Watch out for a whole different type of shoulder-surfing, researchers uncover the CostaRicto hackers-for-hire gang, and we take a peek at who is behind Parler.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Chris Cochran from the Hacker Valley Studio podcast.
Visit https://www.smashingsecurity.com/205 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: Chris Cochran.
Sponsored By:
- Recorded Future: Recorded Future empowers your organization, revealing unknown threats before they impact your business, and helping your teams respond to alerts 10 times faster. How does it do this? By automatically collecting and analyzing intelligence from technical, open web, and dark web sources.
- For up-to-the-minute security intelligence that can help you make fast and confident security decisions, install the free browser extension Recorded Future Express.
- Get it now at smashingsecurity.com/recordedfuture
- LastPass: LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
- But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
- Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Links:
- Hackers could now know what people type on Zoom video call by evaluating the shoulder movement of users — Digital Information World.
- Zoom on the Keystrokes: Exploiting Video Calls for Keystroke Inference Attacks — Cornell University.
- The CostaRicto Campaign: Cyber-Espionage Outsourced — BlackBerry.
- New stealthy hacker-for-hire group mimics state-backed attackers — Bleeping Computer.
- The conservative alternative to Twitter wants to be a place for free speech for all. It turns out, rules still apply — Washington Post.
- Parler: what you need to know about the 'free speech' Twitter alternative — The Conversation.
- What If Cambridge Analytica Owned Its Own Social Network? CA Backer Rebekah Mercer Admits She's A Co-Founder Of Parler — Techdirt.
- Hazel — Automated organization for your Mac from Noodlesoft.
- Make Noise — A creator's guide to podcasting and great audio storytelling by Eric Nuzum.
- Rendevous C'était un Rendez vous 1976 — YouTube.
- C'etait un Rendezvous, The Original Street Racing Video — YouTube documentary.
- C'était un rendez-vous — Wikipedia.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
CAROLE THERIAULT. Hi everybody, Carole Theriault from Smashing Security here, and this is just a quick shout out to all you Patreon supporters that help us week in, week out make this show. This week, shout out goes to Mikey Wells, Raffaele the Doctor, Gepenst, Pavel Ponomarev, Jessica Orth, Nigel Scott, Martin Chapman, Yan Su, Xylar, and William Reddig. Huge thanks to you all. Especially those of you that make me use Google Translate to try and get your names right. Now, if you want to join this incredible group of people, you need only go to smashingsecurity.com/patreon. But if you're fine just as you are, we love you too. Stay safe, stay warm, remember to smile as often as you can. All right, let's get the show on the road.
GRAHAM CLULEY. And so if you were a bit of a rubbish country, I'm not going to name— What, like UK? We could.
CAROLE THERIAULT. I'm sorry, you're not a rubbish country. I was just like, which one? Which is a shit country, Graham?
GRAHAM CLULEY. Well, hang on, let me just look up our stats.
CHRIS COCHRAN. And with one listener.
UNKNOWN. Smashing Security, episode 205. Zoom password pinching and Parler problems with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 205. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. Hello, Carole.
CAROLE THERIAULT. Hello, Groom.
GRAHAM CLULEY. And we are— what? And we are joined this week by someone who's brand new to the podcast, but not new to security podcasts. It's Chris Cochran from the Hacker Valley Studio podcast.
CAROLE THERIAULT. Yay!
CHRIS COCHRAN. Hello, hello. How's it going?
CAROLE THERIAULT. Welcome, Chris.
CHRIS COCHRAN. Thank you. Glad to be here.
CAROLE THERIAULT. Chris, Smashing Security virgin.
CHRIS COCHRAN. Yes. You know, it's funny. I started podcasting about two years ago, and this was actually one of the first goals that I had was to be on the show.
CAROLE THERIAULT. Oh, wow.
CHRIS COCHRAN. No joke.
CAROLE THERIAULT. Well, you know, sit in your royal throne, darling, and enjoy it.
CHRIS COCHRAN. Love it. I'm going to take up every moment of time that I can and just bask in it.
GRAHAM CLULEY. And Hacker Valley Studios just celebrated, well, just a few weeks ago, its 100th episode, hasn't it? Well done. What an achievement.
CHRIS COCHRAN. Thank you. Thank you. Yeah, it's flown by, but I love every minute of it.
GRAHAM CLULEY. For those people who haven't heard the Hacker Valley Studio, how would you describe it?
CHRIS COCHRAN. Yeah. So Hacker Valley Studio, we're all about exploring the human condition to inspire folks to do their peak performance in cybersecurity. So really we look at the fringes of cybersecurity. Like, as you saw, we had Grandmaster Maurice Ashley on the podcast. So we talk about strategy and how to succeed and become somebody in the thing that you want to do.
CAROLE THERIAULT. Very cool.
GRAHAM CLULEY. I thought that's very cool you had a chess grandmaster on, because when we had Garry Kasparov on our show, all we did was ask him about Animal Crossing. So yeah, you made better use, I think, of Maurice.
CAROLE THERIAULT. He hadn't played, unfortunately.
GRAHAM CLULEY. Carole, what's coming up on the show this week?
CAROLE THERIAULT. Well, first, let's thank this week's sponsors, Recorded Future and LastPass. Their support helps us give you this show for free. Now, coming up on today's show, Graham tells us about an unusual way to steal passwords on a Zoom call. Chris talks about a mercenary hacker group, and I see why people are talking about social platform Parler. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, chums, I want you to picture the scene. There you are. In the office and imagine maybe you have one actually. Imagine you had a business rival, an arch enemy in the office. Have you ever had an arch enemy in your office?
CHRIS COCHRAN. All the time.
GRAHAM CLULEY. Yeah. What, what sort of arch, what arch enemy did you have, Chris? I mean, don't name them obviously, but how did they, what was, what was going on with them?
CHRIS COCHRAN. Yeah, it's usually children because I was a dancer. I'm serious. I was the dancer and I did a dance competition and Hang on a moment.
GRAHAM CLULEY. You were a professional dancer?
CHRIS COCHRAN. I was.
