Online drug dealers get busted due to poor OPSEC! People are still failing to wipe their USB sticks properly! A potential presidential candidate is outed as a former hacker! Flat Earthers! Pi! Empathy!
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Paul Ducklin.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
If they're really keen to convince Telegrass's admins that they're legitimate dealers, they actually will even upload video footage of themselves next to huge amounts of weed.
Can we just make pot legal? I mean, wouldn't that just be the easier way and basically save people's privacy?
Smashing Security, Episode 120.
Silk Road with Deliveroo with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 120. My name is Graham Cluley.
You're 120?
No, I'm episode 120.
I'm Carole Theriault. Just kidding.
And we are joined this week by a returning guest. It's Paul Ducklin from Sophos. Hello, Duck.
How are you?
I am super duper. Thank you.
Yay for coming back on the show.
Yeah, I noticed that you've already deviated from the script that I added to your script.
I didn't really understand what you'd written here. What?
We're joined by returning guest Paul Ducklin from Sophos, whom we have once again forced against his will to join the Smashing Security sheep run.
We're joined by returning guest Paul Ducklin from Sophos, whom we have once again forced against his will to join the Smashing Security sheep run.
Meh, meh, meh.
By installing and using a browser created by the world's biggest peddler of online ads and tracker of keystrokes in the whole universe, the Googleplex.
How do you feel about that, Duck?
How do you feel about that, Duck?
Oh, I'm all right. I've got— I'll remove Chrome as soon as I've done.
So Carole, what have we got coming up on the show this week?
Well, we have a good one this week. Graham, you are going to talk to us about Telegrass.
Ducky's going to talk to us about what we do when we sell our old devices and what we should be doing. And Kroll is going to be talking about an old hacker group.
All this and more coming up on Smashing Security. Right guys.
Ducky's going to talk to us about what we do when we sell our old devices and what we should be doing. And Kroll is going to be talking about an old hacker group.
All this and more coming up on Smashing Security. Right guys.
I want you to imagine you're on your smartphone and a message appears.
It says, hey, dear friends, in light of the heavy demand for Patrick Lemon Haze, deliveries to the Tel Aviv area, 5 grams, just 500 shekels.
It says, hey, dear friends, in light of the heavy demand for Patrick Lemon Haze, deliveries to the Tel Aviv area, 5 grams, just 500 shekels.
Okay, delete.
Would you know what I'm talking about?
No.
I'd go, what accent were you trying to do? Was that New York Jewish? Is that supposed to be Tel Aviv? Are you some kind of laid-back San Francisco 1960s hippie?
I'd say you're probably a bit wasted there, Graham.
I'd say you're probably a bit wasted there, Graham.
I am a bit wasted because I want to talk to you about something called Telegrass.
Telegrass is a community that operates through Telegram, the encrypted messaging app, and it was set up by a guy called Amos Dov Silver and is estimated to have more than 150,000 members from countries around the world.
And what is it? Well, it describes itself as being Uber, but for weed.
Telegrass is a community that operates through Telegram, the encrypted messaging app, and it was set up by a guy called Amos Dov Silver and is estimated to have more than 150,000 members from countries around the world.
And what is it? Well, it describes itself as being Uber, but for weed.
Oh, isn't Telegram a kind of messaging service, a secure messaging service?
Yeah, that's Telegram, but this is Telegrass, a community which operates on Telegram.
But not owned by Telegram.
Well, I imagine not, otherwise they're going to be in a little bit of trouble. Now, Telegrass is somewhat innovative, right?
It allows users to do a search of dealers by name and find reviews of their operations, just like Yelp if you're checking out restaurant reviews.
And this has resulted actually in people who are dealing in pot and other drugs, improving their service and product quality in order to compete with others, because everyone wants to get a 5-star review.
It allows users to do a search of dealers by name and find reviews of their operations, just like Yelp if you're checking out restaurant reviews.
And this has resulted actually in people who are dealing in pot and other drugs, improving their service and product quality in order to compete with others, because everyone wants to get a 5-star review.
Okay.
On Telegram, they even have a help wanted channel.
So if you need help in all different manners, maybe you need to hire a Python programmer, for instance, you go on to Telegram and you're pretty sure to be able to find one.
You put up a little ad.
So if you need help in all different manners, maybe you need to hire a Python programmer, for instance, you go on to Telegram and you're pretty sure to be able to find one.
You put up a little ad.
Is that to control the lights and the heating in your grow house?
In your hydroponics unit?
Yeah, maybe.
Now, Telegrass is run like a proper normal organization.
So there are people with titles like chief financial officer, vice president for infrastructure, vice president of operations, and even a spokesperson.
So it's running in a way like a dot-com startup.
So there are people with titles like chief financial officer, vice president for infrastructure, vice president of operations, and even a spokesperson.
So it's running in a way like a dot-com startup.
Pot is legal in many states now, certainly in the US.
Yeah.
And in other countries, maybe not.
And certainly dealing it in many countries is something which could get you a hefty prison sentence, as it can in Israel, where many of Telegrass's users are.
But it's not all fun and games. There's bad stuff which happens on Telegrass as well. Sometimes people steal or they don't pay up.
And some dealers have even sexually harassed their potential clients, telling them that they can pay in a different way if they don't have the shekels on them.
And there's even a sexual harassment officer at Telegrass who's trying to impose standards upon the dealers so that they don't suggest that people have a bit of nookie rather than paying up.
And certainly dealing it in many countries is something which could get you a hefty prison sentence, as it can in Israel, where many of Telegrass's users are.
But it's not all fun and games. There's bad stuff which happens on Telegrass as well. Sometimes people steal or they don't pay up.
And some dealers have even sexually harassed their potential clients, telling them that they can pay in a different way if they don't have the shekels on them.
And there's even a sexual harassment officer at Telegrass who's trying to impose standards upon the dealers so that they don't suggest that people have a bit of nookie rather than paying up.
Wouldn't you rather have a title like anti-sexual harassment officer?
Yes.
I mean, really, it's a bit of an odd title, really.
Yeah. If you have a complaint against this company, we'll set the sexual harassment officer on you. With a truncheon.
Yeah. Well, on Telegrass, the sexual harassment officer, her name on the app at least, is Iron Flower.
Ooh, strong lady.
She can throw people off.
Sometimes it's just for a week for behaving inappropriately, or she can even request that victims are given 7 grams in compensation for any trouble that has been caused.
So, you know, they've thought this through. You know, it's not just an amateur operation, this.
Sometimes it's just for a week for behaving inappropriately, or she can even request that victims are given 7 grams in compensation for any trouble that has been caused.
So, you know, they've thought this through. You know, it's not just an amateur operation, this.
So basically, people are going on there trying to buy pot, and then there's a bunch of dealers out there going, hey, buy my pot. This is how much it costs.
This is the strain, whatever, whatever.
This is the strain, whatever, whatever.
And they're looking up the reviews and then they turn up on your doorstep and they give you whatever it is that you want.
Right. Okay.
So this is sort of like Silk Road, but in person, not using— but with Deliveroo or—
Yeah, exactly. Yes.
Silk Road with Deliveroo. There's our title.
Now, obviously, they don't want undercover cops coming onto the system, right?
So any would-be dealers are required to go through a verification process to be authorised on Telegrass.
So any would-be dealers are required to go through a verification process to be authorised on Telegrass.
Oh, so Telegrass don't want to have undercover cops there.
No, no, they don't, because that's going to upset the customers, right?
That doesn't seem very legal, but yeah, it's true.
So one of the checks that they do is if you want to be a dealer, you have to upload your photo ID to the administrators, who will do a background check.
They look on your Facebook account, they see if you have likes from 5 years ago.
They want to make sure that you've got a history rather than being a new account and make sure that everything's kosher.
