Rogue IT security worker who impersonated ransomware gang is sentenced to jail

A British IT worker who exploited a ransomware attack against the company he worked for, in an attempt to extort money from them for himself, has been sentenced to jail for three years and seven months.

As I previously described on the “Smashing Security” podcast, gene and cell therapy firm Oxford Biomedica suffered a ransomware attack in February 2018.

A hacker accessed Oxford Biomedica’s systems and stole information, and senior members of the company received a ransom demand from the hacker.

Nothing unusual about that.

Oxford Biomedica tasked its IT team with working alongside the police to investigate the attack, determine how it had occurred, and try to plug any remaining security holes to prevent future breaches.

Again, so far so normal.

But what was decidedly unusual was that one of the staff assigned to investigate the ransomware attack decided to exploit the situation, and trick his employer into paying the ransom money to him instead of to the genuine hackers.

Ashley Liles accessed the email account of an Oxford Biomedica board member, and changed the original ransom demand to direct that the money should be paid to a Bitcoin wallet under his own control, rather than that of the hackers.

This meant that if the company did ultimately decide to pay the ransom, it would end up with Liles rather than the (presumably less than happy) hackers who had initiated the attack.

Liles also created an almost identical email address to that used by the original hacker, and began emailing his employer to pressurise them to pay a ransom worth £300,000.

As part of their investigation, specialist officers from the UK’s SEROCU (the South East Regional Organised Crime Unit’s Cyber Crime Unit) identified that someone had been accessing the board member’s email, and then traced the access back to Liles’s home address.

Yup, it seems that this particular IT security analyst did not properly cover his tracks.

A subsequent search of Liles’s home uncovered computer equipment, a phone, and a USB stick. Despite Liles’s attempts to wipe incriminating data from his devices, digital forensic analysts were able to recover enough evidence to prove his involvement in the extortion.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.

Carole Theriault

And he's probably in the meetings going, look, I really think you should probably pay it. I'm just thinking, you know, it makes sense, right? They'll go away. I won't make it public. Yeah, hush, hush. Tell no one.

Zoe Rose

Shh.

Unknown

Smashing Security, episode 323, Botched Bitcoin Blackmail, I Spoof, and Meta's Billion Dollar Data Bundle with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 323. My name's Graham Cluley.

Carole Theriault

And I'm Carole Theriault.

Graham Cluley

And Carole, who have we got in the hot seat this week joining us?

Carole Theriault

We have Zoe Rose of the Imposter Syndrome Network podcast. Hi, Zoe.

Graham Cluley

Hey. Welcome back, Zoe.

Zoe Rose

Yeah, it's lovely to be back.

Carole Theriault

Yeah, it's been a while. It's been a minute. It's been a minute.

Zoe Rose

A minute.

Carole Theriault

Yeah, I like that expression a lot. It's saying, "I haven't talked to you in ages." Oh, is it?

Graham Cluley

Oh, I see. Yeah. Fair enough. You could just say, "It's been an age." It's been an age.

Carole Theriault

I could say that too.

Zoe Rose

It's been a while.

Carole Theriault

Tell us about your podcast.

Zoe Rose

Yeah, well, I co-host it, so more credit to my co-host because he probably does a lot more than I do.

Graham Cluley

It is important to give credits to your co-host, isn't it?

Zoe Rose

Isn't it?

Graham Cluley

That's what I've been told.

Carole Theriault

I've heard that. I've heard that. Heard that.

Graham Cluley

Imposter Syndrome Network. What is it all about?

Zoe Rose

Yeah, well, it's basically we're interviewing extremely successful people and talking about their journeys, their careers. It's technical careers. So it's anybody from security to engineering to, I don't know, anything you really want to do. Developers as well. And yeah, we're just talking about why the bloody hell they're there, what they're doing, and how they got there. And it's been really interesting because some really good advice has been shared about how to overcome not just feeling like an imposter, but also overcoming mistakes. Because that's probably been a huge part of my career, is I've made slight errors that have been massive.

Carole Theriault

Who hasn't though?

Zoe Rose

Well, it's the best way to learn, from my opinion.

Carole Theriault

Yeah, of course. If you've lived long enough, you haven't fallen flat on your face at least once. What's going on? What kind of shoes are you wearing?

Graham Cluley

I think the thing is a lot of us, though, we look around us and we think, "Oh, those people aren't as idiotic as I am." But they are, and that's the best part.

Carole Theriault

Yeah. I'm not sure there's many people that are more idiotic than Graham. I'm not sure.

Zoe Rose

Well, okay. Degrees, degrees. But it's awesome because it's we'll interview somebody, and the entire time I've just sat there, "Bloody hell, you're so amazing." And then they're talking about all these simple things that they've done wrong, and I'm just, how is that possible? You're just so perfect. It's just really cool.

Graham Cluley

Well, listeners, go and check out the Imposter Syndrome Network podcast to hear more from Zoe and her co-host and her guests.

Zoe Rose

Yes.

Carole Theriault

And let's get this podcast on the road. Before we kick off, let's thank this week's wonderful sponsors, Bitwarden, Kolide, and Centripetal. Their support helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?

Graham Cluley

I'm going to be talking about a bizarre bitcoin blackmail plot.

Carole Theriault

Oh, nice alliteration. What about you, Zoe?

Zoe Rose

I'm talking about Meta's exceptionally large fine for failing to follow GDPR.

