A conspiracy spreads on social media about Coronavirus tracing apps, US police find decades' worth of sensitive data leaked online, and is there a Bitcoin bonanza to be had from watching Elon Musk YouTube videos?
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by BBC technology reporter Zoe Kleinman.
Visit https://www.smashingsecurity.com/184 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: Zoe Kleinman.
Sponsored By:
- MetaCompliance: Create a more security-conscious workforce with MetaCompliance's Cyber Security Awareness for Dummies book. Download it for free at smashingsecurity.com/cyberaware
- LastPass: LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
- But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
- Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Links:
- How photographs are airbrushed — A 2010 BBC News article, starring Zoe Kleinman.
- Elon Musk Bitcoin vanity addresses used to scam users out of $2 million — ZDNet.
- Kate Winslet responds to Bitcoin scam faking her endorsement — Decrypt.
- Bitcoin scam uses Prince Harry, Meghan Markle to dupe would-be investors — Decrypt.
- Covid-19 tracing tool on smartphones is 'not app' — BBC News.
- ‘BlueLeaks’ Exposes Files from Hundreds of Police Departments — Krebs on Security.
- Koko Analytics — A privacy-friendly analytics plugin for WordPress.
- Fathom — Fast, simple and privacy-focused website analytics.
- Upload trailer — YouTube.
- Backspace and beyond — Audioboom.
- The Magnus Archives — Horror podcast.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. Zoe, the thing is, Carole thinks she invented the phrase take heed. It goes back a few years in our relationship. No, I just...
CAROLE THERIAULT. What happened is I used it once, the first time ever that it was ever mentioned between either of us in a very, very funny context. And we both cried with laughter. And then therefore I own that fucking statement. That's how it works.
GRAHAM. And so she insists on putting TM Carole Theriault after I say take heed.
ZOE KLEINMAN. Are you like the Taylor Swift of this relationship, just trying to trademark everything?
CAROLE. He takes a lot. He's a taker. That's all I'm going to say. He's a taker.
ZOE. You've got to protect your assets. They're all assets.
GRAHAM. Hello, hello, and welcome to Smashing Security, episode 184. My name's Graham Cluley.
CAROLE. And I'm Carole Theriault. Hello, Carole.
GRAHAM. Hello, Graham. And we are, steady, we are joined by a special guest, someone who hasn't been on the show before. It is BBC technology journalist and co-host of Backspace and Beyond, the podcast, Zoe Kleinman. Hello, Zoe.
ZOE. Hello, Graham.
GRAHAM. Welcome, Zoe.
CAROLE. Thank you, Carole. Very excited to have you here. Now, have you listened to the show before or is this a baptism of fire?
ZOE. No, no, I had a listen. In fact, I've been listening to you rather a lot in the last week or so, Carole, while I, you know, familiarised myself with the podcast.
GRAHAM. As if lockdown wasn't bad enough now.
CAROLE. Now, Zoe, I did a little recon on you because we've never met. We haven't. And I just plugged your name in my search engine, and after all your socials came up an article written by you came up from 2010 in the BBC News. Do you know what article it might be?
ZOE. Oh my word, a 10-year-old article.
CAROLE. Yeah, it was number four hit after your social medias. Is it something I wrote?
ZOE. 10 years ago? Oh hello, I've just...
CAROLE. Yep, it's okay so it's in the show notes. Oh my word, look at that. Wow, photographs are airbrushed. Yeah, in the first of a five-part series about technology and modern culture this is 2010 BBC News looks at the rise of image manipulation. So what a cool thing to come up.
ZOE. Well I tell you what, I wish I still looked like that. You do these days. I settle for the before photo, I really would.
GRAHAM. Which one's the before? I haven't pressed play yet. Which one's the before and which one's the after?
ZOE. Oh Graham, you are such a charming man. The one on the right. Sorry, can you not see? The one on the left with the, you know, sparkling eyes and the gleaming white straightened teeth, that's not me.
CAROLE. I think they look beautiful in both and it's fantastic. Links in the show notes, folks.
GRAHAM. Links in the show notes. So, Carole, what's coming up on the show this week?
CAROLE. First, thanks to this week's sponsors, MetaCompliance and LastPass. Their support helps us give you this show for free. Now, on today's show, Graham shares Bitcoin investment advice. Zoe gives us the latest on COVID track and trace apps. And I share what I've learned about the Blue Leaks archive. All this and much more coming up on this episode of Smashing Security.
GRAHAM. Now chums, some people have done marvelous things for the world, haven't they? I don't want to blow my own trumpet, but... good, don't. Some celebrities, they've gone the extra mile to wake up the world to the problems which are out there. People I'm thinking of, people like Bono. Oh, people like Mother Teresa.
CAROLE. No, not her so much.
GRAHAM. Bob Geldof, right, and Richard Curtis. They've done their bit to make poverty history, drop the debt, feed the world. And now, of course, we have another... What about Eddie Izzard?
CAROLE. There's so many more.
GRAHAM. Well, yes, he's done a bit of running around in a dress.
CAROLE. A bit of running around? What? He ran 40 marathons in 40 days.
GRAHAM. That is extremely impressive. That's extraordinary. That is very good. Well, look, we now have another savior. Okay, we've mocked him in the past, and I think it's time for us to stop doing that, because Elon Musk is literally saving the human race by helping us take our first step into the stars and beyond with his SpaceX exploration. What a guy. Okay, as we saw last month, we saw that amazing rocket launch, the astronauts, they've got those new style spacesuits, right? It's so cool. There are new types of spacesuits now as well. He is a master of getting attention for himself and his company, of course. Whether it's launching a Tesla car into deep space or messing around with Johnny Depp's ex or giving his child a ridiculous name, whatever it might be. You're fascinated by him, though. You are.
