
166: What the Dickens! Ad ban thank you scam


How to stop dick pics on Twitter, and a new way bad guys are extorting money from websites earning cash from Google ads.

All this and much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault.

Visit https://www.smashingsecurity.com/166 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



GRAHAM CLULEY. It's rather like the real thing. It may take a while to really get up to full force. And so—


CAROLE THERIAULT. I think that's an age-related issue. I don't think everyone experiences that.


ROBOT. Smashing Security, Episode 166: What the Dickens?


CAROLE THERIAULT. Ad ban?


ROBOT. Thank you, scam. With Carole Theriault and Graham Cluley.


GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security, Episode 166. 166. My name is Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. Hi, Carole. How's it going?


CAROLE THERIAULT. Uh, fine. I feel like I've talked to you a lot of times this week already.


GRAHAM CLULEY. Well, yes, because we recorded our special bonus Patreon episode, didn't we?


CAROLE THERIAULT. We did.


GRAHAM CLULEY. Smashing Security After Dark.


CAROLE THERIAULT. Yeah, we put it out last night. I'd love to hear what people think about it. Did you see any comments yet?


GRAHAM CLULEY. Yes, yes. One guy says, "This is why I signed up for Patreon in the first place." He's very happy. And someone else wants to go on a sort of like uber platinum gold tier in order to find out what particular name I said, which was thankfully bleeped out for maybe libel reasons.


CAROLE THERIAULT. Thank God for censoring, eh? Sometimes it's a gem.


GRAHAM CLULEY. But anyway, what we should do is we should chuck at the end of this podcast a bit, a snippet. I mean, that Patreon bonus, it's about 40 minutes long, so we won't put all of that up, but maybe we could put up a couple of minutes of it at the end of the show.


CAROLE THERIAULT. Yep, deal.


GRAHAM CLULEY. And tempt people to become Patreon supporters at patreon.com/smashingsecurity.


CAROLE THERIAULT. Okay, enough advertising.


GRAHAM CLULEY. Oh, okay, yeah, right. What's coming up on today's show then?


CAROLE THERIAULT. Well, first, thanks to this week's sponsors, LastPass and Domain Tools. Their support helps us give you this show for free. Now, Graham is gonna tell us about a new content filter for Twitter, and I walk us through an unusually sneaky scam all geared towards stealing your moolah. All this and oodles more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chum, chum, we have—


CAROLE THERIAULT. You could just say, hey, Carl.


GRAHAM CLULEY. Yeah, hey, Carl. We haven't got a guest this week. It just feels wrong not saying chum or chaps even. I still would rather say chaps, but—


CAROLE THERIAULT. Yeah, well, I don't have a dick.


GRAHAM CLULEY. Okay, so, well, oh, interesting. Well, funny you should say that, because in August '29, a developer going by the name of Kelsey Bressler, she had a rude awakening, poor thing. As she described on Twitter, she woke up to an unsolicited dick pic in her direct messages.


CAROLE THERIAULT. Okay, I'm glad it was in her direct messages. Right. And I'm glad it was a pic. Okay.


GRAHAM CLULEY. Not really the kind of thing that you want.


CAROLE THERIAULT. First thing in the morning?


GRAHAM CLULEY. No. And apparently the way the conversation went is that they said, "Hey." She didn't reply. And then they said, "Why don't you talk to me?"


CAROLE THERIAULT. Can I interrupt?


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. You're a guy.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Why do guys want to send dick pics? Can you explain it to me?


GRAHAM CLULEY. Well—


CAROLE THERIAULT. No, no, I really don't understand.


GRAHAM CLULEY. The only reason I could fathom that you could possibly want to send a photo of your penis to somebody is if you had some kind of urgent medical ailment.


CAROLE THERIAULT. Oh, like your cooter issue. Did you do it then?


GRAHAM CLULEY. So if you, so if there was some medical emergency, you might want to do it. I can't really imagine why else, unless someone was very, very insistent, that you would ever want to do such a thing. Anyway, she wasn't—


CAROLE THERIAULT. Just seems there's a lot of guys that like to do it.


GRAHAM CLULEY. Sure. Well, is that in your experience or what?


CAROLE THERIAULT. Carry on with your story. Come on, you're digressing. Okay.


GRAHAM CLULEY. She wasn't entirely sure how she should respond. And some of her Twitter followers, they suggested responses like, "Oh, that looks just like a penis, only smaller." Or—


CAROLE THERIAULT. Right, making it personal. Nice.


GRAHAM CLULEY. Or, "Not sure if that's a dick pic or a thumbs up that you're giving me there." Sorry, I don't smoke. So I thought that was— But anyway, Kelsey, she's a smarty pants developer. So rather than just reporting the user to the Twitter police for sending offensive pictures of his skinny chipolata to her. She instead rolled up her sleeves and wrote some code. And on Valentine's Day just gone, appropriately enough, she unleashed what will probably be her lifetime's greatest achievement. It is—


CAROLE THERIAULT. I'm listening.


GRAHAM CLULEY. A Twitter filter for dick pics.


CAROLE THERIAULT. Hallelujah! What's her name again?


GRAHAM CLULEY. Kelsey Bressler.


CAROLE THERIAULT. Kelsey Bresner, she's the girl of the day, isn't she?


