
Is your used car still connected to its old owner? Just how did Apple manage to identify the teenager hacker who stole 90GB of the firm’s files? And why on earth would a firm of lawyers start producing pornographic videos? You’ll be surprised by the answers!
All this and much much more is discussed in the latest edition of the award-winning “Smashing Security” podcast hosted by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Paul Ducklin.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham is not a very good driver. I do not feel safe in the car with him.
Is that because he drives badly or because he collects lots of data and forgets to wipe it?
He has a smart car that does a lot of beeping.
Yeah, but it beeps to keep me awake, doesn't it? It beeps to tell me I'm doing something dangerous.
I think Carole's point, Graham, is if it's beeping all the time and the beep symbolises that you're doing something dangerous, maybe you should try and get it to beep less. Maybe you could just cut the wire that goes to the beeping speaker thing.
Smashing Security, Episode 92: Hacky Sack Hack Hack with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 92. My name is Graham Cluley.
I'm Carole Theriault.
And we are joined this week by returning guest. He hasn't been with us for a while. It's Paul Ducklin from Sophos. Hello, Paul.
Hello, chaps.
Thanks for coming on the show, Duck.
It's a great pleasure. I don't know what would have happened if I'd refused. I might never have heard the end of it. But not that I was inclined to refuse.
Talking of offers you can't refuse, he says in a segue, I think we should tell our listeners about our brand new, revamped, refurbished, generally spruced up online store.
We have a new store and the prices are cheaper because we have been able to do them at cost.
So basically we get none of the money, none of the proceeds, and you guys get beautiful t-shirts for cheaper.
And mugs.
And mugs and stickers. And this particular store, the name of the store is?
Well, it's at the same URL, smashingsecurity.com/store. And that will take you to our store on Redbubble.
That's buying a new used car, is it?
But one of the nice things about it is that even though we're not taking a cut at all, everything is super cheap because they're actually delivering it closer to you as well. So whether you're in Canada or America or Europe—
It's not they had to go pick them up in Mexico.
No, they didn't have to do that. But there could sometimes be expensive shipping costs. So we've got rid of that and it's a whole load cooler.
New and refurbished. Graham, I heard a secret story that there is an option on your store, not just for t-shirts, but for leggings. But you haven't ticked the allow leggings button yet because you're afraid. Is that true?
Well, tell you what, if people want Smashing Security leggings, we need their feedback.
Yeah, they would be very, very delicious, wouldn't they? Yellow and orange with a coffee cup across your calf. That would be sexy. Hey, Graham.
Hey, Carole.
I have a question for you about these password manager things you keep talking about.
Alright, go on then, shoot.
What happens if you forget your master password? What are you going to do about that?
Oh, you think you're really clever, don't you?
Yeah.
You think if you've forgotten your master password, you can't access any of your other passwords anymore. Well, piff, paff, poof, Carole, because if you're running LastPass Enterprise, you can integrate your password manager with Microsoft Active Directory. And that means the same password that your employees are already comfortable with using to log into your system will unlock everything. It will unlock their passwords, it will unlock their work, makes it super easy to bring LastPass into your enterprise.
Seriously? And it's still super safe?
It's still super safe. Wow!
That's kind of cool.
It's a great way of getting new employees using passwords safer and more securely.
Rock on LastPass, I say!
And Carole, if you, or indeed our listeners, want to try it for themselves, all they need to do is go to lastpass.com/smashingsecurity. So I think we all know that when we get rid of a computer, a computer hard drive, a smartphone, a USB stick, something like that, the smart thing to do is to make sure that it's been properly wiped, and that there's no way anyone can access any of the personal data or data on other people which might once have been stored on that device, right?
Are you going to explain what that means, properly wiped? Because a lot of people have different understandings of what that means. It's not just pressing delete.
Well, yeah, it depends on what the device is. So on an old-fashioned hard drive, for instance, you may want to overwrite a file and data multiple times with random characters to make sure that it can't be recovered even by data recovery. Things are a little different with SSDs, but one of the recommendations I would make is that you probably should use full disk encryption, which many devices do come with an option to do that these days, which means that effectively, if nobody knows your password, they can't access it anyway. Most of the contents of the drive is encrypted anyway.
Yeah, the great thing about using full disk encryption in respect of disk wiping, which is why Apple iPhones do it even if you don't put a passcode on, your disk is still— the data's encrypted before it's written and decrypted when it's read back— is it means that to wipe the whole device, you only need to wipe the key material,
Yeah.
and it's much more likely that you can guarantee that that happened. It also means if you trigger a wipe, then you know within the first few seconds you've almost certainly nobbled the key, and you don't have to sit there for an hour thinking, golly, I wonder if the crook's noticed and has frozen it in time and half the disk is not wiped yet. So full disk encryption does make it much more likely that you're able, A, to wipe it in the first place, and B, you wipe the whole device by wiping just a tiny bit of it, destroying the key.
So I think we're agreed that's a sensible idea and that's what we'd recommend people do. You know, there've been thousands of reports over the years of organizations, individuals who've been embarrassed or had their identity stolen, or sometimes data breaches occurred because there hasn't been proper disposal of computer equipment or the data hasn't been properly overwritten and wiped. But what about the most expensive computer in your possession? Carole, what's the most expensive computer you own?