ZOE. Everyone is fascinated by him. We find when we do stories about him, everybody wants to know.
CAROLE. Okay, can I ask you both a question? If you could invite eight people to your final dinner party, social distancing party, your Zoom dinner party, right, and everyone in the world would attend, would he be one of the eight?
ZOE. No.
CAROLE. Even though he's a world leader in improving the world, according to you, Graham.
GRAHAM. Definitely not. Okay, no. I don't warm to him particularly. No. Maybe if he does save the world, then perhaps, you know, just to thank him, give him some dinner. But then he probably wouldn't want my dinner anyway, would he? He wouldn't want it. He wouldn't fancy it. Wait, bangers and mash? The fake mash? What's it called, that stuff? Smash.
CAROLE. Smash. Is that where we got the name from?
GRAHAM. Oh, maybe it is. Sorry, I digress slightly. Now, with someone like Elon Musk, it wouldn't be a surprise for many people if, you know, because he's so charitable, if you ended up watching a live stream from Elon Musk's own YouTube account, telling them about an incredible offer, saying 500 bitcoins up for grabs. That's 5 million US dollars, or in British money, 32 pounds 50, which you could get your hands on. And the live stream says that all you need to do, right, is send some Bitcoins to Elon's account and he will charitably give you double in return or maybe even 10 times as much.
CAROLE. So was this an Elon Musk deep fake that was being used or was it just a slide deck of pictures of him?
GRAHAM. Well, I think what was happening on this particular occasion was there was live footage from the NASA and SpaceX rocket launch. And overlaid on it were these, hey, you know about this Zoe, you know how when you're watching BBC News, you get all those tickers and all the things filling up the bottom third of the screen. What are they called?
ZOE. Well, the news ticker is the thing that just sort of throws headlines at you. And then the way you get the name of the person speaking and their job title or whatever, we call those Astons. Yeah, which I think is a brand name. I didn't know that for years, but actually I think it might be a brand name.
GRAHAM. Well, I can think of it as Aston Villa.
ZOE. Maybe it's from Birmingham. I don't know.
GRAHAM. Maybe it was invented up there. Who knows? But yeah, so and then you get a message at the bottom of the screen, maybe saying, look, here is Elon's wonderful offer to make lots of Bitcoin. Now, I know what you're thinking because you're cynical types, you're sceptical people.
CAROLE. Smart. That's the other word.
GRAHAM. Yeah. You're thinking we've seen scams like this before on Twitter. You're thinking, you know, we've even seen them on YouTube, right? Where accounts are being created in the name of SpaceX, 130,000 subscribers.
CAROLE. Elon Musk has been used in these scams before. Yes, it's been done on things
GRAHAM. Twitter, exactly, where people have created fake Elon accounts. They've added his picture and tried to trick people into believing it's him making an offer. So how do we know that this particular one, this particular YouTube channel, live streaming, is a genuine offer? And it's not necessarily straightforward because you may have been taken there by YouTube's own recommendation algorithm, right? If you regularly search on YouTube for things like, I don't know, Tesla or SpaceX or Rocket Launch and things like that, it's quite possible that this YouTube channel is shown to you as well.
CAROLE. Would you not think of looking at who produced it? Like, was it from Elon Musk's own channel, for example?
GRAHAM. Well, when you look at it, it says it's a verified account and there's Elon's name and there's Elon's photo as well.
CAROLE. I'm just gonna carry on telling you what I would do, so you can trip me up. So then I would go look at the playlist of the videos that he had pushed out.
GRAHAM. Yeah, you could do that, so I don't know what would happen then. I don't know what it would show. I mean, potentially it could be re-uploaded videos which look quite genuine.
The thing is, with Elon Musk as well, he's so unusual, isn't he, that you almost think that...
ZOE. Shit crazy you mean? She's so polite, that is one way of putting it. I mean, it's not beyond the realms of possibility that he would tweet something like this at four o'clock in the morning, is it?
GRAHAM. Exactly. He's bananas. I mean, I'm putting it out there right now, right? Elon Musk is going to end up US president one day.
CAROLE. Ironically, though, maybe his craziness works against him in this case, because people might go, okay, this could be true. And I don't want to miss out.
GRAHAM. Right. Exactly. And so people, and what they do is when they look at the Bitcoin address, now, normally, I don't know if you've ever looked at a Bitcoin address. It's normally a jumble of random characters. You know, it's I don't know, it's probably about 26 characters, something like that long. But in this particular case, these are what appear to be vanity Bitcoin addresses. So you will have a Bitcoin address, which is mostly all jumbled up. But at the beginning, you might have one and then Musk or one Elon Musk, maybe with a couple of characters small. So it looks like these are special vanity Bitcoin addresses, which only a crazy tech billionaire would be mad enough to pay the fortune.
ZOE. Is that a bit like a personalised number plate? I kind of like the idea of it.
GRAHAM. It is. It is like a personalised number plate. Zoe, what would yours be, your personalised number plate, if you had a rock and roaster?
ZOE. I am blessed and cursed with a very, very short name, aren't I? I always struggle with these things. You know, my name is Zoe, which is only three letters. Yeah, you could have Zoe rocks. Yeah, but I would never get that. I would have to be Zoe 1597230AB or something. And then I'd just look like a scammer, wouldn't I?
GRAHAM. You could have Z03 in LeetSpeak. Oh, yeah, LeetSpeak.
ZOE. Because you're the tech journo. Do you think anyone would get that joke?
GRAHAM. Could be kind of cool.
CAROLE. But I would argue that people already with web and phishing are already a little bit clued up to if an address just mildly indicates a name, it might actually be a bad place to go.
