This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
Smashing Security, Episode 329: Pornhub, Barbie Dolls, and Can You Trust a Free TV? With Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, Episode 329. My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And this week on the show, Carole, we are joined by Matt Davey from 1Password's Random But Memorable podcast. Hi, Matt.
CAROLE THERIAULT
Hello. Welcome back. It's been a minute.
MATT DAVEY
It has. It's been a little while.
GRAHAM CLULEY
Pleasure to have you back. Lots of exciting things happening in the world of passwords and your podcast.
MATT DAVEY
Oh, absolutely. Yeah. Passkeys are pretty big at the moment.
GRAHAM CLULEY
So tell me, what are passkeys for anyone who hasn't heard about passkeys?
MATT DAVEY
So passkeys are basically a direct replacement for passwords built on FIDO standards. So they are essentially tokenized passwords that you can use on a bunch of websites.
Passkeys.directory will let you find out which ones. And they're all based on open standards and you can use them inside 1Password.
And it essentially replaces the need for two-factor and all of that stuff added on top, which is great.
GRAHAM CLULEY
Very interesting. Now, the only slight concern I have about passkeys is that they're based upon this FIDO standard, and I was told you should never name your passwords after your dog.
CAROLE THERIAULT
Oh my God. I'm sorry for the dad jokes.
GRAHAM CLULEY
Carole, save us.
CAROLE THERIAULT
Yes, I'm going to. Let's kick the show off. But first, let's thank this week's wonderful sponsors, Kolide and NordLayer. It's their support that helps us give you this show for free.
Now, coming up in today's show, Graham, what have you got?
GRAHAM CLULEY
I'm gonna be talking all about how to protect your sexual preferences.
MATT DAVEY
Preferences.
CAROLE THERIAULT
Okay, Matt, what about you?
MATT DAVEY
I'm talking about: is freemium hardware the future?
GRAHAM CLULEY
Ooh.
CAROLE THERIAULT
And I'm afraid we are gonna revisit those dark days of the 'rona, but it'll be interesting. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, let me take you on a trip around the internet to one of the most popular, most visited websites in the world, Pornhub. Are you familiar with Pornhub, Matt Davey?
CAROLE THERIAULT
I thought you were going to say Wikipedia or something.
MATT DAVEY
Is it really one of the most visited websites in the world?
GRAHAM CLULEY
It is. More people visit Pornhub than Amazon or Reddit.
CAROLE THERIAULT
What?
GRAHAM CLULEY
Yes, it is.
CAROLE THERIAULT
Shut the front door. I don't believe it.
GRAHAM CLULEY
Carole. I've done research on the internet. Always do your internet research. And I've discovered it's the 12th most visited website right now.
The top is Google and YouTube and Facebook.
A typical visitor, and there are about 2 billion people who visit Pornhub each month, they spend on average 7 minutes 40 seconds on the site, which I think is quite impressive really.
CAROLE THERIAULT
They have to find what they want to look at.
GRAHAM CLULEY
Oh, I see.
MATT DAVEY
There's a lot of searching, 7 minutes of searching, and then... The internal metrics that they must have as a company must be very confusing.
Because a lot of commercial websites have, right, okay, we want to make users stay on the website longer.
GRAHAM CLULEY
You want sticky users, don't you?
CAROLE THERIAULT
Get off literally and then leave.
GRAHAM CLULEY
Success perhaps is actually getting rid of people quite quickly.
CAROLE THERIAULT
Putting ads at really perfect moments just to keep them holding on.
GRAHAM CLULEY
One stat I saw was about their bounce rate. Now, the mind boggles at what that measures. 23.68%. I mean, I don't know. Snickers, Snickers, Snickers. There'll be a lot of that, Carole.
So a lot of people are spending an awful lot of internet time gawking at, of course, adult videos, which does mean that there's potentially a huge amount of data which could be being gathered by Pornhub about people's behaviors and their peccadillos, or maybe not their peccadillos, but at least their interests and their fetishes.
CAROLE THERIAULT
I'm glad I'm not an online perv now. Okay.
GRAHAM CLULEY
Right. Well, there is a bunch of Italian researchers and activists, they found some things which are concerning to them, and they have filed a complaint against Pornhub.
They say that Pornhub is behaving illegally in the way that it handles the data of millions of people.
And I thought, well, look, if this really is the 12th biggest website in the world, we should be talking about this because there is a chance that one or two of our listeners may go to the Pornhub website.
CAROLE THERIAULT
I'm shocked.
MATT DAVEY
I like the way that you're positioning this, as if everybody wants this data. I personally do not want anything to do with this data.
I couldn't want to be further away from looking at analytics about this. I feel like—
CAROLE THERIAULT
Can you imagine the categories?
GRAHAM CLULEY
You wouldn't want to touch it with your bargepole, would you? No, you'd—
MATT DAVEY
I'm sure this is very valuable data. But my goodness.
GRAHAM CLULEY
Well, these researchers, they are crying foul, saying that Pornhub is not obeying GDPR rules.
CAROLE THERIAULT
Oh, there you go, my little sweetheart, GDPR.
GRAHAM CLULEY
You see what I did there, Carole? See, I started talking about pervy stuff on the internet, and then I—
CAROLE THERIAULT
Yeah, you hooked me in.
GRAHAM CLULEY
I've taken a U-turn. So I got you interested, and now I've gone down the very niche crevice of GDPR.
MATT DAVEY
To the real fetish of GDPR.