Carole Theriault

And I'm going to talk about why you can't trust caller ID. All this and much more coming up on this episode of Smashing Security.

Graham Cluley

Now chums, I want to take you back to February 2018. That's where my story is going to begin. And it begins in the offices of an Oxford company, Carole. Oxford Biomedica, just down the road from you. Very swanky building, lots of glass. It's near your neck of the woods, Carole. If you know where Lidl is, near the big Tesco's.

Carole Theriault

I do know where Lidl is.

Graham Cluley

Right, opposite Kennington Flooring. If you go down there— Oh, you know them as well? All right.

Carole Theriault

They did our floors. Oh! There you go.

Graham Cluley

Oxford Biomedica. They are a gene and cell therapy firm. They worked on Parkinson's disease, they partnered with Microsoft to use their AI and machine learning to work on treatments for a large number of sicknesses, and perhaps most famously, they manufactured a vaccine for COVID-19. Oxford Biomedica.

Carole Theriault

That's right.

Graham Cluley

And, well, way back, 27th of February 2018, actually, they suffered a cyber attack. What happened was a hacker accessed their systems and senior members of the company received a ransom demand from the attacker.

Carole Theriault

Right.

Graham Cluley

Nothing that unusual, really. Kind of thing that happens all the time, right, Zoe?

Zoe Rose

Well, it happens more than you hear about, to be fair.

Graham Cluley

Yes, exactly. Yeah, right. So, as far as I've been able to work out, Oxford Biomedica never went public about this particular attack. I did search, and it doesn't look like they ever actually admitted it. But anyway, it's now come out into the open because of the story I'm about to tell you. So a hacker accessed their systems, senior members of the company received the ransom demand, and what do the bosses at the company do? What do you do when you receive a ransom demand?

Carole Theriault

Pay them and get them to go away.

Graham Cluley

Exactly.

Zoe Rose

Shh, shh, shh.

Graham Cluley

Here you are, here's the money.

Zoe Rose

What's this here?

Graham Cluley

Clear off, clear off, why don't you?

Zoe Rose

I mean, that's better than pretending it was a security researcher for a bug bounty, isn't it?

Graham Cluley

Oh yeah, yeah, exactly. Don't take the Uber route. Yeah, exactly. Don't do that. Well, what they decided to do was they brought in the IT boffins. So they have people obviously inside their company, IT experts, and they said, look, we've received this email, slightly worrying. Have we been hacked? What should we do? And so they brought in the geeks inside the company, which included a 23-year-old IT security analyst called Ashley Liles.

Carole Theriault

Okay, security analyst.

Graham Cluley

Yeah. Yeah.

Carole Theriault

Okay.

Graham Cluley

And Ashley and his— I guess it just means he worked on the IT security team, you know?

Carole Theriault

Right, right, right.

Graham Cluley

And it's one of those sort of, you know, names, isn't it? Ashley and his colleagues, they worked alongside the police to try to mitigate the incident, find out what was going on. Because obviously there was the threat that maybe a hacker had broken in, stolen sensitive information, maybe planning to leak it. They were obviously demanding money as well from the company.

Carole Theriault

And they did this on the QT. Right? Is this Ashley guy was under NDA to do it on the hush-hush?

Graham Cluley

Well, Ashley's just one of the employees. It's like any—

Carole Theriault

Oh, right, right. Sorry, sorry, sorry. I thought he was a consultant brought in.

Graham Cluley

Oh, no, no, no. He's working for Oxford Biomedica. He's on the staff.

Zoe Rose

I feel like I know where this story is going.

Graham Cluley

Right. So—

Zoe Rose

Because, yeah, I'm excited.

Carole Theriault

I feel for Ashley right now, I think.

Graham Cluley

You think?

Zoe Rose

I don't think so. I feel you're uncovering a—

Carole Theriault

I'm going to believe in them until proven... Okay, quite right, Zoe.

Graham Cluley

Thank you. Quite right. I your attitude. Zoe, you're just so cynical.

Zoe Rose

Anyway. But it's an interesting story, and interesting stories always have a not-so-ethical situation. So I feel I know where it's going.

Graham Cluley

Alright, alright, come on, just calm down.

Zoe Rose

I'm excited though, I'm excited.

Graham Cluley

Can everyone just calm down? Calm down, right? I'm telling you the story. Here we go. Right, so Ashley and his colleagues are looking into the incident. They've got the blackmail email, they've got the communications which are going on. They're trying to work out, have we been compromised? Has any data been taken? They're working alongside the police. The thing is, Ashley's company, Oxford Biomedica, and his colleagues and the cops didn't know that Ashley had plans of his own.

Carole Theriault

Oh, you darn it. It's not to give it to charity, right?

Zoe Rose

The giveaway was that they were actually named. Because you're saying Ashley and Connie.

Graham Cluley

Yes, the fact that I'd named an individual.

Carole Theriault

You're so clever, Zoe. Yes.

Zoe Rose

No, I'm just a

Carole Theriault

Special guest star.

Graham Cluley

Now, you're probably thinking, oh, Ashley. Must have been the guy behind the attack. He must be the one who hacked.

Zoe Rose

little bit suspicious.

Graham Cluley

He must have been the one who sent the ransom note. No, no, no, he didn't. He was just a regular IT security guy at a company which happened to get hacked, which happened to receive a ransom demand.

Carole Theriault

Okay.

Graham Cluley

But, but what he did was he accessed the private email account of a board member at Oxford Biomedica, the one who'd received the ransom demand from the hacker.

