Transatlantic Cable podcast, episode 100

For the 100th edition of the Kaspersky podcast, Jeff and Dave discuss the hammer of GDPR coming down on British Airways and Marriott, and look back on some past stories.

We have hit the century mark for the Kaspersky Transatlantic Cable podcast. To kick things off, we look back on some interesting stories from our first podcasts. The first is Burger King’s crypto-venture in Russia. We follow that up with some NSA security posters.

This week’s chat starts with the Marriott and British Airways breaches in the context of GDPR. From there, we head deep underground for a proposed Wi-Fi monitoring program from Transport for London. It’s supposed to increase operational efficiency, but it’s also raising the eyebrows of privacy watchdogs. To wrap up the episode, we look at Instagram’s latest test in the battle against cyberbullying.

If you enjoy the podcast, consider subscribing or sharing with your friends who need more regular updates on security. For the full text of the stories, please visit the links below:

Jeff: So Dave, do you remember way back when, when we were starting out this podcast and the ask came to us, “Hey, can you guys do a podcast for KD?” and do you think it happened?

Dave: Yeah, to say I was nervous is an understatement. I’ve done like audio stuff in the past and I’ve done some Google Hangouts — whoever remembers those? — I remember doing those, but doing a podcast was kind of alien to me because, you know, as we got the hosting stuff to look for, the editing side of things, and just doing a podcast just seems so bizarre. So yeah, you know, when we were asked to look into the possibility of doing a podcast? Yeah, I was up for it, but it was sort of out there.

Jeff: We thank you guys that have been with us since day one. And I think looking back on it before we go into this week’s stories, I want to look back on some of the more interesting stories that we covered in the podcast. I have two of them. One talks about the crypto craze. Everyone wants to get into cryptocurrency, but the most interesting one came from Mother Russia, with Burger King launching the WhopperCoin. Do you remember this?

Dave: Yeah, this is actually episode one. I had to go digging through older episodes and this is what it was in episode one. What was it called, the WhopperCoin?

Jeff: Home of the Crypto!

Dave: They really thought long and hard about that name. Yeah, that one was a bit of a wild ride story. What the hell’s happened to the WhopperCoin? Phased out just like crypto kittens?

Jeff: I think it just disappeared on the vine. I think it was a PR/social media stunt but good on them though. I still never got any. My fat kid Burger King stories only happened a few times on the way back from Russia if I was in Terminal E, but, oh, well. Cheers to the Whopper. That’s back in 2017.

Dave: Yeah.

Jeff: And then another one, which I think is very near and dear to my heart because it ranks up there with trolling is looking back on historical propaganda posters from the NSA.

Dave: Yeah, this one, I think it was Episode 40 we were looking at this and the NSA propaganda posters. I really like those posters. They’re proper old-school sort of World War II–style posters talking about information security and privacy and, you know, protecting your passwords. Obviously, they’ve updated them for 2019 — 2017? 2018? Whenever it was that we — oh, 2018. There we go. They updated them for 2018. But, you know, they’re fun. That way of kind of getting people a bit more interested in the boring topic of cybersecurity.

Jeff: My favorite one is the one where they’re trolling Russia with the bear on it. And he has the hammer and sickle, and he’s like — for those who weren’t with us back in the day, we’re going to put links to the stories on there just because they’re freaking awesome.

Dave: Yeah, they are awesome. Yeah, I’m just a little look at them everywhere. The truth of the bear. Yeah, that’s a bit of a weird one. But anyway.

Jeff: But listen, you know what these posters segue nicely into? We take our security very seriously.

Dave: Oh, yes. So, story number one for Episode 100 is … Oh, God, you know, we’ve been talking about GDPR for probably about 50 episodes, I would have thought you know, GDPR has been talked about a lot. And nothing’s been happening. I heard people saying that whoever gets hit first will probably be — it will be a big show. It’ll be a very expensive fine as a kind of warning almost. And that seems prophetic.

Jeff: The UK came out with two haymakers now. And this makes that UFC knockout from last week and that five-second knockout look pretty, pretty weak right now compared to this.

Dave: Yeah. A record fine, which I’ve never seen a fine like this for a data breach. £183 million, which is what, $200 million. And Marriott, which I can’t quite understand the logic behind it, is facing a fine of £99 million, which is about $124 million. But if you put them together, Marriott’s data breach, I suppose it depends on the severity, but Marriott’s was something like half a billion users — 500 million users’ data is lost. And with the BA one it was 500,000, so the numbers don’t quite tally, but this is to do with the severity.