GRAHAM. You don't think that that would reassure people that it's more likely to be legitimate?
CAROLE. Starting with a one and then being followed by 10 to 20 different...
GRAHAM. Yeah, but they all have Bitcoin addresses, but this is one where his actual name is in the middle of it as well.
ZOE. Yeah, I can see that it could look legit for some people.
GRAHAM. Anyway, take heed, obviously, is our warning here. Sorry, where's your TM call? Because, Zoe, the thing is, Carole thinks she invented the phrase take heed. It goes back a few years in our relationship. No, I
CAROLE. Just, what happened is I used it once, the first time ever that it was ever mentioned between either of us in a very, very funny context. And we both cried with laughter. And then therefore I own that fucking statement. That's how it works.
GRAHAM. And so she insists on putting TM Carole Theriault after I say take heed. I'm just...
ZOE. Are you like the Taylor Swift of this relationship? Just trying to trademark everything.
CAROLE. Look, he takes a lot. He's a taker. That's all I'm going to say. He's a taker.
ZOE. You've got to protect your assets. They're all assets.
GRAHAM. So, chums, let me explain what is going on here. Hackers are hijacking people's YouTube accounts. YouTube accounts which have hundreds of thousands of followers in some cases, YouTube accounts which aren't properly protected or maybe are reusing passwords, don't have multi-factor authentication. They are changing the names of those YouTube accounts. Is that easy to do? Yes. It's an absolute doddle. They're then changing the names to say Elon Musk, and then they're live streaming and they're changing the profile photo as well, and they've already got hundreds of thousands of followers. And YouTube then begins to point people to these videos. And because they're live streaming genuine footage of something like a Tesla launch or an Elon Musk space flight or something like that, but they're adding extra graphics and extra messaging about the Bitcoin offer, it seems quite convincing to people.
CAROLE. Yeah, the New York Times put out a podcast recently called The Rabbit Hole, and they talk a lot about how YouTube is suggesting videos that are maybe not necessarily appropriate for the viewer. And basically, they're helping form the whole world that we live in.
GRAHAM. In the past, scammers have posed as everybody from Kate Winslet, Bill Gates, John McAfee, football manager Alex Ferguson. In April, oh Zoe, there was a fake BBC News report. Was there? Not fake news. Don't panic. Oh, God. A faked BBC News report which used images of Prince Harry and Meghan Markle. We're not supposed to call her Meghan Markle anymore, are we? Now she's married. The Duchess. The Duchess or something. And that was intended to dupe Bitcoin investors as well.
CAROLE. Oh, dear. Oh, it's too fricking sad. It's too fricking sad.
ZOE. Can I tell you my Bitcoin story?
GRAHAM. Yes. Yes, please do.
ZOE. So a few years ago, I was sent to the Isle of Man by the BBC. And the Isle of Man was trying to sort of promote itself as being like Bitcoin island, basically. They were sort of saying, you know, this is going to be our currency. You'll be able to live here just on Bitcoin. So I went along with my producer, a good friend of mine, Sarah. We went for the weekend and the thing we were trying to do for the radio, we were trying to survive for a weekend on Bitcoin on the Isle of Man. So I discovered that it's quite hard to do that. We managed to get a taxi and pay in Bitcoin for the taxi, which was cool. And we managed to get a pint of beer in a pub and pay for it with Bitcoin. But that was kind of it. So we were pretty hungry and pretty drunk most of the weekend.
CAROLE. Yeah, you're arseholed, but you got home safely.
GRAHAM. Zoe, what is your story for us this week?
ZOE. So I want to talk to you about a story that really divided opinion, I think. It had a lot of the kind of tech heads rolling their eyes and a lot of normal people getting very freaked out. It's one of those sorts of stories. So the story is about COVID-19, as all stories are at the moment. But specifically, you know, there's been this saga, hasn't there, of the track and trace app that was going to happen, wasn't going to happen, was trialed on the Isle of Wight, didn't work. Apple and Google said, look, we've come up with a tool that could help. And the UK said, no, no, we don't want your tool. We want to do our own thing. And now they've sort of said, actually, can we use that tool as well, please? And, you know, negotiations are ongoing. Anyway, as part of the fairly recent updates to both the iPhone and Android phone operating systems, this little widget appeared, which says COVID-19 tracing tool. And probably it's been on people's phones for several weeks in some cases, and nobody's noticed it because it's kind of hidden away. I think in Apple's iPhone, it's sort of hidden in the privacy settings.
GRAHAM. Yeah, you go into settings, don't you? And I think it's under privacy.
ZOE. Yeah. In an iPhone, it's under privacy. And in an Android phone, it's under Google services.
CAROLE. Okay, I'm trying. I'm in privacy section, but I don't seem to have anything.
ZOE. On iPhones, go into the settings app. Yeah. Go to the privacy menu. Yeah. And then health subsection. Health.
CAROLE. Okay. Yeah. Oh, yes. There you go. Look at that. COVID-19 exposure logging. There you go. And mine's turned off.
ZOE. Yeah. So they're all turned off by default. What this is, is the API that Google and Apple have built together, which would enable any future tracing app, bear in mind there isn't one, to work. So if we were to get an app and you were to download it and use it and you were to activate that thing, you would be tracked and traced via the app that we don't have. But anyway, the point is that everyone is just freaked out because it looks like this tracing thing has appeared on people's phones. And the conspiracy theories have gone nuts. People are furious. Whether it's the government or Google and Apple, the tech giants, doesn't seem to make any difference. They're still furious that this has sneaked on.
GRAHAM. Let me take a guess at random. Would this crazy conspiracy theory that they'd secretly installed a tracing app onto our phones, would that perhaps have been spread on a site like Facebook, maybe?
