17-year-old Graham Ivan Clark, of Tampa, Florida, was charged and arrested last week for his alleged role in the Twitter mega-hack which saw celebrity accounts including Bill Gates, Elon Musk, Barack Obama, Joe Biden, and others tweet out a cryptocurrency scam.
A bail hearing for teenager Clark took place at the Thirteenth Judicial Circuit Court of Florida in Tampa yesterday. Virtually, of course. After all, there’s a global pandemic going on.
Which meant that the hearing was held over Zoom.
And, as Brian Krebs reports, that’s where the problems started:
Even before the hearing officially began it was clear that the event would likely be “zoom bombed.” That’s because while participants were muted by default, they were free to unmute their microphones and transmit their own video streams to the channel.
Sure enough, less than a minute had passed before one attendee not party to the case interrupted a discussion between Clark’s attorney and the judge by streaming a live video of himself adjusting his face mask. Just a few minutes later, someone began interjecting loud music.
It became clear that presiding Judge Christopher C. Nash was personally in charge of administering the video hearing when, after roughly 15 seconds worth of random chatter interrupted the prosecution’s response, Nash told participants he was removing the troublemakers as quickly as he could.
Well perhaps unsurprisingly the accused Twitter hacker-Bitcoin thief’s first (virtual) hearing was shut down within 25 minutes due to relentless Zoombombing. (It ended a minute after this when someone screenshared a Porn Hub video.) pic.twitter.com/fGiceq4WfN
— Jen Wieczner (@jenwieczner) August 5, 2020
What could be worse than that? Well….
What transpired a minute later was almost inevitable given the permissive settings of this particular Zoom conference call: Someone streamed a graphic video clip from Pornhub for approximately 15 seconds before Judge Nash abruptly terminated the broadcast.
Some folks shared the offending part of the Zoom call where some porn clips were played on social media. Frankly I’m not that keen to embed it on my website, but if you really must see it here’s a link to a tweet.
Clearly the judge didn’t read our instructions on how to host safer Zoom meetings – which includes instructions on setting “Screen sharing” to “Host only,” having an assistant co-host the call and chuck out any offenders, and not allowing users to unmute themselves.
If anyone is still reading this rather than checking out the tweet, I’ll add that Ars Technica reports that the judge set Graham Clark’s bail at $725,000.
According to lawyers, teenage Clark has $3 million worth of Bitcoin under his control.
For more discussion of how the alleged Twitter hackers were caught, listen to this episode of the “Smashing Security” podcast:
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Hey everybody, it's Carole Theriault here. So this is just a short message to extend extreme thanks and gratitude to our Patreon supporters.
And this week we would like to feature Hades, Nathan, Richard Wade, Tapal Call, Sean Reifschneider, Jamie White, Mark Norman, Teppo Tastic, Gent B, and Roman Busser.
Thank you, all of you. You help make Smashing Security what it is, as all our Patreon supporters do.
If you would like to join our Patreon community, check out deets at smashingsecurity.com/patreon. Now let's get this show on the road.
And this week we would like to feature Hades, Nathan, Richard Wade, Tapal Call, Sean Reifschneider, Jamie White, Mark Norman, Teppo Tastic, Gent B, and Roman Busser.
Thank you, all of you. You help make Smashing Security what it is, as all our Patreon supporters do.
If you would like to join our Patreon community, check out deets at smashingsecurity.com/patreon. Now let's get this show on the road.
By the way, Carole, OG, do you know what OG stands for? No. I can impress you now.
Okay.
Original gangster.
Okay, there you go.
I found that out from my 9-year-old. There's a lot of that kind of lingo going on in our house at the moment.
Whoa, it's so fly out in Oxfordshire, isn't it? Fly, fly with a PH.
Smashing Security, Episode 190: Twitter Hack Arrests, Email Bad Behavior, and Forks Versus Facial Recognition with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, Episode 190. My name's Graham Cluley.
Hello, hello, and welcome to Smashing Security, Episode 190. My name's Graham Cluley.
And I'm Carole Theriault.
And this week we are joined by a regular guest, but also now a published author. It's Geoff White.
Hello, hello, hello. Not quite published. One week to go.
Oh!
Sorry.
Monday 10th, that's the big day.
Yes, yes, yes. It's been a sort of very long pregnancy. A sort of elephantine pregnancy where they just—
Well, it's a frackload of work, isn't it?
It is, it is, yeah. And what has come out of the backside of this elephant is a book called Crime.com.
Indeed.
Are you comparing his book to elephant dung?
No. I hope not, because if I am, then I've got a pile of elephant dung beside my bed right now. I have managed to get my paws on an early copy of it, which I'm really excited by.
I've begun to read it. It's got some good yarns in there, hasn't it, Geoff?
I've begun to read it. It's got some good yarns in there, hasn't it, Geoff?
Yarns is exactly, yes. Basically, this is written for techies, but also the general public. And for the general public, you have to tell them a yarn, you have to spin them a yarn.
And that's, you've spotted it, that's my exact tactic.
And that's, you've spotted it, that's my exact tactic.
Oh, even us techies enjoy a yarn once in a while.
And so it's all stories about cybercrime, the bad guys, the hacking groups, what they've been up to, what they've been doing, how they've been caught in some cases.
And its impact on society as well.
And its impact on society as well.
Exactly that, yes. It goes through the really early days, the hippie hackers of California.
There's this amazing crossover with the hippies and the sort of psychedelic refugees and sort of early hacking culture.
And it goes all the way through to the election manipulation and vote rigging and disinformation stuff of the present day, which I think is sort of cutting-edge type stuff.
So yeah, it's a sort of full survey of the territory.
There's this amazing crossover with the hippies and the sort of psychedelic refugees and sort of early hacking culture.
And it goes all the way through to the election manipulation and vote rigging and disinformation stuff of the present day, which I think is sort of cutting-edge type stuff.
So yeah, it's a sort of full survey of the territory.
Yeah, perfect August read, right?
Now, Geoff, if our listeners are interested in this but just want a little taster, would you be able to give them a little tease or something?
I think I could see my way clear to that. Yes, I think I could.
In fact, the final chapter, the one that's all about the election hacking and the disinformation stuff, would be a doozy. Let's do that.
In fact, the final chapter, the one that's all about the election hacking and the disinformation stuff, would be a doozy. Let's do that.
So we will put a link in our show notes so you can go and read that final chapter.
For free.
Yes, at smashingsecurity.com/crime.com. When I say crime.com, that hasn't got a dot. That's the word crime.com, like as in Dorothy.
And you'll be able to read the final chapter of Geoff's book. Fantastic.
And you'll be able to read the final chapter of Geoff's book. Fantastic.
And then you're going to love it so much, you're going to race to go buy it.
Indeed.
He'll be too big and important to come on this podcast again, Carole. What's coming up on the show this week?
First, thanks to this week's sponsor, LastPass. Its support helps us give you this show for free.
Now, coming up on today's show, Graham looks at how sexy fox costumes could reveal your privates. Your privates?
Geoff looks at the recent Twitter hack, now that FBI indictments are out. And I look at some of the ways people are trying to combat surveillance tactics.
All this and much more coming up on this episode of Smashing Security.
Now, coming up on today's show, Graham looks at how sexy fox costumes could reveal your privates. Your privates?
Geoff looks at the recent Twitter hack, now that FBI indictments are out. And I look at some of the ways people are trying to combat surveillance tactics.
All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, imagine for a moment that you're interested in checking out a book, maybe. Maybe a book by a celebrated, newly published author.
And you think, oh, I'd love to find out more about that book. I'll visit an online bookshop. But then you change your mind. Maybe you're distracted by something else, right?
And then maybe half an hour, an hour later, you receive an email saying, hey, we saw you visited our website. How would you feel?