CAROLE THERIAULT. Do you mean like a funk dancer? Do you mean like a ballet dancer?
CHRIS COCHRAN. Street dance. Yeah. So funk style.
GRAHAM CLULEY. Oh my goodness.
CHRIS COCHRAN. And I did a competition and I was killing the game. It was fantastic. I knew I was going to win. And then they let a little girl in the competition. And like inside, I just knew that was the end for me. And she could have done whatever she wanted to. She could have sat on the stage, sucked her thumb, and then she would've destroyed me. But she actually did phenomenal. And I was like, okay, at least I lost to a great dancer. But yeah.
GRAHAM CLULEY. Wow. So, Carole, have you ever had enemies in the office?
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. Do you wanna give us any details? Anyone I know?
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. Right, okay.
CAROLE THERIAULT. You know them quite intimately.
GRAHAM CLULEY. I know them very well, Carole.
CAROLE THERIAULT. No, no.
GRAHAM CLULEY. Well, sometimes bitter rivalries do brew up, don't they, in the office? And you might want to get the better of them. Right? You might want to maybe steal some information or have the upper hand against your work nemesis, but maybe they're wise to phishing attacks. Maybe they don't click on your malicious links. Maybe they haven't chosen dumb passwords. What are you going to do to get better than them? To drag yourself ahead of them? Because there they are, brown-nosing up to your boss all the time, smarming away, "Mm, mm, mm," every week on the catch-up call with the rest of the team.
CAROLE THERIAULT. "Oh, and you know what else that I did? I'll tell you. Let me list all my achievements this week." That kind of person?
GRAHAM CLULEY. That kind of person. You do that so well, Carole. If only you could get the better of them. If only you could find out their dirty secrets or sneak an advantage.
CAROLE THERIAULT. Are you talking about a whack job?
GRAHAM CLULEY. See what they're— No, no, no, no, no. Okay, good. If you could just see what they were planning to present, then you could steal their thunder. You could get in before them. It's like, "Ahahaha!" So what you need, what you need is their password, right? So imagine you're in that mentality.
CAROLE THERIAULT. And you decide, I want to get illegal. Okay, carry on.
GRAHAM CLULEY. And I want to get illegal. I'm prepared to break some rules.
CAROLE THERIAULT. And laws.
GRAHAM CLULEY. Yeah. So how are you going to get it? Because they're not going to click on your phishing link. They haven't chosen a dumb password. They're not going to install malware. And you're all working remotely. You don't even have access to their computer. But the one thing which brings you together each week is a Zoom call or a Skype call or a Hangout, or a house party, or whatever it is.
CAROLE THERIAULT. Well, I think before that I would have probably gone and visited their social media, lurked around their LinkedIn and stuff like that, maybe. If my goal was to try and find their password. Alright.
GRAHAM CLULEY. Well, I'm going to give you a different method. Okay. Because researchers have been exploring how to steal someone's password via a video call, and it's entirely app independent. Doesn't matter which video calling system you're using. They say there's a chance you could find out their password just by having a video call. Now, it ain't easy, right?
CAROLE THERIAULT. It's not. I'm just waiting to hear it before I— It's not easy. Yeah, I can't wait to hear this. Okay, so just from a video call, just a video call.
GRAHAM CLULEY. Yes. And these researchers, they're not dumbos, Carole.
CAROLE THERIAULT. These— I don't even know where they're from yet. You haven't said.
GRAHAM CLULEY. They're from the University of Texas at San Antonio and the University of Oklahoma.
CAROLE THERIAULT. Shout out to the guys and the girls there. Yeah.
GRAHAM CLULEY. They have worked out how to steal people's passwords using a video call. Okay. And obviously, security in video conferencing systems has been under the spotlight because of Zoom. There's now end-to-end encryption, so calls can't be intercepted or eavesdropped upon. People have got strong passwords, multifactor authentication.
CAROLE THERIAULT. It's like an episode of Horizon, you know, like they're gonna tell you like the big reveal and they always wait to the 50th minute to say, "And this is why." You're excited, aren't you? This is what's happening right now. Okay, carry on.
GRAHAM CLULEY. You're excited, right? Yeah. So. Drum roll. Things like end-to-end encryption, that doesn't actually help you if your adversary is present on the other end of the video call. So if you're having a legitimate video call with someone, it doesn't matter that the conversation's encrypted because you can see what they're doing.
CAROLE THERIAULT. And they could record you and they can see what you're doing behind you.
GRAHAM CLULEY. Yeah. Right. Right. So. Okay.
CAROLE THERIAULT. That's not the reveal. Okay. Are you ready?
GRAHAM CLULEY. Are you ready for me to reveal what the technique is?
CHRIS COCHRAN. I'm excited.
GRAHAM CLULEY. It is exciting, isn't it? These researchers at these American universities, they've been looking into people's typing styles and they said, There's 3 methods. You can split all types of typist into 3 groups. There's the hunter and pecker is sort of, uh, which button do I press now? There's the touch typing sort. You just obviously use the keyboard a lot. And there's hybrid, which basically means they couldn't think of a third, but it's like a mishmash of the others because some characters you can't do easily, like the hash symbol, right? That's always difficult for me working out what key combination I have to press or a pipe or something like that. So there's hybrid, there's touch typing, and hunting and pecking. Okay, so those are the 3 groups of typists.
CAROLE THERIAULT. Those are the 3 types of typists. Okay, sounds super researchy so far. Okay.
GRAHAM CLULEY. If you're trying to find out someone's password, first thing is you need to consider that there's different ways of typing. You also need to consider the different types of keyboard. Because some keyboards are very clacky, right?
CAROLE THERIAULT. Yeah. You have those bendy ones, those ergonomic bendy wendy ones. Those are crazy. Yeah. Don't you? And you get those ones that roll up like cigars, you know, the soft foldy ones. Yes.
