
An anonymous tip-off to BBC News allowed the broadcaster to watch in real time as an American medical university negotiated with the hackers who had infected its systems with ransomware.
As reporter Joe Tidy describes, the University of California San Francisco (UCSF) was hit by the notorious NetWalker ransomware on the first day of June.

A ransom note left by the gang directed the university, an institution dedicated to medical research, to a payment page on the dark web. There it could find an FAQ, an offer to decrypt one file for “free” (as proof that decryption was possible), and – just like so many legitimate websites – a live chat with a support operator.

Of course, negotiating the safe recovery of your encrypted files is so much more stressful when the webpage also contains a countdown timer, threatening to either double the ransom demand or publish stolen data on the internet if time runs out.
UCSF asked for more time, and six hours later must have been relieved to be granted it, and to see news of the attack removed from NetWalker’s public website.

However, the hackers demanded $3 million, and were less than impressed when whoever was at UCSF’s end of the conversation begged them to accept $780,000, citing the “financially devastating” damage caused by the coronavirus pandemic. UCSF has been conducting antibiotic clinical trials in the fight against COVID-19.

Ultimately, after what BBC News describes as a “day of back-and-forth negotiations,” the two sides agreed on a final payment of $1,140,895. The following day 116.4 bitcoins were transferred to cryptocurrency wallets controlled by the NetWalker gang, and the university received the decryption software needed to recover its affected data.
Speaking to BBC News, UCSF explained why it had decided to give in to its digital extortionists:
“The data that was encrypted is important to some of the academic work we pursue as a university serving the public good.
“We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.
“It would be a mistake to assume that all of the statements and claims made in the negotiations are factually accurate.”
Nobody likes the idea of cybercriminals making money out of successful ransomware attacks. Every time an organisation decides to pay its extortionists, it incentivises malicious hackers to launch yet more ransomware attacks against unsuspecting targets.
At the same time, I can understand how organisations that feel they have no other option might make the difficult decision that it’s better to pay the criminals than have their organisation further disrupted, or its data exposed on the internet.
The university is now said to be assisting the FBI’s investigation into the attack, and restoring its affected systems.
One final thought for you all: in whose interest is it to tip off BBC News about a ransomware negotiation as it happens?
You can hear this ransomware attack discussed in further detail in this episode of the “Smashing Security” podcast:
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Hi! Before we kick off the show, we just want to send a huge thank you to just a few of our amazing Patreon supporters. Thomas Fenyans, David Peter, Ruben, Dimitri, Richard Van Leesem, Chayenne Aerosmith, Marcus Vinter, Pete H., Macaulay McCulkin, and Scotia. Thank you all. Your support really helps us. If you want to join our Patreon community, check us out at smashingsecurity.com forward slash Patreon.
Smashing Security, episode 185. Bieber Fever, Roblox and Ransomware. With Carole Theriault and Graham Cluley. Hello, hello and welcome to Smashing Security, episode 185. My name's Graham Cluley.
And I'm Carole Theriault. And Carole, we've got a special guest this week. Who is it?
It's someone who's been on a number of times before. Mr. John Haas.
Mr. John Haas, thank you so much for coming back on.
Hello, Carole. Hello, Graham. Nice to be here.
Hi. Thank you very much for coming back to Smashing Security Towers for yet another. Well, actually, it's virtual, of course. Virtual Towers?
It's always been virtual, though. It's not like we're on trend here.
Same old, same old. Oh, are you getting bored? No, no, I'm not bored at all. It's not like I've been cramped up in my podcast pleasure palace for four months or anything like that. No, I'm fine. I'm fine. What's going on in your world, John? Anything interesting?
Well, apart from not having left the house for six months, pretty much the same as everybody else, I think.
Six months? Are you Father Christmas? I've seen that beard of yours. Has it gone white? You know, I'm an early adopter. What's coming up on the show this week?
Well, first, thanks to this week's sponsors, Authenticate and LastPass. Their support helps us give you this show for free. Now on today's show, Graham explains why the latest Roblox hack is so unusual. John reveals which US university just paid what might be the biggest ransomware fee ever. And I talk Pizzagate because it's back with a Gen-Z makeover. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, we were alluding to it in our introduction, but what a ridiculous year it's been. So full of news, news, news. I started off the year in Australia, of all places, where bushfires were going on left, right and center, horrendous. And then we had Megxit. I imagine you're both still quite upset about Megxit.
