
As ZDNet reports, the Israel Defense Forces (IDF) launched a military airstrike against a building in the Gaza Strip on Saturday.
That’s not the normal sort of story you’d expect a technology website like ZDNet to write about, until you realise that the IDF claims the building was the headquarters of Hamas’s cyberwarfare operations.
CLEARED FOR RELEASE: We thwarted an attempted Hamas cyber offensive against Israeli targets. Following our successful cyber defensive operation, we targeted a building where the Hamas cyber operatives work.
HamasCyberHQ.exe has been removed. pic.twitter.com/AhgKjiOqS7
— Israel Defense Forces (@IDF) May 5, 2019
According to Israel, Hamas launched an internet-based attack from the building, and that attack was repelled (no details of the nature of the attack have been shared). However, Israel’s military clearly decided that countering the attack in cyberspace wasn’t enough, and so things rapidly turned physical.
“We were ahead of them all the time,” said Brigadier General D., the head of the IDF’s cyber defense division. “The moment they tried to do something, they failed.”
Israeli officials did not disclose any details about the Hamas cyberattack; however, they said they first stopped the attack online, and only then responded with an air strike.
“After dealing with the cyber dimension, the Air Force dealt with it in the physical dimension,” said IDF spokesperson, Brig. Gen. Ronen Manlis. “At this point in time, Hamas has no cyber operational capabilities.”
ZDNet’s Catalin Cimpanu shared a video of the actual airstrike on Twitter.
Here is the video released by the IDF showing the air-strike against the building housing Hamas cyber forces. pic.twitter.com/uHm2ZYa4AP
— Catalin Cimpanu (@campuscodi) May 5, 2019
In the past Hamas has used its hacking prowess to hijack Israeli military drones.
This is the world we now live in. Expect more of this.
Hear more discussion on this topic in this episode of the “Smashing Security” podcast:
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
And I recorded a video of it. Not just the video, I even saved all your passwords, contact lists, and everything. I did all of this when you were in the bathroom trying to clean yourself.
So a few things here.
First, why didn't you ask Ran to read this out?
Smashing Security, episode 127: I Do Love the Dutch with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 127. My name is Graham Cluley.
I'm Carole Theriault.
Hello, Carole. Hello. And we are joined— Groom? We are joined this week by someone new to the show, a bit of a podcast star in his native country of Israel. It is Ran Levi, star of the Malicious Life podcast. Hello, Ran.
Hi, hi. Great to be here.
Hello, Graham. We are super stoked to have you here. It's awesome.
Thank you. I am super stoked myself.
Now, Ran, I'm sure lots of our listeners will already have checked out the Malicious Life podcast because, well, why don't you explain what it is and why people might enjoy it?
Okay. So my personal hobby is malware research and the history of malware. And Malicious Life is a podcast about the history of malware where we talk every other week about some obscure episode from the past of cybersecurity. Lots of interesting stories. I mean, some of them were rather famous back in the day, like the famous Morris worm from the 1980s. And of course, you, Graham, are a star of our show. I mean, I've interviewed you at least twice, I think, for the show.
Oh, is this why he asked you to describe the show? Because he knew he'd get a plug?
Oh my God. It works. Yes, you see, it works.
He's a master.
But you've had some proper experts on the show as well talking about computer security.
Almost every episode we've got experts talking about very interesting stories, lots of human stories. I like the human side of cybersecurity.
Well, I have quite a few stories about Graham, real ones.
Whoa, whoa, whoa, whoa, whoa.
So maybe we should talk.
No time for that. No time for that. Carole, what's coming up on this week's show? And don't mention anything like that.
We have a fab story lineup for you guys today. Thanks to the support from our sponsors, Gartner, MetaCompliance, and LastPass. Graham is going to talk turkey about Intercourse. What? I just said this is a fab lineup and you hit us with intercourse.
I wouldn't say hit you with intercourse. I don't think that's the verb I would use.
Right. Right. Yeah, because it's happening in my backyard.
And I've actually solved a global problem and I'm going to run my theory past all of you to test it out. All this and more coming up on this episode of Smashing Security.
So chaps, imagine you have received an email. Not that unusual, obviously. Carole, I've shared with you the text of an email, so maybe you can read it out to me and we will discuss it as though it's just appeared in my inbox.
Okay, I do know it has intercourse in it because I had to introduce the show, so I'm a little— Okay, if I hesitate, people, I have yet another surprise for you, our intercourse video. He's going to educate us There you go. on modern asymmetrical cyber warfare.
Intercourse. So this is the first thing which surprises me, right?
You don't remember making it, no?
Well, exactly. It's like, what? So there's someone who sent me an email saying, "I've got a surprise for you. Here is our, not hers, not theirs.
That's more like it.
This is our intercourse." And who calls it an intercourse video? Did they mean a sex video, I imagine? Right?
Yeah.
You wouldn't necessarily call it an intercourse video, but anyway, let's hear more.
"Yes, you read it right. We had intercourse quite a long time back."
Quite the sexy talker there, isn't it? We had intercourse.
This is like, I am blushing here. Okay, I don't even know what the next bit's going to be.