An Apple MacBook.
Is it?
Is it?
Is it? Or is it actually your car? Yeah, see, trick question.
Oh, I don't know, my car, well, I don't know, my car is pretty old. I've got a nice car, but it's an old car.
I bet it's got a computer in it. It may, your car, I'm thinking of your car. Your car may not be a connected car. So you, I don't think. It's not. Right. So you can't connect it to the cloud.
It's got lots of computers on it.
Yes, but it's got computers in it, hasn't it? And I think we so easily forget about these things. You know, I didn't give you this question because I think you don't have a car, do you Paul? You just cycle everywhere.
I do not have a car. I do have a bicycle. The nice thing about not having a car is you can actually afford a lot of bicycles. Well, more than one.
Depends how expensive those bikes are.
But I would say these days, modern cars are the ultimate IoT-enabled mobile device.
Okay.
And by the end of 2017, there are estimated to be around about 9 million internet-connected cars on just British roads alone.
Really? That's like 1 in 3 cars or something. How many cars are even here?
Well, I don't know. I haven't been counting, Carole. You don't think I do research for this sort of thing?
I think it's like 30 million, isn't it? It's a lot.
Yeah, it's going to be a lot, but it's going to be very difficult these days, I think, to buy a new car which doesn't have an app or doesn't somehow connect or speak back to the mothership. Oh, I'm sure you could buy one or two that don't have it. Well, there may be some, but I think many of the major brands, you can't do that. Now, when you get rid of a car, when you decide to get a new car, you don't crush your old car normally, unless it's in a particularly bad way.
A real banger.
Yeah, exactly. What you do is you sell it to a dealer or to some stranger via the classifieds. And after you've handed over your MOT certificate and the logbook—
This is in the UK.
Yeah.
People don't even know what an MOT is in the real world.
Well, you don't, right? But you know, some sort of warranty that the thing goes and you've handed over the keys. But increasingly, it's not as simple as that, because there are now many connected cars being sold, and they allow owners to interact with their motorcars via an app, even when they're far away. So you could set the climate— Turn left!
Turn left! I know I'm not driving you, but I don't care!
It's not quite— it's not normally with most of these cars, you don't have that much power necessarily, but you could maybe set the climate control, or if it's a cold day, you could start the engine up, or you could send it an address to go to the sat nav.
But how far would that work? Like 10 meters? Oh no. It would be a near-physical.
It's via the cloud.
It could grow its spider webs.
So they're doing it like an app, like an internet-enabled app that they have for this.
Yes.
Ah, going for the internet or the World Wide Web, as I've heard it said. Yes.
So you may even be able to find its physical location. You may even be able to unlock its doors remotely as well.
Oh, dear lordy lordy. Okay.
And I know we've had past guests on this show who are big fans of these sort of cars and love the idea of warming up their car in the morning. Hello, Scott Helme. And unlocking the door so they can make a swift entry like they're from the Dukes of Hazzard or something. Actually, they didn't open the door, did they? So I think you can see where the problem begins to come from here, right? These apps allow people to potentially locate and unlock these cars.
It also means there could be either in the cloud of the vehicle manufacturer, an awful lot of historical data that's tied to the car, not to you, about where you've been and what you've done. Well, there could be stuff even in your key. I mean, the key is just an electronic device, isn't it? Like a mini smartphone. And stuff that's stored in the car that you didn't even know was there.
Hold that thought, Duck, because my concern is about previous owners, because quite often we are hearing that previous owners can track their sold car's location without the new owner's knowledge. So the new owner may be completely oblivious to the unauthorized access to their car's locks and its location, leading to obvious dangers. And there's an article all about this on The Register, which really demonstrates the indifference shown by some car manufacturers to this problem.
Can I make a guess as to how come this is happening?
Please do.
Could this be because the new owners haven't yet registered or downloaded the app and started using the app? So as far as the app is concerned, it is still connected to the previous owner.
Well, that is certainly true in the case of BMWs. So BMW—
Very beautiful car.
Okay. With BMW, what you can do is if you have one of these cars, if you are the new owner and you connect, it basically boots off the old owner.
Okay. But the old owner is there until the new owner boots them off.
Unless the old owner chose to detach themselves from the new car. And frankly, when you sell a car, you're probably not thinking about, you know, oh, I need to wipe the car and reset it as you would with a computer.
Yeah, in the old days you just think, oh, I must get all the garbage and maybe some old letters out of the glove box.
Yeah.
And I need to vacuum the boot because I don't know what fell down behind the spare tyre. But now you have to wonder about what's in the box under the seat.
So one of the Register's readers told them that for 6 months after he had sold his BMW, he was still able to unlock and lock the vehicle, flash its lights, start the ventilation, and see where the car was parked.
Well, that's nice. So he terrorised the new owner.
No, it's not that he was— it's not that, Carole, it's not as though he actually did it. It was just that he had the ability because—
Well, how did he know without testing it?
Well, because it's— well, I don't know. He may have just, you know, wandered past and flashed the lights. You're right, Carole. Or viewed the location. He may have just viewed the location and said, oh, it's moved.
Or if you know the new owner and you're sort of reasonably friendly with them, or it's a dealer, you might—
Of course you knock on the door.