And you think, oh, I'd love to find out more about that book. I'll visit an online bookshop. But then you change your mind. Maybe you're distracted by something else, right?
And then maybe half an hour, an hour later, you receive an email saying, hey, we saw you visited our website. How would you feel?
What?
So what, have I given them my email address?
Nope.
I haven't logged in or anything like that.
I'm just perusing the shop.
You haven't logged in, you haven't given them your email address, and yet they know you came to their website and they've contacted you via email.
Well, surely, I mean, if Google or Facebook have got a tracking code on the site, then they could tie that together with your email. So all that's technically possible.
In fact, I'm sort of— now you say, I'm kind of surprised that we haven't crossed that Rubicon yet. It's a big— is that happening? Is this a bit—
In fact, I'm sort of— now you say, I'm kind of surprised that we haven't crossed that Rubicon yet. It's a big— is that happening? Is this a bit—
Well, imagine this. Imagine you have a particularly niche porn interest. Maybe you're a bit of a furvert on the side. And you decide to go and visit. Wait, what's that? Furverts.
You thought you'd throw that in as though—
Explain what you mean, Graham.
What's a furvert? I am reliably informed that furverts are people who like dressing up as furry animals, like mascots at a football game.
And they get their kicks from these sort of things.
And they get their kicks from these sort of things.
I wonder if I should make an outfit that looks like my husband because he's quite hairy.
I think you must be a secret furvert.
I can't figure out what would be more disturbing, Paul, if he found that attractive or unattractive.
So imagine you visit this site. Okay. And you get your fill of whatever it is you want. And then you receive an email saying, "Hey, see, you are a bit of a pervert." And again—
But what, it throws it back in your face?
Well, or says, "We've got even more of that kind of stuff.
Why don't you come back sometime?" If you had never given them your email address, you're gonna be rather disturbed, right?
Why don't you come back sometime?" If you had never given them your email address, you're gonna be rather disturbed, right?
Yes, considerably.
And also, of course, if someone's got your email address and you never gave it to them, there's the potential for doxing or blackmail or who knows what.
You better tell me how they got our email addresses.
Okay. There's a fascinating article on Jezebel. And Jezebel has written about an outfit called Get Emails, a startup. They claim to be the all-new audience growth tool for publishers.
And they say they can convert—
And they say they can convert—
Listen up, Geoff White.
They say they can convert anonymous website visitors into names, email addresses, and even their home addresses.
Boom!
What? And I know—
Book sales sorted!
Post them out.
You may need to write another chapter, Geoff. Incredibly, they claim they can do this for around about a third of all US web traffic.
Jeez. Okay, well, their claims are impressive.
Well, okay, let's look a little bit more into this. They say that their service is already being used by— do you know that chap Tucker Carlson? On Fox News.
Dweeb.
Well, he is one of the founders of a website, quite right-wing website, surprise you, won't it, called The Daily Caller.
Oh, yes.
And that is one of the sites which is using exactly this technology right now. So potentially, someone could find out if you're partial to particular political views as well.
I don't understand. I'm sorry, you've lost me. Okay. So how is The Daily Caller, this website, run by Tucker Carlson taking advantage of this technology?
So they are a customer of this firm called GetEmails.
Okay.
GetEmails is run by a guy called Adam Robinson.
Right.
He's a former Lehman Brothers employee and his girlfriend Helen Sharp. And they've actually put together a video where they explain how their thing works.
You can go and check that out on YouTube. I'll put in a link, but I can explain it in very simple terms.
You can go and check that out on YouTube. I'll put in a link, but I can explain it in very simple terms.
Yeah, how does this all work?
Most importantly. Right. Okay. So there are lots of scammy kind of websites on the internet.
No!
I know, it's a shock. So there are websites which will claim, oh, we can get you better health insurance, or we can get you better car insurance.
Just enter all your details here and we will go away and find an answer for you, right?
And what you don't do when you fill out those, or what most people don't do, is they don't read all the terms and conditions and the privacy agreement.
Just enter all your details here and we will go away and find an answer for you, right?
And what you don't do when you fill out those, or what most people don't do, is they don't read all the terms and conditions and the privacy agreement.
The thing you mock me about every week when I read through.
Well, exactly. You're one of the unusual people who actually does that, Carole.
But those sites will gather all that information, and they're not really set up to sell you health insurance and car insurance.
They might do that sometimes or refer you, but what they're really doing is creating a huge database of people's contact details.
But those sites will gather all that information, and they're not really set up to sell you health insurance and car insurance.
They might do that sometimes or refer you, but what they're really doing is creating a huge database of people's contact details.
Okay. And they are then selling those to people. And that is all apparently legal because people chose to give their information and they agreed to the terms and conditions.
To be marketed at, presumably.
Yeah.
I've always thought those sites, you know, insurance compare sites or mortgage compare sites. I think that's exactly what a lot of them are doing.
Yeah, I think some of them are legitimate and they're getting a cut of the deals.
But they say, we are sharing this with interested parties on purpose to get you the numbers you want, right?
They have to share that information with third parties and they don't have to give you a list, you know, here are the exact people we're doing, because it's changing all the time.
And some of them might be, you know, very bona fide companies and some might be shady.
They have to share that information with third parties and they don't have to give you a list, you know, here are the exact people we're doing, because it's changing all the time.
And some of them might be, you know, very bona fide companies and some might be shady.
Well, one of the companies which is buying this kind of information is this company GetEmails.
And what they've done is they've generated MD5 hashes, so a checksum for all of those email addresses.
And they reckon they've got around about half a billion now, and they're adding about 1 million more every day.
And they say they've also partnered with mailing lists firms so that when folks click on a link in a newsletter and go to a website, a cookie can be set on their computer containing that MD5 checksum for their email address on their computer.
And so what they're able to do is when you go to the Daily Caller website or another website which is running GetEmails' script, they can compare the hash in the checksum to the hash in GetEmails' database, which they've gathered from all of these sites around the world.
And they've got all your other information which you filled in on that form.
And what they've done is they've generated MD5 hashes, so a checksum for all of those email addresses.
And they reckon they've got around about half a billion now, and they're adding about 1 million more every day.
And they say they've also partnered with mailing lists firms so that when folks click on a link in a newsletter and go to a website, a cookie can be set on their computer containing that MD5 checksum for their email address on their computer.
And so what they're able to do is when you go to the Daily Caller website or another website which is running GetEmails' script, they can compare the hash in the checksum to the hash in GetEmails' database, which they've gathered from all of these sites around the world.
And they've got all your other information which you filled in on that form.
Yeah, that's really interesting.
So I don't know, it's interesting because US law is obviously different to UK and European law, but there's just all sorts of legal issues with this.
The idea is, you know, you give over the information for a particular purpose, you know, to get better car insurance, for example.
The question would be, if I insert a clause saying, yeah, you're after better car insurance, but by the way, I'm going to keep your details handy and use it for this marketing exercise, possibly you've got my consent.
But if it's just a kind of enter here for car insurance, and in some way in the terms and conditions is a vague reference to being marketed at, I'm not sure what the UK and European rules would make of that, because it sounds like they're getting information for one purpose, but then using it for a slightly, well, quite different but slightly related purpose.
I don't know.
So I don't know, it's interesting because US law is obviously different to UK and European law, but there's just all sorts of legal issues with this.
The idea is, you know, you give over the information for a particular purpose, you know, to get better car insurance, for example.
The question would be, if I insert a clause saying, yeah, you're after better car insurance, but by the way, I'm going to keep your details handy and use it for this marketing exercise, possibly you've got my consent.
But if it's just a kind of enter here for car insurance, and in some way in the terms and conditions is a vague reference to being marketed at, I'm not sure what the UK and European rules would make of that, because it sounds like they're getting information for one purpose, but then using it for a slightly, well, quite different but slightly related purpose.