GRAHAM CLULEY. And you get membrane keyboards, you know, which don't make a lot of noise. So your first thought might be, well, maybe I can do some analysis on the sound as people are typing on the video call. And these researchers say, well, they looked into that, but it's not really very effective because there's all kinds of noises going on in the call anyway, which mess things up. And audio on video calls isn't that great anyway, which is why we're not doing this as a video call right now, right? We've just connected. Well, there's more reasons than that that we're not doing a video call, Graham. So I'm going to explain what they do. Okay, fuck. Nice. You get on the video call, right? And the researchers say you observe the typing behaviour and you attempt to detect if typing is taking place off screen, because obviously the webcam isn't pointed at your keyboard. So what these researchers do, they say, is they're able to look at the micro movements in people's shoulders and upper arms and work out what you might be typing. Oh my God.
CAROLE THERIAULT. Okay. You know what? I have the defense for this. Right. Okay. Tell me. It's really good.
GRAHAM CLULEY. All right. Shoulder pads. Shoulder pads. Exactly. Yes. Joan Collins, Dynasty style, 1980s. Yes. Wear shoulder pads, hide your shoulders. I think that's genius. And it's cheap and it's easy.
CHRIS COCHRAN. Yep. What if you dance while you actually type in your password and shake your shoulders? You know, you can shake them back and forth. Like, you would never know.
CAROLE THERIAULT. You would never know.
GRAHAM CLULEY. I couldn't dance for two reasons. I'm English and technical. So I don't think I could do it.
CAROLE THERIAULT. But— Well, Graham, this is serious news you're sharing with us here.
GRAHAM CLULEY. So seriously, they've produced this research paper, and I will link to it in the show notes, where they've looked at all the muscles and the bones in your arms and the ways in which just a small movement of your fingers, left or right, up or down, or as they call it, north, south, east, west, can begin to identify what key you are heading for.
CAROLE THERIAULT. Who is funding this frickin' research? I know you don't even know. I know— see, this is what I would want to know right away, and I know you wouldn't even think about going to research that, but who is funding this research?
GRAHAM CLULEY. I don't know. I think it's just students, isn't it? This is the sort of thing students do. They have to come up with something. So they think, oh, what are we gonna do? And there they are smoking on a doobie or something. So I've got a crazy idea. Let's look for another one.
CAROLE THERIAULT. I don't think doobies are legal in Texas yet, Graham. Oh, okay. No, they're not.
GRAHAM CLULEY. I mean, this is a serious research paper. It's a PDF and everything. It's about 17 pages long.
CAROLE THERIAULT. It's got a university stamp.
GRAHAM CLULEY. Yeah, it's got a university sticker on it. So what we need to do is we need to somehow protect against this problem because they also say that this is a problem which has become more serious because of the increased quality in webcams. 'Cause everyone's been upgrading their webcam because they're stuck at home? Yes, Chris.
CAROLE THERIAULT. Why are people typing in their passwords in front of Zoom? Ah, I'll tell you. Oh, because their screen's locked because they get so bored of listening to the call, they don't do anything?
GRAHAM CLULEY. Maybe, or maybe the call is so dull that you log into a personal pursuit website. Or maybe it's not the password you're after. Maybe you're simply after a URL or a credit card number or who knows what.
CAROLE THERIAULT. Ah, so password managers are the answer, I guess.
GRAHAM CLULEY. Well, yeah, but I think your idea, Carole, of the shoulder pads is much better. Or you could dress up as an American footballer because they have big shoulders.
CAROLE THERIAULT. That's not really their shoulders, honey. That's like actually shoulder pads. Is it? To protect them from like injury and stuff. I have some other ideas.
GRAHAM CLULEY. So the software which they produced does a little bit of, you know, artificial intelligence, an analysis of the image to work out where your head is, and they make assumptions as to where your arms are compared to your head, right? And where your shoulders are, because most people have them more or less in the same place.
CAROLE THERIAULT. Okay, so you're gonna dress as an— you're gonna get a papier-mâché giraffe head. Right.
GRAHAM CLULEY. Just to confuse them. I think you could do that, or you could have a fancy dress costume and dress up as an octopus. Or if you were a fly, not actually a real fly, but if you had more than one arm, you could do that.
CAROLE THERIAULT. Another perhaps more viable solution is learning to type with your feet. Oh yeah. Oh no, that's a really good idea.
GRAHAM CLULEY. Right? And then you can have a USB keyboard.
CAROLE THERIAULT. Put that on the floor. Chicky, chicky, chick, chick. Right?
GRAHAM CLULEY. No problem. No problem at all.
CHRIS COCHRAN. How effective was this software?
CAROLE THERIAULT. Well— Good question, Chris. I like Chris.
GRAHAM CLULEY. They said they were able to work out some passwords from it. Now, it seems it was much better when people chose a particularly dumb password. So, for instance, if they used a dictionary—
CAROLE THERIAULT. Bob was easy to tell.
GRAHAM CLULEY. The letter A repeated, AAAA. No, they said, they said if it was a dictionary word. So, what they do is they feed the software common passwords or common dictionary words, which they're looking for. And that helps them begin to identify what the most likely word is if your hand and your shoulder indicate that you've gone left on the keyboard or up or whatever. And so they're trying to make a guess. So they did have some success, but they also came up with some solutions. So having dreamt up this frankly ridiculous threat—
CAROLE THERIAULT. Do any of them compete with mine? The shoulder pads?
GRAHAM CLULEY. Carole Theriault. No, not really. They came up with ideas like pixelation. So what they should do is people are only really interested in your head. On the Zoom call. And so the rest of your body should be pixelated or blurred.
CAROLE THERIAULT. So, okay. Yes. So, you know, when you're on Zoom and you have those like virtual backgrounds, right? So instead of having your whole body, it would just be this tiny little sun-like thing of your face.
GRAHAM CLULEY. Or it could superimpose lots of other arms randomly onto the thing. Or maybe—
CHRIS COCHRAN. You're thinking too much. You're thinking way too much. All you need is some grease on the camera and you won't be able to see anything.
GRAHAM CLULEY. Or just a cover for the webcam. Charlie just put up the webcam.
