An app leaking private conversations and intimate photographs is ignoring requests to fix the problem, hackers poison a security update sent to ASUS PCs, and how to protect your privacy in motel rooms.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.
Follow the show on Twitter at @SmashinSecurity, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: Maria Varmazis.
Sponsored By:
- Mimecast: Grab your FREE Cybersecurity Awareness Training Kit from Mimecast, and share it throughout your company. Give your employees the information they need to make the best cybersecurity decisions.
- Get your free kit at smashingsecurity.com/mimecast
Links:
- Varmazis.gr - The hot sauce factory.
- This Spyware Data Leak Is So Bad We Can't Even Tell You About It — Motherboard.
- A family tracking app was leaking real-time location data — TechCrunch.
- Popular family tracking app exposed real-time location data onto the internet – no password required — Hot for Security.
- Hosting Provider Finally Takes Down Spyware Leak of Thousands of Photos and Phone Calls — Motherboard.
- security.txt | A proposed standard which allows websites to define security policies.
- Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers — Motherboard.
- Operation ShadowHammer — Kaspersky.
- Shadow Hammer APT MAC Check.
- ASUS Settles FTC Charges That Insecure Home Routers and “Cloud” Services Put Consumers’ Privacy At Risk — Federal Trade Commission.
- ASUSFourceUpdater.exe is trying to do some mystery update, but it won't say what... — Reddit.
- Asus implements fix for malware attack — Reuters.
- ASUS response to the recent media reports regarding ASUS Live Update tool attack by Advanced Persistent Threat (APT) groups.
- Passion for life: Self-expansion and passionate love across the life span — Journal of Social and Personal Relationships.
- So THAT'S Why Hotel Sex Is So Much Better Than At Home — Huffington Post.
- South Korea arrests two for spy cameras that livestreamed 1,600 motel guests — Reuters.
- Zach King magic tricks — YouTube.
- Killed by Google - The Google Graveyard & Cemetery.
- Outline - Read & annotate without distractions.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
MARIA VARMAZIS. And they dubbed this malware because, you know, it has to have a fancy name. Operation ShadowHammer.
CAROLE THERIAULT. That's all right. That's a lot better than most names where it's like BitZog VingDine428.
GRAHAM CLULEY. Hey, there was nothing wrong with BitZog VingDine418, girl.
MARIA VARMAZIS. I played the second version of that game back in the '80s. It was great.
UNKNOWN. Smashing Security, episode 121. Hijacked motel rooms, ASUS PCs, and leaky apps with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 121. My name is Graham Cluley.
CAROLE THERIAULT. I am Carole Theriault.
GRAHAM CLULEY. And we're joined this week by returning guest, fan favorite, Maria Varmazis. Hello, Maria.
CAROLE THERIAULT. Yay!
MARIA VARMAZIS. The crowd's gone wild! Hi everyone.
GRAHAM CLULEY. Maria, has anything wonderful happened to you in the last week? Uh, hot sauce. Hot sauce.
MARIA VARMAZIS. Oh, oh, I was like, uh, that sounds like a bit perverted, guys. Well, I found out that my third or fourth cousins have launched a hot sauce line in Greece. It's called Varmazis Hot Sauce.
CAROLE THERIAULT. Varmazis Hot Sauce?
MARIA VARMAZIS. Yes. I can't buy it yet. I don't think they have a distributor yet in the States, or at least outside of Europe.
GRAHAM CLULEY. Um, maybe it's too dangerous to ship. Maybe it's like lithium batteries, you can't put it on an airplane. Might explode. It's that hot.
MARIA VARMAZIS. I have actually had hot sauce explode on my luggage when I transport it from one place to another. It is a mess to clean up. I can verify.
CAROLE THERIAULT. That happened once to me with maple syrup.
MARIA VARMAZIS. Yeah. Oh Canada.
CAROLE THERIAULT. Now tell me, did you—
GRAHAM CLULEY. were you—
CAROLE THERIAULT. I know you're a little artiste, Maria. Did they hit you up for the logo?
MARIA VARMAZIS. Oh no, no, no, no, no. We— my mom was literally Googling our last name and their website came up and we went, what? Who are these people? And we, we did a thing where we talked to an uncle who talked to our grandmother back the home village, and she verified that these are indeed like distant relatives.
CAROLE THERIAULT. Yeah, a cousin two steps removed got on a donkey and went down the mountain.
GRAHAM CLULEY. It's not the Stone Age in Greece, girl.
MARIA VARMAZIS. Oh no, no, well, economically it's not. Economically it might be going back, uh, but it's an unusual last name. So when we saw that, we kind of went, we must be related to these people because there aren't that many of us, and ends up we are.
CAROLE THERIAULT. So yep, I'm looking forward to trying it.
GRAHAM CLULEY. Sounds pretty cool to me. Not cool, Graham.
MARIA VARMAZIS. Hot. And that's my pick of the week.
GRAHAM CLULEY. Okay, so what have we got coming up on this week's show, Carole?
CAROLE THERIAULT. Fuck, I don't know.
MARIA VARMAZIS. I'm not talking about Facebook is what's happening this week.
GRAHAM CLULEY. Now, chaps, have you ever suffered from a leak? Can be pretty embarrassing, can't it? Well, there are data leaks happening all the time. Aren't they? And there's one happening right now, exposing a database of thousands of people's private intimate photographs and conversations to the whole internet. Anyone can access it. No password required. And normally you hear about a data leak after it's been closed or when it's getting fixed. But this one is a wee bit different.
CAROLE THERIAULT. Hmm.
GRAHAM CLULEY. Security researcher Kian Heasley, Smashing Security is the chap who found this exposed database on an internet server earlier this year, and he discovered two folders on this server with over 95,000 images and more than 25,000 audio recordings of phone calls. Well, the problem with this particular database is that every day more photos and more audio recordings are being added. The leak hasn't been— would you patch a leak? I don't know, but it hasn't been filled, right? Plugged. No, plugged.
MARIA VARMAZIS. Exactly. It's not a—
GRAHAM CLULEY. Oh, anyway. All right. So, well, you may be wondering, where is all this data coming from? Well, it's coming from an app, a stalkerware app that lets you spy on other people's phone activity. And it's primarily marketed towards parents wanting to keep an eye on their kids. And what they might be doing online, which is understandable, although some people have ethical issues with that, obviously. But it's safe to assume that the same app could be used to monitor anybody, right? Whether it was you looking after your kids or monitoring staff or keeping an eye on your spouse.
CAROLE THERIAULT. Right. So basically, people could be using this app for good reasons or to spy on their partner.