I don't know.
Yeah, that's gonna be my question. GDPR.
You've put your finger on a very important point, and GetEmails admit that this isn't legal in Canada, it isn't legal in Europe, but it's 100% compliant with the US CAN-SPAM Act.
Oh, God bless America.
Under US law, you can send people unsolicited emails as long as you give them an opt-out at the bottom.
And they claim that all this collection of data is perfectly legitimate, and that's how they're doing it.
And they claim that all this collection of data is perfectly legitimate, and that's how they're doing it.
See, I don't understand how this works, because I know that each state has its own privacy act that they employ.
Some of them are pretty strict, the California one, and some are really, really weak.
I don't understand whether the federal act supersedes those, or, you know, just because it may fit in with the federal act doesn't mean they comply with California's Privacy Act.
And what happens then?
Some of them are pretty strict, the California one, and some are really, really weak.
I don't understand whether the federal act supersedes those, or, you know, just because it may fit in with the federal act doesn't mean they comply with California's Privacy Act.
And what happens then?
I don't know either. But all I can tell you is that Get—
You just say, interesting question.
Interesting question, Carole, which maybe should get examined on another day. But GetEmails, they claim they're 100% legal for US consumers to do this.
And if you go to their website, you find out it's not just the Daily Caller. There's also a fake news site called Western Journal. There's a trade publication focusing on stocks.
There's a testimonial from a company called Newswire.com, which puts out press releases.
They reckon within 60 seconds of putting the code on their website, they were getting hundreds of new contacts sent back to them. And you can see a legitimate need.
And if you go to their website, you find out it's not just the Daily Caller. There's also a fake news site called Western Journal. There's a trade publication focusing on stocks.
There's a testimonial from a company called Newswire.com, which puts out press releases.
They reckon within 60 seconds of putting the code on their website, they were getting hundreds of new contacts sent back to them. And you can see a legitimate need.
I mean, I would flip out.
Well, wouldn't you? Exactly. If you got an email, you'd think, how many emails would I get?
Yeah, about it.
Well, you'd have to have a weekly digest, wouldn't you? You went to Furry Friends, then Furverts, then Pussycats.
It's basically spam.
Yeah. But it's interesting, you know, as you've described it, I was thinking, well, how's this working? I thought, well, of course, it's obvious technically how it can work.
And why haven't we— why has nobody tried to cross this Rubicon before? Obviously, in the UK and Europe, it doesn't sound like it'd be legal.
But it makes perfect sense, you know, linking the cookie to the actual email address.
And why haven't we— why has nobody tried to cross this Rubicon before? Obviously, in the UK and Europe, it doesn't sound like it'd be legal.
But it makes perfect sense, you know, linking the cookie to the actual email address.
Is that difficult? Well, I'm not convinced.
Just because they say they are 100% operating completely legally and are 100% compliant with US CAN-SPAM Act and every other federal law and state law, well, prove it.
Just because they say they are 100% operating completely legally and are 100% compliant with US CAN-SPAM Act and every other federal law and state law, well, prove it.
But how is this different to the model of Facebook where if I visit a website and Facebook's code's on it and I then go to my Facebook page, the website that I visited that's got the Facebook code in it will then throw adverts at me on Facebook.
Yeah, that's right.
So to a certain extent, it's similar.
It is similar.
Yes, but they're not sending you a private message on email. You know, they're not kind of—
It is similar to what Facebook is doing. It's somehow a little bit more intrusive and a little bit more creepy, maybe just because we've just got used to Facebook acting like that.
I don't know.
The curious thing is these guys who are running the company, Adam and Helen and his girlfriend, Adam Robinson and his girlfriend Helen Sharp, they seem to be reveling in the slight grubbiness of their operations.
So they always address the legality issue and they say, yeah, it is a bit creepy. It is a bit weird, but it's 100% legal. And I even found a video.
So they've been making these short little videos in their homes, in their kitchen and wherever else, promoting their service.
And I think they're trying to be as outrageous as possible. Maybe this is why they initially contacted Jezebel, asking Jezebel if they wanted the service.
I don't know.
The curious thing is these guys who are running the company, Adam and Helen and his girlfriend, Adam Robinson and his girlfriend Helen Sharp, they seem to be reveling in the slight grubbiness of their operations.
So they always address the legality issue and they say, yeah, it is a bit creepy. It is a bit weird, but it's 100% legal. And I even found a video.
So they've been making these short little videos in their homes, in their kitchen and wherever else, promoting their service.
And I think they're trying to be as outrageous as possible. Maybe this is why they initially contacted Jezebel, asking Jezebel if they wanted the service.
And then you covered it.
Was knowing that they would cover it. And we've just covered it as well. Well, you. Well, yeah. Yes. Okay.
But one of the videos which I'm now going to drive traffic to, for instance, is one where Helen is calling Adam a very, very naughty boy.
But one of the videos which I'm now going to drive traffic to, for instance, is one where Helen is calling Adam a very, very naughty boy.
So tell me, bad, bad boy, what does Gaymails do?
You put our script on your website and we identify 35% of your anonymous traffic and we give you email addresses you don't have on your list yet in real time.
Oh, that's so violating of people's privacy.
It's 100% CAN-SPAM compliant and CCPA compliant. It's totally legal in the USA.
Oh, that's so bad. Tell me more.
We send records directly to your email marketing account so you can get people back to your website. It's under 20% of the cost of getting an email any other way.
Click through to learn more. Click through to learn more.
Maybe you want to check that out, and then you'll get a sense of what these two are like. Click on the link.
What, me?
It's better than watching a Fervor video, girl.
And he used to work where?
Lehman Brothers.
Oh, of course. Well known for their high ethical standards, as I remember.
So if they're not calling each other very, very naughty, bad, bad boys for what they're doing, and some of the videos are quite funny, but they're obviously designed to provoke a reaction and try and get their name out there as much as possible.
There's some other ones where she dresses up as a sexy fox.
There's some other ones where she dresses up as a sexy fox.
Graham, this is not The Sun.
What?
Smashing Security is not— isn't— what, were you trying to bring The Sun?
I'm not saying it's The Sun. It's an important, serious topic, this, Carole.
Okay, why? Tell me why it's important and serious.
Because I don't think people are aware that companies are able to get so much personal information, which they never gave those websites.
Oh, and this is just the fun factor now, kind of going back and forth.
This is the thing that they're doing to get people to sign up with them, and more and more companies are beginning to sign up with them.
Mm-hmm. Well, I'm sure they're going to send you a thank you hamper for mentioning them on the show and helping build their credibility.
This week's sponsors, getting announced. So Geoff, what have you got for us this week?
I'm just increasingly intrigued by the Twitter hack. I was intrigued when it happened.
Happened, obviously.
And now we've had two complaints come out from the FBI and three people charged in the US, including one person who comes from the UK but is charged in the US.
And it's just the detail in the criminal complaints is fascinating.
And it's just the detail in the criminal complaints is fascinating.
I'm so glad you're covering this because I've not followed the story this week at all.
When it happened, frankly, okay, you've got access, seemingly backend access to Twitter. That's a huge amount of power.
And whoever did it used it for a fairly crap bitcoin get-rich-quick scheme. And as soon as I saw that, I thought, oh God, bitcoin get-rich-quick scheme using Twitter hacks.
This is going to be youngsters. And so when the arrests came out, the charges came out, they are 17, 18, and 22, I think, from memory.
And I thought, oh, that's skewing a bit old for what I thought was going to happen.
People don't realize there's this whole community of Twitter hackers, and it's like kids who are just obsessed with personalized number plates on their cars, and they trade for thousands of dollars these accounts, particularly what are called OG accounts.
