
127: I do love the Dutch


Israel strikes back at Hamas's hacking HQ, a new sextortion email comes with a twist, and Carole saves the world with some help from hacked Roomba vacuum cleaners.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Malicious Life's Ran Levi.

Visit https://www.smashingsecurity.com/127 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Ran Levi.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



CAROLE THERIAULT. And I recorded a video of it. Not just the video, I even saved all your passwords, contact lists, and everything. I did all of this when you were in the bathroom trying to clean yourself.


GRAHAM CLULEY. So a few things here.


CAROLE THERIAULT. First, why didn't you ask Ran to read this out?


UNKNOWN. Smashing Security, episode 127: I Do Love the Dutch with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 127. My name is Graham Cluley.


CAROLE THERIAULT. I'm Carole Theriault.


GRAHAM CLULEY. Hello, Carole.


CAROLE THERIAULT. Hello, Groom.


GRAHAM CLULEY. Hello. And we are joined— Groom? We are joined this week by someone new to the show, a bit of a podcast star in his native country of Israel. It is Ran Levi, star of the Malicious Life podcast. Hello, Ran.


RAN LEVI. Hi, hi. Great to be here.


CAROLE THERIAULT. We are super stoked to have you here. It's awesome.


RAN LEVI. Thank you. I am super stoked myself.


GRAHAM CLULEY. Now, Ran, I'm sure lots of our listeners will already have checked out the Malicious Life podcast because, well, why don't you explain what it is and why people might enjoy it?


RAN LEVI. Hmm. Okay. So my personal hobby is malware research and like the history of malware. And Malicious Life is a podcast about the history of malware where we talk every other week about some like obscure episode from the past of cybersecurity. Lots of interesting stories. I mean, some of them were rather famous back in the day, like the famous Morris worm from the 1980s. And of course, you, Graham, our star of our show. I mean, I've interviewed you at least twice, I think, for the show.


CAROLE THERIAULT. Oh, is this why he asked you to describe the show? Because he knew he'd get a plug?


RAN LEVI. Oh my God. It works. Yes, you see, it works.


CAROLE THERIAULT. He's a master.


GRAHAM CLULEY. But you've had some proper experts on the show as well talking about computer security.


RAN LEVI. Almost every episode we've got experts and talking about like very interesting stories, lots of human stories. I like the human side of cybersecurity.


CAROLE THERIAULT. Well, I have quite a few stories about Graham, real ones.


GRAHAM CLULEY. Whoa, whoa, whoa, whoa, whoa.


CAROLE THERIAULT. So maybe we should talk.


GRAHAM CLULEY. No time for that. No time for that. Carole, what's coming up on this week's show? And don't mention anything like that.


CAROLE THERIAULT. We have a fab story lineup for you guys today. Thanks to the support from our sponsors, Gartner, MetaCompliance, and LastPass. Graham is going to talk turkey about intercourse. What? I just said this is a fab lineup and you hit us with intercourse.


GRAHAM CLULEY. I wouldn't say hit you with intercourse. I don't think that's the verb I would use.


RAN LEVI. Right. Right.


CAROLE THERIAULT. It's going to educate us on modern asymmetrical cyber warfare. That's more like it.


RAN LEVI. Yeah, because it's happening in my backyard.


CAROLE THERIAULT. And I've actually solved a global problem and I'm going to run my theory past all of you to test it out. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. So chaps, chaps, imagine you have received an email. Not that unusual, obviously. Carole, I've shared with you the text of an email, so maybe you can read it out to me and we will discuss it as though it's just appeared in my inbox.


CAROLE THERIAULT. Okay, I do know it has intercourse in it because I had to introduce the show, so I'm a little Okay, if I hesitate, people, surprised, I have yet another surprise for you, our intercourse video. There you go.


GRAHAM CLULEY. Intercourse. So this is the first thing which surprises me, right?


CAROLE THERIAULT. You don't remember making it, no?


GRAHAM CLULEY. Well, exactly. It's like, what? So there's someone who sent me an email saying, I've got a surprise for you. Here is our, not hers, not theirs. This is our intercourse. And who calls it an intercourse video? Did they mean a sex video, I imagine? Right?


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. You wouldn't necessarily call it an intercourse video, but anyway, let's hear more.


CAROLE THERIAULT. Yes, you read it right. We had intercourse quite a long time back.


GRAHAM CLULEY. Quite the sexy talker there, isn't it? We had intercourse.


CAROLE THERIAULT. This is like, I am blushing here. Okay. I don't even know what the next bit's going to be.


GRAHAM CLULEY. Who did you have sex with? Richard Nixon? It's just, it's just like, what? Who's talking here? It's just bizarre. Okay.


CAROLE THERIAULT. And I recorded a video of it. Not just the video. I even saved all your passwords, contact lists, and everything. I did all of this when you were in the bathroom trying to clean yourself.


GRAHAM CLULEY. So a few things here. Firstly—


CAROLE THERIAULT. Why didn't you ask Ran to read this out?


GRAHAM CLULEY. Firstly, what the fuck?


RAN LEVI. It's better when you read it.


GRAHAM CLULEY. So imagine you were having intercourse, as it's called. If you were having sex with someone, wouldn't you notice as they set up the lights and the microphones and all the rest of it to make this video? But secondly, They say that they've also grabbed our passwords and contacts list and everything. And they actually write, "I did all of this while you were in the bathroom trying to clean yourself." Failing. It's like, how dirty did you get? And what is that dirt you're trying to scrape off? And how long does it take you in the bathroom to sort yourself out?