Well, or at least call them up and say, hey, hang on.
Yeah. Or go outside.
The new owner would be more worried than the old owner, wouldn't you? Although it affects both of you.
So as we've discussed with BMW, it's not as much of a problem because the new owner can connect their app. But what if that new owner isn't very tech savvy? What if, Carole, the last thing they would ever want to do is connect an app to their car? They won't do it. And yet someone else still has that control over them. Now, things are even worse for Land Rover owners. They are unable to evict the previous owners from accessing their car. You have to go to a dealer in order to evict them. So you can imagine how many Land Rovers and Range Rovers may be out there, which still have people unauthorized, able to access the vehicle and potentially open its doors, mess around with it, locate it.
Yeah.
This is one of those things that I don't think anyone expected to crop up, but now it's this, it's going to turn into a huge problem if something's not done soon.
You can say that if you've got a system that, you jolly well ought to have thought of it.
So I think it's really easy for us to blame the dealers here. I think they're all people who we think, well, you should have handled this properly. If you are taking a car from somebody else, if you're going to be selling it on, you should make sure that it's been reset and the accounts have been changed and so on and so forth. But what happens when you sell that car privately? There's no dealer involved, is there? And so I imagine in many of these cases, this is what's happening. Now, this issue has been highlighted recently by a guy called Matt Watts. He bought a used car, which he tried to connect because he's a bit nerdy. He tried to connect to the car's app, only to find it had already been connected to the past owner. And the past owner hadn't disconnected the connection, right? So he went back and forth with his dealer and the car's manufacturer, and he was getting nowhere. And eventually he got a message from the manufacturer, which said, "Dear Mr. Watts, we're not in a position to remove the owner without their permission. Previous owners would normally disconnect before they sell the car. I would suggest you contact the previous owner and ask them to disconnect their car from the system via the app. And when this is carried out, we'll be happy to connect you."
But he bought it through this dealer.
And they're not helping whatsoever.
Well, they probably just don't know how. They haven't even been directed.
Well, why not? You know, if they're building this kind of functionality and it's yet again, another bell and whistle, which has been added to a device without necessarily thinking through all the implications.
Yeah.
Anyway, security in cars is going to carry on being a significant problem going into the future, I think. It reminds me just a few years ago, there was this case of over 2 million BMWs and Minis and Rolls-Royces and things like that. It was found out— Samy Kamkar, actually, the researcher who's infamous, notorious for writing a MySpace worm way back when, he discovered that there was a way to intercept the car's network traffic. And in fact, he could— it turned out there was a vulnerability in how those cars looked for security updates. And that was actually how he was able to exploit them. Because their internet updates weren't completely kosher. So there have been ongoing long problems with car security, and I think they're probably not going to disappear and zoom off over the horizon anytime soon.
Now, Graham, you know, you made a sort of lighthearted remark at the beginning about me being a cyclist, which means, you know, no registration, no license plate or tag, etc., etc. However, all of the— Well, actually, Graham, I do pay road tax just like you because it comes out of my income tax. The excise duty is on your vehicle, not on the road, but that's another issue. But the thing is that these days most bikes are connected. Maybe not the bicycle itself, but the Garmins that people buy, the GPSs, the apps they put on the phone.
Yeah, that's interesting.
I heard what sounded like a dog going Hello, I'm back.
Carole, I realise this section has gone on for quite a while. Was there anything—
Should I just hang up?
Was there anything you wanted to say that was rude about my driving or anything like that? It's just here as an opportunity to do that.
Why would I want to do that?
Good.
But this is your— What are you doing?
No, I was asking if you've got anything funny to say.
Well, I've got jokes in my own bit. I'm not here to make your bit funny.
That was quite amusing, actually, in a very slightly disrespectful way.
Duck, what have you got for us this week?
Well, I've got a story which we wrote up on Sophos Naked Security and provoked a very interesting response from people commenting, one that I hadn't expected because it was just a sort of news story, bad and sad really. It was a kid, he was underage at the time, was 16 years old or so, and apparently he hacked into some servers owned by Apple and managed to make off with or download 90 gig of data that he wasn't supposed to have. So no huge harm done in the end, but it was very naughty indeed, and he apparently pleaded guilty. He can't be named because he's a minor. So the one word of warning out of the story is apparently one of the things that made his hack a little more noticeable that might have been that he stashed the data somewhere temporarily on the server while he was doing his hack. And instead of choosing a directory name like Documents and Files or Yesterday's Meeting, he chose the directory name Hacky Hack Hack. So the first, it's probably, you know, if you want to stay under the radar, that's probably a bad choice.
You see, if he'd just called it Hacky Sack, right? That would have been a great throwback.
Or even, you know, Hacky Hack.
So what's a hacky sack, Carole?
You know what a hacky sack is?
No.
A little bean bag?
It's a North American thing.
You guys didn't have that?
It's like football, but where you can't afford a real ball, so you use a bag full of sand.
Oh, I know what you mean.
And you kind of kick it around on your elbows and your knees and your ankles.
Times must have been fairly dull in Canada, Carole.
They were great, you have no idea.
Yeah, but they were doing this hacky sack while skating at 200 miles an hour down the Rideau Canal, Graham.
Listening to Avril Lavigne.