These were certainly, these were last year's dramas. I think they were trading 2019 dramas to 2020. And I think 2020 is pretty shit.
The bushfires carried on until 2020, and Megxit is when they actually left. And Britain has not been the same since, since Meghan and Harry left. We've really missed them. We also got Brexit done as well, remember.
Oh, that's true.
We had Trump's first impeachment. I say first because I'm hoping there may be another one still to come. Global pandemic and lockdown, of course. I doubt you've even noticed that. Protests around the world after George Floyd's death. Hundreds of billions of locusts. Did you hear that story about the locust swarms?
Yes, now it's all been done and it's all sorted. Nothing more to worry about there. Yes, not good. Not good for food production at all.
Not good at all. And Tiger King came out on Netflix.
I have not watched that. I refuse. Yep. I listened to a podcast from Wondery on it a few years ago, and that was enough for me.
Are you kidding me? No.
Okay, make your case, make your case.
So oh my god.
So Roblox of course is an immensely popular online gaming platform. 100 million users. You have little Lego men and you create your games and you publish them for other people to play. Anyone of any age can play it. There's no age limit, but it's really for tweenies and young teens. I think they're the biggest market. Does your son play this? He doesn't. He would love to play Roblox.
Oh, but you don't let him yet because he's too young?
Well, there's just some nasty stuff which goes on on Roblox. I think we'd have to police it quite a lot. However, these hackers are breaking into accounts. They're taking over accounts. And one of the things you can do with Roblox is you can customize your gaming experience. So just like with Fortnite or with Animal Crossing even, you can buy items and skins. You can change the appearance of your in-game character. You can give them T-shirts and hats and other accessories. Now, what the hackers are doing in the last week or so is they're breaking into Roblox accounts. And they're not doing it, as far as we can tell, to make money. What they're doing is they're modifying players' profiles and specifically according to the report in Bleeping Computer who did some research into this, they are changing people's profiles to say in the about section "Ask your parents to vote for Trump this year hashtag MAGA 2020."
Is that Make America Great Again? See I didn't even know that.
It is, yes. Does that really work?
Yeah. Mummy, mummy, can you vote for President Trump, please?
Well, I was going to vote for Joe Biden, but now... Thanks, little Richie. As I do everything that you want me to do, because you are my spoilt child, I'll also vote the way you want.
Okay, so do we have any information on who might be behind it?
We don't know who's behind this. My guess is, Carole... The Russians. My guess is it's someone who supports Donald Trump. So that narrows it down.
Well, you see, it could be, what's it called? A double bluff.
Oh, I see. Like a Joe job. Yeah. Is that what it's called? A Joe job? Well, a Joe job is where you do something naughty, but you make it look as though someone else did something naughty.
Oh, I've done that. And then they get the blame for it.
It happens sometimes with spam campaigns. I just wonder, right, if the people behind this might be actually not wanting Trump to win, so that the kids go up to mum and dad and say, please vote for Trump, daddy. Please vote for Trump, mummy. And they go, outrageous. No, I will not. Why did you say that? I'm definitely voting Biden.
You're not a parent, are you, Carole?
No. What did I get wrong on that? I just simply don't know if the child nagging them to vote one way would actually get them to vote either for that person or not.
It's astonishing, isn't it? It's incredible.
I don't think it would be them.
That's an interesting theory, because, I mean, that would of course increase the potential pool of perpetrators, wouldn't it? And it obviously has to be someone with some time on their hands, and I'm thinking that Hillary Clinton, she's had a lot of time on her hands. I mean, she's sorted out her email server now.
How weird you brought that up because she's coming up in my story.
Oh, is she a special guest later in the show?
Yes, yes. She had nothing to do, so I called her up and said... We should drop her a line, shouldn't we? We should get her on the show. Now, the hackers aren't just changing Roblox profiles to say, tell your parents to vote for Trump, MAGA 2020. They are also buying online clothes for the character who they've hacked, for the player. And they are giving people a red baseball cap with white writing on it. And a white T-shirt bearing an American eagle with the old star and stripes. No crazy orange hair pieces. I bet that's possible. It must be, surely. Don't give people ideas, John. I know what you're like. Or maybe we could see Roblox actually strengthen their security. Well, is it really Roblox's fault? I wonder. Well, let me ask some questions. Do they have multi-factor authentication available?
