274: Hands off my biometrics, and a wormhole squirmish

Clearview AI receives something of a slap in the face, and who is wrestling over an internet wormhole?

All this and more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault.

And don't miss our featured interview with Artur Kane of GoodAccess.

Visit https://www.smashingsecurity.com/274 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Artur Kane.

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



GRAHAM CLULEY. They couldn't believe their luck because they thought $50,000, brilliant, nothing, that's nothing, that's probably in the bottom of my shoe somewhere.


CAROLE THERIAULT. Hold on, yes it is.


UNKNOWN. There's probably someone snorting that in the corporate bathroom right now. Smashing Security, episode 274, Hands Off My Biometrics and a Wormhole Squirmish, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 274. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And Carole, this time on the show, we are joined by—


CAROLE THERIAULT. No one again.


GRAHAM CLULEY. Oh, for goodness' sake.


CAROLE THERIAULT. But it's not my fault this week.


GRAHAM CLULEY. And it's not my fault either.


CAROLE THERIAULT. It's the stupid guest's fault.


GRAHAM CLULEY. No. Well, no, it's his employer.


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. Who's unfortunately dumped a whole load of work on them at the last moment.


CAROLE THERIAULT. We will get them on at some point.


GRAHAM CLULEY. One day.


CAROLE THERIAULT. We are on our own, but we have a lot of content, so it'll be fine.


GRAHAM CLULEY. Cool.


CAROLE THERIAULT. Don't you think?


GRAHAM CLULEY. Of course it will. Of course it is. It's going to be marvelous.


CAROLE THERIAULT. Of course it will.


GRAHAM CLULEY. It'll probably be better, actually.


CAROLE THERIAULT. Probably. Now, why don't we thank this week's sponsors, Kolide, Rumble, and GoodAccess? It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what have you got?


GRAHAM CLULEY. I'm gonna be master of my own domain. Okay.


CAROLE THERIAULT. And I'm just gonna ask, how legal is the whole face printing thing? Plus, a fabulous featured interview with Artur Kane from GoodAccess, who's gonna explain anytime, anywhere secure remote access. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chum chum, remember Carl Sagan.


CAROLE THERIAULT. Remind me.


GRAHAM CLULEY. Astronomer, cosmologist, owner, I imagine, of a tweed jacket. You remember him? He had a kind of— Oh, I can't do a Carl Sagan impression.


CAROLE THERIAULT. Did he send a record into space?


GRAHAM CLULEY. He's put everything into space. He's no longer alive.


CAROLE THERIAULT. Right. Yeah, yeah.


GRAHAM CLULEY. He sort of made space popular. Before him, space, hardly anyone noticed it.


CAROLE THERIAULT. Okay, I may be wrong, but I seem to think that he's involved or created an album to communicate with aliens. And it was being played in space.


GRAHAM CLULEY. He might have done.


CAROLE THERIAULT. It may have been something completely different. A listener will correct me on Twitter.


GRAHAM CLULEY. He was an extraordinary American author and science communicator that everyone apart from you looked up to and admired.


CAROLE THERIAULT. Okay, well, I'm maybe too young. I suspect people my age and younger probably don't know him.


GRAHAM CLULEY. Anyway, he had fans around the world, including computer engineer Dick Merriman. And Dick Merriman, back in 1994, was watching Carl Sagan's famous TV show, which is called Cosmos, with his wife Linda. That's Dick's wife Linda, not Carl Sagan's wife. And now Carl Sagan, he wrote the book Contact in the mid-1980s. Is that the one with Jodie Foster? I've never seen it.


CAROLE THERIAULT. The movie, not the book.


GRAHAM CLULEY. Well, he wrote the book.


CAROLE THERIAULT. Right, right, right.


GRAHAM CLULEY. And it was then turned into a movie.


CAROLE THERIAULT. Yeah, I never read the book, but yeah, there was a movie with Steve Guttenberg.


GRAHAM CLULEY. Oh, okay. What, from Police Academy?


CAROLE THERIAULT. I think it's Sagan.


GRAHAM CLULEY. You sure? No. Really?


CAROLE THERIAULT. It's just a podcast. Thank God it's not a test.


GRAHAM CLULEY. Go on. Okay.


CAROLE THERIAULT. People can look it up for themselves. Don't trust me.


GRAHAM CLULEY. Well, when Sagan wrote this book, he needed a way to transport Jodie Foster, who was playing the hero of the story, from Earth to a star which was 8 light years away, which obviously is an astronomically long distance. And what he used was the concept of a tunnel or a wormhole connecting distant locations in space and time. Quite fascinating thing if you're into all that Einstein kind of gubbins. Anyway.


CAROLE THERIAULT. Gubbins.


GRAHAM CLULEY. This idea of wormholes blew the mind of our hero of this particular story, Dick Merriman, who was watching this back in 1994. And he turned to his wife, he says, "I love the idea of a wormhole." "I'm gonna make me one." Yeah, well, no, you're absolutely right. He said, "We're gonna get a wormhole." Now, he wasn't able to make one in his backyard, unfortunately. It's not that easy.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. So he did the next best thing, and he did what no one had ever done on the internet before, which is he bought the internet domain wormhole.com. He owned wormhole.com, and that was back in 1994. The website wormhole.com continues to exist to this day. He didn't have any use for wormhole.com as a website. So he just put an image of a wormhole, a sort of cosmic image, on its single page. And there's a one-line description of what a wormhole is.