They look on your Facebook account, they see if you have likes from 5 years ago.
They want to make sure that you've got a history rather than being a new account and make sure that everything's kosher.
Oh, damn, Graham. There's no way we're getting on.
No, we wouldn't be able to join, would we? Suspicious by our lack of Facebook presence.
Exactly.
But if they're really keen to convince Telegrass's admins that they're legitimate dealers, they actually will even upload video footage of themselves next to huge amounts of weed.
So you're like, here's me strolling through my plantation, kind of thing.
Yeah, yeah. That's what cult leaders often demand of their followers. Give me something that holds you for ransom should you ever step out of line.
Okay, so people are obviously uploading this thinking it's a great idea.
Okay, so people are obviously uploading this thinking it's a great idea.
On the other hand, maybe it's just know your customer.
Yeah. And meanwhile, of course, the dealers themselves, they're paranoid. They don't want to sell to an undercover cop.
So when a potential client contacts them via private message on Telegram, the dealer verifies the client usually by saying, can you send us a selfie?
Can you send us a photo of your identity card, or can you send us a photo of your salary slip? And that's another way in which they verify, okay, this is a—
So when a potential client contacts them via private message on Telegram, the dealer verifies the client usually by saying, can you send us a selfie?
Can you send us a photo of your identity card, or can you send us a photo of your salary slip? And that's another way in which they verify, okay, this is a—
Oh my God!
Yeah, this is what's going on, Carole. They don't want to be caught.
Can we just make pot legal? I mean, wouldn't that just be the easier way and basically save people's privacy? Honestly. Okay, carry on.
All of this, of course, means that the administrators of Telegrass and the dealers have collected an awful lot of personal information of the users. Some of whom...
Yeah, and the dealers as well. That's right. So what could possibly go wrong with this?
Yeah, and the dealers as well. That's right. So what could possibly go wrong with this?
Nothing. I think everything went perfectly. There's no story here.
Well, what could go wrong is that the group's entire database of dealers could be leaked onto the internet.
No, really? That can happen?
And what could go wrong is an undercover agent could have infiltrated the group for 9 months collecting information. I guess he was feeling laid back 9 months.
It's just like, oh yeah, I've got to do a bit more investigating here.
It's just like, oh yeah, I've got to do a bit more investigating here.
How many more fish can I nab?
Last week, police arrested 42 people in Israel, the United States, Ukraine, Germany on suspicions that they were running this drug distribution online network.
Amongst those arrested was Amos Dov Silver, Telegrass's founder. He was in the Ukraine allegedly having business discussions with local criminal gangs.
And Telegrass is meanwhile suspected of selling tons and tons of drugs over the years worth hundreds of millions of shekels.
Amongst those arrested was Amos Dov Silver, Telegrass's founder. He was in the Ukraine allegedly having business discussions with local criminal gangs.
And Telegrass is meanwhile suspected of selling tons and tons of drugs over the years worth hundreds of millions of shekels.
It sounds to me like they're pulling that whole Facebook thing, like, hey, look, we're not dealing drugs, we're just inventing a kind of highway that people are using in the way they want to use.
It's not our fault that they're doing it from countries where pot's not legal.
It's not our fault that they're doing it from countries where pot's not legal.
Well, they have very much a philosophy that everyone in the world should have access to pot.
They should be able to get it, and it should be as easy as possible regardless of local laws. That's their view. That's very much the philosophy of the guy who set this up.
And so he's tried to make it as simple as possible to do that. Now, what kind of defense they're going to mount around this, I don't know.
Certainly in Israel and in some other countries, it's likely that they're going to have the book thrown at them.
Amos Dov Silver, the founder, he is apparently now cooperating with the police. I think he's realized that may be in his best interest.
They should be able to get it, and it should be as easy as possible regardless of local laws. That's their view. That's very much the philosophy of the guy who set this up.
And so he's tried to make it as simple as possible to do that. Now, what kind of defense they're going to mount around this, I don't know.
Certainly in Israel and in some other countries, it's likely that they're going to have the book thrown at them.
Amos Dov Silver, the founder, he is apparently now cooperating with the police. I think he's realized that may be in his best interest.
And where was he when he got arrested?
He was arrested in Ukraine. Now, he hasn't been back to Israel for years. He's dual citizenship.
He's both American and Israeli, but he's been sort of nomadically travelling around the United States for a few years, doing interviews, talking about his basically Uber-for-weed operation.
But he wanted to do it from the States because he found it a bit more free and easy over there.
He's both American and Israeli, but he's been sort of nomadically travelling around the United States for a few years, doing interviews, talking about his basically Uber-for-weed operation.
But he wanted to do it from the States because he found it a bit more free and easy over there.
And as soon as he goes to Ukraine, and that's where they nab him.
I imagine even in places where it's lawful, like some states in the US, not federally, and Canada, Uruguay, places like that, you can't just set up a website and sell it.
Because there are taxes to be paid and there's registration to be done and there's all sorts of— it's quite complicated to comply.
Because there are taxes to be paid and there's registration to be done and there's all sorts of— it's quite complicated to comply.
He has a CFO, he must know how to do all that. I'm sure it's not just a title.
But just consider, it's a shame they didn't have a Chief Privacy Officer really, isn't it?
Just consider that they went to the effort of thinking, we're going to base this on Telegram, we're thinking encrypted messaging, we're going to keep our communications secure.
But at the same time, they were collecting video footage, photo IDs.
Just consider that they went to the effort of thinking, we're going to base this on Telegram, we're thinking encrypted messaging, we're going to keep our communications secure.
But at the same time, they were collecting video footage, photo IDs.
I wonder how they were doing that. Were they saying, oh, just email it to us?
Yeah, yeah.
And copying it to a USB drive that they kept in a cupboard somewhere.
I think that the transmission was via Telegram, but then of course it may well have been saved in places or on cloud servers. Yeah, exactly.
They may have copied it to their local drives as well.
They may have copied it to their local drives as well.
Well, there's no point in not keeping it, is there? If you're going to collect it, you're doing it so you can identify the person. Right. And therefore anyone else can.
If you're going to get the message and then throw it away, what's the point of collecting it?
If you're going to get the message and then throw it away, what's the point of collecting it?
Oh, it'd be such a nuisance if I had to keep on videoing myself past my marijuana plantation, wouldn't it?
You gotta drive out there, walk around with your, you know, running through your fields of pot.
I think you just set up a webcam and open it up and then say, look, just find me on Shodan.
So all sorts of trouble for those people, I guess, because everyone's going to be quaking in their boots now.
So all sorts of trouble for those people, I guess, because everyone's going to be quaking in their boots now.
Yeah. Yeah. Well, whether you are a good guy or a bad guy, remember, encryption does not necessarily mean that you're going to have complete operational security.
You're not necessarily going to keep all your information private. You don't know what else will happen with it.
And it's just extraordinary that these people who are obviously involved in criminal activity were sharing so much data, and now it's come to bite them on the bum, hasn't it?
You're not necessarily going to keep all your information private. You don't know what else will happen with it.
And it's just extraordinary that these people who are obviously involved in criminal activity were sharing so much data, and now it's come to bite them on the bum, hasn't it?
Well, it's the whole Snapchat thing all over again, isn't it?
Yeah.
Hey, we encrypt end-to-end, and people think, oh, end-to-end, that means from the very, very, very beginning to the very last moment, forgetting that actually they mean the other end of the network link, and then the picture appears on your phone.
And if someone takes a picture of the picture with another telephone, how are you going to control that? So you're sending this to somebody so they can verify you.
Obviously they have to have that unencrypted saved somewhere so they can look at it.
