
179: Deepfake Jay-Z, and beer apps spilling your data


Apps that belch out sensitive military information, what could the world learn from South Korea's digital response to the Coronavirus pandemic, and who has been deepfaking Bill Clinton, Jay-Z, and Donald Trump... and why?

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Brian Klaas of the "Power Corrupts" podcast.

Plus we have a bonus feature interview with Rachael Stockton from Logmein, the folks behind LastPass, all about their report into the psychology of passwords.

Visit https://www.smashingsecurity.com/179 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guests: Brian Klaas and Rachael Stockton.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



GRAHAM CLULEY. I've never drunk a pint of beer in my life.


BRIAN KLAAS. Oh, wow. Nothing like a pandemic to start.


GRAHAM CLULEY. That's why my body's a temple.


CAROLE THERIAULT. Well done. Well done. Your halo is blinding me.


ROBOT. Smashing Security, Episode 179: Deepfake Jay-Z and Beer Apps Spilling Your Data with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 179. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. Hi, Carole.


CAROLE THERIAULT. Hi, Graham. You haven't said hi to me in a while on the show.


GRAHAM CLULEY. You know, I like to mix it up a little bit. And we've mixed it up this week by bringing someone onto the show who's never been onto the show before, but he's no stranger to podcasts because it is the man behind the Power Corrupts podcast, Brian Klaas.


BRIAN KLAAS. Hello. Hey, thanks for having me on.


CAROLE THERIAULT. Yeah, one of my pick of the weeks a few weeks ago. So thank you so much, Brian, for coming on the show and for creating it.


BRIAN KLAAS. I'm flattered.


GRAHAM CLULEY. Brian, for those who don't know, maybe haven't heard Power Corrupts and More for Them, can you give a brief premise about what the podcast is all about?


BRIAN KLAAS. Yeah, sure. I mean, so I sort of talk about it, I conceptualize it as if This American Life and Radiolab had a very sinister baby that was obsessed with the dark side of politics. It's one episode a week where we focus on, you know, everything from conspiracy theories to election rigging, disinformation, propaganda, pandemics, biological warfare, all sorts of stuff. And it's a scripted narrative-driven podcast. So it's polished and brings together a lot of interesting experts and a lot of people who have actually lived these things, which is fun. And the big news today, I'll say I was very, very flattered. We were nominated as a finalist for the smartest podcast of the year by the British Podcast Awards.


GRAHAM CLULEY. Yay! Hooray! Congratulations.


CAROLE THERIAULT. That is a worthy title to covet, isn't it?


BRIAN KLAAS. Indeed. Yeah, I was very happy about that.


CAROLE THERIAULT. Brilliant. Congratulations.


BRIAN KLAAS. Thank you.


CAROLE THERIAULT. Oh, so I had a question for you about your podcast actually. So I'm a big fan, but I saw that you had one titled Pandemic, and I saw that it came out March, right? So I was thinking there's a lot of work that goes into each of your episodes. So had you thought about doing that beforehand? 'Cause it does fit into your wheelhouse quite comfortably. Or was this something that you reacted to because the world was melting?


BRIAN KLAAS. No, I did it before, and I have the receipts 'cause I announced the series on Twitter And I listed the pandemic one in the original trailer, which came out in January. So the interview that I did with the person who does epidemiological modeling of pandemics, I did that when it was starting to become clear that this was coming to Europe and perhaps the United States. But the other stuff, there's a really interesting bit I did about this village in the UK where they effectively voluntarily locked down during the bubonic plague in 1665 and all died, mostly died. To save their sort of compatriots. I went up there before any of this was known. So, yeah, it was sort of fortuitous.


CAROLE THERIAULT. Yeah.


BRIAN KLAAS. In a very dark way.


GRAHAM CLULEY. Yeah. Fortuitous or perhaps a little bit creepy. Brian, you may have just stirred a new conspiracy theory inside me. You seem to know a bit too much. Maybe that helps to promote your podcast.


BRIAN KLAAS. Yeah, well, if only that little village had a 5G mast, then we would know.


GRAHAM CLULEY. What's coming up on the show this week, Carole?


CAROLE THERIAULT. First, let's thank this week's sponsors, Boxcryptor, Immersive Labs, and LastPass. Their support that helps us give you this show for free. Now on today's bumper episode, Graham tells us about an app that puts military folks at risk. Brian reviews how South Korea handled a recent outbreak and whether we could do the same. And I am going to look for the line between video satire and deepfakes. Plus we have a special interview with Rachael Stockton from LogMeIn. So stay tuned after the show to find out how you can better protect yourself online for free. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, are you drinkers?


CAROLE THERIAULT. Yes.


BRIAN KLAAS. Yes.


GRAHAM CLULEY. Aha. See, I'm not.


CAROLE THERIAULT. I'm actually having a beer right now, actually.


GRAHAM CLULEY. You're having a beer at the moment?


CAROLE THERIAULT. Yes. Look, look, look, I'm gonna clink it against the microphone. There you go.


GRAHAM CLULEY. Fud. Well, if you are a beer drinker, Carole, then maybe you would want to use an app like Untappd. That's untapped without an E. I'm not quite sure why.


CAROLE THERIAULT. I know how to drink beer. I don't need someone to teach me.


GRAHAM CLULEY. It's not to help you drink beer. It's a geosocial networking service That's how it describes itself. It's a mobile phone application that allows you as a drinker to check in online as you drink beer. Whoa, whoa.


CAROLE THERIAULT. I don't understand. So, okay. So I crack open a brewski in my house.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. And then what? Get the app open?


GRAHAM CLULEY. Then you get the app open and you're thinking, oh, I'd rather like to tell my online beer drinking friends that I'm currently having this beer and I'll rate this beer or I'll rate this hostelry. And so it's a free app for iOS and Android. Lets you discover and share beer, follow other drinkers.


CAROLE THERIAULT. And it's just done out of the love of their hearts.


GRAHAM CLULEY. Well, people are doing it because I guess they're obsessed with beer, right?


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. So they drink beer, they earn badges, you share pics of your beer. Surely you've done this sort of thing, Brian, haven't you? You haven't done this?


BRIAN KLAAS. No, I'm afraid not. You're missing out. How can I get more followers? Do I need to get some cat, like some craft beers?


CAROLE THERIAULT. Become an alcoholic seems to be the answer according to this app.


GRAHAM CLULEY. This is what the pandemic was designed for, right? Be sharing your drinking capabilities. You post reviews of the beer. You can see where your friends are drinking beer. Oh, they're drinking at home at the moment. Beer, beer, beer, beer, beer.


BRIAN KLAAS. So do we have, do we have an app? Is there like a Negroni'd app without the, you know, like apostrophe D as well? Or an Old Fashioned without the E at the end?


GRAHAM CLULEY. Oh yeah, you might, you might be, might be onto something there. I mean, they haven't kept it too old school. This, this, this app has really kept up with the times because imagine you're drinking a beer. And catastrophe, you finish your beer. What you can do with the Untappd app is you can scan the barcode on your beer.


CAROLE THERIAULT. Okay, I'm looking right now.