CAROLE THERIAULT. And he owns a wormhole.


GRAHAM CLULEY. And he owns the wormhole on the internet. Mm-hmm. But what he was able to do, of course, is owning the domain meant that he could set up his own wormhole.com email address that he and his wife have used ever since.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. And Dick Merriman, he's now 79 years old, 'cause it was a long time ago when he did this. He's still using that email address.


CAROLE THERIAULT. Fabulous.


GRAHAM CLULEY. Please don't be so childish. And he was probably feeling pretty pleased with himself, because if you purchase a vanity domain, if you purchase your own domain for your email, you don't have to go through any of that pain of getting your business cards reprinted, or when you switch from Hotmail to Yahoo to Gmail to ProtonMail or whatever.


CAROLE THERIAULT. Yeah, that's often the biggest concern. A concern that we all face is getting our business cards changed. You're right.


GRAHAM CLULEY. So that is the end of the story. That's the end of it. That's the end of it.


CAROLE THERIAULT. It's like a normal story that you tell.


GRAHAM CLULEY. No, no, no. Shh, shh, shh. No, no. Not the end of a story. Not the end. Because there is more. There is more to tell with this story. Because 28 years after Dick bought the domain wormhole.com—


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. There are other people who are rather keen on owning it themselves. Enter an outfit called the Jump Trading Group.


CAROLE THERIAULT. Jump Trading Group.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Okay, this is crypto again, isn't it? Is this crypto?


GRAHAM CLULEY. Well, Jump do have a toe in the world of crypto, yes. Amongst other things.


CAROLE THERIAULT. You're obsessed with crypto.


GRAHAM CLULEY. The whole world is crypto, Chris.


CAROLE THERIAULT. I'm not.


GRAHAM CLULEY. Jump. Says that they are building the next frontier in crypto infrastructure. They are the firm that is a significant player in the decentralized finance space. And one of the things that they run is a crypto platform called—


CAROLE THERIAULT. Wormhole.


GRAHAM CLULEY. Wormhole.


CAROLE THERIAULT. And they want to own wormhole.com. So this is a domain fight.


GRAHAM CLULEY. Yeah, this is a domain fight. Now, you might have heard of this Wormhole company because earlier this year, it suffered a $320 million blockchain hack.


CAROLE THERIAULT. No, that's huge.


GRAHAM CLULEY. Yes, it was huge. But it's also— it was unlike just about every other crypto hack because after Wormhole got hacked, the people who lost all their money actually got their money back because Jump, the owners of Wormhole, did this extraordinary thing of replacing all the stolen funds because it has quite a lot of money in its back pocket. So it just, it didn't want to upset people. It didn't want them running off.


CAROLE THERIAULT. What?


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. So they just said, oh, there's $320 million. No problem. Let me just get that outta my piggy bank.


GRAHAM CLULEY. Exactly. Which is pretty unusual, I think you'd agree.


CAROLE THERIAULT. Whoa. Yeah.


GRAHAM CLULEY. They replaced all the stolen funds.


CAROLE THERIAULT. I mean, it's the way it should be, but you know.


GRAHAM CLULEY. Right. Yeah. So I think it's fair to say that Jump and Wormhole the company have got a few quid.


CAROLE THERIAULT. No shit. Well, maybe not anymore.


GRAHAM CLULEY. Well. Had a few quid. But what they don't have is a good domain name because Wormhole the company hangs out at wormholenetwork.com.


CAROLE THERIAULT. Well, they could have probably done better than that. Like wormholee.


GRAHAM CLULEY. Wormhole with the O being a zero, maybe. Something like that. Anyway, Wormhole may be a hot name in the world of crypto, but anyone who visits, of course, wormhole.com sees Dick Merriman's tribute to Carl Sagan and wormholes. Mm-hmm. Whereas Wormhole, the company, says, well, we are the best of blockchains. That's what you see when you go to their site.


CAROLE THERIAULT. And we got a lot of Wonga. Maybe not now, but we did. Yep.


GRAHAM CLULEY. Yes. Yeah. A lot of it's gone down the plug hole. Right. It's not the wormhole. Mm. So Wormhole obviously think there's a future in their business, and they really want to own the domain wormhole.com. Mm. So I've now set the scene. So I've taken 10 minutes. In June 2021, someone at Jump approached Dick Merriman via a third-party domain broker, and they made him an offer for wormhole.com.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Now, considering that they had $320 million burning a hole in their pockets not so very long ago, how much do you think they were prepared to pay for the domain?


CAROLE THERIAULT. No idea. I mean, it's a negotiation, right? This is a site that hasn't been touched in decades. Like, what would you offer?


GRAHAM CLULEY. $5,000? They offered $2,500. Dick Merriman, he got the request. He wasn't impressed. Mm-hmm. He thought, huh, $2,500. So he responded to the intermediary domain haggling service. And apparently he said, "The price for wormhole.com is a firm $50,000." He said that's what he was prepared to accept, he said. And Jump couldn't believe their luck, 'cause they thought, "$50,000." Brilliant. Nothing, that's nothing.