CAROLE THERIAULT
This is my Achilles heel of interest.
GRAHAM CLULEY
Come on, rule whatever it is. Is it Rule 34 on the internet?
CAROLE THERIAULT
Mm-hmm.
GRAHAM CLULEY
There probably is GDPR porn. There probably—
CAROLE THERIAULT
Oh god.
GRAHAM CLULEY
I mean, you get—
CAROLE THERIAULT
You just can't sully GDPR.
GRAHAM CLULEY
You get washing machine repair porn. You get—
CAROLE THERIAULT
Do you?
GRAHAM CLULEY
Real estate agent porn.
CAROLE THERIAULT
Do you?
GRAHAM CLULEY
Of course you do, Carole.
MATT DAVEY
This is an education.
CAROLE THERIAULT
Right?
GRAHAM CLULEY
Why is it me educating you on this? Yes, I believe, I believe.
CAROLE THERIAULT
Oh, suddenly now the words are coming in. I've heard, a good friend of mine said.
GRAHAM CLULEY
I've heard a rumour that the typical scenario is someone comes around with a spanner to fix your washing machine, and the owner of the house will say, oh, I like the way you're doing that.
CAROLE THERIAULT
Typically my husband, big hairy guy.
GRAHAM CLULEY
Right, you know, and anyway, so I'm thinking there probably is sort of porn involving GDPR auditors who come around to your company and say, Oh, there's some pretty hot data here or something which we need to—
CAROLE THERIAULT
Listen, feel free to send it in should you find it. Graham is very interested.
GRAHAM CLULEY
Send it to . Make sure she gets it, not me. Anyway, the issue is this. Apparently Pornhub doesn't make it easy to opt out of being tracked by cookies.
CAROLE THERIAULT
Great.
GRAHAM CLULEY
And apparently it isn't clear about what data it's sharing with third parties.
So there is this chap, this researcher in Italy who set up this group, which he's calling Stop Data Porn. His name is—
MATT DAVEY
That noise was just me opening up my personal laptop in order to follow the links that you've sent, because I'm not going to open that on my work computer.
GRAHAM CLULEY
His name is Alessandro Polidoro. And Alessandro Polidoro is a digital rights activist, and he's leading this legal action against Pornhub.
He says that the site has an algorithm which assigns you a sexual preference based upon the type of porn you watch.
CAROLE THERIAULT
You know, you just want to wank in private, really, don't you? Like, this is—
GRAHAM CLULEY
Hopefully, yes.
CAROLE THERIAULT
Yes, but right now, this information— okay, so they now know your sexual preference basically.
GRAHAM CLULEY
So if you are only interested in porn videos involving quantity surveyors, for instance, right, they will be able to say, okay, I will now serve that person up more quantity surveying porn.
Or if you're into, I don't know, porn which is reenactments of the 1980s comedy drama Lovejoy, involving a roguish Ian McShane with his mullet way back then.
Then you'll only get— well, I'm just giving examples, Carole. I'm trying to imagine what kind of porn there is. It isn't all washing machine related porn anyway.
So it's collecting all of this information and it's gathering this in order to show you the kind of porn you want. And it does this even if you don't log into the site.
Now, this was a surprise to me. It turns out you can actually log into pornography websites.
I don't know why you would log into pornography websites, but even if you don't log into pornography websites, it's still collecting this information.
Because apparently it is actually using cookies and collecting data, which is then saved in your browser's local storage.
So it's like your history or it's like the other information your browser is storing. And it's all being kept there. And you may not be aware that it's being kept there.
All these ID numbers for the things about you and what you like to watch on Pornhub are actually being collected, according to these Italian researchers.
CAROLE THERIAULT
Okay. Sorry. So I don't know a lot about this, but say I, you know, you go and visit your whatever, your porn, your GDPR porn.
And most people, I'm guessing, if they don't want to get caught doing that afterwards, wipe their— what do they wipe on their computer? They'd wipe—
GRAHAM CLULEY
You might wipe your browser history. You might wipe your browser history, but you probably need to wipe other bits of data from your browser as well, your cookies.
Make sure any information that's stored about the website has been zapped as well.
CAROLE THERIAULT
And if I'd done all those things, would I still, would this information still be being collected?
GRAHAM CLULEY
Well, no, if you've properly wiped your browser, you know, if you've wiped it clean after you've done your business, then you should be fine.
So, essential sort of browser hygiene rules would help you.
CAROLE THERIAULT
I didn't know you knew so much about porn.
GRAHAM CLULEY
Well, no, it's more about general internet privacy, about how to clean up after yourself.
So, according to the Stop Data Porn Collective, they're a collective, they're an initiative, I don't know if they're a congress as well, according to the Stop Data Porn organization, this group of people, there's a lot of information which has been collected, and Pornhub is not being transparent about what it's collecting.
It's not giving you the option to opt out. And according to some researchers, it's probably unlikely the average user even reads Pornhub's privacy policy.
Now, I don't know about you guys, but I find that very, very unlikely. There's nothing more likely to get me in the mood.
I know this works for you as well, Carole, than reading a good privacy policy.
CAROLE THERIAULT
I love it.
GRAHAM CLULEY
Right, Matt? Are you keen to look at the terms and conditions?
MATT DAVEY
I mean, I'm currently skimming the research paper and I think it's probably about as, you know, similar wording, similar level of detail. Similar level of interest.