They do have. Yeah, it's two-step verification. They have that available. But of course, is the typical 11-year-old kid going to have turned it on?
Is it by default? Or do you have to go into some weird setting to go enable it? I'm not a Roblox user. I'm pretty sure it's not turned on by default, just as in most of the world it isn't, of course. So you do have to go to some effort and you have to find out. And what we'll do is we'll put in a link in the show notes as to how to turn on your two-step verification. No, no. But if Hillary Clinton comes up to you pretending to be a kid and reaches for your laptop, it could, of course, be her. Don't be tricked into entering your username and password into an in-game form because these games can actually present forms to you, which might appear to be a dialogue from the real Roblox. And some kids are tricked because what they all want to do, of course, is they want free Robux. Yeah.
We say, yeah, because, of course, we know. Well, no, we've covered it before in the show as well.
I think it would be the outrage that the Trump campaign might have used this method to convince them because presumably as soon as a child asks this they're going to say where did you get that from and they will show them.
Yeah, and we're familiar with Animal Crossing Bells, of course. Lots of kids are after free Robux and prizes and cheats or membership of the Builders Club. And, again, they will install programs or browser extensions to try and get hold of them. And their computer is compromised. No. Well, here's what they could do, Carole, right? So these hackers are giving people baseball caps and American Eagle T-shirts. What if people came in and gave them all face masks, right? So if you're going to one of those Trump rallies, maybe there's an online rally inside Roblox. At least you'd all be protected from each other and not spreading disease. It's kind of gross that kids are being targeted, though. From whoever is behind this, you know, the fact that they're actually targeting kids is pretty yucky, in my view.
I mean, it's quite possibly a 14-year-old kid who's doing it as well.
I have a feeling that today's 14-year-olds know a lot more than I did at 14.
Well there's some things I hope, some things so—
What were you trying to say? What insults are you trying to land there awkwardly?
I was just going to say I hope there's some kids who don't know what you knew at 14. That's all I was going to say Carole.
Oh well I didn't know you well.
Excellent. Excellent. Excellent. And let's move. John, what's your story for us this week? So all of the big headlines for the last couple of days have been about a US university, which has paid out over a million dollars to ransomware operators. So this is the University of California in San Francisco, which is basically the medical part of the University of California. So like a major medical research center, it's got a major teaching hospital attached. But then the lockdown dragged on a bit and they were thinking, oh, crikey, we need to— They got bored. They got bored. We still need to make some money. Maybe we can just infect a few hospitals. They didn't really care so much. Well, and also I think the group that's supposedly behind this, which is known as NetWalker, they were not part of that announcement anyway.
Were they complacent with security, do you know? Or were they just targeted? It's very difficult to tell. Universities and hospitals, this is why we've had so many stories about ransomware in those kinds of settings recently. They're very big, diverse organizations. They tend to have lots of different kinds of hardware and software that they need to run on some kind of ancient machines in some places. And it's very difficult to keep all that secured, which is why they're big fat targets for nasty people. Whoa. So they admitted to making an over $1 million payment.
Mm-hmm. So somehow the BBC learned about this thanks to an anonymous tip, and they had access to the actual negotiations that were going on with the ransomware people.
Oh, really? Yes. Not really quite clear how it worked out that somebody gave them all the details of the— So what kind of things were they saying? Mel Gibson.
Cutting out bits of newspapers or at least going to a payphone and putting a hanky over the mouthpiece.
That's right.
Oh, yeah. You can't kidnap someone without a hanky over the mouthpiece. It doesn't count.
Of course not. In the modern age, so apparently they have a dark web website complete with FAQs and a web chat system. These are the ransom guys. You're just in the queue.
Please wait. We'll get around to you. All of our operators are busy at the moment.
This is not the first time we've talked about kind of malware and attacks like this actually operating like corporations.
Well, it's properly professional business, isn't it? I mean, that's the message everyone needs to learn.
It looks very slick. So the BBC has actually published a bunch of the conversation, although only the ransomware side, not the university side. It's very interesting to see how the conversation develops and the sort of language they use.
Tell us some of it.
So the UCSF, they were asked for $3 million, and they came in with an opening bid of $780,000, which seemed like a pretty high starting point.
I would have probably come in with nothing. That to me says right away they want to pay a million.
If they come back and said,
Or how about just giving us our stuff back and not being bad people?