GRAHAM CLULEY. And the app will hail an Uber taxi to take you—


SPEAKER_03. Shut up!


GRAHAM CLULEY. —to where you can drink more of that beer.


CAROLE THERIAULT. I would love someone up in the northern coast of Scotland, right? In the Hebrides or somewhere like that. Isle of Wight, try this out. Wow.


GRAHAM CLULEY. Could cost you a few quid, couldn't it? Anyway, so this is clearly for people who are really into their beer. And as we know, People who are really into their beer are really into their beer. Well, investigative website Bellingcat, I don't know if you're familiar with them. They've done some extraordinary work in the past using open source intelligence. They've looked into the criminal underworld. Do you remember the Russian poisonings in Salisbury? Where those chaps came over and they claimed to be big lovers of the cathedral and knew how many metres high it was. They visited twice. They've investigated the use of weapons in Syrian civil war. Well, now, They've turned their attention to beer drinking. Okay. And they say— Do I have to worry? They're on pandemic as well, right? They're on lockdown, the guys at Bellingcat, and they're thinking, what can we do to amuse ourselves? So they've looked at the Untappd app. And what they found was that it could be used to track military personnel, locate secret military installations, and even offer a glimpse at sensitive military documents. Fancy that.


CAROLE THERIAULT. Okay, question. Yes. Is it the fact that if a military personnel used this app, this information could be garnered, or is the app specifically designed to try and snuffle up military info?


GRAHAM CLULEY. Oh, it's not a malicious app. No, this has been designed by beer drinkers for beer drinkers, and they're all good people who believe in real ale.


CAROLE THERIAULT. But even the military drink beer. Apparently they do, yes.


GRAHAM CLULEY. Hopefully not while they're on duty or if they're in charge of any important military equipment. But according to the team at Bellingcat, all you need to do to find individuals working at military organizations or intelligence centers and track their general whereabouts is do a bit of digging deep into Untappd public data and cross-reference it with other social media. And through this method, they were able to find, for instance, people who had checked in at Camp Peary, which is a place in Virginia, I think, where they're doing like covert CIA training. And from there, they were able to track Untappd users as they visited bases and presumably bars in the United States and across the Middle East. They found, they logged over 700 check-ins at 500 unique locations. There were even people who were checking in near the Guantanamo Bay detention center and other people who are also going to the Pentagon. So this history of people moving up around has all been revealed by the Untappd app.


CAROLE THERIAULT. Okay, but did the Bellingcat people— Yes. Tell the Untappd people and indeed the military that this was happening before they trumpeted their news?


GRAHAM CLULEY. Oh yes, they've been in touch with everybody whose profiles they came across to say to them, hey, you might want to lock down your settings a little bit. Right. Because sometimes the snafus which happened were quite bad because people don't just like to drink and rate their beer. They also like to take drunken photographs of their beer bottles. And sometimes, and this may surprise you— And their beer bottoms as well. Well, I don't know. I think there's a different app for that, Carole.


CAROLE THERIAULT. Well, it depends how many beers they've had.


GRAHAM CLULEY. But apparently people will take a picture of their beer bottle and they're a little bit careless and they'll leave it also in the same frame: debit cards, plane tickets, ID cards. Social Security card. Right. Military documents, even an F-16 fighter jet. And its location, all revealed on Untappd. Because I guess they're sort of blearily sort of taking the photograph or whatever and making a goof. Hmm.


BRIAN KLAAS. Plus you can find out if someone has a really bad taste in beer.


GRAHAM CLULEY. Right. I've never drunk a pint of beer in my life.


CAROLE THERIAULT. Oh, wow. Well done, well done. I know, aren't I impressive? Your halo is blinding me.


GRAHAM CLULEY. That's why my body's a temple.


BRIAN KLAAS. Nothing like a pandemic to start.


CAROLE THERIAULT. OK, so do you— don't you think there's a bit of shared responsibility here? So on the one side, the military personnel or the users of the app need to think about what they're taking pictures of, right? Uh-huh, yeah, yeah. So don't take a picture of your beer bottle on top of your passport. Open. Yes. Right?


GRAHAM CLULEY. Are you suggesting that the Untappd app should actually display that warning before you take your photograph?


CAROLE THERIAULT. No, I think users should be smart enough to figure that out. I do kind of think that would be the responsibility of the user. So what did Untappd say when Bellingcat got in touch with them? Did they say, "Ooh, cheap, we're gonna fix that right now"?


GRAHAM CLULEY. Well, actually, Untappd aren't gonna change anything. Oh. Because Untappd has already decent privacy settings, and you can set your profile to be private easily. And users have to consciously select the location which they check into. And so their opinion is that they've already set this all up to be as private as required. It's down to the ruddy users. And maybe what needs to happen is some major general to speak to the people in the military and say, stop posting that kind of information onto social media apps.


BRIAN KLAAS. Isn't this also a story about how the power of opt-in versus opt-out is so important? Right. And you just need to have, you know, a critical mass arguing for opt-out of privacy settings rather than opt-in.


GRAHAM CLULEY. Yeah, I mean, all of these apps, of course, because they want to build up the network and they want to be as attractive as possible to new recruits, of course, they always automatically opt you into all of these. They basically have privacy turned off by default, don't they?


CAROLE THERIAULT. Yeah, that's such a point to underline though. I think most people think, hey, if I just stick with the default options, they're going to be looking after me. As long as I don't change anything, I'm running it as I should. But exactly to your point, they don't make it so it's the safest it can be for you. It's so it can use as many features as possible.


GRAHAM CLULEY. Yep, it's absolutely true. And we do need to have a sort of, I don't know, some sort of mental shift when we use these apps and when we log into these websites as to what they're planning to do with our data and to double-check the settings. Of course, sometimes the settings change without us even realizing.


CAROLE THERIAULT. Yeah, this is from the Facebook guy.


GRAHAM CLULEY. What are you using again? Facebook? Facebook Portal, which I bought for the in-laws. Yes.


CAROLE THERIAULT. Well, not for the in-laws.


GRAHAM CLULEY. You have one in your house too. Well, yes, in order to communicate with them, we have—


CAROLE THERIAULT. Telephone doesn't work.


GRAHAM CLULEY. Okay. Here's the thing, Carole. The Facebook Portal, I give you an update, it's actually been turned off, and it's no longer being used. And the reason is, having had two portal calls with the in-laws to keep in touch with them during the pandemic, their dog ate the remote control. Good! Or their Facebook Portal.


CAROLE THERIAULT. So you've been saved yet again by your canine friends. That's true.


GRAHAM CLULEY. Now the Pentagon, of course, they banned Fitbits and GPS tracking. Do you remember the Strava app? I think we spoke about it before and how that was logging how people were running around runways and military bases and submarines and things like that. So the guidance from the Pentagon is that you shouldn't be using these kind of apps. But I suspect apps like Untappd are sneaking through because your initial thought wouldn't be, this is something which is tracking my location. But truth is, there's lots of apps out there which are asking you to check in and share information. So maybe they need to have a rethink on that.