GRAHAM CLULEY
Right. So in Cyprus, which is where I think Pornhub's European headquarters is. Pornhub is owned by a company called MindGeek, which is based in Canada.
Carole, there you are.
CAROLE THERIAULT
Mm-hmm.
GRAHAM CLULEY
Their data protection regulator, the one in Cyprus, is currently doing a full audit of Pornhub. Now, I don't know what that involves.
It's taken them a while, for perhaps understandable reasons.
CAROLE THERIAULT
God, it's going to be a lot of sites. A lot of sites.
GRAHAM CLULEY
It's a lot of content up there. You know, so maybe they'll have to— who knows if they're getting distracted anyway.
Word is they're having a go and it's going to take them a couple of years to get through it all. But this does seem to be a problem on porn sites.
And that is my advice for gentle listeners of this podcast, is if you are visiting adult websites, beware, because in 2019, researchers analyzed 22,484 pornographic websites and found that 93% of them leak data to third parties.
CAROLE THERIAULT
Jesus Christ.
GRAHAM CLULEY
And round about half will suggest a gender or sexual identity that they believe can be linked to you.
So they are making assumptions, they are learning about you, and they are collecting information.
CAROLE THERIAULT
So I guess one of the ways you get around this is just use— share your account, share your Pornhub account or your computer with lots of users, right?
GRAHAM CLULEY
Oh, so if you're in a work environment, you mean?
CAROLE THERIAULT
Correct. If you're in the office, why not let the whole team use them?
GRAHAM CLULEY
Let everyone just chip in. Okay, we're gonna have a 10-minute break here, company-wide. Next 7 minutes 40 seconds, off you go. And then we'll get on with work afterwards.
Matt, you're being suspiciously quiet.
MATT DAVEY
Yes, on purpose. No, I'm just fascinated that the Monopolies Commission isn't more involved in this.
This MindGeek thing, I've Googled it again, and it seems they own half the internet. I mean, the shady side of the internet, but it seems they own half the internet.
GRAHAM CLULEY
Yeah, Pornhub is the biggest adult website they own, but I think they own a number of other sort of top adult websites as well.
MATT DAVEY
So I was just looking at the traffic numbers and, you know, all that kind of stuff.
Facebook is in the news every other day about this kind of stuff that they're tracking and, you know, not respecting countries' guidelines and all this kind of stuff.
But I bet this is worse, but we just kind of don't talk about it.
GRAHAM CLULEY
Maybe that's it.
CAROLE THERIAULT
Yeah.
Can you imagine that the policy guy who's going to bring this, you know, to the House of Commons or whatever and say, look, I really want to add protection for all those people out there wanting to—
MATT DAVEY
You know, the sad thing is I absolutely can. I think that is a damaging statement to our government, but unfortunately I had to say it.
GRAHAM CLULEY
Matt, what do you have for us this week?
MATT DAVEY
Well, my first one is, neal.fun has made a password game, and it is one of the most infuriating things if you've not played it. I highly recommend it.
That's the fun thing that I want to bring.
GRAHAM CLULEY
But we'll put a link in the show notes. It's a great little online game, isn't it?
About choosing a password because normally you're on a page and it's telling you to choose a password for your account and it says use an alphanumeric or use an uppercase letter or you have to have— and it just gets crazier and crazier as you go along.
But it's good fun trying to satisfy all the criteria.
MATT DAVEY
The requirements are quite awful, yeah.
GRAHAM CLULEY
There was one point where it said put in an emoji of the current phase of the moon in your password.
So I found myself investigating what it was and trying to find the bloody emoji for it. Anyway, it's great fun.
MATT DAVEY
I think the owner of this website has even said that they haven't managed to actually complete this. I got as far as add the Wordle of the day into your password somehow.
And I was just like, I'm not going to another website, going to get the Wordle and then coming back and somehow working it into my password that already has to have a maximum number of characters.
So I'm going to have to delete it. And one of them was like, make the Roman numerals add up to a certain amount.
So I had to do that, and then there was already an I in one of the previous terms that I had to add in. So then I had to remove that I for a Roman numeral, and it was terrible.
CAROLE THERIAULT
Listeners, if you want to have a play right now, you can go see it. It's at neal.fun/password-game.
GRAHAM CLULEY
Good fun. Anyway, that wasn't the main thing.
MATT DAVEY
It wasn't. The slightly more depressing article that I wanted to talk about was that there is a free TV, in the kind of dodgy sense of the word, available.
It looks pretty cool.
It actually has a secondary bar along the bottom, so if you want to watch TV with someone remotely, you can have their image down on this almost second TV bar at the bottom.
CAROLE THERIAULT
Oh.
MATT DAVEY
But the real usage of this, and it looks really good for a free TV. Completely free.
GRAHAM CLULEY
Yeah.
MATT DAVEY
Apart from not completely. And the bottom bar of it does have adverts in.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
So they're permanently visible while you're watching TV, I guess.
CAROLE THERIAULT
Yes.
MATT DAVEY
And also, you can't hang anything over that bottom bit or hide the bottom bit or disable it in any way or try and change the hardware for it.
CAROLE THERIAULT
How would they know if I put, I don't know, electrical tape across it?
MATT DAVEY
Because they've got light sensors built into it so that if you hang anything over it, they disable the other TV as well.
GRAHAM CLULEY
Maybe you could put— Maybe if you're sat on your sofa and you have a coffee table in between you, if you angle it right—
MATT DAVEY
Oh yeah, yeah.