CAROLE THERIAULT. No, but I wonder if that's a good idea for all these people who have to do their exams at home. Just put a tiny bit of Vaseline on the camera, right? And go, "Look, I don't know, I'm sorry."
GRAHAM CLULEY. "It's the best thing I can do." Or, "It's a bit steamy in here. You know, I was cooking." That's why some of it missed me.
CAROLE THERIAULT. I think you're gonna be in the shower again. Yes. Yeah, I'm in the shower. I just thought I'd do my exam from here, my Zoom call. Multitasking.
GRAHAM CLULEY. You could maybe have some fake arms, like if you had a shop dummy. Okay, you're obsessed with fake arms. It's like the fifth time you've brought it up.
CAROLE THERIAULT. It's like octopus arms, different arms. Okay, I've got another idea.
GRAHAM CLULEY. You know if you go to the seaside in Britain, and maybe in other places which probably have seascapes as well, you get those cutout things where you stick your head through and you have your photograph taken and it looks like you're somebody else, like a fat person on the beach or something, right? Mm-hmm. If you had one of those, and if you went onto your Zoom call with one of those, you just stick. You wouldn't be able to type anything, of course, 'cause your arms wouldn't be able to come through.
CAROLE THERIAULT. Or you could get, you know those things that they often have outside of car dealerships? Those kind of blow-up kind of columns that get with the air? Oh yes. You could have two of them over each shoulder, right? With fans underneath. Just wiggle, wiggle, wiggle, wiggle.
GRAHAM CLULEY. Anyway, this is a whole new security threat. This, which has been uncovered by the University of Texas, as I said. Thank you, University of Texas.
CAROLE THERIAULT. And the University of Texas.
GRAHAM CLULEY. And whoever's funding this project. More than one university has been working on this. I think it was a jolly interesting paper. I'm not sure it was that serious a threat, to be honest, but maybe in some extreme circumstances it might be. I suppose maybe the best advice of all is just choose a really strong complex password and don't type it in while you're on a Zoom call or get a worse webcam. Like, or Chris's idea of get some grease.
CAROLE THERIAULT. Have you identified any threat that actually uses this method for password collection? Not yet, Carole, not yet.
GRAHAM CLULEY. But now the research is out there.
CAROLE THERIAULT. Take heed, you say.
GRAHAM CLULEY. Now it's been published publicly. Who knows what threat actors are exploiting this? Hard to say, isn't it? Chris, I'm sorry.
CHRIS COCHRAN. This would be a hard one to pull off. You'd have to say, "Hello, I made this meeting for no reason and you don't know me, but please type in your password now." And you'd be like, "Okay, sure." I don't think that's gonna work.
GRAHAM CLULEY. You don't think it's gonna work? I don't think so. Okay. You've just been a bit laid back about it. Some people might say you've just been a bit blasé.
CAROLE THERIAULT. Yeah. Some people might say you're a little QAnon-y for bringing this up. I don't know.
GRAHAM CLULEY. On which note, Chris, what's your story for us this week?
CHRIS COCHRAN. So there have been hackers for hire in the past and there's a new one on the streets. There's a new hacker for hire group tracked as CostaRicto.
CAROLE THERIAULT. Costa Rito? Costa Rito. Oh, so okay, difficult name to spell.
GRAHAM CLULEY. Yeah, like Costa Rica, but with a toe on the end.
CHRIS COCHRAN. That seems to be the theme for most cybersecurity companies. They want to make things hard to pronounce, and that still might be wrong. Um, but yeah, BlackBerry Research, uh, the reason they believe it's a mercenary group is because they are targeting all over the place, different countries, different industries. And what's interesting from a threat intelligence perspective is that you're not gonna know or be able to predict where they're going next because they're hackers for hire, so they will go where the money takes them.
CAROLE THERIAULT. Oh, so you can't follow them as a pattern of them, they always go after, you know, single widows, for example, to get their cash or whatever, or these type of businesses.
CHRIS COCHRAN. Right, exactly. You just never know. They could go wherever the money takes them.
GRAHAM CLULEY. Okay. So this CostaRicto hacking group, are they hacking little old ladies or are they hacking sort of more serious organizations? No, it seems like that they're hacking serious organizations.
CHRIS COCHRAN. They might be going after governments, things like that, because they believe that those are the types of folks that are hiring them. So government entities, to give them a little bit of that separation between who is actually doing the operations. And that's another thing that's interesting from an intelligence perspective, because you might think it's this team, but really it's X country. So that really can muddy the waters in terms of attribution. Right.
CAROLE THERIAULT. Yeah. Like obfuscate the route to who owns it, who's doing it? Make it all complicated so that no jurisdiction can actually take control of it and do some research.
GRAHAM CLULEY. And so if you were a bit of a rubbish country, I'm not going to name—
CAROLE THERIAULT. What, like UK? I'm sorry, you're not a rubbish country. I was just like, which one? Which is a shit country, Graham?
GRAHAM CLULEY. Well, hang on, let me just look up our stats.
CHRIS COCHRAN. And with one listener.
GRAHAM CLULEY. I think, I think the Pitcairn Islands. So if you were the Pitcairn Islands, then, and you thought, oh man, you know, we're never getting any headlines for our state-sponsored hacking. We haven't got much resource here on the island to do some hacking. They would approach a group like CostaRicto and say, hey, can you do some hacking for us to find out what other islands in the Pacific might be up to? Exactly. Or stealing information.
CAROLE THERIAULT. And what about how they hack? There's no kind of pattern, I guess. They just do whatever they want.
CHRIS COCHRAN. There is a little bit of a pattern because they use their own malware. So you could go based off of that, but they don't know whether that malware came from this group or they hired another group to build it for them. So there's that. There's some behavioral stuff that they can track, like some tunneling stuff. But again, that could be anybody. So tracking them is going to be unique.
GRAHAM CLULEY. So I'm imagining, so countries who want to, or intelligence agencies who want to hire CostaRicto to do some dirty work for them, they presumably have to go to some murky area on the web and do a deal and negotiate in some way. How does that intelligence agency know they're dealing with the real CostaRicto gang and not— here's an idea for anyone enterprising who's listening— and not some fake CostaRicto hacking gang who's gonna scam— because it'll all be cryptocurrency, won't it— who will scam the intelligence agency or the country into paying them to do something, and then they'll not do anything. Yeah, I don't know.