BRIAN KLAAS. I think, you know, I think it's one of these things where it's astonishing still how much of this type of stuff comes out from groups like Bellingcat, which are doing amazing work. Yes. But why is it that it takes their investigation to uncover these loopholes that could genuinely pose security risks for an entire country? Why isn't the government spending money to, you know, as you say, you've got to have your personal device, but you can say here are the apps that you either can't use, or if you do, you have to change these settings. And then I think it's a reasonable balance.


GRAHAM CLULEY. Well, I wonder what else Bellingcat are currently investigating, which led them to look at the Untappd app. You know, what criminals or scoundrels are they currently after?


CAROLE THERIAULT. I think they have brainstorming sessions, right, where they're all in a meeting room, or in the old days, and someone would say, let's put beer and military together and see what happens. And then they go down that route.


BRIAN KLAAS. It would be amazing though if there were actually like beers that had, you know, national, like clear national markers. So like, you know, in Ukraine, you end up seeing the pockets of the Russian soldiers based on the Untappd app. You know what I mean? Or it's the, because there's a specific type that the Ukrainians don't drink and the Russians do.


CAROLE THERIAULT. And imagine if this information is then sold on to beer advertisers to say, this is where your markets are.


GRAHAM CLULEY. That's an interesting— actually, I wonder how Untappd makes its money. Yeah. I have no idea, not being a boozer like you.


CAROLE THERIAULT. He's saying everyone's drinking Beck's beer down in, you know, blah, blah.


GRAHAM CLULEY. Oh, we've all become so cynical, haven't we? Well, they're smart. Thank goodness for that. Yes. I don't know. Brian, what have you got for us this week?


BRIAN KLAAS. Well, I've been looking at this story coming out of South Korea, which is, you know, South Korea sort of had a moment in the spotlight, so to speak, early on when it had what looked like a serious outbreak and now has had around 250 deaths total from COVID-19. And there's this story that I think is just, it was this gut check moment for me, is basically you have them reopen because, you know, the country did pretty well with dealing with coronavirus and a whole bunch of young people flock to these nightclubs where social distancing is a pipe dream. And a couple hundred of them got COVID-19 there, which, you know, completely predictable, uh, unavoidable. Maybe they should have kept the nightclubs closed. But what's astonishing is the next part of the story, which is that using a series of different digital tracking mechanisms, including purchases made at the nightclubs, asking for voluntary phone data from carriers, and also some CCTV, they were able to find tens of thousands of potential contacts from these couple hundred cases. And within the span of, I think, less than a week, tested— the last number I saw was 46,000 people in those potential clusters. And the reason why it was such a striking thing for me was to say, you know, could any North American or European country currently do this? And I think the answer is quite clearly no. And I don't think it's just a technical thing. I think there is obviously technical barriers. I think there's testing capacity barriers, etc. But I think there's also just sort of competence in government, trust in government, questions about aversion to privacy invasion, and cultural elements that all come together that mean that this really effective public health intervention is probably not going to be something we see anytime soon in European countries or the United States or Canada. And it raises the point of sort of, well, okay, but there's trade-offs here, right? Because South Korea has, as I say, around 250 deaths. The US is about to, at the point we're recording this, is about to be at 100,000. And at some point you start to think, okay, what, what freedoms are we willing to give up relative to the possibility of highly invasive tracking around an outbreak and a pandemic? And it's gonna put all these issues much more center stage, I suspect.


CAROLE THERIAULT. Yeah, cuz so I was looking at the COVID apps that they had been organizing in different countries a few weeks back on the show, and one of the countries I looked at was South Korea. And what was interesting about about it is they were quite impacted by the MERS outbreak. And they changed their privacy laws at that time, which has been very useful for them during this scenario because they are using a centralized network basically to track everybody. But one of the big things they're doing is they can basically look at banks, right? They're getting it from loads of different sources. So they're really tracking individuals. So it's a really interesting privacy versus, disease point of view, which puts me in a really difficult situation, right? You don't want people to die.


BRIAN KLAAS. But it's also really astonishing because South Korea was a dictatorship not long ago. I mean, it was a couple of decades away from its transition to democracy. So like the people that are aware of the risks of overbearing states, there's no question it's in many adults' life experiences. And yet there's this sort of, I don't know if it's cultural or because of the MERS outbreak or whatever, but there's this acceptance that this is a rational and reasonable response. And you think about the variation even within the United States, within individual states, right? Because some states are much more willing to adopt this sort of policy and others are so, so against it. And, you know, of course, showing up to protests with anti-tank rocket launchers and things like that to show their disdain for it. So you're going to have quite a big, I think, variation internationally in terms of how this pans out if this becomes the new normal. I mean, if the vaccine arrives in September, October, it's a different story. But if this is the next 15, 18 months, there's going to be massive variation on this question, I think.


CAROLE THERIAULT. And it's an interesting point of view from a power play perspective too, because whoever gets it really right and can kind of show it through numbers and kind of over the years be able to say, you see, we did this, that was right, we did this, but this was right, they can become quite a leader in terms of being able to deal with these things in the future.


GRAHAM CLULEY. I think regardless of the result, some people will be claiming that they were the best. Do you think so? They have done remarkably better than any other country. Don't look at the numbers. And the only problems that they've experienced have been because they've been doing too much testing. If they didn't do so much testing, there wouldn't be as many cases. Oh. Maybe, maybe, yeah. Do we know how popular the Untappd app is in South Korea? I wonder whether that may have, maybe it has an additional function, which is helping people. But it is astonishing, isn't it? How some countries seem to have really succeeded in this and others are floundering.


BRIAN KLAAS. I think one other point that I just, I think it's worth mentioning is we'd be in a very, dire state of narratives between democracy and authoritarianism were it not for South Korea and Taiwan, for example. Because you look at the sort of state interventions that have taken public health seriously early on, and with the exception of— I guess you could also add, of course, Australia and New Zealand, though those countries are, you know, they're isolated in different ways, they face probably lower risk to begin with. Okay, but you have those sort of four, right? You have Australia, New Zealand, Taiwan, and South Korea. And finally, you can say, look, It's not authoritarianism, it's competent open government that's effective and state capacity and trust in government. I think trust is hugely important so you can accept some of these things. But otherwise, without those 4 cases, you'd have China going around the globe and saying, look, the US, the UK, France, Italy, Spain, they all had mass death. And those are the countries that you're supposed to aspire to. And so I think it's really important to make clear it's not democracy It's just whether the individual leaders of those countries took it seriously early on. And I think that's really why I wanted to bring up this story.


CAROLE THERIAULT. How's your feelings of trust with BoJo?


BRIAN KLAAS. I mean, I think it's tricky because as an American living in the UK, you constantly are torn between US politics and UK politics, which has been a very dire thing to be torn between for the last 3 or 4 years.


GRAHAM CLULEY. Tell us about it.


BRIAN KLAAS. But, you know, it's something where you look at Johnson and originally I think there were massive mistakes. And pandemics are unforgiving. So if you make massive mistakes in this critical first month, first few weeks even.


CAROLE THERIAULT. Yeah, he was flippant.


