
If you have a Nest security camera in your home, please make sure you have enabled two-step verification (2SV).
That way, even if you have made the cardinal sin of choosing a password for your Nest camera that you have previously used somewhere else on the internet, it will be much, much harder for a hacker to hijack your camera and demand you subscribe to PewDiePie’s YouTube channel or put the fear of God in you that North Korea has launched a missile in your direction.
The current wave of hacks isn’t the result of a software vulnerability in Nest’s internet-connected cameras, but of the bug in users’ brains that makes them reuse the same passwords across multiple accounts and devices.
Password reuse is one of the most common mistakes people make and one of the riskiest things you can do on the internet. You should have a unique password for every account – and if you find it hard to remember them all (I can’t imagine how you *could* remember them all), use a decent password manager to do the job for you.
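To make the point concrete, here is an added example (it is not Nest’s code and does not come from this article) of how a second step changes the outcome for a reused password. It implements TOTP exactly as RFC 6238 specifies (HMAC-SHA1 over the 30-second time step, RFC 4226 dynamic truncation) and a small login check that refuses a correct password unless a valid code accompanies it. The `Account`, `login` and `demo` names are hypothetical, the “leaked” password is constructed, and the TOTP secret is the RFC 6238 test-vector secret rather than a real key.

```python
"""Added example (not from the article or from Nest): a minimal login check
showing how two-step verification blunts a reused or leaked password.
Account, login and demo are hypothetical names; the password is constructed."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

PBKDF2_ROUNDS = 200_000
STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the epoch."""
    return hotp(secret, now // STEP, digits)


class Account:
    """Stores a salted PBKDF2 password hash and, if 2SV is enabled, a TOTP secret."""

    def __init__(self, password: str, totp_secret: Optional[bytes] = None):
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        self.totp_secret = totp_secret  # None means 2SV is not enabled


def login(acct: Account, password: str, code: Optional[str], now: Optional[int] = None) -> bool:
    """True only if the password matches and, when 2SV is on, a valid TOTP code is supplied."""
    now = int(time.time()) if now is None else now
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, acct.pw_hash):
        return False
    if acct.totp_secret is None:
        return True  # password alone is enough, so a reused password is game over
    if code is None:
        return False
    # Accept the current step and one on either side to tolerate clock drift.
    for delta in (-1, 0, 1):
        expected = totp(acct.totp_secret, now + delta * STEP)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return True
    return False


def demo() -> dict:
    """Constructed scenario: one password on two accounts, and an attacker who knows it."""
    reused_pw = "correct horse battery"   # constructed; assume it leaked from another site
    secret = b"12345678901234567890"       # RFC 6238 test-vector secret, not a real key
    without_2sv = Account(reused_pw)
    with_2sv = Account(reused_pw, totp_secret=secret)
    t = 59  # fixed clock so the result is reproducible (RFC 6238 test time)
    return {
        "no_2sv_leaked_pw": login(without_2sv, reused_pw, None, now=t),       # True
        "2sv_pw_only": login(with_2sv, reused_pw, None, now=t),                # False
        "2sv_wrong_code": login(with_2sv, reused_pw, "000000", now=t),         # False
        "2sv_owner_code": login(with_2sv, reused_pw, totp(secret, t), now=t),  # True
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'login OK' if ok else 'refused'}")
```

The only thing the attacker in `demo` lacks is the TOTP secret that never left the camera owner’s phone, which is why the same leaked password logs in on the first account and is refused on the second. The one-step drift window and the constant-time comparisons are the two details a real implementation also needs.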
Oh, and if you’re not sure why some people are using hacking techniques to encourage people into following PewDiePie on YouTube, just listen to this recent episode of the “Smashing Security” podcast:
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Some have bought physical ads above urinals. So when people go for a wee— Above what? Urinals.
What?
Urinals.
What is a urinal?
What do you call them?
Urinals. Urinal, that sounds like a creature next to the elephants at the zoo.
Smashing Security, episode 109. Phishing, Grinches Target Amazon and Reddit, Stealing Christmas from the Poor with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 109. My name is Graham Cluley.
Ho, ho, ho, Graham. I'm Carole Theriault.
Is that how you introduce yourself now?
Yeah.
From now on. You got two sisters.
It's on our business card.
Yeah. We're joined by our special seasonal guest, Dave Bittner from the CyberWire podcast. Hello, Dave.
Hello. Welcome back, Dave.
Thank you. Thank you. I'm everyone's second favorite recurring guest.
Oh, certainly not first, right?
No, no, no.
Don't get too confident there.
Always a bridesmaid.
That's true.
I might not even be second. I could be way down the list.
Probably in the top 4. Top 4, I think. On a good day. Anyway, on today's show, we've got coming up for you, YouTube channels at war with each other and it's spilling out into internet warfare. We have the strange mystery of what Google are doing with YouTube videos which might surprise you, and Christmas Grinches as well. All coming up on today's Smashing Security. Well, ladies and gentlemen, I have some bad news. I have to announce that there is war on the internet. Conflict is going on. It's not between Russia and America this time. It's not the Chinese stealing our intellectual property. It is much more serious than that. For the last two months, two YouTube channels have been at war for the title of the most popular channel. In one corner we have the Swedish YouTuber PewDiePie.
How's it going, bros? My name is PewDiePie!
And in the other corner we have the Bollywood Indian music label channel T-Series. And they both want to be the first to get to 80 million subscribers.
So that would make them the biggest channel on YouTube if they had 80 million.
Yep. And PewDiePie has been the most popular for quite some time, but T-Series has been zooming up and growing much, much faster. And so the fight is on who can get to 80 million first. Now, I don't know who started this fight, but both sides are participating, encouraging their fans to get new subscribers and putting up messages. And things have got a little bit out of hand. Can you believe?
Sorry, before you start, how many YouTubers were they starting with? Are we talking that they have 30 million and they have to get to 80, or is it—
Well, they started with zero, Carole. Everyone starts with zero.
When they started this competition, Graham? Well, well, we don't know. Okay.
That is something which hasn't specifically been researched.
Okay, I'm sorry, I exposed your little Achilles heel.
That's fine, that's fine. Not a problem. And some of the guerrilla marketing which has been taking place on behalf of the two YouTube channels has taken a distinctly criminal turn, in particular in the case of PewDiePie's supporters.
Okay.
For the past couple of months, someone calling themselves the Hacker Giraffe has— what's funny about that?
Wind your neck in.
It's like being a cracking tortoise, I guess, or a penetration testing porpoise, or, you know, anyway, the hacking giraffe has been—
Hacker Giraffe.
Oh, sorry, the Hacker Giraffe. I hate to get my giraffes mixed up. He has used a tool called PRET, the Printer Exploitation Toolkit.
Not the sandwich people.
No, not Pret à Manger. He's been using the Printer Exploitation Toolkit to hijack over 150,000 printers. He scanned with Shodan, which, as you probably know, is the search engine for finding insecure things on the internet, things which are connected to the internet. He found over 800,000 printers connected to the internet. 150,000 of these devices he has now accessed via port 9100 and told them to spew out flyers and messages urging users to subscribe to PewDiePie's channel.
So is this someone from PewDiePie?
No, I don't think so. I think this is just a fan. I think this is just someone who thought, oh, this would be really easy to do, let me do it. Because this kind of remote hijacking of printers isn't new. In fact, we've spoken about this I think in one of the early episodes of Smashing Security when someone did it before, spreading a sort of an awareness message telling people to close and secure their printers better.
A bit 1990s though, come on.
It is rather. Yeah. And he sent a little bit of ASCII art and—
Oh, I love ASCII art.
Oh, now it's all right.
I like them now.
Now you can do anything you want these days, right? You can mug an old lady, but leave a piece of paper with some ASCII art and Carole's happy about that. Great.
Now, Graham, has this affected you? Because you're sort of the poster child for printer security.
I think you're referring to when my wife began to print out a long document.
I see, so it's her fault.
Yeah, well, no, my printer—
It's never Graham's fault. It's usually your wife, Dave.
I do not believe, although I'm prepared to be found out wrong, I don't believe my printer is connected to the internet, so I think I'm safe.
Have at it, listeners.
Yeah, thank you. But anyway, the messages which are being printed out tell people to unsubscribe from T-Series, subscribe to PewDiePie instead, and share awareness with the hashtag #SavePewDiePie.
How do you know it's PewDiePie and not PewDiePie?
Because this guy is a social media star, Carole. Anyone who's—
I live under a rock.
Yeah, I know it because I have kids, and so I hear his name thrown around every now and then.
Do you have any opinions on him? Do your kids watch him or anything like that? Do you know?
Well, no, I'm not a fan. I think they find him annoying.
Yes, tick.
And he certainly had lots of controversy. He was the one who did the whole thing with the suicide forest. That was him, wasn't it?
No, that was another YouTuber, I think. Yeah, the guy who found the— it was really grisly, wasn't he? Found a body hanging in the forest. I think that was a different YouTuber. But certainly PewDiePie has had his share of controversy, which we will be coming to.
Now, the Hacker Giraffe. This fan who apparently is trying to get everyone to subscribe to PewDiePie, right?
Yeah, the Hacker Giraffe has been able to generate some cash for his printer hijacking exploits. He set up his own Patreon page, and at the moment he's earning $470 per month for doing this. So I imagine these are other PewDiePie fans who are keen for him to carry on spreading the message. He says, by the way, that he will, quote, shit my pants. Well, sorry, he says he will shit my pants.
I thought you were trying to do the ad, ship my pants.
No, no.
Are you sure you didn't misunderstand it?
Shit my pants if he gets to $500 per month. That's his pants, I think, rather than my pants.
Who would want to do that?
Will he do it on YouTube?
Will he take a picture?
I don't think he's being literal.
I mean, I think maybe he found what's going to put him over the top here, right?
I mean, anyway, the point is PewDiePie fans are going out of their way to promote their YouTube hero. Some have bought physical ads above urinals.
So when people go for a wee— Above what? Urinals. What? Urinals.
What is a urinal?
What do you call them?
Urinals.
Oh.
Yeah, I don't like the word either.
Urinal, that sounds like a creature next to the elephants at the zoo. Urinals. Anyway, those.
So some have bought ads there. Another guy called MrBeast, he's another YouTuber, he's bought local TV spots and billboard space in New York's Times Square.
Are you kidding?
No, I'm not.
This is the most famous billboard in all of Times Square, and it's the biggest one, the biggest advertising billboard in all of Times Square.
It's about to say subscribe to PewDiePie on it. This is going—
We're about to break the internet.
There! Oh my gosh, it's up there! There it is! We did it! We did it! It's up there! Subscribe to PewDiePie right now, guys!
He did this!
Oh my gosh!
Another guy has done the same in Mumbai. So he's bought ads. So, you know, you have to think, why are these people doing this? Why are these people spending all this money?
Well, there's going to be a huge amount of money. It's got to be money.
Well, the reason why they're doing it is PewDiePie then features their activities in his videos. That's their incentive. They get their fame. Millions of people see that they bought ads in Times Square or in Mumbai or above the urinal.
And it's a virtuous circle.
And that encourages other people to think, oh, I wish I was in a PewDiePie video as well. What should I do? Oh, maybe I'll tattoo my forehead with a message telling people to subscribe to PewDiePie. They haven't done that yet, but it's only a matter of time, Carole.
OK, so it must cost a ton of money to have an ad in Times Square.
You would think so, wouldn't you?
I don't think it does, actually. I think there's one of the video screens that just shuffles through different content. I think they have a way you can buy basically a 10-second happy birthday kind of— put any kind of message up there. And so the idea is you schedule that and then you stand in front of it and you take your picture in front of it and it says, happy birthday, Graham and Carole. Congratulations on your 80 millionth YouTube subscriber, whatever.
Well, if you want to make it to number one spot, Dave. I have an idea.
Yes, don't tell Maria.
She's probably—
She's logged on right now.
She might be listening.
She might be.
Anyway, so PewDiePie is featuring them in his own videos, and that's of course encouraging even more craziness. And now the latest thing: earlier this week, part of the Wall Street Journal website was defaced with a message in support of PewDiePie. And the message said, "Wall Street Journal would like to apologize to PewDiePie. We have now fired some of our journalists. We're now sponsoring PewDiePie to reach his maximum subscribers and beat T-Series to 80 million. We'd also like your credit card number, expiry date, the lucky 3 digits on the back to win the chicken dinner in Fortnite," they say. And that's not unusual, is it? And that's true of so many sites, Facebook or LinkedIn or any of these things. And they have a link to PewDiePie's YouTube channel. Now that obviously wasn't a real story posted by the Wall Street Journal's news journalists. This was a case of a hacker who'd managed to breach part of the WSJ website where they post sponsored content. In this case, it was placed in Oracle's section, and so plenty of people have seen this. They've now fixed the page, but there must have been some security issue which allowed the hacker in. Now, why did they target the WSJ? Well, my suspicion is because the WSJ and PewDiePie have something of a checkered history. Back in January 2017, millions of people saw a video by PewDiePie that included some images of two men laughing as they held up a banner that read "Death to all Jews." Now, yes, exactly. Now, surprise, surprise, that didn't go down very well with some of the brands like Disney who were supporting PewDiePie. They severed their links and PewDiePie got in some trouble with YouTube as well. But a lot of PewDiePie's rabid followers didn't like how the Wall Street Journal reported that story. And that's probably why they've been targeted.
And the very latest is that the Hacker Giraffe, the guy who's breaking into all of these printers in order to post this message, he apparently disapproves of the defacement of the Wall Street Journal website. He says he doesn't think it was cool, doesn't think it was awesome. It was plain illegal, he says, and did nothing except cause media outrage. Whereas going around getting some innocent people's printers to churn out all of this garbage, that apparently is completely acceptable.
Potentially, if you say something is private, you mean private from other people on the internet. You don't necessarily mean private from the service which you're actually using.
Is that a cockwomble?
I mean, I think the most likely one for me is it's a lols thing. It's riffing off The Grinch Who Stole Christmas. And it's going to be bored kids just being douchey.
I don't know, never underestimate the destructive impulse of a teenage boy.
Well, you would have been pretty disappointed had McCartney not been there after paying for tickets.
Mm-hmm.
I'm being sarcastic. I don't think that is acceptable at all.
This whole thing is just a pile of stink. It is, right? The whole idea, the 80 million subscribers. Who cares? Who cares?
Right.
Yeah.
Right.
Yes, we do, that's true.
Yeah, exactly. Who cares?
What a strange celebrity they enjoy.
Yeah, well, maybe. I mean, imagine, you know, if you haven't got very much great going on in your life, if PewDiePie gives you a shout out in one of his videos, that might make you sort of, you know, feel like you're cooler in your little social vacuum.
Can I just say it wouldn't? It wouldn't.
It wouldn't to you?
No. I'll tell you what really annoys me. The Hacker Giraffe doing this thing, right? So it was basically the guards got more violent if they were left unchecked? Yes. How is it not breaking the law? Right. And then there was the marshmallow effect.
Right, that's what I was gonna say. Does it run afoul of the Computer Fraud and Abuse Act? If you have unauthorized access to someone's computing device, that's not cool.
Do you remember that one?
It would seem like that to me. You could say theft of ink, theft of paper, couldn't you, as well?
Right.
Just taking control. It's like, you know, it's taking control of a device that doesn't belong to you.
Correct.
End of.
This is interesting though. So yes, hacking giraffes, we don't like you.
Yeah. Next.
I mean, there's— Clear off. Dave, what's your story for us this week?
Well, before I get to my story this week, I have a question for you, Graham.
Oh, yes.
Yesterday I was over in the linguistics building on the CyberWire campus.
Were you mangering a little sandwich of avocado and roasted eggplant?
Yeah, well—
You travelled over there on your Segway?
No, actually I took the monorail. And this is a long walk and it's cold out there this time of year. And the poor sap who was manning the foreign idiom desk pulled me aside and he wanted me to ask you what the term cockwomble means. Evidently you used that in some of your writing in the past few days and it left us here on our side of the pond, besides not knowing what a urinal is, we are puzzled as to what a cockwomble is. So what is a cockwomble, Graham?
So you can probably guess half of it. Are you familiar in the United States with—
Half chicken.
Are you familiar with the residents of Wimbledon Common in London? Over in the United States?
I'm sorry, what? No.
So you aren't familiar with Wombles? Wombles are a British institution. They are the creatures who live— well, they work underground and overground, and they come out and they clean up all the mess that humans leave behind.
You guys need a few of those in the States right now.
This is a series of children's books and a wonderful TV show way back in the '70s. My favourite Womble was, of course, Orinoco.
"Edmondson!" That's woken an Orinoco up. "What's that? What's that? It's a wild animal roaring. Oh, it must have been a dream. Oh dear." But he—
Yeah, they're lovable creatures, and somehow this is a portmanteau word which is used in Britain to suggest a person may be of dubious character. Someone who we don't have a very high opinion of is a cockwomble.
You can go to thecyberwire.com and it's all right there.
You can follow— well, I've heard some of their guest correspondents are very good. From you, at least, Carole, is what you've told me.
You can also follow us on Twitter @SmashingSecurity. Twitter wouldn't allow us to have a G.
It was, it was more kind of just the themes of what we talk about sometimes. It just became so difficult deciding, is this explicit or not? It's just, why don't we just label them all as explicit?
And you would say it like, Graham, you're such a cockwomble.
You know what? Yeah, exactly.
Exactly like that.
Yes. We do have that explicit tag, don't we? Yes. Right. Good.
Okay. Well, next time I'm over on that side of the CyberWire campus, I'll be sure to check in and let them know.
Don't use it at passport control at Heathrow, though. Try not to use cockwomble. Don't greet.
Don't greet.
Don't pretend you're Dick Van Dyke. Oh, right, mate. Oh, blimey, governor, you cockwomble.
Good morning all you cockwombles, how are you all doing today? Right, got my cockney rhyming slang at the ready. Yeah, very good. Shall I move on to my story?
Yes, what's your story for us? Please.
Please.
So this story comes courtesy of Danny Bradbury from the Sophos Naked Security blog. This is about a programmer who found an interesting behaviour in the way that YouTube analyses uploaded videos. Now this gentleman, his name is Austin Burke, and he had uploaded a video that was demonstrating a cross-site scripting vulnerability that he discovered. So it sounds like basically he was doing a screen capture of a process that he was demonstrating. No, no. He wanted to disclose this cross-site scripting vulnerability, so he made this video.
Demonstrating vulnerabilities, you'll do a simple little video showing it off. Right, okay.
Now he had marked this video as unlisted, which means it doesn't come up in search results. But he discovered that moments after he uploaded the video, that there was a URL that appeared on screen in the video. The URL didn't appear in any of the metadata. It wasn't in the file name. This URL got crawled within minutes of the video being uploaded. Wow. So this got Austin's attention, and he decided to do another test. So he created another unique URL. This time he uploaded a video and set it to private, which means only someone else who has the password to see the video should be able to see it. Yeah. And sure enough, within minutes, this brand new unique URL was also scanned and crawled.
Well, this is fascinating, isn't it? Yeah.
So it seems as though YouTube is performing OCR on the video. And whenever they see a URL, they go out and crawl it. So what's the problem here, right? So Austin, in his, he did a blog describing this, and he said, imagine a security researcher has found a critical vulnerability in a site and has crafted a URL that will trigger it, causing harmful effects to the website. So during a video that was uploaded to YouTube, if YouTube sees this URL, they go and crawl the site, trigger the SQL injection, and break the site. So what's interesting, I think, about this is that evidently private on YouTube doesn't mean private from YouTube. Quelle surprise. Yeah.
So who would be guilty of the exploitation then? It sounds like Google has just basically exploited a vulnerability on somebody else's site. They trip the bear trap.
Yeah, isn't it? I don't think I'm following. Okay, so on my video, I display a URL. Correct. That's a private video. Google, through OCR, grabs that URL and tags it in what? The URL isn't for the private video crawl. The URL is the SQL injection vulnerability. So it'll be a URL to a particular web server which demonstrates a vulnerability. Right. And when they do, that triggers the SQL injection. Gotcha. And breaks the site. It's clever.
Or what, Dave, if I was sending you a private message and it was burn on receipt, so you only get one chance to look at it. And so I'm sending you—
What would it say? I hate Crawl. Want to replace her. Yes, exactly.
A secure message and say, look, you've just got one time to read this. And before you even get to look at it, I don't know why I would have included this URL in the video, but anyway, Google would have gone to it and it would have been zapped.
Yes, chances are they would have gotten to it first.
But from a security standpoint, there is some advantages to trying to stop misinformation from being spread.
And I suppose the lesson is, if you're going to share a video, don't do it on YouTube. The YouTube private on YouTube doesn't mean private from YouTube.
Exactly. Exactly, yes.
Though I think many people who are doing anything on the Google platform must understand that privacy is, you know— Yeah, that's probably true 99.9999% of the time.
So has there been any word from Google as to exactly why they are— have they given any explanation? I mean, you've some interesting theories you've come forward with. No, they haven't. And in his blog, Austin Burke goes and looks into it and basically says that Google has said very little about this. I wonder if you were, for instance, to be going down the street just videoing stuff out of your car window and you passed by a shop or you passed by a poster which had a URL on it as well, whether Google has the ability to pick that up, scrape it, and visit it.
I'm sure they do. Yeah.
Yeah, why not? It's kind of spooky the way the world's going, isn't it? Incredible how they can gather so much information.
Isn't it just, Granddad?
I think of things like if you upload a video that has metadata, that has location metadata, let's say you upload, like we see all these Russian dashcam videos and there's dashcam videos from all over the world. Well, if they have location metadata, and you can cross-reference that with license plate data, suddenly here's another way for you to gather data about where people are when.
It's a bit like that TV show from America, isn't it? Is it Person of Interest? Yes. Lots of people all over the world.
You are being watched. The government has a secret system, a machine that spies on you every hour of every day. I know because I built it. I designed the machine to detect that.
Best intro ever.
Zoom in, magnify, enhance.
Turn, yeah, enhance. That's my favorite. Enhance. Yeah. I saw one once where I can't remember what the show was. Was it CSI? Yeah, CSI Miami.
I remember the episode, and they got the reflection from the—
Yeah, there was one image. Yeah, I remember this was years ago, and it's a shame Maria's not here because she'd enjoy this.
I think it's a shame she's not here as well, Dave.
Yeah, she's number one, remember that.
Our listeners wish she was here.
Every episode that she's not on, all the listeners say it's really a shame Maria's not here. Shame. How do you hold a moonbeam in your hand? So ask Maria. Yeah, they— someone said every episode of Star Trek: The Next Generation, someone would alert them that there was a ship nearby, and Captain Picard would say, "On screen," and this little tiny dot would show up on the screen, and he'd say, "Magnify," and then the thing would show up. But just once they wanted him to say, "On screen so I can see it, damn it!" If he had to say "magnify" every single time, you think Commander Data would know? No, that's okay. Anyway, I digress.
Carole, what's your story for us this week?
Well, okay, to start this story, Dave, I want you to imagine that you have fallen on hard times.
I'm there.
Okay, you've drunk bleach.
Ooh!
Thinking it was elderflower cordial or something, thereby losing your voice. Bye-bye radio career. Rather than the dulcet-toned singer and podcaster, you sound more like Gollum gargling gummy bears. Really not pleasant. And your family, of course, are very sad. Very sad, right? They miss their papa belting out the show tunes in the shower.
That is true.
But they know it's also Christmas time and the big day's just around the corner. And little Ricky so wanted a Sudoku book. You know, little toddler Frank will go crazy for glow-in-the-dark stars.
It's like you're in my house.
And even these tiny little presents are out of your financial reach because CyberWire and the campus have outed you, right? Because you can't work anymore. So yes, it's all boo-hoo-hoo in the Bittner household.
As you all would say, I've been sacked.
Exactly. And there's not a twig of hope. But wait, wait, Dead Voice Dave. There's this little thing on Reddit called Santa's Little Helpers. Now Santa's Little Helpers is a kind of Reddit wiki dedicated to helping out others with non-monetary gifts during the holiday season. Reddit coordinators called mods volunteer to help coordinate people who request gifts and people who want to donate gifts. So as an idea, it's pretty sweet, right?
Okay.
So here's how it works. Okay, so you would create an Amazon wishlist with the Christmas items you're hoping for, and you'd make it public. You would then register this wishlist with Santa's Little Helpers, and once approved, you can make your appeal on their wiki. So you would write about your bleach problem, your Gollum voice, you might showcase your kids and say how great they are, and then you'd provide finally a link to your kids' Amazon wishlist. And the game plan will be that someone might feel for your story and want to help you out. Everyone with me?
Yeah, yeah, I understand.
Okay, sounds like a nice idea.
Right? Yeah. So Dead Voice Dave, you would publish your request and then you would check in on your wishlist to see if any items had been hopefully purchased by a secret Santa of sorts. And then, of course, you can woohoo rather than boohoo, right? Because some kind stranger has bought your prezzies if you see that they're missing from your wishlist. So every few hours you're checking your list, Dead Voice Dave, and then one day the presents for your kids are listed as purchased. Boom. Sudoku book and glow stars on the way. Happy days. And you can't believe how effing great the world is. Good people exist. You go to the subreddit, Santa's Little Helpers, and you publicly thank the giver. And that giver could be anonymous or not, but still, you might do a public shout out for the presents, and Christmas is back on, baby. Can I say, Carole, it's so refreshing to get a happy, positive, heartwarming story. Here we are just before Christmas, and I think this is nice. Or is it?
Dun dun dun! What? What plot twist? It turns—
I did not see that coming. It turns out that rather than purchasing your items, someone, quote unquote, visited your wish list and tagged the items as purchased by another seller. Graham, will you help me demonstrate what I mean here?
Is it? And so I— well, if you want to share your list with everyone, go ahead. But I see it right here.
And so I could go ahead and buy this for him and get it sent over to him. Or maybe instead, to mess with him, I could click the "buy this gift elsewhere" button, which opens up a pop-up and says, "Yes, cancel this request, mark this item as purchased."
Oh, so you haven't bought it from Amazon. You've said you've bought it down the local personal massage shop where you have an account already, and so it gets taken off my wishlist. So no one else purchases me one because I'd obviously only need one.
Exactly. You go in, Dead Voice Dave or Graham, you know, and you're thinking, "Wow, someone's answered my present prayers." But then after a bit of digging, you realize that someone has just— and here's the word du jour— Grinched you.
You're a mean one, Mr. Grinch.
Effectively canceling Christmas, stealing Dead Voice Dave's Christmas. So the Grinch is stealing Christmas from the poor needy.
Oh, you're a monster.
Why would people do this?
Because the Grinch Who Stole Christmas is— I think it's just a meme.
Your brain is full of spiders. By the way, that voice— Dave, how nicknames get started.
Now this Grinching has caused no end of problems, so people are having to repost their items, they have to retract preemptive thank-yous, they have to re-register with the Santa Little Helper program because they were ticked off as done and fulfilled. And it's getting very close to Christmas now, so the chances of getting the goods delivered in time is fast disappearing.
So you don't have to do this via Reddit. If you had an arch enemy, you can search for their wishlists— you can search for public wishlists on Amazon. Yeah, go check yours out now.
Hehehe.
And you can mark everything as already bought, and then their auntie or their grandmother or whoever doesn't buy it for them for Christmas and they end up with socks and pants and things they don't want.
Well, and the other thing is, I could imagine someone having fallen on hard times trying to reassure the children. "Well, kids, I know there's no food to eat, but good news— Christmas presents are on their way." And then they're not.
This is rather heartless, Carole.
Oh yeah, it is. And it's causing a huge storm on Reddit, right? So there's people writing things like this Redditor called SeagoingCook wrote, "Whoever did this, I hope you're aware that you've destroyed the hopes and dreams of innocent children. Children have done nothing to you. You might think by doing this you're hurting the parents who have no other way to provide Christmas, but you're wrong. You hurt the children. This makes you scum of the lowest degree. I'd like nothing better than to take you out to sea and throw you overboard." And then he gets supportive replies like, "I'll wrap the anchor, drive the boat."
I've got another theory.
Yes, well, that's what I wanted to go into. I wanted to go into theories. Why are people doing this? So go ahead.
Number one. Can I be terribly cynical and say that if I was competing with lots of other people on this Reddit forum to get a Santa's Little Helpers, maybe I would get more sympathy and get people more likely to buy Tiny Tim his cartoon book or whatever it is. If I said, "Oh, people have been removing them and all the rest of it, my Christmas is ruined." I mean, that's really cynical of me. And I hate to think like that. But it's not that funny, is it? It's not like you go, "Look what I've done." You know, it's not that— sorry for the laugh, but it's not that amusing, is it? But that surely is a possibility.
Well, what if you're miserable, miserable, miserable, and you want to share your misery because, you know, misery loves company, right? So spread the hate.
Exactly. The sub's mods are desperately trying to sort out the problem. Registered givers need to tell Reddit when a gift has been purchased so they can cross-check everything, and they're also telling people to contact Amazon support, I guess, to try and stop the culprits that are doing it, because presumably there's going to be a record of who actually canceled the gift, right?
And Amazon support are definitely going to follow up on those. They're going to handle that and say, "Well, let's find out who's friends with who." It's like a worldwide Secret Santa competition, Carole. No one's going to know if it was a legitimate purchase, they bought it somewhere else or not. And even if this idea of registering your gift giving on Reddit, that's irrelevant. You can still go to Amazon and cause the chaos, surely.
Well, I got to say, Dave, at least this Grinchy tale of life and woes has not fallen on you yet, right? Or your family. And you can still shout out and belt out Christmas show tunes.
I am not planning on drinking any bleach anytime soon.
I think Dave should sing us out. Go on, you want to be number one? Let's go.
Okay, let's see. You're a mean one, Mr. Grinch. How's that?
And welcome back. Can you join us at our favorite time of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like. Doesn't have to be security related necessarily. Let's not be. No, mine is not security related necessarily. This last weekend I was at a rock and roll concert held by Sir James Paul McCartney in London. And it was fantastic. He's amazing. He's about 76 years old. He was on stage for 3 hours, didn't have a sip of water, belted out about 40 songs. Incredible. And not only was I there, so was Ringo Starr. And Ringo Starr got up on the stage and he was in the crowd. There was this flurry of activity in the crowd. Everyone was pointing, looking the same way. And it was Ringo. And then Ronnie Wood from the Rolling Stones, he was there, but who cares about him? Slightly, yes. I'd have been even more delighted if the other two had been there, but they unfortunately have other commitments. Because I'm a Beatles fan. Hey! And they— oh no, he's all right, he's all right. Looks a bit like a crow. But anyway, no, but Ringo— Ringo and Paul McCartney were on stage. Anyway.
I would have run the other way. Anyway, if you get the chance, because chances are he won't still be doing this in 20 years' time, go and see Paul McCartney in concert. The way science is going today.
His carpool karaoke was pretty delightful as well. If you haven't seen that, it was— I have to say, I am warming— I'm more of a John Lennon fan, but I am warming more and more to Paul McCartney as he gets older, and I'm thinking he's an all right chap. He's obviously a musical genius.
You mean behind Ringo? Second greatest is still pretty impressive, I have to say. And it was thrilling for me and my young son to see Ringo on stage as well.
My pick of the week is a podcast. Must be a podcast too.
How embarrassing. Hopefully they're not the same podcast. Are you really having to plug your podcast? Oh, no.
That's right. Yeah.
We kindly produce a Christmas special without sponsored ads and you have to go and screw it all up.
Yeah, no, it's not my podcast.
Let me ask you, what is the name of your podcast, by the way, Dave? It's The Cyberwire.
Oh, very good. Yeah, TheCyberwire.com. Yeah, yeah. I have to ask, over on your side of the pond, what is the most well-known mythical beast? Oh, Nessie. Loch Ness Monster. Yeah, yes, Loch Ness. I, yeah, I think that's probably right. Well, over here in the Pacific Northwest, and that includes Canada, Carole, we have Bigfoot. Also known as Sasquatch. Has the Sasquatch been spotted since Carole left Canadian soil? That's interesting, isn't it? Have they ever been seen in the same place? So, this is a podcast called Wild Thing, and it is hosted by a woman who discovered that a distant relative of hers was actually one of the most well-known Sasquatch researchers in the world. Is this Auntie Jean?
That's right. Her name is Laura Krantz, and it's a series about the search for this mythical beast, but it's also about our search for mysteries. Why, after all these years, is this still appealing? Why do we find— What drives our desire to look for these things that go bump in the night, these mysterious creatures in the woods or in Loch Ness or other places? You know, my husband's uncle quit his life at one point and went and lived to try and spot the Loch Ness Monster for about 10 years. Wow.
He lived in a caravan. Is this weird?
Right on the lake. Yeah, mad. Yeah, I'm gonna cut that bit out.
How did it work out for him?
Well, he returned home, said he thought it was dead. Oh, oh yeah, yeah. There you go.
Fair enough. Funny story, Carole. His uncle didn't die.
He's still going strong. Okay, good.
It's funny, your husband, I mean, he's not mistaken for a Sasquatch, but sometimes people have thought he's a bit of a Wookie. He does look like one and sound like one sometimes. So my pick of the week— last year, actually, you might remember my pick of the week was Rare Exports, a Finnish Christmas horror film that is just awesome. And for those of you out there who don't like subtitles, it's mostly in English, so don't let that put you off. Dave was in it. He's still in it.
I still have the scars to—
Yes. Oh yeah, the kids resisting temptation.
That's right. Yeah. These are fairly well-known results. I certainly learned about them from textbooks in high school and uni and all that. What if I told you that there were huge question marks over the tests and their results and whether they're actually valid? Because when they have tried to replicate some of these tests, the results are radically different. And these two tests are not alone. It seems that many, many, many psychological tests that we have come to trust may not be valid. It seems the problem is that journals tend to want to publish things with flashy titles and equally flashy results. Surely not. It is. So psych researchers who want to succeed can be very tempted to skew results. I know you want to hear more. So basically, you can go check out a podcast called Analysis. It's from the BBC. And this particular episode is called The Replication Crisis. And I've heard many, many of these podcasts and it's great. So it's a total subscribe for the inquisitive mind. So Graham, maybe not bother.
There is, for instance, a scientific theory that the Loch Ness Monster may actually have died after swallowing bleach and choking on a marshmallow.
Well, I think it was despair that finally did him in. When other people had clicked on his gifts and there were no gifts in front of the tree for the little baby Loch Ness Monster. It's kind of cool though because this consortium of psychologists have got together to try and re-replicate the results of famous tests just to make sure that we're actually learning from real stuff rather than potential happenstance or something that might have been a little bit skewed. Really well produced, really well researched, really well covered.
All right, well, that just about wraps it up. And it just about wraps it up for Smashing Security for 2018. Oh, break it to them gently. Yeah, geez, it's our last show of the year, guys. We're gonna take a couple of weeks off. But we'll be back in January.
Shame you couldn't have gotten Maria.
She's opening the show for us in 2019.
She'll be here.
Of course she is. Of course she is.
Cannot wait. Dave, if people want to find out about— I can't even speak today. Dave, if people want to find out more about you or about the CyberWire, what's the best way to do that?
It's a great podcast, guys.
Fantastic. And you can follow us—
Thank you, of course, to all our listeners for your continued support throughout the year. It would be a futile experiment without you guys. We're going to be off the next few weeks, as Graham said.
Not a cockwomble among them.
That's right.
Until next time. Cheerio. Bye-bye.
Bye. Bye-bye. Bye, cock wobblers. Not wobbles.
A cock wobble is something else entirely. It normally happens when you're in your mid-50s.
Yeah, yeah, but there's a pill for that. It's a great time to be alive, isn't it, Jess? High five. Yeah. Of course we didn't forget. By the way, I noticed you guys aren't bleeping. You're not bleeping anymore.
We're explicit now. Yeah, we sometimes bleep.
Okay, if we say the C-word, because you Americans don't like it. No, we don't.
That's the one word that still has some punch over here.
If This American Life can be explicit and use swear words, I just think, you know, yeah, why not?
So free rein, Dave. Go crazy ape bonkers with your cocky piss flaps if you want to.
I just you reading my mind, Graham. I've been holding on to that exact phrase, waiting to come on this show.
Well, there's our teaser at the end.
I'm not gonna get that image out of my mind.
Happy holidays, everyone.
Do you have a password manager that you recommend, Graham? I've tried LastPass but in 2018 I received no fewer than 30 notices that someone in eastern Europe was trying to log into my account.
Hi BK
You say someone has been spotted *trying* to get into your account, but not that they've actually managed it right? In which case, it doesn't sound like LastPass has done anything wrong other than (perhaps irritatingly in your eyes) notified you of a failed attempt to break into your account.
Presumably you have multi-factor authentication enabled for your LastPass account?
https://www.lastpass.com/multifactor-authentication
If not, I'd strongly recommend turning it on as it's an additional security measure for your password vault that will make it more secure. I believe multi-factor authentication doesn't come with free LastPass accounts, but – to be honest – with something as important as passwords, it's definitely worth the investment.
I don't use LastPass myself. Not because I don't have confidence in the product, but just that I've used 1Password for many years. Other products I hear good things about include Dashlane and BitWarden.