But the thing is with this ransomware is that there was a ticking countdown as well. So there was an urgency on the university's part to do something about this, not only because they'd been doing coronavirus research and looking into possible treatments there, but also because it was possible their data would either be permanently deleted or published for everyone to see.
Yes. So when they made this 780,000 offer, the response was, keep that 780k to buy McDonald's for your employees.
John, could you do that in a sort of kidnapper voice?
That was my kidnapper voice. Good to know for future reference. So I worked out, apparently there's 25,000 people working at the UCSF, so they could have all had seven Big Macs each. It still had change for a few drinks.
Is it even possible to eat seven Big Macs in one single day? Yes. Yes. Yes? Yes. I could not do that.
You need to try harder. Also, I imagine, given that most of them are probably health professionals, they would...
They would rather die and put that poison into their stomachs. Good for them.
We're in lockdown, Carole. Everyone needs a hobby. I think you can try and do it before we have it each.
Yeah, no, you just want me to die. Jeez.
Anyway, so after a day or two of this chat, it went back and forth with messages every few hours. They finally settled on this $1.14 million, which the UCSF paid in Bitcoin the next day. And my first thought was, is that the highest ransomware ever? Because I couldn't remember hearing of anything that high and also that seems like a very odd amount. It wasn't even exactly 1.1, it was 1.14.
Did you divide it by the price of Bitcoin on that particular day? Maybe it was something like X thousand Bitcoin. Well, again, I think it was 116.4 Bitcoin. It wasn't a round number of Bitcoin either, although maybe it was the day before or something. But what I did find, so I looked at what the biggest payouts ever were, and there was one in 2017 made by a South Korean web hosting firm who paid out a million dollars, which is widely listed as the biggest one ever. But if you then look back at the stories from the time, they quote it as 1.3 billion won, which at the time was 1.14 million dollars. So NetWalker have got this quite professional criminal organization where they have people online available to chat with you if you happen to be a victim of that. Do you think one of their operators thought, I'm going to really impress the boss. I'm going to hold out until I can go back to my bosses and say, hey, I've brought in actually the biggest ransom ever. So I'm aiming for that amount. I think that's very possible.
This is a really big problem, though, because they have basically financially incentivized a bunch of bad guys.
Okay. But there's a couple of things. So as a general principle, I agree, you shouldn't pay criminals for this kind of thing and it just encourages them to launch more attacks. However, there is a global pandemic going on and these are medical researchers who are working on trying to find better treatments for COVID-19. So that increases the urgency. And there was the risk this data would be released in public and maybe endangering other people's privacy as well. And so I think under those circumstances, you may think, well, just to be up and running as quickly as possible, maybe we need to be a bit more...
I completely understand that. Is that enough, though, to say, here, bad guys, here is a million dollars?
Well, that's also the other side of this. For a long time, we've been saying, oh, ransomware, as long as you've got good backups, you don't have to pay out, you can just restore and you'll be fine. But more and more of them nowadays are actually taking stuff away as well and saying, okay, either pay the ransom and you'll get your stuff back and we'll delete our copy of it, or we will release this and you'll be destroyed. But in a way, they've almost sort of doubled the uncertainty around paying the ransom, because in the past you pay the ransom and you might get the decryption keys. And now you pay the ransom, you might get the decryption keys, they might delete their copy, they almost certainly won't. They might just not release it for a little while, but you've kind of stretched that likelihood of it being released further down the road, and you've told them that you're willing to pay lots of money to them. I don't know. I think if I was the criminal who'd stolen the data and I had been paid, I think in order to make my future attacks more successful, I wouldn't release the data at a later time. I wouldn't double cross.
But you might change your mind in 10 years or 20 years. I mean, you may be 20 years old right now and have successfully done this, right? And storage is cheap. I mean, you used to say, oh, all these guys, they're all mostly script kiddies writing little viruses, because back then it was mostly true. Ain't true anymore, sunshine.
No, not true. And as John just said, we used to say the answer is backups. And sure, you should have backups. But actually, these days, prevention is the thing which you need. You want this to stop happening in the first place.
The main way in for most of these attacks is almost always some kind of phishing. It's an email either tricking you into handing over usernames and passwords or to running something nasty on your machine that starts it all off. So I think that probably the biggest step towards reducing this kind of problem is going to be better phishing prevention. Yeah, but also have backups.
