Transatlantic Cable podcast, episode 97

June 21, 2019

The Transatlantic Cable podcast is nearing its hundredth episode — man, how time flies. For this week’s edition, Dave and I split our time between the consumer space and the legal world.

To start things off, we look at a newly placed FCC complaint against AT&T, T-Mobile, Sprint, and Verizon for selling customer data to third parties. This story ties to a past podcast topic — the location-based data that can help bounty hunters (or those with the money to spend) to track a user’s location.

From there, we jump into the story of a lawsuit against Amazon for an Alexa recording a child without consent. After that, we head over to the music world, where a hacker threatened Radiohead with the release of minidisks from OK Computer. Instead of paying the ransom, the band released the tracks on the Internet for all to see (for a fee).

To close things out, we discuss the deepfake of Mark Zuckerberg that went viral after showing up on Instagram.

If you enjoy the podcast, consider subscribing and sharing with your friends who need more regular updates on security. For the full text of the stories, please visit the links below:

Jeff: So to start things off today, Dave, let’s take a look at a story that we covered a while back that was on Motherboard, talked about how telco companies in the US were going to be in a little bit of trouble, like they were selling their data openly to bounty hunters and the people who might not really need location data based on a user’s cell phone.

Dave: Yeah, we did cover the story. Well, I think this story on an offer quite a few weeks ago, but it’s been sort of bubbling under the surface, isn’t it? And I think now, it’s kind of come to a head with the story, basically, as you mentioned, and kind of wrapped up there with the term through a complex network of kind of middlemen and, and other companies. Large telcos in the US have been selling privacy and location data to bounty hunters, law enforcement agencies, all without warrants and things like that. So I was kind of waiting for a lawsuit to come off the back of this, I was surprised it took so long, to be honest.

Jeff: But I think in this kind of case, this is really a bigger fish to fry, where things start to look at a complaint to the FCC, which is in charge of, you know, all this, this data and these types of things done on people’s phones, I think what pops out here to me is just, it’s not just the small companies that you would think about doing this. These are the biggest carriers in the US. Some of them are global companies as well, you’ve got AT&T, T-Mobile, Sprint, Verizon, all which have a decent sized international footprint, and is something really that we’re starting to see companies talk about more, I think, especially where, you know, the public talk about more, especially as we’re looking at things like stalkerware and things like that and how this data was openly available to people that you just paid the money to get the input.

Dave: Yeah, I’m actually surprised that this story isn’t as big as I was expecting it to be. Maybe it is over in the States, Jeff, you, you’d have a better sort of understanding of it, than myself, but it is something that I think just felt like from a story point of view kind of got brushed under the carpet a little bit. And, you know, we had the big Cambridge Analytica story, which popped last year, year before, something like that. And that was a huge scandal. But this, I think, you know, potentially is worse, because this has been going on for a long, long time. And also, you know, Facebook weren’t aware of Cambridge Analytica, whereas, you know, you have these large companies selling data to smaller companies through this, like, complex network. So, you know, it is strange to me that this hasn’t kind of bubbled up further, and that people aren’t sort of questioning it, it’s good to see that people are starting to get a bit concerned about this sort of information being publicly available, or say, not publicly available, but available to the highest bidder.

Jeff: So, where this comes in with this comes down to the thing where people really, you know, don’t get carried too much about privacy until it impacts them. Yeah. And I think when you’re looking at something like this, you know that the Wu Tang Clan said it best, you know, cash rules everything around me. And I think that’s what comes up to these telco companies. And even going back to, you know, a book that I had started to read that I bought a black hat a few years ago of American spies, and why you should care based out of the University of Cambridge, this was a, you know, a doctorate paper type of thing turned into a book. And what it talked about, was just allowed the, the deep level of, you know, information sharing from telco companies when it comes to the government. And when you look at it in another light, can you make money off it on the private side? Yeah, you can. And I think this is one of those things where you see more money corrupting types of things of where this goes on of, you know, this isn’t a case of Facebook, where if you aren’t paying for the product, you are the product, you pay for your cell phone data on it. It’s just a matter of the technology coming, and being able to give more data back to make more money off and clean more data. So I think this is something that’s really worth keeping an eye on in the US, this isn’t really getting as much giant coverage, as you would expect. It’s more of the Motherboard in the New York Times both of which New York Times a big publication, but it’s not getting the giant outrage of people because people rather see bad news concerned to my president based upon ratings versus something that impacts every single American holding a phone, potentially.