BRIAN KLAAS. Yeah, I mean, it just, it magnifies the death toll massively. That being said, I think he's woken up to the risks. Yeah. By the fact that he was hospitalized. Yeah, yeah, he got a good fish slap in the face there, didn't he? And I think since that moment, and I think indeed since the lockdown, there's been some mess-ups on messaging, some very unclear advice, et cetera. But you compare it to Trump and you're sort of like, well, you know, they're really trying in the UK. Like, this is a genuine effort. They're not pretending it's fake. They're not hypothesizing about various drugs that don't work and possibly kill you or putting disinfectant in your body or a powerful light. These things are— so to me, it's one of these things where it's the perpetual lowering of the bar. But I sort of look at the UK and say, well, it could be much, much worse.


CAROLE THERIAULT. Yeah, 100%. 100%. I agree. There you go. Well, cheery. Don't worry, mine's fun.


GRAHAM CLULEY. Carole, what have you got for us this week?


CAROLE THERIAULT. Okay, we're starting off with a music quiz, boys. No way. Not music. No, we're starting off with a quiz. So I'm going to play something for you, and I want you to tell me who does this sound like? Who is this voice? Okay. Okay, give me a moment.


BRIAN KLAAS. I like big butts, and I cannot lie. You other brothers can deny that when a girl walks in with an itty-bitty waist and a round thing in your face, You get— Sounds like Bill Clinton. Bill Clinton. Okay, good.


GRAHAM CLULEY. One more. Here's a little hillbilly.


CAROLE THERIAULT. Here's another one. Who is this? Okay. To be or not to be, that is the question. Whether 'tis nobler in the mind to suffer the slings and arrows of oppression—


GRAHAM CLULEY. Is it someone like Kanye West or someone like that?


CAROLE THERIAULT. Yeah, it's Jay-Z. Well done, Graham. Well done.


GRAHAM CLULEY. I wouldn't really have known that, but it just sounded his sort of attitude.


CAROLE THERIAULT. Yes, okay. Well, the problem is that none of these people are Bill Clinton or Jay-Z, right? These are clips from a channel called Voice Synthesis. This is a YouTube channel. Now I've put it in the show notes if you guys wanna have a click on through to the channel. So you guys can see the playlist and stuff and you can see what's going on. Now for you listeners at home, this is basically a site that purports and proudly states that it synthesizes voices and pairs them with a non-expectant text. So you have like Bob Dylan Billie Eilish covering Britney Spears. You have Frank Sinatra crooning Dancing Queen. You have various presidents reciting rap lyrics. You even have George W. Bush take on 50 Cent's In Da Club.


GRAHAM CLULEY. I'm looking at it right now. You've got Bob Ross in here. Yeah. One of your heroes. One of my heroes. Mr. Rogers, who's a big American icon, isn't he? Or was?


CAROLE THERIAULT. Yes, he was one of my— all through my childhood, he was around, yeah.


GRAHAM CLULEY. Oh, goodness me.


CAROLE THERIAULT. So what's interesting is check the number of subscribers to the channel.


GRAHAM CLULEY. Okay. How do I do that? Geez. Oh, 50,000.


CAROLE THERIAULT. Are you surprised by how small it is? Well, let me carry on with my story and you can tell me if you think— Okay. If that plays a role in anything of this. Now you can see on the page, you can see that at the end of each title of any video, it says in brackets, voice synthesis. Yes. Right. And so, and then underneath in the description, it says the voice in this video is entirely computer generated, using a text-to-speech model trained on the speech patterns of Jay-Z or whoever he's mimicking in that particular video. Apparently, the YouTuber behind the Jay-Z deepfake says they were created by Tacotron 2. This is the text-to-speech program from Google.


GRAHAM CLULEY. And a lot of these have got like hundreds of thousands of views, haven't they? I mean, some of them are quite popular.


CAROLE THERIAULT. Yeah, interesting. Question I have for you too. Do you, so the term deepfake, do you think at this moment, do you think that's fair? So they're not videos, it's just the audio. It's almost like you're at a presentation or something. So there's There's a slideshow and then you hear the voice of the purported person behind it.


GRAHAM CLULEY. Do I think deepfake is a correct way of describing it? Is that the question?


CAROLE THERIAULT. Is it an impersonation? Is it a deepfake?


BRIAN KLAAS. The way I understood deepfakes is that they have to use generative adversarial neural networks to generate content. But I understood it as these GANs were used to create new content using machine learning and AI. Again, I'm a political scientist, so I'm wading outside of my, my comfort zone.


CAROLE THERIAULT. Right now, there is a bit of a brouhaha going on between Jay-Z and this YouTube channel. So according to Ars Technica, right, this was April 26th, a new video— this is how it all came to light— a new video was posted on this channel, right, saying that YouTube had taken down the Jay-Z related videos. There were two of them that he created. One was Shakespeare's "To Be or Not to Be," which we were listening to earlier, and then there's Billy Joel's "We Didn't Start the Fire." And apparently the request came from Jay-Z's company, Roc Nation. Now, the way in which Voice Synthesis tell their followers was rather novel. They put together a video featuring the simulated voices of Barack Obama, Donald Trump, Ronald Reagan, JFK, and FDR to explain. This time, maybe it's copy-pasted.


SPEAKER_03. The channel was created by an individual hobbyist with a huge amount of free time on his hands, as well as an interest in machine learning and artificial intelligence technologies. He would like to emphasize that all of the videos on this channel—


GRAHAM CLULEY. Okay. Yes.


CAROLE THERIAULT. Now, is that an understandable response? Because this guy is kind of saying, I'm thinking he's going, look, I have been super clear on my channel that I'm doing this for fun and I'm taking a synth voice, not the real person.


GRAHAM CLULEY. And what's the big deal? The thing is, a lot of people could see these videos without seeing the video description, couldn't they? If they're shared on social media, I suspect you might see the title, maybe. But having speech synthesis in brackets at the end, you might only see the start of the title on your mobile phone. I'm a little disappointed they didn't get Mr. Rogers to join in on the rebuttal as well. That would have been a bit classier.


BRIAN KLAAS. The original video might have a disclaimer, but people who do not have a sophisticated understanding of fake video, fake audio, will not see it. And I think what Photoshop did for photos was that people started to understand that it could be doctored easily. And I don't think that most people have made that leap. Like most people who are not dialed into this world of disinformation have made the leap to understand how easy it is becoming to do the same with video and audio. And I had this debate, I hate to do the plug of the podcast, but I had this episode called The Godfather of Fake News, where there's a guy who just deliberately writes fake news. That was a brilliant episode. And he just, he does it for clicks, right? And he makes money off of it. And he has in every single post a disclaimer that says this is satire, but it still goes viral. And you know, a lot of the people who are consuming it don't know what the S means on the story. They don't understand it. They don't click on the actual story. So the headline seems plausible and the story is absurd. And I think with this, it's the same type of thing, right? You could just have it go around the world and change people's minds and have them either vote on it or make decisions based on something that's totally wrong. And I think the scariest thing is the idea of the world leaders because they can miscalculate in terrible, terrible ways. Well, yeah.


CAROLE THERIAULT. And if you look at this channel, right, and you see what videos this person is producing, I mean, there is a political slant. You've got Bernie Sanders, you've got past presidents, you've got Ayn Rand. I mean, it's hard.