GRAHAM CLULEY. Yeah, it may be that you don't trust your partner, for instance, and you want to see—
CAROLE THERIAULT. Or you don't trust your dog not to eat.
GRAHAM CLULEY. I don't think dogs normally have smartphones.
CAROLE THERIAULT. No, but the owner might, and they might have the house surveilled to make sure, you know, to make sure that he doesn't steal the treats.
GRAHAM CLULEY. What are you talking about? What?
MARIA VARMAZIS. So what?
GRAHAM CLULEY. You've lost me.
CAROLE THERIAULT. Do you not understand about people putting cams in their house to make sure their pets behave as they should?
GRAHAM CLULEY. Yes. In this particular case, it's an app where you can steal photographs stored on the phone, or you can steal the conversation.
MARIA VARMAZIS. So unless your dog is taking photos with their Yes, if you've got a pet which is taking selfies, then yes, I agree with your scenario.
CAROLE THERIAULT. I'm with you. I'm with you.
GRAHAM CLULEY. Okay. It's clearly my fault. I didn't explain it well enough. Hopefully it's clear now. Now, Kian Heasley approached Motherboard, the technology website, with this story because they have been repeatedly trying to contact the vendor, the people who made this app, right, to alert them to the breach. But despite multiple attempts, they've received no response. Absolutely nada. Ooh. Ooh.
CAROLE THERIAULT. Well, that's, yeah, you know, I'd love to say that's so unusual, but it's not. It's not unusual.
GRAHAM CLULEY. It can often be difficult, can't it? But this is something where the leak is continuing to happen. And with an established app, you would hope there would be an email address or a phone number, or, you know, you could tweet them or something to say, hey, can we speak to you guys? And they've sort of hit this brick wall. They say that they've tried to ethically disclose the vulnerability to get these private images secured. Many of which will be intimate, of course. They reached out to them through the official email address displayed on the site, no answer. They've used the Gmail address of the site's administrator, who appears to be the company's founder, no answer. They've left voicemails, no answer. They've looked up the WHOIS information, they're not getting any response.
MARIA VARMAZIS. Yikes.
CAROLE THERIAULT. This app is available from official stores?
GRAHAM CLULEY. Well, here's the thing. They haven't named the app. I imagine it is available in the popular app stores, judging by the number of people who appear to be using it. But they don't want to name the app because they are very worried that every asshole on 4chan is then going to work out where the database is and take those photos and those recordings and start posting them on the internet.
MARIA VARMAZIS. Oh, they're at it already. Yeah.
CAROLE THERIAULT. But presumably our researcher guy here, Kian, he is aware of the actual app name, right?
GRAHAM CLULEY. Yes. Yes. They've been to the website. They've tried to contact them, but they're not getting any response.
CAROLE THERIAULT. Right. I guess so what I'm getting at is why wouldn't you go to Apple or Google and take it down that way?
GRAHAM CLULEY. Well, maybe you could. I mean, maybe if you were able to convince Apple or Google, they would remove it from the App Store.
CAROLE THERIAULT. Well, pretty compelling evidence.
GRAHAM CLULEY. I think that's, well, I think that's the natural progression of things. I think first of all, you try and contact the company and say, look, you need to fix this because Apple themselves may say, well, look, what they're doing with the data may not be our responsibility. They may feel uncomfortable with that. They may be worried about getting into legal trouble themselves, but potentially that's something to do. They've also tried to contact the web hosts and they name in the article who the web hosts are. It's a company called Codero. And they've approached them multiple times for help saying, look, you are actually hosting this content.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. And they're not getting any response from the web server hosts either.
MARIA VARMAZIS. What on earth?
GRAHAM CLULEY. Even though Codero on its website says, the difference with Codero isn't just that we answer the phone when you call day or night, but it's like, well, they're not even doing that. So maybe they don't care. Maybe they don't want to piss off a customer, but it's a bit of a problem.
MARIA VARMAZIS. Well, that level of radio silence almost to me sounds like it's coordinated. I don't know. It's just if literally nobody's getting back to you at that level, it makes me start to wonder if they've been told not to.
GRAHAM CLULEY. Well, it really begins to put the journalists and the security researcher in this difficult dilemma, doesn't it? Because do you protect the innocent users by getting them to stop using the app? Do you find a way to communicate this? Unfortunately, the data itself doesn't have contact information of the people inside the database, but apparently you would be able to identify the individuals. I don't know whether that's by distinguishing birthmarks or verbal tics or Tourette's or whatever it is, but there would be ways of saying, oh yes, I know that penis. And they— well, not me personally. I don't have a huge database or memory bank to work from, but maybe other people— Carole, maybe other people would.
CAROLE THERIAULT. I was waiting. I started laughing before you even said my name. I knew it was coming. Yeah, I'm listening to your story carefully. Yes.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. It seems to me this is yet another reason why if you want to be a big app store provider, you have to be a gatekeeper. And—
GRAHAM CLULEY. But can you really expect the likes of Apple and Google to—
CAROLE THERIAULT. To put it on hold and put it in quarantine because they received a complaint with sound evidence until they get in touch and say, oi, what's going on with our app?
GRAHAM CLULEY. Well, you know what? If they were to freeze out the app for a while, wouldn't that also highlight to people there could be a problem with it and maybe send the bad guys in the direction of the database, though. There are already people on Twitter who claim to have worked out who it is from information, even the limited information which is available in that Motherboard article. So, my best—
CAROLE THERIAULT. And coming back, this data that's up there, what kind of things is it gonna be? It's like audio, like phone calls and pictures.
GRAHAM CLULEY. Yeah, exactly. The kind of things that—
CAROLE THERIAULT. People have taken either, you know, with consent or without consent.
GRAHAM CLULEY. Who knows?
MARIA VARMAZIS. Who knows, right? Yeah, I could see this kind of software being used by, oh, I don't know, like a really controlling, potentially abusive spouse or partner trying to spy on the person that they're trying to control. So I could see people who are already very vulnerable being further victimized by this leak.
CAROLE THERIAULT. Well, you know what, I get— actually, that's a really good point, Maria. I think then what you do is you get the cops involved, get the cyber cops involved, take a listen at the data that, you know, that's being collected and make a call.
GRAHAM CLULEY. The thing that's been highlighted to me is that it can be really difficult to contact companies who are leaking data. And if you are a company, if you were found to be accidentally leaking data, how easy would it be for someone to tell you? We've just seen a similar situation happening with an Australian iPhone app called Family Locator, which purports to help people stay informed about the location of their loved ones. So they've got a database, 238,000 individuals were exposed for weeks on end, unsecured MongoDB database, no password required. Same old story. TechCrunch wrote about this. They tried to get in touch with the makers of the app, React Apps. They had no contact information on their website. Their WHOIS record was privacy protected.