GRAHAM CLULEY
You could put something on the coffee table so it just blocks it out from your vision.
CAROLE THERIAULT
Graham's lying on his shoulders.
MATT DAVEY
But also, the things that you need, the settings for the TV, the volume change, the channel change, and the guide and all that kind of stuff, it all lives in that bottom display.
GRAHAM CLULEY
Oh, so that's clever.
MATT DAVEY
So they've kind of made it useful.
GRAHAM CLULEY
Damn them.
MATT DAVEY
But it is a scrolling ad bar as well. So it's constantly moving.
CAROLE THERIAULT
It doesn't talk at you, does it? It doesn't say, "You really want to buy this cleaning detergent." I mean, who knows where this is going?
MATT DAVEY
The manufacturers say if you try to degrade the TV experience, I think that means hack it, basically.
GRAHAM CLULEY
Right.
MATT DAVEY
Degrade is a loose use of the word there. We have the ability to deactivate the television. So that kind of intrigued me as well.
CAROLE THERIAULT
Because you have no rights, I guess, because it's free.
MATT DAVEY
Yeah, you are attaching this to your Wi-Fi. You are signing into it with all of your things. It's essentially a laptop these days, a television, right? It's essentially a computer.
So the amount of stuff that you're kind of handing over to this company on the basis of saving yourself, you know, a couple of hundred quid. I don't say that lightly.
TVs are getting really expensive these days. But how much is it actually worth?
And the interesting thing about this is I think there's a sign of things to come here, if this is successful, of essentially freemium hardware. Already, with some things that you buy, activity trackers or something, the thing that you buy has a reduced cost because you're getting a subscription afterwards.
This is kind of similar to that, but in the fact that you are getting the TV for free and then you are the product.
You are watching it and that is what is getting the money and eyeballs and stuff.
GRAHAM CLULEY
This seems to be quite common in TVs to some extent. I've got a Samsung TV, it's a few years old.
And you know, if I go to the menu, there are some ads which pop up, which is quite irritating.
So what I had to do is I had to put something in, you know, my router or whatever to prevent access to those ad servers because I just found it irritating.
These things— so I'm blocking them that way and it hasn't prevented my TV from working. I paid for my TV.
It does seem a lot of the TV companies are looking to monetise, and we've seen in the past TVs which have monitored what you watch and then sent information back to the mothership in order to collect data.
Has this TV also got a microphone and a camera?
MATT DAVEY
Microphone, camera, everything.
CAROLE THERIAULT
So you're almost the commodity as well. Oh, absolutely.
Yeah, it's not only that you're saying we're watching your ads, but we're also monitoring you and collecting when you watch, what you watch, how often you watch, where your eyeballs go.
GRAHAM CLULEY
We're broadcasting you direct to chat roulette.
MATT DAVEY
Oh, goodness. If you are most susceptible to adverts during some sort of TV show that has fancy clothes in it or something, they can absolutely, you know, tell that.
CAROLE THERIAULT
I'm sitting there eating a bucket of ice cream, snarfling away, right? And it starts showing me ads for, I don't know, antacids or something.
GRAHAM CLULEY
So they're giving these away completely free?
MATT DAVEY
They are, but you do have to sign a terms of service.
And so there's a quote here on The Verge that says, if some people try to game and fraud against our terms of service, we'll kindly ask you to rectify the situation or return the device.
And of course, they can turn off the TV for you as well. The telly's— this thing is called the telly, which is very confusing because in the UK all tellies are called tellies.
Telly's terms of service previously mentioned a $500 credit card charge that would be enforced on anybody that violates the agreement without returning the TV hardware as well.
So, you know, it's free, but kind of not really.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Oh my goodness, I've got it. I know how to do this. I've worked it out. Okay, this is how we scam it, right? We get one of these TVs, we put it in a room on its own, and we turn it on.
We have a camera or a camera phone which is pointed just at the top half of the screen, the bit without the bar, and we stream that onto the internet, and that's what we watch.
Oh, we would have to— actually, there's no point in this, would there? Because we'd watch that on another TV. Okay, so we'd have a— Okay, forget everything I said.
MATT DAVEY
Also, can they use that camera to sense that you're in the room? And say that you're not actually watching it. There's a camera phone in front of the TV, right?
The article says that they won't use the camera for their business, but that's this one. I'm not really worried about this one. I'm worried about the next one that comes from this.
CAROLE THERIAULT
Yeah, this is the precedent. This is the candy just to test the market.
MATT DAVEY
I do kind of like the bottom screen thing. That is quite interesting to me.
GRAHAM CLULEY
If it didn't have ads on it, you mean?
MATT DAVEY
If it didn't have adverts on it, yeah.
CAROLE THERIAULT
What's— so you could watch what I wanted to watch? That kind of thing?
MATT DAVEY
I think one of the examples for the uses of the bottom screen, and this kind of drops the bottom out of my soul a little bit.
Parents watching the news on the primary display while their children play Flappy Bird on the bottom one.
CAROLE THERIAULT
Aha.
MATT DAVEY
That's one of the practical examples that they give.
CAROLE THERIAULT
Right.
GRAHAM CLULEY
Carole, what have you got for us this week?
CAROLE THERIAULT
So for my Smashing Security story this week, we need to cast our minds back to the dark Rona times.
I know it sucks, but I am a big believer in looking back so we can see where we screwed up and maybe learn from it.