GRAHAM CLULEY. I'm not sure that they're doing it necessarily with malice in mind. I think it's just more the juxtaposition of having Frank Sinatra singing, dancing.


CAROLE THERIAULT. Graham, I'm so glad you're saying that because I'm going to do this for you. I'm going to take your voice and I'm going to have you read Piers Morgan's tweets. And I'm going to just stream it live. And I'm so, so glad because I was worried that you think it was unfair that I used your voice. And I'll add in some, "Oh, Piers, I love you. You're so great. You're fantastic." That's okay, right?


GRAHAM CLULEY. No one's gonna believe that, girl.


CAROLE THERIAULT. So now this isn't the end of the story. This isn't the end of the story. So a few days go by, right? And suddenly the videos reappear. Yes. And they reappeared because Google said, actually, the takedown requests were incomplete. And so the YouTube spokesperson told Ars Technica that the videos have been temporarily reinstated pending more information from whoever filed the claims. So now the ball seems to be in Jay-Z's court. And this is really interesting for me. So this is why I come back to the 50,000 subscribers. So for Jay-Z to go after someone with 50,000 subscribers is like an elephant going after a flea. So he will build this person's channel by going after him. Oh, won't he?


BRIAN KLAAS. Yes, I think so. It's the Streisand effect.


GRAHAM CLULEY. Yeah, Streisand effect. Whoa, whoa, whoa, whoa, whoa. Carole. What? Is it possible that the person who's made the complaint isn't actually Jay-Z, but is a deepfaked Jay-Z who's making the complaint? And now Google has thought, oh, maybe this wasn't a real complaint and therefore we're temporary. And now this channel's got all this interest.


CAROLE THERIAULT. That's interesting because YouTube would not confirm that it was Jay-Z's production company, Roc Nation, that had done it. This is only— the only reason we say that is because the YouTuber himself or herself said that.


GRAHAM CLULEY. Look, we've got Brian on the podcast. He can unearth all the conspiracies, right? You can get to the— for goodness' sake, Brian, you've got some— you need something for series 2. Can't you look into this?


BRIAN KLAAS. Maybe the most logical explanation is Jay-Z has been really comfortable having 99 problems. And now that he has 100, he has to get back to equilibrium. Funny, funny. And so he has to get rid of this one problem. Told you he was a professional.


GRAHAM CLULEY. Sorry, is that— I think that reference may be too hip for me to understand. Okay.


BRIAN KLAAS. I've missed something. It is the main song for which he is known.


CAROLE THERIAULT. I don't know.


GRAHAM CLULEY. I don't know what to do. Yeah. Very interesting, Carole.


CAROLE THERIAULT. Yeah, well, you're welcome. So the whole issue is this is kind of cool because satire, like no one's ever gone after Weird Al Yankovic and succeeded just because he did satires of all their songs. And as far as I know, he didn't pay for the rights to do that. Everyone knew what was going on. But the gray line between the satire, the pastiche, and the, "Hey, that's my face," or, "That's my voice," and I don't want to be fluffing Piers Morgan verbally. Can you even copyright your voice?


GRAHAM CLULEY. Can you even claim, "That is my voice and not anybody else's"? Because there are people who sound quite similar.


CAROLE THERIAULT. What else can you copyright if not your voice and— how you move and stuff. And it's going to become that world. I think we should.


GRAHAM CLULEY. You sound a little bit like Marge Simpson's sisters, I've always thought. Yeah, I'm not going to say what you sound like.


CAROLE THERIAULT. I'm too polite. Hey, Graham? Yes? So I've got a problem. Yes? I use a cloud service. I put all my files and data up there, and I'm kind of nervous about prying eyes. Looking at it. Any advice?


GRAHAM CLULEY. Yeah, you've got to encrypt it. Because any file which you put on Dropbox or Google Drive or OneDrive or those other sort of cloud services, it could be accessed by that company or indeed law enforcement or any hacker who broke into your account. So what I would recommend is use a piece of software like Boxcryptor. It's what I run on my computer. And any file before it gets uploaded to those cloud services gets encrypted with my own keys, which I control. They're offering a fantastic 40% discount to listeners of the Smashing Security podcast. If you want a Boxcryptor personal license for private use or a Boxcryptor business account perfect for the self-employed, go to smashingsecurity.com/boxcryptor.


CAROLE THERIAULT. So the guys behind LastPass, LogMeIn, they've put out a report called The Psychology of Passwords: The Online Behavior That's Putting You at Risk. And basically, as we do more working and purchasing and socializing online, hackers are chomping at the bit to take a little piece of us away. The best thing you can do is get a password manager to help you make unique and difficult-to-crack passwords for every single account you have online. Check out LastPass's report for loads more tidbits at smashingsecurity.com/lastpass.


GRAHAM CLULEY. If you listen to our show regularly, you'll know that hackers never stop innovating. Immersive Labs gives security professionals practical and gamified content to keep pace with the latest threats. Sign up to get instant access to more than 24 hours of free labs and a new lab to try out each week. Latest being their red and blue team labs on the SaltStack vulnerabilities, which were in the news last week. Go check it out at immersivelabs.com/smashingsecurity.


CAROLE THERIAULT. On with the show.


GRAHAM CLULEY. And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week.


CAROLE THERIAULT. Brian, if you would. Pick of the Week.


GRAHAM CLULEY. Thank you very much. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily.


CAROLE THERIAULT. Really hope it's not this week.


GRAHAM CLULEY. Well, mine, I almost considered making this my main story on the podcast this week. It's not really strictly speaking security related necessarily, but kind of anyway, see what you think. My pick of the week is a blog post by a chap called Ranjan Roy, and I will link to it in the show notes so you can check it out some more. But he's talking about a friend of his and his friend owns a few pizza restaurants. And for 10 years, his friend resisted offering delivery of his pizzas because he was like, I'm a classy joint, right? I'm not offering deliveries. Come in, have the in-restaurant experience. It'd be better than Domino's. Takeaway, do you do that? I don't know. I don't have that information.


CAROLE THERIAULT. Not much research. Okay. Brian, see, this is what we work with here.


GRAHAM CLULEY. But then something odd happened. Okay. Then something odd happened. This guy who ran the pizza restaurants began to get complaints from customers complaining about their deliveries. Saying, I got the wrong pizza, the pizza was cold. And this restaurant was like, well, we don't, what? We don't do deliveries. What are you talking about? What are you complaining? And it turned out when he looked up his own shop on Google, there was a delivery option listed in the Google listing and it had been put there by an organization called DoorDash. And DoorDash, I think, they're like Deliveroo or Uber Eats. They're an online delivery service, right? Who work with different restaurants. Now, the guy who owned these pizza restaurants had never arranged for DoorDash to deliver his pizzas. DoorDash had taken it upon themselves to do that, and they'd rather provocatively listed themselves.


CAROLE THERIAULT. So they were going over and buying pizzas? That's right.