RAN LEVI. That this other person's like, "Oh, just download all their passwords." I think that we can safely assume that the person who wrote that email didn't have intercourse yet.


CAROLE THERIAULT. Ever in their lives.


GRAHAM CLULEY. Yeah, exactly. I think you're right. They've never had sex, have they?


RAN LEVI. They read about it.


GRAHAM CLULEY. Yeah, they've read about it. They think, oh, that must take an awfully long time, you know, to clean up afterwards.


CAROLE THERIAULT. They've watched some really nasty porn.


GRAHAM CLULEY. Is that all? It's gone through Google Translate or something like that. So why are they saying all these things? Let's find out some more.


CAROLE THERIAULT. Trust me, I can fuck up your life if I want to. I'm not an evil individual. It's just that I need some money and I'm certain you can help me with it.


GRAHAM CLULEY. Help you with a few things. Yeah, okay, carry on.


CAROLE THERIAULT. So here's the non-negotiable deal. You send me $1,500 and I will delete everything I have about you. You will not ever, ever hear from me.


GRAHAM CLULEY. And then they give a bitcoin address. And so this is in many ways a fairly standard sextortion email, right? But there's this unusual angle, which is not that they've hacked into your webcam or detected that you've been visiting porn sites and secretly videoed you as you sort of You know, what word can I say? As they enjoyed watching these videos.


CAROLE THERIAULT. I have a thought here. Right. Okay. So let's say they send this, spam this out. What to let them know? Let's just say random number, 20,000 people.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. Okay. And let's say what, 1% of them are people that might go possible.


GRAHAM CLULEY. It's possible. Maybe.


CAROLE THERIAULT. I remember cleaning myself or trying to.


RAN LEVI. It did take me a long time in the shower. I was there a while.


CAROLE THERIAULT. And if those 1% respond and kind of panic, or 1% of 1%, they're still quids in.


GRAHAM CLULEY. Yeah, exactly. So there will be some people who think, well, I did have the intercourse a long time back. I don't remember who, but there was that strange situation. I mean, I remember I've personally been secretly filmed. I think I may have mentioned this on the show before. Not while— Really?


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. Not while having sex, to the best of my knowledge. It'd be a short movie at that. But no, I've been secretly filmed while on the lavatory inside a restaurant.


CAROLE THERIAULT. Oh, delicious.


GRAHAM CLULEY. A camera came under the cubicle door and started pointing at me. So I've had that experience. So I might— if I'd received an email saying, we filmed you while you were in the bathroom trying to clean yourself up or something like that, then I might have found it more plausible. But I think it's quite unlikely, this particular thing. So they are threatening. They're saying, unless you pay so many bitcoins within one day, As though the average user can find out how to buy bitcoin and arrange all of that within a day. They're saying they will send the video, or the intercourse video as they call it, to all of your contacts. They will leave the DVD with your neighbors. They say, we know where you live, so they're going to pop round with a DVD, put it through the letterbox.


RAN LEVI. Who has a DVD player now?


CAROLE THERIAULT. Yeah, I guess.


GRAHAM CLULEY. Can't they just stream it on Netflix instead? That is so much more convenient.


CAROLE THERIAULT. You can put it between Miami Vice Season 3 and Miami Device Season 4 DVDs.


RAN LEVI. You know, I might just wait for somebody to send me the actual video because then I'll have bragging rights at least.


CAROLE THERIAULT. I mean, yeah, exactly.


GRAHAM CLULEY. Mom, Mom, I finally had sex.


CAROLE THERIAULT. I'm a film star.


GRAHAM CLULEY. I mean, there'd be a lot of techie people who they would never believe this for a second, would they? Because they would simply think, you know, the only time I have had sex was with myself. There's no one else present in the room.


CAROLE THERIAULT. And just last week, Graham, you were talking about people that can be duped by certain scams. That maybe techie people may not fall for, but there seems to be a lot of people out there that do.


GRAHAM CLULEY. Yeah, and I think you're right, Krow, when you said that if this was sent to a huge number of people, there might be one or two unwary or vulnerable people, or—


CAROLE THERIAULT. They read the first line and freak out.


GRAHAM CLULEY. Or people who are just very, very sleazy and slutty, who think, well, nope, it's a fair cop, it might have happened. And so the cost to the bad guy, email a lot of people, is practically zero, right?


CAROLE THERIAULT. Exactly.


GRAHAM CLULEY. But the rewards—


RAN LEVI. but it is, I mean, would it be more logical to assume that if you claim to have, you know, videoed someone who masturbated on, you know, some porn site, you'd get much more potential hits than somebody who was filmed during intercourse with somebody who just sent him an email?


CAROLE THERIAULT. I mean, this is a new area we haven't explored on the show.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. And it's for that reason we're now going to survey our listeners. So if you Well, the only thing—


RAN LEVI. send us your videos and we'll do some research.


GRAHAM CLULEY. I suppose the intent of this email is to make it appear that you are being more specifically targeted. They know where you live, they might know your family situation, they may have a personal grudge against you. I mean, yes, it does seem implausible.


CAROLE THERIAULT. There's one dead giveaway that they don't. There's one, uh, there's nothing specific in any of the email, right? Show me this video that you talk about.


RAN LEVI. You know, if you remember, there was like very, very serious attempt at very thing when, how was that adultery site called?


CAROLE THERIAULT. Ashley Madison.


