TFGL2021 - S3 - Ep 5 - The Disinformation Dozen
Welcome to this episode of the Tech For Good Live podcast.
Hosting this show this time around is Tom Passmore and he’s joined by Greg Ashton.
Our special guest is David Higgins, variously CTO for the original Learndirect online learning platform, Programme Director for the NHS Care Record, Security Cleared Odd-Bod at the Home Office and FCO, Programme and Security Director for the 2nd Generation UK Smart Meters Network, Cabinet Office High Risk programme reviewer, occasional CNI Security consultant and all round advisor for technical and security things. That's a lot of things.
Transcript
Tom: As the intro jingle fades away, I predict that you're feeling untold amounts of joy because you know that you're about to start listening to a group of mates talk about the weekly news. About stats, charities and tech. That's right. This is the Tech for Good Live podcast here to warm the cockles of your heart. Our plan for the show today is to spread the light as we highlight just how deep COVID misinformation goes. We'll talk excitedly about the league table of trust. And as a joué du veau, we're going to talk about digital security in China. Let's get cracking. So today you'll hear the voice of Greg Ashton. Say hi, Greg.
Greg: Hello.
Tom: And this is the voice of the host. That's me. I'm Tom Passmore. And we have a guest with us today. Hello there guest. What does your voice sound like? Who are you? And what do you do?
David: Hello, I'm David. David Higgins. As you can tell by my voice, I'm from God's own country, which is Yorkshire which I am today. And it's, goodness me, it's hotter than the devil's underpants today. What do I do? Well, all sorts really. And I started out, I suppose, of things you might have heard of. I was Chief Technology Officer for Learndirect which was the government’s original e-learning platform before Learndirect kind of took a turn to the right. I was Programme Director for the original and possibly best…
Tom: [laughs]
David: NHS Summary Care Well. And it's like anything in life isn't it? Your first time is always the most. So I was programme director for that, and that was sort of the second job I had where I've been vilified in the press. So I kind of got vilified by further education at Learndirect and I got vilified by almost everybody frankly for the National Summary Care Record. And after that I did some weird stuff.
Tom: [laughs] Don't we all? Don’t we all?
David: Yeah, no, really weird. And also when I was at the Home Office and Foreign and Commonwealth and I did a few stints, did a few short stints with the DWP. Did a bit of, well, quite a lot of security work. So you know, sort of high net worth individuals as they say.
Tom: Oh, wow.
David: Which was nice.
Tom: As in their driver?
David: Well, no. Well, bizarrely, I was talking about this the other day. I mean, the rich are different, let me tell you. And while I was doing that particular job and I can’t name the client right, but while I was doing this particular job I had to do three meetings in a day. One in London, one in Jersey and one in Geneva because it was hedge fund stuff right? It was all about security posture for the stuff we were doing. And no matter how we tried to sort the travel, I couldn't get around all in a day and the guy who owned the hedge fund was like, oh what are you doing, just just rent a private plane. So we're on a private plane for the day.
David: So yeah, I stopped in London and then jumped into the obligatory black Mercedes outside the office with the tinted windows and a nice bottle of water, straight across to Northolt, onto the tarmac. Like, you know, Ryanair has never been on the tarmac, up the steps. Very personal young woman in there. Couple of blokes in the front driving the bus, you know, and off we went to Jersey. Forty minutes. A few canapes on the way. Another Mercedes there, getting pounded. The staff got back on the plane, flew an hour and a quarter, had a light lunch on the way. Very nice. Went to Geneva, did the stuff and was back in the flat in London for half past seven at night.
Tom: Wow.
David: And you know, time is a factor for these people right?
Tom: Yeah, yeah, time is money.
David: I'm not even going to say how much it costs, right, but you could probably buy a very nice Mercedes for the money. But the day was, you know, time is more important than that. So I did some stuff for that kind of environment. And then what do I do? Oh then I got shanghaied into going being the programme security director for the UK smart meters network. Second generation right? A bit like Star Trek.
Tom: The better of the two? Yeah. I’m gonna have to, like we've got a whole agenda here David, we've got a whole agenda. We get the idea. We get the idea [laughs]
David: Obviously I'm popular. I've done some very odd sort of stuff as well, you know, squirrel stuff in bits and pieces.
Greg: So basically you've done a lot.
David: Well, I’m really old right. Like honestly, let me give you a bit of advice, my children. Make the most of the time you’ve got now because by crikey, does it go quick!
Greg: [laughs]
Tom: Well, David, I don't like, so we’re happy to have you cameras on so you can see each other and I don’t think you look old. And I think that's a massive amount of misinformation. And talking about misinformation, Greg, I'd like to take you on to that to the stat of the week.
Greg: Very nice. Nice segue there. Starting strong, I really like that. So a new report has come out, claiming that the majority of COVID misinformation is linked to just twelve people. They're calling them the disinformation dozen. This is from the Centre for Countering Digital Hate, which is a cross Atlantic charitable organisation. The report was quoted by the White House in the last week. So they analysed over 800,000 Facebook posts and tweets and found 65% came from this disinformation dozen. On Facebook alone, the dozen are responsible for 73% of all anti-vaccine content.
David: They’re busy little bees aren’t they?
Greg: Yeah.
David: I mean, what do they do with the rest of their day?
Tom: [laughs] Like do they know who these dozen are?
David: Yeah, they do. They've got them listed. And they've got some great names as well. I mean, they've got some like proper American names. So there's like Ty and Charlene Bollinger, which is an interesting combination of Neighbours and champagne, isn't it?