GRAHAM CLULEY. This was the thing. They didn't have the proper bags for the pizzas, so they'd arrive cold, and you know, it wasn't always brilliant service, but it was the genuine restaurant employees who were wasting time dealing with all the bad reviews and the customer complaints, right? So they were a bit miffed about this. But then when they were looking at the listing on DoorDash as to how you could order pizzas for delivery from their own restaurant, they noticed something odd, which was they sold pizzas for $24, but you could have the same pizza delivered by DoorDash for just $16.


CAROLE THERIAULT. Oh, I thought you were going to say they were adding on. I was like, no, well, no, no, no.


GRAHAM CLULEY. Tell us the price. $16 less. And apparently, the mistake DoorDash had made is that they were scraping— they scrape restaurant websites for their menus and their pricing. So, DoorDash had taken the price for a plain cheese pizza, scraped it off the website, and somehow they had applied it to a specialty pizza with loads and loads of toppings. So, like you said, someone could pay DoorDash $16. DoorDash would go into the restaurant, pay $24 for the pizza, and deliver it. So what does the owner of the restaurant do? He orders 10 of his own pizzas via DoorDash. Brilliant. He was charged $160. The DoorDash driver then shows up, pays him $240. Brilliant. And takes away the pizzas. So he's making— Well, it's keeping his costs down. Now, the story goes on from there, and it's well worth a read. I'm bookmarking it right now. I would recommend it. So, yeah, so there's actually some hope, I think, for restaurants during the pandemic who maybe don't offer delivery. Maybe there's some intermediary who'll do it and actually make you money in the process. You just order your own pizzas to be delivered to the kitchen around the back.


CAROLE THERIAULT. When AI fuck-ups work in your favour.


GRAHAM CLULEY. And that is why it is my pick of the week. That's pretty good. It's pretty good. Brian, what's your pick of the week?


BRIAN KLAAS. Mine is very much not security related. And that's because I think in the hellscape we live in, you want to live away from it and escape a bit. And so what I've been doing is watching a lot of old stuff. Ah, wonderful. And so what I've gotten into recently is one of the weirdest shows that I like. It's called Iron Chef Japan. When it was originally broadcast in Japan, of course, it was not called Iron Chef Japan, but it's one of the weirdest cooking shows you'll ever see. It's incredibly over the top. I've never seen it.


GRAHAM CLULEY. So what's the deal with Iron Chef Japan?


BRIAN KLAAS. So what you start with is you have this like really elaborate introduction that Chairman Kaga, who's like the host, has like this, you know, this massive swelling music behind him and like quotes from French chefs and things. And then he takes this bite out of a bell pepper, and that's like the intro. And the way that the setup is, is you have these 3 Iron Chefs, uh, Iron Chef Chinese, Iron Chef French, Iron Chef Italian, sometimes Iron Chef Japanese. And there is a theme ingredient that a challenger will battle them on within Kitchen Stadium, which is custom built for this show.


CAROLE THERIAULT. Okay, that's kind of like Iron Chef. I don't even know if he knows Iron Chef at all.


GRAHAM CLULEY. Yes. Yeah, yeah. No, no, no.


BRIAN KLAAS. So Iron Chef America is like a ripoff of Iron Chef Japan and way worse. Okay. Anyway, I didn't know that. So, so the point— yeah, because Iron Chef Japan ran from 1993 to 1999 and it shows. So the point is that they— these Iron Chefs come out of the floor with like dry ice and like again, like lots of— lots of—


GRAHAM CLULEY. it's like the World Wrestling Federation. Yeah, it's amazing.


BRIAN KLAAS. And then there's like this, this massive like sheet over the theme ingredient. And Chairman Kaga, who's wearing a kimono, comes down and like unveils it as the crescendo of the music happens. And there's like a series of like tomatoes. And then they have an hour to make between 3 and 6 dishes using that theme ingredient as the main thing. And they're like rushing around and stuff. And then they have like various like B-list celebrities from the Japanese 1990s to judge them, like an opera singer who will like say, oh, this is really great. And then like the, the next person is actually a food critic and they're like, this is garbage. And of course, you know, it's, it's like, it's just the most incredibly weird Japanese show and I love it. And it's, it gets your mind off of the pandemic like nothing else.


GRAHAM CLULEY. I've been binging recently on Ally McBeal. Oh, um, from 20-odd years ago.


CAROLE THERIAULT. I bet you love her.


GRAHAM CLULEY. Turns out at 20-odd years distance, it's perhaps not the most You're watching some of these characters and just thinking, that's outrageous. The guy she's in love with, he is a bastard. It's just like, what a git. Unbelievable. Anyway, fascinating. Anyway, excellent. Well done, Brian. Carole, what's your pick of the week?


CAROLE THERIAULT. Last week, my neighbor says to me, hey, have you heard the Rabbit Hole podcast? And I'm like, what's Rabbit Hole? The podcast from the New York Times. And he said, you have to listen, you have to listen, you have to listen. So as I was doing some gardening last few days, I've been listening to Rabbit Hole. I've listened to 3 or 4 so far and I'm totally hooked.


GRAHAM CLULEY. What's it about?


CAROLE THERIAULT. Kind of like a fascinating little glimpse into like internet and humans and how they both work together. So the first part was a 3-parter on this guy called Caleb, and he had offered the journalist Kevin Roose his entire YouTube history for 4 years.


GRAHAM CLULEY. Can you imagine doing that to a journalist? That's brave.


CAROLE THERIAULT. Isn't it? But amazing. And Kevin Roose then went and also looked at the algorithms that YouTube was using and when the algorithms changed, and tried to match the patterns to see if there were switches in his— how he viewed the world or what he was viewing. It's totally fascinating.


GRAHAM CLULEY. So you mean, was there like a political bent or something? Was it the thought that he's been manipulated?


CAROLE THERIAULT. I don't know if it's more manipulation, but it's basically the engine says, "Oh, you like this? Let me give you more of it. Oh, you like this? Let me give you more of it. Oh, you like this? Let me give you more of it," and really underline the point so you think everyone's thinking that way.


GRAHAM CLULEY. You enjoy Iron Chef Japan, Brian? I'll give you more men in kimonos. Yeah. More vegetables for you. More vegetables.


BRIAN KLAAS. Can't wait.


CAROLE THERIAULT. So anyway, really, really interesting. And it's true, if you think about, you probably look up chess stuff all the time, and then probably in your feed, it's always offering you new, probably the same chess videos you've seen millions and millions of times. You're looking for new games potentially, and you're finding, why am I always being referred back to these same ones all the time? Anyway, you can listen to the podcast and find out. It's really good. Um, I even reached out to Kevin Roose to see if he wanted to come on the podcast, so let's see. It's that good. In the meantime, go listen to it. Go listen to it. It's called Rabbit Hole from the New York Times. There is a link on our webpage and show notes. That sounds fascinating.


GRAHAM CLULEY. I mean, what a thing to do, to share your 4-year history. I mean, was he aware that he had this history all this time? Because whenever I've realized that something is storing a history of me, I just work out how to turn it off and delete it as quickly as possible.


CAROLE THERIAULT. At the time, yeah. Sorry, at the time that he was sharing with the journalist, he knew. And that becomes clear later in the episodes.