GRAHAM CLULEY. There you are. It is called SafeDM for direct messaging.


CAROLE THERIAULT. Let me take a note. I'm just writing that down.


GRAHAM CLULEY. Right. safedm.com is the place where you want to go. You can find out all about it. DMs are direct messages, of course. And there's this whole thing about slipping into your DMs, isn't there? It's like when someone is chatting to you publicly on social media, but then they go into your direct messages because they're going to get a little bit down and dirty and a bit personal. And maybe send you a photograph of their penis. Now, SafeDM is a free service that can block unsolicited nude photographs. Specifically, Kelsey has requested that Twitter users forward to her their dick pics. She set up a special account called Show Yo Deek. So that's S-H-O-W for show and then yo as in yo. And Deek.


CAROLE THERIAULT. That's a street.


GRAHAM CLULEY. Deek as in D-I-Q. So, show yo Deek. Make sure, please, you spell it correctly. You don't want to send it to the wrong person. You'll get into awful trouble. So, if it is a photo which you are authorised to send, and if you're over 18, obviously, and it's all legal.


CAROLE THERIAULT. Okay, I double love her now. Not only has she developed the service, but she's basically saying, hey guys, you need a channel, you need a vector for this dick energy.


GRAHAM CLULEY. You need somewhere to put your dicks.


CAROLE THERIAULT. Yeah, you can keep your dick pics here. Love it. Send nudes for science.


GRAHAM CLULEY. Now, if you send them to that address via DM, not as a public Twitter message, obviously, they will be fed into Kelsey's system, which is basically an artificial intelligence system which is learning all about penis photographs.


CAROLE THERIAULT. Are you sure she's not just taking the Twitter handle and blocking it?


GRAHAM CLULEY. Well—


CAROLE THERIAULT. Because that's what I'd do.


GRAHAM CLULEY. Well, no, I don't think this is purely for men to send in pictures. Of their own dicks. It may be that if you're a woman who has received a dick pic and you would like the filter to improve, maybe it's one that slid past the filter.


CAROLE THERIAULT. You could forward it over.


GRAHAM CLULEY. Forward it over to her system where it will learn.


CAROLE THERIAULT. Bounce your dick over there.


GRAHAM CLULEY. About the characteristics of a particular penis. And then we'll block it in future. So it's adding to the knowledge, right?


CAROLE THERIAULT. Do you think there'll ever be like a Google, what are they called? You know, to verify that you're human. It'll be like, click on all the dicks.


GRAHAM CLULEY. Oh, well, there was something like that. Do you remember? I think in a past episode, David McClelland, in one of his early guest spots with us, he talked about a porn website, which was asking you to verify—


CAROLE THERIAULT. Oh yeah, verify your age or something.


GRAHAM CLULEY. Or verify you were male or something by taking a photograph of your penis.


CAROLE THERIAULT. I think it was age.


GRAHAM CLULEY. Was it age? Oh my word. Anyway.


CAROLE THERIAULT. Just to make sure you're old enough to be on the saucy sites.


GRAHAM CLULEY. Or if you've all got grey hairs, maybe, you know.


CAROLE THERIAULT. Yeah, yeah. Grey pubes. Aha. That could be in our title, grape juice.


GRAHAM CLULEY. Anyway.


CAROLE THERIAULT. Anyway.


GRAHAM CLULEY. Okay. So, so far over 4,000 dick pics have been sent into the system. And Kelsey reckons that her filter blocks up to 99% of the penis photos. So this is how it works, Carole, because you may want to put this in place in case you—


CAROLE THERIAULT. Oh yeah, I have a serious problem with this.


GRAHAM CLULEY. Right. Now we've been talking about it on the podcast, maybe we'll start receiving these ourselves.


CAROLE THERIAULT. Do you think it's also picture of men that act like dicks as well? Do you think she can move that into the next version?


GRAHAM CLULEY. She has specifically asked that the pictures don't include people's faces or any identifying information. You can send in tattooed penises, which of course might have your Social Security number on it.


CAROLE THERIAULT. What about with a Prince Albert?


GRAHAM CLULEY. Oh, well, anyway, this is how the filter works. Let's move on. This is how the filter works. Imagine, Carole, you sent me a picture of a penis. Via Twitter, via Twitter direct message.


CAROLE THERIAULT. As I often do. Okay, yeah.


GRAHAM CLULEY. So what SafeDM would do is it would look at my direct messages, spot what it believes to be a dick pic, deletes it so I can no longer see it, but sends a message back to you, the sender, and you can even optionally block them.


CAROLE THERIAULT. What if someone has wiry hair and a really long face? She could get sued. I hope she's got good liability insurance in place.


GRAHAM CLULEY. Well, there are a few problems, right? One problem is that the filter takes— well, it takes a few minutes to rev up. So it won't necessarily—


CAROLE THERIAULT. So if you get a flood of cockshots, right?


GRAHAM CLULEY. It's rather like the real thing. It may take a while to really get up to full force. And so—


CAROLE THERIAULT. I think that's an age-related issue. I don't think everyone experiences that.


