
There has been another twist in the curious case of QuadrigaCX, a Canadian cryptocurrency exchange.
As we discussed in a recent episode of the “Smashing Security” podcast, QuadrigaCX was thought to be holding approximately $250 million CAD (US $190 million) in “cold storage” beyond the reach of hackers.
Now, normally that would be a good thing. After all, past hacks of cryptocurrency sites have shown that it is more sensible to store digital currency somewhere hackers cannot easily access it: offline, and protected by a hard-to-crack password and strong encryption.
But things aren’t so good… if you can’t remember the password.
Or, in the case of QuadrigaCX, the problem isn’t so much that the password to the cold storage cannot be remembered, but rather that the only person who knew it had died.
As the company announced on January 14, 2019, their CEO and co-founder Gerald Cotten had suddenly and unexpectedly died in India.

It is with a heavy heart that we announce the sudden passing of Gerald Cotten, co-founder and CEO of QuadrigaCX. A visionary leader who transformed the lives of those around him, Gerry died due to complications with Crohn’s disease on December 9, 2018 while travelling in India, where he was opening an orphanage to provide a home and safe refuge for children in need.
Gerry cared deeply about honesty and transparency–values he lived by in both his professional and personal life. He was hardworking and passionate, with an unwavering commitment to his customers, employees, and family.
Gerald Cotten, it was revealed in a court filing at the end of January, was the only one who knew the password to Quadriga’s cold storage, meaning that 115,000 cryptocurrency wallets were no longer accessible and clients’ US $190 million worth of holdings could not be repaid.
(One has to presume they tried obvious possible passwords like “letmein”, “password1”, and “qwerty”.)
You can hear more about this case in the podcast we recorded with Jack Rhysider from the “Darknet Diaries”:
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
I think he should just apologize to the people that he either freaked out or really gave a headache to.
Yeah, and he did an apology audio thing on Twitter.
Oh, he didn't send it to people's printers though. Come on, Jack, lots of people won't have seen it.
Smashing Security, Episode 114: Darknet Diaries: Death and Bitcoin. Ransomware and Phishing Beauty Apps with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 114. My name is Graham Cluley.
God, you sound proud. I'm Carole Theriault.
I am proud. And we are joined today by a special guest, someone who hasn't been on the show before. It's Jack Rhysider, host of the Darknet Diaries podcast, no less. Hello, Jack.
Hey guys, really excited to be here.
So exciting to have you on.
I love it.
Yeah, it's a trip because I spent years doing security myself and consuming your content, Graham, and bringing it into my own world and learning from you and stuff. And then here we are together. So stop.
Yeah, please do stop it.
Digesting my content. You can imagine you've eaten it all, but of course, you know what happens to it afterwards. So anyway, great to have you on the show. And during the course of the podcast, we'll talk a little bit more about the Darknet Diaries as well, because probably a lot of listeners will be interested if they're not already listening to it. But what have we got coming up on the show this week, Carole?
So this week we have you, Cluley, telling us about missing crypto millions. Jack, you are delving into the world of hackers, giraffes, and YouTube atrocities. PewDiePie. And I'm visiting the world of fake beauty apps feeding off the kids' love for digital surgery. All this and more coming up on episode 114 of Smashing Security.
Recorded Future provides deep, detailed insight into emerging threats by automatically collecting and analyzing billions of data points from the web. Every security team can benefit from that kind of threat intelligence. Grab yourself a copy of Recorded Future's free handbook, which explains why threat intelligence is an essential part of every organization's defense against the latest cyberattacks. Go and get it at smashingsecurity.com/intelligence. And thanks to Recorded Future for supporting the show.
Hey, what's your password for your email? Do you even know it? I don't. I trust LastPass Enterprise to remember it for me because it's so long, so complex, and so unique. I couldn't possibly remember all my passwords for all my accounts. Let LastPass Enterprise do the hard work for you because they take security seriously and they're really responsive. Check out LastPass Enterprise at lastpass.com/smashing. I'm on the show.
Well, chaps, news has reached us from the chilly tundras of Canada.
Tundras.
It's very cold there at the moment, you know. And one of the country's bitcoin exchanges, QuadrigaCX, has found itself in a right old pickle.
That's a catchy name. Well, QuadrigaCX.
I guess if you're new to the internet and creating cryptocurrency exchanges and things like that, you may have to be slightly imaginative when it comes to your domain name in order to grab it.
Yeah, well, they've certainly excelled on that one.
Well, it is claimed that approximately $250 million Canadian dollars— what's that, Carole? About £4.50?
I was just going to say £20. That's awful.
Well, no, apparently it's actually $190 million US dollars. It's said to be stored in cold storage as opposed to a hot wallet. Now that's normally quite a sensible thing to do, right? If you've got loads and loads of cryptocurrency.
Who owns the cryptocurrency? Is it the users or?
Well, yes, it's the users. So I think this is stuff which they've sort of safely borrowed away onto the cryptocurrency exchange and it's been stored away by these fellows who are looking after it. And they've put it in cold storage with the thought that it's going to be hard for the hackers to access it. It'll be offline hopefully and protected by a hard to crack password, strong encryption, you know.
Blimey. Well, all the stuff you'd expect from a bank, I guess.
Yeah, sounds kind of sensible that any funds which they're storing, they're going to look after properly. But things aren't so good, are they, if you can't remember the password?
Oh, shut up.