Dave: Although you kind of touched on something there when you say, you know, it doesn’t affect me, if it if it doesn’t affect me, it doesn’t concern me. So, you know, a lot of people sort of dismiss it. And I think, because people don’t see tangible results of the back of this, perhaps that’s why there isn’t such a large outcry about it. I mean, you know, if the Cambridge Analytica thing was probably hit close to home, because it’s Facebook, but I think, you know, a good analogy, and I know, we need to go to the next story. But a good analogy is, a lot of people say, with passwords, like, you know, they — a lot of people have really rubbish passwords, and they didn’t do anything about it until I hacked or, you know, their, their accounts are compromised, and then all of a sudden, they might have, you know, go do something about this. Is it a similar sort of thing, you know, people don’t care until their accounts compromised, and they lose money or social media accounts hacked. And it’s only when they’re kind of spurred on to do it by external factors, do they actually bother to do change your password or anything? So similar sort of scenario, it wouldn’t surprise me if that’s the mentality behind it with a lot of people?

Jeff: Yeah. And I think that’s, that’s really one of the cases there. And, you know, let’s see what happens with that keeping the legal side, we’re going to go over to another favorite topic of this podcast, Alexa.

Dave: Amazon, Alexa, yes. Stories from the Seattle Times. I’ve seen this crop up a few times, actually, this story. And he’s talking about how a lawsuit has been filed in Seattle regarding Amazon recording children against their wishes. Well, not against their wishes, but without consent. Basically, this story is, I think, going to test Amazon little bit. It’s, it’s certainly something that’s never cropped up before. So the basic premise is that you say you, Jeff, I don’t you don’t want to have them. I think you have one, don’t you? Say you bought one and you know, you sign a contract, blah, blah, blah, as you normally do when you purchase these things. But then your son or daughter uses the Amazon Alexa is then recording and storing those recordings for a certain period of time. And that’s where the class action potential class action lawsuit comes from? Because in what is it eight states in the US, consent has to be asked for first before making sure that these recordings are stored? Right?

Jeff: Yep. And I think with this one, it’s really just one of those things that how you say this, right? You know, this is a really interesting case of where technology isn’t keeping up with the laws — or the laws aren’t keeping up with technology. Sorry about that. And when you look at this, I think this is the problem we’ve always had with Alexa. Yeah, definitely. You know, I think we’ve talked a lot about what could go wrong with it. And, you know, to be honest, I think this is something that people have a right to be concerned about. And this isn’t a spot where you see it as a normal like, Oh, this is just an ambulance chaser trying to get some money out of it. This is somebody actually proving a point that the terms of use of Alexa might not be legal, because yes, it’s for the end user. In the terms of traditional contracts. The end user is the person who buys the product. That’s right. However, when it comes to something like Alexa, where anybody in the house can use it when they wake up Alexa by saying Alexa and then searching something. Hell, I’ve seen it too much with my nephews and my kids and my frickin mother’s house and they start using it all the time. Or my brother in law’s house where his kids used to try to play fart sounds, it took them only five minutes of them hooking up the Alexa to try to have it make a fart noise.

Dave: Well, that’s what you gotta do as a kid, but you hit the nail on the head, don’t you know, as companies kind of push forward and sort of test the boundaries regarding privacy, legal issues, states and governments are slow. And that’s not because they you know, just slow to pick these things up. I think it’s just the way they legislate. I’m going to say that the legal system is just generally slower, right? I mean, you know, companies are agile in nature, a lot of them these days, and they kind of push forward. And then, you know, law catches up with them and starts to sort of constrain them in a little bit. I think, yeah, I really don’t know where the story is going to go. And personally, it’s, it’s blindingly obvious. And I’m surprised it’s taken this long with Amazon Alexa being out for, for someone to notice this. But, you know, it’s gonna be a real test, I think. And I’m quite keen to follow this one and just see what happens off the back of it and see if because I think at the moment, this is, it’s just one complaint, but they’re looking to turn it into a class-action lawsuit, which you, Jeff will probably have a better understanding of how that works. So, it’s going to take even more time. But a class action lawsuit will mean that if I’m right, that it will be open up to anyone to join this lawsuit actually, you know, you could join yourself. And I think you remember you telling me you got back a pack of beer ones from Costco. Yeah,