And that's, you know, so I think maybe people, when they hear about these messaging systems that use the term end-to-end, it kind of sounds like it's universal, complete, eternal, everything encrypted, forgetting about the fact that you had to see it at your end and the other guy sees it at the other end.
What do you not understand about that bit about seeing it?
And if someone takes a picture of the picture with another telephone, how are you going to control that? So you're sending this to somebody so they can verify you.
Obviously they have to have that unencrypted saved somewhere so they can look at it.
And that's, you know, so I think maybe people, when they hear about these messaging systems that use the term end-to-end, it kind of sounds like it's universal, complete, eternal, everything encrypted, forgetting about the fact that you had to see it at your end and the other guy sees it at the other end.
What do you not understand about that bit about seeing it?
Yeah.
And from the Telegraph's point of view, of course, maybe a lot of people now will lose confidence in Telegraphs and be nervous that their information may soon fall into the hands of the authorities, which means that if you are after 5 grams of Patrick Lemon Haze or whatever the hot substance is in Tel Aviv right now, you're going to have to look elsewhere, aren't you?
I wonder if there'll be other criminals operating similar networks and taking advantage of the internet and technology to make this as smooth an operation as apparently Telegraphs was until it came undone?
And from the Telegraph's point of view, of course, maybe a lot of people now will lose confidence in Telegraphs and be nervous that their information may soon fall into the hands of the authorities, which means that if you are after 5 grams of Patrick Lemon Haze or whatever the hot substance is in Tel Aviv right now, you're going to have to look elsewhere, aren't you?
I wonder if there'll be other criminals operating similar networks and taking advantage of the internet and technology to make this as smooth an operation as apparently Telegraphs was until it came undone?
I'm just thinking, I mean, the guy was there for 9 months stalking this group, right? So I'm sure things, you know, came to light during that time.
But I imagine many people would have loaded up, maybe not their passport numbers, you know what I mean?
You'd want to obfuscate your character and you'd have an online character that may be different from your real physical character.
I'm going to be amazed if people actually went forward with all their proprietary information.
But I imagine many people would have loaded up, maybe not their passport numbers, you know what I mean?
You'd want to obfuscate your character and you'd have an online character that may be different from your real physical character.
I'm going to be amazed if people actually went forward with all their proprietary information.
Well, I feel sorry for the people whose IDs have already been ripped off in a previous data breach that was now uploaded here. Exactly.
So that, you know, who knows what people are in the database?
Because you imagine it's not going to be people who are buying weed online, although if it's delivered to your house, it's all LinkedIn.
So that, you know, who knows what people are in the database?
Because you imagine it's not going to be people who are buying weed online, although if it's delivered to your house, it's all LinkedIn.
This is all LinkedIn data that's been uploaded to Telegram. So all the photographs of people in their suits with their ties done up really tightly.
What sparked your interest in this story?
So are you deliberately putting these terms in that sparked?
Yes.
You're welcome.
Duck, what's your story for us this week?
Well, my story is based on something we wrote on Naked Security with the imaginative title, You Left What on That USB Drive?
Now, this comes about, it was a survey done by the University of Hertfordshire that bought up a whole load of USB keys from kind of what you might call public sources.
So they went to eBay, people are selling off old stuff.
And they just bought up devices, which is very much like a project I was involved in when I was working at Sophos in Australia. This is now about 8 years ago.
We went to the New South Wales Railway Company's lost property auction and bought up a bunch of USB keys, and we were interested to see what was on there.
And as you can imagine, the answer is quite a lot that you shouldn't have let out.
Now, this comes about, it was a survey done by the University of Hertfordshire that bought up a whole load of USB keys from kind of what you might call public sources.
So they went to eBay, people are selling off old stuff.
And they just bought up devices, which is very much like a project I was involved in when I was working at Sophos in Australia. This is now about 8 years ago.
We went to the New South Wales Railway Company's lost property auction and bought up a bunch of USB keys, and we were interested to see what was on there.
And as you can imagine, the answer is quite a lot that you shouldn't have let out.
Oh, it's not funny, man. I think everyone has a bunch of these USBs lying around with personal stuff.
Well, you know what, Carole?
There was someone who commented on our site saying, you know, it kind of seems a pity that what everyone's saying is when you're done with a USB key, just, you know, put it in a vice and do it up and crush it to bits and just let the dust drop to the floor and be done with it.
And that's obviously a great way to deal with it. No one's going to get the data off, you don't have to worry about it. Who wants a 256-megabyte USB stick anyway?
And this lady Samantha said, you know, it kind of seems very wasteful and very un-green, which was the angle that I took all those years ago when people were saying, we can't believe that New South Wales State Rail, as it was then, that they're selling the stuff off.
This is a violation of people's privacy, you're saying. So they should waste this stuff, because people can't be bothered to look after their own data properly.
And eventually, you know, the Privacy Commissioner in New South Wales decided it is actually too hard, it's too expensive, it takes too long to wipe a USB key, and who knows if it even worked correctly because of the way writing to USB devices, SSD devices, storage works, that they're not valuable enough, that it would cost us too much to sell them.
I'm really sorry, we're going to— they're basically going to get shredded and turned into dust and distributed back to the universe. And it does seem kind of wasteful.
I love old USB keys because when I want to wipe them out after every time I've used them, the smaller they are, the faster they wipe. And I don't normally need to fill them up.
But we're in this sad thing that it's almost making these devices kind of disposable and wasteful and un-green and un-environmentally friendly.
Sadly, that's the right thing to do from a privacy point of view, because it's the one way you don't have to worry about what you might have left on them, whether you thought it was encrypted or not.
There was someone who commented on our site saying, you know, it kind of seems a pity that what everyone's saying is when you're done with a USB key, just, you know, put it in a vice and do it up and crush it to bits and just let the dust drop to the floor and be done with it.
And that's obviously a great way to deal with it. No one's going to get the data off, you don't have to worry about it. Who wants a 256-megabyte USB stick anyway?
And this lady Samantha said, you know, it kind of seems very wasteful and very un-green, which was the angle that I took all those years ago when people were saying, we can't believe that New South Wales State Rail, as it was then, that they're selling the stuff off.
This is a violation of people's privacy, you're saying. So they should waste this stuff, because people can't be bothered to look after their own data properly.
And eventually, you know, the Privacy Commissioner in New South Wales decided it is actually too hard, it's too expensive, it takes too long to wipe a USB key, and who knows if it even worked correctly because of the way writing to USB devices, SSD devices, storage works, that they're not valuable enough, that it would cost us too much to sell them.
I'm really sorry, we're going to— they're basically going to get shredded and turned into dust and distributed back to the universe. And it does seem kind of wasteful.
I love old USB keys because when I want to wipe them out after every time I've used them, the smaller they are, the faster they wipe. And I don't normally need to fill them up.
But we're in this sad thing that it's almost making these devices kind of disposable and wasteful and un-green and un-environmentally friendly.
Sadly, that's the right thing to do from a privacy point of view, because it's the one way you don't have to worry about what you might have left on them, whether you thought it was encrypted or not.
So let's just imagine there's someone listening right now who's got a handful of USBs in his hand going, oh God, I don't even know how to wipe these.
What steps would you— where would you tell them to go?
What steps would you— where would you tell them to go?
Well, Graham and I have had discussions about this in the past. What I'm about to say now is not relevant to USB keys. So he is allowed to laugh.
But the first thing you should do is— you see how times change, Graham? First thing to do is go out and buy yourself a Mac.
But the first thing you should do is— you see how times change, Graham? First thing to do is go out and buy yourself a Mac.
Mac.
Hallelujah. It's been years, Carole. It's been years. I ran Linux on my work computer for very many years until I got a Mac.
And then after 5 minutes, I thought, what have I been doing all this time? Now, the reason I'm saying this—
And then after 5 minutes, I thought, what have I been doing all this time? Now, the reason I'm saying this—
Sounds a rather expensive way of wiping a USB drive.