Now, passwords have often been a predicament when it comes to storing cryptocurrencies. And it's been a real problem in the last couple of years as well. If you remember during 2017, the price of Bitcoin absolutely exploded. It rocketed, didn't it? An extraordinary rate. Until the end of the year. I think it got up to about $20,000 per Bitcoin.
Even more, I think. Yeah.
Even more, was it? And then it suffered that really rapid fall as well, which is making John McAfee's bet that I think— was he predicting that Bitcoin would be worth $2 million or something by the end of 2020? I can't remember.
Or he would do what?
Oh, do we have to really go into that?
And I seem to remember we disagreed on what actually that meant.
Yeah, well, he said he'd eat his dick on TV or something, didn't he?
And Graham took that literally, Jack.
I'm not kidding.
Why are you even reading this? Reading his tweets or anything.
I know, exactly.
Thank you.
Yeah, it's a good question. Why does the media pay attention?
No, why do you?
Why do I? Because I'm just fascinated by these— having been there at the early days of antivirus, I'm fascinated by these enormous characters.
Do you see yourself in him?
No, I don't see myself.
Do you admire him?
No, of course not.
What would you like?
Anyway, listen, it's been a problem. The point I'm making is that because Bitcoin's exploded in their price, lots of people who had Bitcoin investments— maybe people just sort of made a punt and they spent $300, right, years and years ago on buying some Bitcoin. Suddenly they found out, oh my goodness, it's worth $300,000. How can I get hold of that money? But they couldn't remember their passwords and they couldn't get their Bitcoin.
Yeah, yeah, we've heard that.
Yeah, right. And some were so desperate they turned to, you know, really unusual directions to determine what their password might be. I was reading about this South Carolina hypnotist who was actually offering his services helping people recall. No, for real. His name is Jason Miller, and he was charging 1 Bitcoin plus 5% of the amount recovered. If he managed to hypnotize the password out of you.
Oh my God.
He said he had this great technique. I mean, you could have sort of tried to brute force it, I suppose, or use other techniques. But, but yeah, that's what he was trying to— that's what he was trying to sell to people. Some people would turn to things like this.
Yeah. I've also heard where someone threw away a hard drive which had bitcoin on it, and then years later they went back to the dump with an excavator and tried to find their hard drive.
Yeah.
There's a guy in Wales doing that right now. I don't think he's found it yet.
That's right. And he's been trying to crowdfund it because it's cost him quite a lot of money, and I think the council aren't letting him—
Are charging him for searching.
Are they?
Yes.
We shouldn't laugh. If it was us, it would just be tragic.
I know, it's awful. It would be tragic.
But in the case of QuadrigaCX—
Oh, sorry, what company? What name?
Oh, do I have to keep on saying it? In the case of QuadrigaCX, the Canadian cryptocurrency exchange, the problem wasn't so much that the password couldn't be remembered, but the only person who knew the password had died.
Oh. Yeah. Now, on the 14th of January, Quadriga announced on their Facebook page that their CEO and co-founder Gerald Cotten had died in India. And they posted this message saying, "With a heavy heart, we announce the sudden passing of Gerald Cotten, a visionary leader."
In December, he was in India. He was opening an orphanage, helping kids in need, giving them safe refuge. You think, "Oh my goodness, how terrible."
It's a good obituary.
So yeah, you feel very sorry. And this was signed off by his partner who was sort of assuming control of the company. Now, so far, that's quite sad, right? But they haven't said anything about passwords. The thing about the password was only revealed at the end of January, the end of last month, when they revealed that Gerald Cotten was the only person who knew the password to Quadriga's cold storage, meaning that its clients' $190 million worth of holdings couldn't be repaid to them.
Thank you, blockchain.
And if you—
I wonder if we could spend a million dollars to research a technology to pull memories out of a dead person's brain and we'd still be up $90 million at the end of this.
Right.
Yeah, I mean, you know, it's amazing what CSI can do, isn't it? With a bit of technology, I'm sure it could be possible. Maybe magnify, enhance the picture, going to analyse his brain, plug a couple of jump leads into the cerebellum. It'd be fantastic, wouldn't it? Now, all of that makes me wonder, was it really sensible for them not to have written down the password or put it somewhere securely? Because we tell people all the time, be very, very careful with your passwords, right? And maybe you shouldn't write them down, but what's going to happen if you die? Shouldn't we be thinking more about our digital legacy, about our accounts after we've gone? And we kind of think—
Well, especially if you're managing $190 million worth of other people's money.
It's not that easy a question though. If you're really keen to secure your clients' cash, you might be very nervous about sharing that password with one of your colleagues who might go rogue. It's $190 million, for goodness' sake. Isn't it a cybersecurity practice to always have two people that know part of the password? So they need to get together. Well, that's not going to be—
It's not going to help very much if one of them dies.
You've just got half a password. I mean, you may have Mary had a little and you think, well, I don't know what the end is. Going through, I don't know, rhubarb and custard trifle.
I would put unicorn just to screw with them.
Right, exactly. But, you know, I think people do need to think about the digital legacy. We're advocates on this show, of course, of password managers and making sure that they're securely held that way. But how many of us honestly think about the situation of what we're going to do with our passwords once we've popped our clogs, like this guy Gerald Cotten, the CEO of Quadriga, does?
I don't think you care very much, maybe. Do you care?
Well, you maybe should do.
If it's not yours.