CAROLE THERIAULT. That's probably in the bottom of my shoe somewhere. Hold on, yes it is.


GRAHAM CLULEY. Yeah, there's probably someone snorting that in the corporate bathroom right now. Fantastic. So Wormhole, the company, pressed the button saying accept, and the domain-brokering service marked the deal status as agreement reached, and the process of transferring the domain began from Dick to Wormhole. Uh-oh, no, oh, oh, it didn't. Because Dick Merriman, who over the course of some days kept receiving messages from the domain broker service, asking him to set up his account and initiate the transfer in exchange for the payment, began to have second thoughts.


CAROLE THERIAULT. Oh.


SPEAKER_02. Yeah.


GRAHAM CLULEY. And by mid-July, having not responded for quite some time, he said, nope, sorry, changed my mind. This was too easy. I'm either leaving a lot of money on the table or this is a scam. Either way, not for sale. If you want to make a reasonable offer, then you're encouraged to do so.


CAROLE THERIAULT. OK, this annoys me, I think.


GRAHAM CLULEY. OK.


CAROLE THERIAULT. It annoys me because if you say to someone, what would you like for this? And they give you a number.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. And you meet that number.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Shouldn't that be like, OK, we're all handshake, handshakes? But then, I don't know.


GRAHAM CLULEY. I mean, I think people have the right to say, "I've changed my mind," shouldn't they? It's difficult, isn't it?


CAROLE THERIAULT. Yeah, I totally— everyone should have a cooling-off period. I agree, actually. Everyone should have a cooling-off period of anything.


GRAHAM CLULEY. And let's remember, Dick, you know, I'm not saying—


CAROLE THERIAULT. But he signed everything and then said nothing for 6 weeks.


GRAHAM CLULEY. Yeah, I mean, he's— well, what he did was when he was first offered $2,500, he said, "No way, $50,000 or whatever, then we're talking." and they came back with $50,000, should he then have had to say, "Okay"?


CAROLE THERIAULT. No, because the way they would have tricked him, if they would have gone back and gone, "Ha ha ha, $50,000? Are you crazy? No way!" And then he would have gone, "Okay, what about $40,000?" And then you would have been on the train. They just bit too soon. It's just bad negotiation tactics, really. Anyway, okay, so he's twigged that there's maybe more money there.


GRAHAM CLULEY. So he thinks there's more money there.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. And he's saying, "No, I'm not going to sell it for $50,000." 'You're either scamming me or I could be asking for a little more.' And then in a later email, he ups the price to $100,000 and then allegedly to $200,000. And Jump were getting annoyed because they wanted wormhole.com. So they threatened legal action for breach of contract. Mm-hmm. And they demanded that Dick had to honour the original message saying he would sell for $50,000. Mm-hmm. Interesting. Dick replies to them, "Good luck with that." He says, "It's $100,000 is what I'm after." So there's a bit of back and forth, bit of haggling. Jump's still not happy. They feel they're being messed around.


CAROLE THERIAULT. I mean, yeah, they're already $320 million out of pocket, so I get it, right?


GRAHAM CLULEY. That hack actually happened later. That hack happened this year. This is still mid-last year, right? Anyway, Dick isn't happy. Either because he doesn't want to lose his email address. Imagine the hassle of having to change it after so many years. He actually told the press, he said, "My email address is like family. It's been around so long." I mean, Dick, don't forget, he's 79 years old. And it's just him and his wife living in a town with a petting zoo. There's not much going on there, up against this huge corporation. And who have just filed a lawsuit against him. And demanding that he also pays their legal fees for all the damages they say that he's caused and the costs.


CAROLE THERIAULT. So now they're playing just— they're just going, let's just twist the knife. Okay, yeah, no, I don't like them anymore. I don't like Wormhole anymore.


GRAHAM CLULEY. Right, right. Now, Dick, according to media reports, he says he's now giving up. He spoke to a lawyer. The lawyer said, oh, I'm not interested in taking on this case. And so Dick has accepted he has to throw in the towel and accept, whether he likes it or not, the offer of $50,000. He says, "I'm tired. I'm not happy, but I'll take it." He did sign. Well—


CAROLE THERIAULT. And he didn't complain within a short period, a cooling-off period.


GRAHAM CLULEY. He doesn't— Well, I don't know if there was a cooling-off period.


CAROLE THERIAULT. No, but there would— I mean, you could argue that there should be, right? That would have been maybe a legal—


GRAHAM CLULEY. He doesn't remember ever signing up for this domain brokering service, which maybe he did do. Years and years and years ago, just out of curiosity to see what people would offer him. Apparently Carl Sagan's estate once inquired about the domain as well, and he offered to give it to them for free 'cause he loves Carl Sagan. And then they decided they didn't want it after all. They wanted to use it for a particular project. But some people have suggested this domain could have sold for up to half a million dollars if properly negotiated. But it just feels, you know, when he said, "Oh, you know, oh, I don't accept $2,500, then we've got a deal," is that really a contract? Is that really him saying, "I will honor this regardless of who comes forward and offers to pay me $2,500"?