So if you were a medical professional during these dark days, you would have probably seen more dead bodies than hot coffees.
And if you were furloughed, you might've mastered the headstand or upped your sourdough game or found an ingenious place to hide your hundreds and hundreds of toilet rolls, right, Clue?
And this, for many of us, was all while not freaking out about how you'd make ends meet because many of us were able to get some government grant relief, right?
Some money, paycheck relief. And in order for us to keep getting those paychecks, the government targeted relief to businesses.
So in the US, for example, there was the Paycheck Protection Program, PPP. And this initiative was a significant part of the government's response to the COVID-19 pandemic.
And it seems in order to qualify, a business had to meet certain standards, like explaining the negative impact of COVID-19 on its business.
So, you know, they lost customers or staff were getting sick, that sort of stuff. And they'd need to certify things like testifying that employees would not lose their jobs.
But of course, the huge chief worry in all this for the government launching such a scheme was fraud.
So identification and verification was key to making sure that this was as financially efficient as possible. Right, and that's a lot of work, right?
It's who's going to manage this whole verification process?
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
So in the front row with hands raised super high and squealing, "me, me, me, me," you had the computer-savvy fintechs, okay?
These are modern digital financial services that pretty much do the same thing as traditional banks.
But fintech's big plus, and this is what they claimed, is that they were way more capable of quickly issuing these PPP loans than government agencies or traditional banks.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
And one of the reasons was because they don't have legacy systems and they're by definition able to do things digitally very— I don't know how to say the word— agilely.
GRAHAM CLULEY
With agility.
CAROLE THERIAULT
With agility.
GRAHAM CLULEY
They're fast and loose, aren't they? Yeah, fast and loose.
MATT DAVEY
Yeah.
CAROLE THERIAULT
Yeah. So they can move fast, get the money to the right people securely and quickly because that was really important. People needed the cash. Businesses were going under really fast.
So this was music to the ears of the then-Trump government, right?
Depending on the lender and the type of application that you were applying for, you might be required to present a valid driver's license or a passport or other government-issued identification.
So businesses were often asked to provide their EIN number, which is issued by the Internal Revenue Service, right?
Maybe they'd have to fill in, show some tax forms, some payroll records, bank statements, that sort of thing.
Documents that would help you verify that the business making the request is doing so without any bullshit, right? They're being legit.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
So this is why fintech companies like Blue Acorn, Womply, or Womply and Kabbage lined up to serve as middlemen.
So their job was to help small business applicants complete the paperwork and process requests. And there was great money to be made here, right?
For every transaction, they get a processing fee. So just to give you an idea, Womply and Blue Acorn apparently ended up facilitating more than 1 in every 3 PPP loans in 2021.
And the US government gave out nearly $790 billion in PPP loans, right, between March 2020 and May 2021. So that's a huge amount of money that they were facilitating.
So we have the government dishing out huge chunks of change via fintechs to small businesses who have been verified and have proven their case through all their paperwork and applications.
However, come December 2022, more than 18 months later, fintechs were accused by the Select Subcommittee on the Coronavirus Crisis of having facilitated fraud in the Paycheck Protection Program.
So in March, NBC News opened an article with, quote, "They bought Lamborghinis, Ferraris, Bentleys, and Teslas.
Of course, lots of Teslas." Many who participated in what prosecutors are calling the largest fraud in U.S. history, the theft of hundreds of billions of dollars in taxpayer money, couldn't resist purchasing luxury automobiles, also mansions, private jets, and swanky vacations.
Experts say the theft is as much as $80 billion or about 10%.
But just this week, the Messenger publication claims to have been sent some of the IDs that were used when requesting paycheck relief, requesting help from PPP.
And these were validated as authentic and genuine and received the pay relief as requested. And I thought I would share with you some components of these IDs on our shared document.
And you tell me what you see there.
MATT DAVEY
This is some properly in-depth investigative journalism. I like it.
CAROLE THERIAULT
Oh, am I being boring? No, no, no.
MATT DAVEY
I'm just more eagerly listening than speaking.
GRAHAM CLULEY
It's just, you know, I didn't probe Pornhub enough. Is that what you're—
CAROLE THERIAULT
Okay, so tell me what you see.
MATT DAVEY
Ah, well, I see the problem immediately.
CAROLE THERIAULT
Do you see the problem immediately?
MATT DAVEY
Yes.
CAROLE THERIAULT
What do you see?
MATT DAVEY
Those are not real people.
CAROLE THERIAULT
No.
MATT DAVEY
Those are definitely creepy statues of some kind.
GRAHAM CLULEY
What is this? Are these sex dolls? What are these? What are these things? They look—
CAROLE THERIAULT
They are dolls' faces.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
I mean, these guys, these scammers, could not have given a shit or been very bright to think that this would work. And yet it bleeding did, right? I mean, look at number 1.
It's a Barbie doll head with lots of makeup and a clearly plastic face.
MATT DAVEY
I was expecting AI. I really was. I was expecting some sort of Midjourney. It costs $10 a month. That's not a lot of effort. Just create me 5 generic-looking people.
GRAHAM CLULEY
Go to thispersondoesnotexist.com. Yeah. It's easy to get fake faces if you want them. But these are clearly not human faces.
CAROLE THERIAULT
Look at the eye size on number 1 and number 3. Literally, it's physically impossible for those eyes to be in that skull.
So scammers created fake identities with pictures of doll faces and other figurines to rip off the US's largest COVID-19 relief program.