Who did you have sex with? Richard Nixon? It's just bizarre. Okay.
"And I recorded a video of it. Not just the video. I even saved all your passwords, contact lists, and everything. I did all of this when you were in the bathroom trying to clean yourself."
So a few things here. Firstly—
Why didn't you ask Ran to read this out?
Firstly, what the fuck?
It's better when you read it.
So imagine you were having intercourse, as it's called. If you were having sex with someone, wouldn't you notice as they set up the lights and the microphones and all the rest of it to make this video? But secondly, they say that they've also grabbed our passwords and contacts list and everything. And they actually write, "I did all of this while you were in the bathroom trying to clean yourself." And what is that dirt you're trying to scrape off? And how long does it take you in the bathroom to sort yourself out?
That this other person's like, "Oh, just download all their passwords." I think that we can safely assume that the person who wrote that email didn't have intercourse yet.
Ever in their lives.
Yeah, exactly. I think you're right. They've never had sex, have they?
They read about it.
Yeah, they've read about it. They think, oh, that must take an awfully long time to clean up afterwards.
They've watched some really nasty porn.
It's gone through Google Translate or something like that. So why are they saying all these things? Let's find out some more.
"Trust me, I can fuck up your life if I want to. I'm not an evil individual. It's just that I need some money and I'm certain you can help me with it."
Help you with a few things. Yeah, okay, carry on.
"So here's the non-negotiable deal. You send me $1,500 and I will delete everything I have about you. You will not ever, ever hear from me."
And then they give a bitcoin address. And so this is in many ways a fairly standard sextortion email, right? But there's this unusual angle, which is not that they've hacked into your webcam or detected that you've been visiting porn sites and secretly videoed you as you enjoyed watching these videos.
I have a thought here. Right, okay. So let's say they send this, spam this out to, let's just say random number, 20,000 people.
Okay.
Okay. And let's say what, 1% of them are people that might go, "Possible."
It's possible. Maybe.
"I remember cleaning myself or trying to."
It did take me a long time in the shower. I was there a while.
And if those 1% respond and kind of panic, or 1% of 1%, they're still quids in.
Yeah, exactly. So there will be some people who think, well, I did have the intercourse a long time back. I don't remember who, but there was that strange situation. I mean, I remember I've personally been secretly filmed. I think I may have mentioned this on the show before. Not while— Really?
Yes.
Not while having sex, to the best of my knowledge. It'd be a short movie at that. But no, I've been secretly filmed while on the lavatory inside a restaurant.
Oh, delicious.
A camera came under the cubicle door and started pointing at me. So I've had that experience. So I might— if I'd received an email saying, we filmed you while you were in the bathroom trying to clean yourself up or something like that, then I might have found it more plausible. But I think it's quite unlikely, this particular thing. So they are threatening. They're saying, unless you pay so many bitcoins within one day. As though the average user can find out how to buy bitcoin and arrange all of that within a day. They're saying they will send the video, or the intercourse video as they call it, to all of your contacts. They will leave the DVD with your neighbors. They say, we know where you live, so they're going to pop round with a DVD, put it through the letterbox.
Who has a DVD player now?
Yeah, I guess.
Can't they just stream it on Netflix instead? That is so much more convenient.
You can put it between Miami Vice Season 3 and Miami Vice Season 4 DVDs.
You know, I might just wait for somebody to send me the actual video because then I'll have bragging rights at least.
I mean, yeah, exactly.
Mom, Mom, I finally had sex.
I'm a film star.
I mean, there'd be a lot of techie people who they would never believe this for a second, would they? Because they would simply think, you know, the only time I have had sex was with myself. There's no one else present in the room.
And just last week, Graham, you were talking about people that can be duped by certain scams. That maybe techie people may not fall for, but there seems to be a lot of people out there that do.
Yeah, and I think you're right, Carole, when you said that if this was sent to a huge number of people, there might be one or two unwary or vulnerable people, or—
They read the first line and freak out.
Or people who are just very, very sleazy and slutty, who think, well, nope, it's a fair cop, it might have happened. And so the cost to the bad guy, email a lot of people, is practically zero, right?
Exactly.
But the rewards—
But it is, I mean, would it be more logical to assume that if you claim to have videoed someone who masturbated on, you know, some porn site, you'd get much more potential hits than somebody who was filmed during intercourse with somebody who just sent him an email?
I mean, this is a new area we haven't explored on the show.
Right.
Yeah.
And it's for that reason we're now going to survey our listeners. So if you Well, the only thing—
Send us your videos and we'll do some research.
I suppose the intent of this email is to make it appear that you are being more specifically targeted. They know where you live, they might know your family situation, they may have a personal grudge against you. I mean, yes, it does seem implausible.
There's one dead giveaway that they don't. There's nothing specific in any of the email, right? Show me this video that you talk about.
You know, if you remember, there was a very, very serious attempt at that very thing when, how was that adultery site called?
Ashley Madison.
Ashley Madison, exactly. And after the Ashley Madison hack, people sent out mails to probably the people who were in the database that was siphoned away. And claiming that they either pay and here were their actual details because it was in the database. And I understand that there were lots of people who did pay.