ZOE. Imagine if such a thing were to happen, Graham. I think social media has certainly had a field day with this. And I was in the position where I was working on Saturday, which is never a good spot to find oneself in. But there I am working on Saturday and I'm seeing this going nuts. I'm like, I wouldn't normally write the story about an operating system update unless it was spectacular. And this is not in itself spectacular. It's pretty obvious what it is. But the chat and the fear around it is so great that I feel like we need to spell it out.
So I wrote this little story about it, just basically saying what I've said to you. And I put in the headline, the headline of the story was new COVID-19 tracing tool is not an app. And then hundreds of people got in touch. Oh, my God, what is this app? And I'm like, oh, my word. Have you actually even read the headline? It is not an app. And one person I had a back and forth with on Twitter, because I don't believe that you should be smug about these things. Just because you know something doesn't necessarily mean that someone else does. I'm trying to be reasonable. And in the end, I'm like, I really can't say this in any other phrase. I don't know how else to put this to you. It is not an app.
CAROLE. Yeah. So it is complicated, though. So basically, make sure I understand it correctly, because maybe I've got this wrong. So Google and Apple worked together to build some kind of system that would allow tracing apps to work better with Bluetooth connectivity and phone distance and all that?
ZOE. Exactly right. The UK government decided to go a different route, to go to a centralized route, didn't want to go down this route, but then started changing its mind. So this stuff is just there as laying the groundwork on our phones or devices for a subsequent app that the government might put out. And I think there's so much anxiety and fear around it. And some of the tech bros were like, well, didn't they read the update to terms and conditions?
CAROLE. Well, I was just thinking that because I did do an update recently, maybe five days ago or something on the weekend. And obviously, that's when that update might have happened. And I didn't read it. Normally, I'm a bit of a stickler for that. But because I guess I trust Apple and its updates, and I can't leave it unprotected anyway, I just sometimes do it blindly. But that means that I can understand why people might have gotten freaked out by seeing this. So good that you wrote the story to tell people.
ZOE. Well, thank you. It was one of those where some people were saying, oh, well, you exist to downplay these sorts of things. And I was like, you know what? In terms of my life's priorities, I'm a mother, I'm a journalist, I'm working, I've got family. Existing to downplay operating system updates is pretty low down in terms of my to-do list. And it was a Saturday.
But a lot of people did say thank you very much because they were frightened by it. And I think the more people were, you just did Carole, what's this? And then you sort of go through the menu because somebody tells you about it. You're like, whoa, I've got it as well. When did I get it? And that it all kind of became a big fear thing.
CAROLE. Right. So it's not just, you know, a lot of people would say, I know more about technology than the average person. And still I was a bit...
ZOE. And I think the use of the word logging is quite emotive, isn't it? Immediately you think, oh, hang on. Even though you know that those devices are harvesting data, that's what they do. But still, seeing it written down like that is potentially alarming, isn't it?
CAROLE. Well, when you were explaining it, I was going through to kind of see how they explain it. So there's read more, read more. And I can't say that it's done in a very friendly manner, accessible to all. You know, people that are 13 have iPhones, right? People that are 90 have iPhones.
ZOE. Exactly. I mean, my mum would totally freak out. I haven't even told her about this. I'm like, just don't look at the BBC News today because, you know, she will freak out about this.
GRAHAM. Well, I suddenly got contacted by people as well who had seen this thing, and they said, Graham, have you seen what they've done? Oh, really? Oh, yes. They've secretly installed an app onto our phones. And I said, no, no, no, they haven't. This is just your regular iOS or Android update.
Did you use your Jesus voice?
CAROLE. No, no, children. Calm down.
GRAHAM. I don't know that he had such a classy English accent. That's that. Carole, what have you got for us this week?
CAROLE. Okay, so this one is a little tricky. So this is all according to investigative security blogger Brian Krebs, that hundreds of thousands of potentially sensitive files from police departments across the US were leaked online last week. And the whole thing has been named the Blue Leaks Archives. So this is not a tiny little dump. This is a huge treasure trove, 270 gigs strong. That's big. I was trying to work out how many pieces, if you're printing that off, how many files that would be. It's a lot, a lot, a lot. Apparently it's the size of the typical computer back in 2009. So if your entire computer was just this, that's what it would have been.
GRAHAM. If you printed it out, a lot of polar bears are going to drown, basically. So don't do it.
CAROLE. Exactly. We should write a little script that does that. That would be a very good thing to measure all this stuff. So a group called Distributed Denial of Secrets, or DDoS Secrets, I guess that's the way I could do it. So they're dubbed as an alternative to WikiLeaks.
GRAHAM. Because we need another WikiLeaks, don't we?
CAROLE. That worked out so well for them. They've claimed responsibility for publishing the Blue Leaks Archive. And on Twitter, they have this Latin strap line, I guess, that loosely translates to something like to know the truth, let justice be done. So, you know, expose the truth, let justice be done. Something like that. My Latin is pretty rusty. I actually studied Latin for three years. I should know exactly what it says, but I don't.
ZOE. I think I'd be really rubbish at being a data thief like this. Obviously we can't have, you know, you can't have any stolen data, you can't access it. And I sort of think, thank goodness, because if somebody presented me with, what did you say? A load of files that would fit on a 2009 computer. Pages and pages, I'd just think, I can't be bothered. I might read the first three lines, go and have a cup of tea.
Very interesting, Zoe.
CAROLE. Put that in your pocket. That's going to come up later. Very interesting. So they said, so this DDoS Secrets group on Twitter said that the Blue Leaks archive indexed 10 years of data from over 200 police departments and centralized jurisdictional centers and law enforcement training and support resources, basically all the kind of systems that the authorities use across America. And the perps behind this said that among the hundreds of thousands of documents were police and FBI reports, bulletins, guides, and more. So they reported this on Twitter. Now, this group, DDoS Secrets, I hate this name.