MARIA VARMAZIS. As they often are now.
GRAHAM CLULEY. As they often are these days. So there was no way to get in touch with them. Online feedback forms weren't getting answered. Eventually they went to Microsoft and said, look, you guys run the Azure cloud server platform, which this app is using. Yeah. Can you get that shut down?
CAROLE THERIAULT. And?
GRAHAM CLULEY. And they in that case were successful. So Microsoft actually shut it down.
MARIA VARMAZIS. Well, there you go. Bravo, Microsoft. Okay, good.
GRAHAM CLULEY. But Codero, the server hosts in this case, aren't responding. Who knows why? So some advice for people. If you are a company, how easy would it be to get in touch with you if there's a security issue? Look at your WHOIS privacy protection. If you are a company or running an app, maybe it makes sense not to have privacy protection there so people can get your contact details. If you've got an online form, you need to monitor that email address and answer it. If you—
CAROLE THERIAULT. Basically don't be a douchebag.
GRAHAM CLULEY. Right. Make sure your email addresses don't bounce. Make sure that phone calls don't go unanswered. And one thing you can do is there is a standard on the internet called the security.txt file.
MARIA VARMAZIS. I think that was one of my picks of the week a while ago.
GRAHAM CLULEY. I think it was, yes. Yeah. So you can read all about it at securitytxt.org, basically create a subdirectory called .well-known, and inside it you put a file called security.txt where you contain information on how to contact you. My concern is only security-minded people are likely to do this in the first place. So these companies which don't care simply won't do that. But it's all a huge mess, isn't it? If only people went back to the good old days of uploading their intimate private snaps to trusted services like Facebook, Maria? Something like that instead.
CAROLE THERIAULT. I think that word should be banned for the episode.
GRAHAM CLULEY. Sorry, yeah, I shouldn't use the F word.
MARIA VARMAZIS. You're quite right. That's the F word.
GRAHAM CLULEY. Maria, what's your story for us this week?
MARIA VARMAZIS. It's not Facebook.
GRAHAM CLULEY. Yay!
CAROLE THERIAULT. Hey!
MARIA VARMAZIS. Oh, it's not the F word?
GRAHAM CLULEY. Yay!
CAROLE THERIAULT. Exactly.
MARIA VARMAZIS. Yeah. So, story broke yesterday, which is Monday. On Motherboard via journalist Kim Zetter that thousands, if not hundreds of thousands, of ASUS brand computers have been compromised with malware that was installed via ASUS's official automatic software updater.
CAROLE THERIAULT. Yeah, that's a big yikes. Yuck.
MARIA VARMAZIS. Yeah. So there's still a bunch of estimates floating around about exactly how many machines have been infected because this story is only a little over a day old right now. But conservative estimates say that it's about half a million machines infected. But Kaspersky, who actually first found this malware, said it's actually closer to a million. So no small number of people have been affected by this, right? So as I mentioned, Kaspersky, they discovered this back in January, and they dubbed this malware— because, you know, it has to have a fancy name— Operation ShadowHammer.
CAROLE THERIAULT. That's all right. That's a lot better than most names where it's like BitZog VingDine428.
GRAHAM CLULEY. Hey, there was nothing wrong with BitZog VingDine418, girl.
MARIA VARMAZIS. I played the second version of that game back in the '80s. It was great.
GRAHAM CLULEY. I kind of agree with Carole. I wish, you know, I loved it when there was a vulnerability called Poodle. Do you remember Poodle?
MARIA VARMAZIS. Yeah, good old Poodle.
CAROLE THERIAULT. Or, you know, there's the Avril vibe, no threat, you know, they just named it after something memorable.
GRAHAM CLULEY. Lumpy trousers. Yeah, I know, they're also macho, aren't they? Like they're Marvel supervillains.
MARIA VARMAZIS. Yeah, Operation ShadowHammer's not, right? It's definitely very, you know, subdued. No, that's a name, you know, and that means it's serious business, guys. So just diving into what they found a little bit. This malware flew under the radar for a couple months because not only was the malware itself hosted on the official ASUS update servers, but it was also signed with two legitimate ASUS certificates.
CAROLE THERIAULT. Embarrassing!
MARIA VARMAZIS. And not only that, to this day, those two certificates have not actually been revoked.
GRAHAM CLULEY. Oh, so for those people who aren't aware, software companies use digital certificates to say, yes, we really did write this code.
CAROLE THERIAULT. Yes, we approve.
GRAHAM CLULEY. If you have any uncertainty about this, let us reassure you, this is a legitimate program which you can safely run on your computer.
MARIA VARMAZIS. It's not unheard of for certificates to be faked, and they're not foolproof by any means. So this is not like a, oh my God, this never should have happened. But the fact that these have—
CAROLE THERIAULT. On their websites?
GRAHAM CLULEY. But oh my God, it never should have happened.
MARIA VARMAZIS. It never should have happened. It's on their servers. It's signed with actual certificates that are from them. They weren't faked, and they're still legit as of right now during this recording.
GRAHAM CLULEY. So they haven't revoked them. So somehow the hackers got in. They meddled with the update, which got pushed out to—
MARIA VARMAZIS. Correct.
GRAHAM CLULEY. Who knows how many, a large number of ASUS computers. And it was also signed with something that the hackers shouldn't have had access to.
CAROLE THERIAULT. Correct.
GRAHAM CLULEY. Not that good news, is it?
CAROLE THERIAULT. Oh, I bet there's a lot of hair on fire in the ASUS offices at the moment.
MARIA VARMAZIS. It is a wee mess. Oh, yes.
GRAHAM CLULEY. But I expect ASUS is handling this very well. I expect they're reassuring people that there's, you know, that they've got all hands on deck, right?
MARIA VARMAZIS. Oh, oh, if they are, nobody knows because as far as we know, as of the time of this recording, they've yet to actually say anything publicly about this. So we did— there was a story this morning through Reuters that there's been some sort of update to fix this issue on the client side. But there's been no communication from ASUS at all. So people are tweeting at them. They're getting no response or they're being told, oh, just email our security team. And that's about it.
CAROLE THERIAULT. So this is another story of companies not responding.
MARIA VARMAZIS. Yeah. And so this story is going to—
GRAHAM CLULEY. In fairness, they're probably still trying to work out what happened. Doesn't matter.
MARIA VARMAZIS. Just say, yeah, we heard about it.
CAROLE THERIAULT. There's a fuck-up.