And there were some people who sadly ended up committing suicide. And, you know, obviously families will have broken up. It's absolutely horrific.
So I'm feeling as if I'm bringing your show down. I'm sorry.
Just wait for your story.
Yeah. And we haven't even started yet.
So, Ran, what story have you got for us this week?
Okay, so two days ago, Israel released a video, you know, the kind of generic videos when you— black and white videos where you see a bomb hitting a building and it explodes. You've probably seen hundreds of those in Iraq, whatever. And it turns out this specific building is claimed to be the cyber headquarters of Hamas in Gaza. So I think this needs a bit of an outline of what we're talking about. So very, very briefly, Israel and the Palestinians have been at odds for the last, what year is it? Half a century.
What century is it? You mean? What millennium is it? Yes.
It's a rather old conflict to say the least. And in 2005, Israel pulled out of Gaza and a short time later, Hamas took control of Gaza. And ever since then, people probably heard on the news about occasional conflicts, missiles, etc. And in the background of that military conflict, there's also some sort of cyber warfare conflict going on. Except that in that case, Israel is a major superpower in cybersecurity and Hamas is basically amateurs. So I mean, it's as asymmetrical as it gets, really. And Israel has used every conceivable technology against Hamas, from advanced malware, spyware, tracking cell phones, whatever. But it's very interesting to see from my perspective, I'm not talking here as an Israeli who's got a stake in this, but as somebody who follows cybersecurity. It's very interesting to see how Hamas is kind of adapting to this reality of being, I would say, the David in that specific conflict.
Exactly, I was just going to say that.
Not in the political sense, mind you. Just in the more order of magnitudes in terms of capacity. And they do, they're trying interesting stuff over the years.
That's the thing, isn't it, with cyber attacks is that all you need is a computer and an internet connection at the very basic level. That's much easier for me or someone else to get hold of than it is to get hold of a tank or a fighter jet.
Exactly. And you know what I mean? Most media outlets I saw that referenced that strike two days ago against the Hamas headquarters, the actual building, were claiming that they were trying to paint that bombing as if it's maybe like a new phase in cyber warfare, that there's kind of kinetic warfare after a cyber strike or something like that. And I call bullshit on that because really the way I see it, Israel probably was aiming to take down that specific building for years. And just we had the opportunity right now because we are in the middle of an actual live conflict with missiles flying in every direction. So it doesn't have anything to do with retaliation against any cyberattack from Hamas, as some people probably claimed. And it's, I think, more of a publicity stunt from Israel because, as you said, Graham, everyone, everybody with a computer can actually plan some sort of an attack from their home. Yeah, so actually taking down a building, which is quite "cyber headquarters" in Gaza, it was probably empty if you ask me. Yeah, they probably fled the building a long time prior.
I don't know, but I mean, Israel's Defense Force, they are the ones who've managed to get lots of attention for themselves with this because they tweeted out an image and then later a video was released as well where they painted it very much as, they did paint it as a response to a cyber attack, didn't they? They said there had been an attack against Israel.
But no details.
They haven't given any details. So there was a cyber attack against Israeli targets, as they've said. They said that it was thwarted, and so they managed to actually deflect it, whatever it was, maybe in a denial of service, who knows.
So think about it from the perspective of somebody in Hamas trying to strike one of the most sophisticated armies in the world in terms of cybersecurity. They can't really hack anything, I mean, not military installations or military systems and stuff.
And bomb the headquarters.
They are pretty amateurs in that regard. But what can they do?
And yes, but—
It sounds good, right?
I mean, if it was—
No, I don't think it does. For me, cyber warfare is, whilst there's loads of pains associated with it from all kinds of points of view, it is not actual physical violence, right?
They can target the actual soldiers, the servicemen and women in the military and try to gather intelligence. And what they did in the last few years is use social engineering to try and get young servicemen and women to install compromised applications and use those applications to spy inside military installations around Gaza.
Where people are actually dying.
So the typical scenario would be, say you're a young soldier, a 20-year-old guy, and you're getting a Messenger message, Facebook Messenger, or a WhatsApp conversation from some lovely lady presenting herself as a young immigrant new to Israel, and she's really excited because she got your phone number from her girlfriend or whatever, and you're a brave soldier, whatever. Exactly.
And there seems to be some kind of evolution involved from moving from, you know, kind of beating someone on the head to being able to do it digitally. So it's a sad day we actually have to respond in such a crude way.
Yeah. I mean, if you look at what the, I mean, the actual cyber attacks that Hamas did over the last 3, 4 years, you can see that these are not really cyber attacks in maybe the way.
So what have they been doing?
I mean, you're lonely and you hate— yeah.
And she saw the intercourse video which is going around as well, that's been making the rounds, and she thought that looks quite good, you know.
Yeah, yeah, why not? Why not? I mean, I was in the Israeli military, and I've got to tell you I can tell you from personal experience, the minute somebody puts your uniform on, you become hungry, tired, and horny. Not in that specific order.
I think now you're 43, Ran, you should really take the uniform off. I think you're pushing it a bit to still be strutting around.
It looks good with the ladies.
