Transatlantic Cable podcast, episode 98

June 26, 2019

For the 98th edition of the Kaspersky Transatlantic Cable podcast, Dave and I jump between the consumer and public sectors — from consumer cybersecurity to government-focused ransomware attacks.

To start things off, we dive into the world of music — for the second straight week. In this story, Genius.com says it has evidence of Google scraping its site for song lyrics. The devil’s in the (Morse code) details. After that, we look at a story about Instagram testing out new ways for users to recover their accounts following a hack.

The third story has us looking at the Internet of Things and Samsung’s message for users to run antivirus scans of their smart TVs. To wrap up the episode, we head to Florida, where a local municipality decided to pay the ransom after falling victim to ransomware.

If you enjoy the podcast, consider subscribing and sharing with your friends who need more regular updates on security. For the full text of the stories, please visit the links below:

Jeff: Today I think today we’re going to start off in an era we haven’t talked about, on this podcast much outside of the Radiohead story recently is, we’re going to the world of music today for something with Google, and website Genius.

Dave: I love this story. It’s still in a bit of legal quandary. But yeah, the story’s over from Business Insider, and he’s talking about how genius.com apparently, I say apparently, because this is still going through the legal works, apparently called Google red-handed copying lyrics, and basically just robbing them of valuable search traffic. So, for anybody who doesn’t know, I think Google in 2017, maybe 2016 started introducing like these little hot boxes at the top of search. So if you search for something, which has a short answer, or could be kind of truncated down to a short answer, Google, were able to autofill this little box at the top, and you see it for all sorts of things. Google started doing it for lyrics to specific songs. Now, the problem here is that genius.com is a site where artists upload their lyrics, so you can you know, check lyrics on particular songs. And the search bar, little hot box at the top means that you don’t have to go through to a website, Google display that information for you, Genius on losing traffic to their website, because Google was autofilling these responses for them. And the story goes that Genius were sure that they were basically copying, copy-pasting from their site. So they came up with a little plan to try and catch Google out on this. And it’s a fascinating plan, including some Morse code. I don’t want to spoil it because it’s actually quite a fascinating story. But they it was is basically all around fonts and things like that, wasn’t it? And they managed to prove, I’ll use air quotes because none of us has been confirmed yet prove that Google was stealing genius.com’s lyrics than their artists have loaded. It gets more complicated, but that I mean, that’s the general gist of the story so far.

Jeff: I think this whole story is really interesting. For a number of levels. It’s like number one, anything you do with the search boxes, you realize Google’s taking content from a site, whether it’s Wikipedia, it’s a how-to site, or even just a an overview site of what you’re looking for. So on one level, you’re going to get a short, abridged version. But with lyrics, you know, let’s be honest, your songs are only usually two to three minutes at a time, so you’re not going to have much text. So I see the I see the gripe that Genius has here. And I think this plan is not play spoilers. It’s really interesting what they did with the apostrophes here. Yeah, what I find interesting here, Dave, is the closing paragraph of the article that states Genius, of course, does not own the copyright to the lyrics it publishes. The musicians do. That means it may have tough luck taking its complaints and evidence to court to hold Google or its partners accountable. Now, why I find this interesting is, you know, Google has partnerships with a lot of places to get data and put pull it into sources. It’s a lot of he said, she said, of where was this data taken from? And I think, at the same time, you know, there is a compelling story with where the stuff had been scraped from, but, again, it comes down to who owns the lyrics, which isn’t Genius.

Dave: Yeah, I think I think there’s kind of a wider question here as well, that, which you touched on, you know, Google are able to stop people from going to specific sites, if they also fill these hot boxes. And I’m sure that there’s a lot of companies out there that have a real beef with Google about this, not just genius.cam, because, you know, there’s other things like, I was just thinking, as you were talking about a like, another one, which is ripe for complaint is my famous quotes, you know, you might be trying to think of someone who has done a recent quote, or something like that, and you search, I don’t know, Bob Marley quote. And if you do that, Google autofills in a hot box, you know, the most popular quotes. And there are actually quote sites, which I would imagine are losing traffic, because people will see this on Google and never go over to specific sites. So, I’m pretty sure there’s more than Genius, you know, frustrated by this.