Carole Theriault

Yeah, post, post post-ransom demand, post-ransomware. Right. Okay.

Graham Cluley

It was the typical kind of ransom email, right? Which just says, pay us or you're toast. Just pay X hundred thousand pounds worth of bitcoin into this cryptocurrency wallet. And maybe you can understand why an IT guy inside your company would want to see that email, maybe want to access the member of staff's email account with their permission once or twice to see what the hacker had demanded, if there were any follow-up emails. Et cetera, et cetera. That, I think, would be understandable. That'd be understandable. But what Ashley did was he accessed the board member's email account over 300 times.

Zoe Rose

Oh no. Doesn't have a good memory.

Graham Cluley

And what's more, what's more, he took the original blackmail email stored on their email server, and he changed it. The actual ransom—

Carole Theriault

He changed the account numbers.

Graham Cluley

Yes.

Carole Theriault

The ransom demand, which included a bitcoin wallet... Can you just send it to Barclays sort code?

Zoe Rose

No, no.

Graham Cluley

He changed it so it was a different bitcoin wallet where the money had to be sent.

Zoe Rose

Invoice redirection.

Carole Theriault

I kind of admire Ashley. I do. I love the— This is going to work.

Zoe Rose

This is going to work.

Carole Theriault

Who's going to find out?

Zoe Rose

Business email compromise, you know?

Graham Cluley

You see, when I heard that he'd changed the ransom email. I thought it would change the demands. He'd say something "Please, can we eat doughnuts again in the office?" Or, "Can the toilet paper be improved in the staff loos?" Or—

Carole Theriault

"Can we not get fired if we photograph our butts on the photocopier machine?" "Don't serve fish on Fridays.

Graham Cluley

It makes the whole office stink." You could— all kinds of things you could put in the ransom demand for a bit of fun. But no, he changed the bitcoin wallet address to which the ransom should be paid.

Carole Theriault

And so he's playing the game, "Are they gonna pay it or are they not gonna pay it?" And he's probably in the meetings going, "Look, I really think you should probably pay it. I'm just thinking, you know, it makes sense, right? They'll go away." "I don't wanna make it public." "Yeah, hush, hush.

Zoe Rose

Tell no one." And also, who's gonna believe the criminal? The cybercriminal is like, "You didn't pay it." It's like, "Yeah, we did.

Graham Cluley

We have proof." Poor old criminals are gonna feel like they've been defrauded. They'll say, "Hang on, hang on a minute.

Carole Theriault

What's going—" Even while he's flying out of there. Sayonara!

Zoe Rose

That's brilliant.

Graham Cluley

So he changed the crypto wallet address. Brilliant. So he would end up with the cash if the company decided to pay him.

Zoe Rose

Brilliant. Well, I guessed that. I didn't think he would. Yeah.

Carole Theriault

I would watch this movie. I'm just saying, anyone out there who's a movie writer, this is a good one.

Graham Cluley

Furthermore, he created an almost identical email address to the one which was used by the original hacker. And he began to email his employers at Oxford Biomedica, pressurizing them to pay the money. It was just sort of applying the thumbscrews, going, "You know, your data's gonna get it." You know, that kind of thing.

Carole Theriault

Do you think people that work there that would get these emails are pretty smart and might have spotted the little, you know—

Graham Cluley

Well, no, they were leaving it with the IT security team, Carole. They wouldn't— The board member wouldn't notice. Oh, that's true.

Carole Theriault

Bring it down to IT and go, "This is weird." And go, "No, no, no, that's..." That's perfectly normal. That happens all the time, as Ashley would say.

Zoe Rose

He's having the argument with himself.

Graham Cluley

Yes. Arrives on Ashley's desk, he says, "No, this looks legit. It looks like it's from a hacker to me." Great story, Graham. So, police officers from Southeast Regional Organised Crime Unit, the cybercrime unit there, they identified that someone had been accessing the board member's email, traced the hack back to Liles's home address, presumably his IP address. Which makes me think he didn't cover his tracks properly. It's unclear whether he's using a VPN or not.

Zoe Rose

Let's be honest though, security and IT are different things. And then also, even in security, operational security and, you know— Yeah. Those are different paths. So I could understand he maybe didn't think of all of the solutions.

Carole Theriault

And it takes one time, right?

Graham Cluley

Yeah, you only have to goof once. Could've been. Anyway, the police, they grabbed his computer, laptop, and phone, and a USB stick to analyse them. Now, apparently Ashley Liles had realised the police investigation was heating up. So a few days before he was raided—

Carole Theriault

Can you imagine how he felt?

Graham Cluley

Fuck, fuck, fuck! Yeah, so he wiped all the data from his devices.

Zoe Rose

And he'd be snapping at everybody, "Shut up!" I mean, I think this guy, he's quite a genius. Yes. But do you actually feel bad for him? I know that's silly because, you know, obviously— He's 23.

Graham Cluley

He was young at the time. He was 23.

Zoe Rose

I mean, technically his brain is fully developed because that's 21, isn't it? But—

Carole Theriault

He might never have thought about doing this unless the hackers did it in the first instance and he just got on the train and thought—

Graham Cluley

Opportunistic, I think.

Zoe Rose

Yeah, opportunistic.

Carole Theriault

Exactly. That's what he should put in his CV.