And I understand the attraction of that specific attack. And I mean, there were probably hundreds of soldiers who installed these spyware applications and the applications themselves were related to stuff that interests young people like soccer, World Cup, dating, fitness, whatever. I mean, it's a generic, it was used, generic tools that anybody can create simple applications. It's not that difficult. And once the victim installed that application, now Hamas could turn on cameras, microphones, whatever inside military installation, it probably gave some sort of intelligence. It seems like a good idea.
So it seems like cyber training is required for the actual young personnel upon entry to the military to help deflect this kind of stuff?
Exactly. So in response, the military started a public campaign to raise awareness in soldiers, and it was called Operation Broken Heart. They got good names. They give good names to it.
Yeah, good names. Yeah.
So that's one aspect of what Hamas is doing. And the other aspect is more enlisting help from sympathizers from around the world. Many of them kind of fuzzily related to the Anonymous movement. And each year around, actually this time of the year, they commence some sort of coordinated attacks against Israeli websites, governmental websites, media outlets, whatever. DDoSing, defacements. Actually, there was just a few days back, early this month, we had one of these attacks. It was called Operation Jerusalem. And I think the attackers defaced around a million web pages in Israel. Quite a lot. And it was really smartly done. They targeted an accessibility plugin that is used by many Israeli websites. And the hackers broke into the DNS record of the company which makes the plugin. And since it is one single plugin and it injects JavaScript code into almost every major website in Israel, the attackers were able to deface tens of thousands of websites.
So the hackers only had to compromise one piece of code which was being used by many, many websites. It's effectively a supply chain attack.
Exactly.
So smart. I mean, this is really smart. Actually, the real objective of that attack was not defacement, but was installing ransomware on all the visitors of the websites. And imagine to yourself for a second if that attack really came through and they were able to inject ransomware code into tens of thousands of websites in Israel. I mean, half the population's PC computers would probably be ransomed in some way, except that they had a bug in the code. There was some broken if condition somewhere in the code and it didn't work. But it was rather daring. I mean, if it did go through, it could have been a very annoying attack.
If it had happened, can you imagine? Can you just imagine how smug all those Apple Mac users would have been? That would have been vile, wouldn't it?
Exactly.
They would all put on their turtlenecks, get their flat whites out. Drink their macchiatos.
Yeah.
No, we've moved on now. It's flat whites.
Fantastic. Carole, what's your story for us this week?
I couldn't have wished for a better handover, Ran. This is, of course, an equally terrifying and upsetting story, especially for those of you out there who are not inclusive or welcoming of our brothers and sisters afflicted with Tourette's. Fucking seriously, get woke, people. Actually, it's even bigger problem than that. This could be seen as a veritable nightmare for any technophile clean freak who is not very cozy with swearing, fulminations, profanities, or expletives. Now, as the self-appointed CEO of the body advocating lewd language and signs, I swear a lot in this show. We all know that. And I think we could say that I do fight intolerance to colorful castigations, right? And I want us to abandon this dogmatic and outdated mindset. Screw the swearing naysayers, I say.
So have you swallowed a thesaurus? What's going on here?
I propose that this young hacker— I'm going to introduce him in a second.
Oh, yes.
May just have stumbled upon an exquisitely simple solution that resolves this global pandemic of no swearing allowed. So this young hacker is an internet celeb-ish guy who seems to hack devices in fun ways for the pure entertainment of his followers. Now, his channel, Michael Reeves, has well over 1.5 million subscribers, and he has 120,000 followers on Twitter. And his banner on Twitter says, "I like to hack things." So I'm just giving you a kind of visual here. So no small potatoes, right? 1,000 followers.
Yeah.
And on his channel, he has videos like a robot that picks tomatoes out of your salad.
Only tomatoes?
Alright, let's hear it.
Yeah. If you want to take a quick look at that link, I've even timed it for you so you can just see it in action for 10 seconds.
Okay. Okay, let's just check this out. Sounds very useful for some people.
If you hate tomatoes.
I love them.
So it's not working for me. Oh, there is a little bit of collateral damage, isn't there? Of course, by this thing.
Yeah.
He has another video, which is a robot that shoots an energy drink at you when you get tired. And I've also lined that one up appropriately for you guys if you want to take a look.
Alright. Oh, he's— oh my goodness. That's a bit like—
He's rather young, this guy.
A bit like having a visit from the Israeli army, that actually, isn't it?
See, that's what I was saying. Equally terrifying. Terrifying.
He's got a lot of time on his hands.
Yes.
So his videos are around 10 minutes long. So, you know, shortish. And they tend to show a little about how he hacks said device to make his wacky inventions, right? And people seem to love it. Now, personally, I've watched a few of his videos and I find his on-screen persona incredibly annoying and smug. And the thing is, as you say, Ran, he is just a kid, one that thought it was clever to use an old Tide pod container. Did you notice that in that energy drink video, he's actually using an old Tide Pod container to hold the fizzy energy drink? So ha fucking ha.
I don't get that. What's that mean?
About a few years ago, kids were actually daring each other to chew the pod. It was the challenge.
The challenge.
And that's like washing.
Yeah, the washing thing. Yeah.
Okay.