But in all of our personal situations, shouldn't we be prepared to share that with our partners? Or, you know, you don't know what they might need to log into and how inconvenient it's going to be if they can't access accounts.
So traditionally, right, your partner could handle the mortgage and bank account because you can easily get someone to help you with that, a financial advisor or something. But, you know, if you have a bunch of Ledger wallets or bitcoin around and something happens to you, is your partner able to understand that technology or your family or whatever to be able to know this is supposed to go to them? This, you know, you need to do something with that. So I think I'm glad you brought this back around to us, make it more relatable to us, Graham, because I think it is a good practice to find someone you trust to somehow make them the tender of your digital world after your passing, because you give it to someone you can trust and they can take care of it for your family for you or whatever, because your family may not know how to work the password vault or log into all those accounts or something. And that's a really good question.
And even if they are able, if someone in your family dies and you're reliant upon them as a breadwinner, even if you know, oh, in 6 months' time, I'll get all this paperwork sorted and I'll be able to access that. I'm thinking of things like investments. That may be a critical length of time. It may be that you actually want access sooner than that because you're basically in a real pickle as well as having your head befuddled by what's happened.
Yeah, but all that is moot because the main guy of the place where your money is being stored doesn't remember the password.
He's dead.
Exactly. He doesn't remember anything.
Yes, but if it's stored in a password manager or in some kind of vault.
For God's sake, do you want someone who's running that much money storing it in, you know, really—
I'm not saying inside a password-protected Word document, Carole.
Right.
I'm suggesting something a little bit stronger than that. Now, if you look at some of the most popular password managers, things like LastPass, things like Dashlane, they have emergency access features. And the way in which they work is you can, before you die, you can nominate someone who you trust and you can say, if this person needs emergency access, give it to them. And the way it works is they apply for emergency access, it then emails you, the deceased person, and if you don't respond within a certain time frame, right, then it will assume that you are granting them permission. So you have the ability to say no, no, no. What on earth are they doing?
Is this your pitch to get your hands on my money when I die? Is that what you're doing?
I can't believe you've nominated me. And you can also do this, by the way, it was a past Pick of the Week, something called the Google Inactive Account Manager. You can also do this with Google too. And you can say, look, if you don't hear back from them for a week or two, you can choose what the time is, then the account access will be granted to this other person. Anyway, so that's the kind of thing they should have considered. And that would normally have been the end of my story, but there is an additional wrinkle in the story of QuadrigaCX, because I discovered that in October 2018, October last year, it was reported that Canadian Imperial Bank of Commerce had frozen a number of accounts linked to the cryptocurrency exchange's payment processor and its owner, Mr. Cotten. In all, they froze $28 million because they were a bit suspicious about goings-on at the company. Oh. And that left hundreds of the platform's customers stranded and strapped for cash.
And then people still didn't remove their money from this exchange.
Well, for months, months, a lot of people had concerns about this particular exchange and whether it had quite as much money as it was claiming. There is a researcher and data analyst, his name is Crypto Medication, which is a rather strange name. Mr. and Mrs. Medication decided to call their son Crypto, and he has conducted an in-depth analysis of Quadriga's bitcoin holdings. And his claim is that they never actually lost access to their bitcoin holdings. And the number of bitcoins which is being held is substantially less than is now being claimed by the widow of the allegedly deceased CEO.
And what would be in their best interest? That insurance would pay out? Is that the game?
Well, I think the argument is, and we have to put lots of allegedlys in here.
Yeah, yeah. Right, right. We think we might.
I think that the theorem might be that maybe this cryptocurrency exchange is claiming that it can't access an awful lot of money, and maybe the money it does have is being squirreled away in another direction. Who knows?
I mean, isn't there a paper trail through the blockchain that you could see if something moves out of that account, then obviously someone has access to it.
You would think so, wouldn't you? That would be the obvious sort of alarm bell which would go off.
It's recorded, right?
Certainly right now they are claiming that they can't pay up some of the money which maybe the Imperial Bank is demanding they pay up for questionable activities in the past. There's a rival crypto exchange called Kraken, and its CEO Jesse Powell has—another name—he's very suspicious of the whole thing, and he's even questioned the validity of the death certificate issued in India. So there's another crazy theory: is this man really dead at all?
Do you remember that story, that guy in the UK that pretended to die, but he didn't die. And he was living in the walls of his house.
Canoe Man.
Canoe Man.
And he was living in the walls of his house, collecting the insurance money and pretending to be dead, even to his kids.
And then he went off to live in Panama with his wife and he came back because obviously you miss Britain if you're in Panama. Got caught. And because the weather's so good. But yeah.
Put a link in the show notes. That's such a good story.
Well, to get completely off track, Sky News actually hacked into Canoe Man's email account because he came, he came back, didn't he, claiming to have lost his memory and have been found himself in Britain again.
And anyway, my conspiracy hat's on now.
Good, good. That's why you're here, Jack. We got you here to be the conspiracy guy. We love that guy.
Yeah, it's a little-known fact that I'm an amateur conspiracy theorist. I'm not a professional.
You are, wouldn't you? That's exactly what a professional— I knew it, I knew that's what you were.
So if you did give your digital world to someone upon your death, and they got it, right? So this guy's actually dead, right? Now the next person got a hold of that password. Yeah, they have a big decision to make on whether to take the money and run, or give it back to the company and whoever else it owns. So who could it have gone to? It could have gone to the co-founder. It could have gone to the wife.