Graham Cluley

So he tried to delete the data before the police get there, and he did zap the data, but apparently he didn't do it very securely. So that's his mistake number 2. It's watching an Agatha Christie. If you have a— It's not

Zoe Rose

That's another skill set as well.

Graham Cluley

Yeah, empty trash doesn't always work, right? So, yep, so he'd failed to properly wipe the data. going to be the extra who hasn't got a name.

Zoe Rose

He needs to upskill.

Graham Cluley

Yep. Put that on his CV, training required. So the cops were able to recover his data. You know, it's going to be someone with a name. Anyway, back in 2018, he denied any involvement. It's taken forever to go through the courts. He asked for £300,000 ransom. He was denying everything until this week at Reading Crown Court. He did finally plead guilty, and he is due to be sentenced. I think—

Carole Theriault

in July. I was a juror, so I would have loved this case.

Zoe Rose

I would have loved it.

Graham Cluley

Well, they could have called on you, Carole. You are local. You could have gone down there. You know, shared your expertise. This would have been awesome. If you were popping down to Lidl or Kennington Flooring, you could just pop over the road. I would love that. Zoe, what are you going to talk about this week?

Zoe Rose

My story is about Meta, and we all know that social media is not really well known for privacy practices. But Meta decided somewhere in their processes that if people signed standard contractual clauses— apparently is the term— but people signed it, the consumers of Facebook specifically— this fine is related to Facebook— then they can transfer the data from the EU to the US. And it was since the 16th of July, 2020. So at the time they had that whole agreement with transferring data between US and EU, but obviously that was recently decided that wasn't good enough. But they were still sending massive amounts of data consistently from the EU to the US because people sign those clauses and they're, it's okay.

Graham Cluley

Well, so the users are agreeing to the terms and conditions, is that what you're saying?

Zoe Rose

So essentially, yeah, you sign up to Facebook, you say, you know, you accept their policy, whatever, the terms and conditions that nobody reads, including myself. Well, no, that's not true. There are privacy people that do actually read these things.

Graham Cluley

But, you know, Carole does it for us so we don't have to.

Zoe Rose

They are excellent people. Oh, and that's why we love you.

Carole Theriault

I just look to see what they try and hide in them.

Zoe Rose

Well, this is one of the things they tried to hide, I suppose.

Carole Theriault

So, so the argument's really interesting. So basically you're saying inside the EULA or whatever privacy notice, they're saying, yeah, yeah, we transfer data to and back from the States, we've got an agreement, cool, cool. And then when you sign it, you've effectively agreed to it. And that's what they're using as their argument, essentially.

Zoe Rose

Yeah, because it's just the way that they're processing the data. So in organizations protections, you know, you send data to wherever you store your data and you process it or whatever, and it makes sense. The problem is they did the EU data in America, which you're not allowed to do without having appropriate protections. And I think the reason it was that the American agreement or whatever was declined essentially is because they didn't have appropriate protections protecting European data from, what was the term they used, the spy agencies or something?

Carole Theriault

He's Dexter, man.

Graham Cluley

Oh, the intelligence agencies. Yeah, intelligence.

Zoe Rose

Yeah, that's why it was declined or whatever. But the thing is, because they did this on a consistent process and it's essentially all the data, like it's a massive amount of data, they are being issued with, or they've been issued with, the largest GDPR fine ever. How much is it? €1.2 billion.

Carole Theriault

He's on both sides.

Graham Cluley

It's a lot of money. It's a lot of money.

Zoe Rose

I mean, let's be honest, how likely are they actually going to pay that amount? I don't know.

Graham Cluley

This does feel like a good opportunity to have an enormous party. We should stop the podcast right now just because the thought of Facebook possibly having to pay over $1 billion is rather wonderful, isn't it?

Zoe Rose

But let's look at that, though. I looked at another article, and it says May— the 25th of May will be the 5th anniversary of GDPR, blah, blah, blah. Privacy Affairs has tracked the fines. And all 1,701 of them for a grand total of over $4 billion American. Meta accounts for 50% of all GDPR fines. Wow, 50%. Yeah, they are keeping EU running.

Graham Cluley

Well, the GDPR fines, as I recall, it can be based upon how much money your company makes, can't it?

Carole Theriault

I think it's like— okay, I don't— don't

Zoe Rose

I think that sounds right. I believe— I could be wrong, but I believe they chose to do the full amount that they can actually owe. And I feel like this probably has something to do with the fact that they've been fined multiple times. So I think they've just been like, bloody hell, like, I'm done, I'm done, just bloody pay us, because we're, you know. But here's the other part that I found really interesting. It wasn't just that they have to pay a fine. It's also that they have to become compliant. So it says, so actually, if you follow Privacy Matters on Twitter, he's a lovely man, and he clarifies a lot of privacy issues and concerns and news. I found him so interesting. But so he's highlighted on his Twitter the three demands, essentially.

Carole Theriault

quote me. I think it's 4% of the

Zoe Rose

The require Meta Ireland to suspend any future transfers of personal data to the US within a period of 5 months. That might sound long, that is not long. I remember when we had a year to prepare for GDPR and there were people, there were organizations that were like, within this year we won't even know if we're able to be compliant. But they've got to do this in 5 months and then they've got that €1.2 billion fine, which is quite exceptional. And then also they have to bring its processing operations into compliance with Chapter 5 of the GDPR by ceasing any unlawful processing, including storage in the US, personal data of EU/EEA users within 6 months.

Carole Theriault

annual turnover. I think you're right.