Greg: [laughs]
Tom: [laughs] Yeah. Like, this has blown my mind actually. I don't understand this as a, like, there's 12 people telling lies and the world is lapping it up.
Greg: Yep.
Tom: But the internet, like, I'm not gonna say the entire world, that's probably not fair. Half the population in the world are lapping it up.
David: Yeah.
Tom: 3 billion people, let's say give or take, are lapping what 12 liars are saying.
David: Well, yeah, yeah, I'm sure you've got good lawyers, right? You can tell I do this for a living as well. Now, I'm sure that they firmly believe that they're in the right. But there is a fair bit of madness about, frankly. I think I was saying before we did the pre roll titles, that I have to spend a bit of my time on social media looking for various trends and things and as you quite rightly pointed out the report does as well, Facebook by increasingly, Twitter, right, you wouldn't think so many people would get so much angst into 140 characters, would you? Are becoming the sort of echo chambers, you know, and you know, and it kind of, if there is a master plot behind it, and well done for organising because nothing else gets organised, does it right? No, no, you know, we've taken the, the, what's it, the wood chip off the back bedroom for the last 12 years or beyond that, right.
Tom: [laughs]
David: But, you know, these ideas sort of self perpetuate, don't they? I mean, there was something I was watching some video from the lockdown protest on the day of the lockdown finished, right. And I thought there's an oxymoron for you. And they got this, this woman there who had been a nurse and been struck off, apparently, and she was quite, you can see by looking at it, she quite firmly believed that the vaccine had some sort of radio chip in it. And the radio chip was talking to the 5G network. And now if that technology exists, I really like some of that, because rather than carrying a phone round, you could just like think and connect to the network, wouldn’t it?
Tom: [laughs] You know, I mean, that is the dream. I would love, I would love that. But yeah, like, kind of, but yeah, no, I just, I'm struggling to get my head around this, this level of, well, I'm struggling to get the words out. How twelve people can spread this so like, efficiently like this is a science.
Greg: It goes back to the heady days of social media, where viral was the thing and I think we got, we got this impression that like, because virality was what everyone was trying to seek and it was kind of a fake thing. You know, I used to do talks on how virality was pretty much a fake. And I think we've got this idea, not just the social media people but like everybody else as well, has got this idea that sometimes ideas just take hold, and you can't really pin it down. And we saw it with Trump when he got banned. Like loads of misinformation disappeared from Twitter and Facebook then and, you know, this just continues that trend with these twelve people. And it just shows how much just a few people with enough influence can really kind of steer the conversation and the culture of nations.
David: But it's um, I was talking about this actually, bizarrely, I was talking about threat intelligence assessment. But the truth is such a rare quality now, isn't it? You know, and I've always said we should treat it as such, but actually, you know, to really find the truth of the matter, you personally have to go and see it, don't you, and a lot of this stuff is, and you see on the repost, don't you, that there's kind of this core of people have these ideas. And, and then it just gets amplified and reposted and other people pick up on it and stuff. And it does take on a life of its own. And I suppose, I can't remember who said it but if you say a lie big enough, often enough then it becomes a truth, doesn't it?
Greg: Hmmm.
Tom: Wasn't that one of Hitler's friends? [laughs]
Greg: Probably. Yeah.
David: Could’ve been.
Tom: The thing is, it was probably well before that but they convinced themselves that they said that.
David: I believe it was Julius Caesar but I wasn't there, either. But, but yeah, and like you say, because if you step back from this stuff, and you go, Well, actually, yeah, it's got chips in it. Right? Well, okay. Who designed those chips? And where are they manufactured? And how do they get into the vaccine? And how can you see them right? Because actually, if you've got tiny, tiny chips, you know, how small are they? So on the proviso that there is a chip in it, right? Who did the chip design? Right? Bring me, bring me the head of that chip designer. And where's the manufacturing plant? Oh, but it's got to be in China because they do that kind of stuff. Fine. All right. So where is it? Yeah, have you got any satellite picture, this kind of thing. But you know, people become very wedded to these ideas.
Greg: So like, I often think I'm a little bit jealous, because I feel like my world is much more mundane and boring than theirs. So I feel like, I kind of, I wish for the days where I believe that lizards are running the world because actually, there might be some excitement in the world then rather than it's just a bit shit.
David: Yeah, yeah. Life. Yeah, I think life would be really quite more entertaining, wouldn't it? Frankly. And I suppose, you know, maybe, maybe people want to think that there's a grand conspiracy. I mean, you see the great reset stuff come up quite a lot.
Greg: Hmmm.
Tom: What's the great reset? Sorry, I don't know anything about the great reset.
David: The great reset and I can't remember who did it. Was it the World Health Organisation whatever. Anyway. This is the, you know, we have too many people and it's all terribly awful and we need to reset everything, which is kind of the global equivalent of sticking one of those unfolded paperclips into the back of your malfunctioning.
All: [laughs]
David: Somewhere there's a hole in the world, and there's a big thing coming from space and we’re gonna get stuck in and the world's gonna reset, and it's all gonna be like, lovely. And we're all going to love one another.
Tom: Oh, yeah. Okay. Yeah.
David: And that sort of a, you know, but the idea is, is that those people who don't want the great reset, who want it to be exactly like it has been, which is generally disorganised and a bit unpleasant. Because, you know, that's their view of how the world should be, oh, somebody’s ringing me. I’ll stop that. It’ll be another one of those HMRC callers telling me we're going to come and arrest me again. I'm getting a lot of those, which will be later.