SPEAKER_02. Well, I don't think it was as—


CAROLE THERIAULT. like, they were on the phone or in person, right? Did he sign his name to something saying, "Yes, an agreement was reached"?


GRAHAM CLULEY. This would all have been on the internet. Would all have been online.


CAROLE THERIAULT. Well, then, yeah. If he put on his electronic signature, I don't know. Really, really great story, Graham. Great.


GRAHAM CLULEY. I just think you don't like old people.


CAROLE THERIAULT. Yes, that's my problem.


GRAHAM CLULEY. Well, I've noticed some things.


CAROLE THERIAULT. I just don't like you occasionally. It's different.


GRAHAM CLULEY. Carole, what have you got for us this week?


CAROLE THERIAULT. You might remember, Graham, we discussed in the past facial recognition company Clearview AI.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Yeah. For our listeners, this is the software database company of more than 3 billion+ images of faces scraped from websites like Facebook, Instagram, LinkedIn, Twitter, that sort of thing.


GRAHAM CLULEY. As I recall from past episodes, they had some kind of app which you could buy at a vast price or had special access to where you could go to a bar scan someone's face, you know, from across the room, and it would give you their name and all their social networking, and, you know, you'd know lots of information about people. It was horrible.


CAROLE THERIAULT. Yeah, yeah, literally you can present a picture of anybody and presto, it identifies the right person. In fact, the company claims that it's 100% accurate, although some reporters have witnessed the software misidentify some people.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. I mean, can you identify identical twins? You know, Mr. Ton-That of Clearview AI, can you?


GRAHAM CLULEY. Oh, that's a good point. And I once used one of those things where you upload your photograph and it says, "We will find your celebrity twin." So I was interested in that and I uploaded myself and it told me Henry Kissinger. Oh, really? Yes.


CAROLE THERIAULT. Oh my God, I wouldn't wanna know what it would give me. Anywho, back in 2020, Kashmir Hill of The New York Times, she published an alarming and damning piece about Clearview AI, how it's, you know, been peddled to police departments with 30-day free trials all over the country, how it was being misused by fat cats to identify pretty young things going about their business. And listeners might remember I got a bit riled, which is why I also covered the story a few weeks later here on Smashing Security. And basically the premise is, you know, Clearview is offering access to this database to private companies, wealthy individuals, federal, state, and local law enforcement agencies. And the company claimed that through this enormous database, it could instantaneously identify people with unprecedented accuracy, enabling covert and remote surveillance of individuals on a massive scale. So, uh, scary much?


GRAHAM CLULEY. Yeah, it's terrifying, isn't it?


CAROLE THERIAULT. Terrifying. Yeah. So other people thought like us and thought this isn't great, like the ACLU of Illinois and friends. And many of these, the friends representing people who've been face-printed by Clearview without their consent. And they did something about this way back in 2020, and we have just had an update.


GRAHAM CLULEY. Oh, okay.


CAROLE THERIAULT. But first, you just need to know, and I'm sorry, Graham, I know this is gonna be hard for you, okay? But I have to talk a little bit about how the law works in the States, okay?


GRAHAM CLULEY. Oh, thank goodness. I thought you were gonna say we have to talk about Piers Morgan or something.


CAROLE THERIAULT. No, no, no, no.


GRAHAM CLULEY. That was the first thought I had.


CAROLE THERIAULT. No, no, no, just so people understand. So, you know, we have like an international audience, and so basically in the States, some laws are federal and some are state-based, which is why you have things like jazz cigarettes being available in some states and legal in some states, whereas in other states you face jail time if you're caught with that on your person.


GRAHAM CLULEY. Right. Yeah.


CAROLE THERIAULT. And like privacy rights for individuals are similar. So some states like California, New York, Texas, Arkansas, Illinois, there's a few, have started introducing stronger legislation to curb tech companies from mishandling you know, or misusing or abusing personal info. And some states went even further to these privacy bills and put in a biometric privacy law.


GRAHAM CLULEY. All right.


CAROLE THERIAULT. And Illinois was the first state to establish one, the Illinois Biometric Information Privacy Act, or BIPA.


GRAHAM CLULEY. How does— not living in the United States, I don't— I mean, I find it hard to get my head around these sort of two levels of laws and things. How does it happen? How does it work out with things like data? Because if there are very strict data protection laws in one particular state, or how much they need to keep you private, which aren't being applied in other states, presumably tech companies just have to go by the toughest legislation rather than thinking, oh well, because you live in Alaska, then we can do all kinds of great things with your data. But we— but do you see what I mean?


CAROLE THERIAULT. Yeah, I totally see what you mean. And I think it's a complete nightmare. I think it is really a complete nightmare because every single state— but you know what I find odd is in the UK, we have this thing called common law, which just means there is kind of some laws and some precedent, but we're going to leave it up to the judge to make a decision. It's like you don't really know the laws. Anyway, we digress. Okay. But you, so BIPA, you would be right to assume that BIPA requires companies to first notify, right, and get a written-up consent before they collect, capture, or obtain residents' biometric identifiers, right? So before they get fingerprints or face prints or iris scans, they need you saying, yeah, no problem with that.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Um, and there's a few other states that have a law similar to this, you know, but their own version. But Illinois is unique because it provides aggrieved parties with a private right of action. So other states rely on public authorities to bring an enforced action, but here you can be private. Okay, so the ACLU and the ACLU of Illinois and a bunch of others get on the bandwagon and make use of the Illinois BIPA to make a stink about Clearview's business practices.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. And they filed a lawsuit on May 28, 2020, alleging violation of Illinois residents' privacy rights under the Illinois BIPA Act.