MARIA VARMAZIS. Just say, yes, we've heard this story. As soon as we have more to tell you, we'll get back to you. Like, that would be something.
GRAHAM CLULEY. You'll find it's called a Facebook-up, Carole. We'll have to bleep that.
MARIA VARMAZIS. It's a Facebook-up. It's a big Facebook-up. A giant Facebook-up. Yes. So what's a weird wrinkle about this malware is that apparently it was only designed to target around 600 machines. Specifically, the malware was looking for MAC addresses. Basically, the malware was looking for a MAC address, one of these 600, and if it found it, it would download a second payload. So the weird thing is this looks like it's basically highly targeted malware. So yes, whoever's doing this was casting an extremely wide net to find these extremely targeted machines. So dun dun, who did it? Was it some sort of nation state, who knows? But people, you know, the people are—
GRAHAM CLULEY. You would naturally lean in that direction, wouldn't you?
MARIA VARMAZIS. One might.
GRAHAM CLULEY. But to be clear, this MAC address, it's nothing to do with Apple Macs, is it? Because these are PCs which are getting infected. A MAC address is just an identifier for a particular piece of hardware, which is unique.
MARIA VARMAZIS. Correct. MAC addresses are hardware-based identifiers, capital M, capital A, capital C. And these ASUS machines are specifically running Windows.
GRAHAM CLULEY. Yes.
MARIA VARMAZIS. So Linux users of the ASUS machines are not affected. It's Windows users specifically.
GRAHAM CLULEY. And it's not connected with Mac makeup or concealer or anything like that either. Gosh, I'm so, I'm so in touch, aren't I? Yeah.
MARIA VARMAZIS. Yeah.
GRAHAM CLULEY. So what they've done is they've basically installed a backdoor onto maybe up to a million computers. Who knows the exact number?
MARIA VARMAZIS. Yeah. Still finding that out.
GRAHAM CLULEY. And then it will work out, oh, is this one of the computers I'm interested in? And if it is one of those 600 or so, download something else, which is going to do who knows what.
MARIA VARMAZIS. Who knows what right now. Yeah, I think we'll find that out over time. Yeah, this, it's an interesting story because we've been hearing at least this year, 2019, is the year of the supply chain attack. I've read at least a handful of articles saying that. And this is a very timely example of what that means of when basically an attacker's like, we're not even gonna bother going after the user anymore through the normal phishing or trying to get them to download malware because their machines are so hardened at this point that, yeah, it could work, but it's, it's, it's getting a lot harder. So let's go in the back way. Let's go in a way that people are not going to expect it through channels that people have been told to trust, like the manufacturer of your machine. We've all been told you can trust these guys. So if they can figure out a way to compromise the manufacturer, they've got a clear in.
GRAHAM CLULEY. And this seems to be a growing trend, doesn't it? These supply chain attacks, although they're hard to pull off, they're extremely effective. Maybe the best recent example is the NotPetya ransomware, which was spread via a malicious update to a Ukrainian accounting software package, but then spread all around the world and hit really big companies and cost them, in some cases, hundreds of millions of dollars.
MARIA VARMAZIS. Yeah, there was a Bloomberg story at end of last year that purported that a whole bunch of firms like Amazon and Apple were compromised by a hardware-level supply chain attack.
GRAHAM CLULEY. Yes, that's right.
MARIA VARMAZIS. Yes. That all of those companies then furiously denied, said this is a completely false story, but Bloomberg's still standing by it. So who knows? But they were saying that the servers that these companies were using were all compromised at the hardware level. Yeah. I was curious myself when I was reading this story about how long this attack had been active, because the, the range that we've been given, at least in the Motherboard story, is from like June of last year to November of last year-ish. And I did a little Googling, so I'm not going to pretend I, I researched this, but I found on, on the Reddit forums, the Reddit ASUS forum specifically, that users back in July were noticing some really weird behavior from their official ASUS updater. Specifically, a critical update was coming from ASUS via a system pop-up, so sort of normal-ish. But the file that they were being told to download was called the ASUS Force Updater with a U in the word force.
GRAHAM CLULEY. Sorry, were you saying that in a Canadian accent?
MARIA VARMAZIS. Can you do this? Yeah, just put that on repeat. It's a great sound. It's force with a U put in it. And I'm a dumb American, but I don't think a U generally belongs in the word force. Worse. So it's like, even though I'm used to U's not being where they're supposed to be, apparently. So yeah, that extra U set off a lot of red flags for people going, that looks weird. But then you read the comments— this is from 9 months ago— people are going, well, I ran it through, you know, I didn't execute this, I downloaded it and put it, you know, I sent it to, you know, my AV, I checked the certs, everything's coming back clean. So I guess this is legit, but it's setting off a— I don't— my gut's telling me something's wrong.
GRAHAM CLULEY. Oh my goodness. Yeah, spider sense wins even when the digital certificate tells you, oh yeah, this is really from ASUS.
CAROLE THERIAULT. Yeah, and, and back then, did ASUS say anything? Did they own up? Did they apologize?
MARIA VARMAZIS. No, no. I mean, and I just want to be clear, I have no way of knowing if this is actually the malware in question. I'm going to be crystal clear, but the timeline— I'm willing to, to make a guess that this, this is probably related. And I'm just thinking, like, the fact that they did all the checks, they went above and beyond what most people would do. I'm speculating. It's speculation. I'll put it out there. But the timing and also that little red flag makes me So that's probably related. Just, it's just kind of heartbreaking to see people going, I'm doing all the things I'm supposed to be doing and more, and yet it's coming back as legit. And Kaspersky themselves, and actually Symantec also backed this up, they were only recently able to detect this like two months ago. So it was going past everybody's detection systems because nobody knew how to find the thing. So yeah, interesting.
GRAHAM CLULEY. If people are worried though, that they may have been affected by it, if they've got ASUS computers, is there anything they can do?
CAROLE THERIAULT. Get a sledgehammer.
MARIA VARMAZIS. You can go to Kaspersky's fancy website, shadowhammer.kaspersky.com, and they have a thing where you can input your MAC address and they'll actually walk you through how to find your MAC address, because I realize not everyone might know how to do that. And it'll tell you if you're one of the 600 machines that have been targeted. And/or they have a tool that you can download and run on your machine that will automagically clean up all the mess for you.
GRAHAM CLULEY. That's digitally signed by Kaspersky.
MARIA VARMAZIS. That I'm sure is totally trustworthy. So if you're feeling lucky, you could do that. But if you find out that you've been targeted, I would just nuke your machine from orbit, frankly. Just kidding.
GRAHAM CLULEY. Presumably all the major antivirus vendors are adding detection for this dodgy update to their database or have done already.