What I mean is, if you have a Mac, it's kind of easy. Easy, right?
Okay, it's easy with a Mac.
All right, well, if you have a Mac, the command you want is diskutil space zero disk, and that's a way that you can basically write zeros over an entire device.
It's quite slow, but you can leave it running in the background and then it will offer you the chance to reinitialize it and whatnot if you want to.
Or if you're just going to put it back in your own drawer in case you need it later— once I've finished using one for a temporary purpose, I'll wipe it, I'll wait for that to happen, then I figure if I do lose it or someone steals it or I need to hand it to somebody else, yeah, I'm handing them something that I'm pretty certain is blank and I don't have to worry about it.
And the other thing, the other reason I'm suggesting a Mac— you can do this, it's easy enough on Linux or the BSDs, you can do it on Windows although you might have to upgrade to the Windows 10 Pro— but at least on a Mac when you put in a blank USB device it will come up and say do you want to format it and prepare it for use, and when you do it'll say do you want to encrypt it.
And you can actually format it using the Apple filing system, the new Apple filing system. You can format it so that it's encrypted from the start.
Put in a passphrase, you get a recovery key which you can print out and lock away if you really want to.
And that means that then if you do lose it, somebody who hasn't got the key, to them it's just— the data is just so much shredded cabbage.
It's quite slow, but you can leave it running in the background and then it will offer you the chance to reinitialize it and whatnot if you want to.
Or if you're just going to put it back in your own drawer in case you need it later— once I've finished using one for a temporary purpose, I'll wipe it, I'll wait for that to happen, then I figure if I do lose it or someone steals it or I need to hand it to somebody else, yeah, I'm handing them something that I'm pretty certain is blank and I don't have to worry about it.
And the other thing, the other reason I'm suggesting a Mac— you can do this, it's easy enough on Linux or the BSDs, you can do it on Windows although you might have to upgrade to the Windows 10 Pro— but at least on a Mac when you put in a blank USB device it will come up and say do you want to format it and prepare it for use, and when you do it'll say do you want to encrypt it.
And you can actually format it using the Apple filing system, the new Apple filing system. You can format it so that it's encrypted from the start.
Put in a passphrase, you get a recovery key which you can print out and lock away if you really want to.
And that means that then if you do lose it, somebody who hasn't got the key, to them it's just— the data is just so much shredded cabbage.
But hang on, a lot of people use USB sticks in order to give a file like a presentation or a Word document to someone else, right?
Yes.
It's like when I go and give a talk, people say, oh, can we load your presentation onto our computer?
It's like, okay, here's the USB stick.
They all have that voice, those people paying you money. They do.
Nothing wrong with that voice. Anyway, and so you give that to them. If it's encrypted, Doug, how are they going to access it?
I'm talking about that's for storage, storing your stuff. What I do is, and I actually keep some old USB sticks that have a low capacity. As I said, they wipe fast.
And I keep a blank one lying around in the little bag I carry around with my stuff.
And if I get somewhere I need to share data with somebody and I can't do it via some electronic means like AirDrop or something from Mac to a phone or whatever, then I basically will take out one of the USB keys that I know I've got blank.
I'll plug it in, my Mac will say this key is unusable on this computer, do you want to prepare it for use? And then I will format it, and I'll format it unencrypted.
I'll put that one file on it, I'll hand it to them, let them use it, and when they give it back, I'll go through the wiping process again.
Because 8 years ago when we did this experiment with the New South Wales State Rail, all doxing USB keys, two-thirds of them had malware on them, and not one of them had any encrypted files.
So nobody had bothered to encrypt them.
So when I get the key back from somebody else, if they've had malware on their computer— I know that happened to you once, didn't it, Graham, at an RSA conference?
Yes, you handed them the key, they plugged it in, or you— they gave you the key, you plugged it into your computer, your Mac, and bloop, Windows virus. Thanks very much for you.
Yeah, so you wonder how many other presenters— I was speaking at an event last week and I got an email saying, thank you, you're one of 700 speakers.
So if they were passing a USB key around, there was a lot that could have gone wrong. I use my own computer, so that didn't come about.
But generally, when I get the key back from somebody, I'll then put it in and immediately wipe it, won't use any of the files off it, and then just put it back in my bag blank.
That way, if someone does run off with it, or someone says, hey, can I borrow a USB stick, I'll just give them that one.
If it's old, relatively low capacity, to be honest, I gave it to them if they never give it back to me, I'm not going to burst into tears. So that's what I do with my old USB keys.
I keep them around as kind of semi-expendables.
And I keep a blank one lying around in the little bag I carry around with my stuff.
And if I get somewhere I need to share data with somebody and I can't do it via some electronic means like AirDrop or something from Mac to a phone or whatever, then I basically will take out one of the USB keys that I know I've got blank.
I'll plug it in, my Mac will say this key is unusable on this computer, do you want to prepare it for use? And then I will format it, and I'll format it unencrypted.
I'll put that one file on it, I'll hand it to them, let them use it, and when they give it back, I'll go through the wiping process again.
Because 8 years ago when we did this experiment with the New South Wales State Rail, all doxing USB keys, two-thirds of them had malware on them, and not one of them had any encrypted files.
So nobody had bothered to encrypt them.
So when I get the key back from somebody else, if they've had malware on their computer— I know that happened to you once, didn't it, Graham, at an RSA conference?
Yes, you handed them the key, they plugged it in, or you— they gave you the key, you plugged it into your computer, your Mac, and bloop, Windows virus. Thanks very much for you.
Yeah, so you wonder how many other presenters— I was speaking at an event last week and I got an email saying, thank you, you're one of 700 speakers.
So if they were passing a USB key around, there was a lot that could have gone wrong. I use my own computer, so that didn't come about.
But generally, when I get the key back from somebody, I'll then put it in and immediately wipe it, won't use any of the files off it, and then just put it back in my bag blank.
That way, if someone does run off with it, or someone says, hey, can I borrow a USB stick, I'll just give them that one.
If it's old, relatively low capacity, to be honest, I gave it to them if they never give it back to me, I'm not going to burst into tears. So that's what I do with my old USB keys.
I keep them around as kind of semi-expendables.
You must be pretty flush, Duck. You must be making a lot of cash over there at Sophos.
I've got several dollars a month.
I'll tell you the way I make money, Graham, is that when I do presentations, I don't use a funny voice when I'm talking about the people who've very kindly invited me to present.
I found that pays for several USB keys a decade. Just saying.
I'll tell you the way I make money, Graham, is that when I do presentations, I don't use a funny voice when I'm talking about the people who've very kindly invited me to present.
I found that pays for several USB keys a decade. Just saying.
Just FYI, Graham.
Carole, what have you got for us this week?
You guys have been around in the cyber biz for a long time, right? Like way, way longer than me.
Did you just use cyber as a noun?
Yeah. Yeah, actually no, it was an adjective. I appreciate the cyber biz.
Yeah, okay, just check. That's okay.
So welcome to the old school quiz game. Are you guys ready?
Oh, okay.
Question number 1: What does 31337 stand for?
It's the back orifice port. 31337.
It has an acronym that it stands for, doesn't it?
3-leet, man.
3-leet. And when was it invented? Do you have any idea on timing?
2000 and— no, earlier than that. 2001, I'm going to say. '98.
It'd be around the time that we started getting teh and prom for porn.
It's actually earlier than that. It's in the '80s, apparently. And who invented it? Any ideas?
Was it that guy who hacked Prince Philip? Tell me it was.
Oh, Chiffrim.
Yeah, Cult of the Dead Cow. I thought you guys would get that one.
In the '80s? I didn't know they were that— they've been going that long. I thought they were more of a late '90s, early '00s.
