at groin level to aggregate data by subzones to generate when a desk is occupied or not.
Graham Cluley
So who are they?
Carole Theriault
Then Lutzi responds, right, in an email saying that data would be anonymized, aggregated to look at themes, not individual times at assigned desks. You know, and all this. And the students still weren't happy. So they decided that they would just start removing the sensors and hack into them and work on an open-source guide for other students so they could do the same.
Graham Cluley
Wouldn't it have been easier just to put a toaster under each desk and then turn that on and fool people into thinking there was someone sat there?
Thom Langford
Do you know how much money the average student has? They can't all go out and buy toasters.
Carole Theriault
Exactly.
Thom Langford
But I think the thing that gets me the most is the students on this course are privacy students, right? They're studying this exact kind of thing. What did the administration expect was going to happen?
Carole Theriault
Yeah, totally. But get this, it even gets better. So Lutzi, of course, claimed the devices were completely secure and the data was encrypted. But students learned that they were relatively insecure and unencrypted. So quote this: "The students of the facility, including myself"— this is Hippel still speaking.
Thom Langford
Luzzi.
Graham Cluley
Oh yes, Hippel.
Thom Langford
Yeah.
Carole Theriault
Hippel saying, "The way that we get into publications is that we take systems like this and we explore flaws in them. We explain what's bad about them, why they don't work. Luzzi? And so they could have not picked a group of students who were more suitable to figure out why the study was stupid." Oh.
Thom Langford
Luzzi. Yes.
Carole Theriault
Students then wrote an open letter to Lutzi and university president Joseph Aoun asking for the sensors to be removed because they were intimidating, part of a poorly conceived study, and deployed without IRB approval, even though human subjects were at the center of the so-called study. Lutzi still wasn't convinced.
Graham Cluley
Luzzi.
Carole Theriault
And guess what happens?
Thom Langford
Luzzi. Oh, he doubled down. He doubled down.
Carole Theriault
It goes back and forth, back and forth. The kids then start— they do a public art piece in the building lobby spelling "no" with the devices.
Graham Cluley
Right. An interpretive dance.
Thom Langford
Through the power of mime.
Carole Theriault
Exactly. All that's going on. And finally, a speed bump is hit that could not be overcome. And that is Twitter. Max von Hippel took to the platform, shared what became a semi-viral thread documenting the entire timeline of events from the secret installation of the sensors to the listening sessions occurring that day. And hours later, the sensors were removed.
Graham Cluley
Huzzah!
Carole Theriault
Quite incredible though, that they managed to get them removed. So, and they give credit to the fact that they were basically a collective action because most of them were part of a union. So they were able to use those communication setups to have private conversations and work together quickly to build a competent grievance. So, storm in a teacup? I mean, these things are already apparently at other universities. They're certainly used in prisons. They're used in schools as well with kids.
Graham Cluley
It gives a whole new meaning to packing heat, doesn't it? Yeah. Spaceti Spaghetti.
Carole Theriault
And secretly.
Thom Langford
They haven't got a leg to stand on. Yeah, and secretly. Right?
Carole Theriault
And secretly. Why wouldn't you just go to them and go, hey, we think we really need to defend this building to make sure that we— they know we are going to use it enough so they don't take it away from us. Can you check this tech and see if it's good?
Thom Langford
How about using the collective power of these students who do exactly this sort of thing and are learning to do it for their future livelihoods? Yeah, rather than trying to push against them with his head behind.
Graham Cluley
I think the students were a little unimaginative. I think if I hadn't wanted to be tracked, what I would've suggested to my fellow students is that we strap ice cubes to our testicles, so that the heat wouldn't be sensed.
Carole Theriault
What kind of show is this?
Thom Langford
Are you assuming that they all have testicles?
Graham Cluley
Oh, well, I—
Carole Theriault
Oh yeah, they could protect
Graham Cluley
Oh yeah, the scrotum concealment.
Thom Langford
Oh yes! Ah, now that's—
Carole Theriault
Fill that with ice instead. There you go.
Graham Cluley
Oh, there you are. Thank you, Carole. You're welcome.
Carole Theriault
them with that device from I paid.
Thom Langford
There's an image I never got out of my mind after seeing.
Graham Cluley
Listeners know that a password manager is an important tool for generating and saving secure credentials for each of your online accounts. And podcast sponsor Bitwarden makes it easy to stay secure and for businesses to share logins with team members and departments. Now, what's nice is that it's open source.
Carole Theriault
last week, right?