RAN LEVI. Ashley Madison, exactly. And after the Ashley Madison hack, people sent out mails to probably the people who were in like the database that was siphoned away. And claiming that they either they pay and here was their actual details because it was in the database. And I understand that there were lots of people who did pay.


GRAHAM CLULEY. And there was some people who sadly ended up committing suicide. And, you know, obviously families will have broken up. It's absolutely horrific.


RAN LEVI. So I'm feeling as if I'm bringing your show down.


GRAHAM CLULEY. I'm sorry.


CAROLE THERIAULT. Just wait to your story.


RAN LEVI. Yeah. And we haven't even started yet.


GRAHAM CLULEY. So, Ran, what story have you got for us this week?


RAN LEVI. Okay, so two days ago, Israel released a video, you know, the kind of like generic videos when you— where you— black and white videos where you see a bomb hitting a building and it explodes. You've seen like probably hundreds of those in Iraq, whatever. And it turns out this specific building is claimed to be the cyber headquarters of Hamas in Gaza. So I think this needs a bit of like an outline of what we're talking about. So very, very briefly, Israel and the Palestinians have been at odds for like the last, what year is it? Like 2000, half a century.


GRAHAM CLULEY. What century is it? You mean? What millennium is it? Yes.


RAN LEVI. It's a rather old conflict to say the least. And in 2005, Israel pulled out of Gaza and short time later, Hamas took control of Gaza. And ever since then, People probably heard on the news like occasional conflicts, missiles, etc. And like in the background of that, say, military conflict, there's also some sort of cyber warfare conflict going on. Except that in that case, Israel is a major superpower in cybersecurity and Hamas is basically amateurs. So I mean, it's as asymmetrical as it gets, really. And Israel has used every conceivable technology against Hamas, from advanced malware, spyware, tracking cell phones, whatever. But it's very interesting to see from my perspective, I'm not talking here as like an Israeli who's got a stake in this, but like somebody who follows cybersecurity. It's very interesting to see how Hamas is kind of adapting to this reality of being, I would say, the David in that specific conflict.


CAROLE THERIAULT. Exactly, I was just going to say that.


RAN LEVI. Not in the political sense, mind you. View, just in the more like order of magnitudes in terms of capacity. And they do, they're trying interesting stuff over the years.


GRAHAM CLULEY. That's the thing, isn't it, with cyber attacks is that all you need is a computer and an internet connection at the very basic level. That's much easier for me or someone else to get hold of than it is to get hold of a tank or a fighter jet.


RAN LEVI. Exactly. And you know what I mean? Most media outlets I saw that referenced that strike two days ago against the Hamas headquarters, the actual building, were claiming that, I mean, they were trying to paint that bombing as if it's maybe like, you know, a new phase in cyber warfare, that there's kind of kinetic warfare after a cyber strike or something like that. And I call bullshit on that because really the way I see it, Israel probably was aiming to take down that specific building for years. And just, we had the opportunity right now because we are in the middle of an actual live conflict with missiles flying in every direction. So it doesn't have anything to do with retaliation against any cyberattack from Hamas, as some people probably claimed. And it's, I think, more of a publicity stunt from Israel because, as you said, Graham, I mean, everyone, everybody with a computer can actually plan some sort of an attack from their home. Yeah. So actually taking down a building, which is quite quote unquote cyber headquarters in Gaza. It was probably empty if you ask me. Yeah, they probably fled the building a long time prior.


GRAHAM CLULEY. I don't know, but I mean, Israel's Defense Force, they are the ones who've managed to get lots of attention for themselves with this because they tweeted out an image and then later a video was released as well where they painted it very much as, they did paint it as a response to a cyber attack, didn't they? They said there had been an attack against Israel.


CAROLE THERIAULT. But no details.


GRAHAM CLULEY. They haven't given any details. So there was a cyber attack against Israeli targets, as they've said. They said that it was thwarted, and so they managed to actually deflect it, whatever it was, maybe in a denial of service, who knows.


CAROLE THERIAULT. And bomb the headquarters.


GRAHAM CLULEY. And yes, but—


RAN LEVI. It sounds good, right?


GRAHAM CLULEY. I mean, if it was—


CAROLE THERIAULT. No, I don't think it does. For me, cyber warfare is, whilst, you know, there's loads of pains associated with it from all kinds of points of view, it is not actual physical violence, right? Where people are actually dying.


RAN LEVI. Exactly.


CAROLE THERIAULT. And there seems to be some kind of evolution involved from moving from, you know, kind of beating someone on the head to being able to do it digitally. So it's a sad day we actually have to respond in a kind of such a crude way.


RAN LEVI. Yeah. I mean, if you, if you look at what the, I mean, the actual cyber attacks that Hamas did over the last 3, 4 years, you can see that these are not really cyber attacks in maybe the way.


GRAHAM CLULEY. So what have they been doing? Okay.


RAN LEVI. So it's think about it from the perspective of somebody in Hamas trying to strike one of the most sophisticated armies in the world in terms of cybersecurity. They can't really hack anything, I mean, not military installations or military systems and stuff. They are pretty amateurs in that regard. But what can they do? They can target the actual soldiers, the servicemen and women in the military and try to gather intelligence. And what they did in the last few years is use social engineering to try and get young servicemen and women to install compromised applications and use those applications to spy inside military installations around Gaza. So the typical scenario would be, say you're a young soldier, like a 20-year-old guy, and you're getting a Messenger message, Facebook Messenger, or a WhatsApp conversation from some, you know, lovely lady presenting herself as a young immigrant new to Israel, and she's really excited because she got your phone number from her girlfriend or whatever, and you're a brave soldier, whatever.