Carole, what have you got for us? Well, Clue, I'm going to talk about a serious topic this week. So you can rest easy that I will not be funnier than you this week. But first, I think you should come clean. Do you want to tell everybody? What are you talking about? Seriously, don't you think our wonderful listeners have the right to know the truth? Do you remember it? Well, I remember it wasn't a conspiracy involving the use of pineapple on pizza. It was that there was some kind of child trafficking pedophile ring running out of a Washington pizza parlor.
of Podesta's brother who owns this pizza place. Yeah, and crazy QAnon people were spreading stuff and photographs. And eventually some nutter turned up there with a gun. So at the time after this all happened, fact checkers debunked the conspiracy. And we might have thought that it might just disappear because it really seemed to be all around the Podesta Clinton emails, which is no longer the flavor du jour as we have much bigger fish to fry these days. Hang on. So, a few things, right? So, they were asking Justin Bieber to give a secret sign if he was somehow involved in this child trafficking ring. I'm imagining that they understand that he wouldn't want to come forward on his own and he has to do it. It wouldn't have been that surreptitious, would it, to do it in a public Instagram, having just been asked a few minutes before whether he would touch his hat to give it away and then he touched his hat. So that's one comment. Yeah, exactly. Do not touch your nose. Right. Exactly.
think of pink elephants, right? You're going to do it. Okay, so tell us more, Carole. Tell us more. So the problem, one of the problems that was pointed out by the New York Times reporters was that thousands of comments were flooding in at the time. So there's no evidence, they say, that Bieber saw the message, right? Which I can kind of understand. live chat, everyone was chatting to him, of course, because he's Justin Bieber. Yeah. And so he probably doesn't see 99.99% of the comments. Okay, right. So however, the viewers that noticed the hat scratch went nutso, right? And hundreds of videos online analyzing Mr. Bieber's action started. They were translated into Spanish, Portuguese, other languages, right? Amassing millions of views. And even if they, I don't know, mute the hashtag or whatever the phrase is, people are going to read that as, oh, here we go again. Here is state controlled. Here's deep state media.
how about $780? It also helps stem the spread of the conspiracy. So because Facebook and Instagram and Twitter were actually strongly rooted in existence when it first happened in 2016, and after the pizza gun incident, there were loads of social media stopping the search for Pizzagate or stopping the hashtags from being used. And so Twitter and Facebook and the like already had some mechanisms to handle it already in place. But TikTok was in its infancy then. It didn't exist. So they didn't have any of this.
But even if Pizzagate is being stamped on by social media, all someone has to do is start something about pasta goat, for instance, right? You can get a goat and you can have some goat meat with pasta.
Oh, good. Give them ideas.
Well, no, I'm not trying to give them ideas.
Well done. Well done. Calzonegate.
John, Graham, you guys.
Okay, now here's my question to you guys. The big question I have is, once I read about this, I was like, well, what is Justin saying about all this? Right. And as far as I can see, nothing. Now, he has 112 million followers on Twitter alone. Okay, that's three times the size of Canada.
The universal measurement of size, yes. It's the Carole measurement of big. Three Canadas big, yeah. No, he can't win because during his video where he says this is all a load of cobblers, he would scratch his nose or he'd stop to bite a piece of pizza while leaning up against his garden gate or there'll be something which someone would analyze in the video and say, there's a secret message he's embedded in there to tell us what's really going on.
I don't think you can win. Yeah, it's depressing, I think. I actually feel sorry for him. You know, I mean, he has been... I do. Okay, he's Canadian. Not that's not why I feel sorry for him, but, you know, I have more empathy for Canadians than to other people.
I feel sorry for people who are Canadian.
And, too, he has been the butt of viruses, phishing scams, since he was a young teen.
Maybe that's why he keeps quiet about it. He's just, yeah, yeah, whatever.
Too much. He's jaded, man. Jaded.
He probably just thinks that people are idiots. And he probably thinks that all these fanatics, whether they be fans of his music or fans of QAnon or whatever, are just insane. It's better just to keep your head down.
I think it would be wrong to assume that everyone who is contributing to this conspiracy is actually buying what they're peddling. I think a lot of them, from what I'm reading, see this a bit as play gaming. It's almost like a community-driven conspiracy mystery storyline. I think it's exciting and fun for a lot of them. And I think they're doing it ironically. Problem is there's loads and loads, millions, that are not in on the joke. And they're falling for it hook, line, and sinker.
At least they're not doing it on Roblox. Well, yes. Yet. Yet. Yet.