Yeah.
Oh, yeah. So maybe we believe he is dead. Maybe it hasn't gone to the wife. Maybe it's gone to someone else who's just keeping— tumpty tum. Don't look at me. No, I haven't received any emails.
I mean, and then there's another option of he was killed because he had the only access to $194 million.
He was tortured and he gave away his password in his dying breath. That could have happened.
I love it. Well, I think we got the movie script written. Okay, so this is a Rhysider, Terry O'Cluley production. We'll put it into operation immediately. Sell the rights to Hollywood. Fantastic. Thank you very much. TM, TM. Don't steal it, listeners. We'll edit all this out. We don't want the listeners to hear this bit. Jack, what are you here to talk to us about today?
I'm gonna talk about Hacker Giraffe. All right, so imagine you're on the internet and you're clicking around and you find that 50,000 printers are exposed to the internet in a way they shouldn't be, and you have the ability to print whatever you want to 50,000 printers. What would you do in that situation?
Would you print something?
Would you report it to someone?
I honestly don't think that I would care enough to do anything. I would just move on with my day.
Oh, I barely have anything I would like to say to 300 people on Facebook, let alone send out a message to 50,000 people. I think it's unethical to use somebody else's equipment without their permission. Maybe I'd put it in the hands of the media.
Knowing as little as I do about the whole thing, probably what I would do from a moral standpoint is I would send something to each one of those printers saying, you know, this is not secure and you probably want to do something about it. So would you print something? No. Why not? I think I would not print anything because that seems kind of weird and maybe a misuse of resources. And I really like trees and that's a lot of paper.
So.
Well, first I would print a bunch of obnoxious memes to every printer on there and then I'd report it. You've heard of this person, Hacker Giraffe. The thing is that some people think that this person is one of the goofiest hackers because what he's done is hacked printers to promote PewDiePie.
He also has a goofy name.
The Hacker Giraffe.
It's a bit of a goofy name, don't you think?
Yeah. I don't know if he's on the savanna or on a safari or something. But the thing is that the media has just run with the story that printers are being hacked for PewDiePie propaganda and such like that. But I think let's put all that aside for a second, the PewDiePie part, and let's talk about the security issues here. The printers that he was able to access— This has been such an easy thing where he looked up port 9100 on Shodan, found 50,000 printers, and then used a script off of GitHub to print something to 50,000 printers. It's possible because of poorly configured UPnP settings on home devices.
So there's this huge flaw that shouldn't be there, and he spots it.
Yes.
And what are you supposed to do with that information, right?
Yeah, I mean, is it the printer's fault for requesting this port open? Is it the router's fault for saying, "We're gonna open it to the world"? Or is it the user's fault for not knowing what to do with their settings?
Because this was the thing, I think, was that even if you received this message on your printer telling you to sort out the security because your printer's opened the internet for anyone to send a print job to it effectively, or potentially worse than just sending a print job, most people wouldn't have a clue as to what to do next, would they?
I wouldn't.
Right. A lot of people think that there's some sort of magical hacking going on, like, oh, it's— this is way above what I'm capable of understanding. So I don't even know where to go. There's hackers on my system. Let's burn everything down. That's a scary situation to be in when somebody gets in your stuff. But if you recognize that it's as simple as, "Oh, my router was exposing that port and I didn't even know that was happening," then you can get control of this pretty quick.
So this, Jack, is on your latest episode on Darknet Diaries, and you actually speak to Hacker Giraffe.
The very first tweet I saw was a woman saying that their local police station printed this paper out of the ticket counter. And I was like, what? I had zero concerns whatsoever about any consequences. I was so into it. I was like, yes, this is working. This is so cool. I got to tell everybody that this is working.
Now, how did you find him?
So I reached out to him when he did this, he leaned into the whole thing and created a Twitter account and started taking credit for it. And pretty much that first day I was in contact with him, pretty much advising him this is not a good idea to lean into this. But he was just, he was on cloud nine. He loved the attention. He loved all this stuff going on. All those news was reaching out to him and the stories were coming out crazy. And it just fueled this excitement for him. And so I've been following him and trying to get together with him, but you know, scheduling guests is a very difficult thing. Yeah, we never quite aligned with our schedules until it was all over and he went completely dark. And he reached back out to me then and said, hey, give me a bit of limelight, baby. Yeah, not so much that, but hey, look, all this is over. Do you want to cover it from the beginning to the end now? And that's the best story that I think is worth telling is the news is that first draft of history. But once everything is over and we can see from the beginning all the way to the end what happened.
Because that was the thing, wasn't it, with this particular story? For those people who don't remember it, and we spoke about it in an earlier podcast as well, so we can link back to that and some of the news stories about this as well. It got the media's attention on a massive scale because the message which was sent to all of those insecure printers was, well, part of it was subscribe to PewDiePie's channel because PewDiePie was in a subscriber war effectively with T-Series and Indian music.
Oh, stop acting like you know what you're talking about for any other reason other than you did research.
Well, we spoke about it on our other podcast. That's why I know about it. But, you know, it got huge coverage, largely, I think, because the PewDiePie thing was part of it, though. I still think that if it just sent out ASCII art of the Pink Panther or something like that, that would have got lots of coverage as well.
See, that's the one question. I don't think he's wrong that the mention of PewDiePie did probably kind of launch him from tech press to mainstream press. And it was a goal that he seemed to want from listening to your show, Jack. Do you agree with that?