This is according to the images of phony accounts that were given to government investigators and later obtained by The Messenger.
Now, of course, the use of these doll faces was not rife, so it is not responsible for the entire $80 billion that was taken, but it does underline just how lax security was.
GRAHAM CLULEY
And we aren't claiming that any of these dolls are the fraudsters, are they? They're all innocent.
MATT DAVEY
Oh, look at the bottom left. He's definitely been forced into it.
GRAHAM CLULEY
He looks like Frankenstein's monster. He looks like he's got a zip along the top of his head.
CAROLE THERIAULT
Now, Womply blamed a sub-vendor for approving the doll face ID photos, right? Of course, supply chain issue. We've heard it before.
But The Messenger also reports that despite its promises and a wide net of lenders, congressional investigators found that Womply was one of two companies that enabled the majority of PPP fraud, processing over $5 million in loans for itself.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Okay, for itself.
But the big problem here, and this is the big important point, is that although fintechs behave like banks and traditional depository institutions, they are not subject to banking regulations such as the Bank Secrecy Act, which would require them to implement certain processes and structures to ensure security and the soundness of their operations.
GRAHAM CLULEY
I think you're being a little bit unfair here, Carole.
Maybe these fintechs were actually protecting the privacy of individuals, and so they didn't use the individual's faces, but they made dolls which looked a bit like them.
CAROLE THERIAULT
On an actual fintech site, I quote, "the absence of a single regulator makes fintech agile and flexible for changes and adaptations.
Fintech companies don't have to follow rigorous guidelines, so it's easier for them to integrate new services and solutions." And, you know, apparently helps steal mountains of cash.
MATT DAVEY
I mean, Mrs. Cabbage Patch at the top there is perfectly happy with her banking applications.
CAROLE THERIAULT
God. So there you go. This is how you get your parsnips buttered, apparently, is just become a fintech and do whatever the fuck you want. Wow.
MATT DAVEY
I look forward to the following news story, which is one of these dolls with their arms upright in a Lamborghini driving off.
CAROLE THERIAULT
Our sponsor Kolide has some big news. If you're an Okta user, then you can get your entire fleet to 100% compliance. How?
If a device isn't compliant, the user can't log into your cloud apps until they fix the problem.
GRAHAM CLULEY
Problem.
CAROLE THERIAULT
It's that simple. Kolide patches one of the major holes in zero-trust architecture: device compliance.
Without Kolide, IT struggles to solve basic problems like keeping everyone's OS and browser up to date.
Insecure devices are logging into your company's apps, but there's nothing there to stop them.
Kolide is the only device trust solution that enforces compliance as part of authentication, and it's built to work seamlessly with Okta.
The moment Kolide's agents detect a problem, it alerts the user and gives them instructions to fix it. If they don't fix the problem within a set time, they're blocked.
Kolide's method means fewer support tickets, less frustration, and most importantly, 100% fleet compliance. Want to learn more? Of course you do. Visit kolide.com/smashing.
That's kolide.com/smashing. And thanks to Kolide for sponsoring the show. Darknet, darkweb.
GRAHAM CLULEY
Today's podcast is also brought to you by NordLayer. Now, NordLayer safeguards your company's network, but it's much more than just a VPN for business.
As you already know, business networks today are more vulnerable than ever due to remote work, ransomware attacks, data leak incidents.
Well, NordLayer secures and protects remote workforces as well as business data, and it can even help you ensure security compliance.
Simply go to nordlayer.com/smashingsecurity and get 1 month free.
NordLayer is easy to start at, and it takes less than 10 minutes to onboard your entire business on a secure network.
NordLayer is easy to combine as it's hardware-free and compatible with all major operating systems.
And finally, NordLayer is easy to scale as you can choose a plan unique to your business requirements and your rate of growth.
So if you want to secure your business network, go to nordlayer.com/smashingsecurity to get your first month free. And thanks to NordLayer for supporting the show. And welcome back.
Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week. Say Pick of the Week.
MATT DAVEY
Oh, Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security related necessarily.
CAROLE THERIAULT
Better not be. Yeah.
GRAHAM CLULEY
Now, a few weeks ago I was very excited because I was told there was a new Indiana Jones movie coming out. And I remembered back in the '80s— Indiana.
MATT DAVEY
Indiana Jones.
GRAHAM CLULEY
Indiana— sorry, what's the problem? Indiana Jones. Indiana Jones. Yeah, what have I done wrong? I don't know.
CAROLE THERIAULT
Indiana. I don't know.
GRAHAM CLULEY
Oh, I always say Indiana. Anyway, so—
CAROLE THERIAULT
Tomato, tomato.
GRAHAM CLULEY
Anyway, Indiana Jones. And I remembered seeing Raiders of the Lost Ark and all those movies, late '70s, early '80s. Brilliant. I thought, this is great fun.
And so I was speaking to my son and I said, "You heard of Indiana Jones?" He said, "Yeah, Indiana Jones," he said.
But he said, "I've heard of it, never seen it." And I said, "Oh well, why don't we watch Raiders of the Lost Ark?" And we watched that the other night on the TV. He loved it.
He thought it was brilliant.
CAROLE THERIAULT
Brilliant. It is brilliant.
GRAHAM CLULEY
It was great. I really enjoyed it. And I said to him, "There's a new Indiana Jones movie coming out." And he went, "Indiana?" Called The Dial of Destiny.