Very interesting you say that, because I think that's when they, you know, we started paying attention to them, as in our industry, right? So Cult of the Dead Cow formed in 1984.
This is the year Frankie Goes to Hollywood told the world to relax.
Cyndi Lauper told them that girls just wanted to have fun, and Wham!'s George Michael just wanted to be woken up before he go-go'd.
This is the year Frankie Goes to Hollywood told the world to relax.
Cyndi Lauper told them that girls just wanted to have fun, and Wham!'s George Michael just wanted to be woken up before he go-go'd.
Wasn't there a book about that, about 1983? Yeah, there was.
I don't know if many people have heard of it.
Now in the late '80s, this Cult of the Dead Cow, also known as CDC, basically organized and maintained a loose collective of affiliated bulletin board systems, or BBSs, across the US and Canada.
And these bulletin boards are kind of the geeky Reddit or Facebook of its day, an online discussion forum that allowed people to connect electronically. Did you guys use BBSs?
Now in the late '80s, this Cult of the Dead Cow, also known as CDC, basically organized and maintained a loose collective of affiliated bulletin board systems, or BBSs, across the US and Canada.
And these bulletin boards are kind of the geeky Reddit or Facebook of its day, an online discussion forum that allowed people to connect electronically. Did you guys use BBSs?
Absolutely. Of course you did.
Of course you guys did.
I want to hear Graham make a modem noise.
Did you do anything naughty on it ever?
Of course not. I once got acoustically coupled with Gwyneth Paltrow. But other than that, no, she got consciously uncoupled, didn't she, from Chris Martin.
Anyway, no, I didn't do anything naughty. I did used to log into bulletin boards and things back in.
Anyway, no, I didn't do anything naughty. I did used to log into bulletin boards and things back in.
Acoustic couplers are a thing.
So instead of connecting directly to the modem, you actually— yes, the modem actually played the noises and your phone listened to the noise and played it down the line.
So instead of connecting directly to the modem, you actually— yes, the modem actually played the noises and your phone listened to the noise and played it down the line.
And this was the thing, of course, because if you were living in a house which only had one phone line, if you were on the Internet, other people would pick up the phone to ring Auntie Marge and they'd just be hearing.
They'd say, get off the phone, you know.
They'd say, get off the phone, you know.
The CDC or the Dead Cow also published an underground ezine in the late '80s.
They also claim to have invented the term hacktivism, which is describing human rights-driven security work, or security quote unquote.
So this is all in the '80s now, and this is all going to become very relevant in a second.
Now, from the '90s onwards, the CDC started releasing tools, right, both for hackers and system administrators and for the general public.
They also claim to have invented the term hacktivism, which is describing human rights-driven security work, or security quote unquote.
So this is all in the '80s now, and this is all going to become very relevant in a second.
Now, from the '90s onwards, the CDC started releasing tools, right, both for hackers and system administrators and for the general public.
Now, were these— were the CDC bad guys, or were they just people just playing around with computers?
Well, I think we would have seen them as bad guys. So these guys are the guys behind BackOrifice, which we certainly saw as malware.
Yes, that was a tool for remotely accessing computers, wasn't it? Which could be used for naughty purposes.
And it was probably being adopted by malware authors, yeah.
The features in it were clearly there because it was, ha ha ha, look at how smarty pants we are.
It had a button where you could remotely eject the CD drive or you could swap the mouse buttons around. Why would you need to do that?
But it was this attempt to create tools that were, you know, I suppose a firearm or something.
It's kind of— it's just technology and it's kind of morally neutral on its own, and it's what you use it for.
To be honest, I always found the Cult of the Dead Cow— always, one of the guys is called Sadistic, wasn't he? Yes, he's the guy who did BackOrifice.
I always found it rather childish rather than criminal. It was just guys who had maybe needed to grow up a bit.
It had a button where you could remotely eject the CD drive or you could swap the mouse buttons around. Why would you need to do that?
But it was this attempt to create tools that were, you know, I suppose a firearm or something.
It's kind of— it's just technology and it's kind of morally neutral on its own, and it's what you use it for.
To be honest, I always found the Cult of the Dead Cow— always, one of the guys is called Sadistic, wasn't he? Yes, he's the guy who did BackOrifice.
I always found it rather childish rather than criminal. It was just guys who had maybe needed to grow up a bit.
Well, it's very interesting you say that because one of them has, hasn't he?
Just last week on Friday, Reuters issued a rather explosive article saying that popular Texas Democrat and 2020 presidential candidate Beto O'Rourke was once a member of the CDC.
Just last week on Friday, Reuters issued a rather explosive article saying that popular Texas Democrat and 2020 presidential candidate Beto O'Rourke was once a member of the CDC.
Cool name. Yeah, I love it. I'd vote for him on that name alone.
Well, let's see after I tell you a few things, if you would, because it'd be really interesting. Now, this is not someone dobbing him in.
He's kind of coming clean about his membership to the CDC way back then.
Now, a few things he reportedly admitted to doing whilst in the CDC, or Cult of the Dead Cow— CDC sounds like some Center of Disease Control.
He's kind of coming clean about his membership to the CDC way back then.
Now, a few things he reportedly admitted to doing whilst in the CDC, or Cult of the Dead Cow— CDC sounds like some Center of Disease Control.
Yes, Center of Disease Control.
Yeah. So he avoided big phone bills because of course he was doing mobile dial-up, right? So he admits to stealing internet at the...
And savvy teens, like you guys were talking about, like savvy teens learn techniques to get around the modem charges, right?
Such as phone company credit card numbers, getting those and having the 5-digit calling codes to place free calls. Because it cost a bomb, didn't it?
Like, you know, these calls would get hundreds of dollars at the end. Did you guys, you're old fogies, did you guys get any horrendous modem bills?
And savvy teens, like you guys were talking about, like savvy teens learn techniques to get around the modem charges, right?
Such as phone company credit card numbers, getting those and having the 5-digit calling codes to place free calls. Because it cost a bomb, didn't it?
Like, you know, these calls would get hundreds of dollars at the end. Did you guys, you're old fogies, did you guys get any horrendous modem bills?
Oh yeah, it used to get huge. It used to cost a huge amount here in the UK to get on the internet.
But I remember, I think in the United States, there were reports that people could get local dial-up access very, very cheap, or even maybe free on some plans.
That certainly didn't happen here in the UK. You paid through the nose to get on the internet.
But I remember, I think in the United States, there were reports that people could get local dial-up access very, very cheap, or even maybe free on some plans.
That certainly didn't happen here in the UK. You paid through the nose to get on the internet.
Yeah, because we did have local calls were free. But so you'd have to guess if you were in a big city, it would probably work well for you. But if you're in the country, it wouldn't.
Yeah. Right.
Yeah. Right.
Or if you wanted to connect to somebody's bulletin board interstate. So, you know, the bulletin board operators would try and exchange stuff.
And in many cases, they just mail copy disks to one another with like collections of software on, and then the other guy would upload it to avoid the toll charges.
But if you decided, if you were sitting in the UK and you decided, I want to dial up this US bulletin board because that's where all the cool stuff is and it hasn't got over the pond yet, then you had little choice but to dial up at, what would you get, 300 bits per second at international rates.
Yeah, it could add up pretty quickly.
And in many cases, they just mail copy disks to one another with like collections of software on, and then the other guy would upload it to avoid the toll charges.
But if you decided, if you were sitting in the UK and you decided, I want to dial up this US bulletin board because that's where all the cool stuff is and it hasn't got over the pond yet, then you had little choice but to dial up at, what would you get, 300 bits per second at international rates.
Yeah, it could add up pretty quickly.
Yeah. Beto was, you know, admitted to stealing modem connections, you know, basically, you know, ripping off the phone companies.