Anyway, he was making a reference to a very uncool meme as far as I'm concerned. Anyway, in a video that he uploaded on the weekend, Mike Reeves decides to hack a Roomba, those little automated vacuumy things. And using a Raspberry Pi, a Bluetooth speaker, and some voice recordings, he does a little jiggery-pokery so that the Roomba, while it's doing its cleaning things and bumping into things as it does, like a table leg or a sofa or wall, it swears its butt off.
Alright, yes, so you basically lock someone up with a great big hairy spider and then you say, look, you're over spider phobia, arachnophobia, rubber.
Okay, okay.
Now in a Karolery video, he tests out this hacked Roomba in a kind of dinner setting. So let me set the scene. You got three roommates, they're all eating together while the Roomba crashes around their feet howling expletives. Take a listen: "Oh, why was that created this way?" How likely would you be to adopt this into your household? This is hilarious.
Yes, yes, exactly. It's like it's really stubbed its toe.
Exactly. So he's basically—
Sounds like me.
It's quite fun. So today, Tuesday, on the day of recording, there's a few select tech media that have picked up and reported on this guy. So you've got Next Web, Fast Company, those kind of guys. And I expect by the time we publish on Wednesday at midnight, this will be a much bigger story. It has all the hallmarks of going viral. Anyway, back to me and my idea.
Good. I want that Roomba. I want that Roomba. I'll buy it.
Yes, right? Listen to my theory. As CEO of the BALLS, let me explain.
Sorry.
What? Body Advocating Lewd Language and Science.
Oh, okay.
Yeah.
Yeah.
Let me explain how this will help me finally end the resistance to swearing. So there's this German expert. I can't remember his name, but he showed that one way to get people over serious aversions that they suffer from is to basically lock them in with it for as long as possible until the panic and this fear subsides completely. Say you were afraid of birds, crazy afraid.
Yes.
This guy would cure you by locking you in an aviary for hours on end. And you would scream and freak out and panic and probably have one, two, ten panic attacks, but then your body would realize that your "I am dying" panic can't be trusted, right? So it stops panicking. Boom.
So you're either healed or you go nuts.
Yep, 50/50.
My wife has a friend who has an aversion to canned sauces, so her idea of being locked in a pantry or something would be—
You'd bring her to Tesco's, right? Yes, my theory is this: we need to wire up some sweary Roombas, place them in the houses of all those intolerant folks out there, and the barrage of sweary insults will indeed, after a while, make them immune to swearing. Or Aldi or something. They won't care anymore, and I've met my mission.
That's a start. That's a startup.
TM Carole Theriault.
Yeah. We can make more versions of this Roomba. You know, Canadian version: when the robot hits something, it apologizes.
Yeah, Quebec one, Carlis, you could say.
So Carole, when at the start of today's show, you said you were going to change the world for the better.
Yeah.
You are going to make people less intolerant of bad language by surrounding them with foul-speaking Roombas.
And people with Tourette's and people that are afflicted with bad language as well.
Okay.
Right?
Okay.
Tolerance is a great thing, wouldn't you agree, Ran?
Yeah, actually it reminds me of that robot in The Hitchhiker's Guide to the Galaxy. Marvin?
He's got this horrible pain down the diodes on his left-hand side. It's massive, I'll tell you. All the big security vendors are going to be there.
Yes.
Exactly. Exactly. So now we've got that. I mean, science fiction is being realized. Not in the exact ways we thought it will.
They're going to be talking about cyberattacks, artificial intelligence, blockchain, machine learning, and much more. It's all taking place between June 17th, 18th and 19th at the Gaylord National Convention Center in National Harbor, Maryland.
Exactly. Together we can end the tyranny against swearing.
Frankly, who needs to fight climate change, right? So I'd really recommend that if you are a CISO, IT security and risk professional, you probably want to go to the Gartner Security and Risk Management Summit.
Exactly.
Who needs to do that? I think get your priorities right.
We've got bigger issues at hand right now, people.
Good.
Good. Let's go to Pick of the Week, for instance.
Very good, Carole.
Thank you very much.
Yes.
We are supported this week by Gartner. Gartner is the world's leading research and advisory company, and they are having a big event.
And listen up, listeners, you can receive $350 off the registration fee by using the code SMASHING with a G. To learn more, visit smashingsecurity.com/gartner. We are also sponsored this week by our friends at LastPass. Now, Graham, isn't it something like 90% of security breaches involve a stolen password or a poor password?
Yeah, stolen passwords, poorly chosen passwords, reused passwords. Passwords are really sort of the hinge pin of so many security attacks which happen, which means that you probably want an enterprise password manager like the one offered by LastPass.
Listeners can learn all about LastPass Enterprise at lastpass.com/smashing. You don't have to say forward slash, by the way, Graham, just say slash. And we are also sponsored by MetaCompliance. Now MetaCompliance make this platform to help you train up all your employees in all things cybersecurity related.
That's right, you can simulate phishing attacks, you can teach them about password safety, all aspects of data security. Go and sign up right now at smashingsecurity.com/metacompliance and you can see because you listen to this podcast. You're a listener to this podcast. Boom.
And welcome back.
And you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week.