And I said, "Why don't we watch all the Indiana Jones apart from that rubbish one involving the crystal skull and the aliens, and we'll have a great old time, and then we can go to the cinema, because I'm sure it's going to be good," I said.
Anyway, last weekend I went to the cinema and I saw Indiana Jones and the Dial of Destiny.
CAROLE THERIAULT
And your man's still in it, right? They wheeled him out.
GRAHAM CLULEY
Just about. Just about.
MATT DAVEY
So my bar is that Crystal Skull one, because that was just dire. Is it better than that?
GRAHAM CLULEY
I haven't seen the Crystal Skull one since it came out about 15 years ago. And I remember I hated it.
I have to say, what happened during Indiana Jones and the Dial of Destiny was I was there with my partner, and I realised that we were sort of looking around the room, and then we looked at each other and laughed.
And at one point she leant over and said, "Shall we just go? Shall we just go home?" And I said, "Yeah, let's go." Because it was—
CAROLE THERIAULT
And what, you left your son there?
GRAHAM CLULEY
No, no, no, he wasn't there. We didn't take him with us. He's gonna see it another time. But it was just me and her. I would've done.
I often will be at the cinema and decide to go home, leaving my son there if he's watching the Mario movie or something like that.
CAROLE THERIAULT
The Emoji movie, yeah.
GRAHAM CLULEY
This movie is— Now, I'd warned her in advance. I said, "I've heard a little spoiler that the ending is particularly catastrophic." We didn't get as far as the last 10 minutes.
CAROLE THERIAULT
You walked out, eh? Both of you.
GRAHAM CLULEY
We really walked out. And to be honest, I think my life is the better for it, because it was horrendous.
So, my pick of the week this week is anything other than Indiana Jones and the Dial of Destiny. Anything else, you will be—
CAROLE THERIAULT
Even Face/Off? Face/Off?
GRAHAM CLULEY
Face/Off with John Woo and John Travolta and Nicholas— Brilliant! Brilliant bit of Face/Off. Much more entertaining than this movie. Okay, okay.
And that's despite Dial of Destiny including Phoebe Waller-Bridge, who obviously we love from Fleabag, and she's terrific. But this is not— this is not good. It's not good.
And so Anything Else is my pick of the week. Sorry to be negative.
MATT DAVEY
Oh, I'm very disappointed about that.
GRAHAM CLULEY
I wanted to save people's money because that cost me about £24 to go and see that rubbish. So I don't want anyone else wasting their money like that.
Matt, what's your pick of the week? Or maybe non-pick of the week?
MATT DAVEY
Well, obviously, I'm gonna pick, for example, the Random But Memorable Podcast. You can go and catch up on all 110 episodes now. Somehow, we've been allowed to do 110 episodes.
CAROLE THERIAULT
Congratulations.
GRAHAM CLULEY
That's a great achievement. Well done.
MATT DAVEY
Thanks. Yeah, it's good to have a hobby that is also your job. And I feel like that is the energy that we bring to that podcast.
But my actual pick of the week is Jury Duty, the TV show on Amazon Prime. I explain this TV show.
It's got some bad reviews and some good reviews, but I explain it as essentially it's The Office where they do kind of pieces to camera and it's a general sitcom, except one of the people is not an actor in it.
One of the people is real and they build this kind of court case around them. And that person doesn't know that everyone else is an actor, right?
GRAHAM CLULEY
Oh, doesn't have a clue. No.
MATT DAVEY
And you can genuinely see that in the end when they kind of debrief and tell this guy all of this was completely fake.
CAROLE THERIAULT
He's gonna have PTSD for the rest of his life.
MATT DAVEY
They celebrate him 'cause he made such good decisions. Honestly, I feel like the mischievous side of me would kind of try and mess with them a bit, but they didn't.
They played this everybody, the actors between themselves, and then it's just him kind of being the audience and being going, "What the heck is going on?
Is this my life?" The absurdity. James Marsden is also in it, who is in a bunch of movies, Sonic and The Notebook and that type of thing. He was also in Westworld.
GRAHAM CLULEY
Right.
MATT DAVEY
He is playing a caricature of himself with a giant ego. Which is also brilliant.
GRAHAM CLULEY
So when I heard you were going to choose this, I hadn't heard of this show, but I went and watched some clips on YouTube.
And there is the clip of this actor guy, James Marsden, sort of saying, look, maybe I should be excused because I'm going to be a distraction because I'm famous, because I've been in these movies.
And the judge didn't recognise him. And I didn't recognise him either. I thought, I don't know who this guy is. So I wouldn't have listened to him either.
But it is quite, from the bits I've seen, this is quite fun. I quite like it.
And the central guy, the guy who isn't an actor, the guy who's effectively being duped, does seem like a—
MATT DAVEY
Yeah, they basically give him not moral choices, but slightly on the side of that. And the interesting thing is to see him really care for the people around him.
He is definitely the hero of that show. I think they picked it really well.
CAROLE THERIAULT
Is he Canadian? Is he Canadian?
MATT DAVEY
I think it's all set in America.
GRAHAM CLULEY
But this goes on for weeks, doesn't it? So he was in a hotel, he was disconnected from the internet.
MATT DAVEY
He couldn't Google any of these people. Yeah, they sequestered the jury.
GRAHAM CLULEY
Wow.
MATT DAVEY
Which was a brilliant little addition to it, which makes them all stay in a hotel. And just the weirdness of it all is just so brilliant.