So like "@123" or "@xyz" or "@abc." But it's weird to describe because, as I say, the trade around this is really, really febrile.
And also, because a lot of it's teenagers, they're all doxing each other and trying to hack each other's accounts.
And when one of them pays one for the account, it doesn't come through, they blaze them on Twitter. There's all this stuff going on.
So as soon as I saw Twitter and bitcoin, I thought, "Okay, potentially juvenile culprits here, not exactly organized crime geniuses." So yes, 3 charges have been laid.
The 17-year-old officially can't be named.
The FBI hasn't named them, although they are named elsewhere on the web, weirdly, by the people who are charging that person in Florida, because in Florida a 17-year-old could end up being charged as an adult.
But what's interesting is that inside the criminal complaints is this massive detail which the FBI always put out as to how they actually found these guys.
Okay, yeah, this is obviously subjudice. It's subject to legal proceedings, so these are allegations at the moment. But they followed the breadcrumb trail along.
So there was a Discord chat in which two people were discussing. One person claimed to be an employee of Twitter, and person number two said, "Oh, great.
Can you get me access to these accounts?" And person number one said, "Yes, what's the price?" And they negotiated back and forth.
So very early on, there was this confusion as to whether the Twitter hack was because there was an insider at Twitter, or whether it was somebody had hacked Twitter employees.
And whoever did it used it for a fairly crap bitcoin get-rich-quick scheme. And as soon as I saw that, I thought, oh God, bitcoin get-rich-quick scheme using Twitter hacks.
This is going to be youngsters. And so when the arrests came out, the charges came out, they are 17, 18, and 22, I think, from memory.
And I thought, oh, that's skewing a bit old for what I thought was going to happen.
People don't realize there's this whole community of Twitter hackers, and it's like kids who are just obsessed with personalized number plates on their cars, and they trade for thousands of dollars these accounts, particularly what are called OG accounts.
So like "@123" or "@xyz" or "@abc." But it's weird to describe because, as I say, the trade around this is really, really febrile.
And also, because a lot of it's teenagers, they're all doxing each other and trying to hack each other's accounts.
And when one of them pays one for the account, it doesn't come through, they blaze them on Twitter. There's all this stuff going on.
So as soon as I saw Twitter and bitcoin, I thought, "Okay, potentially juvenile culprits here, not exactly organized crime geniuses." So yes, 3 charges have been laid.
The 17-year-old officially can't be named.
The FBI hasn't named them, although they are named elsewhere on the web, weirdly, by the people who are charging that person in Florida, because in Florida a 17-year-old could end up being charged as an adult.
But what's interesting is that inside the criminal complaints is this massive detail which the FBI always put out as to how they actually found these guys.
Okay, yeah, this is obviously subjudice. It's subject to legal proceedings, so these are allegations at the moment. But they followed the breadcrumb trail along.
So there was a Discord chat in which two people were discussing. One person claimed to be an employee of Twitter, and person number two said, "Oh, great.
Can you get me access to these accounts?" And person number one said, "Yes, what's the price?" And they negotiated back and forth.
So very early on, there was this confusion as to whether the Twitter hack was because there was an insider at Twitter, or whether it was somebody had hacked Twitter employees.
And I think, Graham, you thought that might be the outcome.
It was an early theory, that's right, that there could be an insider who'd either had their account hijacked and their credentials stolen, which I think is what they're now leaning towards.
It makes sense as well.
Or whether it was someone knowingly assisting the hackers.
So looking at this chat, you could understand why a complicit insider was the theory. Twitter obviously have said, no, this was phishing, and seem to be pouring cold water on that.
What's interesting is the FBI have charged the buyer, if you like, of this service, the other side of the chat who was saying, "Hey, can you get me this account?
I'll pay you X amount." But they haven't named the person who claimed to be a Twitter insider. So we don't know whether that person yet is actually a Twitter insider or not.
What's interesting is the FBI have charged the buyer, if you like, of this service, the other side of the chat who was saying, "Hey, can you get me this account?
I'll pay you X amount." But they haven't named the person who claimed to be a Twitter insider. So we don't know whether that person yet is actually a Twitter insider or not.
Interesting. Interesting.
But then what happens is, so the person who's buying the Twitter accounts and buying access to this says, "Oh, here's my bitcoin address." So what's the next step for the FBI?
They find where the wallet address has been set up. It's a cryptocurrency exchange. And they say, well, okay, here's a subpoena. Who set up this wallet address?
And you get through a few more steps. And of course, as anybody who's recently experimented with cryptocurrency, they ask for your passport or your driver's license.
They find where the wallet address has been set up. It's a cryptocurrency exchange. And they say, well, okay, here's a subpoena. Who set up this wallet address?
And you get through a few more steps. And of course, as anybody who's recently experimented with cryptocurrency, they ask for your passport or your driver's license.
Yes.
So sure enough, the cryptocurrency exchange says, oh, here's the driver's license that was used to set up this account.
And that's led to, allegedly led to arrest number one, charge number one.
And that's led to, allegedly led to arrest number one, charge number one.
Which is kind of crazy.
I mean, even though they're teenagers, you would think if you're asked for something like that, if you're setting up a cryptocurrency wallet for criminal purposes, the first thing you do is you probably go and buy—
I mean, even though they're teenagers, you would think if you're asked for something like that, if you're setting up a cryptocurrency wallet for criminal purposes, the first thing you do is you probably go and buy—
Yes.
Some fake ID, right?
A fake passport at the fake passport shop?
Right.
Fake passport to us.
'Cause you're 17?
A, the OPSEC was not exactly spectacularly high the whole way along. B, as Carole points out, they're 17.
But C also, I'm not sure whether this wallet address was originally set up for crime, it was just— And this is the thing, you know, if you look back at the Silk Road case, actually years ago, Ross Ulbricht originally didn't set up his email addresses for criminal purposes.
It's just later on when he was later in the criminal purposes, he reused that early email address.
So remembering what ID you attached to what in the past is actually quite difficult.
But C also, I'm not sure whether this wallet address was originally set up for crime, it was just— And this is the thing, you know, if you look back at the Silk Road case, actually years ago, Ross Ulbricht originally didn't set up his email addresses for criminal purposes.
It's just later on when he was later in the criminal purposes, he reused that early email address.
So remembering what ID you attached to what in the past is actually quite difficult.
Yes.
Other thing that's interesting about this is they start to unravel this. Then there's this issue of, okay, there's a forum called OGUsers.
So OG are these Twitter accounts @123, @abc, and so on.
So OG are these Twitter accounts @123, @abc, and so on.
Right.
By the way, Carole, OG, do you know what OG stands for?
No.
I can impress you now.
Oh gosh.
Okay.
Original gangster.
Boom.
Okay. There you go.
I found that out from my 9-year-old who's very—
You sure he's right?
Yeah, no, I do. I think there's also OP as well as the other one.
What's OP?
Overpowering or something. But there's a lot of that kind of lingo going on in our house at the moment.
Whoa, it's so fly out in Oxfordshire, isn't it? Fly with a PH. Do you spell Oxfordshire with two zeros instead of two O's?
It's Oxford, O-X-P-H-O-R-D.
Classy.
Anyway, so OGUsers is the forum where a lot of these guys hang out trading Twitter accounts.
OGUsers got hacked a while ago, presumably by a rival site, and the database of OGUsers users was leaked. And this includes a lot of stuff, email addresses, IP addresses, and so on.
So the FBI starts sniffing around some of the people who are involved in this Twitter hack, allegedly, and they have a copy of the leaked database.
So they start looking up the users on OGUsers who are involved in this, and they start coming out with email addresses, IP addresses, and so on.
And what I find fascinating is cybercriminals have been hacking into websites and leaking databases for years.