And Pick of the Week. Took me a time to get on the wagon.
Yeah. Welcome aboard.
It's the lag. It's the lag.
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily.
Well, shouldn't be.
Hmm.
Doesn't have to be. Now my Pick of the Week is a website. Now I'm sure listeners remember we talked about a website a little while ago called thispersondoesnotexist.com, an extraordinary website which used artificial intelligence to create random computer-generated photos of a fictional person. And these photos were in the main quite convincing.
Yes.
Sometimes they had an extra ear or a mouth in the middle of their forehead or something like that, but many of them didn't look like people who worked in tech support. Many of them actually looked remarkably believable. Some of them I even quite fancied and thought, oh yeah, they're all right.
Actually, it was quite chilly to look at some of these pictures. I mean, they looked so real.
Yeah, yeah. It's just like Second Life, you know, 3.0.
Well, now another site has taken a new spin on things. There is a site called havethyfaked.me. And havethyfaked me asks you to upload your own real photo or point it to a photo on the web, and it will then compare your photo to its collection of over 400,000 fake photos. So you— You all right there, Carole?
So you—
Who's running this?
So you can find—
Where are the privacy legalese? I'm looking on the website. I see nothing.
So you can find out if you have a look-alike.
I'm looking for a picture of you. I'm looking for a picture of you.
I tested it. I haven't uploaded my photograph.
I'm putting your picture up right now.
Well, can you upload Ran's instead? Have you done it, Ran?
Yes, I did. I mean, I'm a serious guy. I try to be on the show, trying to prepare myself. And I've got nobody who looks like me in that estate.
You will now.
I'm either too ugly to be faked or I don't know, maybe probably too ugly.
Geoff Bezos registered this domain. Carole raises a quite reasonable concern, which is what the heck are they going to do with all of these photographs people are uploading? Now, if you do look in the small print, if you do look in the small print, they're obviously aware that people might be concerned. Yes, because this could all be— this could be conveyor belted into some other artificial intelligence machine, or it could be going into some huge conglomerate. And they do say the website automatically deletes uploaded files 3 minutes after uploading and also removes additional information extracted from the photos for facial recognition.
Can we do a Whois? Who's— let's do a Whois.
Oh yes, because that will definitely answer it, won't it? They won't have thought of that one, Carole. But of course, you've only got their word for it, haven't you?
Anyway, they might not have. This is not looking that great so far. Whose word? Philip Wang?
Well, whoever's running the website, whoever you find on the Whois crawl.
That's the name, by Philip Wang. That's all we have.
Is it Philip Wang? Okay. All right.
Okay. I use the picture that is already, I mean, so, my picture is all over the web.
Oh, here come the excuses.
Yeah. I mean, I don't care.
I don't have any privacy at all.
I don't care. My privacy is gone. Gone with the wind. 10 years ago, it was gone already.
Anyway, listeners, over to you. You feel free to upload pictures of yourself or indeed—
Just one co-host here, Carole Theriault, recommends that you just ignore this pick of the week entirely and on to Ran's pick of the week.
I don't care. I thought it was interesting, interesting at least. Ran, what is your pick of the week?
Okay, I'm going to recommend a very interesting YouTube channel called Drugs Lab. It is a Dutch official governmental channel, which is important for our story.
Oh, is it run by the government?
It is run by the government. And in it, there are, I think, three or four young guys in like the mid-20s, and they are trying in front of the camera every conceivable drug there is, from weed in the lowest extremity to cocaine, heroin, all sorts of mushrooms, whatever, in front of the camera.
I love the Dutch.
I do.
I do.
And it's amazing. I mean, the Dutch government apparently has a policy of, I mean, some of the drugs that they are showing are illegal in Holland. So the policy is, okay, we know it's illegal.
No one would surely take illegal drugs though.
There are so many legal drugs, but apparently people... And they must be pretty serious, these illegal drugs, if they're illegal in Holland.
Yeah, I have to say.
Yeah.
Yeah. I mean, it's right. I mean, if you're going to be illegal in Holland, it's going to have to be a very risky drug. But it's very interesting.
I haven't heard of some of these drugs like Kamagra. What is that?
My goodness, Carole. Yeah. Anyway, sorry, carry on.
Yeah.
You've dropped the ball over the years. I think the "gra" is a hint. It's probably something related to Viagra, don't you think?
They actually do stuff while they're high with various drugs, like have sex, visit museums. I love the text. Have a party. And they kind of let you see the real effects of drugs on real people and give you warnings when it's—why it's risky, how to do it properly if you're going to try. And it's so refreshing to see somebody taking drugs, not in the, you know, the approach of don't do it, it's dangerous, but actually trying to explain what the risks are, why it's dangerous, why it can be used sometimes in a more—I mean, if you're using it, how to use it properly. And I think, I mean, my personal take is that it's probably more effective than just saying, no, don't use it.
Because you trust it. You trust it. And that's why it's great.
It kind of turned me off certain kinds of drugs that I'm saying, I'll never—
Like Kamagra?
I don't remember that specific one.
And look at the views, guys. Look at the views. 100,000 views. Hey, listen, Theresa May, if you want to improve your standing in the UK, this is a seriously cool idea.