And the plot orchestration of how they architect all the plot points and lead him into them is just— it's beautiful. It really is very well done.
CAROLE THERIAULT
Okay, I'm putting it on my watch list. This is my kind of— I hate that I like this though, because it's like, we love watching people being duped. We're addicted to it.
You know, but I am too. I just don't know why we're just—
GRAHAM CLULEY
I'm not sure it's making fun of it. I've only seen little clips.
MATT DAVEY
Yeah, no, it definitely paints him as the hero. This isn't Trigger Happy TV where you're just looking for people's reaction.
CAROLE THERIAULT
Yeah. Okay, I'll watch it. I'll watch it on your recommendation, Matt.
GRAHAM CLULEY
And the name of the show again, Matt, is?
MATT DAVEY
Jury Duty.
GRAHAM CLULEY
Jury Duty on Amazon Prime. Fantastic. Carole, what's your pick of the week?
CAROLE THERIAULT
Okay, I have to give a little background for my pick of the week. I got new windows a few years ago now, and they were a little bit bigger and heavier than the previous ones.
And basically, after they were put in, they were glorious, but they made a mess of our render, what Americans call stucco across the pond.
Now, the problem with rendered or stuccoed houses is they need maintenance, right? You have to paint them and check for cracks and fill it in. And not my idea of fun or talent.
You know, we went around and looked for a renderer, and we couldn't find one for love or money, right?
I was even trying to pimp out my husband, you know, a date with him, but even that didn't— So long story short—
GRAHAM CLULEY
Hello, you surprised me.
CAROLE THERIAULT
My husband panicking found an incredible solution, right?
GRAHAM CLULEY
My baby was panicking.
CAROLE THERIAULT
And it was called spray cork rendering or spray cork stucco. And the stuff is awesome, okay? So you basically, you can apply it over anything that you would paint.
So you could put it over stucco, you could put it over steel, plaster, aluminum, wood, brick, vinyl, shingles, anything and helps to regulate temperature, resistant to abrasion, salty air, fungus, mold.
It's environmentally cool, right? Because it's 80% cork granules, 20% water-based paint, and you apply it with a spray gun that's compressed air, right? Or electricity.
And cork is completely renewable and it's non-toxic. I can go on and on and on.
GRAHAM CLULEY
And that's why we're sponsored this week by—
CAROLE THERIAULT
No, it's just really cool.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
It took about a week to put up, which is also amazing because I've seen houses take forever to get even just painted. And Kevin McCloud from Grand Designs even gives it a thumbs up.
So we used a company called CorkSol, but I'm sure there's other reputable ones around in your neck of the woods. This was in the UK. We got it done around Easter.
The house looks so much smarter. So my pick of the week is spray cork rendering or stuccoing. It's very cool.
GRAHAM CLULEY
Very cool. Wow.
MATT DAVEY
That's left field, but I love it.
CAROLE THERIAULT
It's great. I know it's left field. You can even— I want to do it inside my bathroom instead of tiling it. Just stucco, just spray cork the inside of the bathtub area.
MATT DAVEY
I am actually genuinely tempted to do this in my garage because I have unfinished walls in the garage and this would be pretty good.
CAROLE THERIAULT
I have links in the show notes and you can even do it yourself totally. They literally all— Ah.
GRAHAM CLULEY
And it feels nice, doesn't it, Carole? It's kind of, yeah.
CAROLE THERIAULT
It's got a little bit of a sponge to it, but it feels solid. And they just basically covered all the windows and all the sides and the pipes and then just spray-gunned it.
So anyway, check it out. Very cool stuff.
GRAHAM CLULEY
Well, that just about wraps up the show for this week. Matt, thanks very much for joining us.
I'm sure lots of our listeners would like to follow you online and find out what you're up to. What's the best way for folks to do that?
MATT DAVEY
I am on Mastodon, Matt Davey, and I guess I'm on social.lol. I think you have to say, I'm not really on Twitter anymore. But you can follow 1Password on Twitter at just @1Password.
GRAHAM CLULEY
Terrific. And you can follow us on Twitter at Smashing Security, no G to Twitter @matt_davey, and we also have a Mastodon presence.
And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps, such as Pocket Casts, Apple Podcasts, and Spotify.
CAROLE THERIAULT
And big, big thank yous to this episode's sponsors, Kolide and NordLayer. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free.
For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 328 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio. Bye-bye.
CAROLE THERIAULT
Bye-bye.
MATT DAVEY
Thanks for having me.
CAROLE THERIAULT
Bye. Thank you, Matt. Brilliant. It was fun.
GRAHAM CLULEY
Thanks so much, Matt. Really appreciate you coming along. Great stories. Terrific Pick of the Week.
MATT DAVEY
Yes, watch it. It's great.
GRAHAM CLULEY
Yeah, I will do. I'm going to start tonight.
EPISODE DESCRIPTION:
Just how much do porn websites know about your sexual peccadillos? How are Barbie dolls involved in identity scams? And would you trust a completely free telly?
Oh, and Graham has some opinions to share about "Indiana Jones and the Dial of Destiny".
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Matt Davey from the "Random but Memorable" podcast.
Warning: This podcast may contain nuts, adult themes, and rude language.
Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Zero Trust for Okta. Watch a demo today!
NordLayer – NordLayer safeguards your company’s network, securing and protecting remote workforces as well as business data. It can even help you ensure security compliance. Get your first month free.
SUPPORT THE SHOW:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!