Greg: [laughs]
David: I mean, there's lots of people who are unhappy, perhaps with their life or with the world in general and maybe this is just a way of dealing with it.
Tom: Yeah, I mean, so it's interesting, this idea that, yeah, there's people, there's unhappy people in the world that are trying to deal with it. But like, as in, is there a lot of trust within these people. And is there a lot of ways to kind of govern these trusts? Because I'd like to segue neatly onto the charity news of the week to talk about trust, if that’s alright Greg,
Greg: Yeah, a new report has come out and it's actually positive news for charities. So an independent study carried out by Yonder has found that charities are among the most trusted groups in society. Third only to doctors and police. So 60% of those who were asked say charities play an important or very important role, compared to 55% last year. Linked in part to the COVID-19 pandemic. So basically, what they think has happened here is charities have become a lot more visible in the work that they're doing because of things like people struggling to feed themselves, you know, there was a lot of stuff about school dinners and that kind of thing. And people clothing themselves and just generally support and it just seems like it's been a lot more visible to people during the pandemic, not counting as well, the health charities that obviously have been essential during that time. So yeah, it's just nice to see a bit of positive news for the charity sector.
David: It’s certainly an interesting point. Isn't it about trust? Because I'm gonna just zoom back to the other topic? That's a whole, you know, don't trust science right thing in there, isn't it, because they're all in it as well. Infamy. Infamy. You've all got it in for me. And yeah. And scientists are now interested and doctors are interested in stuff. So it's nice, if that's the appropriate adjective to think that charities have become more trusted. And I think you're absolutely right, that, you know, during these, seems to be going on forever now, doesn't it, the whole COVID thing. But yeah, I mean, they, you know, there's been a whole bunch of stuff that sort of came out the very start I mean, I, I do a bit for doing a bit for sort of community radio, amongst everything else.
Tom: [laughs]
David: One of the things that we noticed in terms of sort of people that they were talking to on the station, was all of a sudden, there was this sort of social cohesiveness, which I think is broadly evaporated, because people got fed up of it all. But people were coming together, and there were kind of regional groups to help people and, you know, let me go and get your shopping for you, or let me go and do this for you.
Tom: Yup. Yup.
David: And you know, check up on the elderly and all that kind of thing. So it wasn't just kind of like the, “formal” charity sector that can account for those informal networks. And that was, you know, if, if anything good could come out of this, all this whatever's going on, right, that level of social cohesiveness, because you know, there was a bigger enemy out there that was called COVID, that brought people together. And you're quite right. I mean, I think there's loads of people that have availed themselves of, you know, charities and things. Or charities have helped people where other systems or other social systems have failed. So I think it's to be applauded, frankly. So you know, kudos to everybody who, yeah, be it formal or informal, frankly, that helped out during the crisis. And, yeah, it will be great, wouldn't it, if we weren't all writing about 5G reading my thoughts that actually that social cohesiveness that was there at the start, but I think it's faded quite a lot since then, could somehow stay. You know, I don't know how to do it but I just thought it would be, again, nice if we did.
Tom: Yeah, I think like, I think it'd be great if we have that. I know that some of my elderly relatives; they live down Hereford, they really benefited from that. They actually got to know people in the local community, people really helped me because they have to, they have to self isolate, like go into like full lockdown. What, what was it called again?
David: Not socially distancing but I know what you mean.
Tom: Yeah, yeah. Like, yeah, when you fully were like, locked down for like, six weeks or whatever. And people would go and drop food onto the doorstep. They really benefited from that. And this kind of great, you know, this community spirit really came about. With this story, I just worry that there's a double edged sword here, that's a bit unfortunate. Because I remember watching a news article that was on Twitter, so it probably wasn't true. But like, where someone was just like, are like, the Conservatives have been great. They're like, this government's great, because we have food banks. We never had food banks under the Labour. That's why the Tories are better. And it was just like, no, you've got this wrong. So like, the fact that people are seeing charities and being like, they are doing fantastic, amazing jobs. Like they're really helping us out. Or is it unfortunately, because the state has claimed that the charity sector have seen more into the limelight or is that just me playing devil's advocate?
Greg: Well, I think there's two aspects to that. Yes, we shouldn't need charities, but frankly, there are often cases where that expertise only comes from that sector. And it does need to have separation from the government, I think, in many cases. But also, I mean, the big puzzle for charity for a long time has been that question of how do we become more visible? How do we make people realise how important our work is? You know, years ago, I was talking about this lack of understanding that so many of the services that people would access day in day out, where they thought it was like the council or the government was actually being delivered by a charity on behalf of the council or government. So yeah, this is, you know, who knew it was just gonna take a global pandemic to kind of solve that question of how do you become more visible as a charity?
Tom: Yeah, just helping more people, I suppose. Like, help more people get more like and to kind of show the expertise show the ability to kind of respond quickly to a situation in your local area and I think that is, like, I think that is really key and really important to what we are facing at the moment. Like kind of these very like, hyper localised interactions with the public.
David: I think you're right. I mean, it's an interesting one, you know, the report about trusting charities, because I suppose the question is, is it actually because there are more local charities, right? You know, of course, you always like people that, you know, look like you and talk like you, live round the corner from you, you know, you're from round here kind of thing. And I, you know, I've certainly seen that in these kind of fledgling charities, let's do this, let's do that. All these help groups and stuff. And people went to them, because they knew those people. On the other side of that coin, I'm not gonna name any particular charities, but some of the big charities have got a bit of a lousy reputation at the moment, haven’t they?