CAROLE THERIAULT. I mean, you're lonely and you hate— yeah.


GRAHAM CLULEY. And she saw the intercourse video which is going around as well, that's been making the rounds, and she thought that looks quite good, you know.


RAN LEVI. Yeah, yeah, why not? Why not? I mean, I was in the Israeli military, and I've got to tell you I can tell you from personal experience, the minute somebody puts your uniform on, you become hungry, tired, and horny. Not in that specific order.


GRAHAM CLULEY. I think now you're 43, Randy, you should really take the uniform off. I think you're pushing it a bit to still be strutting around.


CAROLE THERIAULT. It looks good with the ladies.


RAN LEVI. And I understand the attraction of that specific attack. And I mean, there were probably hundreds of soldiers who installed these spyware applications and the applications themselves were, I mean, related to stuff that interests young, young people like soccer, World Cup, dating, fitness, whatever. I mean, it's a generic, it was used, I mean, generic tools that anybody can create simple applications. It's not that difficult. And once the victim installed that application, now Hamas could and turn on, you know, cameras, microphones, whatever inside military installation, it probably gave some sort of intelligence. It seems like a good idea.


CAROLE THERIAULT. So it seems like cyber training is required for the actual young personnel upon entry to the military to help deflect this kind of stuff?


RAN LEVI. Exactly. So in response, the military started like a public campaign to raise awareness in soldiers, and it was called Operation Broken Heart. They got good names. They give good names to it.


CAROLE THERIAULT. Yeah, good names. Yeah.


RAN LEVI. So that's one aspect of what Hamas is doing. And the other aspect is more enlisting help from sympathizers from around the world. Many of them kind of fuzzily related to the Anonymous movement. And each year around, actually this time of the year, they commence some sort of coordinated attacks against Israeli websites, you know, governmental websites, media outlets, whatever. DDoSing, defacements. Actually, there was just a few days back, early this month, we had one of these attacks. It was called Operation Jerusalem. And I think the attackers defaced around a million web pages in Israel. Quite a lot. And it was really smartly done. They targeted an accessibility plugin that is used by many Israeli websites. And the hackers broke into the DNS record of the company which makes the plugin. And since it is one single plugin and it injects JavaScript code into almost every major website in Israel, the attackers were able to deface tens of thousands of websites.


GRAHAM CLULEY. So the hackers only had to compromise one piece of code which was being used by many, many websites. It's effectively a supply chain attack.


CAROLE THERIAULT. Exactly.


RAN LEVI. So smart. I mean, this is really smart. Actually, the real objective of that attack was not defacement, but was installing ransomware on all the visitors of the websites. And imagine to yourself for a second if that attack really came through and they were able to like inject ransomware code into tens of thousands of websites in Israel. I mean, half the population's PC computers would probably be ransomed in some way, you know, except that they had a bug in the code. There was some broken if condition somewhere in the code and it didn't work. But it was rather daring. I mean, if it did go through, it could have been a very annoying attack.


GRAHAM CLULEY. If it had happened, can you imagine? Can you just imagine how smug all those Apple Mac users would have been? That would have been vile, wouldn't it?


RAN LEVI. Exactly.


CAROLE THERIAULT. They would all put on their turtlenecks, get their flat whites out. Drink their macchiatos.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. No, we've moved on now. It's flat whites.


GRAHAM CLULEY. Fantastic. Carole, what's your story for us this week?


CAROLE THERIAULT. I couldn't have wished for a better handover, Ran. This is, of course, an equally terrifying and upsetting story, especially for those of you out there who are not inclusive or welcoming of our brothers and sisters afflicted with Tourette's. Like, fucking seriously, get woke, people. Actually, it's even bigger problem than that. This could be seen as a veritable nightmare for any technophile clean freak who is not very cozy with swearing, fulminations, profanities, or expletives. Now, as the self-appointed CEO of the body advocating lewd language and signs, I swear a lot in this show. We all know that. And I think, you know, we could say that I do fight intolerance, you know, to colorful castigations, right? And I want us to abandon this dogmatic and outdated mindset. Screw the swearing naysayers, I say.


GRAHAM CLULEY. So have you swallowed a thesaurus? What's going on here?


CAROLE THERIAULT. I propose that this young hacker— I'm going to introduce him in a second.


GRAHAM CLULEY. Oh, yes.


CAROLE THERIAULT. May just have stumbled upon an exquisitely simple solution that resolves this global pandemic of no swearing allowed. So this young hacker is an internet celeb-ish guy who seems to hack devices in fun ways for the pure entertainment of his followers. Now, his channel, Michael Reeves, has well over 1.5 million subscribers, and he has 120,000 followers on Twitter. And his banner on Twitter says, "I like to hack things." So I'm just giving you a kind of, you know, a visual here. So no small potatoes, right? 1,000 followers.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. And on his channel, he has videos like a robot that picks tomatoes out of your salad.


RAN LEVI. Only tomatoes?


CAROLE THERIAULT. Yeah. If you want to take a quick look at that link, I've even timed it for you so you can just see it in action for 10 seconds.


GRAHAM CLULEY. Okay. Okay. Let's just check this out. Sounds like very useful for some people.


RAN LEVI. If you hate tomatoes.


CAROLE THERIAULT. I love them.


GRAHAM CLULEY. So it's not working for me. Oh, there is a little bit of collateral damage, isn't there? Of course, by this thing.