GRAHAM CLULEY. Okay, okay, yes. That sounds wonderful.


CAROLE THERIAULT. And two years go by.


GRAHAM CLULEY. What was that?


CAROLE THERIAULT. We've just received an update. Right?


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. So this week, May 9th, a legal settlement was filed stipulating that as part of the settlement in ACLU versus Clearview AI, the company is now permanently banned from making its faceprint database available to most businesses and other private actors. So basically, your typical guy off the street or girl off the street can't just go and say, I'd like an account, please, and then have access to 3 billion faces. What's very cool about this is they somehow got it nationwide. So it's not just for Illinois, but nationwide they're going to be banned from doing this permanently.


GRAHAM CLULEY. So the police and co., they will be able to access this data still for law enforcement purposes, is that right?


CAROLE THERIAULT. Yes. So, so it's— the wording is very interesting, right, on how they— who is going to have access. So it's like certain businesses, most businesses, but they're not detailing which ones. But we do know that Clearview AI certainly boasts that they represent, or they have, 3,100 US agencies using their software, including FBI and the DOJ, right? Or the Department of Homeland Security. So, um, and what's also weird is on their website they still proudly boast— I mean, I know this just happened yesterday, but the website proudly boasts that Clearview AI search technology is lawful and constitutional. Even though it has been determined to be illegal in countries like Canada and Australia, 6 months ago, the UK, you know, ICO announced that it had found alleged serious breaches of the UK's data protection laws and issued a provisional notice to stop further processing of all personal data of the people of the UK and to delete it.


GRAHAM CLULEY. Yes, but if you're American, you probably think there's a lot of things you're allowed to do in Canada and Australia and the UK which are illegal back in the good old US of A, and they probably can't believe that we allow certain things. I don't know what, things like stretching owls or something, or juggling yogurts.


CAROLE THERIAULT. Yeah, I mean, I know there are some countries that are very, very excited about having this software, right? But it's kind of cool that some countries are banning it. And I don't know, I mean, what's good about this? I can see it identifying bodies that you can't identify might be a useful use. That's the only thing I can— finding family.


GRAHAM CLULEY. I've got bits of my body I'd love to identify. I can't work out what they might be.


CAROLE THERIAULT. Well, my pick of the week will help with that.


GRAHAM CLULEY. Oh, okay. Curious. I'll stay tuned. Do you know what assets are connected to your network? Most organizations don't. For your security program to be effective, you need an inventory of all your devices so you can make critical decisions fast. Well, Rumble was made by the creator of Metasploit, which explains why it finds many devices that other solutions miss, including orphaned machines running outdated operating systems. Quickly find systems affected by the latest security news. Just think of Log4j, SolarWinds, and Kaspersky. It can even tell you which machines are missing endpoint protection from your local network all the way to the cloud. Sign up for a free trial and build your asset inventory in minutes. Get your trial at rumble.run. That's rumble.run. And thanks to Rumble for supporting the show.


CAROLE THERIAULT. So we all know that users these days sometimes have to connect from an unsecured network using any device they have at hand, and companies have no control over the device applications, clouds, and the infrastructure that connects it all together. This rapid shift in online work created security gaps that bad actors used to the full. And most importantly, companies need to emphasize the reduction of risk of a data breach if a user's credentials are stolen. This is why you need to check out GoodAccess. This is a global company based in the Czech Republic with a proven 10-year track record. They are a bunch of security enthusiasts dedicated to delivering anytime, anywhere secure remote access for small and medium-sized businesses worldwide. And this begins with a free GoodAccess starter product for unlimited usage by up to 100 employees. Yes, you heard right, 100 employees. Learn more at smashingsecurity.com/goodaccess. And big thank yous to GoodAccess for sponsoring the show.


GRAHAM CLULEY. Kolide sends employees important, timely, and relevant security recommendations for their Linux, Mac, and Windows devices right inside Slack. Kolide is perfect for organizations that care deeply about compliance and security but don't want to get there by locking down devices to the point where they become unusable. So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems. Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. Enter your email when prompted, and you will receive a free Kolide goodie bag after your trial activates. You can try Kolide with all of its features on an unlimited number of devices for free, no credit card required. Try it out at smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. Kolide, and thanks to Kolide for supporting the show. And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, this week, my pick of the week was suggested to me by a loyal listener who goes by the name of Yogi.


CAROLE THERIAULT. Oh.


GRAHAM CLULEY. Who we both know, Carole.


CAROLE THERIAULT. Yes, is she a loyal listener?


GRAHAM CLULEY. I think she's tuned into my past picks of the week and thinks I need some help. Okay. And what I've been recommended is a YouTube channel called Owl Kitty. I will put a link in the show notes. Carole, you can check out Owl Kitty right now. Okay. Owl Kitty, real name Lizzie, is a black cat living in Portland, Oregon. And what Owl Kitty's owner does is he has very—


CAROLE THERIAULT. Adorable.