This has got us slightly off the topic of Apple hacking. So to get back there, what was intriguing is that the story, which, because he's a minor and because he pleaded guilty and everything, we've not got all these enormous details about exactly how he did it, but it does look as though he made some attempt to disguise who he was, apart from the hacky hack hack bit, by using a VPN or Tor or something like that, that, you know, makes it look as though he's coming from—
Like obfuscated his location.
Yeah, absolutely. So he's not coming from his own place. But then the story suggests that he was—Apple was able to figure out who he was anyway because of either his serial number or the UUID, you know, some identifier which was unique to his computer because he was using a Mac to do the hack.
So how would it have done that? Because it wouldn't have sent his user ID or something to Apple, would it?
I mean, well, that was what people go, how can they get the serial number when all he's doing is hacking? And of course, the thing is that if you're going through a VPN, yes, it might look as though you're coming from Venezuela or from France or Belgium or something instead of Melbourne in Australia, but you'll still come from the same place for a bit. And so imagine that during that time, while your computer's wired to go through this place that is supposed to be anonymous, it also does— say it does an automatic App Store update, in which case you've kind of got to tell Apple who you are so Apple knows what apps you've got installed, so it knows what updates to send. And it'll say, hey, I am Mr. Hacky Hack Hack, and I'm connecting for my update. So when Apple go and investigate the hack, they'll find the hacker came from some weird IP number in Belgium or wherever it was, and they'll find at exactly the same time this youngster who actually lives in Melbourne, Australia when the computer was registered appears to be coming from the same Belgian VPN company, or I'm making up the Belgium bit, or the same Tor exit node or whatever it is.
So what you're saying is this hacker put so much faith into Tor and to his VPN, he shouldn't have been working from his own machine, I guess.
Well, we don't, obviously, that may not be, there may be a lot lost in translation, 'cause this is based on a newspaper report from the court. Since we weren't there ourselves. But yes, I think that's what a lot of people do. They get themselves a VPN service and they go, "Right, now I'm anonymous." Really. Firstly, all they've done is they've switched their current ISP where all their traffic comes from for another ISP, which is their VPN provider, which may actually be in another jurisdiction, another country operating under rules and mechanisms that they're even less familiar with. So it may actually reduce your security by using a VPN if you're not careful, because you don't know a lot about the company, particularly if it's one of those companies that says, ooh, we exist mainly so you can do piracy.
Yeah.
And the other thing is, you run Tor, all you're doing is you're meaning that if somebody finds out where the traffic's coming from, they can't go directly back to your computer immediately. But imagine you load Tor, you come through this anonymous connection, you get to the Facebook website, and then you log in as yourself. And Tor doesn't rewrite your name magically. So it's suddenly— all Facebook goes is, wow, you've moved places, and they'll probably ask you to go through the two-factor authentication because it'll see you in a different location. But it knows who you are because you went out of your way to tell them. And that's the problem, is that there may be many other parts of your computer that are doing that at the same time.
Right, so even if he didn't manually log into Apple, as it were, into his Apple account or Facebook or whatever, there might have been processes running on his computer which were communicating with perhaps Apple services. And so would have—
And have enough of a unique identifier that when Apple went investigating this IP number, maybe they— oh, it's a Tor exit node. Oh, it's a VPN provider. So it's probably not the real guy. What other connections came through that service at the same time? And if there's only a small number that actually identify particular computers, and then they noticed that he hacked on Tuesday and Thursday and in 3 Fridays' time. And at those very times, this very same account was the only one at all 3 times that tried an update.
So our top tip for any criminal hackers out there who are listening to Smashing Security is to—
I wonder if Apple were disappointed when they finally located the perp and it turns out to be a kid.
Well, not just that, Carole, but reportedly he had access to Apple servers for something like a year. And his Hacky Hack Hack folder hadn't been stumbled across.
Yeah, not that stupid a name.
So who knows?
Hiding in plain sight.
It is rather embarrassing for the trillion-dollar company, isn't it, that this should have happened?
They could just turn around though and go, but we do have a trillion dollars.
So yeah, it's a good reminder that whether you expect it or not, and this is not just true of Apple, everyone loves to say, oh, well, it's Apple's fault and Apple do this. Many apps on many devices. Google Apps do it, Microsoft apps and operating systems do it. There's some identification when an app you've already installed calls home for updates. There's some identification to differentiate you from everybody else, which is particularly important if you're using a cloud app because it wants to know, you know, what have you got installed, who are you, do you authorize it? Because, for example, if you install something say you install an app on your iPhone from the App Store, then it'll come up and say, oh, you are so-and-so, and then you can configure it so it forces you always to put in your password, which is good because it means you can't install an app by mistake.
It's also because there's money tied to it, right? Well, even for free apps, credit cards tied in. Yeah, okay.
I've set mine so it always asks, but the other end already knows who I am. It knows who requested the app. And if at the same time, even if I'm coming through a VPN, if that same phone is in the middle of something dodgy against the same company's servers, then it's not exactly rocket science for them to put two and two together and make at least three and a half. And it looks like that's what happened in this case. Anyway, he was a youngster, so I don't think they're going to lock him up and throw away the key.
Which is obviously good news for him.
I bet he was pretty scared though, when he got that knock on the door.
Well, you would be, I think, at any age.