MARIA VARMAZIS. I would assume so. I would hope so.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. So hopefully that will give people a warning as well.
MARIA VARMAZIS. So your question, Carole, has ASUS acknowledged this? No, they have not. As we mentioned a little earlier, they haven't put any kind of public comment out, at least as of the time of this recording, but apparently Reuters says there's a fix in place. Has ASUS gotten trouble for security issues in the past? Yes, they have. Oh. So in 2016, ASUS settled a lawsuit with the US Federal Trade Commission, the FTC, where the FTC basically sued ASUS for lack of security practice regarding their routers. Uh, the FTC said ASUS had not, quote, taken reasonable steps to secure the software on its routers. So part of their agreement in the settlement with the FTC was that ASUS had to establish and maintain a comprehensive security program subject to independent audits for the next 20 years.
CAROLE THERIAULT. Where were these auditors?
MARIA VARMAZIS. We will see. I'm very curious to see how that comes up in the context of this. The story's still so fresh. It's still steaming new.
GRAHAM CLULEY. Something's steaming.
MARIA VARMAZIS. It's a big steaming pile of story, so we're going to find out exactly how this all plays out.
GRAHAM CLULEY. Now we interrupt our regular programming for a news update. So what you've been listening to about the ShadowHammer attack and about the data leak at the mystery stalking app company was all recorded on Tuesday. Since then, there have been developments, and rather than issue this podcast as is without mentioning them, we thought we'd inject a little bit of me in here. So firstly, ASUS has now responded to the ShadowHammer reports— links in the show notes— and has confirmed it has issued a fix in the form of an actual security update that you can download using its live update software tool. Yes, the irony of that isn't lost on any of us. Presumably they've digitally signed it as well. Meanwhile, Motherboard and Kian Heasley have finally succeeded in getting a response from Codero, the company which was hosting Mobispy's leaky server. Yes, they are now confirming the name of the app as well. So that sensitive data is no longer accessible for the world to peruse without a password.
MARIA VARMAZIS. Phew.
GRAHAM CLULEY. Right. Well, let's return to our regular programming. Carole, what's your story for us this week?
CAROLE THERIAULT. Well, a lot of us are facing the end of the financial year this week. Many a boss is going apeshit, cracking the proverbial whip to force their underlings to finalize projects or close deals before the annual tax bell bing-bongs. I've actually been in touch with several mates this week who seem at their wit's end, like pulling their hair out trying to juggle all the responsibilities being foisted on them. The upshot: these peeps are desperate for a break. I mean, I've been there. It's stressful, right?
GRAHAM CLULEY. Yes.
MARIA VARMAZIS. Pulling my hair out.
CAROLE THERIAULT. But don't you remember when we were working in the big corps, everyone was freaking out, you know, in March?
GRAHAM CLULEY. Yes. Sell, sell, sell. Stop spending money.
CAROLE THERIAULT. Yeah, totally, totally.
MARIA VARMAZIS. Or spend all that budget. Otherwise you don't get it next year.
GRAHAM CLULEY. Yeah. Buy donuts.
MARIA VARMAZIS. Yeah, that's just me.
CAROLE THERIAULT. I always wanted to be in that team where it's, here's more money. You have two weeks to spend it. Go nuts. But if you look ahead just a few weeks, we can glimpse a ray of hope. Easter is just around the corner, which means holiday time for a lot of us. Work pressures have eased because the financial year is over. Offices and schools close for a few days, at least in the EU and UK. I don't know about the States actually. Do you guys close around Easter?
MARIA VARMAZIS. Depends on where you live. Oh really? Towns by towns, at least around here, some towns close more for Passover or holidays. It really depends on where you live. It's kind of complicated. Yeah.
CAROLE THERIAULT. So it's kind of time to take a breather and maybe book a hotel somewhere different, somewhere where you can soak up some rays or drink in some culture. Who knows, even maybe indulge in a little romance.
GRAHAM CLULEY. Steady.
CAROLE THERIAULT. Let's talk about romance and hotels for a second.
GRAHAM CLULEY. So, all right.
MARIA VARMAZIS. Okay, segue.
GRAHAM CLULEY. I'm up for this. Let's talk about it.
CAROLE THERIAULT. Amy Muise, uh, she's from the psych department.
MARIA VARMAZIS. Amy Weeze? Muise.
GRAHAM CLULEY. M-U-I-S-E.
CAROLE THERIAULT. M-U-I-S-E.
GRAHAM CLULEY. Sorry.
MARIA VARMAZIS. M-U-I-S-E.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. I wasn't sure if she had asthma or whether she had her own data leak. Okay. So Amy Muise.
CAROLE THERIAULT. Amy Muise from the psych department at York University suggests that the new adventures we seek out away from the home routines actually help make adventures in the bedroom a little more exciting.
MARIA VARMAZIS. What podcast am I on again?
GRAHAM CLULEY. I don't know, but I like it.
CAROLE THERIAULT. And I didn't know that, but in the drink biz, the concept of this is called self-expansion.
MARIA VARMAZIS. Of course it is.
CAROLE THERIAULT. Okay, steady on, steady on. Now, Muise maintains that couples may be more likely to experience this happening on vacation because trips often have that element built in. You're in a new place, you're eating new foods, you may be trying new activities, new positions.
GRAHAM CLULEY. What is going on?
MARIA VARMAZIS. I don't understand. Where are we going? We were just talking about ASUS, malware.
CAROLE THERIAULT. Aren't you glad I'm here? Oh my Lord. You guys should stop judging and just go with it, baby.
GRAHAM CLULEY. Okay, so here we are. We're on holiday. We're in a hotel room and we're thinking, let's get a little bit.
CAROLE THERIAULT. And I guess actually motels, are motels and hotels very different?
MARIA VARMAZIS. Yes, they are.
GRAHAM CLULEY. Well, there's a letter different. Motels you go to in a car and hotels you go to in a car.
CAROLE THERIAULT. You don't have to go through reception.
GRAHAM CLULEY. Oh, that's true. Yes, that's what it is. Yes, you have your own door. Yes.
CAROLE THERIAULT. And they're often probably cheaper as well. And motels in many countries such as South Korea, you can rent by the hour. And I'm guessing that—
GRAHAM CLULEY. You don't need that long.
CAROLE THERIAULT. That hour is rarely being used for a bit of shut-eye, more like a bit of slap and tickle.
GRAHAM CLULEY. Keep talking, Crow.
CAROLE THERIAULT. So these two guys in South Korea thought they might make a buck or two by taking advantage of the seedier stuff that might go on behind a motel door, right? By spying on the guests as they were doing what they were doing in the motel room.