Zoe Rose

So in the next 5 to 6 months, they have to have a massive digital transformation. They also have to pay an exceptional fee. But here's the thing, Graham, that I don't understand is we had these conversations when GDPR was coming out. And there was so many discussions about, oh, where is our data centers? Do we have them, you know, not just do we have them in different locations for resilience, but also so do we have EU-specific, you know, when we go to get contracts with third parties, do they keep their data in the EU? This is not new.

Zoe Rose

That is the shortest documentary I've ever heard of.

Graham Cluley

It's a micro-documentary. And why not? I think, you know, we're all busy. If that contains the whole story, then it's wonderful. The documentary is called John Was Trying to Contact Aliens. This is a documentary on Netflix about an electronics whiz called John Sheppard. And he spent 30 years of his life all on his own, not really making any friends, poor chap, trying to find extraterrestrial life from his cottage in rural Michigan.

Zoe Rose

I mean, he was trying to make friends, alien friends.

Carole Theriault

How much did you spend, Zoe?

Carole Theriault

Exactly. Not something I'm good at.

Carole Theriault

But you know what, I'm just looking here, apparently in 2022, Facebook's ad revenues hit $135.9 billion.

Graham Cluley

It's still a hefty fine though. It's a hefty fine. And it's all the upheaval caused by trying to fix this, to try and become compliant.

Zoe Rose

It's going to be a more and more business process, right? And they have to change their entire business process, which as we know is very difficult to do, especially at that scale.

Carole Theriault

It's not like they haven't had years of warning that this might come.

Zoe Rose

No, no, no. This is why when they changed their name to Meta, I thought it was absolutely hilarious because when I think of Meta, I think of metadata, which is like, hey, we've got all your data. I think they claimed it was beyond, beyond social data. But I was like, no, no, no, it's the data, but whatever. But I think the other interesting thing is, not only is this a scary big thing that's going to happen for them, but also, is this setting a precedent? Are other organizations going to be less likely to want to transfer— do you want to deal with EU data, or are they going to be more cautious? Hopefully, because the risk of misalignment is quite an exceptional fine.

Graham Cluley

I also wonder whether— I mean, a company like Facebook will have employees all based around the world, helping their users in different areas and working on the data. And maybe we're going to begin to see more silos of people dotted around different parts of the world rather than just in one single place. So the data doesn't have to be moved to that part of the world in order to do some work. No, no, that's true. But they're Facebook, they probably think they're above the law. It's just embarrassing.

Carole Theriault

Yeah, and how much money did they make by not following the law for the last 4 years?

Zoe Rose

And how many situations have they caused? How many political, how many not so ethical situations have been associated with Facebook in general? It's almost like a, well, is it really financially worth it to care?

Carole Theriault

Zoe, are you saying we shouldn't trust Facebook?

Graham Cluley

What? Seriously? Come on. What the hell's going on? And now a word from our sponsors, Facebook. Do apologise about Zoe.

Zoe Rose

We're not having her back.

Graham Cluley

Carole, what have you got for us this week?

Carole Theriault

Well, I just wanted to talk about life as a hacker, because it can't be easy, right? The poor little sausages. Stressful. You gotta lie and cheat. You gotta love up lonely grannies. You know, you have to dupe staff members into giving you credentials, and all the time you can't tell anybody. You got to stay on the down low. You never reveal, haha, I'm the one who did this. And it's got to be difficult. I mean, Graham, I bet even if you empty the dishwasher, I'm sure if someone's around you'd be, I just want you to know I emptied the dishwasher, because you would want to get the points. You wouldn't want, you know, them to think someone else had emptied the dishwasher.

Graham Cluley

I did turn on the dishwasher earlier today. I just want to tell everyone that.

Carole Theriault

Did you tell anyone?

Graham Cluley

No, there was no one else here to tell.

Carole Theriault

I'm telling you, I'm telling all the listeners, but your typical hacker, they can't go around showing off, right? They have to stay schtum because if the information gets into the wrong hands, they gotta say sayonara to their big fat bank accounts, their big houses, their yachts, golden slippers.

Zoe Rose

I mean, how many malicious actors were caught because they were bragging?

Carole Theriault

So, but there must be many, many that are smarter than that and stay schtum. So if anonymity is key, you might be tempted by a service that claims to guarantee that for you, ensuring that if the authorities got wind of a cyber heist, they would have no idea who was behind the crime.

Graham Cluley

A privacy service for the hackers.

Carole Theriault

Excellent. And this is how sites like iSpoof.cc fill a very necessary business gap. Now we spoke about iSpoof.cc in our 300th episode, but I wanted to revisit the story because there's been some very interesting news that broke only this week. So to recap, this is an underground website created in 2020 that sold spoofing services to ne'er-do-wells, people that want to pretend they're someone else. And the business model was very simple. For a handsome fee, iSpoof would allow its users to display a false caller ID, one that matched the services they are pretending to be, which were normally banks. So were you to get one of these calls, they say they were from your bank saying that maybe there was suspicious activity on your account, and you wisely would look at the caller ID number and say, oh my God, that is correct, that is my bank. You'd be inclined to think the call is legitimate and provide any information they requested, right?

Graham Cluley

If it's a spoofed number, if my phone tells me it's you calling, Carole, then I expect to hear your voice at the other end. You'll go, "What up, asshole?" Well, yeah, well, that's how I would tell it was you rather than someone pretending to be you.

Carole Theriault

No, no, I was saying that's what you would answer.