Yes, I think his mum would be pretty angry, particularly if she bought the Mac for him and registered it in the first place.
Carole, what have you got for us this week?
Well, I have a crazy story about a few copyright trolls who ramped up their scam all the way to 11.
What is a copyright troll?
You're gonna find out. So settle in. So meet John Steele and Paul Hansmeier. Back in 2010, these two boys created a Chicago-based law firm named rather imaginatively Steele Hansmeier. Of course. Why are the names always their names? Oh yeah, your company is your name, isn't it, Graham? You did the same thing. Interesting.
Well, I wasn't going to call it after someone else's name. I was going to call myself John McAfee or something like that.
In case you ever forget, right?
That's right. That's exactly what it is.
Now, these two guys were interested in making moolah, and they were interested in copyright infringement. So they started looking for some clients, as you do. And they decided to target a specific type of audience, namely people and firms that own copyright to porn films. The moneymaker here is pretty simple. You target people who illegally access copyrighted adult material, and then you try and make them pay up. You with me so far?
Hang on a moment. So if I was to go to an adult website and watch a porn film, and I wasn't careful enough about the one which I selected.
Well, maybe you're at a file sharing website. Maybe you're on Pirate Bay, for example, and watching something salacious.
Right. Okay.
You might think, hey, I got around it, right? Or maybe you found the password to access this salacious material and you kind of, hee hee hee, now I can watch it, no one will know, and I don't have to pay. All right, so they're targeting people that are watching porn and violating copyright in doing so.
Is this kind of sextortion but with supposedly with the law on its side? Just wait, just wait to hear what these guys did. Okay, so the fact that this material was pornographic might have made their task of getting a payout a little easier, right?
Okay.
So these guys are going after the porn copyright infringers. And I guess they're seeing a pretty good return because they decide to up the ante. Here's how. In 2011, John and Paul created various LLCs. These are entities that would eventually play the role of plaintiff in their copyright infringement lawsuits. So they were basically creating out of thin air plaintiffs that would bring lawsuits against these copyright violators as they're watching their porn. I'm not even finished. That's just one of the things they've done, right?
Yes.
And of course, no-brainer, being both the plaintiff and the legal eagle, they're gonna get a nice return if defendants opt to settle. According to fightcopyrighttrolls.com, they created 8 entities and represented dozens of porn peddlers such as Sunlust Pictures and Hard Drive Productions.
Hard Drive Productions.
Yeah.
So grubby.
Yeah. Yeah.
Lowering the tone of the podcast again.
That's me. Now stuff starts getting really trolly. Really, really trolly. These guys start actively uploading copyrighted porn onto popular file sharing sites like the aforementioned Pirate Bay, effectively creating a honeypot, baiting the porn seekers.
Okay, let me— It gets worse. It gets worse?
Yep.
Right. So they are uploading copyright adult movies in the hope that people will download them so that they can then sue them for downloading them.
Exactly. Exactly.
Okay.
Now, here's the crème de la crème. Or a cherry or whatever else. It's a big, big sundae. In 2012, they upped the ante once again. They figure out, why don't we just make our own porn films, upload them onto the sites like Pirate Bay, and then threaten to sue the pants off anyone who watches them? It's a great idea, right?
What? So these lawyers are doing this. They're making their own porn. Why would it be necessary to create your own porn movie? Why couldn't you just make a movie of kittens? And if people download that, say, I'm afraid you're violating our copyright of our kitten movie.
Not quite as compelling, is it, when it's published in the media?
Oh, I see. Oh, yes, right.
You might say, let's go to court.
Well, I think you could give it some imaginative titles for the movie, at least, couldn't you, if it had kittens in it?
I think the thing is that they actually produce the movie in court. Produce in a different sense of producer. Right.
Yeah.
So they're really closing the circle here, aren't they?
These guys actually hired porn stars, paid for filming.
Oh, they didn't actually make the movies themselves?
No.
They weren't in them as well to save on acting costs?
Maybe there was a cameo.
Oh, I thought they were actually in the movies.
That would have been—
I always imagine a couple of lawyers, you know.
One way to keep your costs down.
Dressed up as a plumber. Coming in?
No, no, no, no, I don't think there's any cameos.
Oh, okay, it's kind of disappointing.
They hired people, they paid for the filming before slamming these copyrighted adult films onto the file sharing sites and waiting to see what IP addresses would try and access the content. So trolly, so trolly. Now John and Paul only have the IP addresses of copyright infringers at this point.
Right.
They need the names in order to draft up some lawsuits.
Yes.
So they go to court. They file an ex parte motion to uncover the people behind the IP addresses as part of their early discovery. So basically, they're trying to say, look, I know this is early in the whole court case. We really need to know who these guys are. They're breaking the law, copyright violation, yada, yada, yada. And they get it.
Why?
The courts, of course, were never told that they actually uploaded their own porn films, that they were basically honeypotting and baiting people, and that they owned and controlled the plaintiff entities. So basically, they were the plaintiffs as well as the lawyers.
Carole, would the court have, in that case, if they'd known that, have gone, this is going too far? Could that actually make it closer to home, that they'd have more of a case to get the details because they can sort of dot every I and cross every T? I'm trying not to make a double entendre there.