What they haven't sort of realized is they think that they're doing that as a criminal act for other criminals, but now it raises the prospect that the FBI and other law enforcement agencies are using this like a sort of Google search engine.
OGUsers got hacked a while ago, presumably by a rival site, and the database of OGUsers users was leaked. And this includes a lot of stuff, email addresses, IP addresses, and so on.
So the FBI starts sniffing around some of the people who are involved in this Twitter hack, allegedly, and they have a copy of the leaked database.
So they start looking up the users on OGUsers who are involved in this, and they start coming out with email addresses, IP addresses, and so on.
And what I find fascinating is cybercriminals have been hacking into websites and leaking databases for years.
What they haven't sort of realized is they think that they're doing that as a criminal act for other criminals, but now it raises the prospect that the FBI and other law enforcement agencies are using this like a sort of Google search engine.
Yeah.
So when they get a suspect in a case, they can go after them. Amazing.
It is, actually.
They've turned some of the criminals' tools, potentially, allegedly.
The road to good intentions.
Yeah.
No matter what they are, can always flip.
Exactly. But I mean, they made 100 grand, I think, in bitcoin out of this scam, 'cause basically it's—
I can't even believe that, 'cause I'm not surprised they're 17 based on the messages they put out on Twitter.
Graham tried to profess that loads of people fell for it, and I was looking at them going, really?
Graham tried to profess that loads of people fell for it, and I was looking at them going, really?
The original hacks were cryptocurrency exchanges. So I think Binance was one of the Twitter accounts that was affected.
Binance, interesting pronunciation.
We've covered that, Carole, I think.
Just saying. Binance.
Exactly.
Binance. Some people think it's like Beyoncé.
Some people think it was Beyoncé, okay?
I'm not gonna say who. But anyway, so then obviously they end up getting into Barack Obama and all these people.
Obviously, nobody's going to believe Barack Obama's going, hey, I'm into bitcoin now, I'll double your money. I'm a tech god.
Had they stuck with the cryptocurrency exchanges, they might have more luck.
Obviously, nobody's going to believe Barack Obama's going, hey, I'm into bitcoin now, I'll double your money. I'm a tech god.
Had they stuck with the cryptocurrency exchanges, they might have more luck.
Me and my buddy Musky.
But anyway, so this is yet to be heard. Obviously, nobody's guilty until they're proven guilty. So we'll see where this happens.
But I suspect when these youngsters come to court, it'll be— which presumably will happen.
But I suspect when these youngsters come to court, it'll be— which presumably will happen.
They must be bricking themselves.
Well, one of them is based in the UK, isn't he?
Yes, yes, yes.
Yeah, he's in Bognor Regis. Glamorous Bognor Regis.
Oh, Bognor Regis.
And I wonder whether the Americans will want to get their hands on him or not.
Well, BoJo's standing between that, so.
Chlorinated chicken, get emails, and the kid from Bognor Regis.
Those are our three demands.
That's them.
Further emails. Chlorinated chicken and that kid from Bognor Regis.
And then we're done.
Done. Then we're done.
We can sign off. That's it. Carole, what's your story for us this week?
Okay, so we start back in June. Now, in June, IBM made the rather surprising announcement that it would stop selling, researching, or developing facial recognition services.
And we were all like, whoa, that's a big deal. And then Amazon and Microsoft kind of followed similar suit, right?
And this was largely due to pressure related to increased visibility of unwarranted police brutality. So these were all good first steps for these big firms.
But there is a firm here that should be listed and isn't. And that is Clearview AI, a company we've mentioned a number of times on this podcast. But a quick refresher.
So this is a company that has scraped billions of faces off the web from sites like Facebook, Twitter, LinkedIn, Google, et cetera, et cetera, et cetera, and made them available to places like law enforcement.
So any pic of a person you have, you could just drop it into the Clearview AI app and presto, here are all their images of that person that have been scraped.
And we were all like, whoa, that's a big deal. And then Amazon and Microsoft kind of followed similar suit, right?
And this was largely due to pressure related to increased visibility of unwarranted police brutality. So these were all good first steps for these big firms.
But there is a firm here that should be listed and isn't. And that is Clearview AI, a company we've mentioned a number of times on this podcast. But a quick refresher.
So this is a company that has scraped billions of faces off the web from sites like Facebook, Twitter, LinkedIn, Google, et cetera, et cetera, et cetera, and made them available to places like law enforcement.
So any pic of a person you have, you could just drop it into the Clearview AI app and presto, here are all their images of that person that have been scraped.
Yeah.
If you click on one that's LinkedIn, you'll get to their LinkedIn profile. If it's a Facebook one, you go to the Facebook profile.
And it was incredible. It wasn't available on the iPhone App Store, but I know they made it available to some influencers, for instance, in those early days.
Yeah.
And people would show it off in restaurants or things. It's like, oh, you fancy that girl over there? "Let me tell you what her name is." And you take a picture.
I mean, really scary, creepy stuff.
I mean, really scary, creepy stuff.
So I went and looked at their website just to see how they're handling this, right? And you know what their slogan is on the front and center?
Computer vision for safer world, which I don't even know what it means. Computer vision for safer world.
Computer vision for safer world, which I don't even know what it means. Computer vision for safer world.
But anyway.
That's true of most mission statements though. You can't really understand what they're saying.
Yes. Yeah, so they're very strongly pushing. They're saying they're a research tool used by law enforcement agencies to identify perps and victims of crime.
And, you know, it's been— it's helped track down hundreds of at-large criminals, including pedophiles, terrorists, and sex traffickers.
Already I'm really annoyed with the inflammatory language here, right? There's a lot of words that are basically saying without us, you know, the world is going to go to shit.
And you know, you're reading this and you're thinking, I wonder what the Electronic Frontier Foundation, the EFF, think about this. They must be totally on board, right?
So I just put in Clearview AI and EFF to see what would come up.
And the first thing that came up was an article called, "Yet Another Example Why We Need a Ban on Law Enforcement Use of Facial Recognition." So reading on that, there are two big arguments as to why facial recognition is considered scary.
Because some people are thinking, what's the big deal?
In the States, in Canada at least, real estate people, for example, put their actual mugs and their full names on billboards across the city crooning about their real estate prowess, right?
And people on social media, I mean, we all have somewhere where we're publicly billboarding about ourselves. So what's the big deal with the surveillance aspect?
So the two big arguments, one is that it's gonna disrupt relationships between enforcers and communities.
And I think we can all look and see the disruptions that have happened in the States in the last few months and see that that is indeed happening.
And imagine women who are outside in public and they could get snapped and cyberstalked by someone with this app, just go tappity tap tap tap on their phone.
And, you know, it's been— it's helped track down hundreds of at-large criminals, including pedophiles, terrorists, and sex traffickers.
Already I'm really annoyed with the inflammatory language here, right? There's a lot of words that are basically saying without us, you know, the world is going to go to shit.
And you know, you're reading this and you're thinking, I wonder what the Electronic Frontier Foundation, the EFF, think about this. They must be totally on board, right?
So I just put in Clearview AI and EFF to see what would come up.
And the first thing that came up was an article called, "Yet Another Example Why We Need a Ban on Law Enforcement Use of Facial Recognition." So reading on that, there are two big arguments as to why facial recognition is considered scary.
Because some people are thinking, what's the big deal?
In the States, in Canada at least, real estate people, for example, put their actual mugs and their full names on billboards across the city crooning about their real estate prowess, right?
And people on social media, I mean, we all have somewhere where we're publicly billboarding about ourselves. So what's the big deal with the surveillance aspect?
So the two big arguments, one is that it's gonna disrupt relationships between enforcers and communities.
And I think we can all look and see the disruptions that have happened in the States in the last few months and see that that is indeed happening.
And imagine women who are outside in public and they could get snapped and cyberstalked by someone with this app, just go tappity tap tap tap on their phone.