GRAHAM CLULEY. So, so, so, um, it, it, so it might be that if you're very quick on the Twitters and you see, oh, I've got a message, and you go and look at it, it'll be there. Whereas if you were to wait a couple of minutes, it may have by then got round to actually analyzing it.


CAROLE THERIAULT. Okay, so Twitter addicts are screwed.


GRAHAM CLULEY. Yes, potentially. Now, I haven't tested this service myself because I don't tend to receive dick pictures, although actually, now I think about it, I have once received a photo of someone's dick. I was giving a speech at the Excel Center in London. It was the biggest speech I've ever got. It was for Microsoft Future Decoded. There were thousands and thousands. It was like a rock stage, right?


CAROLE THERIAULT. Right, yeah. And that's exactly what I associate Microsoft with, yeah.


GRAHAM CLULEY. Oh, well, it was a huge event, right?


CAROLE THERIAULT. It's like a Zeppelin event, right?


GRAHAM CLULEY. And, oh my goodness, it was like being at a Madonna concert. All they got to see was me instead. So I went on and I did my thing and I gave my talk and coming off the stage, I thought, oh, I wonder what the response was from all those geeks in the audience, right? And I got people telling me, hey, your shoelaces are undone or something like that, right? So there were sort of personal comments. And one person in the audience actually just sent me a picture of their penis.


CAROLE THERIAULT. Of a penis.


GRAHAM CLULEY. Well, yes. I don't know.


CAROLE THERIAULT. I don't know if he signed it.


GRAHAM CLULEY. I didn't verify. Right. Or whether he took it there in the audience.


CAROLE THERIAULT. Spot the difference.


GRAHAM CLULEY. He was so bored. But yeah, so I did— that wasn't very pleasant, actually, I have to say. And I do feel for the people who might receive them more regularly than me. Now, although I haven't tested it, the marvellous chaps at BuzzFeed did. Okay. They went on to Wikipedia, where there are some penis photographs, and they fed them into the system to see if they'd be sucked. They also went to a Reddit channel. There is a Reddit channel called Worldie Penis, where apparently there's lots of very varied penises, flaccid tattoos, ones wearing overalls, you name it, they are up there. And so, and they fed them into the system. So they tried it to see how well it would actually block the messages. Now, Carole, I wanted, I thought it might be fun to share some of these photos with you. Well, I'm going to do that right now. So I'm going to just chuck some in the document right now, which we're sharing. So I'm just pasting one in now. Oops-a-daisy, let's do it like this.


CAROLE THERIAULT. Yeah, I'm not looking.


GRAHAM CLULEY. No, do look. They're all safe.


CAROLE THERIAULT. Oh, do I have to?


GRAHAM CLULEY. So, yep. So you will see it there.


CAROLE THERIAULT. The most famous penis of them all.


GRAHAM CLULEY. So that's Michelangelo's David, the statue.


CAROLE THERIAULT. They're prettier in stone.


GRAHAM CLULEY. So yes, they are, aren't they? So that one was detected. There's another one I've just put in below there. That isn't a penis. It'd be very unfortunate if it was. That is a lipstick.


CAROLE THERIAULT. Wow. Okay.


GRAHAM CLULEY. Okay. This is as nature truly intended, which astonishingly is not a penis.


CAROLE THERIAULT. Whoa.


GRAHAM CLULEY. Yeah, that is a plant.


CAROLE THERIAULT. Called the penis plant?


GRAHAM CLULEY. I don't know what it's called.


CAROLE THERIAULT. I think a lot of men would be envious of that plant.


GRAHAM CLULEY. I dread to Google it, to be honest. Yeah, I know it's quite—


CAROLE THERIAULT. Majestic.


GRAHAM CLULEY. Yes, exactly. And finally, finally, here's one which it didn't stop, which it allowed through. Here we have a statue of what appears to be a monk giving a young boy a loaf of bread.


CAROLE THERIAULT. Oh my God. Okay. You're going to have to put these pictures up on the website, aren't you?


GRAHAM CLULEY. I think what I'll do is I'll link to the BuzzFeed article so people can check these pictures out for themselves.


CAROLE THERIAULT. Brilliant.


GRAHAM CLULEY. But the one of the statue is quite wonderful. So now it doesn't just block penises, apparently it will also block la vagine as well.


CAROLE THERIAULT. Oh, la vagine.


GRAHAM CLULEY. Yes. So ladies, your lady gardens, they may well be barred.


CAROLE THERIAULT. Keep them off Twitter.


GRAHAM CLULEY. I don't know that people— do girls do that kind of thing?


CAROLE THERIAULT. Not the ones in my echo chamber.


GRAHAM CLULEY. Right. Okay. Yeah. Back doors also, they are unwelcome as well. They can also be spotted.


CAROLE THERIAULT. Oh my goodness. Smutty.


GRAHAM CLULEY. It is, and I would like to apologize.


CAROLE THERIAULT. But she's trying to stop the smut, so yay her. Exactly, exactly.


GRAHAM CLULEY. Now, now, it's not all good news. Stop thinking that this is all fantastic, because of course there are dangers associated with this, right? In order to get this to work, you have to authorize the Safe DM app to link in with your Twitter account.


CAROLE THERIAULT. Exactly.