RAN LEVI. Yeah.


CAROLE THERIAULT. He has another video, which is a robot that shoots an energy drink at you when you get tired. And I've also lined that one up appropriately for you guys if you want to take a look.


GRAHAM CLULEY. Oh, he's— oh my goodness. That's a bit like—


RAN LEVI. he's rather young, this guy.


GRAHAM CLULEY. A bit like having a visit from the Israeli army, that actually, isn't it?


CAROLE THERIAULT. See, that's what I was saying. Equally terrifying. Terrifying.


RAN LEVI. He's got a lot of time on his hands.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. So his videos are around 10 minutes long. So, you know, shortish. And they tend to show a little about how he hacks said device to make his wacky inventions. Right. And people seem to love it. Yeah. Now, personally, I've watched a few of his videos and I find his on-screen persona incredibly annoying and smug. And the thing is, like you say, Ran, he is just a kid, one that thought it was clever to use an old Tide pod container. Did you notice that in that energy drink video, he's actually using an old Tide Pod container to hold the fizzy energy drink. So ha fucking ha.


GRAHAM CLULEY. I don't get that. What, what's, what's that mean?


CAROLE THERIAULT. About a few years ago, kids were actually, uh, doing like, uh, daring each other to chew the pod. It was the challenge.


RAN LEVI. The challenge.


GRAHAM CLULEY. And that's like washing.


CAROLE THERIAULT. Yeah, the washing thing. Yeah.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. Anyway, he was making a reference to a very uncool meme as far as I'm concerned. Anyway, in a video that he uploaded on the weekend, Mike Reeves decides to hack a Roomba, those little, you know, automated vacuumy things. And using a Raspberry Pi, a Bluetooth speaker, and some voice recordings, he does a little jiggery-pokery so that the Roomba, while it's doing its cleaning things and bumping into things as it does, like a table leg or a sofa or wall, it swears its butt off.


RAN LEVI. Okay, okay.


CAROLE THERIAULT. Now in a Karolery video, he tests out this hacked Roomba in a kind of dinner setting. So let me set the scene. You got 3 roommates, they're all eating together while the Roomba crashes around their feet howling expletives. Take a listen. Oh, why was that created this way? Likely would you be to adopt this into your household? This is hilarious.


GRAHAM CLULEY. Yes, yes, exactly. It's like it's really stubbed its toe.


CAROLE THERIAULT. Exactly. So he's kind of basically—


RAN LEVI. Sounds like me.


CAROLE THERIAULT. It's quite fun. So today, Tuesday, on the day of recording, there's a few select tech media that have picked up and reported on this guy. So you've got Next Web, Fast Company, those kind of guys. And I expect by the time we publish on Wednesday at midnight, This will be a much bigger story. It has all the hallmarks of going viral. Anyway, back to me and my idea.


RAN LEVI. Good. I want that Roomba. I want that Roomba. I'll buy it.


CAROLE THERIAULT. Yes, right? Listen to my theory.


GRAHAM CLULEY. All right, let's hear it.


CAROLE THERIAULT. As CEO of the BALLS, let me explain.


GRAHAM CLULEY. Sorry.


CAROLE THERIAULT. What? Body Advocating Lewd Language and Science.


RAN LEVI. Oh, okay.


GRAHAM CLULEY. All right.


CAROLE THERIAULT. Yeah.


RAN LEVI. Yeah.


CAROLE THERIAULT. Let me explain how this will help me finally end the resistance to swearing. So there's this like German expert. I can't remember his name, but he showed that one way to get people over serious aversions that they suffer from is to basically lock them in with it for as long as possible until the panic and this fear subsides completely. Say you were afraid of birds, like crazy afraid.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. This guy would cure you by locking you in an aviary for hours on end. And you would scream and freak out and panic and probably have 1, 2, 10 panic attacks, but then your body would realize that your 'I am dying' panic can't be trusted, right? So it stops panicking. Boom.


RAN LEVI. So you're either healed or you go nuts.


CAROLE THERIAULT. Yep, 50/50.


GRAHAM CLULEY. My wife has a friend who has an aversion to canned sauces, uh, so she— yeah, so I mean, her idea of being locked in a pantry or something would be—


CAROLE THERIAULT. you'd bring her to Tesco's, right? Or Aldi or something.


GRAHAM CLULEY. All right, yes, so you basically lock someone up with a great big hairy spider and then you say, look, you're over spider phobia, arachnophobia, rubber.


CAROLE THERIAULT. Yes, my theory is this: we need to wire up some sweary Roombas, place them in the houses of all those intolerant folks out there, and the barrage of sweary insults will indeed, after a while, make them immune to swearing. They won't care anymore, and I've met my mission.


RAN LEVI. That's a start. That's a startup.


CAROLE THERIAULT. TM Carole Theriault.


RAN LEVI. Yeah. We can make more versions of this Roomba, like, you know, Canadian version. When the robot hits something, it apologizes.


CAROLE THERIAULT. Yeah, Quebec one, Carlis, you could say.


GRAHAM CLULEY. So Carole, when at the start of today's show, you said you were going to change the world for the better.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. You are going to make people less intolerant of bad language by surrounding them with foul-speaking Roombas.


CAROLE THERIAULT. And people with Tourette's and people that are afflicted with bad language as well.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. Right?


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. Tolerance is a great thing, wouldn't you agree, Ran?


RAN LEVI. Yeah, actually it reminds me of that robot in The Hitchhiker's Guide to the Galaxy. Marvin?