Jeff: Yeah, I think this one is kind of — these are two crazy numbers to look at. I didn’t think anything was going to overshadow some of the stories this big, but these had such a giant looming area and, you know, first of all, it’s just shocking how much money is there, so that’s number one. But I think when it comes back to, you know, some of these, there’s some serious stuff that was stolen, like with BA, it’s names, e-mail addresses, credit card information, including all the expiration dates and the CVV codes. So that’s something that’s really big, and when you look at the fines, like you see, like, Data Protection Act, but there’s not, like, major — like the max fine is 500,000. So you see, like, Facebook, Equifax, Uber are up there on the high numbers, but then you jump, and this infographic and this BBC article is frickin’ amazing, and I think what I’m saying here is this — is just a lot of money. And I have never flown BA, so this won’t impact me, but you probably have, Dave.

Dave: It’s surprising in a number of ways, the severity of the fine. I don’t even think BA were quite expecting this amount of money, but I suppose the argument is, yeah, okay, it’s a massive amount of money, and BA obviously are going to get their lawyers involved in trying to argue that number down, but it’s not actually the maximum that they could have been fined. So in some ways, the ICO is being a little bit lenient. So if you read the analysis by Rory Cellan-Jones, he says that it could have been much worse. It could have been a full 4% of turnover, which would have meant a fine approaching half a billion pounds, which is, you know, I mean, that would hugely affect BA, so in some ways, they should count their blessings. That is not the full 4% of turnover, but you know, it’s early days. Yeah, we will have to see what happens. I mean, the same goes for Marriott. Marriott have gotten off lightly, in some ways.

Jeff: But, Marriott, though. Marriott’s statement was better than BA’s because, guess what it says? “We take the privacy and security of guests’ information very seriously.” Boilerplate right there. Boom. But yeah, I think when you start looking at this one, you know, their filing on there. It’s still just the amount of 339 million guest records globally that were impacted, including 30 million Europeans. I think the number might be lower because when you take the European area into it, it drops the number. If it was that big number, let’s say that was the global number affected, I could see them getting whacked with something similar to BA.

Dave: Yeah, easily.

Jeff: And you know, they’re appealing their fine, too.

Dave: Yeah, of course. It’s their right to appeal the fine. I mean, I’m not just gonna sit there and go, “Fine, whatever.”

Jeff: No, no, don’t do that.

Dave: No, they’re gonna defend it, you know, vigorously but at the same time —

Jeff: Out of these two stories, the one thing that does stand out is, one, companies are now being held to the fire, you know, when they do, you know, suffer a breach. But the one that I find very interesting is, like, this one little anecdote in the BBC story about BA here, where it’s talking about this one guy who had a fraudulent, you know, use of his credit card, and he was trying to get some type of restitution for it.

Dave: Yeah, yeah. I think he was trying to say that the hackers were trying to buy something at Harrods in, like, Malaysia or something like that. But apparently the card was declined. So he wasn’t, you know, he wasn’t out of pocket at the end of the day. And I think a lot of the time banks are pretty good with things like this. If you are genuine and, you know, you lose money, then I’ve not seen people be refused having the money reimbursed. But anyway, we could talk about that story for a fair while. So let’s fly over to the next one. Or shall we say, let’s go on the Underground for the next one, because this one’s talking about the TfL. And how the TfL — Transport for London — is going to track all London Underground users who use Wi-Fi or have Wi-Fi enabled on their devices, from July 8. I mean, I’m in two minds with this story. This is over on Wired. And it’s talking about how basically they’re going to use Wi-Fi scanners to track individual MAC addresses. So that’s a unique identifier for your phone or your tablet, your laptop. And they’ll use that data to then track how many people are at a particular station at a particular time. If anyone’s ever used the London Underground during rush hour — I’m sure you have, Jeff — you kind of understand why they need this data. It is maxed out. The Victoria line can be mad is not the word. It is a —

Jeff: — family show. We learned our last hundred episodes, you’re not allowed to say some words here.

Dave: Yeah, just a few times. I get it. Yeah, I totally understand why they need this information. I mean, this is a sort of goldmine of information that the TfL can really use.