Tom: Yeah.
David: And maybe glossing over some of the details there, right, but they’ve become like big corporate organisations someday, you know, international businesses, and so on and so forth. And some of them, despite trying to do good things, have not necessarily gone about them in a way that people, you know, would expect them to do. Whereas, you know, this local stuff, I think, has been a bit more iterative in terms of, here's a problem. Here's another problem. Here's another problem. And like you say, those, those sort of micro initiatives, a lot of those came up and gone away again, but a lot of them have got to be quite big organisations now. And because they learn basically, a live fire exercise, about how to deal with those kinds of things and those kinds of social issues. So, you know, I might take off my invisible hat to them, right, because I think it’s, you know, of all the terrible things over the last 18 months, that kind of groundswell of community stuff, I think, is to be applauded.
Tom: Yeah, I think the groundswell for that kind of hyper localization kind of those, like small kind of small interactions are really key. But going to the tech news of the week, also macro, macro intervention, global scale, that seems to be key at the moment as well, Greg,
Greg: Yes. Yeah, very much. So. So there's a lot of security news going on at the minute. So we're going to cover quite a lot of different bases for this, starting with China and then we're going to, you know, look at the Director General of the Security Services and his address recently and then talk about ransomware. So we got a lot of ground to cover on this one. Particularly suitable for David and his interesting past there.
David: My sordid background [laughs]
Greg: [laughs]
David: Are the words you’re looking for. I'm generally close to my criminal tendencies.
Greg: [laughs] So we're gonna start with China. So this, you know, broke yesterday. Britain and the US, along with other allies have formally accused Chinese state based hacking groups of being behind the exploitation of around a quarter of a million Microsoft Exchange servers worldwide, which happened earlier this year. Microsoft released a patch after discovering they were hacked. So they were stealing email communications from internet-facing systems running its business software. The group was called Hafnium. And now GCHQ have come out and said it's highly likely that they are associated with the Chinese state. Yeah. So what do we think guys?
Tom: [laughs]
David: I mean, first, you know, attribution. I mean, presumably they've got the FBI and National Security Agency on this, right. But attribution in these cases can be quite difficult. And you know, I think if they’ve probably nailed them to the mass enough. It is quite interesting because Americans do like to go legal on this stuff don’t they? They also issue an arrest warrant for these characters, which is like, yeah, that's gonna work, isn't it?
Greg: [laughs]
David: So it's more about window dressing and saying, you know, you've been very naughty and don't do it again. Yeah. And so, yeah, I mean, it kind of you got to understand, I mean, we were talking about this together in the pre roll titles, I think. We, you know, historically, going back a very long time to when I was a boy, we used to have kind of like activist type hackers that did it for the joy and that kind of thing. And then you had, you know, the fledgling nation states that thought, here's a good idea, let's make some stuff that might be interesting to us. Right? Because dirty pictures with manases doesn't work anymore, right? So anything actually cheaper or whatever, right. So can have some prints please. Yeah. And it’s cheaper. Anyway. Can I have some prints please? Sorry. Yeah. See where my mind goes? We'll talk about political correctness later, maybe. The line between those sort of two types of organisations have sort of blurred, right because you know, the guys on the left, if you like, the guys that actually do the legwork, you know, are quite well funded or they get a percentage of the take or whatever. And yeah, I mean, again, you know, you got to understand that, you know, these things kind of don't just happen. You know, be it a ransomware attack where they do it for money. You know, the guys will now sit down, you know, probably in a very nice hotel, with a Lamborghini and Russian girlfriend and say, you know, what's gonna make the money? And if you think about ransomware, there used to be things that used to be off limits, didn't they? You didn't do healthcare, right? Didn't do health care. And then by accident, a few people did healthcare. The Irish Health Board has had a bit of a to do with ransomware just recently and stuff, right?
Then, you know, in the olden days, you know, when hackers had principles, right, they wouldn't do that. But now they would, right because actually, that's where they've got you in a vice-like grip, you said, holding onto two round objects. And, you know, what they want is the money, right? Give us the money or give you the decrypt keys, right, and they're gonna hit you where it's most painful. So you know, energy distribution, healthcare, that kind of thing. So that's kind of ransomware. The other side of this coin is where you've got, you know, countries that have particular political agendas or economic agendas, that say, we want to know stuff about other things, right. So let's assume that you build nuclear power stations for a living, right, or that's one of your key things you're gonna do to make money for your country, you're going to kind of want to know what the energy demand profile is for a load of countries, aren't you? But countries don't literally release those, you know, energy demand profiles. So why don't you get some characters to nick them for you and then you'll know when you're bidding for a power station, you know, how to do that. You know, how big to make it or how much money you can make out of it.
Tom: This is missing for me. I don't think, that wouldn't happen. That's a callback to earlier. People wouldn’t do this. No. That’s dishonourable? [laughs]
David: Yeah.
Tom: We were just talking about how the world of community was coming back. This is a different world.
David: This is my point, right? That, you know, before you start to look at, you know, what people are hacking, you've got to understand why people want to do that. And intellectual property theft. If you had a genius idea that was on your laptop, but actually, if I commercialise it, I can make a billion quid out of it and I could get it to market before you could get the funding, why wouldn't I steal that idea, if I had those tendencies to do that?