I think any court in America would say, we would like all the information that pertains to this case so that we can make a wise decision. That basically this information was of interest to the court and was withheld knowingly.
Okay.
So that pissed off the courts, as you can imagine.
Right.
Because they found out.
Can I ask a fairly fundamental question here? Something I may have missed earlier, because, okay, so, and this may help me understand this story a little bit more. Is all of this happening in the United States of America?
Yes, it is.
I see. That's okay. I've put my finger on it.
But that doesn't— I don't think that—
I don't think— it just seems insane. It just seems insane that all of this is going on. This is how they're making a living.
There are very many sane Smashing Security listeners based in America.
I know there are. I know there are. But also the fact that this law firm has somehow got into the business of creating porn movies to upload them to then sue the darknet.
They created a law firm in order to go after copyright violation.
See, now I'm getting the real information. See, I picked—
Well, if we listen again, you'll see.
Okay, all right, fair enough.
There's nothing unique about US law, US attitudes that mean that this couldn't happen in many other jurisdictions, right? You've got copyright owner publishes material, traps people for watching it, then brings a lawsuit, etc. I guess here it's just the way that they carefully stitched all the components together so that they could control the way it all flowed and then neglected to tell the court that that's how it actually worked.
Yeah. Do you want to know what else they did?
Don't tell me.
They falsely alleged that defendants had hacked into their plaintiff's computer system, which of course turned out to be one of their own LLCs that they created, to fool the courts into giving them a thumbs up and letting them issue subpoenas to the ISPs that serve the copyright infringement. Because the ISPs can connect the IP address to the individual.
Well, that's naughty, isn't it? So they were able to go to the court and say, these IP addresses hacked our business, therefore we need to identify who they are.
Hacked our clients' businesses.
Yes, sorry. Yes, yes.
The clients, quote unquote. Yes, exactly.
The movie producers.
Did they just leave systems so they could easily be hacked like a honeypot?
Yes.
Or did they make all that up?
No, apparently left honeypots. There were also articles about them leaving special passwords lying around in places that were easy to find so that people could watch material really easily. So they basically greased the wheels, paved the path for people to watch copyrighted material, and then slapped them with a lawsuit or a fear of lawsuits.
Awful lot of effort to go to.
Well, the extra step they've got there that I imagine that a court would find convincing if it didn't know how it tied together is that if you're just— my understanding is if you're just occasionally watching stuff from a pirate site, then the court's going to go, "Well, that's not that important." But if you're the person who's enabling the sharing by doing the uploading, you stole it, you uploaded it, and then you and your buddies watched it, then it's as though you've got a much bigger case to answer, isn't it?
Yes, and it's also misappropriation of the law. The law is there to protect people and try and prevent people from downloading copyrighted material illegally, not, you know, pave the way. So of course, the idea here, they didn't want to take them to court. They obviously would have had to reveal that they indeed loaded the movies, perhaps a movie that they even commissioned and paid for. So they didn't really want to have that go down. The idea was to scare folks into paying up several thousands of dollars to avoid the public humiliation and the court hassle. John and Paul ended up making millions until they got caught. So the reason these guys were still walking around making money and scamming people is that they had all these shell companies set up and all kinds of legal complexity that bought them a lot of time. But their comeuppance came on December 6th, 2016, when John Steele and Paul Hansmeier were arrested by federal authorities and charged with 18 counts of running a multi-million extortion scheme between 2011 and '14. They had a raft of federal crimes—conspiracy to commit mail and wire fraud, money laundering. So there are 14 separate instances of perjury and lying to the courts. The feds reportedly stated the scheme netted around $6 million in copyright settlement payments, of which $3 million went to Steele and Hansmeier, and $1 million going to their fake plaintiffs, i.e., them. Yeah, yeah. But they had to kind of wire it back to their company, and kind of—and they, you know, there were money laundering issues there as well. John Steele, he pled guilty in March 2017 and agreed to cooperate on the case. And the reason I'm talking about this today is because only this past Friday, the other troller, Paul Hansmeier, finally pled guilty to federal fraud and money laundering conspiracy charges. Now, in exchange for the plea, he—they've agreed not to charge him with bankruptcy fraud, and he will not get a sentence exceeding 150 months in prison.
That's over 10 years. Hmm.
And tell me, what's happened to John Steele, which seems like a porn name if I've ever heard one?
Well, John Steele has now—
He's been waiting for that joke. No, I've just made it up.
John Steele has been cooperating with the authorities. So probably bringing—yeah, he's been helping bring down Paul Hansmeier, I'm sure, to save his own butt.
Shades of Sabu. So this is quite intriguing, Carole, that, you know, people love to criticize particularly US copyright holders and the US legal system for being down on the little guy. And piracy and all of that. But in this case, it kind of looks as though the man sort of looked out for the little guy.
Yeah, I don't think there was any little guy involved in these particular films, most likely.
Uh-uh-uh. Phew. Crumbs. Why, to watch a movie?