And he also admits to scouring the BBSs for pirated games so he could play them for free, he and his friends in the group. Now, he quit the Cult of the Dead Cow at age 18.
This was the year he enrolled into Columbia University, 1991. And as you alluded to, Duck, the '80s seemed really to be more about e-zines.
And yeah, Beto was quoted in the Reuters article as saying "There's just this profound value in being able to be a part of the system and look at it critically and have fun while you're doing it.
I think The Cult of the Dead Cow is a great example of that," unquote.
Now, it's an interesting thing to say, don't you think, for someone who's, you know, who's a presidential candidate? It's like he's trying to appeal to, like, Mr.
Robot lovers out there. Or does he just want all of his skeletons out of the closet?
And he also admits to scouring the BBSs for pirated games so he could play them for free, he and his friends in the group. Now, he quit the Cult of the Dead Cow at age 18.
This was the year he enrolled into Columbia University, 1991. And as you alluded to, Duck, the '80s seemed really to be more about e-zines.
And yeah, Beto was quoted in the Reuters article as saying "There's just this profound value in being able to be a part of the system and look at it critically and have fun while you're doing it.
I think The Cult of the Dead Cow is a great example of that," unquote.
Now, it's an interesting thing to say, don't you think, for someone who's, you know, who's a presidential candidate? It's like he's trying to appeal to, like, Mr.
Robot lovers out there. Or does he just want all of his skeletons out of the closet?
He wouldn't be the first presidential candidate linked potentially to hacking, however. Maybe this is something...
Yeah, actually, maybe he's got better credentials than maybe someone else who's been accused of it.
Yeah, actually, maybe he's got better credentials than maybe someone else who's been accused of it.
What I was surprised to hear is that he seems to think that this is a great education into understanding modern computer systems and cybersecurity.
That's what worries me, is that I think he's— it sounds like he's got this idea that it's all like it was in the 1980s with modems going— Graham did a— so I think he'd say, yeah, we've moved on and I've moved on and I think I've got bigger things to worry about now.
That's what I'd want to hear him say.
That's what worries me, is that I think he's— it sounds like he's got this idea that it's all like it was in the 1980s with modems going— Graham did a— so I think he'd say, yeah, we've moved on and I've moved on and I think I've got bigger things to worry about now.
That's what I'd want to hear him say.
You're absolutely right, because his attitude seemed to have changed slightly following the Twitter storm that ensued upon Reuters publishing this article.
He said, it was something I was part of as a teenager, referring to the Cult of the Dead Cow, not anything I am proud of today. So that's exactly what you want to hear.
He was just a bit late at saying that.
He said, it was something I was part of as a teenager, referring to the Cult of the Dead Cow, not anything I am proud of today. So that's exactly what you want to hear.
He was just a bit late at saying that.
And I heard there's also been some fallout against the newspaper because they're saying, well, why did the journalists keep this quiet until after the election, back in November?
Well, yes, because this is all an excerpt from an upcoming book called Cult of the Dead Cow. So I was thinking exactly the same thing.
This journalist has been working on this for some time and hasn't brought it up until now. Now, the book is scheduled to be published in June. He's made a lot of cash.
And you're right, it's a bit interesting that he's waited and whether that was the ethical thing to do.
This journalist has been working on this for some time and hasn't brought it up until now. Now, the book is scheduled to be published in June. He's made a lot of cash.
And you're right, it's a bit interesting that he's waited and whether that was the ethical thing to do.
Well, my understanding is that Joseph Mann, who's the journalist, he wasn't able to get anyone to confirm on the record as to whether Beto was the guy who used to be in the Cult of Dead Cow until the election had already passed.
Well, good for them, I think. You know, so no one was prepared to talk. And so he kind of did a deal and said, look, after the election, Will you let me interview you about it?
Well, good for them, I think. You know, so no one was prepared to talk. And so he kind of did a deal and said, look, after the election, Will you let me interview you about it?
It's a little bit like when someone finds a bug and then they kind of hold on to it for the highest bidder and you think, I wish you hadn't done that, but I kind of can't, given that bugs now have a value and you're allowed to sell them on the open or the private market.
I can't really blame you for it. You know, if the journo went too early, then he'd burn his book.
And but now maybe he figured, oh golly, like if someone scoops me to this news before my book comes out in June, I'll undermine myself. So I have to pick the right time.
I guess he's allowed to do that, isn't he?
I can't really blame you for it. You know, if the journo went too early, then he'd burn his book.
And but now maybe he figured, oh golly, like if someone scoops me to this news before my book comes out in June, I'll undermine myself. So I have to pick the right time.
I guess he's allowed to do that, isn't he?
What's like Roger Stone, right?
He's putting out a book now, and he's gonna, you know, he's facing prison time, which is really, you know, it's crazy the whole way people are using books.
He's putting out a book now, and he's gonna, you know, he's facing prison time, which is really, you know, it's crazy the whole way people are using books.
Is this really the worst thing in the world though, that he used to be in the Cult of the Dead Cow? Is this something really for people to get upset about?
Because it seems to me the typical politician would have done much worse things during their teenage years, like get dressed up in a KKK outfit or blackface themselves up, or who knows what.
Because it seems to me the typical politician would have done much worse things during their teenage years, like get dressed up in a KKK outfit or blackface themselves up, or who knows what.
He's not running for president.
Well, whatever it is, you know, those are sort of things which people often will get outraged about. It sounds like this is a group which didn't really do that much.
And yes, so he may know more about computing than the typical politician, which may be no bad thing.
And yes, so he may know more about computing than the typical politician, which may be no bad thing.
Yeah, exactly. Understanding technology is one of those things that you do want policymakers and politicians to understand better. I certainly do.
So I don't think Beto O'Rourke is like the new Julian Assange either, right? Can you imagine him running for president?
So I don't think Beto O'Rourke is like the new Julian Assange either, right? Can you imagine him running for president?
I mean, he's welcome to travel to the United States to register his interest.
Yeah, but we were, we eagerly await—
My understanding is that he was born in the Commonwealth of Australia and therefore he is ineligible to be President of the United States of America.
Yes, by constitutional affirmation or something. Just like Schwarzenegger. Yeah, exactly the same. Australia. They're easily mixed up.
Yes, by constitutional affirmation or something. Just like Schwarzenegger. Yeah, exactly the same. Australia. They're easily mixed up.
If you're baffled by threat intelligence and how it might be able to help secure your company, the Threat Intelligence Handbook from Recorded Future is the book for you.
It'll tell you what threat intelligence is and what it isn't, and you'll learn how other firms are applying threat intelligence inside their organizations.
Grab it now for free at smashingsecurity.com/intelligence. And welcome back.
Can you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week.
It'll tell you what threat intelligence is and what it isn't, and you'll learn how other firms are applying threat intelligence inside their organizations.
Grab it now for free at smashingsecurity.com/intelligence. And welcome back.
Can you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week.
Do I have to do that as well? Say it in that funny voice. How many times?
Any voice you like. Pick of the Week.
Beautiful. Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
It should not be.
Now, my Pick of the Week this week is a documentary, which you can watch in a number of places. I watched it on Netflix and it is a documentary called Behind the Curve.
And this documentary is about people who believe that the Earth, which we're all living on, is flat. Not all of us.
And this documentary is about people who believe that the Earth, which we're all living on, is flat. Not all of us.
Some of us—
What, not all of us on the show?
How do you know you don't have listeners on the International Space Station? Be nice.
Yeah.
Anyway, get in touch if you are.
So this is a documentary which takes us behind the scenes of the apparently growing flat Earth community.
The internet has put these people in touch with each other, and they are preparing during the course of the documentary for their first ever Flat Earth International Conference.