GRAHAM CLULEY. And I'm sure it's been written well and competently, but you do have to give it a huge amount of access to your account to do its work, such as the ability to view pics and block users, right? That's what it's meant to do. And the developers are aware that it's actually got much more power than that because unfortunately, Twitter doesn't offer much granularity, right?


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. It doesn't allow you to say, "Oh, this third-party app, it can access my DMs and block people, but it can't follow accounts or it can't update my profile or it can't post and delete public tweets." So you have to give it access to everything.


CAROLE THERIAULT. This is a big problem for lots of plugins and security startup companies because in order for them to monitor, they need to get access to a lower level to be able to kind of stop stuff from happening.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. But the problem is you have to give them permissions to do that. And in some cases, I mean, it's, it's, it's, it's really, it's a jungle out there for people because do you go by reputation? Do you go because it's a really great idea?


GRAHAM CLULEY. And who's to say at one point, I mean, I'm sure Kelsey's put in lots of work and I think she's honorable in what she's doing. But what if she were hacked? Or what if this tool were compromised in some way?


CAROLE THERIAULT. There'd be dick pics everywhere.


GRAHAM CLULEY. Well—


CAROLE THERIAULT. It'd be the reverse of what she wanted.


GRAHAM CLULEY. Well, potentially, yes, they could start multiplying.


CAROLE THERIAULT. Exponentially, ha!


GRAHAM CLULEY. Just imagine, yeah, well, think of the curve. It would be horrendous. So be a little bit careful about installing things like this. There's nothing wrong with it as far as we can see at the moment. But if you are suffering a great deal from this sort of deluge of pinots, then what's French for penis, Carole? I was deluge, I was trying to think of what the—


CAROLE THERIAULT. It's the same, Graham.


GRAHAM CLULEY. Is it really?


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. That's a bit disappointing. They don't put an E on the end or anything?


CAROLE THERIAULT. No, they have an accent.


GRAHAM CLULEY. Oh, they have, does it, where?


CAROLE THERIAULT. What if the E?


GRAHAM CLULEY. Does it? Penis. What, is that how you say it? Oh, extraordinary.


CAROLE THERIAULT. Anyway. Graham, are you basically trying to get our listeners to send in dick pics to this woman to test her service? Is that what you're doing? Are you doing a public service ad here?


GRAHAM CLULEY. Well, I think it's entirely up to people whether they want to send pictures of their penises, flaccid or otherwise, to this artificial intelligence system. Personally, it's not something I'm racing to do myself. I feel if she has 4,000 penis pictures—


CAROLE THERIAULT. You're a busy man, you don't drink coffee, you don't have time for dick pics.


GRAHAM CLULEY. I think it's— it's probably already been covered to a large extent, I think. Looking forward, looking to the future, there's no reason why this kind of tech couldn't, of course, be integrated into other systems. And maybe the likes of Facebook and Instagram and Twitter should begin to do something like this themselves rather than leave it to third parties.


CAROLE THERIAULT. Collecting some data. Well, it often starts with, you know, good ideas often start with third parties, and then the big guys just hoover it up, steal it, and say it's their own.


GRAHAM CLULEY. Yep, that's true. That's often the way it is.


CAROLE THERIAULT. That's what you want.


GRAHAM CLULEY. I think more power to Kelsey's elbow. I think it's fantastic that she's been doing all this work and hopefully it will protect some people. But just be aware, it does sort of open the doors to all kinds of dodgy behavior going forward.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. There is safedm.com and read more about BuzzFeed's experiment because it's quite a—


CAROLE THERIAULT. Cock-free Twitter, here we come.


GRAHAM CLULEY. So Carole, what's your story for us this week?


CAROLE THERIAULT. Okay, I'm going to have this wacky scenario for you. But imagine for a second that all the scams out there, you know, like phishing scams and ransomware and poisoned ads, they're all milling about at a party, right? Schmoozing and chit-chatting away, right? You've got the old Nigerian 419 scammers bored in the corner because no one falls for them anymore. The romance scammers are frustrated at being turned down left, right and centre.


GRAHAM CLULEY. Who's in the kitchen discussing house prices? That's what I want to know.


CAROLE THERIAULT. When in walks this little sneaky number and all heads turn like, who the hell is that? Now, I'd like to now tell you it's called blah, but it's so new, I don't think the scam's kind of been named. So maybe we can come up with a name together. So listeners, Graham, thinking caps on.


GRAHAM CLULEY. Yo, describe it. Let's see what we come up with.


CAROLE THERIAULT. Yeah, right. So it all starts with an email. And this was an email that was sent to Brian Krebs by one of his readers. Krebs didn't name him, but we will. We'll call him Frankie. Now, Frankie apparently maintains a few high-traffic sites, and Frankie serves ads through the Google AdSense program. Right now, a few quick facts on Google AdSense. Its program was launched in 2003. Today it serves almost 11 million websites. And in 2018, 734,000 publishers were removed from AdSense as part of their quality control measures. Okay, so just keep that in your back pocket.


GRAHAM CLULEY. So these might be scammers, for instance, or people who are promoting dodgy things via the ads and they're just trying to clean up the network.