Jeff: Yeah. I’m sure there’s a lot of people frustrated with it. But at the same time, you know, search is a game of you’re really playing with Google is the main thing. Then, you know, what I think, on some areas, I think like lyrics and famous quotes, like you’re saying, is something that’s very interesting, because there is that gray area of what’s public domain and what’s not. I know that lawyers and everything have their own statements on this. And I’m building lawyers and take no legal advice for me. But I think when you see something like this, people are going to be scraping this data. And to be honest, if somebody’s blocking Google from scraping their site, but there’s a partner that’s aggregating things, it comes out to where is Google getting the information from? If a partner scraping, shame on the partner, but at the same time, this is something that technically is in the public domain to a certain extent. And, to be fair on this, you know, I think as we look at this, you could see a point where, you know, record labels might not be happy with genius.com from putting lyrics up there. And that’s, that’s something else that’s that comes into it. So I think that ending quote is really what sticks to me in this whole saga, which I’m sure is going to keep going on. Because it’s one thing to, you know, allegedly catch Google in the act, it’s another to allegedly be able to, you know, win at this in a court of law versus a court of public appeal, which I think right now they’ve won the court of public appeal, because it’s, you know, this big monster versus the little guy who’s just sharing what you want.

Dave: Yeah. David, Goliath, the whole thing. Yeah, I don’t, I can’t see this going away anytime soon. I’m sure there’s going to be a few other companies, as we said, who have a bit of a beef with Google. But as you rightly say, you know, Google’s the boss, at the end of the day, you’re playing by their rules. So I mean, who are the competitors like go and Bing and Yahoo search to a lesser extent and things like that. But I mean, what Google online, say, 80-90% of the search traffic, so you know, you kind of play by their rules. So yeah, let’s watch where it goes. And I’m pretty sure it’s not going to go away anytime soon.

Jeff: Yeah. And I think, you know, we’ll see what happens with one thing that hopefully is going away soon is Instagram account takeovers, and I think this is a really big win for users who fall victim to getting their accounts, hacked or locked, is that Instagram’s testing new methods to help people recover their hacked accounts, which I think is a really good thing.

Dave: I think this story touches on a few of the things that are going on in the background. And, you know, we’ve talked about in the past in in the fact that a lot of people put a lot of importance on their Instagram account.

Jeff: Of course, everyone wants to be an influencer, homeboy.

Dave: Yeah, exactly. But very few people take the security of those accounts seriously. So, we tend to find this, that we’re in this unusual position where people are getting their accounts hacked, especially those and Motherboard have touched on this in the past, especially those who have, like, really sought-after accounts, like one lot of characters accounts. And this is similar to what we’ve seen on Twitter in the past, but to a lesser extent, we’ve seen a huge increase in these this sort of activity on Instagram. And you know, the dark net trading of hacked and stolen Instagram accounts is thriving by all accounts. So, to see Instagram, trying to put new measures in place is good. But, you know, a lot of the time I just wonder if just simple security procedures, if people were to follow them in the first place, we wouldn’t be in this situation, would we?

Jeff: I think this one’s interesting, because it’s a multistep process where they’re going to send you a security code to your e-mail address or phone number. And supposedly, it sounds like they’re putting in extra measures to stop people from losing their accounts when somebody does do one of these takeovers.

Dave: Yeah, it sounds to me a bit like, like two-factor authentication, but these specific users.

Jeff: To be honest, looking at this the screenshots in this article, it looks it looks very similar to the Apple ID account, when you’re locked out of your account.

Dave: Yeah, yes, yeah. So when you get you get the little notification number that you have to punch in? Yeah, it just looks similar. I mean, it is morning testament and moments. I mean, we kind of going on, on what they’re saying on here.

Jeff: But I think it’s a good step, Just as you said, this is coming up to be a bigger issue where people are getting locked out of their accounts, blah, blah, blah. And now it’s like, what do we do here? And with this one, you know, this is a way of the company’s doing something to also augment the fact that they have bad customer support for general users.

Dave: Yeah. Unless you’re an influencer, as you said, probably. They probably get 100,000 tickets a day regarding account check ins and things like that. So unless you’re an influencer, you probably should got away.

Jeff: Yeah. I think this quote here that I like about here is it with this feature, we give the account holder the security of knowing that their username will not be available to be claimed by someone else for a period of time following any changes, the spokesman added. The feature is currently available to Android users and the rolling out the iOS, the I don’t know, what I think is good about this is just the fact that, you know, they’re admitting they know that there’s a trade of these sites. And now what it comes up to is, how are they going to stop and protect users from losing those accounts? So it’s a good step in the right direction, but again, in testing programs, and let’s see what happens when hackers alter their methods as well, because let’s be honest, here, it’s going to happen, they’re going to alter the way they do business as well.