The internet has put these people in touch with each other, and they are preparing during the course of the documentary for their first ever Flat Earth International Conference.
Okay, can you explain to me how someone can be a flat earther? Do they literally believe this, or is this some kind of metaphysical concept? No, they really believe it.
They believe—
They think there's an edge.
They believe that there is an edge and that basically there's a great big dome surrounding the edge, so that the circumference is basically Antarctica.
So there's a great big wall of ice where you can't get past any further, and then there's this sort of hemispherical dome above us, and so things like the sun and the moon and the stars are sort of projected onto the dome.
For what reason, we know not.
So there's a great big wall of ice where you can't get past any further, and then there's this sort of hemispherical dome above us, and so things like the sun and the moon and the stars are sort of projected onto the dome.
For what reason, we know not.
Do they have a single cosmological view?
I mean, does the Earth have to be flat like a disc and round with Antarctica at their edge, or could it just be maybe like a kind of flattish, bulgy pancake that's a bit thicker in the middle and you kind of— like, there is an underside which is, say, where Australia is, and you know, you— so there isn't— it doesn't have to be an edge, does there?
But it could be quite flat.
I mean, does the Earth have to be flat like a disc and round with Antarctica at their edge, or could it just be maybe like a kind of flattish, bulgy pancake that's a bit thicker in the middle and you kind of— like, there is an underside which is, say, where Australia is, and you know, you— so there isn't— it doesn't have to be an edge, does there?
But it could be quite flat.
In the documentary, there's no sort of underneath, as it were.
There's no sort of— I mean, Australia is there, but obviously the map of the world is slightly different than what we may be familiar with.
There's no sort of— I mean, Australia is there, but obviously the map of the world is slightly different than what we may be familiar with.
So you could fall off the edge?
Well, no, because you're inside the dome. Think of The Truman Show. That's basically the principle.
I'm pretty sure in The Truman Show, in the end, he opens a little hatch and goes outside.
He does, and they would love to do that as well.
And then what happens? You go up or down?
Well, some people believe that the world is then repeated, and so rather like parallel universe, you know, all these different universes, you enter another ice zone which ultimately becomes another flat world.
But it will surprise you to hear that there are counter theories and there are schisms inside the flat Earth community, and some of them do not like the other flat earthers.
Now, one of the stars of this documentary is a woman who runs a YouTube channel.
Her name is Patricia Steere, and she has been accused by some of the other flat earthers of being a CIA operative who is giving what they believe not to be the true flat earth message.
But it will surprise you to hear that there are counter theories and there are schisms inside the flat Earth community, and some of them do not like the other flat earthers.
Now, one of the stars of this documentary is a woman who runs a YouTube channel.
Her name is Patricia Steere, and she has been accused by some of the other flat earthers of being a CIA operative who is giving what they believe not to be the true flat earth message.
Now, she's put a slight bend in the message.
One of the accusations against her by these people is that they can tell she's a CIA operative who is steering people in a particular way because her surname is Steer and the last 3 letters of her name, Patricia, are CIA.
So these are— Oh, so clever. So clever. It's genius, isn't it? It was there all along. That's a complete genius.
Now, it's easy when you watch the trailer to think this is just a documentary taking the mickey out of these people and their beliefs.
And the trailer doesn't really give an accurate view. There is some comedy in it. In the documentary, and you do chuckle at some of these things.
So these are— Oh, so clever. So clever. It's genius, isn't it? It was there all along. That's a complete genius.
Now, it's easy when you watch the trailer to think this is just a documentary taking the mickey out of these people and their beliefs.
And the trailer doesn't really give an accurate view. There is some comedy in it. In the documentary, and you do chuckle at some of these things.
You've bought in, haven't you?
No, no, no, I haven't. But you sound very sympathetic.
What I liked about the documentary is it does make something of a compelling case for empathy and dialogue with people who hold vastly different views from yourself.
And rather than ridiculing these people, it does discuss the importance of actually communicating with them.
What I liked about the documentary is it does make something of a compelling case for empathy and dialogue with people who hold vastly different views from yourself.
And rather than ridiculing these people, it does discuss the importance of actually communicating with them.
I just suppose you could be— you could— I mean, maybe you don't think it's completely flat. Maybe it sort of bends off at the edges.
Maybe it's more like a very, very, very long rugby ball or something. I don't know.
But I suppose that you could think that the Earth is flat and still travel around it and, you know, contribute decently.
And you could still think that it's a bad idea to pollute the Earth and waste its resources, be cruel to people and shoot animals for no reason, all that stuff.
So, you know, maybe it's not all bad.
Maybe it's more like a very, very, very long rugby ball or something. I don't know.
But I suppose that you could think that the Earth is flat and still travel around it and, you know, contribute decently.
And you could still think that it's a bad idea to pollute the Earth and waste its resources, be cruel to people and shoot animals for no reason, all that stuff.
So, you know, maybe it's not all bad.
They think all the images from space are faked?
Well, it always shows a circle.
That's all faked. That's all faked. You can't trust that. They didn't go up there.
And apparently the claim is that in the '50s, the Americans were putting up lots of sort of nuclear weapons into the atmosphere trying to burst through the dome, and they didn't succeed.
And yeah, all of that apparently— It's faked. They do some scientific tests to try and prove that it is flat during the course of the documentary, and they fail.
But the justification which they give for it, because they won't accept that their scientific tests are failing, and they say, well, we have to do more tests because something must have gone wrong, because they're so, so tied.
And apparently the claim is that in the '50s, the Americans were putting up lots of sort of nuclear weapons into the atmosphere trying to burst through the dome, and they didn't succeed.
And yeah, all of that apparently— It's faked. They do some scientific tests to try and prove that it is flat during the course of the documentary, and they fail.
But the justification which they give for it, because they won't accept that their scientific tests are failing, and they say, well, we have to do more tests because something must have gone wrong, because they're so, so tied.
Who's funding all this? I suppose they are.
That would be an interesting question.
Well, but anyway, the reason why Behind the Curve is my pick of the week is because I think it sends us an important message about how we can communicate with people who have different points of view.
After all, the world is becoming more polarised, isn't it?
After all, the world is becoming more polarised, isn't it?
What has happened to you? This is the first— this is the first week you've ever talked about empathy in your life.
You are probably the person who has the least amount of empathy of anyone in my circle of friends. Do you not agree with that? So you've had a revelation.
This is an epiphany moment for you.
You are probably the person who has the least amount of empathy of anyone in my circle of friends. Do you not agree with that? So you've had a revelation.
This is an epiphany moment for you.
Okay, good. Charming, charming. Duck, what's your pick of the week?
Well, I want to keep it a little bit scientific and have a bit of a laugh. Last Friday, oh yes, it was. I've been looking forward to that.
Did I hear you mention the word empathy earlier? Does empathy mean when you take the piss out of somebody, as long as you giggle a little bit, that makes it okay?
Did I hear you mention the word empathy earlier? Does empathy mean when you take the piss out of somebody, as long as you giggle a little bit, that makes it okay?
Yes, we're on a funny show. That's what we do.
Oh, you're taking his side?
No, I'm taking your side. I'm on your side, Duck. Tell me about Google.
Okay. What's the— Oh, well, yeah, Google do come into this.
Last Friday was 3/14 in American notation because they got this weird way of doing dates where they go month, day, year, so that it's completely illogical and it suits very badly.
Yeah, it's a bad way of doing it, but I can live with it.
Last Friday was 3/14 in American notation because they got this weird way of doing dates where they go month, day, year, so that it's completely illogical and it suits very badly.
Yeah, it's a bad way of doing it, but I can live with it.
In the UK, it should really be the 22nd of July, shouldn't it? 22/7.
Well, or the 355th of the 113th month. You can— so it's a bit of a joke that 3.14 is Pi Day, 3.14 being approximately pi.