It'll come. Yeah, yeah. Fake news is evil shit in my book, right? So shouldn't do it. Doesn't make you any better than the leaders that are contributing to all the disinformation garbage. Anyway, so...
Can we stop it? How do we stop it? Stay true, man.
It's the only way. I think cut people's fingers off with bolt cutters and just remove them from the internet. So I ask you again, Graham.
In the interest of honesty, are we going to talk about your secret love affair with Piers Morgan and Sean Hannity? Oh, for goodness sake. I'm going to get a hashtag. I wish I'd sorted one out already. Use a password manager. Just do it. These aren't my words. These are the words of Brian X. Silo for Research Toolbox from Authenticate is a secure and anonymous web browsing solution that enables threat intelligence, security and public safety professionals to conduct research, collect evidence and analyze data across the open, deep and dark web. When you're coming back on David?
Chen, the lead consumer technology writer at the New York Times. It's time that everybody uses a password manager, both at home and at work. Now get this, LastPass from LogMeIn offer businesses a secure vault with centralized secure access, single sign-on, and simplifies remote management of all these accounts. And guess what? You home users out there, you can get LastPass free. For more info, go to smashingsecurity.com/LastPass. That's smashingsecurity.com/LastPass.
And they were talking about this video called Building the Perfect Squirrel Proof. Perfect Squirrel Proof. Squirrel Proof, but it's 2020. Building the Perfect Squirrel Proof Bird Feeder.
Oh, cool.
So what this chap has done is, because of lockdown, he set up a bird feeder, and he noticed that squirrels kept on stealing the walnuts or whatever. So he thought, right, I'm going to have a bit of fun. I'm going to give the squirrels more and more of a challenge. And he ended up with this huge assault course, which the squirrels had to complete in order to get to the nuts.
I'm looking at it now. It's incredible. Pretty cool. It is pretty cool. And there's a variety of ways and challenges for the squirrels which they have to complete in order to get to their nuts in what he stresses is a squirrel-friendly fashion.
No, there isn't.
There is. And if the squirrel stops by it for too long, there's a pressure sensor underneath it and it gently flicks the squirrel up into the air.
Gently. You just put that in so you don't look cruel.
I believe in this. He does stress this over and over again and he shows you the video in slow motion of how the squirrels are affected. It's quite interesting, actually, how both squirrels and cats manage to land quite safely from remarkable distances. So there's that. There's another one, which is a bit like when you go to the British seaside, you might find one of those sort of stand-up placard things with a hole cut out for your head, and you stick your head through, and suddenly you're a fat lady or something, and you get your photograph taken. Well, he's built one of those for the squirrels and incentivized them with a nut to stick their head through, and so he can then take their photograph. There's all manner of things.
Oh my God.
I have to say squirrels are incredible things. So if you haven't already seen Mark Rober's perfect squirrel proof bird feeder video, I would recommend it because it is my pick of the week.
Do you know what? It's a serious problem, Graham. My parents, my whole childhood, that was one of the big concerns in our wood where we lived was how to protect the bird seeds from the plethora of squirrels.
Oh, I thought you meant homewrecker squirrels.
I'm just saying it's a real problem that people face every day.
It is.
It is. Surely drones are the answer.
Oh, really? How would you do that?
You hang your bird feeder from a drone and you fly it up in the air and then the squirrels can't get at it.
All while decapitating all the birds?
The birds fly in from underneath or, you know, the drone has little guards around its blades.
Okay. I'm glad you're not in charge. Just saying. John, what is your pick of the week?
So I wanted to talk about a TV show called Dark.
Oh, this sounds fun.
Pretty sure it's been brought up on this show in the past.
It rings a bell, actually.
It's a great show. Season three came out the other day at the weekend, I think.
Oh.
Apparently the final season.
Are you a big fan of Dark?
Absolutely love it. It's glorious.
Remind us again what the show is about.
So it's a German teen time travel thriller, I guess you could call it. It's set in a small German town in the countryside. And there's three or four families that we focus on. Some kids have been going missing. One of them finds a spooky tunnel leading to the past and possibly the future. From there, it builds and builds and builds. It becomes insanely complicated. You've got these 30 core people, and you're seeing them as small children and then as teenagers and as middle-aged and old people, but some of them are moving through these tunnels and then some of them also develop time travel machines, which they use to time travel, and then sometimes take the time travel machine through the time travel tunnel.