What? Many of us have worked in big companies, right? And we know that it only takes one person to make a boo-boo to allow the hackers in. Imagine running a company, hiring new staff, and worrying that one of them might bring their bad password habits into the office. Horrendous nightmare! That's one of the reasons why businesses small and large need a password management solution like LastPass Enterprise. LastPass brings a vast array of features for enterprise users, including company-wide policies, reporting, user groups and roles, and support for Microsoft Active Directory. As an administrator, you can create highly secure passwords for your new starters right from the onset. Means no snafus. Listeners can check it out for themselves by visiting lastpass.com/smashingsecurity. No more password snafus, no more boo-boos, just LastPass. And welcome back to our favourite part of the show. It's the part of the show that we like to call Pick of the Week.
Pick of the Week.
Do I have to say Pick of the Week now?
Yes.
Just to be cool?
Otherwise, okay. Pick of the Week. Was that good enough?
Sounds enthusiastic.
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like. Doesn't have to be security related necessarily.
Definitely shouldn't be.
Well, my pick of the week this week is security related. I'm going to choose a rival podcast set up by a former guest of this here show.
I know what this is and I support it. Yeah.
There is a new podcast which has come out from Geoff White, who's been on the show a few times.
He was on the show recently.
Yes. And Geoff is a technology journalist and he has just set up a podcast called Cybercrime Investigations. And Cybercrime Investigations is at the moment, well, there's only 3 episodes because he's just telling the story of one particular investigation, which he has done, which was into WannaCry. And he set out to try to work out where the money, which was paid by people who were hit by the WannaCry ransomware, where it ended up. And so he attempted to trace the bitcoin wallets and see where money was moved to. And it is very interesting and entertaining indeed. I'm not going to give away any spoilers, but—
Yeah, what I liked was the honesty of it. You're kind of with him and he's kind of going, so this is what I thought at this time. I thought I'll go down this route and try and find who owned the wallet. And you're like, yeah, of course, that's a great idea. So you can really go along with him and understand how he's working things out. It's great.
Anyway, the name of the show, Cybercrime Investigations. Well done, Geoff, on producing it.
Yeah.
And I hope he has future investigations which he's able to commit to podcast as well. But it's recommended from us.
Yeah, more please. Yeah.
So, Duck, what's your pick of the week? And it rather raises the question— Graham was talking earlier about, you know, what's left behind on your smart car and who owns it. I wonder what a great idea this is that you hand somebody a USB stick that they're going to put controversial data on and give it to someone else where you know in advance that where it goes, it's kind of illegal.
Well, my pick of the week is something that Graham turned me on to. I wasn't aware of this, but when I messed around with USB keys in the past, when I was working at Sophos Australia, we bought a whole batch of USB keys at an auction to see what people had left behind on them. Answer: a lot. Two-thirds of them had malware, but none of them had any encrypted stuff, and nobody had— obviously because they lost them on trains in Sydney, they hadn't expected to have to wipe them, but they hadn't had them encrypted.
Yes. You know, Graham, this is not Pick of the Week. This is Nitpick of the Week.
This is a thing called Flash Drives for Freedom. And the theory is that these guys don't like the way things work in North Korea, and they think information should be free, and they want to send in information and inject it into North Korea in a way that people might be able to see it. And it's all supposed to be great for freedom, and you should feel good about yourselves. But of course they need USB devices because North Koreans can't get on the internet, and then they'll give them videos of South Korean soap operas that they can't normally watch. And you know, you can get the idea. It's, you know, there's a life beyond your borders, etc., etc. And they want the— they want information to be free, and North Korea doesn't, etc. So it seems, if you're that way inclined, quite a noble idea.
Oh, we might need a new tune for that.
But they need USB keys. So instead of just going to a USB factory and saying, okay, give us a cheap deal on 7,000 1GB USB keys, they're asking you to donate yours. And you can even get a tax-deductible donation receipt thingy. And then they put this stuff on that North Koreans aren't supposed to see and kind of let them go into the North Korean cyber underground or something.
Yeah.
So it is a—
Is that something to do with North Korea or something?
I don't get it.
I think she just means a negative pick of the week.
Yes, nitpicking.
Oh, I see. Oh, I thought, yeah, I was trying to think, oh, it's knit. It's North nitpick, nor NK. No, I was— Basically, I wouldn't recommend anyone to hand over their own USB key, even if they think they've wiped it, because there are some controversies and complexities about whether you can even do that reliably or not. I wouldn't hand over a USB key really to anybody, and I certainly wouldn't hand it to somebody knowing that they were going to put it to this coolly controversial use, knowing that my name, address, and telephone number might be on it. I think that's probably a bad idea.
I mean, they do say they will wipe them, don't they? But I guess the problem is that ultimately you can only trust yourself. Well, I bet you all the people who bought those fancy smart cars LastPass you were talking about at the top of the show had no inkling that there was going to be some information disclosure access control problem. And the problem with USB keys is you don't— when you plug them into your computer and you write to them, even at the hardware level, you're writing through the broker of whatever firmware the vendor's chosen to put on there. And you don't actually know when you overwrite every sector that's currently available for use, you don't actually know where you're writing. It could be remapped by the firmware. So you say, I want to write from the first sector to the last.
Yeah.
And the device may have decided, oh, you know what, the first couple of megabytes of this disk has been going wonky lately, so I won't use those. And then somebody who knows how that firmware works may be able to read data at a lower level than you were able to write it. And so it's not quite the old days where every sector was made equal and you could read and write specific locations on the physical drive.