Graham Cluley
With published third-party security audits, Bitwarden is transparent and secure. It utilizes end-to-end and zero-knowledge encryption with source code that can be scrutinized by all. And the team at Bitwarden are always introducing new features to make your life easier as well as more secure. For instance, they've just introduced passwordless login for the Web Vault, meaning you can authenticate into the Web Vault using your Bitwarden mobile app instead of entering your master password. Learn how Bitwarden can help you do business faster and more securely at bitwarden.com/smashing and start a free business plan trial today. That's bitwarden.com/smashing.
Carole Theriault
Is your organization finding it difficult to achieve compliance and scale its security posture? As G2's highest-rated cloud compliance software, Drata streamlines your SOC 2, your ISO 27001, your PCI DSS, your GDPR, and your HIPAA compliance. Plus, it provides 24-hour continuous control monitoring so you can focus on scaling securely. Drata is the only compliance automation platform with a private tenant database. They say it's like having your cake and securing it too. Countless security professionals from companies including Notion, FullStory, and BambooHR have shared how crucial it is to have Drata as a trusted partner in their compliance process. Listeners, you can get 10% off Drata and waived implementation fees by visiting smashingsecurity.com/drata. That's D-R-A-T-A. And thanks to Drata for sponsoring the show.
Graham Cluley
The challenge with endpoint security has always been that it's difficult to scale. And when remote work took over, that challenge got exponentially harder. You need visibility into your fleet of devices in order to meet security goals and reduce service desk tickets. But how do you get that visibility when different parts of your company run on Mac, Windows, and Linux? Well, you get Kolide. Kolide is an endpoint security solution that gives IT teams a single dashboard for all devices, regardless of operating system. Kolide gives you real-time access to your fleet's data and can do things that traditional MDMs can't. And instead of installing intrusive agents or locking down devices, Kolide takes a user-focused approach that communicates security recommendations to your workers directly. Directly on Slack. You can answer every question you have about your fleet without intruding on your workforce. Visit kolide.com/smashing to find out how. If you follow that link, they'll hook you up with a goodie bag just for activating a free trial. That's k-o-l-i-d-e dot com slash smashing. And thanks to Kolide for supporting the show. And welcome back. Can you join us for our favourite part of the show? The part of the show that we like to call Pick of the Week.
Thom Langford
But all these things, it comes down to, one, the intention that they're being used for, two, the communication as to why they're being used upfront before they're installed, and, you know, to see if there's actually a valid reason for it. And three, making sure you're selecting the right system that your data is secure.
Carole Theriault
Pick of the Week.
Thom Langford
Pick of the Week.
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they read, a TV show, a movie, a record, a podcast, a website, or an app.
Thom Langford
Because if they'd broken them off and looked into it and found that it met every single stringent security requirement, they might have gone, well, you know, we haven't really got a leg to stand on because it's doing all the right stuff. And, you know, the administration does need to know about certain things.
Graham Cluley
Whatever they wish. Doesn't have to be security-related necessarily.
Thom Langford
Maybe it would have taken the wind out of it. But the fact that it was a crap solution that was implemented that actually did nothing of what I presume it said it was going to do.
Carole Theriault
Better not be.
Graham Cluley
Well, my Pick of the Week this week is not security-related. You may remember, oh, it's quite some episodes ago, I was talking about how wonderful Web3 is, Web 3.0, the blockchain, NFTs, and how all the great successes of the blockchain and NFTs and cryptocurrencies were being documented on a website called web3isgoinggreat.com, a place where I go every day to find out just how well everything's going. Well, that was for Web3. There's something else which is going really, really well as well. Carole, you know that I talk about it a lot, and that is Twitter. And there is a superb website now called TwitterIsGoingGreat.com as well, where you can find out all— if you haven't been keeping track of all the huge successes that Twitter's been having.
Carole Theriault
I've tried my hardest not to. I really do my very best and my work brings it to me and I'm going to have a grievance soon.
Graham Cluley
This is being regularly updated with all the latest. And it's wonderful stuff. I enjoy it. I follow this account also on Twitter and on Mastodon.
Carole Theriault
You need therapy.
Graham Cluley
And yeah, twitterisgoinggreat.com. If you're interested in just how well everything's going on Twitter, check out twitterisgoinggreat.com. And that is my pick of the week.