CHRIS COCHRAN. I don't know how they're going to do it. I don't know how they recruit. What kind of question is that? How do you get recruited for a hacking mercenary group? Oh yeah, I'm, I'm retired, we need you to come back in, you know, that type of thing. Is it like that? You go and get the retired hackers?
CAROLE THERIAULT. Rudy Giuliani calls you up as the cybersecurity czar, right? Or the equivalent of any other country.
GRAHAM CLULEY. Are you suggesting, Carole, that the CostaRicto hacking gang are actually based at the Four Seasons Landscaping escape in. Any excuse. Anyway, so interesting question you've got there, Chris, which is how are they going to hire members of their team? Because it would be a bit like bringing in Stallone, wouldn't it? Or— How would I hire these people?
CAROLE THERIAULT. Let's say I wanted to just, you know, crack down on you, Graham. Just crack down on you.
GRAHAM CLULEY. Right. Because the attempt to steal my password via Zoom failed for some reason. I dressed up as an octopus.
CAROLE THERIAULT. Couldn't see through your shoulders what movements you were doing.
CHRIS COCHRAN. Your shirt was just too Way too many fake arms attached to his body.
GRAHAM CLULEY. I was typing with my toes again.
CAROLE THERIAULT. He was using an octopus, you know, virtual background. I couldn't tell.
GRAHAM CLULEY. So you'd have to try and hire CostaRicto, girls. So what do I just go?
CAROLE THERIAULT. CostaRicto.com? Go yo, yo, yo, guys.
CHRIS COCHRAN. I don't think so. Cause that's, that's BlackBerry's name for them. So they probably have some other cool ominous name that no one knows.
GRAHAM CLULEY. Bob Smith. There you go. They haven't really thought this through at all, have they? I need a bit of help with this. Their marketing is crazy. Maybe they should sponsor our podcast, Carole.
CAROLE THERIAULT. Hey.
GRAHAM CLULEY. Carole, what have you got for us this week?
CAROLE THERIAULT. Okay, parlay, parlay, parlay, guys. Have you heard of parlay?
CHRIS COCHRAN. So the only time I've heard parlay is in the Pirates of the Caribbean movie where you want to talk to the captain of the ship. I know.
CAROLE THERIAULT. I love that expression so much. Let's parlay. Yeah. I love that. I say that to my husband when we're having a fight. You know, like a silent war, I'll go, "Look, we need to parlay." And the guy grabbed it from, I don't know, some TV show, but it was great.
GRAHAM CLULEY. I watch a show sometimes about art and forgeries, and they're always talking about the provenance. Yes. And I love a bit of provenance.
CAROLE THERIAULT. Just because that has nothing to do with parlaying. No, no, but it begins with the letter P. Yeah, it does. And it's French. So that's well done.
CHRIS COCHRAN. Thank you. Good job, Graham.
CAROLE THERIAULT. He's so cool. Okay, so Parler, for those that don't know, is an American microblogging and social networking service, right? It launched about two years ago, so brand new-ish. And recently they've seen a huge uptick in users, but they've also been getting some heat. So I say, gentlemen, let's grab our trowels and let's do a little digging and see what's going on. So if you go first to like the Parler website or in their messaging, Parler is an unbiased social platform focused on open dialogue and user engagement. We allow free speech and we do not censor ideas, political parties, or ideologies. We protect your privacy and we'll never sell your personal data. Log in, sign up, right? So it started with this messaging and it was bubbling along slowly, but then it kind of burst into the spotlight this past June. And this is when Twitter had labeled 5 of the current president's tweets with warnings that perhaps the information was not based in 100% truth. And Trump retaliated by signing an executive order that opened the door for an internet shield law to be considered. And then Facebook announced it would start labeling posts. The Trump campaign even publicly declared that it might decamp from Facebook and Twitter and refocus its efforts through Parler. Surprise, surprise, Parler got an upshot of users, possibly because the Trump campaign had given it some endorsement, but also because it markets itself as a free speech and unbiased alternative to Twitter and Facebook. The go-to place for people who may have been banned from mainstream social networks as well.
GRAHAM CLULEY. People who've got something offensive to say, here is your home. 'If you're worried about— if you've been thrown off another system, because I don't know, you've said something grossly and utterly horrible, don't worry, come here, because you can definitely do it here,' right? Is the basic message. Okay, so I think that's true.
CAROLE THERIAULT. But there's also a group of people which may have been kind of marginally radicalised by the amount of power that these technology firms, Facebook, Twitter, have over being able to censor information, right? I can understand there'd be a group of people that say, 'You know what, I don't think that's fair. I want to go somewhere else.' And certainly Parler is advertising itself as that, right? Yeah. And you've got, you know, Trump's endorsement of, you know, well, I might go if you don't do what I want. Now, the chief executive and co-founder of the company is called John Matze, right? And he said, quote, we initially attracted conservative users because they felt disenfranchised by other social media platforms. And he is right, because conservative influencers such as Katie Hopkins, Laura Loomer, and Alex Jones have sought refuge on Parler after being banned from other platforms.
GRAHAM CLULEY. Yep, you're really selling it to me.
CAROLE THERIAULT. Yeah. The thing is, journalists have now kind of done, you know, because they grew suddenly, they had a real uptick at this time. So, you know, people started digging around, and journalists and users have been criticizing the service for its content policies that some are saying are more restrictive than the company portrays. Oh, um, they're kind of flying in the face of the free speech banner, right? Right. Huh. There's a number of rules like they have, like, you're not gonna, you know, we can't, we're not gonna have violence, we're not gonna have hate, we're not gonna have this, we're not gonna have that. But he also added, building off the company's existing guidelines, when you disagree with someone, posting pictures of your fecal matter in the comments section will not be tolerated, said the CEO of Parler. So that's the kind of thing they want to, they want to censor.