Yeah, it's very creepy.
The other big argument is that democracy is threatened, right?
There are countless studies that show that people who think the government is eavesdropping or watching them alter their behavior to avoid scrutiny.
So it means people don't speak out because they're afraid of being identified, targeted, hunted down, whatever. So those are the two big kind of camps of argument.
Now, the problem is, it's not just authorities that have access to the software. You mentioned earlier, you know, these rich guys in clubs were using it.
The New York Times did a big exposé on that. But it's companies Macy's and the NBA and that little-known company called Best Buy, right? Why are they using this software?
Ultimately, the main problem here is there's not nearly enough legislative oversight, right? Let alone understanding of its power from our federal authorities.
But there's evidence of people getting fed up with waiting for legislation and they're kind of taking privacy-screwing mass surveillance into their own hands.
Okay, so I've got two that I want to introduce you to.
There are countless studies that show that people who think the government is eavesdropping or watching them alter their behavior to avoid scrutiny.
So it means people don't speak out because they're afraid of being identified, targeted, hunted down, whatever. So those are the two big kind of camps of argument.
Now, the problem is, it's not just authorities that have access to the software. You mentioned earlier, you know, these rich guys in clubs were using it.
The New York Times did a big exposé on that. But it's companies Macy's and the NBA and that little-known company called Best Buy, right? Why are they using this software?
Ultimately, the main problem here is there's not nearly enough legislative oversight, right? Let alone understanding of its power from our federal authorities.
But there's evidence of people getting fed up with waiting for legislation and they're kind of taking privacy-screwing mass surveillance into their own hands.
Okay, so I've got two that I want to introduce you to.
So these are people who, because legislation's taken so long, they're looking for ways to mess up facial recognition?
Not just mess up, but redress the balance of power. Okay, so one is something that the EFF put together called the Atlas of Surveillance.
Okay, and this is a database of surveillance technologies across the US.
And just this week, this Atlas of Surveillance has been updated to include searchable— it's a searchable interactive database.
And you can now see which cops are using body cameras, drones, automated license plate readers, Ring Neighbors app, camera registries.
I don't know, if you looked in your neighborhood, either of you, right, and you saw that the cops were using all these kind of facial recognition-y software and predictive policing measures, would you feel happy?
Okay, and this is a database of surveillance technologies across the US.
And just this week, this Atlas of Surveillance has been updated to include searchable— it's a searchable interactive database.
And you can now see which cops are using body cameras, drones, automated license plate readers, Ring Neighbors app, camera registries.
I don't know, if you looked in your neighborhood, either of you, right, and you saw that the cops were using all these kind of facial recognition-y software and predictive policing measures, would you feel happy?
In a word, no. But anybody who's seen my previous output on facial recognition won't be surprised by that answer, yeah.
Yeah, I was about to say, you've been quite outspoken on this, haven't you, in the past, Geoff?
I created a website called facialrecognitionmap.com. Which is an online record of all, you know, as far as I know, all the facial recognition uses going on in the UK.
And I just find with this, you know, when Facebook was formed and we all merrily uploaded our pictures to our Facebook profiles, it just shows you the unintended consequences that come down the line.
You say, oh, what's the problem, what's the problem?
And then suddenly it's like, well, yes, you can basically be snapped in the street and somebody can stalk you and find out, you know, what your name is and where you live and who your friends are.
Just by pointing a phone at you. That's actually a genuine potential consequence now. So yeah, it's fascinating.
And I just find with this, you know, when Facebook was formed and we all merrily uploaded our pictures to our Facebook profiles, it just shows you the unintended consequences that come down the line.
You say, oh, what's the problem, what's the problem?
And then suddenly it's like, well, yes, you can basically be snapped in the street and somebody can stalk you and find out, you know, what your name is and where you live and who your friends are.
Just by pointing a phone at you. That's actually a genuine potential consequence now. So yeah, it's fascinating.
It is.
One of the findings from this Atlas of Surveillance was the US had 130 law enforcement tech hubs that are able to process real-time surveillance data. That's kind of scary, eh?
If you're thinking you're in a neighborhood in the States, you want to know what cops are doing or you want to know what the authorities are doing, this is a good site to go and find out what your local cops are up to.
Here's another wackier approach, okay? It's called an image cloaking device. They called it Fawkes after Guy Fawkes.
And this comes from a recently published paper from the University of Chicago, okay? So here's the gist.
If you're thinking you're in a neighborhood in the States, you want to know what cops are doing or you want to know what the authorities are doing, this is a good site to go and find out what your local cops are up to.
Here's another wackier approach, okay? It's called an image cloaking device. They called it Fawkes after Guy Fawkes.
And this comes from a recently published paper from the University of Chicago, okay? So here's the gist.
Is it a balaclava?
It's so great. It's so great.
Okay.
Okay. At a high level, Fawkes takes your personal images and makes tiny pixel-level changes that are invisible to the human eye in a process they call image cloaking.
Okay, so you can use these cloaked photos as you normally would. You share them with your friends, put them on social, print them, whatever.
And you just use them like you would any other photo.
The difference, however, is that when someone tries to use these photos to build a facial recognition model, the cloaked images will teach the model a highly distorted version of what it thinks you look like.
And they claim it's 100% effective.
Okay, so you can use these cloaked photos as you normally would. You share them with your friends, put them on social, print them, whatever.
And you just use them like you would any other photo.
The difference, however, is that when someone tries to use these photos to build a facial recognition model, the cloaked images will teach the model a highly distorted version of what it thinks you look like.
And they claim it's 100% effective.
So the photos still look like you?
Okay, that is a very good— oh, so I was thinking, you know, we could take tiny little bits of Piers Morgan, right?
Tiny little bits of him and put his little pixels into your face. Maybe a few Thom Hanks, right?
Tiny little bits of him and put his little pixels into your face. Maybe a few Thom Hanks, right?
We're both quite poor. Oh, don't bring Thom into it.
Okay, so New York Times journo Kashmir Hill wrote about this. She tested it. So she goes to test the tool.
All right.
I asked the team to cloak some images of me and my family.
I then uploaded the originals and the cloaked images to my Facebook to see if I fooled the social network's facial recognition system. It worked.
Facebook tagged me in the original photo, but it did not recognize me in the cloaked version. However, the changes to the photo were noticeable to the naked eye.
In the altered image, I look ghoulish. My 3-year-old daughter sprouted what looked like facial hair, and my husband appeared to have a black eye.
Now apparently later on in the article they talk about how they really amped it all the way up just to make sure it would work completely for her stuff.
But still, there's an issue, right?
I then uploaded the originals and the cloaked images to my Facebook to see if I fooled the social network's facial recognition system. It worked.
Facebook tagged me in the original photo, but it did not recognize me in the cloaked version. However, the changes to the photo were noticeable to the naked eye.
In the altered image, I look ghoulish. My 3-year-old daughter sprouted what looked like facial hair, and my husband appeared to have a black eye.
Now apparently later on in the article they talk about how they really amped it all the way up just to make sure it would work completely for her stuff.
But still, there's an issue, right?
Just a small one.
Well, yeah, because the whole problem with people sharing stuff on Insta and on Facebook is to look fantastic and have the most perfect life ever.
They don't want to have hair coming out of their eyeballs.
So then the New York Times went to the Clearview CEO, right, to find out what his views are of the Fawkes data poisoning approach.
And he said, there are billions of unmodified photos on the internet, all of them on different domain names.
In practice, it's almost certainly too late to perfect technology like Fawkes and deploy it at scale. And you know what? I think he's probably right. That's why we need legislation.
It's like we've all become celebrities, and the police and corporations are the paparazzi constantly hounding us to turn a dime.
They don't want to have hair coming out of their eyeballs.