So I've watched a couple of these videos. Now, the videos that I watched were all in the Dutch language, so I didn't really understand what they were saying.
But they have subtitles.
Ah, and they were still quite entertaining. I actually found it quite—and they're very slickly produced and they're very sort of—
What did you learn, Graham?
Professional presenters. Well, what I found was I found it a little bit like The One Show, a show we have here on BBC TV. But the difference being, of course, that to watch The One Show, you have to be taking drugs yourself to enjoy it. Whereas here, it appears the presenters are the ones taking the drugs. Other than that, it's identical experience.
Do you think you get paid? You're like, look, you need to go on cocaine and we need you there for four hours and you have to do all this personal stuff. A tenner? Sounds good.
Get paid by the government as well. But it does, it does—
Would you do that kind of show? I would never do that.
No.
I mean, so dangerous.
I don't drink more than one cup of tea a day. That's enough for me.
I don't want to get a psychosis because I tried some weird American mushroom. That's not part of my job description. I don't know. Well, that is a great channel.
Yeah. Well done, Holland. Yeah.
Well, it's an interesting approach by the government over there as well, isn't it? I'm not going crazier than that.
Not going to get the edit till tomorrow, Graham. I know what my evening's all about. I'm going to be learning some stuff.
You could be editing all night long, Carole. You'll be fully awake. Carole, what's your pick of the week?
So my pick of the week found its way to me via Reddit. I've been following this sub called Influence Advice for a few months, and I find it really useful and cool. So it links over to the— and forgive my pronunciation here, anyone who wants to help me, that's great— so Kletish website.
Kletish.
So K-L-E-T-I-S-H. S-C-H-E.
Okay.
Right?
Right.
Now, I've given you guys the link there. So basically, it's a kind of collection of articles all about advice on how people try to influence you or you can influence other people. And as someone who studied rhetoric in college, I find it quite interesting. So one, I just pulled out a particular article here just to kind of give you an example here. So, how master manipulators conceal their intentions. So I thought this would be very interesting to read, Graham, right? As you're, you know, adept in the old manipulations, aren't you?
Oh, that's charming.
Well, let's just see if you would— let's just say if you feel this exposes you in any way, okay? So a master manipulator is someone who is patient and bides his or her time. A manipulator's game is one of generating, storing, and not using the power until it's time. And the more skilled the manipulator, the fewer times you're looking to use this power. You're looking to collect, invest, and build.
This sounds so dark side, doesn't it?
Doesn't it? Well, I heard you were from Israel, so I thought this will appeal to you, Ran, right?
We're all on the dark side here.
Exactly. Manipulative individuals tend to use the fact that you may be blind to some aspects of life which you can benefit from. So for example, you might be being really good at work and I might not be doing so well. I might be feeling a little nervous, right, that, Ran, you're doing so well in front of the boss, right? And so I encourage you to go take a holiday, you know, and think it'll be good for your health, and you're looking tired. And I keep doing this because my endgame is to get you out of the race so I can get a bit further ahead with the boss. But you might think, oh, this girl's so caring.
That's manipulation. That's smart.
What drew this to you? What drew you towards this, Carole?
That's evil.
No, no, it's not about becoming—
You've been reading this for months.
It's not about becoming evil.
What are you working on? What are you plotting?
An amazing audio drama, one day. Okay, look, that's one article. Other ones are: why you should analyze live performances, why online anonymity should make you more positive, how to deliver bad news, how to entice people to hurry up.
Yeah, we've been recording for a while. Get a move on, Carole.
I'm done. Okay, seriously, check it out. It's a great resource. Cliché.com website.
There's actually a great book called How to Make Friends and Gain Influence by Dale Carnegie, which sounds, I mean, as evil as maybe this kind of manipulation, but it's actually quite helpful for people with social difficulties and tips for how to feel more natural in conversation. So it can help you if it's used properly.
Hey, I read it. Look at me now.
On that bombshell, I think we've just about wrapped it up. Ran, thank you so much for joining us today. I'm sure lots of our listeners would love to follow you online or find out more.
So probably the best way, the best site to go to is malicious.life. That's our podcast. Lots and lots of interesting episodes from the history of cybersecurity. My Twitter handle is @ranlevi. That's R-A-N-L-E-V-I.
Simples. And you can follow us on Twitter @SmashingSecurity, no G. Twitter wouldn't allow us to have a G. And we've got a community up on Reddit too. You go and join us there. Quickest way to find us is at smashingsecurity.com/reddit. And if you are after a sticker or a t-shirt or a mug, you can also go to our online store where we've got all kinds of goodies. Go to smashingsecurity.com/store.
As always, we're hugely obliged to this week's Smashing Security sponsors: LastPass, Gartner, and MetaCompliance. Their support helps us give you the show for free, so be sure to check out their offers. And of course, fist bumps to all you listeners out there. Thank you for listening, supporting us, and helping us spread the word.
Until next time, cheerio, bye-bye.
Bye-bye, it's been great fun.
Bye-bye. Yay, it has been fun. Do you normally laugh a lot every day in your day-to-day life?