GRAHAM. I'm very annoyed by their name.
CAROLE. Me too. You know, this is maybe going to tell new people who are going to try this to get a better name because podcasts matter.
ZOE. They need better PR, don't they?
CAROLE. Exactly. DDoS Secrets. Now, they started issuing tweets listing a smattering of agencies that were included in this big data dump. So, you had things like Austin Regional Intelligence Center, Boston Regional Intelligence Center, California Narcotic Officers Association, Delaware. So you can say I'm going alphabetically. So it went on and on and on. An official confirmed the leak to Brian Krebs from the authority side, saying that the data in the leak actually didn't span 10 years, but probably 24 years, from August 96 through to June 19, 2020. And he says the documents included names, email addresses, phone numbers, PDF docs galore, images, large numbers of text, video, CSV, zip files. So a huge gamut of information. Now, it appears that the data published in the Blue Leaks archive was due to a security breach at a company called Netsential. These guys are in Houston, Texas, and they are a web development firm that basically provide web managed services to loads of law enforcement agencies across the state.
GRAHAM. So what did they do? Did they leave a bucket open or something?
CAROLE. Well, they told Brian Krebs they think that a compromised web user account was used and that they used the web upload feature to upload malicious content. And I wanted to ask you, can you harden a website against that? But if you're accepting people's uploads, surely you would say, yeah, but no X's, please.
GRAHAM. Yeah, it depends what they're uploading. But I imagine they were uploading a bit of script or something, and hopefully you'd be able to sanitize that and prevent it.
CAROLE. So it doesn't look great on the authorities. It doesn't look great on the authorities that got through. From what I've read so far, there's no accountability on their side on that front. They're just saying they got through this way.
Now, also, Blue Leaks Archive released on June 19th, which was known as Juneteenth. This is the oldest nationally celebrated commemoration for the end of slavery in the U.S. So, all those are important facts.
We're now going into the weeds, Zoe and Graham. From my point of view, from a political standpoint, the message is clear. The cops don't play fair in your communities and across the states. So, we're fighting back by putting all this information online.
But there are a number of concerns online. So Reddit has a number of posts on this with thousands and thousands of comments. And it appears that when the documents were initially published, both victims of crimes and suspects of crimes were initially searchable in the database that they published.
GRAHAM. Oh, so this isn't just data about police?
CAROLE. No. One writer said that the Blue Leaks archive was searchable by reason for investigation, suspect's name, suspect address, suspect's birth date, known associates, bank account numbers, bank account routing, etc, etc, etc. And this goes back to the mid-1990s? 1996.
This commenter also explained something interesting, because he explained that there would probably be next to no police misconduct findings in this treasure trove. And that's echoed by someone else, a lawyer that was representing one of the officials on this, because most of the information comes from these inter-jurisdiction investigation coordinating service.
So basically, if you were in Texas and you need to work with cops in Delaware, you would use these services to share information.
GRAHAM. Okay, yep.
CAROLE. And you tend to use that in an investigative sense, not to put in reports of misconduct, because misconduct doesn't necessarily happen across jurisdictional borders.
GRAHAM. Yeah, yeah, understood.
CAROLE. So you have this wave of people now saying, holy moly, guys, you just made things a heck of a lot worse for a fuck-ton of victims out there, who maybe are frightened of abusers.
GRAHAM. Is that a metric fuck-ton or an imperial fuck-ton?
CAROLE. It's a very important fuck-ton. So it's kind of frightening for people that, you know, if you think of abusers and criminals being able to find victims that have not been protected. So it's yeshy, yeshy, yeshy, yeshy.
GRAHAM. I think the idea of leaking data and people's personal information is horrendous anyway, regardless whether it's police people or criminals as well. But if it's going back that length of time, then people will have moved house or their phone numbers will change. Or change jobs or no longer be cops. Or change whatever, you know.
Well, they really are a true reflection of the way WikiLeaks used to work, aren't they?
CAROLE. This is really interesting because once the information got out that this database was available and accessible, getting access quite a lot, and people started stamping their feet online. This is only a week old. And the DDoS secrets team started redacting victims' names.
But as I said, it's a humongous data set, so people are saying they've definitely missed some. You know, people are now online going, I've seen one here and I've seen one there. So in a way, they're kind of helping them redact it. But how many times has it been downloaded?
ZOE. That's going to take a while, isn't it?
CAROLE. I think my big worry here is that they got their hands on the data. And because they definitely wanted to get it out on Juneteenth for the PR impact, they didn't have enough time to do their due diligence. And they didn't scrub the data properly.
So, you know, I kept reading this going, why didn't they just wait? Why didn't they just do it properly? And it's because they wanted to hit that date. It's a very important date, not only this year, but in the States every year. So I can understand that. But at the same time, you know, when you're going to out some wrong, you need to protect the innocent. Otherwise, it turns you into a villain.
GRAHAM. I don't think you should call it scrubbing the data, by the way. I think you should probably call it airbrushing, which is the term of the podcast. The term of the podcast, airbrushing. If we had an airbrushing expert on the podcast, we'd be able to talk to them about that.
ZOE. I tell you what interests me about this story, actually, moving away from the airbrushing. This is a debate that we have at work sometimes. For me, there was a real change in tech reporting at about the time of WikiLeaks, because up until then, the way in which a message was communicated was as interesting as the message itself. You know, going back into the archives, we did stories that are like man orders pizza on Instagram, because it was so amazing that he'd done it. Now, these days, that would not be the story. The story would be what was on the pizza or what happened to the pizza or did the man die? Do you know what I mean?