GRAHAM CLULEY. Who would actually want to do that? Really?
CAROLE THERIAULT. What do you mean, like spy on them?
GRAHAM CLULEY. Yes. Well, isn't there enough of that kind of stuff on the internet anyway? You don't have to make your own with poor lighting and—
CAROLE THERIAULT. Well, maybe if you want a bit of the pizza.
GRAHAM CLULEY. Amateurs.
CAROLE THERIAULT. You want a bit of the money?
GRAHAM CLULEY. You want a bit of the tingling? Okay, all right. Okay.
CAROLE THERIAULT. So the way they did this is they dressed— see, this is the other interesting thing that they chose motels over hotels, because they dressed up as employees and installed hidden cameras in 42 rooms across 30 different motels.
MARIA VARMAZIS. Wow.
CAROLE THERIAULT. So because you don't have to go through reception, right? You could just knock on the door and say, "Hey, maintenance." Oh, I see. Right?
GRAHAM CLULEY. Right.
CAROLE THERIAULT. They apparently were able to record a whopping 1,600 guests doing whatever they were doing in those rooms. Cameras were hidden in televisions, sockets, hair dryer holders. Do you know what the guys did with the footage? What do you think they did with it?
GRAHAM CLULEY. I think they securely erased it. They recanted. They realized that they were very naughty people.
MARIA VARMAZIS. Correct. They enjoyed it. And really?
GRAHAM CLULEY. What?
MARIA VARMAZIS. No. I was going to say blackmail, probably.
CAROLE THERIAULT. See, that's what I thought too. Like, it seems to me like perfect ransomware.
GRAHAM CLULEY. Yeah, they'll be selling it to someone.
CAROLE THERIAULT. Yeah. They broadcasted live on the internet.
MARIA VARMAZIS. Oh, fuck, that's terrible.
CAROLE THERIAULT. It was the first case in, uh, South Korea. And the kicker, the kicker in all this, do you know how much these boys made by invading all these people's privacy?
MARIA VARMAZIS. $10,000?
GRAHAM CLULEY. Less.
CAROLE THERIAULT. Less than— well, $6,000. $5,000.
MARIA VARMAZIS. Did that even cover the cost of their equipment at that point?
GRAHAM CLULEY. And the uniforms?
CAROLE THERIAULT. Yeah, I worked it out. I worked it out, and it's 30p for each pair of butt cheeks.
GRAHAM CLULEY. Oh, fuck you! Hang on, are you counting each butt cheek twice, or is that— that's for a pair?
CAROLE THERIAULT. I worded that very, very carefully. It's 30p for each pair of pumping cheeks.
MARIA VARMAZIS. We're very precise here in Smashing Security. I just want everyone to know and appreciate the level of precision that goes into this. There's so much math, so much math, so much math.
CAROLE THERIAULT. So the good news here is that the two douchebags have been arrested.
MARIA VARMAZIS. He's still wheezing.
CAROLE THERIAULT. I know some unfortunate person said on Twitter that they loved his wheeze. Oh my God. Now he just turns it on. He's like, yeah, it's just like someone—
GRAHAM CLULEY. yeah, everyone can have a fetish. It's all right if they— if that's what they like.
CAROLE THERIAULT. Uh, the law in South Korea was apparently amended last November to toughen penalties for illegal filming and distributing images without consent. So punishments for the convicted include a 5-year jail term, or up to 5 years in jail, or fines of up to 30 million won. That's about $30,000. So they could effectively, based on the money they brought home, be— find themselves 24,000 smackaroos out of pocket if the judge maxes out the financial punishment.
GRAHAM CLULEY. They've got to get jail time as well, haven't they? Surely. That's what a terrible thing to do.
CAROLE THERIAULT. And the thing is, okay, so while it's great that they've arrested these guys and these guys are going to be facing their, uh, their punishment, the problem is all those people whose personal privacy has been invaded, what do they get? They probably don't even know that they're, you know, they've been filmed.
GRAHAM CLULEY. You know what they should get? They should get a free subscription to the webcam in their prison cells to watch those two as they're shuffling around under their duvets at night.
CAROLE THERIAULT. That's entertaining.
GRAHAM CLULEY. Well, it may— no, but it's justice.
CAROLE THERIAULT. That doesn't sound very empathetic either, Graham.
GRAHAM CLULEY. I was empathetic. Last week, not been empathetic this week, but done that.
CAROLE THERIAULT. So advice, okay? Because the whole story here is that we all use hotels or motels or Airbnbs or whatever, stay at places other than home. And some of us might be concerned that they might be being spied on. And so there's a few things you can do.
MARIA VARMAZIS. Okay.
CAROLE THERIAULT. And these—
GRAHAM CLULEY. All right. Okay. Let's say we are.
MARIA VARMAZIS. All right. Okay.
GRAHAM CLULEY. All right.
CAROLE THERIAULT. So number one, conduct a physical search of the room. You want to listen for a hiss or buzzing because shittier equipment emits this kind of low buzz hum sound. So you want to use your Britneys to search the room.
GRAHAM CLULEY. Sorry, Britneys?
MARIA VARMAZIS. Britneys.
CAROLE THERIAULT. Cockney English. Britney Spears ears.
MARIA VARMAZIS. Oh, jeez.
GRAHAM CLULEY. Good. It could equally be the minibar or something like that, though, couldn't it? Just humming away.
CAROLE THERIAULT. Of course. I think if you find that it's the minibar, you move on, don't you?
GRAHAM CLULEY. I never move on from the minibar. I'm there for a while. Table around.
CAROLE THERIAULT. Turn off all the lights and look for a glimmer of an LED light source. And apparently, this is a cute tip, use your phone's camera because it's better at catching light and detecting light than the human eye. So you can scan the room through your actual phone screen.
GRAHAM CLULEY. But wouldn't they have covered up any LED on the camera so it didn't go blink, blink, blink, you're on camera?
CAROLE THERIAULT. Say, for example, there was a little device inside the fire alarm gizmo in the room. And you might turn off light and you might see two little LEDs blinking there and you might go, that's weird. And you might go up and look closer and one you see attached to a hidden device and you go, aha. Now this is one of my favorites. I've never actually been in a room where I thought the mirror might be two-way. But what do you do if you think it might be two-way? So you turn off all the lights and you put a flashlight directly onto the glass.
GRAHAM CLULEY. Oh, come on, Carole.
MARIA VARMAZIS. What?
GRAHAM CLULEY. You've been too paranoid here. This is too much to do.
MARIA VARMAZIS. People do it.