Tom: Because you’d be a very naughty boy. You shouldn’t do that.
David: You shouldn't do it. Right. But you know, if you've got a, you know, national policy that says we're going to be a leader in, I don't know, network communications, for example, and we've got all these people back in the factory who could knock these network communications out, we just haven't got cutting edge tech. Got to take us ten years to do the research. But actually, there's a university over there, right, that's just about to publish your paper or doing the research on this. Why don't we have that away anyway, just to be on the safe side? Yeah. Intellectual property theft, this is what Ken from security services was talking about wasn't it, in terms of…
Tom: Is this Ken McCallum?
David: Yeah, sorry, I feel I could call him Ken.
All: [laughs]
David: Comparing all of what used to be called MI5 before they had a rebranding exercise. The MI5 have been around for absolute years and MI6 isn’t MI6. It's a Secret Intelligence Service. And GCHQ is a donut shop.
Tom & Greg: [laughs]
David: But yeah….
Tom: So what has Ken been saying, Greg?
David: Well, I mean, he's talking about the… go on. Go on.
Greg: His exact words were ‘increasingly the UK victims of espionage on other states range way wider than just government. We see the UK’s brilliant universities and researchers having their discoveries stolen or copied. We see businesses hollowed out by the loss of advantage they worked painstakingly to build’. So yeah, exactly what David was just saying there. It's not about governments attacking governments anymore. It's about how do we attack, you know, the best and brightest of the nations to steal their innovations, their ideas and their business.
Tom: I mean, that is, as a small tech business owner, that is terrifying. Like, been spending the last four years working on some software with a small team, like, getting some innovate money, and then someone just being like, thank you.
David: Yeah, we'll have that. Thank you very much. And that's broadly what it's like kids. You know, I mean, there's, you know, we were picking out China, but you know, other nation states.
Tom: [laughs] They do exist.
David: May be available. Markets and nation states may be available. Yeah, what's their economic policy? What's the global policy? You know, where do they want to be in the world kind of thing. And if you think, well, actually, we got to become a world leader in all I don't know, you know, 5G routing technology. Yeah, but we want to kind of leapfrog the opposition, where do I go to get that tech? Well, I suppose I could set up a Research Centre in China, couldn't I?
Tom: I think they've made little vaccines. That's quite easy to get now. Everyone's got 5G in their arm now. This is what the dirty dozen have been saying. Not the dirty dozen. Is it the disrespectful dozen? What were they called? I don't want to name their real name.
David: They’ve some great names in there. And if you listen to the podcast, read the report. There's some fantastic names in there. And, Ty and Charlene. Oh, yes. Goodness me. So yeah, I mean, it's, you know, it's kind of, it used to be, you know, let's break in somewhere for a bit of a laugh. Now it’s let's break in there and see what they've got. And Ken McCallum talking about university. I mean, universities used to be like, oh, God are boring, all lack of academic research and stuff now, but suddenly gone, no, actually, you know, these are switched on kiddies. And yeah, they're doing COVID research, they're doing advanced fusion, they're doing the advanced materials. And lots of times when you look at, because I'm doing this at the moment, right? When you look at these universities, they're working with all the technology companies, right? So if you're doing something really clever with aerospace materials, you know, after Rolls Royce, or, or Lockheed Martin or whoever, you know, in Grumman or whatever in there, working with you, right, cause they're going to commercialise that product, right? But if you come up with like a, you know, a magic metal, I don't know why I said that, but something magic, right?
Tom: [laughs]
David: Whatever, you know, Rolls Royce wanted turbine fans or something, right, some really efficient turbine fan research. I just made that up. They're not doing that, by the way. But you actually wanted that to put in your aircraft, you know, and you wanted it before it went to market, then why wouldn't you try and get hold of it?
Tom: What's the solution here? Do we need more people with digital skills?
David: Endless vigilance.
Tom: [laughs] Endless vigilance.
David: I mean, it's weird, isn't it? Because when I talk to people all the time, and they say, well, we've got a twelve month security strategy. I think fantastic, that is right. But tomorrow, the enemy will come back with a different, or the opposition will come back with a different approach. So you have to think about this every day. And sadly I do. And, you know, and it kind of, there's a whole bunch of stuff. I mean, I've worked with, I did some stuff with Jenny Radcliffe, who was on that, what was it? That Hunted programme? She's the kind of the social engineer and stuff, right? And, you know, I mean, you kind of, the old world where you, you know, if you just took people at face value, can you need to be a bit suspect about that. I mean, I'm, I'm sort of looking at, I'm sort of listening to something at the moment, which was about the North Korean hack of Bangladesh bank, where they shipped a billion and they did electronic transfer a billion US dollars, which is quite a lot of money if we split it between the three of us.
Tom: I'm happy to take it and if you know if you know where to find that money, I'm committed. I'm committed. I'm in.
David: This is North Korea we're talking about.
Tom: I’m still in. What have they got that I haven't?
Greg: [laughs]
David: Anti aircraft guns. So, but you know, when you look at that, before they you know, before they actually do anything, they start to social engineer people. And if you're on things like LinkedIn, I get it quite a lot of the time, you get approached by, you know, lots of people who on the face of it, unless you really do, you're really superstitious or suspicious and start to do kind of reverse image searches and see if you find them, you know, who aren't who they say they are. I had a particular case, where I got approached by a Bahraini based investment company that wanted to give me a large amount of money.