And with WikiLeaks, it felt like a shift from, you know, this is not a tech story because this information was leaked via email. And in the old days, that would be, oh, right, email, that's a tech story. But actually, the global politics of the content of those messages was much more important. And so it became not a tech story. It became, you know, a global politics story.
And I sort of feel like I struggle still with that now. I'm thinking about this blue leak story of yours and thinking, is the story the leak itself? Or is the story, as you said, the victims who are named within the leak? You know, is it a sort of data story or is it a politics story? You know, where would you put it? It's interesting, isn't it?
CAROLE. No, it's completely interesting. And it's, you know, I kind of get it. I get their idea of, hey, if we're going to gain trust into everything, we need to have full transparency. But, you know, as we learned with Julian Assange's Icarus moment, there's also responsibility, which has an important role to play. You can't just put out information with people's names in it and expect everyone to go, oh, well done. Thanks so much for that, especially if there are victims in it.
So I think they got this huge treasure trove and they didn't read it. So the same as you were saying earlier. Someone put that on my desk. Would I go through it all? I think they said exactly the same thing.
GRAHAM. Julian Assange's Icarus moment. You make it sound like he launched himself from the Ecuadorian balcony. That's not how he came out.
CAROLE. Do you think he's feeling a bit burned now? Maybe you want to read your...
GRAHAM. Maybe from his tanning salon. Well, he had the tanning machine in there, didn't he? Really? I think so.
CAROLE. Anyway, you know, look, we all poop, right? But very few of us try to do it publicly. So I just think you shouldn't... How do you know we all poop?
GRAHAM. Have you got any evidence of that? But I know you poop. You're an innocent pooper. Stop making assumptions. When I'm around your house and I go to the lavatory, you've no idea what goes on. I wish that were true.
CAROLE. Are you having trouble remembering your plethora of passwords? Maybe it's time you look to get a password manager. LastPass by LogMeIn is a password manager both for consumers and the enterprise. In a company, you get extras like central admin oversight, controlled shared access, automated user management, and everything is protected with multi-factor authentication. Learn more at lastpass.com forward slash smashing. Oh, and if you're a home user, LastPass is available for free. So check it out. LastPass.com forward slash smashing.
GRAHAM. The folks at Metacompliance are fabulous, not only because they're sponsoring our podcast this week, but also because they're offering listeners a free Cybersecurity Awareness for Dummies book. In the guide, you will learn what cybersecurity awareness means for your organization, how to implement a cyber risk awareness campaign, the critical role of policies to establish safe baselines, how to maintain momentum and staff engagement, 10 cybersecurity awareness best practices, and oodles, oodles more. Grab a free copy of the Cybersecurity Awareness for Dummies book from Metacompliance now at smashingsecurity.com slash cyberaware. Smashingsecurity.com slash cyberaware.
Back to the show. And welcome back. And you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week.
ZOE. Can you say it too?
GRAHAM. Oh, sorry. Yeah, Pick of the Week. Yay. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app. Whatever they wish. It doesn't have to be security related necessarily.
Better not be. Well, mine's not security related, but it is maybe privacy related. So, you know how people have been taking up new habits over lockdown? You know, they thought, oh, maybe I'll become an artist. Maybe I'll do some. Is that a dick? No, no, no. Better not be. Maybe I'll read a book about, I don't know, whatever, or learn to play the piano. I have a website. And I like nothing more, if I have a spare moment, to tinker around with my website. And I think, oh.
CAROLE. Oh, my God. Is your website your pick of the week? Are you just trying to get a bit of traffic? Not quite. Not quite. It's so freaking obvious. Oh, my God. Is that how this works? I didn't realize this.
GRAHAM. So it's a WordPress website, right? And I had Jetpack installed, which was mostly for WordPress stats, but it slowed down my site. I also had Google Analytics, which is free in quotes. I didn't really like that they were getting all that data and it felt uncomfortable.
And I want stats on my website because I have sponsors on my website. And occasionally they say to me, do you get any visitors on your website, Graham? And so it'd be nice to be able to say to them, yes, I do. But I don't want to use Google Analytics anymore, right? And I don't want to use WordPress's Jetpack thing.
So I started looking for something more privacy conscious to measure my traffic instead. And I came across something which doesn't track bounce rates, which I couldn't care about, or the time a visitor spends on a page.
And it is called Koko Analytics. Koko with Ks. It is a free open source WordPress plugin, and it's marvelous.
So how long have you been using Koko Analytics to call it marvelous? I've been using it for a few weeks. Okay. Quite happily.
And there is an equivalent service called Fathom Analytics, which will work on any website. They seem to be based on the same code base. That is one which you pay for, although there's also an open source version on GitHub as well.
CAROLE. So this is a pick of the week for people that run websites and would like to remove some of the sluggishness and the privacy issues from Google Analytics. Right.
GRAHAM. There's loads of people out there who run little websites and just by default are using Google Analytics, which is overkill. And it's giving all that data and information to Google.
Was it hard to move over? Oh, golly, no. Cool. It's an absolute doddle.
CAROLE. So if you have any trouble moving over, just tweet Graham and he'll give you a hand. Fantastic. Graham, you're awesome, you guys.
GRAHAM. It's a bit nerdy, but there you go. Zoe, what's your pick of the week?
ZOE. Well, I was going to tell you about a TV show, but now I'm wondering whether my pick of the week should be my podcast.
Definitely should be. But first, let me tell you about my actual pick of the week, because I am not a great binge watcher of TV. I don't know why. Busy life. I just can't be bothered to. You know, when you see a series, there's five series of this and each series has got 30 episodes and everyone goes yeah brilliant and I think oh no that's half my life that I'm not going to get back.