Jeff: I got beer and Red Bull. And like, I don’t know what was in the thing. But, you know, look, when I get still drink energy drinks, it was awesome. But like, I still drink beer. So at least from what I remember of it. Yeah, but, but I think what this one, it really goes, what we’ve talked about in a while is, as you’re putting these devices into your home, you know, I don’t care about the company side of it for this talk right now, what it is, is, as a parent, bring something to your home, or as a consumer, what are you doing? What are you trading off to have this divide, you can make something buy something easier. And maybe that’s just us being a bunch of grumpy old men and get off my lawn. But at the same time? You know, I think the more and more we talk about this, the more and more it’s becoming something where there’s actual real world repercussions about this that, you know, you’re looking at this now, and you’re talking about a kid being — an 8-year-old boy — being recorded. Now, this is a lawsuit about it. But imagine this now, if you multiply the number of Alexas at homes, how many kids were actually recorded? Yeah. Yeah. I guess a beep ton.

Dave: Yeah. So that’s, I think that’s where this is going to get interesting. And, you know, we’re at the initial stages, right, you know, we literally just got the starting gate. So this is going to be a story that’s going to run for a fair while I’m, like I said earlier, I’m quite keen to follow this one. But anyway, let’s go away from the legal side of things to something that’s a bit more sort of —

Jeff: Oh,

Dave: — yeah, we love lawyers. Jokes aside, the next stories from our friend Graham Cluley, and I’d like this one, so Radiohead has refused to pay $150,000 ransom for, quote, marks, hacked recordings, and has instead released them not for free for 18 pound which is what I don’t know $22 something like that is a really interesting story because I don’t think they were hacked reading a story I think someone stole some may gotta remind me here is a mini drive.

Jeff: Yeah, so I think this is really an interesting thing because it’s kind of funny. Radiohead, still a big band and an interesting spot on his how they’re addressing the whole setup of potentially somebody stealing their stuff in trying to extort them is instead of paying the money which they can do they’ve got a lot of money as a band for the for the B-sides, or outtakes if you will, have a lot of things on their OK Computer album and just put it out there for play a place of sale kind of mocking the attacker at the same time saying hey, let’s see if this was really worth the money you would have had us pay that we didn’t want to pay which I think is I think it’s pretty cool it’s kind of like on some levels it’s the you know if you do this to the system at hand, but it’s also something that’s pretty cool when it’s you know, if you’re a fan of this maybe it’s worth buying some of this I would have never seen the light of day i i don’t know i don’t care that much about it. So I wouldn’t be the one buying it. But if you are, hey, it’s your money.

Dave: Up until the 18th of July I think we’ve got it on. I’ve got to admit I’m no Radiohead fan and Jesus Christ, this is one hell of a long time call it an album but series of discs if I remember rightly a mini disc something like 500 meg capacity and is 18 discs. So that is a lot of audio even Radiohead themselves say that this is, sorry, very, very long. So I mean, you’ve got to be like a super ardent fan to even be bothered to listen to this. Apparently, this is just a noted audio of people talking and you know, music playing and things like that. So you’ve got to be serious. You got to be a serious Radiohead buff.

Jeff: And I like this. I like this quote from the lead guitarist Jonny Greenwood here. That is never intended for public consumption. parentheses, though some clips did reach a cassette in the OK Computer reissue. Close parentheses. It’s only tangent. Tangent, tangent. teli. Tangent, tangent. Tangent teli. Interesting. Thought it was a new word today. And very, very long. Not a phone download. Rainy out, isn’t it though?

Dave: Yeah. Yeah, I’m going to Google search that in a minute and find out what it means. Maybe it’s a typo.

Jeff: Internet’s hard. But I think it’s definitely a cool thing. And it goes to show like, you know, granted, this isn’t a ransomware case, but it’s something being held as a ransom. So similar what we say but ransomware don’t pay for it. And these guys are sending a big F-U. And they’re going to make money off it too on the other side. So instead of losing money, they’re probably going to make a few bucks.

Dave: Yeah. And before we go to the next stories, it’s also worth pointing out that I suppose Radiohead in a way are in a privileged position, because they can do this, you know, they can just say whatever, you know, release, it doesn’t matter. I don’t care. But if it’s a small band with like, audio recordings and things like that, how would that be, you know, if someone got hold of small bands, audio clips, recording sessions, and there was only that recording? How, would that band react? I don’t know. But you know, it. Thankfully, that’s not happened here. In this case, Radiohead, just two fingers to the hackers just said, Do what you want. So it’s quite funny, but I suppose take my hat off for a second and try and look at it from another point of view.