So, John, to keep track of what's going on in this TV show, have you got flowcharts? Have you got an obsession wall with pieces of string?
It is the most tempting show I've ever seen to go out and build an obsession wall. But I don't think you could do it on a wall. I think you would need some kind of five-dimensional thing. Actually, there is an excellent Netflix, and they have built a website to go with it. It's got a list of all the different people and all the interesting concepts. As you arrive, you tell it which episode you're up to so you don't get any spoilers.
Oh, that's a cool idea. You say it's a German show.
Well, Netflix has been really pushing dubbing. They're trying to make that come back again. So I've been watching it dubbed, but also subtitled, which is part of the fun, because I've no idea why they do this, but they have different writers, I guess, doing the dubbed part and the subtitled part. So you're watching and somebody might walk in and go, "Fuck you, motherfucker." And the subtitle says, "You're not very nice." But yes, the website is actually probably vital, especially if it's been a while since you saw season two, because there's so many faces. Each character has at least three different faces and some of them are played by different people obviously because the child and the grandpa are the same person. I think pretty much every episode ends with a little montage scene where you see all the different characters that have been in the episode and then it merges into a face of what they were in a different period and stuff.
So this is for people that have a lot of time on their hands, enjoy complicated plot structures, and teen thriller type things. And time travel shows.
It's not a lot of time. With three series. Yes. Well, yes. What? Well, three series, 24 hours? Well, because otherwise you, if you leave it a few days and you come back to it, you're suddenly scratching your head going, "Who's that guy again? Is that the granddad of that guy or is that the same guy just a bit older?"
John, is your home life okay? Just checking.
Just watch it all at once and it's much easier to remember.
Or use the online obsession wall which is very useful.
Fascinating. So that's the Netflix series Dark and the latest third series has just come out.
Yes, fantastic.
Carole, what's your pick of the week?
Okay, mine's an article and it all involves Sherlock Holmes, and I think, John, you mentioned before that you're an avid fan.
I do love a bit of Sherlock Holmes. Right, right, right.
So I partly chose this article because I knew you were coming on the show. So let me just set the scene. Oh, this is bullshit, isn't it? It's ridiculous.
Anyway, so I just think it's a great story. It's written quite cutely, from The Verge, by Adi Robertson. I will put a link in the show notes and you should enjoy it. I think it's going to be fun.
And also, I've just opened the article. So the actor playing Enola Holmes was Eleven from Stranger Things, another spooky teen sci-fi. There you go. Check it out. And you know, greedy estates.
Well, on that ridiculous note, I think we've just about wrapped up the show for this week. John, I'm sure lots of our listeners would love to follow you online. Unfortunately, they're not allowed. You don't really exist online, do you, John?
I try not to. Right, OK.
See, you're so secure. John, you should start your own blog, explaining how people can unplug and be cool.
You know, I do have things plugged in. I don't like to shout about it.
Well, you can follow us on Twitter at smashinsecurity. No G, Twitter wouldn't let us have a G. And you can also join us on our subreddit up on Reddit, just look for smashinsecurity. And don't forget, if you want to be sure never to miss another episode, subscribe in your favourite podcast app, such as Spotify, Apple Podcasts or Pocket Casts.
And huge thank yous as always from us for listening, for supporting us, for sharing our content, for liking it. It means the world to us. Also, thank you to this week's Smashing Security sponsors, Authenticate and LastPass. Their support helps us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details and information on how to get in touch with us. Until next time, cheerio. Bye-bye. Bye-bye. Bye-bye. Bye-bye. Psst! Did you notice that we opened the show thanking a few of our wonderful Patreon supporters? From this show forward, we plan to thank each and every one of you that support us. It's just another way for us to say you humans really make a difference, and we salute you. Listen out for your Patreon name. Oh, and if you aren't yet a supporter and want to join the Smashing Security community, visit smashingsecurity.com/Patreon. And thank you. From the bottom of my heart. Not Graham's, because we're not sure he has one, right?


They should have used Linux :p
If you pay out, more will come because they see you as easy pickings.
I am still seeing clients who have substantial Server 2003 footprint. At some point you have to ask whether these orgs are actually taking security seriously. A modern OS with modern antimalware and a cyber recovery solution for the most critical systems would seem to be the minimum any competent organisation should be implementing.
Living proof that crime does pay. What does this say about all those ideals you learned during childhood?