Graham Cluley

Oh, I see. Oh, yes. That's right. And I don't want to upset a fraudster who's pretending to be you. So— But anyway, yes, you're absolutely right. If you spoof someone's phone number, then it's a large part of the social engineering you've already got.

Zoe Rose

I think it's important to note that it's actually not difficult to do. So if you do trust by default, for people that aren't aware, don't do that. I was going to say something witty, but I couldn't.

Carole Theriault

Yeah, but it's one of those things though that somehow, even though you know that, it does give the caller a sense of authority.

Zoe Rose

It's just showing up with a business card. You know, I might have printed it at home with my fancy printer, but it doesn't actually mean anything.

Carole Theriault

Now, iSpoof, what made them particularly successful is they didn't just focus on a single geography. This operation was global, baby. At its peak, it had almost 60,000 users who paid up to 5 grand a month in bitcoin to access software.

Zoe Rose

Could you imagine how much they made though if they're paying that much a month?

Carole Theriault

It's incredible. iSpoof was reportedly used to make 10 million fraudulent calls worldwide. 40% were in the US and 35% in the UK. And at one point they say as many as 20 people every minute were being targeted by callers using technology bought from the iSpoof website. So big deal, right? And they say that the iSpoof service is said to have helped fraudsters nab around $100 million from victims all around the world. Now, in 2021 and 2022, it was part of an investigation by numerous law enforcement agencies. We talked about this bit in episode 300, so you can go listen to that. It was shut down in November 2022 as a result of Operation Elaborate. That was the name. And this was a multi-agency investigation. So you had the Met, the Netherlands police, Europol, and Eurojust. But what happened to iSpoof.cc ringleader TJ Fletcher, right? Because he got arrested as part of this.

Graham Cluley

Not TJ Hooker. TJ Fletcher. TJ Fletcher. Okay, it wasn't— it wasn't Shatner. It wasn't William Shatner who was behind this.

Carole Theriault

No, no, it wasn't Shatner. But he was found guilty for running this complex banking scam in the UK courts. And just a few days ago, he was sentenced to 13 years in the clink. Interesting.

Zoe Rose

That doesn't sound very long.

Carole Theriault

No, see, I thought it seemed like a long time in the UK.

Zoe Rose

Okay. Yeah, that does seem long for the UK. Yeah.

Carole Theriault

And what makes this case kind of, well, makes it completely unusual for me is that—

Graham Cluley

Can I guess? Can I guess what the unusual thing is? Yes. Was he also hit by a GDPR fine? 'Cause I'm thinking if they have that many customers with that many accounts and that much money sloshing around, they must have been accessing European— And it's global. Exactly. I'm thinking, let's stop imprisoning people for the scams. Let's just get them for GDPR. It's the old Al Capone thing, isn't it? Where they got him for tax evasion. Love it.

Zoe Rose

Love it.

Carole Theriault

I was just thinking, wow, you made a GDPR joke. That's amazing.

Zoe Rose

Let's call the Irish commissioner, get them on the phone. Yeah, why not?

Graham Cluley

Sorry, Carole, carry on. Tell me more about TJ Fletcher.

Carole Theriault

But what makes it kind of unusual though is that the thousands who lost money through all these sophisticated scams, right, were not direct victims of Fletcher or his junior partners, but he did create the opportunity.

Graham Cluley

Exactly. Oh, but so I manufactured a hammer, Zoe, and other people chose to take the hammer and smash people's windows. Are you going to imprison me?

Zoe Rose

That's— to me, that's a little bit different though, because you're not advertising your hammer as effective murdering devices.

Graham Cluley

No, no, not necessarily, but it could be a device for maybe, you know, if you wanted to bruise a pineapple or something like that, then it would be— or if you wanted to crack a coconut in half. There's all kinds of ways of presenting it.

Zoe Rose

I suppose that's true. It is a slippery slope. You do make a good point, because it is a slippery slope. VPN.

Graham Cluley

iSpoof could be advertised as a practical joke service where you call up people claiming to be their auntie. Or training. Yes.

Carole Theriault

Yeah, if they just had an emoji in the corner with laughing emoji, that's their icon.

Zoe Rose

Yeah. Or it could also be, you know, privacy. You don't want people to know who you are or what your number is.

Graham Cluley

Yes, that's also possible, yes. I would be prepared to pay £5,000 worth of bitcoin a month for such practical joke facility.

Carole Theriault

The prosecution described the business up. They were effectively luring criminals into the service, is what they were accused of.

Zoe Rose

They were manipulating criminals to be criminals.

Graham Cluley

Naughty. So it was really the copywriters that iSpoof hired who wrote the content for the web pages. It's not this poor TJ Fletcher guy who was just too busy running his site and didn't realize what the bloody marketing people had written on some of the web pages. I should have been on his defense team. Oh really? I could have got him off this.

Zoe Rose

Objection, Your Honor. I mean, you do make a slightly interesting point though, because— slightly interesting, slightly interesting. I didn't say overly. But with the skill set that I have to develop in my career, funnily run into situations where people are like, I don't trust you because you're a hacker. And I'm like, no, not really. And they're like, no, no, you're gonna hack me. And I was like, why would I hack you? You know, such a weird thing. But also, but that's a valid point. I mean, if I create a solution that's very privacy-focused, does that mean I'm enabling hackers?

Graham Cluley

Yeah, you see, you see? It's deep.