BRIAN KLAAS. Did he have any ability to selectively delete?


CAROLE THERIAULT. I don't think so. I did feel, based on the information, I felt the New York Times weren't basically salaciously going through and trying to show anything that embarrassed him. But I also felt that what they did call attention to showed a kind of route. You could see how that route would happen. So, you know, there's artistic license and, you know, there's curation happening there. But at the same time, there is an interesting approach to looking at how the internet might be shaping our brains.


GRAHAM CLULEY. Okay. Well, I guess your recommendation sounds good to me. That just about wraps it up for this week. Brian, thank you so much for coming on the show. I'm sure lots of our listeners would love to follow you online or find out more about your podcast. What's the best way for folks to do that?


BRIAN KLAAS. So it's @BrianKlaas on Twitter, which is K-L-A-A-S, and The Power Corrupts Podcast is what it's called. It's anywhere that you listen to podcasts.


GRAHAM CLULEY. And very good it is too. And good luck with those upcoming awards. And you can follow us on Twitter at @SmashinSecurity, no G, Twitter won't allow us to have a G, and you can also make sure that you never miss another episode of Smashing Security by subscribing in your favorite podcast app.


CAROLE THERIAULT. And as always, thank you brilliant, loyal listeners for your support and all your suggestions. Also, a huge thank you to this week's Smashing Security sponsors: Boxcryptor, Immersive Labs, and LastPass. Their support helps us give you this show for free. Oh, and stay tuned after the show for our special interview with Rachael Stockton. Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.


GRAHAM CLULEY. Until next time, cheerio. Bye-bye. Bye-bye.


BRIAN KLAAS. That was a lot of fun. So thanks for having me. I appreciate it.


SPEAKER_03. Our pleasure.


CAROLE THERIAULT. Rachael Stockton. It's been a while.


SPEAKER_03. It has been a while, Carole.


CAROLE THERIAULT. And a lot has changed. More than I would have predicted has changed since we've last spoken. Yes, yes.


SPEAKER_03. My hair is much longer.


CAROLE THERIAULT. I'm a little more, shall we say, ashen. Ashen is the word. Now, things at work must have changed particularly a lot for a company like you because it wasn't down tools time for LogMeIn, was it? You guys must have been really busy.


SPEAKER_03. Yeah, yeah, it has been a very busy couple of months throughout the entire business, making sure that businesses have what they need so people can meet, so they can access the data that they need, and that they can do it securely. So we've really been trying to make sure that our customers have what they need so that they can continue their business as much as possible.


CAROLE THERIAULT. Yeah, it's the first time I actually think of it, but I'm thinking of all these models that companies would have had on predicting how an environment will work, right? This is our market and this is what our market requires of us. And suddenly that flips on its head. So what changes have you seen from your customers?


SPEAKER_03. You know, it's, it's so interesting. I think there is— gosh, I'm going to quote High School Musical.


CAROLE THERIAULT. We have been spending a lot of time at home these days.


SPEAKER_03. There is this element of everybody being in it together and really trying to solve the problems. How do we make sure you are more productive at home as a worker, but also as an individual? And on the LastPass side, we spent a lot of time on businesses, but we also spent a lot of time making sure consumers are safe. And one of the things, you know, that being at home and having all of our stores shut down, I think has really driven is, like, I know myself, I've set up so many more online accounts, like just trying to find different places to get food delivery. You know, where can I get sort of the best meat and all of this different stuff? And all of those accounts, more passwords, and all my friends are doing the same thing. And there's so much more online shopping. So we're really taking our real lives that were outside and with people and then moving it much more virtual.


CAROLE THERIAULT. You know, it's interesting. I've been using a password manager for so long, I can't think of the last time I created a password where I had to kind of go, okay, what random 5 words can I put together that I'll actually remember? So obviously there's still people out there that do that. And you guys pulled together a pretty interesting report. I had a read of it last night and this morning, and there's some really good stuff in there. I loved how you narrowed down the riskiest behaviors. Maybe we could start there and go through some of that.


SPEAKER_03. You know, we did a survey of a bunch of consumers, regular people, not, not business people, just Joe Folks like you and me.


CAROLE THERIAULT. Yeah.


SPEAKER_03. And, um, tried to better understand password practices. And I'm also a psychology minor from many, many years ago, but I'm so interested in the why and the catalyst of human behavior. And I think one of our takeaways is this concept of dissonance, which I think we're all very familiar with now, right? Which is, I know I need to be doing one thing, but I'm really doing another, and you get that friction in between. And what we found from this report is, you know, I'll tell you, people out there, they're really smart. They know that using the same kind of password or variation or reusing the password is really risky, but more than two-thirds of people still do it. Okay, that's so interesting.


CAROLE THERIAULT. So people know— I've been banging on about this for 20 years now, it's part of my career. So people now know, this generation knows they have to use different passwords, but they don't know how to, or it's too much work, do you think?


SPEAKER_03. You know, I think there are a couple of things. One is there's an element of control, right? Access. A password is a key. I want the key to my house. I want the key to my— I want to know it myself. And by asking people to create really complex passwords, that takes away that sense of control. Because what we also found is people are afraid of forgetting their login information, and they want to be in control of these passwords. But the problem is that control is making people have risky behavior. And a product manager that I used to work with gave just, I think, the best example of where passwords need to go from sort of a human perspective. We need to think of passwords like we think of phone numbers. I know my phone number. That's pretty much it. And I'm okay with that because I have my phone. And so we need to think about passwords too. We don't need to know our passwords because we have tools like LastPass and other password managers that can remember that for us.


CAROLE THERIAULT. I wonder if it's like bank details, like if someone were to ask you, do you know what your bank account number is? Would you be able to say yes? "LastPass, it's this." Or would you have no idea?


SPEAKER_03. No, I would have no idea. And so I think it is part of it, but with passwords, we use them so much more often. I think the other piece too, right? So you wanna be in control and, you know, we are all, you know, slightly self-centered. And I think that we believe that in the end, you know, nobody really cares that much about me. Nobody's going to go after Rachael Stockton and my bank account and my retail accounts because, you know, whatever.


CAROLE THERIAULT. It's almost like, "Who am I? I'm not a celebrity. I'm not loaded. I don't have anything that anyone really wants. Why am I valuable? I can't see it. Therefore, people are just making a storm in a teacup." But you know what?


SPEAKER_03. It's not you. It's not about me. It's about— the hundreds of thousands of records. We are just a number. It's about the hundreds of thousands of records that are being stolen, and it's about the algorithms and, uh, the power that hackers have in their own systems to use and plow through that information to then take those passwords and not only get into the accounts that they stole from, but then use those passwords and try various variations to get into the plethora of other accounts that you have, including your work accounts. So it goes beyond just you. They're not after you, but guess what? They're gonna find you anyway, and you're still worth money to them.


CAROLE THERIAULT. Yeah, so basically you've got this situation where people have to work from home, they're setting up more online accounts, they are frustrated because there's too many passwords to remember. They're either using the same password or using small variations of it. This is basically, what's it called, like a red flag to a bull, I guess, for those hackers out there. So this was a worldwide report. So did you guys look at different countries?