GRAHAM CLULEY. He's got this horrible pain down the diodes on his left-hand side.


CAROLE THERIAULT. Yes.


RAN LEVI. Exactly. Exactly. So now we've got that. I mean, science fiction is being realized. Not in the exact ways we thought it will.


CAROLE THERIAULT. Exactly. Together we can end the tyranny against swearing.


GRAHAM CLULEY. Frankly, who needs to fight climate change, right?


CAROLE THERIAULT. Exactly.


GRAHAM CLULEY. Who needs to do that? I think get your priorities right.


CAROLE THERIAULT. We've got bigger issues at hand right now, people.


GRAHAM CLULEY. Good.


CAROLE THERIAULT. Good. Let's go to Pick of the Week, for instance.


GRAHAM CLULEY. Very good, Crow.


RAN LEVI. Thank you very much.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. We are supported this week by Gartner. Gartner is the world's leading research and advisory company, and they are having a big event.


GRAHAM CLULEY. It's Massivo, I'll tell you. All the big security vendors are going to be there. They're going to be talking about cyberattacks, artificial intelligence, blockchain, machine learning, and much more. It's all taking place between June 17th, 18th and 19th at the Gaylord National Convention Center in National Harbor, Maryland. So I'd really recommend that if you are a CISO, IT security and risk professional, you probably want to go to the Gartner Security and Risk Management Summit.


CAROLE THERIAULT. And listen up, listeners, you can receive $350 off the registration fee by using the code SMASHING with a G. To learn more, visit smashingsecurity.com/gartner. We are also sponsored this week by our friends at LastPass. Now, Graham, isn't it something like 90% of security breaches involve a stolen password or a poor password?


GRAHAM CLULEY. Yeah, stolen passwords, poorly chosen passwords, reused passwords. Passwords are really sort of the hinge pin of so many security attacks which happen, which means that you probably want an enterprise password manager like the one offered by LastPass.


CAROLE THERIAULT. Listeners can learn all about LastPass Enterprise at lastpass.com/smashing.


GRAHAM CLULEY. You don't have to say forward slash, by the way, Graham, just say slash.


CAROLE THERIAULT. And we are also sponsored by MetaCompliance. Now MetaCompliance make this platform to help you train up all your employees in all things cybersecurity related.


GRAHAM CLULEY. That's right, you can simulate phishing attacks, you can teach them about password safety, all aspects of data security. Go and sign up right now at smashingsecurity.com/metacompliance and you can see because you listen to this podcast. You're a listener to this podcast. Boom.


RAN LEVI. And welcome back.


GRAHAM CLULEY. And you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


RAN LEVI. And Pick of the Week. Took me a time to get on the wagon.


CAROLE THERIAULT. Yeah. Welcome aboard.


RAN LEVI. It's the lag. It's the lag.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily.


CAROLE THERIAULT. Well, shouldn't be.


RAN LEVI. Hmm.


GRAHAM CLULEY. Doesn't have to be. Now my Pick of the Week is a website. Now I'm sure listeners remember we talked about a website a little while ago called thispersondoesnotexist.com, an extraordinary website which used artificial intelligence to create random computer-generated photos of a fictional person. And these photos were in the main quite convincing.


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. Sometimes they had an extra ear or a mouth in the middle of their forehead or something like that, but many of them didn't look like people who worked in tech support. Many of them actually looked remarkably believable. Some of them I even quite fancied and thought, oh yeah, they're all right.


RAN LEVI. Actually, it was quite chilly to look at some of these pictures. I mean, they looked so real.


CAROLE THERIAULT. Yeah, yeah. It's just like Second Life, you know, 3.0.


GRAHAM CLULEY. Well, now another site has taken a new spin on things. There is a site called have they faked.me. And have they faked me asks you to upload your own real photo or point it to a photo on the web, and it will then compare your photo to its collection of over 400,000 fake photos. So you— You all right there, Carole?


RAN LEVI. So you—


CAROLE THERIAULT. Who's running this?


GRAHAM CLULEY. So you can find—


CAROLE THERIAULT. Where are the privacy legalese? I'm looking on the website. I see nothing.


GRAHAM CLULEY. So you can find out if you have a look-alike.


CAROLE THERIAULT. I'm looking for a picture of you. I'm looking for a picture of you.


GRAHAM CLULEY. I tested it. I haven't uploaded my photograph.


CAROLE THERIAULT. I'm putting your picture up right now.


GRAHAM CLULEY. Well, can you upload Ran's instead? Have you done it, Ran?


RAN LEVI. Yes, I did. I mean, I'm a serious guy. I do, I mean, try to be on the show, trying to prepare myself. And I've got nobody who looks like me in that estate.


CAROLE THERIAULT. You will now.


RAN LEVI. I'm either too ugly to be faked or I don't know, maybe probably too ugly.


GRAHAM CLULEY. Carole raises a quite reasonable concern, which is what the heck are they going to do with all of these photographs people are uploading? Yes, because this could all be— this could be conveyor belted into some other artificial intelligence machine, or it could be going into some huge conglomerate.


CAROLE THERIAULT. Can we do a Whois? Who's— let's do a Whois.


GRAHAM CLULEY. Oh yes, because that will definitely answer it, won't it? They won't have thought of that one, Carole.


CAROLE THERIAULT. Anyway, they might not have. This is not looking that great so far.