GRAHAM CLULEY. Do they?
MARIA VARMAZIS. Yeah.
CAROLE THERIAULT. I think if people are concerned about this thing, if people are sitting somewhere and they got their spidey sense going, this doesn't feel right, just on all these people in motel rooms, they might have helped them not expose their you-know-whats to you-know-whos.
GRAHAM CLULEY. So I've watched Dexter, right? The serial killer guy. You know, I've watched that show.
MARIA VARMAZIS. The TV show?
GRAHAM CLULEY. Yeah, the TV show. Yes.
MARIA VARMAZIS. Not an actual one.
GRAHAM CLULEY. And what he does is he sets up his little murder room and he puts the polythene up over all of the walls, all right, so he doesn't leave any blood traces anywhere, right, for the, for the cops to find him and catch him. If you're really that worried about a hotel room and it's going to be so difficult to work out where these tiny devices might be, maybe you should just take some sheets of polythene with you and just polythene the whole room, and then you live inside the polythene thing. Couldn't you do that?
MARIA VARMAZIS. Can you say polythene one more time?
GRAHAM CLULEY. Sorry, polythene.
MARIA VARMAZIS. Yeah.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Am I saying polythene incorrectly?
MARIA VARMAZIS. No, I just enjoy it. What?
GRAHAM CLULEY. I said it like a Canadian.
MARIA VARMAZIS. It sounds funny to my ears for some reason.
GRAHAM CLULEY. I don't know.
MARIA VARMAZIS. Okay.
CAROLE THERIAULT. I'm going to carry on with my very—
GRAHAM CLULEY. Oh, please do. Please do. What else have you got?
CAROLE THERIAULT. You want to— obviously the good one, keep off the Wi-Fi if you don't trust it or use a secure VPN if you're going to do that. And note that many cameras are wired in. Pay special attention to sockets, fire alarms, anything with a plug, right? You want to see— and if you look for wires that are going into weird places. The other good one is they often put these cameras to the action locations, right? Like a— the bed, facing the bed, or the shower or something like that. So you want to look for out-of-place decorations. Like, is there something facing the bed oddly? A pot plant, for example?
GRAHAM CLULEY. Or only ever have sex up against the door of the hotel door, right? If you did it there where people aren't expecting it. I think that's what you're actually advocating is having sex in unusual places in the hotel room where you're not going to be videoed.
CAROLE THERIAULT. Actually, coming back to your suggestion, Graham, maybe you could just get yourself a polythene, almost like body bag that you can get yourself into, right?
GRAHAM CLULEY. With no air holes.
MARIA VARMAZIS. Or just make a little tent.
GRAHAM CLULEY. Make a little—
CAROLE THERIAULT. You should try it out first. You should try it out first. Make sure it's just all zipped up.
GRAHAM CLULEY. Some people do do that, don't they? They zip themselves up in their luggage for fun.
MARIA VARMAZIS. Where is this podcast going this time?
CAROLE THERIAULT. My God.
GRAHAM CLULEY. We're not recommending that, folks.
CAROLE THERIAULT. So there's of course RF radio frequency detectors. So you can scan a room and look for frequencies being emitted.
GRAHAM CLULEY. Seriously, if you're this paranoid, just stay at home. You know, I'm never going to leave the house if I'm worried about all that. Back it up.
CAROLE THERIAULT. Okay. This story was about two guys who filmed 16,000 people across 30 hotels, motels in South Korea. It happens. So if people are nervous about this and go, I don't know what to do, I am telling them things they can do.
GRAHAM CLULEY. Right. And I'm saying just stay at home. Because if you're that worried, for goodness sake, you can't live your entire life in fear, Carole.
MARIA VARMAZIS. Just throw a sheet over. Like, they can't see anything.
GRAHAM CLULEY. Yes. Excellent idea. So just do it under the duvet. They, right?
CAROLE THERIAULT. I do agree with Graham though, that if you do get a spidey sense, you feel like you're being watched, it— yeah, just leave, you know.
MARIA VARMAZIS. I had to cross your gut is almost always the best advice.
CAROLE THERIAULT. Or just do something really incredibly dull and nothing else, like maybe just play a game of chess for hours or something.
GRAHAM CLULEY. Now that I'd subscribe to. That I would—
MARIA VARMAZIS. you've been spying on Graham then, is what I'm—
CAROLE THERIAULT. oh yeah, I don't spend enough time with him during this podcast.
GRAHAM CLULEY. Hey, don't bash Bitdefender, right? Human error is at the root of 95% of all security breaches. It's all too easy for any of us to make a mistake that lets hackers win. Download a free cybersecurity awareness training kit from Mimecast, which will help your staff learn about threats like data leaks, ransomware, business email compromise, phishing, and much, much more. Grab it for yourself at smashingsecurity.com/mimecast. And thanks to Mimecast for supporting the show. And welcome back. Can you join us on our favorite part of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the— I'm keeping you up. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever you wish. It doesn't have to be security-related necessarily.
CAROLE THERIAULT. Should not be.
GRAHAM CLULEY. Well, my pick of the week this week comes courtesy of our Reddit community. One of our listeners who goes by the user ID PaleSkinnySwede.
CAROLE THERIAULT. What if it's descriptive?
GRAHAM CLULEY. You think he's actually a vegetable? He has nominated a pick of the week for us and I checked it out and I thought, oh, that's quite good. That's quite fun. So he has recommended to a chap on YouTube, 29-year-old Zach King, who is a personality on the video service who makes short digital sleight-of-hand videos, like sort of magic-y, but there's a bit of editing and jiggery-pokery and crafty editing, and they're jolly clever, and kids will love them, and it will amuse you as well. So I've put in a link in the show notes. He makes things disappear, he does tricks with perspective, and I thought, you know what, that's very, very good. Well done you, sir, for making videos like that. They're like little Vine videos. They're like 6, 10 seconds. They're very cute and wonderful. And I thought very creative and good for him. And so my recommendation, my very quick pick of the week this week is Zach King. And thank you, Pale Skinny Swede, for recommending it.
CAROLE THERIAULT. Yeah, rock on, brother.
GRAHAM CLULEY. Yeah, it's good fun.
CAROLE THERIAULT. Sister.
GRAHAM CLULEY. Maria, what is your pick of the week?
MARIA VARMAZIS. Well, as a fellow pale skinny Swede, I wanted to give my own recommendation. And it wasn't just the Varmazis hot sauce, although that was sort of mine for this week.
CAROLE THERIAULT. God, advertise, we have to charge.