Tom: It used to be Nigerian princesses.
David: No, no. Well this was a bit different, right. This was a Bahrain based investment company that had a whole board of directors and all this kind of thing that wanted to give me a bunch of money, all via email and they wanted to learn about my clients, you know, and the kind of security things I could help them with. And so I did a full forensic breakdown of this organisation. Every photo was stolen. Their website domain was registered to a tumble down shack in Arkansas. A very green pool with a back garden probably to give that a bit of a scrub. And, you know, one of the pictures they used was from a lawyer somewhere in Arkansas, who'd disappeared in mysterious circumstances. Turned out she was dead because I found her funeral notice. So you know, they put the effort in.
Tom: [laughs] I mean, they're hard working criminals.
David: When you think of the upside, right, you know, why were they researching me? Because they're researching me to get to maybe some of the high net worth individuals that they were going to tap. I don't really know, because the trail went a bit cold when I got cheeky with them. But, you know, what's the way to do this? Well, first of all assume that that, you know, you know, security through obscurity, right, forget, because everybody's got something interesting with having money. And, you know, be a bit more suspicious. I mean, a lot of this around confidence trickery, isn't it, you know, when they send you those links, not the Nigerian prince stuff, but some really well crafted stuff that comes in and you know, if they've researched you properly and they really know who you are, or they know who your friends are, you might get an email from a friend with an attachment that you then click and they got the dropper and stuff. And so, you know, it’s sad but true, isn't it? So is exactly the black mirror, if you like to that, you know, that community spirit that we saw during COVID. But, yeah, it's big business, right? There's big money.
Tom: Yeah. Yeah.
David: Big money, whichever way you look at it, right.
Greg: Yeah, that's the key, isn't it? You know, I think a lot of people can attest to having received one of those emails we were talking about and you clearly see all their spelling mistakes. But then there's the higher level more refined stuff. And I remember hearing about the ransomware attacks, one of the previous ones where they just did a blank, I think it was WannaCry maybe and they just did a blanket thing. And people were getting requests for Bitcoin and when they were getting back in touch with them, apparently their helpline was better than some of the hotlines you'd have with, like, when you were contacting your ISP.
Tom: [laughs]
Greg: It was great. Yeah. So it really kind of indicated that they've got these, not just like slick operations, but they've got structures and organisation within there that they will like, they've got customer service reps, they got people doing their hacking and things like that. And I think, you know, that's when you hear a lot about this interaction between nation states and these groups and essentially what they're doing is they're going out there and offering a service to these nation states.
David: Yeah, yeah.
Tom: Wow.
Greg: They've industrialised hacking and they've made it pay, so you're just gonna see it more and more and more now.
Tom: It's almost legitimising it as well. So coming like, it's like property mark, yeah. Like everything about it seems to be it's been doing proper, proper like, and that's terrifying. Actually, I think that's really like, I think that is terrifying.
Greg: The Guardian is doing a string of stories called Project Pegasus at the minute about an app from a genuine, like, legal organisation. I think they called... where they've sold this thing that can be used to hack into people's phones. So it's a hacking tool. And they've, there's been a data leak, and it's found that loads of journalists, lawyers and different people's information has been accessed through this tool and it's a real human rights risk. But that's not like an underground hacking group or a secretive nation state. They've sold that on the open market.
David: Yeah, it was Israeli firm. And they produced this particular exploit that that you know, with, but for iPhones and for Android, that kind of stuff. And it allows you to know about what's happening on people's phones. I bet that brought some stuff up for the Christmas party, didn't it? But yeah, you know, why do we have reality television because other people's lives are much more interesting than your own. And yeah, I mean, it's sort of the antithesis of that with the encrypted chat phones used by criminals. A few months ago now there was a camera encrypted phone service that they developed, this sort of modified Android handset and fully encrypted and all that kind of thing. And very popular, right, because it couldn't be eavesdropped, except of course that I'm not quite sure which particular agency got in there but they got into encrypted chat, into basically the software update server for these phones. And they put stuff on it that actually just went because the way, and this is quite interesting, well interesting to me anyway right, actually, if you were typing attacks right it didn't encrypted as you're typing it wrote it then encrypted each of the out the back so they found a wedge in between the unclear you know, the stuffing clear and the and the encryption but and they just lifted hundreds of villains, you know, these phones were being used by all sorts of people.
Tom: I mean, yeah. There’s some clever cookies in the world. You got clever cookies working for states. You've got clever cookies working for the criminals. But you've also got clever cats that are happy to write articles.
David: Yeah, yeah. And kind of, you know, and if you're trying to defend against stuff.
Tom: Defend against articles written by cats?
Greg: [laughs] I think he was trying to do a segue there.
David: Oh, nice. Oh, yeah. Sorry.
Tom: [laughs]
Greg: Do we not have a bit more time to cover the rant on ransomware?
Tom: Yes. Yes. I assumed we went into rant mode about people stealing stuff. Yes. Yes. Sorry. I got overexcited about an article writing cats about that. Sorry. My segue was terrible. So rant of the week, Greg. I could be a nice. Is it a nice overlap this week?
Greg: So I think we'll go on the NHS digital one because I'm really interested to hear what you had to say about this, David. Because it's an interesting topic.