CAROLE THERIAULT. Exactly.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. So now let's get back to Frankie, the website guy, Webby Frankie. Now Frankie gets an email from persons unknown and the email says that they plan to flood Frankie's Google ads with trash traffic. Now you might be thinking, why would this be a problem? Surely this is a big ka-ching moment, right? Uh, every ad click generates some money for the site owner, right? But no, the scammers promise that the flood of traffic will be direct bot-generated web traffic with 100% bounce ratio and thousands of IPs in rotation. And this is where the Webby Frankies of this world might start to get a little sweaty under the collar. Because they get the scam now, right? The game plan is to ruin Frankie's Google AdSense account, effectively killing his moneymaker.


GRAHAM CLULEY. Because Google would detect that kind of behaviour and they'd think, oh, it's Frankie trying to make his ad look really popular, or some, someone's making money by sending lots of traffic to that site, or?


CAROLE THERIAULT. Basically, Frankie's sitting there, gets this email. The email basically says, you know, look, we are going to be throwing all this traffic towards you, right? It's not going to be good traffic. And by flooding your sites with shitty traffic, Google algorithms are going to smell something fishy. And Google is going to fire you a warning shot, sending you this notice. They say, it says, ad serving on your content is currently being limited due to invalid traffic concerns. We'll automatically review and update this limit as we continue to monitor your traffic. But of course, the scammers don't stop, right? They continue to hammer Frankie's sites with bogus clicks. So Google then temporarily suspends Frankie's account and all the revenue is refunded to the advertisers.


GRAHAM CLULEY. Oh, so Frankie ends up with empty pockets.


CAROLE THERIAULT. Yes. And then the scammers say, sure, Frankie, you can lobby Google to get the ban lifted, but this usually takes about a month. They promise that if Frankie manages it, they'll simply just retarget him and hit his ads again with a glut of shitty links. And this, of course, could lead to a permanent ban, leaving Frankie as a statistic like the one I read out earlier.


GRAHAM CLULEY. Gotcha.


CAROLE THERIAULT. Of course, there is an out. All Frankie has to do is pay $5,000 in bitcoin and the problem goes poof. Oh.


GRAHAM CLULEY. It is interesting because, I mean, over the years we have seen ad click malware and ad fraud, which has generated sort of bogus traffic to ads in order for someone ultimately to make some money by making their ads appear more popular. And in a way, they're sort of using the same technique. But this is really crafty, the idea of getting them kicked off Google. Because for many people, Google is it, right? If you aren't making it, it's like you'd have to find another advertising network. But of course, there's no reason why another advertising network, if you decided not to use Google Ads, many people do, of course.


CAROLE THERIAULT. Well, Brian Krebs being Brian Krebs got in touch with Google.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. And Google declined to discuss this reader's account, but said that this looked like it was only planning an attack. So they say, quote, we hear a lot about the potential for sabotage. It's extremely rare in practice. And we have built some safeguards in place to prevent sabotage from succeeding.


GRAHAM CLULEY. How does that tell the difference between a blackmailer doing it, an extortionist doing it, and someone who's—


CAROLE THERIAULT. So I was thinking about this, and I don't know if Google actually will really care because it's not going to happen to a ginormous percentage of its holders. And indeed, it makes a huge amount of cash out of this and has tons and tons of users. So if they have to lose 5%, who cares?


GRAHAM CLULEY. So well done on Frankie for going public and revealing this to the world. Maybe we need more people if they have received similar threats.


CAROLE THERIAULT. Well, there is a form. Okay, so go and read Brian Krebs. There's a link in the show notes to his article, but he provides a link to the form on Google where publishers can contact Google if they think they're victims of sabotage. But being a victim of sabotage isn't the same as getting a threat of sabotage. I imagine at this stage, Google would maybe do nothing. And I indeed probably didn't do anything, which is why he got in touch with Brian Krebs in the first place.


GRAHAM CLULEY. Right. So basically Google are saying, well, nothing bad has happened at the moment, so we don't have to act upon anything. But by the time something bad happens, it takes a month for it to come back at least.


CAROLE THERIAULT. Yeah, but it's an interesting approach of a scammer using Google algorithms against a user.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Like it's using its own systems.


GRAHAM CLULEY. Well, I think the real problem ultimately here is our over-reliance on single technology companies. It's the fact that when you have a company which more or less has a monopoly, as, you know, Google has quite, you know, it is the internet advertising company, isn't it? And so many people are using its systems to get signed up with someone else. It's difficult to switch. And even if you did switch, that's the thing, isn't it? They could, if they really wanted to, target you again, but it seems like they've deliberately targeted Google Ads in this particular case.


CAROLE THERIAULT. And look, that is very standard, isn't it? Where attackers go after the biggest marketplace available. Like, so in the same way that, you know, Windows malware, there's a greater number for Windows malware than Apple malware. I can imagine Google's gonna get more heat than other ad services.


GRAHAM CLULEY. You know what Frankie needs to do, don't you?


CAROLE THERIAULT. Go to Hollywood?


GRAHAM CLULEY. He needs to— that's a bit of a throwback. No, he needs to stop doing adverts. He needs to start looking into sponsorship instead. Maybe if he had sponsors on his website rather than reliant on Google Ads, that'd be better.


CAROLE THERIAULT. Now, what are we going to call this scam? I came up with two names.


GRAHAM CLULEY. Oh, okay. What have you got?