Yeah, he says that. And he was working with another person who both say, actually, this had nothing to do with PewDiePie. We just used his name to get the message to spread further. And we like PewDiePie, so we'll help him out, but that wasn't the goal here. The goal was to expose this in the biggest way possible to get the most attention possible.
But what was fascinating about this was initially he had this huge rush and excitement about, "Oh my goodness, look at the impact which I'm having." But then it really turned sour, didn't it? And that's what comes across in the interview you did with him.
Yeah, that's the thing I think I'm most fascinated with on my show, Darknet Diaries, is the human factor behind all of these breaches and hacks. I want to know what was that feeling like when you had to call the FBI or you had to call your executive to tell them the breach is happening? Because that's the most scary, spine-chilling moment. And here I have access. I was able to interview him for 2 hours with telling me all of the emotional experiences that he had gone through, like the decision to push that button, to hit enter, and then all of the depression that hit because you have this distance, this difference between the popularity of being online and the loneliness of being in the real world. And it's like the more popular he got, the more depressed he got because he couldn't match that in the real world. And I just think that that's such a fascinating aspect to pretty much all hacker stories. I'm sure all big hackers have gone through this when they've done something big. They can't take credit for it and they have this isolation. They can't tell other people. And so there's this loneliness. And it's so fascinating.
Do you experience that, Carole Theriault? Because you're very popular on the podcast, but in real life?
Not so much.
Not so much.
You don't know. You don't hang out with me and my buds. Now, I'll tell you something that I felt off. So I felt that Hacker Giraffe kind of had that Robin Hood kind of feel, right? Like I'm doing something a little bit bad. I know it, but I'm doing it for the greater good because I've signed off and said, hey, you're vulnerable. Is that what you're suggesting? But then all the guys and girls who actually follow the rules and try to do responsible disclosure and try and go through that whole horrendous bureaucracy of trying to get a hold of the right person to say there's a problem. And, you know, they ring and ring and ring and there's no one home. I just feel frustrated for them, right?
Yeah. Some people are saying responsible disclosure is harder now than it has been before.
So yeah, I don't doubt that actually.
And particularly with something like this, who do you call?
It's not Ghostbusters.
It's not. Who you gonna call?
I mean, technically, when you're looking at Shodan, it's going to tell you maybe it's Lexmark or something is the one that's open the most. But still, whose fault is it? It's kind of like, I always think of it like, who's in charge of making the roads safe? Is it the drivers? Is it the people who make the roads so it's not too curvy or fast? Or is it the police that need to drive by faster to check and make sure everyone's following the rules?
I kind of want him to go out on some channel and say, look, dudes, all the people that got yelled at by their bosses because the printer was spurting out paper. He also did that playing YouTube through the Chromecast, right? Later on in your podcast, you cover that as well. He did two of these events, right? I think he should just apologize to the people that he either freaked out or really gave a headache to.
And he did an apology audio thing on Twitter. He didn't send it to people's printers, though.
Come on, Jack.
Lots of people won't have seen it.
They were then fixed, so he couldn't.
He should have sent out a sorry message and then a follow-up saying, sorry for sending the sorry message. And, you know, we could have had something recursive going on there instead. Does he think what he did was wrong?
Okay, no, the question, you know what the question would be? The question would be, would you be surprised, Jack, if you saw him in the headlines doing something like this in the future?
I think he learned his lesson the hard way. I think he— I mean, I really hope that he has learned his lesson and that he doesn't, because it sounds to me like as I'm talking to him, it sounds like he's a good guy with a bright career and future ahead of him. And he's not a hoodlum trying to make a ruckus out there, cause destruction. He really— a couple other factors here. The tool that he used could have given him command line access to those printers. It's possible to send a malicious PDF to a printer and get command line to it. He didn't take that step. The tool he used could have made him a botnet of 50,000 or 800,000 nodes and taken down something bigger. He didn't do that. All he did was just send a print job to it and he took, you know, extra steps to not cause this kind of disruption. And, you know, that's what kind of makes me think he's probably, you know, good deep down.
Yeah. But he made some bad decisions, I would say.
Yeah. And so I also want to talk about that Chromecast hack he did as well, because what he was able to do was figure out that there were certain ports that the Chromecast was telling the router, open this up, and the router was doing. So that's again UPnP, and these are API endpoints. And so when those ports are open, they were open to the whole world, and we're talking over 100,000 Chromecasts were exposed in this way, which means that people can play videos or take control of your Chromecast from around the world. But not only that, while he was doing that, he also discovered that some Google Home devices were also listening in on that same port, and he could connect to the Google Home device and see how much noise level the mic was picking up. He couldn't listen to what the mic was picking up, but he could see the, you know, the bar, the volume unit, to say, oh, there's a lot of noise here, or no, no noise at all. And that, that alone is kind of a scary point that a lot of this media doesn't cover. They're just all PewDiePie, PewDiePie, but it's, wait a minute, why are thousands of Google Home devices letting people listen to the noise level remotely? This is a huge story.
And arguably, both these hacks that he did have, because of what's happened, have made the world a tiny bit safer, which is kind of a cool goal.
He shouldn't probably have done it, but the outcome was more printers are probably secured. But the risk at the same time is that maybe there are more people now who are aware of this kind of exploitation. So you could see copycats and, you know, will no one think of the trees? You know, the amount of paper and the—
Walk away, kids. Walk away.