So then the New York Times went to the Clearview CEO, right, to find out what his views are of the Fawkes data poisoning approach.
And he said, there are billions of unmodified photos on the internet, all of them on different domain names.
In practice, it's almost certainly too late to perfect technology like Fawkes and deploy it at scale. And you know what? I think he's probably right. That's why we need legislation.
It's like we've all become celebrities, and the police and corporations are the paparazzi constantly hounding us to turn a dime.
You're totally right. You're totally right.
Hey, but it's not that bad, right? You can flip those frowns upside down.
We could just go to Zoom, can't we, and share our deepest, darkest secrets, and no one's ever going to know about any of those.
We could just go to Zoom, can't we, and share our deepest, darkest secrets, and no one's ever going to know about any of those.
Depends who's on the other end of the Zoom conversation, doesn't it?
Yeah.
Or who's decided to Zoombomb you. So yeah, fun old world right now. It's a digital Wild West.
So right now, your best advice for avoiding facial recognition is to wear a sombrero or something like that?
Well, wear your coronavirus masks.
One thing that I've never figured out about facial recognition is they largely rely on eye pupils, basically.
The pupils are super reflective, and most of them, not all, but most of them rely on pupils. Aviator shades, mirrored shades.
It's the one question I've forgotten to ask all the facial recognition people: does it work with mirrored shades? Some of them do nose and chin and all that kind of thing.
But again, if you've got a mask and mirrored shades on these days, I reckon you're good to go.
The pupils are super reflective, and most of them, not all, but most of them rely on pupils. Aviator shades, mirrored shades.
It's the one question I've forgotten to ask all the facial recognition people: does it work with mirrored shades? Some of them do nose and chin and all that kind of thing.
But again, if you've got a mask and mirrored shades on these days, I reckon you're good to go.
I love a pair of aviator mirrored shades. I'm going to get myself a pair.
Thom Cruise-tastic.
Oh no, no, don't bring him up. Hey, you IT security guys out there, I know that you have a tough job.
If you want increased security without impacting productivity, if you want to secure every entry point to your business, if you want to unify access and authentication, then check out LastPass.
They have the tools to make your life easier. Learn more at smashingsecurity.com/lastpass. Oh, and the rest of you out there, don't freak out.
There's a free password manager for home use. Check it out at smashingsecurity.com/lastpass.
If you want increased security without impacting productivity, if you want to secure every entry point to your business, if you want to unify access and authentication, then check out LastPass.
They have the tools to make your life easier. Learn more at smashingsecurity.com/lastpass. Oh, and the rest of you out there, don't freak out.
There's a free password manager for home use. Check it out at smashingsecurity.com/lastpass.
And welcome back. Can you join us on our favorite part of the show? The part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. Doesn't have to be security-related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. Doesn't have to be security-related necessarily.
Oh, it better not be.
And I have been trying to play some, because of course it's August now, summer holidays, and I've been trying to play some games with my son, which are not video games, but old-fashioned, good old board games.
Oh, have you?
Yes.
And so I have found a game, which is called Rush Hour, which is similar to a wooden block game called Klotski, if you've ever seen Klotski, which I believe a version of it did ship in a Microsoft Windows Entertainment Pack many years ago.
So Rush Hour is a sliding block puzzle game invented by a guy called Nob Yoshigahara in the 1970s. It's produced by ThinkFun Games.
So Rush Hour is a sliding block puzzle game invented by a guy called Nob Yoshigahara in the 1970s. It's produced by ThinkFun Games.
This is a physical game.
It is a physical game. And it's played on a 6x6 grid, and you have little cars, vehicles, and lorries of different sizes. And they're all jam-packed.
It's like a traffic jam, or imagine a really crowded car park. And what you have to do is just slide the cars back and forth. You can't go around corners, you can't turn them.
So just going up, left, right, or up and down. You have to manoeuvre them in order to get your car out of the car park.
It's like a traffic jam, or imagine a really crowded car park. And what you have to do is just slide the cars back and forth. You can't go around corners, you can't turn them.
So just going up, left, right, or up and down. You have to manoeuvre them in order to get your car out of the car park.
How does a car move horizontally?
Ah, well, let me explain. So some of them are placed perpendicularly to the others.
So they're all going forwards and backwards, but some are sort of north-south and others are east-west. Yeah?
So they're all going forwards and backwards, but some are sort of north-south and others are east-west. Yeah?
This sounds like, you know, every Saturday in the IKEA car park before lockdown for me. I don't know how— Well, how is this entertainment?
Oh, it's so much fun because of course you start with really easy puzzles. So it gives you about 60 or so little puzzles with layouts which you can put them in.
And you start with these and you think, this is a doddle.
And you start with these and you think, this is a doddle.
Oh, this is like Unblock Me.
Yes, exactly. I was about to say.
Yes, we should have just said that at the beginning. Everyone knows Unblock Me.
Oh, do they? Well, anyway, so there was allegedly a Rush Hour app for Android and iOS, but I can't find them any longer.
So the closest I found is Unblock Me, as you mentioned, which is for iOS. And I'm sure there are similar ones for Android as well.
We're putting a link to Unblock Me so you can check it out if you're a cheapskate. But I've had a lot of fun with this, and some of them are extremely complicated.
So the closest I found is Unblock Me, as you mentioned, which is for iOS. And I'm sure there are similar ones for Android as well.
We're putting a link to Unblock Me so you can check it out if you're a cheapskate. But I've had a lot of fun with this, and some of them are extremely complicated.
Is your son having fun?
Surprisingly, yes.
Oh!
This has been the big shock to me. This morning, he ran upstairs. I was in bed snoring away. He said, "Dad, Dad, Dad, I've finally done number 23." Because I'd got—
Does he really speak like that?
Pretty much. I had been— He wants to come on the podcast to promote his YouTube channel. I'm not sure if he's ready yet. Maybe for episode 10.
Oh, you don't think he's ready yet?
9?
9?
Maybe he is.
Do it now. Do it now, because in a few years' time, you'll be begging to go on his YouTube channel.
He'll be like, "Not yet, Daddy."
Not now.
When you're 65.
Anyway, my recommendation is Rush Hour, or if you can't get hold of a copy of that, you can get the digital equivalent, which is Unblock Me. And it's good fun, good brain.
You're thinking logically, you know, you have this visualization and it's quite clever little game. I enjoy it.
You're thinking logically, you know, you have this visualization and it's quite clever little game. I enjoy it.
Great.
Cool. And that is why it's my pick of the week. Geoff, what is your pick of the week?
Pick of the week, I guess at the moment, there's a book I'm reading, which is amazing book called Origins.
It's written by a guy called Lewis Dartnell, who's an astrobiologist of all things. I have no idea what the fuck that means.
It's written by a guy called Lewis Dartnell, who's an astrobiologist of all things. I have no idea what the fuck that means.
I was gonna say, aliens?
What I am, an astrobiologist, and your eyes just glaze over and go, "Yeah, okay." This book basically is how geography and geology and our geological history of the world has basically shaped everything about us.
You can trace everything, all of our entire sort of current existence, you can trace it all back to the sort of geological age-old sort of shifts and stuff.
So, you know, the reason we have family units, the reason, Graham, you have a kid who wakes you up early in the morning with information about game, is because of the Panama Canal.
Right.
So basically the Panama Canal used to be open, that gap between North and South America, and so warm water from the Pacific would go to the Atlantic, and that closed that gap.
Before we opened up the Panama Canal. The Atlantic got colder, Africa started to dry out, and the trees started to die.
So we came down from the trees, and instead of walking on all fours, we started to walk upright.
And when you walk upright, your pelvic bones have to come together to support your body.
And because your pelvic bones come together, the amount of baby you can push out between the pelvic bones reduces.