I find a lot of technology companies are still giving away free USB sticks, aren't they? I have more USB sticks than I need, and many of them I will never use. Maybe if you get given one at a show and there happens to be a booth, there was in Vegas at one of the shows recently, from Flash Drives for Freedom, you just hand over one of those.
So you carry a little evidence bag, and when they want to hand you one with all their bumf on, you just say, please drop it in here, and then you seal it up nicely. Maybe wear gloves and then hand over the whole thing.
You know, I'll tell you what I like about the site. I like the picture of Kim Jong-un with a mouth with a USB slot. I've always loved cartoons. It's a good pic.
I'm trying to work out from that photo whether that USB connector in there actually has 4 wires, i.e., power and data, or whether it's one of those power— the safe power-only connectors. A lot of people take those to conferences like DEF CON, so you can plug into some— if you need charge and you're somewhere like DEF CON, you don't want to plug into some random guy's device if you've got all the wires in your USB cable connected, because then they're giving you power, but they're also sending and receiving data.
I was just making a nice little comment about the art and you had to geek out again.
Not security related necessarily.
Exactly.
Just underline that.
Exactly.
Mind you, my section was. Carole, what's your pick of the week?
Not security related.
Not at all?
Not, I don't think, I don't know.
Because we're going to be watching now.
Okay, you watch, you watch.
Let's try and make it security related. Come on, let's try.
So I love this, and it's not for everyone. Okay, it's yet another cartoon for grown-ups, not for— you know, it's— I don't know how to say that. It's cartoons inappropriate for kids.
You do a lot of cartoons, I've noticed.
I do.
I love cartoons.
I love—
I love— So animated video, can't you just say that?
Maybe. It's called— okay, so it's called Final Space, and I need you to think American space opera. Comedy, drama, something like that. It's a bit weird. It's made by filmmakers Olan Rogers and David Sachs. Now it had its first airing on Reddit in February, and just recently it's made it to Netflix. So it's a good one for people who are into things like Rick and Morty, right? It follows the adventures of Gary Goodspeed, an astronaut finishing up his prison sentence aboard a space jail where he only has robots and a fridge for company. This guy is lonely until he meets Mooncake, which I'm not even going to go into. You should know about this. Do you know about this show at all, Graham?
Actually, I think there's a Doctor Who connection.
Yes, there is. I was wondering. Yeah. So what's the connection, Mr. Cluley?
I believe David Tennant, who was the 10th Doctor Who and the worst of the new series Doctor Whos.
Do you think he was the worst?
Yeah, he's all right, but he is the weakest of the modern Doctor Whos. But anyway, but he's very popular. I know he's very popular with people.
Graham's very complimentary, isn't he?
Well, no, I'm just—
This is normal.
Is it?
I'll tell you.
Anyway, he's no Matt Smith. Matt Smith is— and Eccleston are the— anyway. So anyway, but yes, he plays— doesn't he play the part of some evil villainous Lord Commander.
And he's great at it.
Right.
Now the whole thing's disguised as a comedy, but there's this unbearable darkness knitted through the whole series. It tackles head-on loss, revenge, death, and also friendship. And it taught me a lot about friendship, Graham, actually. It did. I learned a lot from that show.
What do you mean?
I don't know. You might want to watch it.
There's quite a lot about AI and machine learning in it though, implicitly, isn't there? So it does have a cybersecurity connection, surely.
Anyway, I loved it. It's on Netflix. There are 10 episodes. Enjoy it. Final Space. Can we end this, baby, please? I really need to pee.
And on that bombshell of Carole needing to pee, I think it's time to wrap up. Duck, if people want to follow you online, where's the best place to do that?
Nakedsecurity.sophos.com.
And if you want to follow us, you can follow us on Twitter @SmashingSecurity— no G, Twitter wouldn't allow us to have a G— and you can check out our brand spanking new merchandise store, where we're not making a penny out of it. We're not getting a cent.
Yay!
At smashingsecurity.com/store. And leave a review for us on Google Podcasts or Apple Podcasts. It does help new listeners discover the show, so thank you to everyone who's been doing that. Until next time, cheerio, bye-bye, bye everyone, bye.
Graham, David Tennant is not going to be happy with you.
It's a very rude thing to say. No, okay, let me, let me, let me.
Come on, redo that so it sounds a bit nicer. Okay, so the worst of the best, the best of the worst. I mean, come on.
Yeah, well, David Tennant is the 10th Doctor.
Why are we laughing?
Hosts:
- Graham Cluley
- Carole Theriault
Guest:
- Paul Ducklin – @duckblog
Show notes:
- Connected car data handover headache: There's no quick fix… and it's NOT just Land Rovers
- Shock Land Rover Discovery: Sellers could meddle with connected cars if not unbound
- The hidden data danger of the ‘Connected’ car
- Your BMW or Merc may also be at risk of being hacked, because of your iOS app
- Samy, the MySpace worm written by Samy Kamkar
- Apple hacked by 16-year-old who “dreamed” of working for firm
- Melbourne teen hacked into Apple's secure computer network, court told
- Prenda Law stories at Techdirt
- Minneapolis lawyer pleads guilty to federal fraud, money laundering charges in porn troll scheme
- Cybercrime Investigations podcast with Geoff White
- Flash Drives for Freedom
- Final Space
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.