Yes. So that's kind of the problem here as well is it's one of those immune systems that makes it worse at first and then safer because I think what, now that it's exposed, there's copycatters out there saying, oh, I could just do this. I will do this, and they're doing a lot worse situations, right? Now it's like, okay, well, we really actually need to stop focusing on PewDiePie and really do need to focus on this security issue, and at some point we'll get there.
What is it with that guy? What is it? You're younger, Jack, I think.
Oh, he's definitely younger than you, Carole.
PewDiePie, I think gaming is a popular thing. People watch gamers. He's a gamer. He talks about the latest memes. And says funny things and does, you know, comedy sketches. Yeah, I mean, I am not a fan of him. And I did— I had to watch a lot of videos to understand this story. But yeah, it seems it's targeting, I don't know, a younger audience or something.
For me, you've suffered enough, Jack. You've suffered enough watching all of those videos.
I think there are a couple of videos that are, if you laugh, you lose. And he tries to get you to laugh. Showing you a bunch of memes. And I did laugh at some of them. So he did deliver on a few, but it was rare. And I got mad and I shut off the computer. I said, it's not fair. You won't win this round.
Carole, what's your story for us this week?
So we're going to go back to when I was a teen growing up.
Oh, the '50s.
On the Ontario-Quebec border in Canada. No, Graham. Okay, this was the late '80s. Now, during this time, you might have found me spending my hard-earned cash on mags Bazaar or Vogue, and the worst of them all, Cosmopolitan. And here, for example, I've— I'm sending you guys a typical cover. Okay, this was from 1989. I mean, just look at the headlines here.
The joy of sex with an older man. Well, I can, I can appreciate that. Well, not personally, I wouldn't want to anyway, but yes.
So they're all, they're just outrageous, right? The hard realities of marriage, blah blah blah. My point is, this was during the supermodel era, and I literally would obsess about how flawless these women looked, right? And it really, this was just a thinly veiled pity party for one me because I was sporting a mullet, right? A poodle perm. I had braces. So yeah, I had a long way to go.
You still look a teenager to me from that description. I don't think you've changed that much at all.
So nice of you. So nice of you. But I remember the day when I finally freed myself from this bogus beauty shackle is when I found out that most of these model pics went through severe Photoshopping before they went to print. Right? And I thought, fuck that. It's, what a sham. And that, from that day on, it was a complete lie to me. And how could I have predicted if we were to fast forward to today, it wouldn't just be top-tier models that go through this humiliation of being digitally scrubbed and buffed and polished and smooth, but a whole generation of girls that go out and do it to themselves in selfies of their own accord, and they often pay for the privilege.
Yes.
No, it's just—
The other thing is that the women of your generation had— I don't know where you learned how to do makeup. Your friends, your mom, but now you just pop up YouTube videos.
I think it's at the circus, isn't it, in the case of some people? Right, Carole?
Oh, Graham.
Oh, that's a bit of a low blow, low blow.
Now you get to just pop on YouTube and see people doing it and social media teaching you how to do it. You get younger people also interested in how to do beauty tips.
Yeah, and it's like, see, now you can totally airbrush your acne or whiten your teeth or plump up your eyelashes or shrink your schnoz or make your eyes big and sparkly, right, Graham? And you know, it's dubbed, the whole thing is dubbed selfie surgery.
Is it? Yeah, oh my goodness.
And there's this one app called Facetune. It's one of the bigger legit players competing with Snapchat and Instagram in this space. And it's in the top 10 paid apps for Apple, right? It's been there for ages and most of the users are 21 to 34 and 70% are female. And it's currently at number 6 in the US in top paid apps.
So what does it do?
It does filters, it does photo filters. So it just makes you look prettier or, you know, you just—
Skinnier.
Yeah, you can shave your face, make it look pretty, whatever you need to do.
You've got a lot of girls shaving their faces. Okay.
So you don't even need makeup anymore. You just need an app.
You just need a lot of apps. Yeah, apparently. Now, I haven't played with these myself, which is probably a disservice for the podcast. I'm sorry, listeners, because there's a lot of money in these kind of apps, right? Remember, number 6 in the US. We're not surprised that there are some internet ne'er-do-wells who thought this might be an ideal market to target.
Yep.
And according to security firm Trend Micro, 29 bogus beauty camera applications or apps, read photo filters, were found to be doing something rather naughty on the user's phone. So of these 29 apps, some would display full-screen ads every time the user unlocked a device. And what was sneaky is it didn't tie it to the app. It kind of obfuscated its tie to the app. So you just see this thing pop up and you'd be like, oh, why is this ad here? But you wouldn't be able to figure out how to turn it off or where it was coming from.
That'd be irritating, yeah.
Wouldn't it? They would forward users to phishing sites, try and steal credentials. They had 'You've won a prize. Enter your phone number and email address here.' And some were even actually trying to steal photos. Okay, Trend believes these could be used on fake social accounts.
So you would use this app to make yourself more beautiful, and the bad guys are stealing the photos as well for creating fake social accounts? Seems a little bizarre to me. It's not like there's a shortage of pictures of people on the internet.