SPEAKER_03. Were there differences? Yeah, you know, there are some differences. I think one of the things that is the same is there is still a very high level of awareness, and that's good. But one thing that we saw in Germany is that only really about 30% of them are using this variation of 1 to 2 passwords, versus globally 66%. So there does seem to be a little bit more action-oriented there and maybe a little bit less dissonance.


CAROLE THERIAULT. So that means in the rest of the world, more than 60% of people are using just one password for all accounts? Yes. Wow. Yep. And then in Germany, only 30% are doing that. So they're the lowest that you guys were able to spot?


SPEAKER_03. Yes. That seemed to be the most aware and action-oriented, like linking that awareness to the action-oriented. A couple of the other things that we saw even beyond passwords regionally was multifactor authentication. For example, in Singapore, which is a region we don't talk that much about, we actually saw a big increase in multifactor authentication use, both from a work perspective, which the end user really can't control, that's up to the business, but from a consumer perspective too, with more than 70% of people responding that they are using multifactor authentication to protect their consumer accounts, I think, which is great. That's really interesting.


CAROLE THERIAULT. I wonder if legislation had any part to play in that.


SPEAKER_03. Oh, yes, I definitely think so. There's been some very strong legislation in Singapore and actually all across Europe as well that's driving a lot of this. There's some upcoming legislation in Brazil, so an entirely other region, where they actually understand a little bit better that their accounts are valuable to a hacker. So I think that there's still a lot of education going on regionally, and a lot of it is driven both by, I think, businesses. And what I mean by that is I'm gonna say like the websites that you shop at, trying to one, educate people a little bit more about having tougher passwords, putting those requirements in, but also making multifactor authentication more available and having more integration.


CAROLE THERIAULT. I think a lot of it too has to do with an erosion of trust between consumers and companies. There's been a lot of companies in the press that have either been breached or they've claimed they've had great security and they haven't had great security. And people are just kind of like, who do I trust? And that's got to be challenging, right? So how do you go about building trust? What can you tell companies to do to help build trust, to help improve their businesses right now?


SPEAKER_03. I think the key piece is transparency. So when people are signing up for accounts, put those requirements for best practices in there, right? So you force the hand, number one. Two, ensure that the consumer, that we understand what you're doing to protect our information. And then if something happens, let us know. It becomes even more frustrating when it's 5 months down the line. You know, when we read those articles that these breaches have happened and now we're being notified, we understand, I think now, that breaches really are part of everyday news. But it's really, I think, how people are handling them and how companies are handling them that helps either one develop that trust or rebuild that trust once one happens.


CAROLE THERIAULT. And I think having a password manager actually allows you to slowly build trust with these people because it allows you to have a very unique, long, complicated— so complicated it's almost impossible to guess—


SPEAKER_03. password. In a way, this is a way you are taking control, right? I mean, if you want to be in control of your password, it's not about memorizing them. It's about putting them in something to ensure you can create the strongest one possible that you will not forget. It's unique. And if and when it gets breached, you only have to worry about that one account. You don't have to worry about the other 10 that are using that. LastPass. And then, you know, you can easily go in, change that password, and then you're protected again.


CAROLE THERIAULT. Exactly. That point, I haven't thought about that, but exactly. If your password gets breached and you're using the same password across your hundreds or even maybe thousands of accounts, you have to go through every single one and change those manually if you don't have unique passwords for each one. Yes.


SPEAKER_03. And one thing that we found out too is that even after a breach, 50% of people don't even change their passwords.


CAROLE THERIAULT. And it comes back to the idea that why me? Why would they target me? Yeah. Yeah.


SPEAKER_03. I think the one other piece that's really important to put up here too, one area that can help with any kind of breach, but it does ask more of us, right, is using multifactor authentication as a consumer. So we talked a little bit about it regionally. Overall, which is some good news, there is an increase we found in this survey in the awareness of multifactor authentication. Something you have, something you are, something that you know, right? That combination. And in the use: more than 54% of people globally are using it for some set of personal accounts that allow it. So I think that's really important because then even if that really secure password does get breached, you're still protected with multifactor authentication. So that account is still protected.


CAROLE THERIAULT. Yeah, no, totally. I'm a big fan of multifactor authentication. I understand it can be, it's a little bit more painful, but I think it's really important to have. So I love having something you know, something you are, something you have. I think using two of those at every opportunity is great.


SPEAKER_03. Yeah, I think it's important because let's also be real, with all of us working from home and being lucky that we're able to, there are a lot more phishing attacks because we're all getting a lot more email from, you know, the core functions— HR, IT, facilities— keeping us informed. So there are a lot more reasons why we may be contacted by odd people within our organization. 100%. And so I think that's also why it's important to think about password management as well, because you need to be getting to a site. You can get to that through the password manager. If you're clicking on a site and being asked to fill in your password and it's not automatically being filled by your password manager, ransomware, you know, look at that site. Is that the right one? I think there are ways we can also use these tools to help prevent some of the increase in attacks that we're seeing as well beyond just protecting the password.


CAROLE THERIAULT. Now you guys, obviously you have your enterprise solution, but you also make LastPass password management tools available for free for consumers. Is that right?


SPEAKER_03. We sure do.


CAROLE THERIAULT. So there's no excuse for people not to use a password manager. Password manager out there. This is the time, isn't it?


SPEAKER_03. It really is.


SPEAKER_03. You know what's the best about it? The best about the free product, to be honest, is— look, we spend— now, sorry, I'm sure everybody's— but I spend so much time on my mobile phone, and I have, uh, I have the iPhone, and I know exactly how much time I spend on it. Thank you so much. I hate getting that report. But I think it's also important to recognize that these same things, you know, you want to be able to have this access on your mobile device: your phone, your tablet, as well as your computer. And so being able to access all your passwords no matter where you are, I think is really important too. And I want people to understand that that's out there now. You don't have to worry about getting into your accounts if you're on your phone and you don't know your password. It's one solution for all your platforms.


CAROLE THERIAULT. Yeah, it's amazing. So listen, next week we have— my cousin is coming on. She's like an actress/comedian who's based in Toronto, but— and she's trapped in an apartment like millions of other people out there. But— and her life's obviously changed dramatically, right? She's not, you know, she's on stage. But one thing that hasn't changed is she's never given a hoot about security. And so the game plan next week is to see if Graham and I can convince her to at least do something to improve her security now. So I'm going to try and get her to go down the password manager route, and I'll let you know how I get on.


SPEAKER_03. Oh, I'm so curious. I can't wait to hear it.


CAROLE THERIAULT. Yeah, because I think that is one of the key things people do. And the reason I like it is it makes your life more simple. All you need to remember is your master password. That's it. So consumers, check it out. We'll put all the links in the show notes. Rachael, always brilliant to have you on the show.


SPEAKER_03. So great to talk to you.


CAROLE THERIAULT. My brother says going out now is like playing Pac-Man. You're constantly going down streets and going down blocks, then you see someone, you turn around, go different direction. Being chased by ghosts.


GRAHAM CLULEY. Don't eat the cherries. You don't know who's touched them before you.

-- TRANSCRIPT ENDS --