Jeff: Keyword there is gold mine. And as they say to Spiderman, no spoilers here. With great power comes great responsibilities.

Dave: Yeah, definitely. Because there is the possibility of using this data for police tracking.

Jeff: I think I think to be honest, you guys are kind of like a police state with the amount of surveillance you have.

Dave: CCTV cameras everywhere.

Jeff: So you could technically probably start mapping some of that stuff with facial recognition. But governments have never leaked facial recognition at all at borders. Never happens.

Dave: No, no, that never happens. Like the last two episodes. I mean, I’m in two minds with this story because I kind of understand where the Wired article is coming from, in that if this information isn’t protected correctly, salted and hashed correctly, then, you know, it could get into the hands of malicious actors and things like that. But at the same time, I use the Underground regularly. And I know how busy it gets. I kind of see why they need this information. There’s no other real way of doing this without deploying cameras and even more pervasive technology. So, you know, this is just a kind of middle ground where, you know, users can still have privacy for the most part.

Jeff: So let’s take an Uber in London.

Dave: Yeah, well, yeah, I mean, you just a black cab, Uber, whatever. Or bike.

Jeff: I’m not riding a bike.

Dave: You’d probably die in London. I’m not sure I’d like a bike.

Jeff: I don’t know where I’m going. I kind of was good at biking. Until I got hit by a car, but that’s a story for another day.

Dave: No. Yeah, that is a story for another day. I’ve got to admit, even I’d get lost in London. If it wasn’t for the Underground. I just follow the Underground signs. So anyway, I think I mean, what are your thoughts, Jeff?

Jeff: I think in some ways, you know, from the side of the TfL, if they’re providing the beacons and things like that, to allow people to use Wi-Fi, you know, it’s the same thing. You know, when you get on the Euro, the metro in Russia last week. So did you use the Wi-Fi?

Dave: I tried. It didn’t work.

Jeff: It’s got to call your number. But I think when you use those things, you’re going on to a network. So technically, they can do it, if they own the beacons you’re jumping off of and you’re using somebody else’s, you know, system there. You know, the question is, I think for people who don’t want to do this, is it a case where you can opt out in a sense of — wait, wait for it, wait for it, gasp — use airplane mode? Or, you know, even just turn off your device and read a book?

Dave: Yeah. Yeah, both are valid options.

Jeff: To be honest here, like, it’s something that, to me, I don’t tend to use public transportation where I live in the US quite frequently, because it’s not the greatest system. But also, I think, when you look internationally, and you look at going into areas, you’re playing by the government’s rules getting onto a government-run system. So on some levels, this level of Big Brother is to be expected. And the real question is, how does the data get used, and hopefully it’s not abused in the future, because that’s where everything gets a little bit sketchy, is, you know, as we saw with some of the pictures that we were talking about in the last two weeks about the, you know, the data at the US border being taken with the photos. What we saw was, there is a potential for abuse of a third party looking to mirror things outside of the scope of use that they were planning for. And when you look at something like that, let’s hope that, you know, everything with the TfL stays kosher and clean, and I think, you know, we haven’t had many stories that we’ve talked about about snafus in the UK in terms of data, except for that whole Queen’s route with the USB that was leaked for going to Heathrow, or was it Gatwick Airport. But it was, you know, that’s the major USB snafu that we saw. But again, I think this one is early days. I think, to be honest, like, walking around London, you’re already on as much CCTV as you probably are anywhere else. The only two places I think I’ve seen more cameras watching you are Moscow and Singapore.

Dave: No, I’ve got to admit, I think London is probably the worst with CCTV, even having visited Moscow, like, three times now.

Jeff: Check out Singapore.

Dave: I’ve not been to Singapore.

Jeff: Singapore is like, Whoa, there’s cameras everywhere.

Dave: Cameras on top of cameras, cameras watching.

Jeff: No, no, seriously, we have a picture of it somewhere. I gotta find that. But there’s, it’s a tower, which is, like, cameras facing every direction. So, like, even if you were one of those contortionist people you couldn’t hide from the camera. You know, you’re like gymnastics and stuff. So this is, like, one of those things that if you were in, like, a Mission Impossible movie, you would still get caught on CCTV. Which is why they have so many laws to stop people from doing stupid stuff like spitting on the street.

Dave: That’s a crazy place. Never been, though.