So you have to give birth to a younger child, which means when babies are born, they are looking after. So mummies and daddies have to look after the little baby.
So basically the reason we have a family unit is thanks to Panama. It's full of stuff like that. It's the most amazing book. It's incredible stuff.
You can trace everything, all of our entire sort of current existence, you can trace it all back to the sort of geological age-old sort of shifts and stuff.
So, you know, the reason we have family units, the reason, Graham, you have a kid who wakes you up early in the morning with information about game, is because of the Panama Canal.
Right.
So basically the Panama Canal used to be open, that gap between North and South America, and so warm water from the Pacific would go to the Atlantic, and that closed that gap.
Before we opened up the Panama Canal. The Atlantic got colder, Africa started to dry out, and the trees started to die.
So we came down from the trees, and instead of walking on all fours, we started to walk upright.
And when you walk upright, your pelvic bones have to come together to support your body.
And because your pelvic bones come together, the amount of baby you can push out between the pelvic bones reduces.
So you have to give birth to a younger child, which means when babies are born, they are looking after. So mummies and daddies have to look after the little baby.
So basically the reason we have a family unit is thanks to Panama. It's full of stuff like that. It's the most amazing book. It's incredible stuff.
As a woman, I don't think any lady out there would want to give birth to a bigger baby.
Well, exactly, exactly.
You might do if you had a wider pelvis.
Yeah, no, no, I don't think anyone would be like, "Yeah, yeah, give me a 40-pounder."
But it might be a kind of— don't you think that if men were the ones who gave birth on Earth, they would be bragging about the size of it.
Is it the Olympics?
It's true, you don't see women on Instagram, you just had a kid, it's 8 pounds something, "Yes, get in there," or get out of there, as it were.
But exactly, you might have men do it, it might be a different story. That's hilarious.
But exactly, you might have men do it, it might be a different story. That's hilarious.
Okay, cool. So that sounds fascinating, astrobiology. You'll tell us what that is next time.
Very nice. Carole, what's your pick of the week?
Okay, so mine is season 2 of Umbrella Academy. It just came out on Netflix. Did any of you watch the first season?
No. What is an Umbrella Academy?
It's a TV series, right? And it revolves around a dysfunctional family of adopted sibling superheroes.
Always bloody superheroes, isn't it?
Who— well, no, no, it's dark, it's dark, it's dark.
It's true.
It's £8 something.
Yes.
Get in there or get out of there. As it were. But exactly.
You might.
If men did it, it might be a different story. That's hilarious. Fascinating. Astrobiology. You'll tell us what that is next time.
Yes, there's loads of famous people, but I don't pay attention to that. Of course, no, there are loads. Literally, my husband's, oh wow, wow, wow, wow. I don't even know.
I don't know anybody. But yes, and good acting. But what I love is they've kind of done some movie pastiches that you'll recognize.
So there's some really great kind of Hitchcock-styled shots, and they just paid attention to the composition of images, and it really shows. And I that a lot.
And it's also a bit dark and quite clever. And it's not kind of cutesy-wootsy. It's got a real edge to it. And it's from a comic book.
It was a comic book first published in 2008, written by Gerard Way and illustrated by Gabriel Ba. And it looks awesome. I haven't read it yet, but it's on my list, Graham.
Birthday, just saying.
Yes, there's loads of famous people, but I don't pay attention to that. Of course, no, there are loads. Literally, my husband's, oh wow, wow, wow, wow. I don't even know.
I don't know anybody. But yes, and good acting. But what I love is they've kind of done some movie pastiches that you'll recognize.
So there's some really great kind of Hitchcock-styled shots, and they just paid attention to the composition of images, and it really shows. And I that a lot.
And it's also a bit dark and quite clever. And it's not kind of cutesy-wootsy. It's got a real edge to it. And it's from a comic book.
It was a comic book first published in 2008, written by Gerard Way and illustrated by Gabriel Ba. And it looks awesome. I haven't read it yet, but it's on my list, Graham.
Birthday, just saying.
All right. Noted. Right.
So dark, clever superhero mystery thriller is what I'd say.
So people who are in it include Ellen Page. Remember her from Juno?
Yes, that's right. Yes.
Excellent. And also Mary J. Blige apparently is in it.
Yes, she is in it. So see, I did know that, I just didn't remember.
Blige, actually. Blige.
Yeah, Graham, of course.
And you thought you were posh out in Oxfordshire.
Graham, posh. Right, so if this sounds like it's your thing, check it out.
You—
I don't think you'll be disappointed. Umbrella Academy, Netflix.
Season 1 and 2 are now— Well, that just about wraps it up for this week. Although I've got a little shout out to do.
First of all, I was contacted by a chap called Julius out in the Philippines who is teaching InfoSec to some of the kids out there.
And it turns out what they really to do is listen to the Smashing Security podcast. Can you believe that?
It's one of the projects they've been doing and they were put into teams and one of the teams— One of the teams at the De La Salle University in Manila, they have named their team Team Graham Cluley.
First of all, I was contacted by a chap called Julius out in the Philippines who is teaching InfoSec to some of the kids out there.
And it turns out what they really to do is listen to the Smashing Security podcast. Can you believe that?
It's one of the projects they've been doing and they were put into teams and one of the teams— One of the teams at the De La Salle University in Manila, they have named their team Team Graham Cluley.
Oh. They're gonna lose.
I've been asked to give a little shout out to Erica Chan, Miles Chan, Shereen Ching, and Stanley C., I think. I apologize if I've got your names wrong.
Thank you for listening from me. Me and Carole and Geoff, of course.
Thank you for listening from me. Me and Carole and Geoff, of course.
But also, if they're in the Philippines, they will— not to plug my book again, but there are two entire chapters in which the Philippines and its hackers feature strongly.
So guys, if you're out there, it's available on amazon.com as well.
So guys, if you're out there, it's available on amazon.com as well.
And keep your noses clean, kids, so that you don't end up in Geoff's next book. Now, Geoff, I'm sure lots of our listeners would love to follow you online.
What's the best way for folks to do that?
What's the best way for folks to do that?
Best place on Twitter, I am Geoff, Geoff with a G, G-O-double-F White, like the color, and numbers 247, because I'm Geoff White all day, all week.
And you can follow us on Twitter @SmashingSecurity, no G, Twitter allows to have a G, and you can also join our Smashing Security subreddit.
And don't forget, if you want to be sure never to miss another episode, subscribe in your favorite podcast apps such as Apple Podcasts, Spotify, or Pocket Casts.
And don't forget, if you want to be sure never to miss another episode, subscribe in your favorite podcast apps such as Apple Podcasts, Spotify, or Pocket Casts.
And a big thank you for listening, supporting us, and sharing our work with friends, family, and even enemies. Also, high five to this week's Smashing Security sponsor, LastPass.
Its support helps us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details, and a free chapter of Geoff's new book.
Its support helps us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details, and a free chapter of Geoff's new book.
Until next time, cheerio, bye-bye. Bye. Bye.
Geoff, I was sort of Googling your facial recognition stuff as we were talking about because I remembered you had done some sort of website.
You've got an article where it's called Accuracy and Facial Recognition, but you've spelled it feckognition in the title. I've just sent you a link. So you can—
Geoff, I was sort of Googling your facial recognition stuff as we were talking about because I remembered you had done some sort of website.
You've got an article where it's called Accuracy and Facial Recognition, but you've spelled it feckognition in the title. I've just sent you a link. So you can—
Oh, oh gosh. Okay.
All right.
Okay. That's useful.
Yeah. That Graham, Graham's very good at the shit sandwiches. He, what he meant to say was really, really good website. Notice a tiny, tiny typo. I'll send it to you by email.
Amazing site. Amazing work.
Amazing site. Amazing work.
Shit sandwich. I love that.