GRAHAM CLULEY. It's really specific. I know, it's so weird.
CAROLE THERIAULT. However, by the CEO's own admission, they seem to have what they are calling a troll problem. And that has to do with a group of people that seem to hold a different ideology. And this ideology clash is basically causing Parler to up its moderator game. Right. And even the CEO misses lunch, right? Too distracted by banning these trolls, quote unquote, that he calls them. He, Matze, this is the CEO, says he knows the leftist trolls. He knows their ages because some have verified their accounts, coughing up selfies and driver's licenses and passports. And some are saying that's quite a high set of unusual requirements for proving identity and registering for an online account.
GRAHAM CLULEY. Well, this is the thing which I'd heard about it, which was, yes, to get a verified account, to get the equivalent of a tick, you have to scan in the front and back of your driving licence as well as a selfie.
CAROLE THERIAULT. And sometimes social insurance number I've read as well.
GRAHAM CLULEY. If it's being stored securely, then maybe that's all right. But there has to be a bit of a worry about that because people want to feel comfortable saying what they're going to say without repercussions, and now the company will know who you really are.
CAROLE THERIAULT. Mm-hmm. Right? Let's assume that they're keeping their data super, super encrypted. No one can get to it just for the rest of the story. And then at the end, I want to know whether you'd use Parler, right? Uh-huh. Okay. So in talking about these trolls, right, as Matze labeled them, and he's saying that some are making it unpleasant for the app's conservative users to post and interact with each other. Quote, they're trying to get people to have a bad experience and leave. We've got a big army of volunteers to help take care of this. It's going to be handled within 48 hours. So there's this whole free speech question, right? Like you have free speech, but only if you do what we like you to do. And free speech is a whole weird thing in the digital world anyway, because presumably spammers could be, you know, that's free speech, surely, to get your message out, right? But yet we stop spam.
GRAHAM CLULEY. But if I create an app, Carole, right? Which is, you know, and I invite people to join if they want to, can I not as the app owner decide who I want to come to my party and who doesn't come to my party? Because that's how it would work at a dinner party, right? If I find someone objectionable, if they say something or they behave in a way I don't like, then I'm allowed to say, well, actually, you can't come to my dinner party.
CAROLE THERIAULT. Sure, if you want to be a dictator and not a democratic app provider. Sure.
GRAHAM CLULEY. Well, you know, I just—
CAROLE THERIAULT. so you're gonna choose— so you're gonna be like that cake shop that says, oh, I'm sorry, you're gay, no, we're not making cakes for you?
GRAHAM CLULEY. Well, no, I don't want to be like that, but why is that different? All right, okay, interesting.
CAROLE THERIAULT. Anyway, a Wired journalist, Ariel, decided to open an account to see what would happen. Oh yeah. So after she chooses a username, the app prompted her to follow a few of its star users. Okay, the suggestions included the conservative political commentator Sean Hannity. Yes, Sheen, who has called for an exodus from Twitter. Uh, you have internet personalities Diamond and Silk who were throttled by Facebook in 2018 for sharing dangerous content. And you also have conservative talk show host Mark Levin whose Facebook account was recently restricted for repeated sharing of false news, right? So these are people that were actually put on her page saying follow these guys. 5 minutes later, she saw that she had a comment on her intro post. It came from Team Trump. Quote, "Welcome to Parler. Help us make America great again by clicking the link below. Be sure to text TRUMP to 88022." And she navigated to the Team Trump page and they had left this exact comment on many, many other Parler user accounts up to 1.6 million times. So then she's asking, is that spam? Why aren't you controlling that? I didn't ask to receive this. They're obviously sending this crap everywhere.
GRAHAM CLULEY. You don't ask to receive promoted tweets, do you? So companies can pay a little bit of money to Twitter and then tweets begin to appear in your timeline. Isn't that comparable? I mean, presumably Trump has done some kind of deal with the makers of this in order to promote their account.
CAROLE THERIAULT. Okay, good. I'll give you that one too. I'll give you that one too. Okay. So finally, let's see. So you're still, you're in, you're all in, you're all in. I didn't just say I was all in, Carole.
CHRIS COCHRAN. I think he already has an account. He probably freaking does. He might already.
CAROLE THERIAULT. I swear to God. Okay. So the question when it started becoming really much more famous, right? And getting loads and loads of users. It's like, I think it's got like 10 million users now or something like that. Wow. Who the heck is funding this? Right? Like the question I had for you earlier. Now, Mike Masnick from Techdirt writes, there's no big VCs named or known investors behind the company. And it wasn't clear how it was surviving, right? Because it wasn't making any obvious cash at this point. Anyway, so they dig around, they dig around, they dig around and they hit the motherlode. Okay. This was, I think, the Wall Street Journal. And they revealed that Parler was being funded by the Mercer family.
GRAHAM CLULEY. Does that ring any bells to you? Aren't they big Trump supporters or something? Isn't that— or big Republicans?
CAROLE THERIAULT. Yes, they are quite Republican. Let me just tell you. So this is a Wikipedia page. Okay. Robert Leroy Mercer is an American hedge fund manager, former principal investor of the now defunct Cambridge Analytica. Hmm. Oh, Mercer played a key role in the campaign for Brexit by donating data analytics services to Nigel Farage.
GRAHAM CLULEY. Thanks a bunch for that one.
CAROLE THERIAULT. He is also a major funder of organizations supporting right-wing political causes in the US, such as Breitbart News, Donald Trump's 2016 campaign for president, and he's the principal benefactor of the Make America Number One Super PAC.
GRAHAM CLULEY. But Carole, there's nothing really wrong with this, is there? I mean, if he's someone who has maybe right-wing views and he feels that there isn't a place for people with similar opinions to congregate and exchange chit-chat, then he's well within his rights to fund a site which produces an app which does that, isn't he?