Dave: Yeah, I mean, there’s no foolproof security method for something like this. And you know, every step towards a kind of more secure Instagram account is to be lauded is a good thing. But as you rightly say, and as also, as the article also points out, hackers are only going to shift and adjust their methods. If this if there’s something of value that they think they can get across, you’re going to try it in a different way. So yeah, you know, it’s good. But I think simple security procedures like enabling two-factor authentication, strong passwords, and things like that. And obviously, don’t share your account with anybody else, you know, simple steps that we can all take to help stop it in the first place.

Jeff: So yeah, that’s good news. But something else that now pops into the news a little bit more, we’re going to talk about our other favorite thing outside of Facebook-owned companies and talk about the Internet of Things. And the latest update from Samsung.

Dave: Yeah, I feel sorry for Samsung with this one, because I think they’re trying to do the right thing. But obviously got a lot of flack for it. So the story’s from BBC, and it’s talking about how I think this was like two weeks ago, something like that, Jeff, wasn’t it? [Jeff: Yeah.] Samsung support USA tweeted, scanning your computer for malware, and I’m quoting here, scanning your computer for more where virus, malware viruses is important to keep it running smoothly. This is also true of your QLED TV, if it’s connected to Wi-Fi, prevent malicious software attacks on your TV by scanning for viruses on your TV every few weeks. Here’s how. And then there’s a link and a video.

Jeff: I saw that post has also been deleted.

Dave: Yes, it was deleted shortly after it went up. But apparently, video was viewed something like 200,000 times, I think is a case of you know, they’re trying to show that they want people to they’re trying to educate the customers, but it kind of came out the wrong way. Because you know, people don’t want to feel that they have to scan the TV. I mean, what an age we live in, right.

Jeff: You know, the thing is here is that most people don’t like to scan their computers or viruses, let alone the TVs. Yeah, yeah. And I think, you know, this isn’t the first time that we’ve talked about the TOS and potential security issues with it. I think going back to 2017. It says this was talked about but you know, on one hand, you know, I feel for the guys handling, you know, the support handles from Samsung on the Twitter space, because you know, they’re going to get trolled incessantly. But when you look at this, at the end of the day, a smart TV is a computer that’s sitting on your wall.

Dave: Yeah, I think we have seen actual, you know, in the wild malware that attacks TV software. It’s not, it’s not unheard of, it’s not like it doesn’t happen, it is exceptionally rare from what I understand. And you’ve got to be looking at some pretty dodgy sites on your TV, you’ve got to be using the usually using the Internet browser, on built into the TV, or you’re plugging something into it. Why USB? You know, you’ve got to go out your way basically to get a TV in fact that it does happen. But, you know, I think I think going back to what we’ve said in the past, and this is this is a perfect example of does it this device need to be connected to the Internet? Do you need this to be connected to the Internet? And you know, you ask, ask yourself that question first. I mean, for smart TVs, these days, they have all the Netflix apps and BBC I play and things like that. But I mean, for example, like myself, I run all that through an Xbox. And I know there are other alternatives. I think there’s the Amazon Alexa Stick, sorry, Fire TV Stick with Alexa built in. There’s multiple different options, right? So there’s not necessarily any need to have a TV connect to the Internet. And as someone points out, in the tweets below, on the article, make a TV, just a TV. And if you want Internet connectivity, just have a box, Xbox, PlayStation 4, whatever, which does that for you. And that kind of cuts out the need to have your TV connected to the Internet. So, you know, if you want to do it sure, is not a problem. But I think you know, asking that question first.

Jeff: I think that the problem here is there’s a lot of the tweets, say as they’re talking about how the burden is on the end user, and this is could be done by push update. But to be honest here, does anybody really want to see their TV having the blue screen, the Microsoft-style blue screen, it says you’ve got 561 updates to do and, you know, updating, updating your TV is a pain in the ass. I had to do it to one of my TVs. And yeah, even with the Fire Stick have to do it every so often. And it just takes time and it takes away from what you’re doing. So again, is there a better way, probably not. You just need to practice safe Internet Security economist saying that, but I think at the same I think at the same time, take it on to yourself to do some of these because, you know, sadly, we can’t just us to be something that the vendors are going to push on people. And, you know, let’s see what develops with the story because as the people are saying in there, it’s very limited in terms of malware attacking, you know, smart TVs right now. But then again, remember everyone said ransomware was a limited-scope operation outside of a few years ago, too. Now, speaking of ransomware, I’m going to jump over the States here to the latest example of consultants telling governments to do the wrong thing.