CAROLE THERIAULT. Grabbed by the Goo Ads.


GRAHAM CLULEY. It's very creative.


CAROLE THERIAULT. Okay. An ad ban thank you scam.


GRAHAM CLULEY. Carole, did you actually come up with that? Ad ban thank you scam.


CAROLE THERIAULT. Yeah. This morning. In about 30 seconds. So there you go.


GRAHAM CLULEY. You're a genius. This week's Smashing Security podcast is sponsored by Domain Tools. They help security analysts to turn threat data into threat intelligence. Now, DomainTools have something special to offer listeners this week, and I've got a special guest to tell us all about it. That's right, Graham. A study has been done into how automation is changing IT security, and specifically the staffing of IT departments. Oh, thanks very much. And I'm guessing that although there are challenges, automation can help increase the productivity of IT security teams? That's correct, Cluley. And there are still some roles that are better done by human beings. So don't panic. Marvelous. Visit domaintools.com/smashing to learn more and download the report.


CAROLE THERIAULT. Okay, I'm not gonna lie to you, passwords often are a pain in the you-know-where. But they don't always have to be. Take for instance LastPass's single sign-on feature. Now single sign-on is very cool because it is integrated with more than 1,200 different applications, applications that your users need to do their jobs. And this simplifies accessing those applications, making it far more streamlined. Wanna learn more? Check it out at lastpass.com/smashing. On with the show.


GRAHAM CLULEY. And welcome back. Can you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week?


CAROLE THERIAULT. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is— Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related, necessarily.


CAROLE THERIAULT. Shouldn't be, unless it's really funny.


GRAHAM CLULEY. Okay, well, my Pick of the Week this week is not security related. My son is away on a ski trip, which meant that me and my missus were able to go to the cinema.


CAROLE THERIAULT. And have some adult time.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. Hallelujah.


GRAHAM CLULEY. And we went to go and see not some Disney Pixar movie or something like that, which he would probably have enjoyed. Instead, we went to see The Personal History of David Copperfield.


CAROLE THERIAULT. Oh, I haven't seen that.


GRAHAM CLULEY. Well, you should go and see it. It is written and directed by the marvellous Armando Iannucci.


CAROLE THERIAULT. Yep. A UK god.


GRAHAM CLULEY. It's based upon a book, Crow, a book book.


CAROLE THERIAULT. Is it?


GRAHAM CLULEY. Written by a chap called Chucky Dickens.


CAROLE THERIAULT. Chucky Dickens.


GRAHAM CLULEY. And I don't know if he's written any other books, but he's done pretty well if he got this one turned into a movie. So good luck to him. It's got a fantastic cast. Dev Patel, you may remember from the Yesterday movie. And I think he was in Slumdog Millionaire.


CAROLE THERIAULT. That's right.


GRAHAM CLULEY. The chilly Tilda Swinton. She's always slightly angry.


CAROLE THERIAULT. I love her.


GRAHAM CLULEY. RT, someone who you do love, Hugh Laurie.


CAROLE THERIAULT. Oh yeah, I do like Hugh Laurie.


GRAHAM CLULEY. Yeah, we all love Hugh Laurie, don't we?


CAROLE THERIAULT. He's no Jeff Goldblum, but—


GRAHAM CLULEY. No, let's not start that again. And Peter Capaldi as well as Mr. Micawber.


CAROLE THERIAULT. Okay, so an all-star cast.


GRAHAM CLULEY. Oh, it's a fantastic cast. And the movie is utterly delightful and enchanting, sometimes surreal.


CAROLE THERIAULT. This must have come out when I was in Canada, 'cause I didn't read about it at all.


GRAHAM CLULEY. I think it might have been out for a few weeks, but it's still in the cinemas at the moment, I believe. Very, very funny. Wonderfully entertaining. I found it just utterly delightful. I just thought, what a great movie. I've never read David Copperfield. I don't think I've read any Charles Dickens. Really? Is that a bit embarrassing to say?


CAROLE THERIAULT. Yeah, it is totally. Yes, I have. And did you know, did you know Charles Dickens used to write for the papers, right? He wrote a column in the paper.


GRAHAM CLULEY. Like Piers Morgan.


CAROLE THERIAULT. But these basically formed some of his books, right? He would kind of— and he was paid by the word, which when you read his books, you can kind of see.


GRAHAM CLULEY. Well, I think particularly in the case of David Copperfield, because there's an awful lot of moving around from, "And now this is going to happen, and now this is going to happen." But it is such a joyous— You should read him. I'll tell you what, having seen this movie of David Copperfield, it's made me want to go and read the book. So I'm on a long plane journey soon and—


CAROLE THERIAULT. What, you're going on a plane during conoravirus?


GRAHAM CLULEY. Coronavirus.


CAROLE THERIAULT. Coronavirus.


GRAHAM CLULEY. Well, you know, RSA needs me, Carole, so I'm going to go there and—


CAROLE THERIAULT. Bring your N95 mask.


GRAHAM CLULEY. All right, okay. But anyway, my pick of the week is The Personal History of David Copperfield, the movie by Armando Iannucci, and I'd really recommend it to everyone. Great, great fun.