CAROLE. Oh that's when I go make a ginormous bowl of buttered peppered popcorn, settle down for about five hours, you'd dive in.
ZOE. Would you? Oh I can't. I very rarely do. I find it really hard to do it. But my partner told me about this series on Amazon Prime. I've sort of forgotten about Amazon Prime. There's so much video streaming out there now isn't there? I'd forgotten all about it.
But they've made this show called Upload and I watched it all in three days. They're only 25, 28 minutes or something I think each episode so it's doable and there's about 10 of them. And what really freaked me out about it and gripped me was that it's set in the not so distant future really.
So basically there's a guy who is killed in a driverless car crash, right, the car drives into a parked vehicle and he dies. And there is this company that's I guess kind of Google-esque in a way that offers a digital afterlife. They found out a way of uploading your brain at the point of death and then kind of recreating you within this virtual world as an avatar and you just carry on.
I watched this actually.
GRAHAM. I watched, you've seen it? Yes.
Oh you've seen it have you? Yeah.
CAROLE. Because there's one scene. So that avatar thing, right, at one point, doesn't she, because she's real. His girlfriend's still alive and he's dead. They don't get it on, do they, virtually?
GRAHAM. Yes. Oh, for goodness sake.
ZOE. You have to pay, don't you? It costs a fortune.
What? Sorry. You have to pay, you have to pay a fortune to be uploaded. And say this guy has this very rich beautiful heiress girlfriend who pays for him to have this. And the sort of scenes where he's staying in what looks like a big hotel by a lake and when he goes to the fridge to get a drink it's an in-app purchase you know. And his clothes he has to sort of buy in-app. And I just loved, I mean it's funny, it's had mixed reviews but...
It's quite funny, isn't it?
CAROLE. You say it's light, Black Mirror. Black Mirror light.
ZOE. Yeah. And you say, you know, they are able to communicate with people who are still living. So he's got this girlfriend, still alive, who's very beautiful, but they don't really get on. But they fancy each other, don't they?
So there's some really interesting scenes in which they're sort of using this... She's so much more polite than me. It's true. It's not difficult. This virtual reality suit to try and sort of...
CAROLE. You might be into that Graham, getting on one of those suits. It's like a sumo wrestler suit with feelers.
ZOE. Yeah it's really sexy, it's very sexy. Yeah.
GRAHAM. Zoe, tell us about your podcast. Oh.
ZOE. Have you had enough of this now? And there's one bit where he decides he doesn't want to be sponging off the heiress girlfriend anymore and he wants to go alone, but he hasn't got any money. So the lowest tier that you can have is something that I think all phone users will recognize — you get a data limit, you have a data plan, right? And once your data plan runs out, you're just frozen until the next month rolls around.
I forgot that, that's right, that was very interesting. And it was just such a... They're like, you know, everything uses data so you can't think too much because that uses data, and you've got to try and slow your life right down so that you eke out enough data to exist. You can't carry anything, it's just a really interesting idea I think.
CAROLE. I think Chris would like it, you should try it.
GRAHAM. Shall we let Zoe plug her podcast?
ZOE. Oh thank you! Yeah, so Backspace and Beyond, which is my other pick of the week, is a podcast that I do with a friend of mine, Susanna. She's a business journalist and I'm a tech journalist, and we just started doing this thing where we thought, you know, we just want to chat about some of the week's news. And because we come at it from very different perspectives — she knows all about the investment and the money and I know more about the tech and the gadgets — it's just become something that's worked really well.
We started doing it thinking nobody's going to listen to it, and then about a month ago we got a call from Radio 2 because Steve Wright of all people had found it and liked it and wanted to talk to us. I was amazed that he'd found it.
So it's just a little project that's become a really fun thing to do. And then lockdown happened and we were like, "Well, what on earth are we going to talk about? We haven't got any content anymore, we can't see each other, this is going to be really hard."
But actually, it's not that bad, is it? We're doing it now, you know, you get used to talking remotely and broadcasting remotely. And it's not been as difficult as we thought to keep it going. So yeah, we're quite proud of it.
GRAHAM. Talk about all kinds of interesting things: Fortnite skins, lingerie searches and orgasm algorithms.
ZOE. Did you say foreskins? That's a different podcast, this is after dark.
GRAHAM. I'm just trying to get her some clicks, I'm just saying some keywords here. Carole, what's your pick of the week?
CAROLE. Well, from Blue Leak Archives to the Magnus Archives. I've chosen that one specifically for this week. So this is by no means a new podcast, it's been around for years, but I hadn't gotten around to listening to it until the Rona hit.
So this podcast has won many awards, strong Patreon backing, consistently puts out high quality shows. I've listened to over a hundred of them, but they're nothing like us, they're nothing like Smashing Security.
They're quite good, are they? They're really good, Graham. So okay, it's a weekly horror fiction anthology podcast. So I know right now it's not for either of you two — Zoe, you've made it clear that hearing there's more than 100 shows, you're probably just "oh no," and Graham hates anything that's fictitious. So you guys are not my audience, I'm talking to you listeners out there, okay?
GRAHAM. We'll just go, shall we?
CAROLE. Yeah, you guys just go. It's basically think Sherlock Holmes with an X-Files-y twist, okay? That's the easiest way I can explain it.
So you've got stories that are written really well and narrated super well by Jonathan Sims, and they're directed by Alexander Newell. Great little team there. There was one, for example, where the person kills a spider, right? A spider. They move into a flat, they see a spider, they kill the spider. The next day, the spider's in the same spot looking at them directly with their eight eyes. She kills it again, shows up closer and ends up being in her face when she wakes up in the morning.