David: Oh, okay. So, um, yeah, it's been a bit stop, start, hasn’t it for the guys up at NHS Digital, who have been called many things in their lives. The National programme for IT, Connecting for Health and a whole bunch of other stuff. Anyway, they've sort of now gotten like digital because it's cool and trendy. And they had this, they had this idea that they were going to aggregate all the GP data, which tends to exist in a myriad of GP systems across the world, some of it hosted on a kind of, you know, cloud based system. Some of it not cloud based. And so they're gonna aggregate all this data into a big bucket and put it together with a bunch of other data they've got and then use it for quite useful research. And well, I mean, the NHS has been doing kind of research on healthcare outcomes, since well, I don't know, 2003 was the first time I looked at this stuff. And, you know, paying by results and all that kind of good stuff. So there are some positives in this, if you're looking for kind of, you know, healthcare, semantic linkages, between, you know, lifestyle and whatever. So that's fine. But the other thing is, you know, are other people going to use this. Now, again, you know, you get universities that do healthcare research, they need access to the metre. So, you know, if they're going to how they're going to access the data, you know, because there's a, there's a thing where the value of data increases, more of it you've got right is, you know, and it becomes more sensitive, the more you have aggregated together. So I was sort of following this story. And I'm going well, it all sounds alright on paper, doesn't it? But really the rub on this is who's going to get the data where they're going to keep it? How secure is it going to be? And, you know, how are you going to audit it right? Because yeah, once you get data out to a million other people, right, it's much harder to control and then it’ll be in one particular place. 
And the argument was, well, we’re gonna pseudonymise it, which does sound like a band Victorian practice, doesn't it?
Greg: [laughs]
David: But actually, I'm going to pseudonymise your, but it's not the same as anonymization. Because pseudonymisation is reversible. And the answer was, well, we're going to keep the keys. Well, the next question is, were you going to keep those keys tiger? Well, we're putting in a folder marked security keys, right, on our intranet. Well why don’t you put them on an encrypted USB and you split them up around the country and put them in different safes, that kind of thing. That's probably the way to do it. I mean, I don't know what they're doing with it. But you know, first of all, pseudonymisation. But even with pseudonymised data, if you can then cross reference that with other databases that aren't pseudonymised, you can reverse engineer identity, or at least narrow it down, can't you? So I thought, you know, I still know people who do NHS Digital and stuff. And I thought, well, they sort of feel thought through to me, and I particularly didn't like pseudonymisation. Again, social media, going back to social media, you know, when there are lots of people on social media at the time that we're saying, oh, you know, you can't you can't do this, and they're going to give it to Palantir. Well, you know, other data mining tools are available, right? But they were going to give it to Palantir and Palantir is funded by the NSA, and, you know, my healthcare records are going to go to Langley or wherever. So my point was, not so much who you're gonna give it to, but the fact that, you know, if you get enough data put together, you can reverse engineer the identity. So, you know, I mean, it's gone away for a bit, it hasn't. But, you know, it’s gone away for a bit. You know, if you've got, if you know, I'm not saying you will need to give us the exact encryption key but I think it might have been a bit better if they'd spoken in a bit more detail, a bit more transparency and sort of explained how they were going to do this.
Now, you know, the dark mirror to that is all well, that's just telling me how I cracked this. But you know, you know you kind of put your face on you.
Tom: I mean isn't the solution to all of this, as with all tech solutions, blockchain? You just put this on the blockchain and it'll be magic.
Greg: [laughs]
Tom: Be magic. Then it’s distributed. Everyone has access to it but, you know, blockchain. Magic.
David: I admire your confidence. Yeah. But you end up with branches don’t you, and it's been interfered with.
Tom: It's blockchain magic. Blockchain magic. It's the best type of magic. Yeah, well, you know, you just have a pill, and you'll be alright.
Tom: [laughs]
David: Sit back in your chair and we'll plug it in.
Greg: [laughs]
David: So it's just one of those things where, I mean, they had a bash at this with CAD data a while back, was it in 2017 or something like that. And that that promptly found that sword when a couple of pointed questions got asked a while I'm, you know, I'm fully on board with, you know, it's great for identifying health outcomes and a bunch of data in GP systems, you have gotten the national systems, I understand how all that works. So my question is, where are you going to put it and how are you going to keep it? Because there's loads of people that would just love your healthcare records, wouldn’t they?
Tom: That amount of health care records, like, yeah.
David: Yeah, regularly using jokes, that kind of thing. So just be a bit careful with it. It was sensitive stuff back in 2003, when I first started putting the summary care records together. And we had a thing back then, which still exists in sort of national systems, they’re called legitimate relationships where you know, you had to have a legitimate clinical relationship with a patient to look at their data. You couldn’t just go and have a browse. And if you did the sky fell in on you because we were watching you. And so, you know, it sort of strikes me that it's broadening the legitimate relationship argument quite a lot. So I personally would want to know, where are you putting it, how are you going to keep it and how are you going to keep it safe?
Greg: Yeah. And I think the main thing for me is the minute you put all that data together, you've got it. It's a massive store of data. So you could argue, you know, you've got all these rickety GP systems and people could be accessing those individually. But, you know,
Tom: It becomes a target.
Greg: Yeah. It becomes a target. Yeah. You're like, do I spend loads of time going around thousands of GPs to collect the same amount of data or do I just attack one source and get everybody's data for the whole of the UK?