GRAHAM CLULEY. Jeff Bezos registered this domain. Now, if you do look in the small print, if you do look in the small print, they're obviously aware that people might be concerned. And they do say the website automatically deletes uploaded files 3 minutes after uploading and also removes additional information extracted from the photos for facial recognition. But of course, you've only got their word for it, haven't you?


CAROLE THERIAULT. Whose word? Philip Wang?


GRAHAM CLULEY. Well, whoever's running the website, whoever you find on the Whois crawl.


CAROLE THERIAULT. That's the name, by Philip Wang. That's all we have.


GRAHAM CLULEY. Is it Philip Wang? Okay. All right.


RAN LEVI. Okay. I use the picture that is already, I mean, so, I mean, my picture is all over the web.


CAROLE THERIAULT. Oh, here come the excuses.


RAN LEVI. Yeah. I mean, I don't care.


GRAHAM CLULEY. I don't have any privacy at all. I don't care.


RAN LEVI. I don't care. My privacy is gone. Gone with the wind. 10 years ago, it was gone already.


GRAHAM CLULEY. Anyway, listeners, over to you. You feel free to upload pictures of yourself or indeed—


CAROLE THERIAULT. Just one co-host here, Carole Theriault, recommends that you just ignore this pick of the week entirely and on to Ran's pick of the week.


GRAHAM CLULEY. I thought it was interesting, interesting at least. Ran, what is your pick of the week?


RAN LEVI. Okay, I'm going to recommend a very interesting YouTube channel called Drugs Lab. It is a Dutch official governmental channel, which is important for our story.


GRAHAM CLULEY. Oh, is it run by the government?


RAN LEVI. It is run by the government. And in it, there are, I think, 3 or 4 young guys in like the mid-20s, and they are trying in front of the camera every conceivable drug there is, from weed in the lowest extremity to cocaine, heroin, all sorts of mushrooms, whatever, in front of the camera.


CAROLE THERIAULT. I love the Dutch.


RAN LEVI. I do.


GRAHAM CLULEY. I do.


RAN LEVI. And it's amazing. I mean, they, the Dutch government apparently has a policy of, I mean, some of the drugs that they are showing are illegal in Holland. So the policy is, okay, we know it's illegal.


GRAHAM CLULEY. No one would surely take illegal drugs though.


RAN LEVI. There are so many legal drugs, but apparently people And they must be pretty serious, these illegal drugs, if they're illegal in Holland.


GRAHAM CLULEY. Yeah, I have to say. Yeah. Anyway, sorry, carry on.


CAROLE THERIAULT. Yeah.


RAN LEVI. Yeah. I mean, it's right. I mean, if you're going to be illegal in Holland, it's going to have to be a very risky drug. But it's very interesting.


CAROLE THERIAULT. I haven't heard of some of these drugs like Kamagra. What is that?


GRAHAM CLULEY. My goodness, Carole.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. You've dropped the ball over the years. I think the gra is a hint. It's probably something related to Viagra, don't you think?


RAN LEVI. They actually do stuff while they're high with various drugs, like have sex, visit museums. I love the text. Have a party. And they kind of let you see the real effects of drugs on real people and give you warnings when it's— why it's risky, how to do it properly if you're going to try. And it's so refreshing to see somebody taking drugs, not in the, you know, the approach of don't do it, it's dangerous, but actually trying to explain what the risks are, why it's dangerous, why it can be used sometimes in a more— I mean, if you're using it, how to use it properly. And I think, I mean, my personal take is that it's probably more effective than just saying, no, don't use it.


CAROLE THERIAULT. Because you trust it. You trust it. And that's why it's great.


RAN LEVI. It kind of turned me off certain kinds of drugs that I'm saying, I'll never—


CAROLE THERIAULT. Like Kamagra?


RAN LEVI. I don't remember that specific one.


CAROLE THERIAULT. And look at the views, guys. Look at the views. 100,000 views. Hey, listen, Theresa May, if you want to improve your standing in the UK, this is a seriously cool idea.


GRAHAM CLULEY. So I've watched a couple of these videos. Now, the videos that I watched were all in the Dutch language, so I didn't really understand what they were saying.


RAN LEVI. But they have subtitles.


GRAHAM CLULEY. Ah, and they were still quite entertaining. I actually found it quite— and they're very slickly produced and they're very sort of—


CAROLE THERIAULT. What did you learn, Graham?


GRAHAM CLULEY. Professional presenters. Well, what I found was I found it a little bit like The One Show, a show we have here on BBC TV. But the difference being, of course, that to watch The One Show, you have to be taking drugs yourself to enjoy it. Whereas here, it appears the presenters are the ones taking the drugs. Other than that, it's identical experience.


CAROLE THERIAULT. Do you think you get paid? You're like, look, you need to go on cocaine and we need you there for 4 hours and you have to do all this personal stuff. A tenner? Sounds good.


GRAHAM CLULEY. Get paid by the government as well. But it does, it does—


RAN LEVI. Would you do that kind of show? I would never do that.


GRAHAM CLULEY. No.


RAN LEVI. I mean, so dangerous.


GRAHAM CLULEY. I don't drink more than one cup of tea a day. That's enough for me. I'm not going crazier than that.


RAN LEVI. I don't want to get a psychosis because I tried some weird American mushroom. That's not part of my job description. I don't know. Well, that is a great channel.


CAROLE THERIAULT. Yeah. Well done, Holland. Yeah.


GRAHAM CLULEY. Well, it's an interesting approach by the government over there as well, isn't it?


CAROLE THERIAULT. Not going to get the edit till tomorrow, Graham. I know what my evening's all about. I'm going to be learning some stuff.