Oh my word. So it's all cute, old school scare stuff.
ZOE. So I also hate spiders, so you're scaring me even more.
CAROLE. There's 100 episodes of them all about spiders.
ZOE. Oh yeah, no, you'd hate that episode. You'd hate that episode. One of the worst spider stories I think I ever heard was on Planet Earth, you know, in this big nature documentary thing.
Oh my God, this thing is called something like the spider viper, right? It's a massive snake, enormous, scary snake, poisonous snake, and it hides in the little crevices in the clifftops. And on the end of its tail is this thing that looks like a big spider. So it sticks its tail at the end, waves it about, so it looks like this big spider, right?
And the birds fly and go, "Oh, that looks like a spot of lunch, I'll go and have that." Get close to the spider viper, at which point it flips around and goes, "Aha, you idiots!" Like what kind of evil thing is that? You know what? That's deep fakes, that's true deep fakes.
I couldn't believe it. I watched it with the children and I was like... They thought it was amazing, of course, and I was hiding behind the sofa. Oh my word. I need to find out where these things are so I can permanently avoid them. I feel like, you know, even talking about it is making me shiver.
CAROLE. I don't even like horror. I never watch horror, don't listen to the stuff, I don't seek it out, but I really love listening to this. So thank you so much to whoever recommended me, I can't remember who it was. It's great — Magnus Archives, a great horror podcast with excellent pace, writing and delivery. Check it out wherever you get your podcasts from, and I'll put some links on our Smashing Security page.
GRAHAM. Marvelous. Well, I think that just about wraps it up for this week. Zoe, I'm sure lots of our listeners would love to follow you online and see what you're up to. What is the best way for folks to do that?
ZOE. I am most commonly found on Twitter where I am at ZSK.
CAROLE. How cool is that? You have a three letter Twitter account. You must be so jealous, Graham.
ZOE. Well, do you know what? There's also a German rock star who I can't quite figure out — I think it could be a band actually — his or their Twitter handle is the capital ZSK. I always know when he's in concert because suddenly all these amazing German rock fans start tweeting me about how brilliant I am in a stadium and I'm like, yeah.
GRAHAM. I love that. And you can follow us on Twitter at Smashing Security — no G and no German rock stars. Twitter wouldn't allow us to have a G. And you can also join us on Reddit in the Smashing Security subreddit. And don't forget, if you want to be sure never to miss another episode, subscribe in your favorite podcast app — Apple Podcasts, Spotify or Pocket Casts.
CAROLE. And of course, huge thank yous from us for listening, for supporting us, for sharing the pod. It means the world to us. Also, thank you to this week's Smashing Security sponsors, MetaCompliance and LastPass — their support helps us give you this show for free. Check out SmashingSecurity.com for past episodes, sponsorship details and information on how to get in touch with us.
GRAHAM. Until next time, cheerio! Bye bye bye!
ZOE. So we... oh, bye! But at one point I had a problem with my Bitcoin wallet. I was using the local exchange and I had a problem with it, and the guy who ran the exchange who I'd also interviewed for this piece, he said, "Oh look, I'll just stick a little bit in there for you just so that you can..." I think it was when we were buying the pints for some reason it wasn't working. And he put whatever it would be, four or five pounds worth of Bitcoin in this account, right, so that I could buy these drinks for the thing. And afterwards, came back, did the piece, whatever, forgot all about it. And then suddenly there was that thing and suddenly Bitcoin was worth 20 grand. Right, and everyone at work is going, "Oh, if only we had Bitcoin." And suddenly I went, "Oh, hang on, I've got Bitcoin!" I couldn't remember, but you know, he put in a little bit more money than the drinks actually cost. There was a little bit of Bitcoin sitting in this long forgotten wallet of mine. So I was right, I got to dig this out. So I dug it out, found it — it was quite hellish because of course I couldn't remember what on earth I'd used to get into it. But I managed to get back in and it was worth about 200 pounds.
Lovely! I thought, "Wow, you know, this is an interesting scenario. I don't know what I'm going to have to do with this — I'm going to have to give it to charity or something, I can't keep it — but you know, I'd sort of access it." So I went all the way through this: "I want to withdraw my Bitcoin. Yes, I want to do it in British pounds. Yes." Blah, blah, blah, here we go. And then I hit this wall where it goes, "Currently, you can't withdraw your Bitcoin in pounds, but try later." So I'm like, "Oh, okay." So I do that thing where you refresh, refresh, refresh — it's not happening. "Oh God, I'm going to have to wait till tomorrow." So I wait till the next day, still nothing. I wait a month, still nothing. I wait six months, and actually I think I last tried it about a fortnight ago and I still can't get it. And now I don't know, because Bitcoin has massively slumped back down again, I don't know whether because I hit exchange it to pounds at that moment — I don't know whether it's still worth 200 pounds or whether it's now 54p or something. I feel completely in limbo here.
GRAHAM. You should hold on, Zoe, because John McAfee is pretty convinced that by the end of the year, one Bitcoin will be worth a million dollars.
ZOE. Yeah, he's so smart too.
GRAHAM. Oh, okay, I'd definitely take tips from him.
ZOE. They definitely won't let me take it out then, will they?
ZOE. He has promised to eat a part of his anatomy live on TV if it's not found to be true. So you know, there's your incentive.
GRAHAM. Okay, well, it must be true if that's the case. Did he give an exact date for this? Is it the sort of Mayan calendar thing?
CAROLE. Yeah, plus he has a vanity Bitcoin address that you can use.
ZOE. Oh yes, excellent. Is it John McAfee loves you? Yeah, 3-2-1.
-- TRANSCRIPT ENDS --