MARIA VARMAZIS. Yeah, I know, they're, they're gonna be like, what, so much traffic to our site all of a sudden? Uh, so my, my actual pick of the week is, uh, killedbygoogle.com, which is, as the name may suggest, a website that lists all the things that Google has killed. Yeah, so not people who have been murdered by like the Google Street Maps car or anything like that, not that, although I'd be I'm really interested if that is a thing. Please, somebody—
GRAHAM CLULEY. Sergey Brin hasn't been sniping at people off the top of the Google building. Again, we're not suggesting there's been any actual deaths.
MARIA VARMAZIS. I'm sure that list exists somewhere on the darkweb though.
CAROLE THERIAULT. It's the death of dreams.
MARIA VARMAZIS. It's the death of dreams. So if you want to be really mad about Google Reader with me, you can scroll down on this and then shake your fist. But yeah, it's just— when you get past the Google Reader and then let your rage subside a little bit, you can see all the other projects that they've killed of the time, many of which deserve to go.
CAROLE THERIAULT. But some, yeah, yeah, I was gonna say some of them is like, sayonara.
GRAHAM CLULEY. Odd fuck.
MARIA VARMAZIS. Yeah, but it's an interesting trip through time going, if you go all the way back, like my, the first one on the list is Google DeskBar, which I have fond memories of using. But yeah, it outlasted its purpose. But it's an interesting open source project. So you can actually contribute to it if they're missing something. And it's just a simple but really good concept time waster, and I recommend it.
CAROLE THERIAULT. Very cool.
GRAHAM CLULEY. But it also sends an important message, because they've killed almost 150 products. I mean, a huge number of them. I mean, the one we all care about, as you've already mentioned, is Google Reader, which was just spiteful that they got rid of that. It was used by so many people.
CAROLE THERIAULT. What about Google Circles? Wasn't that amazing?
GRAHAM CLULEY. Toss them out.
MARIA VARMAZIS. What about Google Glass? Actually, a legitimate one that I'm not sure why they killed it was Google Flu Trends. That was really interesting.
GRAHAM CLULEY. Oh, yes.
MARIA VARMAZIS. Yeah. I'm not sure why they killed that one, but yeah.
GRAHAM CLULEY. But the important message here is if you rely on something from a company like Google, they have the ability because you're not a paying customer to just zap it anytime they want. And you may be up the creek without a paddle. Glad you agree.
MARIA VARMAZIS. I wasn't sure how to respond to that.
GRAHAM CLULEY. Yes. Yes. Yes, Graham.
MARIA VARMAZIS. Yes. Yes.
GRAHAM CLULEY. You would be up the creek.
MARIA VARMAZIS. Yes, so wise.
GRAHAM CLULEY. Guru. Carole, what's your pick of the week?
CAROLE THERIAULT. VPN is not exciting, funny, or quirky, but it's flipping useful, particularly for people like us who spend a ton of time reading online news articles. But one of the things that kind of annoys me when I'm reading these sites is that everyone first displays their news in a different way, different fonts, different sizes, different locations. It's full of images, often ads, all the crap.
GRAHAM CLULEY. Do you accept cookies and—
CAROLE THERIAULT. Yeah, different size fonts and all kinds of stuff. All kinds of, ugh, it just drives me nuts. So outline.com is a resource for people that want to just get the news, right? So what I'd normally do is cut and paste the story into a reader, text editor, to actually read it that way. That's how I would normally read a story. So I could get around all that. But often a lot of extraneous information gets copied over as well. So outline.com takes all the trouble out of that. You don't have to cut and paste. You don't have to sign up. You do not have to download an app. You just go to a web page and you enter the URL for the article you're trying to read, and presto, a nice clean copy is presented to you.
GRAHAM CLULEY. And is it— it's very— I've used this a few times.
CAROLE THERIAULT. It's very pretty.
GRAHAM CLULEY. It's very pretty. It's sort of clutter-free presentation of an article.
CAROLE THERIAULT. Yeah, it's like Steve Jobs was there going, no, remove that, remove that, unnecessary.
GRAHAM CLULEY. And this is a free service, isn't it?
CAROLE THERIAULT. It is a free service.
GRAHAM CLULEY. Is it free?
CAROLE THERIAULT. Well, I'm using it for free.
GRAHAM CLULEY. Well, yeah, we're using it for free, but is there anything— what, why, why are they— see, you've made me all cynical now. Why are they doing it?
CAROLE THERIAULT. I have not made you cynical.
MARIA VARMAZIS. Yeah, you were pretty cynical to start. Let's be real. Come on.
CAROLE THERIAULT. Stop blaming everybody for your shortcomings.
MARIA VARMAZIS. What's their angle? Where's the— follow the money. Yeah, I know, I know. I'm wondering that too. Try it out.
CAROLE THERIAULT. It's a lovely website. All you're doing is cutting and pasting from articles you'd like to read.
GRAHAM CLULEY. Yeah, and just the link, isn't it?
CAROLE THERIAULT. Yeah. You can take out the trackers before you put the link in if you want to be absolutely 100% sure. And voilà.
GRAHAM CLULEY. Yeah.
MARIA VARMAZIS. Check it out.
CAROLE THERIAULT. Outline.com. It's a good pick of the week. Don't listen to Graham.
GRAHAM CLULEY. No, no, I've used it. I think it's quite handy and quite nice. Like it. Yeah. All right.
CAROLE THERIAULT. Missed that.
GRAHAM CLULEY. Well, that just about wraps it up for this week. Now, Maria, I'm sure lots of people would love to follow you online. What's the best way for folks to do that?
MARIA VARMAZIS. You can follow me on Twitter @mvarmazis, or if you're on infosec.exchange, my handle there is @maria.
GRAHAM CLULEY. So, which is a Mastodon instance.
MARIA VARMAZIS. It is, yes. Trying to get better at using that.
GRAHAM CLULEY. Well, we're on Twitter as well. You can follow us on Twitter @SmashinSecurity, no G. Twitter wouldn't allow us to have a G. And we have an active community as well on Reddit. Quickest way to find us up there is to go to smashingsecurity.com/reddit.
CAROLE THERIAULT. And huge thanks to this week's Smashing Security sponsor, Mimecast.
GRAHAM CLULEY. Cast.
CAROLE THERIAULT. It's support like this that helps us give you this show for free. And thank you to all our glorious listeners. If you like what you hear and you want to help us grow, tell some friends about the show or leave us a review. It really helps.
GRAHAM CLULEY. Until next time, cheerio, bye-bye, later, bye. Marvelous. Marvelous.
MARIA VARMAZIS. Nicely done.
CAROLE THERIAULT. Weekend. Week out.
-- TRANSCRIPT ENDS --