Jeff: It was. It was beautiful. But anybody who — speaking of beautiful … and ugly. I think this is a really interesting story. It seems that Instagram is now looking to take on bullies, and is asking people, “Are you sure?” before posting something, and the image from this post actually kind of brings it up to you. Look at this. And it says one user says “Amazing,” I guess they’re commenting on a picture of something. Another user writes, “You are so ugly and stupid.” It says, “Are you sure you want to post this? Learn more.”

Dave: Yeah, just reading the title, I think people kind of scoff and roll their eyes and think it’s stupid. But I kind of, you know, it’s a first step, I think. So Facebook, who own Instagram, are coming under a lot of pressure, especially from, I think, the UK government. And because it was quite high profile, the suicide of a 14-year-old girl who sadly took her life, I think it was last year. And the father of the daughter was saying that Instagram was kind of partly responsible because of some of the stuff that she was seeing on there. So I think there’s, you know, a bit of pressure for Facebook to act, and they’ve kind of been being a bit clever with this. So they’re using AI to kind of predict what sort of words they will consider to be, like, you know, offensive language or bullying language. And then it will come up and ask you if you’re sure you want to post this. Now, it does sound trivial. But Facebook was saying that this actually does lead to a reduction in people posting harmful content and harmful posts. But Facebook also go on to say that this is the first of many new things that they’re looking to introduce. So, you know, yes, it does sound kind of silly, and a lot of people will just think, well, I’ll just post it anyway. But, you know, good on ’em for actually starting to do something about this. Because, you know, for a long time, I think online bullying was seen as being a sort of, you know, people rolled their eyes and just kind of went, oh, get on with it, sort of thing. But, you know, it’s a real thing. And teenagers especially have a real hard time of it online, I think.

Jeff: Yeah, I think that’s a good point. And I also think with this whole setup, Facebook’s putting in that second-guessing. Like, let’s be honest here, like, how many times have you? I think a lot of times I’ll write an e-mail, even at work, and I’ll say, all right, let me reread this. Is it worth sending? Yeah, did I say something wrong in here? Which, you know, you know me, I do say stuff around a lot. I have no filter. But when you look at some of the other areas, when we’re looking at what comes up and what people are doing, this might have somebody second-guess and say, was this a bad thing to say? It’s almost like that whole thing of people joking, there’s an app where it’ll stop people from looking at their ex or texting their ex when they’re drunk. And I think this is one of those areas where, you know, maybe it doesn’t stop all the bad decisions. Maybe it doesn’t stop everything. But it’s a start to get people thinking in that direction.

Dave: Yeah. And I think, you know, the likes of Snapchat and Twitter need to kind of — and I’m sure they are — they need to watch closely and start to develop their own tools and programs to be able to help. And it is teenagers for the moment, like 90% of those who do suffer from online bullying. Not saying it is just purely teenagers, but predominantly teenagers who do suffer the most from this. So, you know, I think, yeah, it’s definitely a start. I’m hoping that we can go a little bit further. And in the article they do talk about a few of the other tools that Facebook are looking to roll out, and some of them are pretty cool as well.

Jeff: I think it’s a good start. And I think this is something that we’ll see more of, because I think, to be honest, we talked about this a few weeks back with the, you know, everything with Facebook and them saying that they need regulation from the governments. I think on some levels, this is the first step of coming to pressure and what do you need to do to fix this? Because let’s be honest here, cyberbullying is a huge issue. And, you know, when you see suicides in countries around the world, you know, there’s a problem. And I think this is good on Facebook for taking that first step. And, you know, what the steps from here are, let’s see, and let’s keep an eye on this. But, guys, thank you for being with us for 100 episodes of this podcast. Dave and I have loved doing this show for you, and we’re still going to keep doing it. But if you’re new to the show, or you’re just liking us now, please feel free to share us with your friends. Sharing is caring, guys. And if you really want to help out the podcast, please give us a good rating on iTunes. And make sure to subscribe to us on your favorite podcast-listening device. If there’s a story you think that we should be covering, or we got something wrong, hit us up @Kaspersky on Twitter, or jump over to our Facebook page, Kaspersky, as well, and leave some notes for us, and we’ll get back to you and talk to you in the comments. And until then, we’re going to see you guys next week, where we’re going to start the next century of the Transatlantic Cable podcast.

Dave: Bye-bye.