Carole Theriault

That's deep, Zoe.

Graham Cluley

It's not appropriate for this podcast, this kind of depth of thinking. I think we've— Yes, let's move on.

Zoe Rose

Broken the show.

Carole Theriault

Smashing Security listeners, did you know that Bitwarden is the only open-source, cross-platform password manager that can be used at home, on the go, or at work. Bitwarden's password manager securely stores credentials spanning across personal and business worlds. And every Bitwarden account begins with the creation of a personal vault, which allows you to store all your personal credentials. These are unique and secure passwords for every single account you access. And it's easy to set up. It's easy to use. I honestly love Bitwarden. I use it at home, use it at work, use it on the go. Get started with a free trial of a Teams or Enterprise plan at bitwarden.com/smashing, or you can even try it for free across devices as an individual user. Check it out at bitwarden.com/smashing, and thanks to Bitwarden for sponsoring the show.

Graham Cluley

Now there's some big news from our sponsor Kolide. If you are an Okta user, they can get your entire fleet up to 100% compliant. How do they do that, you're asking yourself? Well, if a device isn't compliant, the user can't log into your cloud apps until they fixed the problem. It's that simple. Kolide patches one of the major holes in zero-trust architecture, which is device compliance. Without Kolide, IT struggles to solve basic problems like keeping everyone's OS and browser up to date. Unsecured devices are logging into your company's apps because there's nothing there to stop them. Kolide is the only device trust solution that enforces compliance as part of authentication. And it's built to work seamlessly with Okta. The moment Kolide's agent detects a problem, it alerts the user and gives them instructions on how to fix it. If they don't fix the problem within a set time, they are blocked. Kolide means fewer support tickets, less frustration, and most importantly, 100% fleet compliance. Visit kolide.com/smashing to learn more or to book a demo. That's k-o-l-i-d-e.com/smashing.

Carole Theriault

Smashing Security is also brought to you by Centripetal. Centripetal is the global leader in intelligence-powered cybersecurity. The company operationalizes the world's largest collection of threat intelligence in real time to protect your company from every cyber threat. Now available as a cloud-based deployment, Centripetal's Clean Internet service is a revolutionary approach to defending your assets from cyber threats by leveraging dynamic threat intelligence on a mass scale. The addition of AWS Clean Internet Cloud protects your enterprise, whether on-premise, remote, or in the cloud, removing the need for a more costly cybersecurity infrastructure. Learn more about Centripetal's intelligence-powered cybersecurity solutions at smashingsecurity.com/centripetal. That's C-E-N-T-R-I-P-E-T-A-L. And thanks to Centripetal for sponsoring the show.

Graham Cluley

And welcome back. Can you join us? Our favorite part of the show, the part of the show that we like to call Pick of the Week.

Zoe Rose

Pick of the Week. Pick of the Week.

Graham Cluley

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily. Better not be. Well, my pick of the week this week is not security related. I love a documentary. I love a good documentary. I'm not really interested in that drama nonsense so much. But give me a documentary, and I'll be very happily eating my popcorn. And I have been watching a documentary this week. Not for very long, because it's only 16 minutes long. It's 16 minutes long.

Carole Theriault

What a gloriously interesting title. What do you mean, poor guy? I think he probably had the Well yeah, he was trying to make— he was doing his bit. That's what he was into from a young age. He was interested in contacting extraterrestrial life. And unlike the rest of us who, I don't know, may have filled up a balloon with helium and thought maybe it will get through the atmosphere, or how about I write a really large word in the crop circle, he actually built transmitters, enormous amounts of electronic wizardry, which began to dominate his grandparents' sitting room. time of his life. You've been talking for five. It's a third through.

Graham Cluley

But it is a heartwarming, lovely documentary, which I'd recommend to everyone. It's called John Was Trying to Contact Aliens, and I really enjoyed it. And so I wanted to share it with you two and all of our gorgeous listeners today. And it is my pick of the week.

Carole Theriault

Lovely. Sounds great.

Graham Cluley

So Zoe, what's your pick of the week?

Zoe Rose

Yeah, my pick of the week is I wanted to highlight things that have helped me with insomnia. I had really severe insomnia for many, many years, exceptionally bad, where I would only sleep for two hours at a time. And then now I'm a mum and sleeping is vital but also not very readily available. So I figured, here's some ideas that I've had that have worked for me in the past. Mind you, if it is really severe, I would still recommend seeing a doctor, going to your GP. But yeah, so one of the ones that I— the most important thing for me was eye covers. And I know that sounds really silly, but—

Carole Theriault

You mean an eye mask?

Zoe Rose

Yeah, yeah, yeah, right, right. Yeah, because I've bought many and I've always found them very rubbish. And then I was feeling, I don't know, silly, I guess, and ended up spending probably more than I expected I would spend on an eye mask. It wasn't crazy, but it was like, I think the one I bought was probably just shy of €30 or £30 because I was in the UK at the time. Quite expensive, but I did add a link because I think that one wasn't quite that much. And I don't know if that's the exact model I have, but it's similar. It looks similar to the one I have.

Graham Cluley

Okay, so we're going to put a link in the show notes where people can check out your eye mask or something similar to your eye mask.

Zoe Rose

Yes, similar. And I actually noticed it made a huge, huge impact because it was also a routine. It was not just that I put the mask on and I went to sleep. That didn't happen. But I put the mask on and I didn't look at my phone because I have my mask on. And if I do that, I have to take it off. And, you know, I didn't look around the room. It made me focus, forced me to focus. It's going into those— what is it called where you reduce the senses? What is it? An isolation tank?