Thom Langford
I'm just looking at the screenshot. It's in there. It sounds brilliant. It looks great. It's like watching a car crash in slow motion. And let's face it, it doesn't matter who you are, you really want to watch something like that. So my pick of the week, normally I like to do a gadget or a bit of tech or something like that. But I'm going to embrace my inner nerd on this and hopefully bring the rest of you to maybe a little mini nerdgasm, I don't know.
Graham Cluley
But I'm not going to embrace you, Thom, actually. And so I think we'll let you do that to yourself.
Thom Langford
So it's a TV show. It's a TV show called Pennyworth. And those in the know will probably recognize that name straight away. But it's a DC Comics show. There's two seasons. And it's about Alfred Pennyworth, who is Bruce Wayne or Batman's butler but this is the origin story. This goes back to the late '50s, early '60s in London when Alfred Pennyworth is a recently demobbed SAS regiment soldier who has done battle in Borneo. I think it doesn't specifically explain it, and it's about him being demobbed and then getting caught up in sort of socio-political things. Now you often hear when talking about films or TV shows that, you know, a critic like Brian Sewell would say something like the extra uncredited cast member is of course the city that they play in. And I never really got that.
Graham Cluley
Yes, I understand.
Thom Langford
Until I saw this, because it's London in the 1950s and '60s, but it's not a London that we recognize. And you realize that about halfway through the first episode when you see people, dead people in gibbets hanging in the streets and people in stocks. And then they do televised public executions and things like that. So it's like a semi-fascistic state. And you know, the Prime Minister, who's this sort of very dour Anthony Eden type looking chap, snorting coke off a mirror whilst a lady of the night is fondling him, you know, that sort of thing. It's a very kind of dark dystopian thing. And the Prime Minister is absolutely on board with vicious torture of people and blah blah blah. So you know, this semi-fascistic state, very sort of dystopian, which ties in well with Gotham, you know, as this sort of—
Carole Theriault
And this is the antidote, this is definitely the antidote to all those cheery Christmas films if you're not into those.
Thom Langford
Oh hell yeah, hell yeah!
Carole Theriault
This is where you go if you're a grumbly guy.
Thom Langford
So Alfred Pennyworth, he's definitely the protagonist of the show, but he's not a good guy necessarily. He's a good guy that does bad things, if you see what I mean.
Graham Cluley
Okay. Thom, what's
Thom Langford
So he's not averse to popping somebody, you know, dropping, giving somebody a little bit of lead poisoning, you know, through their forehead, if pushed hard enough and all that sort of thing. So you're kind of, you're rooting for him, you know what's going happen, because it also introduces Thomas Wayne and Martha Kane, the future Martha Wayne, you know.
Graham Cluley
your pick of the week?
Thom Langford
So you know what's going to happen to them.
Graham Cluley
They're Batman's parents. Yes, that's right.
Thom Langford
Yeah, but right, so you see where he's come from. But also what's really interesting is he talks like Michael Caine. So the Michael Caine, of course, from Christopher Nolan's Batman film. So he talks like Michael Caine. And he does these sort of little tricks like, you know, appearing in rooms, you know, where, you know, sneaking into buildings without anybody noticing and appearing in rooms and things like that, which is exactly what Batman does. So you kind of see, so that's where he learns it from, you know. So it's— there's lots and lots of nice little tiebacks.
Carole Theriault
Oh, that's cute, that's cute. Yeah.
Thom Langford
And I've watched, I'm on the second season now. I'm binging it. It's very, very good. It's great fun. And two things: it's got Paloma Faith in it. Oh yes, who plays a real antagonist, an utter psycho, and she's brilliant. And it's also got a chap called Ramon Tikaram. Now you may remember a singer from a few years back called Tanita Tikaram. Yeah, so that's Ramon's sister. And I used to go to school with Ramon Tikaram. Boom! There. Claim to fame.
Carole Theriault
Well, there you go. There you go. A trifecta of today I learned.
Graham Cluley
I remember that Ramon Tikaram, he used to be in This Life, I seem to remember. Did you see that?
Thom Langford
Yes, that's right. That's right. Yeah. And he was in Game of Thrones as well.
Graham Cluley
Oh, was he?
Thom Langford
Yeah. For one episode. And then his head, his head was in the next episode.
Graham Cluley
So something good came out of your school then, Thom. In the form of Ramon Tikaram.
Thom Langford
He was the other thing that came out of the school that came out all right. Yeah. So Pennyworth, check it out. IMDb link in the show notes, because it's— I got it from iTunes or Apple TV or whatever, but I'm sure it's available elsewhere. Highly recommend it.
Carole Theriault
OK. Thank you.