GRAHAM CLULEY. Very cleverly managed to integrate his cat into famous movie sequences. Presumably using some kind of green screen.


CAROLE THERIAULT. I would watch this film. Like, literally, it's like King Kong of cats.


GRAHAM CLULEY. Right, so what are you seeing, Carole? What are you seeing?


CAROLE THERIAULT. I'm just watching a parody of Jurassic Park. So literally, it's like you've got this monstrous Jurassic Park-sized cat. I'm gonna go look, see if there's another.


GRAHAM CLULEY. So, yeah. So, regular movies, but with this person's cat. And I also saw some behind-the-scenes videos of how they make these, because obviously cats do not perform on demand. And it may take quite a few takes and some very clever techniques.


CAROLE THERIAULT. I love claws. Claws for jaws. Oh, Yogi, very good. You keep them coming. Graham did a whole year of board games once, so we need you.


GRAHAM CLULEY. There's a Fifty Shades of Grey.


CAROLE THERIAULT. Oh my God.


GRAHAM CLULEY. Titanic, all sorts. The Shining. Anyway, lots of fun. Owl Kitty is my pick of the week. Excellent. Carole, what's your pick of the week?


CAROLE THERIAULT. Oh, Graham. Okay. I have to ask you a sensitive question.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. It's about your danglers. I beg you. Do you think about them? Do you think about them regularly?


GRAHAM CLULEY. Are you talking about a medallion or something? I don't wear a medallion. Is that what you mean by dangler?


CAROLE THERIAULT. No, between your legs. Danglers. Do you have hopes and dreams for them?


GRAHAM CLULEY. Yes, yes.


CAROLE THERIAULT. What are they?


GRAHAM CLULEY. Big plans. I've always had big dreams, I tell you, as to what their future might be. Often not achieved, but it would—


CAROLE THERIAULT. But like what? What role do they play?


GRAHAM CLULEY. What role do they play? Well, they have a very important role. I use them every day. In a variety of ways, mostly— Are we talking about the same thing? I don't think so. What are you talking about?


CAROLE THERIAULT. What is your problem here?


GRAHAM CLULEY. What are you talking about? Put me out of my misery.


CAROLE THERIAULT. Your ballsack.


GRAHAM CLULEY. Oh, for God's sake, Carole. Really? Yes.


CAROLE THERIAULT. I said I was polite with the word.


GRAHAM CLULEY. What do you mean hopes and dreams for it? It's, you know—


CAROLE THERIAULT. Well, exactly. I think it's a very weird thing to say about that as well, right? I'm with you on that. What a weird question. Well, it turns out some people do. It seems that some people perhaps wonder if their danglers feel left out of the whole, you know, deep penetration testing activity that might go on north of their location. That's a bit security related.


GRAHAM CLULEY. But you know, is this a sex thing? Is this what you're talking about?


CAROLE THERIAULT. Yes, yes. Well, well, you tell me once you see it.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. And, and someone decided that, you know, maybe they too could get in on some of that deep penetration testing activity. So I'm going to introduce you, without further ado, let me introduce you to what must be the most fantastical piece of erotic paraphernalia I've ever seen. The Balldo.


GRAHAM CLULEY. The Balldo.


CAROLE THERIAULT. The Balldo.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. Okay. So check the link in the show notes. Let's have a look. And you can describe it to our listeners.


GRAHAM CLULEY. The world's first ball dildo. How does this work? So— Oh, I'm really confused.


CAROLE THERIAULT. So you have a piece of silicone shaped kind of like a torpedo.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. With two circular holes on either side of the shaft so you can smoosh in your orbs. Yes.


GRAHAM CLULEY. Wouldn't that be rather painful?


CAROLE THERIAULT. Well, yes, it turns out that yes, because journalist Eric Ravenscraft road tested this, and his findings were less than satisfactory. Let me give you a few quotes here from his road test.


GRAHAM CLULEY. Oh, I can see he scored it 2 out of 10. I wonder why it got 2.


CAROLE THERIAULT. Yes, 2 out of 10. This is from Wired. It's apparently, quote, it was challenging with an uncomfortably large girth, requires lubrication, which impedes the application process because, you know, the things slip out. And very awkward angles. So, can I just—


GRAHAM CLULEY. Journalists—


CAROLE THERIAULT. Get sent a lot of shit.


GRAHAM CLULEY. Journalists used to be like Woodward and Bernstein, right? They would investigate Watergate. They would bring down presidents. And The Wired have hired someone to put his cock and balls into a bit of pink silicone, smooshing them in.


CAROLE THERIAULT. Okay, this is not what I think happened. What I think happened is he gets to work, dum-da-dum-da-dum, going through the press releases, dum-da-dum-da-dum, "Balldo, the world's first ball dildo." And he was like, "Hello," and then asked his editor if he could do it, wrote a great story that I actually really giggled at. I found it very fun. So if you want to read it, it's in Wired by Eric Ravenscraft. And the world's first ball dildo. And that is my pick of the week. He calls it a Dadaist interrogation of the very concept of pleasure.


GRAHAM CLULEY. Oh, call me Dada. All right. Well, I have questions, none of which I want to ask on the podcast.