CAROLE THERIAULT. I think you should commit to reading at least one Charles Dickens book before— let's set a time. This year, you've got to read it.


GRAHAM CLULEY. This year, I have to read a Dickens book. All right. Okay. The challenge has been thrown down. I'm going to put it in my calendar so I don't forget. Okay. All right. Carole, what's your Pick of the Week?


CAROLE THERIAULT. Well, today is a two-pronged baby. I have a Pick of the Week and a Nitpick of the Week. And it's the same Pick of the Week. So my pick of the week is a podcast by— dun dun dun dun dun dun— Dick Wolf, makers of Law & Order. Ding ding!


GRAHAM CLULEY. Oh, is that the— oh yeah, it goes— dun dun, doesn't it? Between scenes.


CAROLE THERIAULT. That's right. Yeah, yeah. Love it.


GRAHAM CLULEY. Love it.


CAROLE THERIAULT. Now, the podcast is called Hunted. Okay. And it's an 8-part season audio drama. And it opens with an FBI agent getting the lowdown on 4 prison escapees. And you basically swivel from her story and that of the 4 prisoners on the run. And it's fast-paced, action-packed, tightly scripted, well-produced. It's all good, right? But now for my nitpick of the week. So the shows are about 15 minutes long. So that's not very long. But there's about 5 minutes of fluff in every episode. Right? So ads, promos for other shows, long trailers about, you know, going over what happened in previous shows, like people aren't listening back to back, a coming up for the next future shows. It's too much.


GRAHAM CLULEY. That would be all right if it were an hour-long podcast. But if it's only 15 minutes, then that's a whole third of the show.


CAROLE THERIAULT. Exactly. Well, it's, you know, it's a quarter of the show, isn't it?


GRAHAM CLULEY. Well, 5 minutes.


CAROLE THERIAULT. No, no, it's 20 minutes in total.


GRAHAM CLULEY. Oh, okay.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. All right.


CAROLE THERIAULT. Yeah, yeah. So the show's basically, the show itself is 15 minutes long. They tack on this 5 minutes of crap. So it's 20. Yeah, it's a quarter of the show, isn't it? It's stuff you're not invested in. And I think that's too high of a number.


GRAHAM CLULEY. Do you think people feel like that about our podcast? Because we have this whole Pick of the Week section, which isn't security related necessarily. Do you think some people skip Pick of the Week?


CAROLE THERIAULT. Yeah, I know one person that does.


GRAHAM CLULEY. Do you?


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Who's that? Who's that? Does he? You mean we can talk about right now and he wouldn't ever know about it?


CAROLE THERIAULT. We could. Now, I'll tell you something else that bugs me, another nitpick of the week.


GRAHAM CLULEY. He's my nitpick of the week. They'll never find out.


CAROLE THERIAULT. So, they call it a podcast. And to my mind, a podcast is like a radio program. You have a host or an interviewer or whatever. But an audio drama is different. Like, it's an entirely different experience for the listener. Like, it has a cast, it has actors, it has plot. It gets a different— I don't know. And it feels like we should have a name that divides, because a podcast is kind of, in my view, is like people around a microphone communing about something.


GRAHAM CLULEY. Oh, I don't know. I don't know. I, I think you should be a little bit more fluid about these things. Podcast, right? The word comes from— it's like iPod, isn't it? And broadcast?


CAROLE THERIAULT. Yeah, I know, I understand.


GRAHAM CLULEY. Would you have a similar problem with a television program if it wasn't?


CAROLE THERIAULT. I don't know. I was just thinking that when I was saying this. Is that what it's like? I guess I think we need a differentiator between the two. If they're all podcasts and one's a podcast audio drama, what are we?


GRAHAM CLULEY. But you like quite— see, I'm not a huge fan of these audio dramas, although there have been some which I have enjoyed, but I think you're much more into them than me.


CAROLE THERIAULT. Oh, I like all kinds of podcasts. Oh, oh, oh, oh, oh, oh.


GRAHAM CLULEY. What did you just say?


CAROLE THERIAULT. No, I hear what I'm saying, but most. I wouldn't say audio dramas are a podcast.


GRAHAM CLULEY. You just did.


CAROLE THERIAULT. I looked at a podcast. Yes. I was going to list them off if you. You got in my way. I listen to news podcasts, I listen to interviews with celebrities. I listen to, you know, features, articles.


GRAHAM CLULEY. Keep going.


CAROLE THERIAULT. I listen to audio dramas.


GRAHAM CLULEY. Thank you very much. But nitpick unraveled.


CAROLE THERIAULT. Yeah, I'm still nitpicking it.


GRAHAM CLULEY. Well, what do you want?


CAROLE THERIAULT. If you agree with me, let me know.


GRAHAM CLULEY. They don't, right?


CAROLE THERIAULT. It's annoying that podcast means both podcast and audio drama. We just sit in the nebulous field of podcast, just along with everybody else, and then I'm saying, isn't that a little bit confusing?


GRAHAM CLULEY. We are informational, conversational, quite casual, chit-chat.


CAROLE THERIAULT. Infocast?


GRAHAM CLULEY. Why do you have to make up these ugly words all the time? Just a minute ago you had a wham bam thank you scam or whatever it was. Ad ban thank you.