Jeff: Yeah, I think I think it’s just interesting, to be honest. Like I said, it’s like ransomware, if you pay it, you don’t empower the criminals. And in this case, they gave the one-finger salute to the people. Speaking one-finger salutes, I kind of love this story for a number of reasons. But yeah, for those of you who haven’t seen it. A deep fake video of Mark Zuckerberg hit Instagram recently, and it’s just really a great video if you haven’t seen it yet. But what it really does is it changes, you know, Zuckerberg, his voice to kind of talking about how they don’t do a great job of protecting things.

Dave: Yeah, this one. You know, deepfakes are really creepy. I was it last year, year before we had quite convincing deepfake of Obama, President Obama, maybe two years ago?

Jeff: Yeah. It was a really convincing one. And it showed how dangerous these videos can be.

Dave: Yeah. But I mean, prior to that, deepfakes were kind of around, but they were really sort of, they looked a bit rough and ready. And, you know, nobody took them seriously. And now we’re getting to a point, I think we’re kind of at that critical point where we’re starting to see, I do remember when Photoshop first came out, and people thought it was stupid, and then as Photoshop sort of matured, and we started seeing better, sort of more realistic Photoshop. Yeah, everybody knows Photoshop images as well. We’re at that point now where we’re starting to see sort of realistic fake videos. I mean, we spoke about the David Beckham one, which that was crazy. That was really, really convincing. So this one this one’s not. If you keep it muted, it’s actually —

Jeff: — but I think that’s the point, people don’t listen to videos, or not YouTube on Instagram, they just watch it on the screen. And when you start seeing the comments about them for like, imagine this for a second: one man with total control of billions of peoples’ stolen data, all their secrets, their lives, their futures. Think about that.

Dave: Yeah.

Jeff: Somebody even seeing that pop up can be like, “Damn, this is this is this is some deep stuff here.” No pun intended. But I think when you look at it, this is what can happen. But I find the most interesting part about this is it’s not it doesn’t just test Facebook’s ability with deepfakes. It tests their policy on what they’ll do with videos like this.

Dave: Yeah, yeah. Because they’ve originally said that they wouldn’t do anything with videos like this. And they just leave them as any other video normally. But obviously, this one is with Mark Zuckerberg, and it is kind of taking the mickey out of Facebook’s attitude to sort of transparency and privacy and things like that. And he’s also pushing this bill posters, aspect to our installation. So that’s quite interesting in itself. Yeah. Let’s see what Facebook do with it. Because whatever they do —

Jeff: I actually think they’re going to leave it up.

Dave: Yeah, I think they will as well.

Jeff: I think that at this point in time, they have to, because if they’re looking to try to, you know, let people say that they’re going to be serious about things with like elections, they can’t just pick and choose when things suit their own business agenda. Instead, it’s something that has it, you know, instill trust back in their two platforms. And when you look at this, you know, I think that’s, you know, legitimate to have a concern that people should have when they’re looking at something like that.

Dave: Yeah, definitely. Yeah, we’ll have to see what happens. But I think you’re right. I don’t think it’s going to get taken down or deprioritized.

Jeff: Yeah, I think looking at this, it’s really something that will be cool to see what comes of it. And I think as we look at the series of stories today, you know, we end with some that’s a common theme, you know, we’re looking at privacy, we’re looking at dealing with something of a data breach. And then we’re also dealing with something that’s more new age, and things that are going to be manipulated in the next, you know, this election cycles coming up in the US. Let’s be honest, here, we don’t have a good track record of not throwing mud at people to begin with, let alone now you’ve got technology making the rounds. And so when I look at this, I think this is something we’re going to see a little bit more of. And really need to see what comes of it. And you know, for that users would love to hear your thoughts on that because this week’s edition of our podcast has come to a close. Hope you liked what you heard. If you did, please subscribe below or share with your friends. Sharing is caring, and it really helps the podcast and if you really want to help us out a lot, please leave a starred review on Apple iTunes. And with that, Dave, have a great weekend, man. Users, it’s great you joining us. We appreciate the time. We’ll be back next week with another edition of the Kaspersky Transatlantic Cable podcast. See you then. Bye-bye.

[Automated podcast transcript lightly edited]