CAROLE THERIAULT. Yeah, sure, sure, sure. I'll give you that one too. Now, over this weekend, this last weekend, Rebekah Mercer, Robert Leroy Mercer's daughter, took it up a further notch by claiming that it's not just CEO John Matze that's on the, uh, that's running the show. She was also the co-founder of the company. Here's the working theory from Techdirt. Cambridge Analytica's entire claim to fame was collecting a shit ton of data on people by abusing the rules on an academic personality quiz, wasn't it? From Facebook? Then they used that to target political messages. This is why Facebook got hit by that huge FTC fine because it let Cambridge Analytica extract a bunch of data that it promised it wouldn't.
GRAHAM CLULEY. Are you spinning some conspiracy theory that maybe someone's trying to collect lots more data?
CAROLE THERIAULT. Former Cambridge Analytica data expert Christopher Wylie, who we've talked about on the show before, he was the kind of the brains behind the whole thing who then came clean and went, whoa, I hate what they're doing. Do you remember? Yeah, yeah. He had pink hair. Yes. Noted this weekend that the Mercers had always wanted their own social media network in order to cut the middleman out and collect the data directly. Right. How interesting. Right? So you have some bona fide rich conservatives who have expressed publicly a wish to run their own social media platform, at least in front of Christopher Wylie. And they really wanted to collect the data directly. And they had their thumbs right in Cambridge Analytica's. And presto, now they have Parler. And they say obviously on their website that they don't share any data with anybody. But if you read their privacy policy, I need a jingle when I say privacy policy. They say that, you know, your information can be used for marketing purposes and they also can remove any content that you put on. So Graham, if you still decide to go on, just know that they can remove any content and terminate your access to the service at any time for any reason or no reason.
GRAHAM CLULEY. So, yes, that's the equivalent of me whipping away the plate with your beef Wellington, you see, if you've just been rude. To the hostess of the dinner, I would take it away. See, it's the same principle, Carole, same principle.
CAROLE THERIAULT. I think it's a bit worse than that, but I completely respect your opinion and I am not going to try and shut it down.
GRAHAM CLULEY. This episode of Smashing Security is sponsored by LastPass. Now everyone knows about LastPass's password manager for end users, but it's also a great solution for businesses. In fact, tens of thousands of companies rely upon LastPass to protect themselves. LastPass Enterprise simplifies password management for companies of all sizes and helps you secure your workforce. So, whatever the size of your business, go and check it out. Go and visit lastpass.com/smashing to find out more. And thanks to LastPass for supporting the show. Smashing Security is sponsored this week by Recorded Future. They empower organizations, revealing unknown threats before they impact a business, helping teams respond to alerts 10 times faster. Recorded Future does this by automatically collecting and analyzing intelligence from technical, open web, and dark web sources. Well, you too can access the up-to-the-minute security intelligence that allows Recorded Future clients to make fast, confident security decisions by installing their free browser extension, Recorded Future Express. Go and grab it now at smashingsecurity.com/recordedfuture. That's smashingsecurity.com/recordedfuture. And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CHRIS COCHRAN. Pick of the Week. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily. Better not be. Well, my Pick of the Week this week is not security-related. It is a useful tool which I use on all of my Apple Macs and my MacBooks as well. It is a tool called Hazel, and it is effectively a digital housekeeper. What it does is it monitors folders on your computer, and when it sees certain things happen in the folder, like a new file appear for instance, it will run a series of rules over it. And so you can create a rule to automate files being moved or sorted or renamed and other functions as well. And you can create quite complicated rules on each folder on your Mac to get to do the really menial tasks that frankly you consider beyond you, and that's why you've hired Hazel to help you do it instead. So for instance, I've got rules which if I take a screenshot rather than cluttering up my desktop. So lots of people on their desktop, they've just got hundreds and hundreds and hundreds of icons, right? That's me. Yeah, me too.
CAROLE THERIAULT. I would find that— Can I just interrupt for a second? Yes. Not only that, but when my desktop gets full, I create a folder called Desktop ABX and then I just throw everything in. And then when I get too many folders, I throw them all into a folder called 123.
GRAHAM CLULEY. Like, it's ridiculous. You are— okay, you need something like Hazel. Me too.
CAROLE THERIAULT. No, well, if you'll set it up for me completely, I'm listening. But otherwise, no, I have search.
GRAHAM CLULEY. I just, I rely on search. Okay, well, it would just fry my brain to work the way you are working. So what it would do is it would take different kinds of files which it sees on, for instance, your desktop, and then it could file them away into subfolders automatically. So you could file all the MP3 files, all the screenshots, all of the, I don't know, Word documents or whatever it is. And you can even get cleverer than that. You could change their names to include the date, and you could put them into subfolders. I've got a script or a rule running in my Hazel on my computer, so if I take a screenshot, maybe for an article I'm writing on my blog, it will automatically run an AppleScript which will then optimize it to reduce the size of the image because I don't want really big fat images, it will remove any EXIF metadata and then convert it to the correct file format that I want. So if it was a GIF, for instance, it will change it into a JPEG or whatever it is. Or Carole, if I dump a podcast, an MP3 file into a folder, it will share it with you or it'll put it into an archive and make sure that we have a backup of it. So just all those menial sort of really sort of spring cleaning kind of activities. Tidy maintenance, it will do all for me.
CAROLE THERIAULT. So can you, can you buy it for my husband for Christmas so that he could do it on my system? Yeah, sure.
GRAHAM CLULEY. It doesn't, it doesn't cost very much as far as I remember. Um, they've just brought out version 5. It's a lovely tool. It's surprisingly powerful, really intuitive. Cool. And, um, it's called Hazel. It comes from a company called NoodleSoft. So what more reason than a company called NoodleSoft, uh, do you need? It is cute. To choose. Do you identify with Hazel? Do you identify? For having a soft noodle. You know, at my age, it does happen sometimes. Chris, I'm sure you don't have that trouble.