I'm thinking vanity ransomware. That's my idea. You can get in touch with them and say, 'I have your pre-pics. Like, honey, oh, we'll show everyone what you truly look like.' Now apparently, these apps were reportedly incredibly difficult to catch out. So they were packed and compressed, the files were all obfuscated, the relationship with ads was all kind of hidden, so you wouldn't be able to tell where everything was coming from. And the apps have now been— you don't have to worry if you're into this kind of stuff, because the apps have been removed now from the Google Play Store. But as if there's not going to be more in there in the near future. How do people avoid being enslaved by these kind of malicious apps pretending to be something else?
Don't be so vain. Full stop. The end. Right. Thank you for listening to Smashing Security this week. Aren't you, Graham? I'm going to see if you're going to lie right now, but aren't you the person every time you saw yourself in the mirror, you would say you were gorgeous?
Yes, exactly. I didn't need an app to do that. I just had self-belief.
Okay, so you don't need an app to be vain. Is what you're saying. Just find it in yourself.
Every time someone asks you, how are you? You just say, I'm gorgeous. And eventually begin believing it. And other people begin believing it. This is my PR strategy.
Okay, so I have advice, right, to avoid this thing. So download discriminately, right? Look for apps that have been recommended by a trustworthy friend or site, right? Don't just go willy-nilly and go, that looks cool, and download it. Delete all accounts and apps you don't use, no longer want. And I follow this rule of thumb: if I haven't looked at it in 6 months, I don't need it. Get rid of it.
Yep. Here's my cryptocurrency app. I'll delete that. Don't need that one anymore. You know what?
I totally would. I totally would. That's why I never bought any. I totally would do exactly that.
Very sensible. Very sensible.
Review the settings of the apps you've installed on your device, of course, and turn off anything you don't use and read the fine print. I know I say this all the time, but you know, if they're legit, at least you have an idea of what they're gonna do with the information they're taking from you.
And of course, watch the permissions you're giving them too, and don't give 'em extra info, you know. Totally.
That's a really good point. Yeah. All the settings that they turn on by default, they don't actually need.
But it's difficult, isn't it? If you're a vain 14-year-old and you want to compete with sexy Shirley in the other class and have an equally sultry picture, you're not going to think about permissions, are you? You just want to install the app.
Can I ask an inappropriate question?
Have you ever not?
Okay. So I did some research on sexting, right?
All right.
So 1 in 5 under-18s have sexted. So how many people do you think in that group are throwing their junk through filters first before they send them to intended recipients?
I don't want to—
When you say junk, you mean—
You know what I mean.
Well, I certainly wouldn't add a slimming filter to it.
That wouldn't be a good idea. Okay, Jack, are you all right? You surviving?
Yes.
Jack's doing great.
I'm just checking in on him.
And welcome back. And you join us, our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week.
Is that like my nose or—
Jack.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like. Doesn't have to be security related necessarily.
It should definitely not be.
It can be.
Shouldn't be.
But my one isn't this week. My pick of the week is a YouTube channel which is run by a German chap called Christian Eiloh, also known as Mr Puzzle. And Mr Puzzle has, at the time of broadcast, 632,000 subscribers, and I find him rather addictive. I've been watching him for about a year on and off.
Can I ask you something?
Yes.
Do you think most of our listeners are retired?
Why would you think this would only appeal to people who are retired?
He does puzzles?
Not jigsaw puzzles. By the way, there's nothing wrong with jigsaw puzzles either.
Okay.
No, he does things like locked boxes or things with keys or the sort of puzzles where, you know, do you remember when you were a kid, you'd sometimes get them at Christmas? You get some sort of logical puzzle which you'd have to sort of undo and unravel, and you're like, haha, I've worked out the combination. It's a bit like picking a safe, you know, and opening it up. And he's made a series of these videos of incredibly complicated puzzles. I watched one earlier today, which is the impossible Excalibur sword puzzle, which took him 23 minutes worth of fiddling before he was able to get the sword out. And he was hoping that everyone else would be able to follow it as well. And I find it rather lovely. First of all, I love his accent because he has a charming German accent and he has a lovely way about him. But these puzzles are terrific, and I would be quite tempted to buy some of these puzzles. And I noticed that some of the puzzles— there's this sort of homespun market where people are creating their own puzzles, and what they will do is they can sell you basically the blueprint of the puzzle, and then you make it for yourself on your 3D printer. So people who can't sell them commercially—
Sell the plans.
Sell the plans and things. And I think it's kind of cool. Anyway, I would recommend the Mr Puzzle. Of all the things in the last week, this is what I would recommend.
Jack, there's one that's called the Amazing Jack Puzzle. I just see it here.
I'll have to check that out. Anyway, I find it rather lovely. And I thought some of our listeners may enjoy Mr Puzzle as well. I've been digging into a book lately and I like it. It's called Dawn of the Code War and it's written by, I'm pretty sure, an ex-FBI agent. And so he goes over the history of security and hacks that have been against the nation or have been things like a nation-state level. And it's just really great to see to hear the stories from the FBI agent on what they saw and experienced during some of these big-time hacks.
And it's written well. You can read it and you kind of roll it along. You don't kind of—
Yeah.
Okay, that's nice. That's always nice.
Yeah, the author is John Carlin, FBI agent.
I'm just reading about him. He apparently was the Assistant Attorney General under Barack Obama. So he was fairly sort of high up from the sound of things. So he would have had some visibility on these things.
And so, you know, some of these I don't always agree with, you know, the reason that they have conducted or done some of their stuff, but it's fun to hear from the horse's mouth why, or, you know, what they saw that you don't normally hear on the news cycles.