David: Sorry, this is a story from a very long time ago. Prince Charles fell off a horse and broke his wrist. He ended up going to Nottingham QMC, I think it was. And of course, they didn't have digital X-rays in those days. But that report was like, you know, generally available back in those days. This was before summary care records, probably in the very early 90s or something like that. And that record was getting hit, you know, three hundred times a second, because everyone knew about Prince Charles' wrist, right. So they slapped a need to know on that, like a D notice on his wrist. Right. But yeah, it's designed to exactly, yeah, people are just naturally, naturally inquisitive, aren't they? And off the back off that wants to see what it looks like. So yeah, a bit more thought, I think, or a bit more transparency to the extent that you can. It's not sufficient to say trust me, is it really?
Greg: Hmmm. Yeah, that never works.
Tom: That does not work.
David: Yeah.
Tom: But, and finally, we can go to this article about, I've got no segue. I’ve used them all. I’m segue dry. Is that a term? I am now. I want to hear about this article written by a cat, Greg.
Greg: Yeah.
Tom: I feel like we've been to some dark places.
Greg: [laughs] Yeah. So I don't know if they've been feeling particularly down at Kotaku, or maybe it was just a slow news day, but somebody decided they were going to post an article that was written by their cat. So for cat owners, and for those who may not be aware, cat owners when they are attempting to work on their laptops will often find that their cat will come and sit on said laptop. Or even if you're working on a desktop, they'll come and walk across the keys. So they've posted the resulting article. And it is not a bunch of monkeys in a room writing Shakespeare.
Tom: No, no.
Greg: I think its most popular letter was S.
Tom: Yes. There is a long….
David: I'm not sure it will actually show you but I was actually having a WhatsApp conversation with a jazz musician of all things. And just something else that they are on the to do list basically. And it's Wendy Kirkland. And she was sort of texting me about some stuff about some sound engineering stuff and I kept getting these odd messages from her. I'm not sure if you can see that but basically, it was about, let me turn it that way.
Tom: Oh, yeah, yeah.
David: It was 800 hyphens. And I'm thinking, you know, what is it? And she says, by the way, I think Sly the cat is sitting on my laptop keyboard while I'm down at Aldi.
All: [laughs]
David: So she’d got WhatsApp open on a laptop and the cat was quite happily going to [mimics typing] and she was trying to text me at the same time.
Greg: [laughs]
David: And yeah, the two conversations got merged together. So kind of feline intelligence rather than artificial intelligence.
Greg: [laughs]
Tom: [laughs] Yeah, well, well, that was a roller coaster ride. But yes, that is all we have time for today. So thanks for listening, listeners. David, how was that for you?
David: It was hugely entertaining. [laughs] Thank you for letting me ramble. I know I took the show over. I'm sorry, you should control me better.
Tom: No. No. That's why we invite guests to have a chat with guests and listen to their experience.
David: Very free forming conversation. Because I mean, I actually do another one, I do a weekly thing with a colleague of mine. We have no scripts and it's completely unscripted. We'll just start with something and see where it takes us. But it is interesting, isn't it? How all the stuff we've spoken about today has kind of got a common theme, somewhere in there as a common theme isn't there? Which is kind of about the human experience and I guess the human desire to either do right or do wrong.
Tom: Yeah.
David: And then the cat sat on the keys, obviously.
Tom: Yeah. And then the cat sat on the keys. Yeah, I liked it. So where can people find you online? So say, if we wanted to try to hack some of your net worth individual friends, where would we go?
David: Well, you can always find me on LinkedIn. There's a very nice photo of me, shot from below of all things.
Tom: [laughs] Shot from below?
David: Yes, yeah, you're more imposing, don't you when you’re shot from below? And a bit like Aerosmith, you're shooting from underneath the microphone. Oh, yeah. You find me on LinkedIn, David Higgins. And there's a few security articles I've knocked out on there and some odd psychology stuff as well.
Tom: Fantastic.
David: I’m on Twitter but I don't really do very much on there. I think I posted a picture of Father Jack today from Father Ted.
All: [laughs]
David: Have we got time to do this one? There was that ummm, again….
Tom: You didn’t let us answer [laughs].
David: Go on then.
Tom: Go for it [laughs]
David: It's always nice, isn't it when the sides of the uncontrolled world, it just actually quite nicely settled as back to the anti vaxxer stuff. There was some TV crew shooting at the lockdown protest in London and this guy was doing his best to camera. And this extremely agitated woman came up behind him and proceeded to say a lot of words that probably weren't in the Ofcom acceptable language and the only image that it brought up was of Father Jack from Father Ted.
All: [laughs]
David: Pass the biscuits! And I think it pays to listen to all this stuff, quite frankly, because otherwise you’ll just go mad.
Tom: Yeah, indeed. No, no, definitely. You have to laugh otherwise you'd cry. But listeners, what do you think? Do you laugh or do you cry? So we'd love to hear your thoughts and get in touch with us on Twitter. We are at tech for good live. Or email at hello tech for good dot live. Or we'd love it if you came and gave us a nice iTunes review and told your mates about this podcast. Those reviews help us more than you could ever know. Thank you to our producers for producing this podcast. Also, don't forget this podcast is run by volunteers and we survive on sponsorship and donations. Right now our primary goal is to make all of our podcast episodes as accessible as possible by making sure every episode is transcribed. Sadly, this does cost money and we desperately need your help to make this become a reality. So if you've ever tuned into one of our podcasts or attended one of our events, please consider chipping in the price of a cup of coffee, at tech for good dot live forward slash donate. And thanks also to Podcast.Co for hosting us. Thank you everybody. Goodbye.
Greg: Bye
David: Bye now.