
It turns out it wasn’t just users of the Zoom video conferencing app who were at risk of having their webcam hijacked.
A week after Zoom admitted it had handled the discovery of a privacy vulnerability in its software poorly, and Apple pushed out a silent update to neutralise some of Zoom’s most outrageous behaviour, Mac users have received a further security update that protects against the same Zoom vulnerability in other video conferencing apps.
The apps, as listed by security researcher Karan Lyons, are all apps that have licensed Zoom’s technology and – like Zoom – created a localhost web server on Macs that allowed the software to be reinstalled without explicit permission from users.
MRT update 1.46 now removes vulnerable web servers for Zoom, RingCentral, Telus Meetings, BT Cloud Phone Meetings, Office Suite HD Meeting, AT&T Video Meetings, BizConf, Huihui, UMeeting, Zhumu, and Zoom CN.
— Karan Lyons (@karanlyons) July 16, 2019
As I described when the security violation first came to light, it’s bad enough that users could be tricked into unexpectedly entering a video call, but in some ways it’s even worse that Zoom felt it had the right to install its software onto users’ Macs without their explicit permission.
That doesn’t just suck, it’s downright rude. I want to control whose apps get installed on my computer. A typical Mac user would believe that dragging the Zoom app into the trash can would uninstall the app, not leave behind code that can reinstall the app in the blink of an eye without a user’s explicit permission.
Now we know it’s not just Zoom that contained this sketchy code, but also products that had white-labelled Zoom’s software – including RingCentral, Telus Meetings, AT&T Video Meetings, and Zhumu.
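The localhost web server at the heart of this problem is something a Mac user can check for directly rather than waiting for a vendor or for Apple to clean up. The following is an added example, not code from this article or from Zoom, Apple or the researchers mentioned: it parses the output of `lsof -nP -iTCP -sTCP:LISTEN` (a real lsof invocation that lists TCP sockets in the LISTEN state without name lookups), keeps only the processes bound to a loopback address, and flags any whose command name is not on an allowlist of services the user knows about. The sample lsof output, the `webhelper` process name, port 12345 and the allowlist are constructed for the example, not taken from any real product.

```python
from __future__ import annotations

import re
import shutil
import subprocess
from typing import Iterable, NamedTuple


class LoopbackListener(NamedTuple):
    command: str
    pid: int
    user: str
    port: int


# Addresses that mean "loopback only" in lsof's NAME column (with -n, no hostname lookup).
LOOPBACK_ADDRS = {"127.0.0.1", "::1", "localhost"}

# One data line of `lsof -nP -iTCP -sTCP:LISTEN`:
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME, where NAME is addr:port (LISTEN).
LSOF_LINE = re.compile(
    r"^(?P<command>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)"
    r"\s+\S+\s+\S+\s+\S+\s+\S+\s+TCP\s+"
    r"(?P<addr>\S+?):(?P<port>\d+)\s+\(LISTEN\)$"
)

# Constructed sample output for offline use; not captured from a real machine.
# "webhelper" on 127.0.0.1:12345 stands in for a conferencing app's hidden helper.
SAMPLE_LSOF_OUTPUT = """\
COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
sshd        412  root    4u  IPv4 0x7f1c3a2b0c9d1e5f      0t0  TCP *:22 (LISTEN)
webhelper  1337 alice    5u  IPv4 0x7f1c3a2b0c9d2a11      0t0  TCP 127.0.0.1:12345 (LISTEN)
node       2048 alice   22u  IPv6 0x7f1c3a2b0c9d3b22      0t0  TCP [::1]:3000 (LISTEN)
"""


def parse_lsof_listeners(output: str) -> list[LoopbackListener]:
    """Return the TCP listeners in `output` that are bound to a loopback address only."""
    found: list[LoopbackListener] = []
    for raw in output.splitlines():
        m = LSOF_LINE.match(raw.strip())
        if not m:
            continue  # header line, or a line in a shape we do not recognise
        addr = m.group("addr").strip("[]")  # lsof prints IPv6 addresses as [::1]
        if addr not in LOOPBACK_ADDRS:
            continue  # bound to * or a real interface: not a localhost-only helper
        found.append(
            LoopbackListener(m.group("command"), int(m.group("pid")),
                             m.group("user"), int(m.group("port")))
        )
    return found


def flag_unexpected(listeners: Iterable[LoopbackListener],
                    allowed_commands: set[str]) -> list[LoopbackListener]:
    """Keep only loopback listeners whose command name is not on the allowlist."""
    return [l for l in listeners if l.command not in allowed_commands]


def live_loopback_listeners() -> list[LoopbackListener]:
    """Run lsof on this machine (macOS or Linux) and parse it; empty list if lsof is missing."""
    if shutil.which("lsof") is None:
        return []
    proc = subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
                          capture_output=True, text=True)
    return parse_lsof_listeners(proc.stdout)


if __name__ == "__main__":
    allow = {"node"}  # constructed allowlist: a dev server the user knows about
    for hit in flag_unexpected(parse_lsof_listeners(SAMPLE_LSOF_OUTPUT), allow):
        print(f"sample: unexpected loopback listener {hit.command} "
              f"(pid {hit.pid}, user {hit.user}) on port {hit.port}")
    for hit in flag_unexpected(live_loopback_listeners(), allow):
        print(f"live: {hit.command} (pid {hit.pid}, user {hit.user}) on port {hit.port}")
```

Run on the sample, the only hit is `webhelper` on port 12345; `sshd` is skipped because it is bound to every interface, and `node` is on the allowlist. Run live, anything it reports is a process that has quietly opened a port on your own machine, which is exactly the behaviour Apple's MRT update had to go looking for; the command name and pid tell you which app to investigate.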
Apple doesn’t make a habit of pushing out silent emergency updates, but clearly felt it was important enough in this situation.
For most Mac users I think automatic updates are a good thing, but if you really don’t like the idea of Apple installing a security update without your authorisation you can go into your system preferences and uncheck “Install system data files and security updates.”

I bet the programmers at Apple would be happier working on other projects than cleaning up another company’s mess.
For more discussion of the Zoom flaw, listen to this edition of the “Smashing Security” podcast:
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Band-aids are the solution to this.
Sounding more and more like it.
Not for your butt, for the camera.
Yes, exactly. Yes, yes, yes. Careful which hole you cover up. Okay, Smashing Security, episode 136. Oops, we created Iran's hacking exploit with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 136. My name is Graham Cluley. And I'm Carole Theriault. How are you, Mr. Cluley? Oh, I'm all right, thanks. You're over in Canada at the moment, aren't you? Yeah, did you notice? You're missing me. Oh, the whole country's missing you, Carole. It's gone to hell.
Actually, I'd like to do a shout-out. I am in Canada, but I went and saw my aunt Mimi. She held a big party on the weekend. And you know what she told me? She listens to the show every week. My aunt. Yeah, she listens every week and she loves it. So Mimi, shout out for you. There you go. Goodness.
Mimi listens to you. Mimi listens to you. Exactly. Now, people may have already noticed that we have a special guest who's joined us. So, Carole, you're far, far away in Canada. But even further away, I suspect, is our guest today, Charles van der Waal. Charles did I say your surname correctly first of all?
Graham I think you said it as correctly as you're ever going to say it so let's go with that.
And explain to people where you are and who you are.
Maybe say your name correctly first so that people can actually know what it is.
So I'm Charles van der Waal. Van der Waal. Okay. Van der Waal. Okay. And I am in Cape Town South Africa where I work for a pen testing company called Sensepost.
And is it very hot there?
It's winter here, so it's not very hot. We're struggling with a blizzardy 16 degrees or something. Oh, how hellish that must be. 16 degrees Celsius. You know what they say about the snows in Africa.
Don't start that again. At Christmas time. Now, we met, didn't we? I was down in Johannesburg giving a talk, and you were there as well. And a splendid time was had by all.
By all, yes, we did. Yeah, it was a good old conference and that's why we've...
Sad to have missed it.
Well... You weren't invited, Carole. Oh, nice, nice. Sorry.
Thanks. No. Carole, to make up for it, what's coming up on the show this week? Well, first, let's high-five this week's sponsors, LastPass and Recorded Future. Their support helps us give you this show for free. Carole, it's been six years, six years since we quit our jobs at that cyber security firm. Six years, one month actually.
The loos without any seat covers? No, no, not that. Not the messages about not dropping jam on the carpet tiles or anything like that. Especially the meetings when you weren't actually required to be there, but somehow you had to be there. Let's be honest. I really wasn't needed at any of those meetings. Hey, hey, don't put yourself down so much. No, because, you know, there's really nothing worse than getting lots of people in a room to discuss something. In fact, there's only one thing worse than getting lots of people in a room to discuss something, and that's getting lots of people who aren't in the room to discuss something as well by teleconferencing. I had to go into the office once at 5 a.m. to do one of those.
Horrendous. Well, how could anything be worse? Well, I'll tell you how. By adding video onto a teleconference. It's going to go, oh, boy, oh, boy. Because then you can't even disguise how bored you are. So when you've been on the call for eight hours, and sometimes the calls do last that long, you know, you're rolling your eyes. Everyone in the Singapore office can see that you're actually playing solitaire or not really paying attention or doing your receipts. You know, the trick is just to be really, really quiet, right? Because then it doesn't actually, the camera doesn't focus on you. Oh, yes. STFU, Graham, STFU. There is one advantage, Graham, to be fair. Yes. Well, I don't know what you do down there in Cape Town, Charles, but in England, we tend to wear trousers in the office.
Am perfectly happy not seeing you.
Yeah, exactly. It's for everybody, really. No one wants to see me. But, of course, because I'm dealing with different clients and things, they all want me to sign into their particular video conferencing app, the one they've chosen for their business, which could be Skype or Zoom or GoToMeeting or Google Hangouts or Join.me. It's a pain in the butt because you have to install stuff and then you've got four or five different video apps on your computer that you don't want. Yeah, I've been there. Need them infrequently, but they're there. And normally you only realise with about 90 seconds before the call begins, or maybe two minutes after it was supposed to begin, that there's not a phone number for you to ring but you have to go in through a particular app. You have to download it. Yeah, you have to download it. And then, okay, so...
You're going to complain about first world problems? Okay, good, carry on. So that's the whole show. So I'm going to actually talk about one of these today, which is Zoom and specifically the Mac. Zoom, Zoom, Zoom. Yes.
How interesting. Do you have any Macs in your office at all, may I ask? Graham, I'm not sure I should tell you. No, maybe you shouldn't. The issue today is specifically with the Mac version of Zoom. It's a very popular video conference app, not just Charles using it as SensePost down in Cape Town.
No, because otherwise I wouldn't have anyone to talk to. Right, exactly. Yeah, I have actually been asked to install it by a leading security, IT security firm. Don't do it, Carole. Wouldn't be alone because around about three quarters of a million businesses around the world are using this app. It's one of the leading video conference apps.
Liquid paper those cameras, isn't it? It is. I have some knotty plasters we could use. Do you call them plasters? Yeah, knotty band-aids. Now, when I first saw this headline saying Zoom, and I thought, oh, crumbs, you know, I've probably installed that at some stage. Let me just back up for a second. This is the legitimate Zoom app. This is not a fake Zoom app or anything like that. Yeah, yeah. It's a slick little app which you have on your Mac and you can, like any other Mac application, go into the applications folder and drag it into the trash can and it should be deleted and uninstalled. Potentially unwanted software. Software. Well, exactly. Potentially unwanted application. Has probably all your old settings as well.
It's all set up. Yeah. So I did this this morning. I uninstalled Zoom because I was reading about this and I clicked on a Zoom link and in literally the blink of an eye, the entire app was reinstalled. Not cool. I even tried to get a screenshot of it as it was doing it and it was too fast for me to do it. Well, you are a certain age now. I am. I am a bit slow. So no user interaction required, Graham. It just reinstalls seamlessly in the background. That's right. Just by clicking on the link.
You could try it right now, shall, on your computer. Well, that would be confessing that I run a Mac, wouldn't it? And I can't do that. Nice try. Nice try, Carole. Nice try. So I think that's, first of all, pretty darn rude, installing software without my permission. And I expect software to behave nicely. If I've uninstalled it, I expect it to be properly uninstalled.
You probably wouldn't have a show if they all did that, though.
That's right. Thank heavens for rude, misbehaving software. Otherwise, where would our entire career be? You'd probably be still working in a corporation. Right. Well, that corporation probably wouldn't exist, would it? Probably. So, yeah. So I think we should all have control over which apps get installed on our computer. 100%. I think most Mac users would expect that that thing had been uninstalled.
Not just Mac users. All freaking computer users should be able to expect that.
Yeah, totally. See, I don't mind the idea that if I click on a Zoom meeting link, I don't mind if it then pops up and says, oh, you don't have Zoom installed. Would you like to install it? That would be kind of acceptable to me, I think. I don't have a problem with that because then I could say, no, I don't want that ruddy software. I'll go into the web version of Zoom instead of actually installing an app. Yeah, because they have a web version, don't they?
Yes. I think there is a web-based version. Although I was looking at their support knowledge base and it sounded almost like it's up to the host of the call to decide whether it also sends you a link to the web version of the meeting rather than using the app. That makes sense, though, because you wouldn't want to confuse people by sending multiple links potentially. But basically we're saying I can say as a consultant, I want the web version of everything. I do not want to install apps.
There's some other weird things that that researcher points out. For example, that the host can dictate that when you join the meeting, your mic and camera are immediately activated. That's one of the features he's abusing, but it's a feature of the app.
This is extraordinary. It's worth underlining. So with Zoom, by default, the meeting host has the ability to decide whether participants' video is turned on automatically when they join the meeting. And again, let's talk about your trousers situation, Charles. Potentially, that's disastrous, right? If you dropped your pen or your notes on the floor just as you were clicking on the link and then you're asked... We'd never go back.
We would never go back.
I mean, I know you're not hirsute, I mean, you've got a beard, don't you? But you're, how can I put it? You're sort of focally challenged on the top of your head. I have no idea what's going on on your bottom. But that could be broadcast to everyone else on the video conference. Again, band-aids are the solution to this.
It's sounding more and more like it. Not on your butt. Yes, yes, yes. Careful which hole you cover up. Yeah, it could lead to problems. But yeah, so, okay. So the researcher pointed this out and he said, look, this isn't good because basically, because this all can be done with just a link, potentially a bad guy could booby trap a web page to initiate the link or trick people into clicking on it or maybe even use malvertising to open up a video conferencing stream with someone. And the researcher reported that to Zoom. And Zoom's response was a little bit snidey, I thought. It felt a little bit... What did they say? Well, they didn't really acknowledge it. They said, well, look, the reason why we've implemented our software in this way is because it's a legitimate solution to a poor user experience problem. In other words, they're saying, we've saved you a click. Yeah. And we want our users to have faster one click to join meetings rather than have to confirm that they really want to do it. And I think, well, come on.
I know, but I agree with you. I agree, obviously, because I, you know, but I can understand that there are many times when a service provider has to make a call of how many features to add to improve a service. And this is why baked in security is so important. You need to have a security expert in those meetings. Sorry, Graham, I know we won't call on you. But we need people in those meetings from the get-go to think, hey, guys, whoa, whoa, that may not be all that secure.
But in a video conferencing system where it's possible for the host to determine if your microphone and your video is enabled instantly, then that seems really rough that that person doesn't have a choice. I agree. And they don't have the ability to.
But I also, you know, as well as I do, that when we do these things, sometimes people can't find the right mics or the right headphones or et cetera. And, you know, maybe they don't know how to turn it on. And, you know, sometimes you can grease the wheels a bit. And I'm just saying there's two sides to every coin. Two sides.
Well, you know, it seems to me the approach of running a web server locally on a machine and the kind of website hack that they use to create this feature just seems really hacky. It seems like a strange workaround. And, you know, we all know how this goes. I think you've got a feature set like that and one vulnerability gets discovered. I think we can expect that there'll be more. We're going to see more of this.
You guys are going to be all over it now. Yeah. OK, so we need to tell people how to get Zoom off their computers and also how to get this nasty little hidden bit of Zoom off their computers, too.
So there are links in the show notes where we've linked to the researcher's blog article where he gives the technical instructions. Unfortunately, it isn't as easy, I said, as just dragging the Zoom app into your trash can. You do have to use some terminal commands. That's going to the command line in order to do this properly. Zoom has said that it is changing its software. It already said, well, look, we've dealt with one of your complaints, okay? So what we're doing is we've released a quick fix, which disables the meeting creator's ability to automatically enable participants' video by default. And you think, well, that's good that they've done that, right? Unfortunately, a couple of days later, that vulnerability sort of crept back into the software. So they'd fixed it and then the fix fell off. Because they did a rollback or something. Who knows? But somehow or other, that fix is no longer present. They've also said they're going to make some other changes as well. They're Muppets. They're Muppets. So I guess we're going to have to find out how to do this in browser rather than installing the app, aren't we? Yeah, exactly.
I mean, you know, the porn industry proves that you don't need an app to sell a service, right? So I think, you know, let's go back to the web. I'm a big fan of that. No installation, visit a web page, do what you need to do, and then get out of Dodge.
Do you take a lot of advice from the porn industry, Carole?
Well, there's lots to be learned there.
Oh, yeah. Satan's school for girls. That's how I've decided to live my life. Interesting.
I'm very happily married, that's all I've got to say.
These days, it's not really relevant, Carole. Charles, what's your story for us this week?
My story is about Twitter but not the kind of Twitter where that's all YOLO and selfies. This is the Twitter account of U.S. Cyber Command who we know is the cyber warfare branch of the U.S. military who've sort of been growing in prominence and getting louder and louder over the last few years.
And they don't tweet out selfies of themselves is what you're saying. I haven't seen one. I think they're more on Instagram for that. Right. Okay. And this is their official Twitter page.
This is their official Twitter page. Well, an official Twitter page called US Cyber Command Malware Alerts. And they post out warnings about things that are happening that they're aware of, and that they think civilian space should know about. And on the 2nd of July, so just a few days back, they tweeted out about this Microsoft vulnerability affecting Microsoft Outlook, which is the email application that Windows users use, that's being exploited in the wild. But what we can read between the lines, and what a number of analysts picked up on, is that what they're referring to is a campaign linked to a threat actor group, believed to be Iranian state-backed hackers called APT33, who are exploiting this Microsoft Outlook vulnerability in the wild. And Cyber Command wants us to know about it because it's a big deal.
So basically, we've got Iranian government backed hackers who are attacking other countries and maybe breaking into the systems of industries based overseas, using Outlook up to all kinds of mischief. And so we've got US Cyber Command, who obviously there's a little bit of tension at the moment, isn't there between America and Iran is something I picked up on. Very astute. So they are, I'll try and get my finger on the pulse. So they, We are alerting organizations, watch out, because people are using this particular Microsoft vulnerability, and we think it's Iran who's up to it.
Exactly. And to summarize that sort of in a nutshell, the Forbes article that ran around this tweet, the headline for that article reads, US military warns Outlook users to update immediately over hack linked to Iran. So your finger is very much on the pulse, Graham. You've summarized that perfectly. Thank you. So I'm reading into this article and it turns out that the vulnerability is being exploited using a hacking tool called Ruler, the thing that you measure distances with. And this tool, as it happens, was developed back in 2017 by my team. So my team.
Wow. Hang on a moment. So there are Iranian government-backed hackers who are trying to break into American systems. And effectively, the tool which they are using, the weapon which they are using, was written by you and your buddies.
Thanks, Charles. Thanks so much. In South Africa,
Yeah. There you have it. This might be my greatest achievement. You know, the story kind of rattled me because I thought, you know, look, we do this, right? And pen testing companies do this routinely. It's how we demonstrate capability. It's how we attract people to come and work for us. It's how we warn the industry and our customers. It's how we demonstrate that threats are real. And arguably this disclosure of vulnerabilities and exploits is a very powerful tool in moving the industry forward. You know, I spoke to a lot of people off the back of this and asked them how they felt about it, people from my team. And they all kind of stood by this decision to publish the exploit at the time. And they all believe strongly it was the right thing to do.
You basically released this tool and this information in order to get the problem fixed, because you found the problem and thought there might be a way of exploiting this. Let's build a little tool which does it. It's not as though you guys were using it maliciously yourselves. But they did build the weapon that was used, so to speak.
We weaponized the vulnerability. Yeah, that's true. And we use that toolkit extensively in our work. For good. And the vulnerability wasn't actually disclosed by us. The vulnerability was disclosed by a crowd called Silent Circle Security sometime before we wrote the tool. So the knowledge of the vulnerability was out there. We just shrink wrapped it and demonstrated how it could be used in a weaponized way.
And I guess the normal way in which you actually use that in the course of your work is, would you be doing something like testing the defenses of a company who's asked you to see if they are vulnerable? And this tool would be one of the methods which you use, for instance?
Exactly. That's exactly how it would work. And it's very effective and it demonstrates a very real contemporary threat, which can instantly be exploited in a lot of other ways too. Because the tool requires two things. It requires this outdated version of Outlook. But it also requires us to have valid credentials for that user, valid Microsoft credentials for that user. So we're demonstrating not just that bug. We're demonstrating a whole class of bugs linked to, you know, weak passwords or password reuse.
So once you exploit this vulnerability, what can you then do with it? What's the risk to the person who's been targeted? In this case, obviously, Iran is targeting organizations in America and maybe elsewhere around the world. What could they do with that?
So when this vulnerability triggers, we effectively have persistent remote command and control over that user's machine with their privileges. So it's kind of as if we're sitting on the user's machine at their terminal, you know, at that command interface and typing commands. And anything that user could do, we could do too, but remotely. And from there, once we have that control as one user, then we exploit all those privilege escalation, lateral movement techniques that you hear people talk about. And our testers would argue that once we have that initial entry point into the network, to get from there to domain administrator is a matter of days, maybe, probably hours, never weeks. It's that quick and easy to go from that initial foothold to having full control of the domain for most environments.
So the good news is Microsoft has patched this vulnerability in Microsoft Outlook, and they did it a while back, didn't they?
Yeah, they made a patch available, and of course, more recent versions of the software simply don't have those features anymore. That particular feature is now gone from the software. Defunct, okay.
But clearly, the selfie-taking guys at US Cyber Command are still concerned that there's going to be some organizations out there who haven't properly patched and are still vulnerable to, I'm afraid to say this again, Charles, but against your weapon.
Against our weapon. We're there. Yeah.
It's a really complicated situation for you guys, actually. I feel for you.
It is a complicated situation. There was a time where this trade-off between keeping a vulnerability to yourself or exposing it was, it seemed simpler to think through, you know, but now in a world where nations and armies are using these kinds of tools effectively in kind of low-level cyber wars, the equation becomes much more complicated, I think.
But come on, come on, come on. When you read this, right, when your team heard about this, did you kind of think, well, you know, this is actually the, you know, this is kind of the best endorsement we've ever had because we wrote this thing a while ago.
I think he pooped his pants a little bit.
You know, Carole... We have to keep on coming back to that.
I'd like to avoid using the word poop in public.
Carole, what's your story for us this week?
So, my story this week... Actually, Graham, would you just read the following paragraph, please?
Okay, hang on. It's in the document there. You've got something in front of me here. You read it rather than me. You just read that. You want me to read it? Do you work for you? Why not? Okay. Wonderful, Carole. Okay. You are not only a great trusted friend who is much, much funnier than me, but also the best co-host in the world. You're the only co-host. Really, you are much funnier than me, and I learned so much from you. Just wanted you to hear it directly from me.
Okay, no offense, but is that the best you can do?
Wonderful, Carole. You are not a great... You know what? Forget it. I'm just going to deep fake it.
It's probably much easier. It'll probably be much more believable and it'll lose that sarky tone that you brought in with your little comment there. So deep fakes, that's what we're talking about. The reason for the story is I fear we're going to see a lot more of them and there's not a lot we can do about it. Well, there's a lot of talk about it, isn't there? All things internet, though. Clearly deep fakes can be used for fun, right, or to make a valid point, but they can also be used for the more nefarious purposes, all that horror show of propaganda, disinformation, reputation destroying, all that. So basically, for those that don't have a full grasp on deep fakes, it basically takes existing footage, real footage of a person, and doctors the face, body, words, or clothing. So it's being used to target celebrities, politicians, and other high-profile people. And this deepfake tech is getting slicker. And I need you all to appreciate that it can be pretty darn convincing. I have put a link in the show notes there. You guys can go see it of a video.
Hang on. Oh, for goodness. Oh, bloody Rick Astley. I just had to Rickroll him, it was time. Every couple of months he does that.
I've been taught not to click on... Oh my goodness.
I'm looking at a video of... Well, it's Jennifer Lawrence's lovely body, but she has the face of Steve Buscemi which I have to say is slightly alarming. But I don't think this would fool me into thinking it's really Jennifer Lawrence, Carole. It's not the most convincing.
Exactly, exactly. You see, in this case, this mash-up isn't set to dupe us, right? We're kind of, as the viewers, we're in on the joke. We know it's Jennifer Lawrence and Steve Buscemi being mashed up together. But there are many deep fakes out there that are designed to bully people or mislead us humans. And the worry is the tech is getting much, much better at it and people are figuring out much more nefarious ways to work with it. So just last week, there was this Windows app that came on the market called Deep Nude.
Oh, that was horrendous, wasn't it?
Right? And it cost something like $50.
Exactly. It was so expensive. It was horrendous how much one had to pay to get hold of it. And you know what? It was taken down very soon after it was made public, thanks largely due to the tech press led by Motherboard for vilifying it for its gross raison d'être, right? Oh, right. So if you use this against me, you would see my face, but I'd have breasts and things as well.
You'd have boobies and a little, yeah.
Which I don't have in real life. Moobies, Graham. I heard on a previous show that you have moobies.
I heard it at the source. Or mitts. Mitties is another great one.
Mitties? What are mitties? Mantits. Oh, for goodness sake.
Not to diminish how gross this idea is, I do see a legitimate business application.
Okay, shoot.
When used in conjunction with the right kind of video conferencing application, it could be used to remove your trousers if you happen to accidentally be wearing some.
Or we could reverse engineer it and add trousers on you. So you could be sitting there right nude, but actually look fully dressed in your sports slacks and blue button down Oxford shirt.
I can see why you're the host of the show and I'm only a guest.
I am reinstalling Zoom right now. It's going back on my system. But the point is, the point is, this app, Deep Nude, it's very easy to see how people could be bullied by it. My goodness, yes. It's an awful piece. So that's interesting. So these are these business email compromises where someone, there's a variety of ways you can do it, but you could ring up pretending to be the CEO and go, okay, you know, I'm ringing up from head office in Glasgow.
It's exactly like a voice phish, right? Move £1,000 into this bank account.
And because they've grabbed the audio from earnings calls. The real CEO. It would sound like the real CEO. Gosh, that's very devious, isn't it? And if they combined that with background noises of an office and things, then it would maybe even seem more convincing.
Golf clubs, right? Golf clubs. The golf cart. The golf cart. It's similar to the Smashing Security story Jessica Barker did on our show on episode 134, where she was talking about how scammers used bad lighting and a 3D printed mask to dupe millions in France to give out money to help the government. And it was a great story, go listen to it, episode 134, you know.
What's that called, Carole, what's that called? Bad lights and cheaply printed 3D masks, that's not deep fake, that's cheap fake. Great, I didn't even think that's what it's called, kaboom. I didn't know that, I love it. Cheap fakes. The cheap fakes refers to, like, if they're just slowing a video down, for example, to make someone look drunk, or just cutting a part out of a video. You know, there's no real machine learning or AI, it's just kind of really cheap and dirty hacking with media.
Right, so they did that to Nancy Pelosi, right? So we call that a cheap fake as opposed to a deep fake. Okay, today I learned. Yeah, I saw a demo by Adobe of a piece of software they were planning to release that would take a voice recording of someone delivering a speech or in a meeting. I think they said they needed maybe it was 20, maybe it was 40 minutes of text, so it's a fairly significant amount. So it needs about a few hours of video, apparently. That seems to be the consensus for my research this morning, right? You need about a few hours, sometimes I've seen 40 minutes, but you need about a few hours to make a really good deep fake.
So if I had some footage of Carole speaking, for instance, I could get her to convincingly say words like whilst. Whilst, without sort of gagging, yes.
Surely she would say whilst anyway.
No.
I would never. Isn't that the correct? Apparently she's got some sort of issue. Isn't that the proper English? No. Yes, it is. Thank you, that's what I would have thought. Yes, exactly, very wise, excellent guest, excellent guest.
I know what you all are wondering. How the heck do I handle this, how do I spot them? And right now, you know, there's no reliable reverse engineering to a deepfake as yet that I'm aware of. So I was looking around to see what people recommended, and I have to agree with Slate journalist Jane C. Hu, because what she suggests seems to be the best for me. Perhaps you don't want to get lured by a deepfake, you need to get familiar with them, right? So there's, for example, on Reddit, there's a subreddit called gitfakes. Not gitface, but gitfakes, gitfakes, yep. And there's many, many hundreds of examples, right? And you can look at those images and those videos and look at the lighting, look for fuzziness around the neck where it connects to the body, look at fuzziness around the mouth, face discolorations. And you know, you need to teach your brain what to look for, and that's basically how you train yourself for it.
That is, you know, that is so hopeless.
Yes, because technology is going to get better and those lines are going to become imperceptible to the human.
We still haven't solved that problem for something as simple as phishing, right? Whether these clear technical markers and you know, of course also that your brain sees what it wants to see, right? It's cognitive dissonance, people are going to believe it. I think it's awful, right?
Graham, so maybe if you don't want me to create a deep fake of you saying nice things to me, maybe you in real life should say nice things to me more often. That would be one way to do it.
Maybe you could give me some reasons to say nice things. Let me share one last weird thought that I had when I was preparing for this story. So I'm doing this, right? And I'm thinking, you know, in a way, if the internet gets littered with deep fakes, we actually, in a way, get our privacy back because none of it's real. You can deny everything, not real, you have no idea.
And I could claim that I was actually wearing trousers on that, exactly.
You did what in your dad's office?
I didn't, I'm just...
All right, well I've just heard you say it, haven't I? I can take that audio, thank you very much. That's a cheap fake.
We are sponsored this week by our friends at LastPass. Now Graham, isn't it something like 90% of security breaches involve a stolen password or a poor password?
Yeah, stolen passwords, poorly chosen passwords, reused passwords. Passwords are really sort of the hinge pin of so many security attacks which happen, which means that you probably want an enterprise password manager like the one offered by LastPass.
Listeners can learn all about LastPass Enterprise at lastpass.com/smashing.
You don't have to say forward slash, by the way, Jan, just say slash, just so you know. If you're baffled by threat intelligence and how it might be able to help secure your company, the Threat Intelligence Handbook from Recorded Future is the book for you. It'll tell you what threat intelligence is and what it isn't, and you'll learn how other firms are applying threat intelligence inside their organizations. Grab it now for free at smashingsecurity.com/intelligence.
And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week. That what? Pick of the Week. It's the one thing a guest has to do. It's the one thing we ask them to do. Every time. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, it could be a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily. Better not be. Well, I am going to go back in time once again for my pick of the week, but further back in time than normal, I'm going all the way back to 1868. Oh, do you remember that time? I don't remember that time, no, no, but there was a book published, a mechanical encyclopedia published by a chap called Henry T. Brown. Have you heard of 507 Mechanical Movements? No. Mechanisms and devices. It's a classic. Are you trying to prove to the world that you're quite intelligent?
No, I'm trying to prove to the world I've been on Wikipedia. I heard it here first, Graham. I heard it here first. So this 507 Mechanical Movements, its subtitle is, it embraces all those which are most important in dynamics, hydraulics, hydrostatics, pneumatics, steam engines, mill and other gearing, presses, horology and miscellaneous machinery. Now, I'm not recommending as my pick of the week the actual book, which is now in the public domain. You can go and check it out. But instead, a website which has taken all these mechanical movements and has animated them. So you don't have to read any words. Cool. Which is my preference. So if you go to 507movements.com, you will see a number of these things. And go there and click on some of the ones which are in red there, and you will see little animations of gears moving and pulleys going in reverse. Yeah, it's kind of cool, Graham. It is kind of cool. And levers moving. And there's 507 ways that they've documented in this ancient book.
I'm tweeting this to my nephew right now. I think they're going to be in heaven.
Graham, did you notice that some of these don't have the animations? Is that right? Or is it just my internet that's broken?
Not all of them have yet been animated, sadly, but a good few have. This is fantastic.
I've seen about one out of five so far have been animated. No, I'm not sure if it's quite that bad. I think it's quite good. But it's rather lovely to watch. I'm going to use this to teach my four-year-old. It's fantastic. Exactly. And myself.
Exactly. And you can sound really knowledgeable by just reading the script at the bottom. This is a screw propeller, son.
Obviously. Seriously. Or dot. Yeah. It is worth looking through because it is especially with the animations, you really get a sense for how these different things work and how ingenious it all is.
I find it wonderful that these things all have names. Have you ever had these conversations where you try and describe to someone that kind of mechanism? You know, that thing that the engine where it pushes down those other things that go around that turn the gears that turn the wheel? And actually all those things actually have names. Yep. 4.06 doesn't.
4.06 doesn't. Nope. I think Carole is just in a bad mood. I'm looking at a triangular eccentric at the moment, giving an intermittent reciprocating rectilinear motion. Apparently it was used in France for steam engines. For the guillotine. Oh, for steam engines. I have to say, I don't know if we're selling it very well on a podcast, but I do think it's a very good website, Graham. I think people should check it out, particularly if you're into engineering or you have kids that like things that move around. Right, right.
507movements.com. And that is my pick of the week. Good pick, Graham. Thank you very much. Charles, what is your pick of the week? Well, before I give you my pick, Graham, I have a test for you. I need you to try and pronounce me the word that is spelt X-H-O-S-A. X-H-O-S-A.
X-H-O-R. Now, I've got a feeling like, well, I'm sure I can't pronounce it correctly, but I think I know what language this is. And, Carole, do you have any idea how you say this? Because I think it's quite unusual, isn't it? It's not like... Frank. It's not Frank. I think it's not Frank. It's not ex-hosa. It's not choza. But isn't there some clicking or something? Isn't it like... There's some clicking, yeah. Can you do it for us?
You know, I'm not very good. I learned this language at school, but my tongue is not accustomed to it, but I'm going to do my best. So the word is Xhosa. X-H-O-S-A is Xhosa. Yeah, and it's the name of a South African tribe and a language. We have 11. And they have three clicks. There's the X, which is, and the C, which is, and then the best one is the Q, which is. Oh, I like that one. So, for example, my son's nickname is Kakambile, which means the light. Anyway, the reason I mention it is because my pick of the week is a book by a South African author called Trevor Noah, who is unusual in South Africa because his mother was a Xhosa and his father was a Swiss German.
Is this Trevor Noah, Trevor Noah?
Trevor Noah. The comedian, yes. Who took over from Jon Stewart as host of The Daily Show. So long before he was hosting The Daily Show, he was a stand-up here in South Africa. Extremely funny. Really, he's the kind of guy that you can only listen to for little bits because you start to hurt in all kinds of places. A bit like Carole.
I listen to her for a while and I begin to feel quite painful. Yeah, I get it. And he does a sort of comedy that's very local. So, you know, as a South African, you can really relate to him.
So what's the book about? So the book is a memoir. It's called Born a Crime, Stories from a South African Childhood. Okay. I'm going to take a look for that.
Yeah, and it's called, what was it? Born a Crime. Stories of Growing Up in South Africa. Okay. Thank you very much. Good pick of the week.
Okay, so I'm going to use my tween niece's vernacular here. I love me some trees. That's how she does. Anyway. So I'm visiting family right now, as we all know. And my parents have a rather manicured garden, you know, full of flower beds and trees and all this. And my mom is often out there weeding, weeding, weeding, weeding. And I was watching her the other day just pulling out all of these baby maple saplings and throwing them into the compost. And I, who love trees, think, why aren't we putting those in little clay pots and see what happens? What a fab present that would be for someone, yada, yada. So my pick of the week this week is actually an article that I saw in National Geographic. And it basically talks about how using Google Earth, scientists have found almost a billion hectares of land that is basically good for plants. So we could plant forests on that almost one billion hectares, restoring gigatons, hundreds and hundreds of gigatons of carbon back to the atmosphere. So this is based on a report that was published last Thursday in Science, and it's called the Global Tree Restoration Potential, and found there's enough suitable land to increase the world's forests covered by one third without affecting existing cities or agriculture.
Amazing. Amazing. See, technology for the good. This is a super clever idea, but it is yet still just an idea. And if we want to help curb the glut of carbon emissions, plant a freaking tree. I think, Carole, you need to scrabble around in your mum's compost heap right now and pick out those saplings.
Maybe you can find some old wrapping paper in there too, Carole, for Graham's Christmas gift. Carole, you know what the other technique is you could use to reduce carbon emissions by 25%? I heard this is legit. You feed garlic to cows.
Apparently, feeding garlic to cows reduces the amount that they — And we've said it before, so I'm just going to say it. Did you read this on the internet?
I saw it on TV, Graham.
Oh, that is completely believable. It must be true.
I'm sure they wouldn't have found it on the internet. But apparently it's not universal, so it depends on where the cow is from and what they eat. But for certain kinds of cows, if you give them — it's the garlic extract, whatever the sort of active ingredient in garlic is — it significantly reduces the amount of methane in it.
How evil is this? Which is the scientific part. I have heard before that if we stopped eating beef and instead we switched over to kangaroo meat, that would be good because apparently kangaroos don't fart.
Or just go vegetarian, Graham.
That's also a possibility. Then we'd be increasing our emissions as well, wouldn't we? Wow, well this is — well on that bombshell I think we've just about wrapped up the show for this week. Charles, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
Graham, the best way is to follow me on Twitter. I'm gonna have to spell out my Twitter handle because it's a bit complicated, so it's Charl VD Walt, which is C-H-A-R-L-V-D-W-A-L-T. That's without a G because Twitter wouldn't allow me to have a G in my phone or online secdata.com S-E-C-D-A-T-A.
Fantastic, and you can follow us on Twitter at SmashingSecurity — no G. Twitter allows us to have a G. And we've also got our website at smashingsecurity.com. And maybe you want to check us out on Reddit or indeed our online store where you can get mugs and t-shirts and things like that — smashingsecurity.com/store.
And as always, huge thank you to this week's Smashing Security sponsors, LastPass and Recorded Future. Their support helps us give you this show for free, so be sure to check out their offers. And fist bumps to you listeners out there, especially those of you who get in touch with your emails and reviews and your shares. They all mean the world to us.
Until next week, cheerio. Bye-bye. Bye.
Don't forget Aunt Mimi. Don't forget Aunt Mimi.