Dave: A city in Florida Riviera beach, has agreed to pay £600,000, which is a whacking amount of money, to hackers. And this is probably the most I’ve seen paid out by the way, you might know different, Jeff. But, you know, this is this was a city that was hit. Their whole infrastructure was affected, apparently. And they unanimously decided that they should pay this. Pay the hackers, this £600,000. Apparently was put to a vote, although as you quite rightly pointed out, their security consultants suggested that they do it. So, you know, what’s at play here?

Jeff: Governments are a big target, especially small municipalities, as we’ve seen, you know, not even the small ones of Baltimore have seen recently with ransomware. I think what really comes out here is, in a sense, these communities are up a certain type of creek without a paddle. Yeah. And then when you start to go this way, there’s not, you know, a lot of wiggle room. And the problem is, you know, with everything crippled, you’re worried. And for a city of under 40,000 people this this is not, you know, a giant city by any stretch of the imagination, but it’s still a large number of people impacted and day to day operations come to a standstill. Now, in the article, it talks about an employee clicking on a link, my question here is, Why are there no backups?

Dave: Yeah, I think you might have hit the nail on the head there, you know, it’s a city of 35,000 people, so you’re not going to have the budgets of like Boston and larger cities. So that’s probably one of the things that there’s a problem here. But also, I think we’ve seen not only as you can probably attest to in the States, but over here in the UK, we’ve seen like a lack of funding for IT security infrastructure, pretty much everywhere. And I think this is kind of what we’re seeing as a result of it.

Jeff: I think this is one of those areas where you still see people saying, well, that won’t happen to me. Yeah, at the end of the day, when you’re a target, they’re going to come after you municipalities are targets. And you know, unfortunately, as you said, the UK and the US know that a lot of cities being taken and held ransom by attackers. And you know what, we’ve got to start thinking about this, that if you’re somebody who works in one of these municipalities, you really need to start educating yourself on ransomware. And if you don’t, I’m not gonna say bad things aren’t going to happen or if they will, but chances are, you know, it only takes one mistake for stuff to happen.

Dave: Perfect example, because this was apparently just one employee clicking on and downloading something from an e-mail attachment. And it’s crippled the entire infrastructure of the city.

Jeff: The sad part is the people who are discussing this and making the decisions probably aren’t the IT security experts there. They’re probably somebody who’s elected to a job. And they’re looking to keep their job instead role, and do what their consultants say that trust your people, and their people are telling them pay the ransom say do but again, you know, neither the FBI, nor major law enforcement want you to pay those ones because it further enables criminals to do criminal stuff.

Dave: Yeah, exactly.

Jeff: We also don’t recommend that. We think it’s bad.

Dave: No, I think, I suppose, in a way, and I’d always say anyway, but in a way, it’s easy for us to say that because you know, we’re not, we’re not the one with systems down and not being able to pay people and you know, that that looking at it from their point of view, the easy option. And when you’re in the thick of it, the best option seems to be, let’s just pay this money. The insurance company will pay will cover it, let’s just pay this money and get the data back. But, you know, that kind of, as you rightly say, just perpetuates hackers doing what they do, because, hey, I’ve just got $600,000 from this city, just hacking one e-mail, I mean, literally one e-mail did this.

Jeff: Just educate yourselves on what to do and what not to do and, you know, look at possibly investing in better systems and better protections. So with that, guys, this week’s edition of the Transatlantic Cable podcast has come to an end. Hopefully you like what you heard. If you do, please give us a rating on Apple podcasts or your favorite podcast listening station. If you feel that somebody in your life could use the Transatlantic Cable podcast, feel free to share it on your social networks with them because sharing is caring and we love you for that. And hopefully you liked what you heard. You know, we’ll be recording again next week. And until then, we look forward to hearing from you on the interwebs. See you soon.

Dave: Bye bye.

[Automated podcast transcript lightly edited]