CHRIS COCHRAN. What have you got as your pick of the week? What a segue. What a segue. That might be my favorite segue of all time. Is it my turn for pick of the week? It is. All right. My pick of the week is a book called Make Noise by Eric Nuzum. It was actually recommended by a friend of yours and a friend of mine, Jack Rhysider. It's his favorite podcast book and it's now mine. I'm sure people ask you all the time, how do I get into podcasting? How do I make my podcast better? And I think this book does it really, really well. There's a part in the book where you talk about your 10-word description. So our old description for our podcast, Hacker Valley Studio, was exploring the human element of cybersecurity programs and technology. And so you write it out in this activity. And then in the paragraph below, he basically said, I can't read what you just wrote, but it is way too vague. And I was like, well, how did he know? So then I reworked it and I made it better. And so now we're exploring the human condition to inspire peak performance in cybersecurity. And I've mentioned it to Jack and he loved it. And so I think that folks need to learn that, you know, podcasting isn't always easy and there is a science and an art to it. So I would say that that is my pick of the week this week.
GRAHAM CLULEY. Sounds very interesting. So the book's called Make Noise by Eric Nuzum. Mm-hmm. Fantastic. Yeah. Carole, what's your pick of the week?
CAROLE THERIAULT. My pick of the week got swapped at the very last minute. So my other half was perusing the New York Times this morning and he told me about this 8-minute film and said, no one says anything. There's only one camera. Watch it. It's going to be your pick of the week. So I was like, yeah, yeah, yeah, sure. I watched it. It's my pick of the week. It's called C'était un rendez-vous. It's a French film and from 1976. Don't let that put you off, millennials or Gen Z. It's awesome. So the premise is this: early one morning, the director of this little mini film, Claude Lelouch, got into his hairdresser's car, a Merc, and fastened the camera to his bumper. And he just floored it down the broad Avenue Foch, right? Avenue Foch. I was waiting for you to laugh. Avenue Foch, okay, where he clocks 125 miles an hour, okay? He goes past the Louvre, past the opera, through red lights, around blind corners, even onto sidewalks, right? And he goes to the height of Sacré-Cœur, and he scares people, he scares drivers, pigeons freak out. He careens, he's squealing around corners in the arrondissement. But he has his reasons. And you only find out at the end if you watch it. Now, have you boys watched it? I have watched it. Okay, what did you guys think? What did you guys think? Am I overselling it?
GRAHAM CLULEY. It's an extraordinary piece of cinema because it is all in one shot. And he's driving like a complete maniac. You also think, why on earth is he doing this? How bloody dangerous.
CAROLE THERIAULT. Yeah, the whole time you're thinking you'd never get away with that now. Right? There's no— it's kind of like a moment in history because there's just no way you could do it in any city now. Without getting caught.
GRAHAM CLULEY. I watched a video which was about the making. It sort of went behind the scenes of this, and they were telling stories.
CAROLE THERIAULT. Did you do this after you watched it? After I asked you to watch it?
GRAHAM CLULEY. After I watched it. Oh, right.
CAROLE THERIAULT. Okay. So you could sound smart.
GRAHAM CLULEY. Okay, go, go, go. Yes, exactly. And there are some extraordinary tales. Like, for instance, there are a couple of completely blind corners which look suicidal. Or if not for him, he's going to cause some damage to someone else. And I heard that he had an assistant on a radio, who would have been able to tell him if there was danger. Well, you'd have to have more than one. Well, there was one particular place where he was turning left, I think it was, down a tunnel, and it was completely blind, especially at the speed which he was going.
CAROLE THERIAULT. Well, I think Princess Di died in a tunnel in France, didn't she?
GRAHAM CLULEY. In Paris. Unfortunately, his assistant's radio actually cut out. So if there had been a problem, he would have had no way of communicating with the driver, which when you watch the video, you will think this really is bonkers. But it's very impressive.
CAROLE THERIAULT. It's spellbinding. What did you think, Chris?
CHRIS COCHRAN. Yeah, super spellbinding. And he blew through a lot of red lights, didn't he? Shocking. Yeah, that was incredible because that could have been an issue really quickly. But it's mesmerizing, almost like a meditation if you just sit there and watch it.
CAROLE THERIAULT. Yeah, I thought so too. It reminded me of the opening sequence of that movie Subway, another 1970s fantastic film. But there's that huge car chase at the beginning.
GRAHAM CLULEY. I haven't seen it. It's good.
CAROLE THERIAULT. Anyway, so my pick of the week is C'était un rendez-vous. Okay, an 8-minute, one-camera, one-shot film on the front of a car. Trust me, it's worth it. Links in the show notes.
GRAHAM CLULEY. Well, fantastic. And that just about wraps it up for this week. Chris, thank you so much for coming on the show. I'm sure lots of our listeners would love to follow you online and find out more about the Hacker Valley Studio. What's the best way for folks to do that?
CHRIS COCHRAN. Thank you so much for having me on the show. Uh, the best way for folks to get in touch with us is just go to hackervalley.com and you'll see all of our social right there and be able to subscribe to our podcast as well.
GRAHAM CLULEY. Terrific. And you can follow us on Twitter at Smashing Security, no G, Twitter allows to have a G, and also join the Smashing Security subreddit. And don't forget, if you want to be sure never to miss another episode, subscribe in your favorite podcast app, such as Apple Podcasts, Spotify, or Overcast.
CAROLE THERIAULT. Huge thank you to you all, you humans and your pets, for listening to us each week. And for those of you trapped indoors, I hope this gives you a few extra giggles. And of course, high five to this week's Smashing Security sponsors, Recorded Future and LastPass. And of course, our Patreon supporters. These are the people whose support gives you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
GRAHAM CLULEY. Until next time, cheerio, bye-bye, bye, see you.
CAROLE THERIAULT. Wouldn't want to be you. I used to say that all the time. All the time. Bring it Yeah, I can't think what else I used to say.
GRAHAM CLULEY. See you later at the gay day in the wild crocodile.
CHRIS COCHRAN. See, you don't want to be here.
GRAHAM CLULEY. I know, I remember, I remember.
CAROLE THERIAULT. You'd say "j'suis pas à vendre," which is basically Québécois French to mean "I'm not for sale." And you'd say that if someone was like staring at you or looking at you funny. You'd say, "I'm not for sale." Ridiculous.