Yeah, I do, I do.
Excellent. You've got to, right? You've got to if you've got missiles overhead.
You know, it always looks more terrifying from the outside. I mean, actually yesterday we had a small event at the offices. I run a podcasting company in Israel and we had an event on the roof and we were kind of happy to be on the roof because then you could see missiles flying. There were actually missiles being fired from Gaza and of course back to Gaza. So we had great view. It sounds, it's dark humor.
Yes.
You were saying? Yes.
Yes. Yes. Very dark.
Dark, very dark.



And what if they were just using a proxy server in that building? This is chilling.
I wouldn't trust anything Israel says. They are known to be liars and often get caught out in their lies sooner or later. Unfortunately, the world doesn't blink an eye to check the authenticity of the report wherever Israel is concerned.
That's because the world – or most of it – blindly supports Israel despite the crimes it commits. Including things that are beyond hypocritical. Their settling removing people from their homes is the same thing as Lebensraum. Disgusting disregard for others and that's exactly what happened to the Jews – and others – during the Second World War. Oh hell anti-Semitism goes back centuries! Israel also uses white phosphorus (or did last I knew). And on the subject of Lebensraum and similar I read not long ago that Israel was evicting people from their homes – including Holocaust survivors! Unbelievable? No. Because of things they've done before. I believe it was also on their Holocaust Memorial Day to make it even worse (that I saw the articles anyway)! I have this vague memory they also in the past called some Holocaust survivors a risk to the state. Let's not forget that their blessed PM is guilty of something that they call out as horrible – revisionism. Telling the lie that Hitler wasn't going to gas the Jews until he talked with a Muslim … Right. First the Nazis just wanted them out of the Reich. There was the famous Madagascar Plan that fell out; there was also the 'leakage' of the ghettos. The Jews weren't even the Nazis' first enemies! Besides it was the 'euthanasia', 'wild euthanasia' and more so Aktion T4 that started the gas experiments. And ironically the first child of the 'euthanasia' programme was actually not targeted by the Nazis but rather a family member saw the suffering (loss of some limbs, deformed other limbs – something like that) and Hitler sent his doctor Karl Brandt to investigate to see if it was true. It was. And this only helped move things forward.
They of course had their own ideals to help here but they also modelled their eugenics programme on the US eugenics programme – that in some states lasted until the 1970s even though the doctors were tried for this (certainly Karl Brandt was and he was executed despite not being a participant in the human experiments in the camps); one American said 'The Germans are beating us at our own game'. But they were even thanked (that is the family thanked the Nazis for the 'euthanasia')! Well of course there is a lot more to it but the point here is that Israel's PM is guilty of revisionism and that is what they say is a euphemism of Holocaust denial which is something they are obviously very very against and consider anti-Semitism to a high degree. So does much of the world where it's illegal to even suggest it (though not in the US). Well you can't have it both ways. Unless of course you are in fact Israel. My theory is that it's because of the fact the entire world didn't care about their plight; England turned down a deal of hostages lest the Nazis would want to unload more Jews upon them [England]. The US went out of its way to prevent many Jews from entering the nation. See also the SS St. Louis that nobody wanted. And then even after the war some Jews were imprisoned. Yet the worst of this all is that even an Israeli historian has admitted that they – Israel – abuse the Holocaust. Shameful. They even have a drone that decides by itself when to shoot itself! They also participate in assassinations.
But there is so much more to it… Let's not forget the Turkish flotilla for yet another example. And going back to settling they even steamrolled over an American girl (as in child) who was there to protest. Says a lot doesn't it? All this in perspective I actually do believe Israel here. Whether or not the story is complete or not I have no doubt that they would bomb buildings of Hamas even if it was on faulty evidence. Whether it was really a cyberattack who can tell without more information? Who can tell with more information? You say unfortunately the world doesn't blink an eye to check the authenticity? Well consider all the UN resolutions that a certain nameless nation always vetoes. Yet it's also known that Israel is guilty of torture. Then again so is that nameless nation. There are heaps of evidence on this. And then there is the very well named website 'If Americans Knew' … They even point out the settling but there is much much more. And that's only on the home page! Look it up on Google – If Americans Knew.
But of course we all know they're completely innocent and don't provoke attacks and don't have any part to play in the conflict! Well so many people of the world believe that anyway.
Nice to see they still have time to make a joke while taking lives.
Hello Graham,
Are you back in Facebook? I had the impression you quit.
Regards,
Alfonso
P.S. As usual, I enjoy your articles
No. I'm not on Facebook. :)
The building may have been used by Hamas; I haven't seen any admission by Hamas that it was. But it most certainly contained the Gaza offices of the Turkish state news agency Anadolu, and it is implied that Anadolu occupied most or even all of the office space in the building. The Turks are taking this as a deliberate Israeli attempt to silence hostile news reporting at a time when Palestinians are staging demonstrations close to the border fence and many are being killed. So, as with most other news stories from the Middle East, don't believe initial reports wherever they come from; and try to corroborate any information being fed to you by checking multiple sources.
https://www.timesofisrael.com/erdogan-blasts-israel-after-turkish-news-agency-in-gaza-bombed/