GRAHAM CLULEY. You could be editing all night long, Crow. You'll be fully awake. Crow, what's your pick of the week?


CAROLE THERIAULT. So my pick of the week found its way to me via Reddit. I've been following this sub called Influence Advice for a few months, and I find it really useful and cool. So it links over to the— and forgive my pronunciation here, anyone who wants to help me, that's great— so Kletish website.


GRAHAM CLULEY. Kletish.


CAROLE THERIAULT. So K-L-E-T-I-S-H. S-C-H-E.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. Right?


RAN LEVI. Right.


CAROLE THERIAULT. Now, I've given you guys the link there. So basically, it's a kind of collection of articles all about advice on how people try to influence you or you can influence other people. And as someone who studied rhetoric in college, I find it quite interesting. So one, I just pulled out a particular article here just to kind of give you an example here. So, how master manipulators conceal their intentions. So I thought this would be very interesting to read, Graham, right? As you're, you know, adept in the old manipulations, aren't you?


GRAHAM CLULEY. Oh, that's charming.


CAROLE THERIAULT. Well, let's just see if you would— let's just say if you feel this exposes you in any way, okay? So a master manipulator is someone who is patient and bides his or her time. A manipulator's game is one of generating, storing, and not using the power until it's time. And the more skilled the manipulator, the fewer times you're looking to use this power. You're looking to collect, invest, and build.


RAN LEVI. This sounds so dark side, doesn't it?


CAROLE THERIAULT. Doesn't it? Well, I heard you were from Israel, so I thought this will appeal to you, Ran, right?


RAN LEVI. We're all on the dark side here.


CAROLE THERIAULT. Exactly. Manipulative individuals tend to use the fact that you may be blind to some aspects of life which you can benefit from. So for example, you might be being really good at work and I might not be doing so well. I might be feeling a little nervous, right, that, Ran, you're doing so well in front of the boss, right? And so I encourage you to go take a holiday, you know, and think it'll be good for your health, and you're looking tired. And I keep doing this because my endgame is to get you out of the race so I can get a bit further ahead with the boss. But you might think, oh, this girl's so caring.


RAN LEVI. That's manipulation. That's smart.


GRAHAM CLULEY. What drew this to you? What drew you towards this, Carole?


RAN LEVI. That's evil.


CAROLE THERIAULT. No, no, it's not about becoming—


GRAHAM CLULEY. You've been reading this for months.


RAN LEVI. It's not about becoming evil.


GRAHAM CLULEY. What are you working on? What are you plotting?


CAROLE THERIAULT. An amazing audio drama, one day. Okay, look, that's one article. Other ones are: why you should analyze live performances, why online anonymity should make you more positive, how to deliver bad news, how to entice people to hurry up.


GRAHAM CLULEY. Yeah, we've been recording for a while. Get a move on, Carole.


CAROLE THERIAULT. I'm done. Okay, seriously, check it out. It's a great resource. Cliché.com website.


RAN LEVI. There's actually a great book called How to Make Friends and Gain Influence by Dale Carnegie, which is, I mean, it sounds, I mean, as evil as maybe this kind of manipulation, but it's actually quite helpful for people with, you know, social difficulties and, you know, tips for how to, I mean, feel more natural in conversation. So it can help you if it's used properly.


CAROLE THERIAULT. Hey, I read it. Look at me now.


GRAHAM CLULEY. On that bombshell, I think we've just about wrapped it up. Ran, thank you so much for joining us today. I'm sure lots of our listeners would love to follow you online or find out more.


RAN LEVI. So probably the best way, the best site to go to is malicious.life. That's our podcast. Lots and lots of interesting episodes from the history of cybersecurity. My Twitter handle is @ranlevi. That's R-A-N-L-E-V-I.


GRAHAM CLULEY. Simples. And you can follow us on Twitter @SmashinSecurity, no G. Twitter wouldn't allow us to have a G. And we've got a community up on Reddit too. You go and join us there. Quickest way to find us is at smashingsecurity.com/reddit. And if you are after a sticker or a t-shirt or a mug, you can also go to our online store where we've got all kinds of goodies. Go to smashingsecurity.com/store.


CAROLE THERIAULT. As always, we're hugely obliged to this week's Smashing Security sponsors: LastPass, Gartner, and MetaCompliance. Their support helps us give you the show for free, so be sure to check out their offers. And of course, fist bumps to all you listeners out there. Thank you for listening, supporting us, and helping us spread the word.


GRAHAM CLULEY. Until next time, cheerio, bye-bye.


RAN LEVI. Bye-bye, it's been great fun.


CAROLE THERIAULT. Bye-bye. Yay, it has been fun. Do you normally laugh a lot every day in your day-to-day life?


RAN LEVI. Yeah, I do, I do.


CAROLE THERIAULT. Excellent. You've got to, right? You've got to if you've got missiles overhead.


RAN LEVI. You know, it's, it's always, always looks more terrifying from the outside. I mean, actually yesterday we had like a small event at the offices. I run a podcasting company in Israel and we had an event on the roof and we were kind of happy to be on the roof because then you could see missiles flying. There were actually missiles being fired from Gaza and of course back to Gaza. So it was, I mean, we had great view. Uh, it sounds, it's dark humor.


CAROLE THERIAULT. Yes.


RAN LEVI. You were saying? Yes.


CAROLE THERIAULT. Yes. Yes. Very dark.


RAN LEVI. Dark, very dark.

-- TRANSCRIPT ENDS --