CAROLE THERIAULT. I have not tested it. So you may want to email Eric.


GRAHAM CLULEY. I imagine, Carole, you would find it hard to test. I would hope. Well, thank goodness at the very least that there are vendors out there who like to sponsor our podcast.


CAROLE THERIAULT. I had this really interesting chat all about VPNs with Artur Kane of GoodAccess. Check it out. Shall we crack on and see how we do?


ARTUR KANE. Let's do this.


CAROLE THERIAULT. Okay. So Artur Kane is a chief marketing officer at GoodAccess. GoodAccess is a global company based in the Czech Republic with 10+ years on the market. And this team at GoodAccess is made up of 50 security enthusiasts dedicating themselves to delivering anytime, anywhere secure remote access. Very warm welcome to you, Artur. Thanks for coming on the show.


ARTUR KANE. My pleasure. Great to talk to you finally, Carole. How are you today?


CAROLE THERIAULT. I'm great, thank you. I think you're the first interviewee that's ever asked me that. So thank you very much.


ARTUR KANE. Well, let's make sure that we're all comfortable in our seats here.


CAROLE THERIAULT. Now, we are going to chat about all things VPNs. But first, maybe we should start with the work landscape and how it's changed from your perspective.


ARTUR KANE. Well, it's changed tremendously over the past few years, obviously, since the pandemic kicked in. Most of the workers left the office and started working from home. And immediately companies had to respond and sort of become more digital than ever and make sure all these workers and consultants can access their systems from remote and at the same time be protected. And if the company wasn't ready for that, they had to do quite a lot to, from day one, be able to operate as usual. And so what we see a lot is most of these workers and remote consultants, they tend to use whichever device is at their hand. And suddenly companies lost control over the endpoints and devices that workers use to access critical systems, which increases the potential of data loss, data breach, and other risks.


CAROLE THERIAULT. You're totally right, because you've got workers working from home, they may be using their own machines, they're tunneling in God knows how into the network, they're plugging in their own IoT devices and plugging into their own home network. So it's kind of a nightmare for the IT guy in charge, I imagine.


ARTUR KANE. And, you know, not all companies have IT guys and girls, right? So smaller companies, especially, you know, software developers and marketing consultancy firms, they don't always have an IT department to take care of these things. So it's often, you know, the business C-level owner, co-founder who suddenly needs to, you know, step into the role of IT guy and do this stuff.


CAROLE THERIAULT. Exactly. Okay. So you've got these smaller companies with maybe less IT savviness available. What does this whole new landscape mean for privacy and security at the company?


ARTUR KANE. I would actually start to explain the VPN landscape if you allow me.


CAROLE THERIAULT. Please do.


ARTUR KANE. Most of us know VPNs from the ads on YouTube, you know, telling us that we should protect ourselves and anonymize what we do on the internet and evade surveillance. But VPN has been here for decades, and bigger companies with their IT departments, with their systems hosted in data centers or more recently clouds, had to find a way to create a secure tunnel which is encrypted to access these systems remotely. And VPNs, they served this way for many years. For decades now. The main problem with traditional VPNs, while they establish the point-to-site secure remote access, they usually tend to give free access to whichever site the user is connecting to. So once they get access to the VPN, to the tunnel, they can go to the data center and exploit anything that's in there. So in the modern approach to VPNs, and the modern approach to how we secure network traffic, privacy, and data over the public internet, the concept of zero trust emerged. And zero trust essentially means not providing access to everyone everywhere, but doing use case or role-based access to whichever specific data and systems they need for their work, crucially, and lowering the potential of the business breach, if that makes sense.


CAROLE THERIAULT. Right. So you're, what you're saying is, as well, like zero trust means like, just do not trust that the network is safe.


ARTUR KANE. That's right. And do not trust the user unless they authenticate, unless they provide their identity, unless you provide sufficient rights to do whichever job they need to do necessarily, but not more than that. We can layer the security into, I would say, network, application, data, and users. So on the data side, definitely, we need to check changes, we need to log access to the data for post-compromise analysis. We also need to check for malicious code. But then at the same time, when we don't have the pattern or the database of known codes which antiviruses and IDPS systems use, we check for anomalies in the traffic and strange patterns that may indicate a potential security breach or an attacker trying to— Right.


CAROLE THERIAULT. Okay. Okay. So, let's, uh, maybe we can pivot here. So, imagine I'm a small company, right? And I'm listening to you and I'm going, yeah, I'm not, I'm sure I'm a bit exposed in the stuff I do. You know, what would be my next steps? How would I go about establishing that and making this work? Is it complicated? Do I need an IT guy? How does it work?


ARTUR KANE. So, what I suggest to smaller companies is to focus on technologies that cover most of their use case in a single dashboard. So, instead of trying to deploy VPN for remote access and then working on firewall rules to restrict access and the network access control and then securing endpoints, what modern VPNs delivered from cloud as a service offer is that you sign in, create your team, you add users in there, they download client applications. With their client applications, they can get access to whichever systems they need based on zero trust principles. They're also protected from online threats, which means they carry their security, whichever device they use and wherever they connect from. It shouldn't be that hard. If it is, it's probably not the tool for you.


CAROLE THERIAULT. Tell me, how is GoodAccess making an offer for helping people get started with VPN?