Graham Cluley
Carole, what's your pick of the week?
Carole Theriault
OK, so what do Billy Connolly, Lee Child, Alan Moore, and Gary Barlow have in common?
Thom Langford
Oh, I think I know the answer to this, but I'm not going to ruin it.
Carole Theriault
You can. What is it? What do you think it is?
Thom Langford
Maestro, I believe it's called.
Carole Theriault
Yes, BBC Maestro. Yeah, streaming channel.
Thom Langford
BBC Maestro.
Carole Theriault
Oh, so this was created to basically educate and inspire people to explore or other creative crafts. So through prerecorded lessons and detailed course notes, you can kind of learn a whole host of things. And you can purchase just one course, right? So there's about 20 or 30 available right now.
Graham Cluley
So it's a sort of celebrity masterclass where a celebrity teaches you something? Is that right?
Carole Theriault
It's not a celebrity necessarily. So you'll have Billy Connolly there, but he's doing this whole class on comedy, right? And Lee Child's focusing on writing books, Alan Moore on storytelling. So they're kind of experts or at the height of their game. And they're sharing their findings, their thoughts. It's really great. I've just listened to one so far. I've listened to the full course with Alan Moore on storytelling. I watched it in 3 days. I already want to go back and rewatch because it's bloody fantastic. He is just a god. I can't imagine any of the others are going to be as good as this. This is just worth every penny already. So he, for those who don't know him, he straddles genres: comics, From Hell, The League of Extraordinary Gentlemen, Swamp Thing, and modern literary classics, including Jerusalem, a 1,266-page experimental epic novel set over centuries in the realms of his hometown of Northampton. He's a nutball. He's a total nutball. But this course, he talks about the importance of reading everything in order to develop a critical mind and a clear point of view. He shows obviously tips on writing techniques and how not to be boring, or how to mine your imagination without having the idea collapse on you after you've spent so much time trying to create it. Rhythm, the importance of rhythmic elements in your writing. Anyway, it's great. 33 lessons in that course alone. So I would say probably 4 to 5 hours' worth in total, and already worth the price of subscription. I think it's about, regularly it's £110, but they often seem to have sales and bring it down to about £65. So that's about $100.
Graham Cluley
Really?
Carole Theriault
Oh, so it's currently on sale actually at the time of recording anyway. So I say check it out, you'll find something you love. I've actually got my next one lined up on Indian cooking, so I'm into that. So I was going to do that over Christmas. So, this is BBC Maestro, and it's available in lots of different locations, not entire world over, but there was at least 20 countries listed. So, check it out, BBC Maestro. That's my pick of the week.
Carole Theriault
Superb. Sounds interesting.
Thom Langford
So, you can find me on the bird site as well as Mastodon, actually. It's @ThomLangford, T-H-O-M, because Twitter wouldn't let me have the H, Langford. Also go to podcast.hostunknown.tv if you'd like a little change and you enjoy lower quality programming. And you can follow us on Twitter at Smashing Security, no G, Twitter doesn't ask to have a G, at least not yet, they're not quite that desperate yet. Smashing Security now has a Mastodon account. And huge thank you to this episode's sponsors, Kolide, Bitwarden, and Drata, and of course to our wonderful Patreon community. It's thanks to them all that this show is free.
Graham Cluley
Until next time, cheerio, bye-bye, bye!
Thom Langford
Ta-ta!
Carole Theriault
Do you know what tartare in French means? Idiot.
Thom Langford
Yeah, look at the tartare on that.
Carole Theriault
Seriously, Thom, that's what we're gonna end with? You both get— you guys get very smutty together. You guys, you set each other off, I think.
Graham Cluley
I'm not going to claim that I ever set Thom off.
Thom Langford
Oh my God.
Carole Theriault
Okay, I'm hanging up now.
EPISODE DESCRIPTION:
An AI chatbot is causing a stir - both impressing and terrifying users in equal measure. A security researcher discovers that a "smart" cam that doesn't use the internet is, er... using the internet. And university students revolt over under-the-belt surveillance.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Host Unknown's Thom Langford.
Warning: This podcast may contain nuts, adult themes, and rude language.
Drata – Put Security and Compliance on Autopilot. Build trust with your customers and scale securely with Drata, the smartest way to achieve continuous SOC 2, ISO 27001 & HIPAA compliance.
Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
Kolide – the SaaS app that sends employees important, timely, and relevant security recommendations concerning their Mac, Windows, and Linux devices, right inside Slack.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!