Oh, and he partnered with an award-winning journalist to write the book. So that's really nice as well. Garrett McGrath.
Are you saying this is as interesting as my YouTube channel about puzzles, Jack?
It's about the context, okay? If I'm on a bored conference call where I just don't want to be on that call anymore, I'm going to get your puzzles out and I'm going to start solving your puzzles. And that's going to be so, so great to me. But if I'm flying on an airplane or I don't know, doing something where I need to, because this is an audiobook as well, you know, then I can use it there. So.
Where have you been all our lives? We've always needed a peacekeeper and we've never had one ever.
Carole, I'm surprised you're saying this because this is kind of security related, this pick of the week.
I don't mind.
And yet you're defending it.
Yeah, I don't care.
You were right about this week.
It's a book as well, which is always nice because, you know, not all of us read here, do we?
If only everyone would choose something like that, Krow, rather than some internet fliff-flaff and flim. Anyway, talking of which, what's your pick of the week, Krow?
Internet fliff-flaff. So, okay, it's an oldie, but it's a goodie. And do you remember the Dark Alphabet of Things That Can Kill You? Did you ever see that? Okay, take a look. Look, you can listen to a little snippet. Okay.
Just be careful, Jack. In the past, when she's given us a YouTube link, it led to Rick Astley. So let's see what's going to happen this time.
Oh yeah, whatever.
In life, you have choices. They're healthy and not, and sometimes it's tricky to choose what you ought. So if you are—
So basically, it's a beautifully drawn Grim Reaper waxing poetic on all the things that can kill you from A to Z.
A is for alcohol, source of addiction. Liver diseases, and other afflictions. So how about water? That might be okay, but if it's in plastic, there's B, BPA.
And it's a reminder not to avoid life when living, right?
Okay, it's very cutely drawn.
Now the whole thing is only 3 minutes long, so it's very cute, it's really sweet, and it just basically says carpe diem. You crazy cats.
Perfect amounts and eating some things that you shouldn't consume cause dozens of dishes will lead to your doom.
So this is the thing to watch if you need a smile today. Link's in the show notes. And I recommend you all do it. Even if you've seen it before, it's worth it.
What, we do everything from A to Z?
Yes, do everything from A to Z and let me report back.
C, crystal meth or whatever it is. You're saying just do that. Well, that's really responsible, Carole. Well, let's hope Apple don't remove us from the podcast library, all right?
I'm a very responsible podcast host.
Well, on that bombshell, I think we've just about wrapped up the show. Jack, for people who want to find out more about you and Darknet Diaries, what's the best way that they can do that?
DarknetDiaries.com is the website. It's a podcast that's available in your favorite podcast player anywhere.
Subscribe to it, people. It's excellent.
Yeah, it's really good, everyone. If you're enjoying our show, you'll enjoy Darknet Diaries much, much more.
And my favorite social media is Twitter, so if you catch me on there, I'll probably be really responsive as well.
Not LinkedIn.
I'm on there, but wow.
I know, I'm kidding.
It's awful.
When I get on a website and it turns up the fan on high on my computer, I know it's a good website, you know, quality built.
Exactly. And you can follow us on Twitter at Smashing Security, no G. Twitter won't allow us to have G. And you can join us in discussing all of these topics on Reddit. The quickest way to find us is to search for Smashing Security, and you'll find our subreddit up there.
A huge hat tip to our sponsors this week, Recorded Future and LastPass. Now, these guys help us give you these episodes for free. If you want more fab guests like this on Smashing Security, help us boost our listenership in this world of podcasts. Download numbers talk. So high fives to everyone who listens to the show, who's taken a few minutes to give us a review, who recommend us to friends or salty coworkers, or who sends us a lovely spot of love by email, Reddit, or Twitter.
And you can check out past episodes on smashingsecurity.com as well. Until next week, cheerio, bye-bye. Bye. Bye.
Thank you, Jack.
Thank you, Jack.
Oh, that was really fun.
Was it painful?
What are you saying about Jack's contribution?
Not his contribution, our contributions.
But now there’s a new twist in the tale.
As Wired reports, an investigation by Ernst & Young has revealed that the wallets in question were actually empty eight months before Cotten’s supposed death. As if folks weren’t suspicious enough about QuadrigaCX’s inaccessible millions before this turn of events…
Another Bitcoin exchange, Kraken, says it is offering a US $100,000 reward to anyone who can provide “information leading to significant progress or discovery of all or some of the missing client funds.” Kraken says it will pass any tips it receives on to law enforcement.
It’s hard to say right now if what happened at QuadrigaCX is a classic case of cock-up or conspiracy, but I would advise cryptocurrency investors to be very wary of trusting others to look after their cryptocurrency wallets. You should perhaps consider investing in your own personal hardware wallet instead.
And, if you are the one person in a company who knows a piece of crucial information or password, perhaps consider how others in your firm might be able to gain access to that data if you were ever to come to an unexpected sticky end.
Password managers like LastPass and Dashlane allow you to grant emergency access to individuals you have approved in advance.
Similarly, Google's Inactive Account Manager provides a way for you to share data with pre-designated individuals if you have been “inactive” for a certain period of time.
Of course, none of these methods are going to help much if the wallets have already been emptied…



Another two examples of the absurdity of cryptocurrencies.
Hmm… I wonder how much a fake death certificate costs in India?! Well played, sir.