Carole Theriault

Sensory deprivation. Yeah. That's the word.

Zoe Rose

It's not to the extreme, obviously. You could still hear and everything, but it forced me to be in the dark. And it was this routine that when I started to get a bit tired, I put it on and it required me not to do anything because I have a very short attention span and I'm not so good at that. So it's had a huge impact in my sleeping quality, which has been great. But for people that do not like stuff on their face, which I understand. I'm very picky about materials. There's also the option of blackout curtains, and if you rent like me, you don't want to install them, and you don't really usually have the money to buy really fancy curtains anyway. And so what I found is suction cup based blackout blinds. So it's basically blackout material, but they suction cup to your window, and so you can remove them. So they're good for travel, they're good for a variety of sizes of room because you can suction them, and then they also have Velcro to reduce the size if you need to. They're not perfect, but it does make your room quite a bit darker because you put it on there and then you put your curtains that you do have over.

Carole Theriault

Yes, quite helpful. I just learned about these things because I have a friend who has a slopey roof, a window, what's it called? A Velux window. And one of their kids sleeps in that room and now the sun's out all the time, but getting a blind in that shape was super expensive. So I was just suction cups and we looked it up and there they were. So yeah, really cool. Makes such a smart idea.

Zoe Rose

Making the room darker specifically was what made a huge benefit to me. The suction cups, podcast selection was interesting.

Graham Cluley

I fall asleep listening to podcasts. If I can't sleep, I just put on a podcast. I literally will fall asleep within probably 5 minutes.

Zoe Rose

Well, I'm not a fan of you right now. I'm not saying your podcast. No, I'm just jealous.

Graham Cluley

Carole, what's your pick of the week?

Carole Theriault

Well, I'm making Netflix's Jewish Matchmaking my pick of the week. So last week I had a lot of mundane tasks to do, you know, signing stuff, putting things in bags, all kinds of— because I was doing this little art thing and I needed something that was good but not great, right?

Graham Cluley

So this is a good but not great pick of the week.

Carole Theriault

Sometimes you need that in life, you know, you need something that's kind of interesting but not fascinating.

Zoe Rose

I 100% understand. I need the background noise. Exactly, it's a background noise thing that you want to look up occasionally and kind of go, huh. And that's about it.

Graham Cluley

He also requested big assets as well, didn't he? I've watched this, Carole. When I saw that you were going to recommend this, I've actually spent this afternoon watching a couple of episodes of this in readiness for the review.

Carole Theriault

So what do you think? What do you think? Do you understand what I mean?

Graham Cluley

I know what you mean about it being casual wallpaper TV. It's not entirely gripping, and some of these people are horrendous. I liked the very first woman on it because she was looking for a man with strong eyebrows.

Carole Theriault

She was, she's, she had beautiful eyebrows. She's like, my eyebrows are beautiful, and I would like someone who has beautiful eyebrows too.

Graham Cluley

Strong eyebrows. Strong eyebrows.

Zoe Rose

Someone out there for me. I can, I can relate to her because I do not have strong eyebrows, and I actually despise my eyebrows. They're white. So I have to draw them on.

Graham Cluley

You can always get a Sharpie.

Zoe Rose

Not really, that would look kind of ridiculous. Oh, okay. But also, my daughter has white eyebrows, and I feel very guilty for passing that down to her.

Graham Cluley

You should. You totally should. Yeah, that's awful. That's totally your fault. Yeah, terrible mother.

Zoe Rose

I'm saving up for her to get as many tattooed eyebrows as she wants. That is my requirement.

Carole Theriault

Well, look, while you're pondering that, maybe you want to check out Jewish Matchmaking. It's on Netflix. Guardian gave it 3 out of 5. I think I'd agree.

Graham Cluley

Well, that just about wraps up the show for this week. Zoe, I'm sure lots of our listeners would like to follow you online and find out what you're up to. What's the best way for folks to do that?

Zoe Rose

We've got Twitter, which I'm @RoseSecOps, and then Mastodon, which I'm . You can use Morse code, smoke signals. Yeah, you could try that. I probably won't see it, but you could try.

Graham Cluley

And you can follow us on Twitter @SmashingSecurity, no G, Twitter won't allow us to have a G. And there's also a Smashing Security Mastodon account. And make sure to never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Overcast.

Carole Theriault

And huge shout out to this episode's sponsors at Kolide, Centripetal, and Bitwarden. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest bios, and the entire back catalog of more than 322 episodes, check out smashingsecurity.com.

Graham Cluley

Until next time, cheerio, bye-bye.

Carole Theriault

Bye, Rose. Sorry. Yo, Rose!

Graham Cluley

Hey, Rose, why aren't you saying goodbye to the audience? What's your problem, Rose? Cheers! Yeah, that'll do.

Zoe Rose

Okay. I'm so bad at cues.

Ashley Liles of Fleetwood, Letchworth Garden City, Hertfordshire, was sentenced yesterday at Reading Crown Court for blackmail and unauthorised access to a computer with intent to commit other offences.

It’s quite a remarkable story. Liles wasn’t connected to the initial ransomware attack; it simply happened on his watch. And then – some would say showing competing amounts of initiative and recklessness – he attempted to hijack the ransomware attack against his own employer to his own benefit.

What a dumb thing to do.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