CAROLE THERIAULT. Ad ban thank you scam.


GRAHAM CLULEY. Yeah, that was brilliant, right?


CAROLE THERIAULT. And grad by the goo ads. That was good.


GRAHAM CLULEY. Use some of that genius now to come up with new terms for podcasts.


CAROLE THERIAULT. Oh, so you think it should have changed?


GRAHAM CLULEY. No, I'm saying if you've got a problem—


CAROLE THERIAULT. All I'm saying is that my pick of the week is Broken, a podcast made by Dick Wolf, and you can judge for yourself whether you find all the interruptions irritating. And I rest my case. Let's close the show.


GRAHAM CLULEY. Well, we're almost done. There's going to be a little bit of a treat after the ending music. Yes, there is. Folks can follow us on Twitter @SmashinSecurity. No G, Twitter doesn't allow us to have a G. Don't send us your dick pics. And on Reddit as well in the Smashing Security subreddit. And don't forget, if you want to be sure never to miss another episode, subscribe in your favorite podcast apps such as Apple Podcasts, Spotify, or Pocket Casts. We really recommend subscribing and then you won't miss us.


CAROLE THERIAULT. And big thank you to this week's Smashing Security sponsors, LastPass and DomainTools. Their support helps us give you this show for free. And big love to you all for listening this week. Stay tuned after the show to hear a snippet of our latest exclusive 40-minute-long Q&A session. And I edited it, so you know it's going to be a little bit edgy. Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.


GRAHAM CLULEY. Until next time, cheerio, bye-bye. Bye. Hello, hello, and welcome to Smashing Security After Dark. A special bonus episode for our Patreon listeners.


CAROLE THERIAULT. I am Graham Cluley.


GRAHAM CLULEY. And I'm Carole Theriault. Yes, we have got together late in the evening to answer some listeners' questions.


CAROLE THERIAULT. Can I just be honest? This is not my favorite time for us to interact because we tend to fight when both of us are tired and cranky after a hard day at work.


GRAHAM CLULEY. I'm not tired and cranky.


CAROLE THERIAULT. Oh, you will be. Give me 15.


GRAHAM CLULEY. So we asked our followers on Twitter and also on Reddit.


CAROLE THERIAULT. Not our followers on Facebook because we got rid of it. That could be a question. Why did we get rid of it?


GRAHAM CLULEY. Well, no, you could have sent that question in if you wanted, but you didn't.


CAROLE THERIAULT. No, I was dealing with other issues.


GRAHAM CLULEY. I'm not talking to you, Carole. I'm talking to the listeners. No one asked us why did we close our Facebook page down.


CAROLE THERIAULT. Can you just pretend to be nice just for this show?


GRAHAM CLULEY. So who's going to start? We've got a whole load of questions in front of us. I think we should just pick some out the hat. Okay. Okay. You ask.


CAROLE THERIAULT. I've got a question.


GRAHAM CLULEY. Who's it from?


CAROLE THERIAULT. John Baton.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. Part of the show is making fun of the co-host. Isn't it interesting? So he says part of the show is making fun of the co-host. Has one of you ever thought, hmm, I've gone too far here? Have you ever stripped part of the discussion for this reason? John Baton. Yes, every single show, we remove too far material. So we get on the show, and in order for the show to be funny, we give ourselves carte blanche during the recording. Right? And the recording is probably what, an hour, sometimes an hour and 15.


GRAHAM CLULEY. Yeah, yeah, yeah.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. No more than that. Yeah.


CAROLE THERIAULT. And the whole point is to go right to the limit.


GRAHAM CLULEY. Is it?


CAROLE THERIAULT. And we regularly skid right past it as though we were on a smear of diarrhea. We just—


GRAHAM CLULEY. you can see the skid marks of the diarrhea, and it's awful.


CAROLE THERIAULT. So we remove those bits because it's embarrassing to each of us and to everyone who's listening. And, uh, and it's important we do that because—


GRAHAM CLULEY. and sometimes one of the participants on the podcast may not realize that they've gone too far, and it's only when their co-host tells them that actually—


CAROLE THERIAULT. Exactly right, Graham. Exactly right.


GRAHAM CLULEY. That was quite hurtful, what you said there.


CAROLE THERIAULT. Oh, stop gaslighting.


GRAHAM CLULEY. I'm not saying which one of us might have done something like that.


CAROLE THERIAULT. I don't worry about hurtful. I don't think you've ever hurt my feelings ever on the podcast. I'm resilient to you.


GRAHAM CLULEY. To be honest for a moment though, Carole, there have been a couple of times when I thought, that's it.


CAROLE THERIAULT. I bet you want to know what he said, and it's kind of a sneaky trick that I cut it off right there. But I just really, really want to encourage you guys to become Patreon supporters because it's not very expensive and it would be just really great to build this kind of super cool community where you guys could support us and we could give you guys the content you wanted. So if you want to hear more, visit our Patreon page. All you have to do is open up a browser, go to www.smashingsecurity.com, and we'll have everything you need to know about how to become a supporter. And we thank you from the bottom of our hearts. Well, my heart. Graham doesn't have one. Yeah. The song that's playing right now, you know what it's called? You Hurt Me So. How beautiful is that?

-- TRANSCRIPT ENDS --