And so there's a chance for a lot of fun coming out in that. As Graham said, well, what if it was 22/7, because 22 over 7 is kind of approximately pi.
Unfortunately, some people think it is pi, and of course that's a problem. You can never— it's one of those things where no matter how hard you can try, you can never get there.
But a Googler apparently used Google's cloud to compute pi to the most decimal digits ever, and they delayed their announcement and their verification until Pi Day, and they computed 10 times pi times 1 trillion digits.
Wow. So 31 trillion, 400 billion digits of pi, for no reason other than they could.
And so there's a chance for a lot of fun coming out in that. As Graham said, well, what if it was 22/7, because 22 over 7 is kind of approximately pi.
Unfortunately, some people think it is pi, and of course that's a problem. You can never— it's one of those things where no matter how hard you can try, you can never get there.
But a Googler apparently used Google's cloud to compute pi to the most decimal digits ever, and they delayed their announcement and their verification until Pi Day, and they computed 10 times pi times 1 trillion digits.
Wow. So 31 trillion, 400 billion digits of pi, for no reason other than they could.
Could you read out those digits for us, Duck? These trillion numbers, just to—
3.141715. Actually, I did write a little article on Naked Security which I entitled Serious Security.
It's an occasional series I do where we try and get people to see some, you know, take something that's apparently quite lighthearted but see the serious side in it.
The message that you can take out of this is that the thing with pi is no matter how hard you try, you'll never actually compute it because it's what's called an irrational number.
It never— you can't create a fraction that uniquely determines it, and you don't need to because you can perform mathematical operations by just calling it pi and working with it.
And so if you are a computer programmer, be very, very careful about taking things which are inherently approximations, like floating-point numbers that represent a value, and then presenting them to the world as though they were exact results, because therein lies inaccuracy and crazy answers.
All right. It's a very good point. Very serious.
It's an occasional series I do where we try and get people to see some, you know, take something that's apparently quite lighthearted but see the serious side in it.
The message that you can take out of this is that the thing with pi is no matter how hard you try, you'll never actually compute it because it's what's called an irrational number.
It never— you can't create a fraction that uniquely determines it, and you don't need to because you can perform mathematical operations by just calling it pi and working with it.
And so if you are a computer programmer, be very, very careful about taking things which are inherently approximations, like floating-point numbers that represent a value, and then presenting them to the world as though they were exact results, because therein lies inaccuracy and crazy answers.
All right. It's a very good point. Very serious.
Nothing wrong with being serious. We learned something. A very empathetic response, Graham.
Yeah, I noticed that. You know what you guys can do with your empathy?
Carole, what's your pick of the week?
So I like to draw. Well, I like to doodle really, right? And I have no formal training at drawing or doodling.
And someone recently asked me to draw a box, like a cube thing, and I did, and it was horrific.
So I scoured the web and I found this— about 10 seconds— this website called drawabox.com. And DrawABox provides some great free tutorials on the basics of drawing.
I found this guy's approach to videos and tutorials really refreshing.
There's no real ad or sales pitch, you know, basically you never see him, you just see the paper and you see the lessons.
And after following a few lessons, I can draw a pretty darn good box. One of the exercises now that I'm facing is trying to draw 250 boxes. That's a lot of boxes. I've done about 50.
I'm not sure I'll ever finish, but it doesn't matter because now I can draw a pretty darn good box.
And someone recently asked me to draw a box, like a cube thing, and I did, and it was horrific.
So I scoured the web and I found this— about 10 seconds— this website called drawabox.com. And DrawABox provides some great free tutorials on the basics of drawing.
I found this guy's approach to videos and tutorials really refreshing.
There's no real ad or sales pitch, you know, basically you never see him, you just see the paper and you see the lessons.
And after following a few lessons, I can draw a pretty darn good box. One of the exercises now that I'm facing is trying to draw 250 boxes. That's a lot of boxes. I've done about 50.
I'm not sure I'll ever finish, but it doesn't matter because now I can draw a pretty darn good box.
And these aren't all cubes?
No, no, they're not perfect cubes. So you can do them with 1, 2, or 3 perspectives. See, these are things I now understand how to do, and it's kind of cool.
It's just a good way, you know, there's people that go out there and they buy these little coloring books, meditative coloring books. Don't do that.
Just go to Draw a Box and learn an actual skill. You can draw already, she says empathetically.
It's just a good way, you know, there's people that go out there and they buy these little coloring books, meditative coloring books. Don't do that.
Just go to Draw a Box and learn an actual skill. You can draw already, she says empathetically.
Can you— can I ask you, can you draw a sphere?
Yes, I've been working on hatching recently.
Oh, I love a bit of hatching. So, let me ask you a question. So you draw a sphere, and there it is, nice sphere. It's round, it's a globe, right?
I know where you're going because I know you so well.
Answer me this. Is it flat or is it not?
It is not flat if I do bright shading. If I do bad shading, it looks like a scribble.
But when you cut it out with a pair of scissors, does it actually turn into a ball?
You're right, I've changed sides.
And does it have ice all around it? You might have to leave it in the freezer for a while for that.
Well, thank you. Also, that's drawabox.com.
It's a good way to learn a new skill.
A great pick of the week there. Well, that just about wraps it up for this week, Duck. I'm sure lots of listeners would love to hear more of pi to various digits.
So how should people follow you online? What's the best way to do that? The best way is Twitter @duckblog. Fantastic. And you can follow us on Twitter @SmashingSecurity, no G.
Twitter won't allow us have a G. And you can continue the discussion with us about the show on Reddit. Quickest way to find us up there is to go to smashingsecurity.com/reddit.
So how should people follow you online? What's the best way to do that? The best way is Twitter @duckblog. Fantastic. And you can follow us on Twitter @SmashingSecurity, no G.
Twitter won't allow us have a G. And you can continue the discussion with us about the show on Reddit. Quickest way to find us up there is to go to smashingsecurity.com/reddit.
And high fives to this week's Smashing Security sponsor, Recorded Future. Its support helps us give you this show for free. And fist bumps to all of you, our wonderful listeners.
If you like what you hear and you want to help us grow, leave us a review. It really, really helps.
If you like what you hear and you want to help us grow, leave us a review. It really, really helps.
Until next week. Cheerio. Bye-bye. Toodaloo.
You guys swapped roles. Aha.
Sometimes we do. Crazy. Okay. What do you know pi to?
Me? I don't know that many. Come on. I could do 3.1415926535. 8. It's pretty good. Isn't it?
3.1415972, or have I read that off my calculator?
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
Paul Ducklin – @duckblog
Show notes:
- 'It's like Uber, but for weed': Meet the man who revolutionized Israel's pot trade — Haaretz.
- Israel Police arrest top members of Telegrass online drug ring — Haaretz.
- Sources: Telegrass head cooperating with police — YNet News.
- You left WHAT on that USB drive?! — Naked Security.
- Cult of the Dead Cow — Wikipedia.
- Back Orifice — Wikipedia.
- Beto O’Rourke’s secret membership in America’s oldest hacking group — Reuters.
- Beto O’Rourke acknowledges involvement with hacking group as teen — The Texas Tribune.
- Behind the Curve.
- Behind the Curve – Official Release Trailer — YouTube.
- Serious Security: What we can all learn from PiDay — Naked Security.
- Drawabox — A free, exercise based approach to learning the fundamentals of drawing.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsor: Recorded Future
For anyone who is baffled by threat intelligence, and the benefits that it can bring to your company, this is the book for you.
“The Threat Intelligence Handbook” is an easy-to-read guide will help you understand why threat intelligence is an essential part of every organisation’s defence against the latest cyber attacks.
Download it for free at smashingsecurity.com/intelligence
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