ARTUR KANE. So we believe that, and our driving force of everything we do is the belief that, if businesses want to empower their users with secure and, we call it, anytime, anywhere access to their digital assets, they should be able to do it with no hassle. And in line with that, we recently launched our free version, which is free for up to 100 users, no limitations in terms of bandwidth, speed. There are no ads in there. It's really what we give away to the world for making us happy and making us part of it for the last 14 years. So the easiest thing is to go and create an account, get your 100 users in there. You get online threat protection wherever you browse and whichever sites you go to, and you get secured access to your company resources with that. Of course, if you want to go higher and need to control identity-based zero-trust access, etc., we have paid plans. So just make sure to check whichever features and use cases are for you.


CAROLE THERIAULT. So some people I've heard say, oh, people only use VPNs if they're up to bad stuff, like streaming stuff they shouldn't be streaming and all this. What do you say to that?


ARTUR KANE. That they are right. Uh, most of the VPN market, uh, is consumer VPNs, and many of those consumers are bad actors who are trying to evade surveillance, who are trying to anonymize their service, who are trying to access applications or services that are otherwise not allowed or operating in their country. And consumer VPNs, they create encrypted connections that conceal their identity, location, and information. They provide this sort of anonymity to individual users, and they do use it to bypass content restrictions, etc. This is not the use case for business VPNs. Business VPNs create private connections that complete data privacy and sort of conceal sensitive business data from online threats and unsecure public networks, etc. So what we do is to check whether you are a company before we give you the free product. And then we also check for activities such as abuse. So I do not recommend using BitTorrent when connected to a business VPN. It is a potential security threat to the company operating the VPN. So we help them in the way that we report them such activities.


CAROLE THERIAULT. Right. Okay. So this is definitely not for the home market. This is definitely for small and medium-sized businesses and as well as enterprise businesses, depending on what requirements they have.


ARTUR KANE. That is very much correct, Carole. And if you're an enterprise and you're not into paying for a system integrator to do all your IT for you and you want to do it yourselves, you want to spend more time in strategic activities rather than operating standard technologies like VPN or access control, GoodAccess is definitely the right product for you.


CAROLE THERIAULT. Fantastic. Is there anything else that you want to touch upon?


ARTUR KANE. I just want to say that I do really appreciate everything you do here in Smashing Security. I think you're absolutely the greatest in, you know, spreading the word about what security really means, not trying to necessarily scare everyone with the number of ransomware and breaches, etc., but giving them practical information in, you know, their day-to-day operations. So if there's something to leave with, I'm not going to push any more of GoodAccess and just want to appreciate what you do.


CAROLE THERIAULT. Wow, that's very kind. Now, listeners, as Artur has told us, he does have this fab giveaway if you are a small business. So please visit smashingsecurity.com/goodaccess. That's smashingsecurity.com/goodaccess. Smashingsecurity.com/goodaccess and try the GoodAccess VPN for free for up to 100 users. No limitations, no ads, no tracking. Artur Kane, thank you so much for coming on Smashing Security. It's been a pleasure.


ARTUR KANE. Thank you so much for having me. It, uh, likewise, and hopefully we'll talk soon.


CAROLE THERIAULT. Fantastic.


GRAHAM CLULEY. Oh, that was really interesting. Well done, Carole, and thank you, Artur, for coming on the show as well. And that just about wraps up the show for this week. You can follow us on Twitter @SmashinSecurity, no G, Twitter won't allow us to have a G. And we also have a Smashing Security subreddit. And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.


CAROLE THERIAULT. And massive shout out to this episode's sponsors, Kolide, GoodAccess, and Rumble, and of course to our wonderful Patreon community. It's thanks to them all this show's free. For episode show notes, sponsorship information, guest list, and the entire back catalog of more than 273 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio, bye-bye. Bye.


CAROLE THERIAULT. Do you want to redo the beginning of my pick of the week?


GRAHAM CLULEY. Why? What did I say?


CAROLE THERIAULT. Because you had no idea. Were you— did you really not know what I was talking about?


GRAHAM CLULEY. No, I hadn't clicked on it. I couldn't understand. So, so, with the Balldo, you actually put your balls—


CAROLE THERIAULT. You shove your testes into that hole.


GRAHAM CLULEY. And that then goes into your sexual partner as well as your penis.


CAROLE THERIAULT. Well, whatever order— No, not your penis.


GRAHAM CLULEY. What?


CAROLE THERIAULT. Not your penis. Your penis is just lying around.


GRAHAM CLULEY. What?


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. What, off the dining room table? Where have you left your penis? Have you ever had sex? You can't detach your penis. We're not octopuses or something. Or seahorses. Who— What's the animal which— I don't— Actually, I'm not sure any animal detaches its penis. I'm—


CAROLE THERIAULT. No, there is one. There is one.


GRAHAM CLULEY. Is there?


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Does it have its own little outboard motor or something for getting around? It breaks off.


CAROLE THERIAULT. It just breaks it off and goes, "I'm bored now. Bye. You can keep it. Keep the change. Keep the tip." Oh my goodness.


GRAHAM CLULEY. Let's just stop recording.

-- TRANSCRIPT ENDS --