Unknown
When you press Caps Lock, your Caps Lock light comes on, and as does Num Lock or Scroll Lock. Why they even bother putting Scroll Lock on keyboards, I've got no idea.
But anyway, basically it's like a disco going on in your house, isn't it? It's crazy. You must have so much fun there with your husband. Well, I don't need to know the details, Maria.
Smashing Security, Episode 137: Porn Trolling Lawyers. Instahacking and Ctrl+Alt+LED with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 137. My name is Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
Hello, Carole.
CAROLE THERIAULT
Hello, Graham.
GRAHAM CLULEY
Welcome back from Canada. We missed you. I'm sure someone missed you anyway.
CAROLE THERIAULT
Well, yeah, it's great to be back. I'm jet-lagged as anything, so forgive any—
GRAHAM CLULEY
Mind you, you were on the show, so it's not like anyone who listened to the show missed you.
CAROLE THERIAULT
No, they don't miss me at all. You in fact don't miss me. No one missed me.
GRAHAM CLULEY
I'll tell you who I have been missing.
CAROLE THERIAULT
Who have you been missing?
GRAHAM CLULEY
That lovely Maria Varmazis.
CAROLE THERIAULT
She's the best. Where is she?
GRAHAM CLULEY
When's she going to come back on the show? Wouldn't that be great?
CAROLE THERIAULT
She's going to come on.
GRAHAM CLULEY
Oh, she'd be wonderful, wouldn't she? If only she were. Hang on a minute. Who's that? Who's that on the interwebs?
CAROLE THERIAULT
Who's that knocking at our digital virtual door?
MARIA VARMAZIS
Who's that who forgot her mute button was on her mic this entire time and has been talking to the two of you wondering why you've been ignoring her.
GRAHAM CLULEY
Hi. Carole, keep on ignoring, keep on ignoring.
MARIA VARMAZIS
Oh, shit. Mine blinks at me when it's on mute, and even then I didn't notice that I was muted. So, hi.
CAROLE THERIAULT
Okay, this is great. So I'm jet-lagged, Maria's obviously insane. This is going to be a great show.
GRAHAM CLULEY
Well, I'll tell you what has changed is that now Smashing Security is on Patreon. Is it Patreon or Patreon?
CAROLE THERIAULT
Who cares? It's exciting.
GRAHAM CLULEY
It is exciting. If you want to support us, go and check us out on Patreon, and we'll talk a little bit more about that maybe at the end of the show.
CAROLE THERIAULT
The very end.
GRAHAM CLULEY
At the very, very end.
CAROLE THERIAULT
Just for those who really want to listen.
GRAHAM CLULEY
The real addicts.
CAROLE THERIAULT
Yeah, the real cool fans.
MARIA VARMAZIS
The patrons.
GRAHAM CLULEY
What else have we got coming up on the show this week?
CAROLE THERIAULT
Well, first, high five to this week's sponsors, LastPass and MetaCompliance. Their support helps us give you this show for free.
And on today's show, Graham looks to the keyboard for crazy malicious shenanigans. That's difficult to say. Maria waxes lyrical about a recent Insta snafu.
And I see just what kind of judges Maria and Graham would make were they in charge of punishing scammers. All this and heaps more coming up on this episode of Smashing Security.
MARIA VARMAZIS
We're in the hot seat again with your segment? Again?
GRAHAM CLULEY
Okay, chaps, chaps, chaps. I want you to picture the scene, right? You are Tom Cruise.
GRAHAM CLULEY
Imagine the thing. What?
MARIA VARMAZIS
That's not much of a leap to get there.
CAROLE THERIAULT
Yeah, weirdo. Who stars in movies I don't like.
GRAHAM CLULEY
Well, okay, look—
MARIA VARMAZIS
He's about my height though, so—
GRAHAM CLULEY
Well, you're probably slightly taller than the real Tom Cruise. I think he comes in at about 4'9" or something.
CAROLE THERIAULT
He wears Cuban heels, I'm sure.
GRAHAM CLULEY
Not just Cuba under there. He's got Dominican Republic. He's got all kinds of stuff going on under his shoes.
Anyway, Tom Cruise, or rather his Mission: Impossible alter ego, Ethan Hunt.
CAROLE THERIAULT
Say that carefully.
GRAHAM CLULEY
You, please. You are an International Woman of Mystery, and you like nothing better than to jump out of a plane at 35,000 feet extolling the virtues of L. Ron Hubbard while having a fish tank explode behind you.
CAROLE THERIAULT
Did you watch the highlights of the movie just to get all those scenes?
CAROLE THERIAULT
Excellent. Okay, good.
GRAHAM CLULEY
It's famous now. Getting my seatons ready.
GRAHAM CLULEY
I'm sure Operation Clambake.
I'm sure you may remember, in the Mission: Impossible movie, even if you haven't seen it, the famous scene where he's trying to get some data off an air-gapped computer.
CAROLE THERIAULT
Oh, and he's dropped like a fish?
GRAHAM CLULEY
Yes, he's sprawled out, isn't he? Exactly.
CAROLE THERIAULT
Copyright, copyright.
MARIA VARMAZIS
Oh shit. America.
GRAHAM CLULEY
Now anyway, you remember, right? He's trying to get the data off there, right?
And in the movie there are lasers, probably, pressure pads and temperature sensors, and the whole caboodle is dangled by wires and lowered from the ventilation shaft by Jean Reno.
Very sexy Jean Reno, isn't he? If you like that sort of thing.
CAROLE THERIAULT
Bonjour, bonjour.
GRAHAM CLULEY
Swarthy Frenchman. And—
GRAHAM CLULEY
He has just seconds to spare before the spod comes back in to deal with the computer.
Anyway, but he manages to shove his USB stick into the computer, nab the data, and vrrrt, scarper. Huzzah, success.
Now, these air-gapped computers are something which have caught the attention over the years of a bunch of researchers at the Ben-Gurion University of the Negev in Israel.
GRAHAM CLULEY
I've been looking up ways—
CAROLE THERIAULT
I've not heard of it before.
GRAHAM CLULEY
Have you not? They're quite big in the world of cybersecurity. Yeah. They really are. They do really funky research into crazy shit.
GRAHAM CLULEY
Including getting data off air-gapped computers. Now, on this particular occasion, the new research which they published—
GRAHAM CLULEY
Is all about trying to steal data, but doing it via the keyboard. So I want you to look at the keyboards in front of you, right?
Now, if you've got an old-fashioned sort of PC keyboard, you know, the type with a number pad, you've probably got buttons with weird words on them like Print Screen, SysRq, and Scroll Lock.
Has anyone ever used the Scroll Lock button?
MARIA VARMAZIS
Not in a long time.
GRAHAM CLULEY
Pause, break. On a regular-sized PC keyboard, you'll see some of that.
And right up there in the top right next to it, you'll see 3 little lights quite often, which are the scroll lock, the num lock, and the caps lock.
CAROLE THERIAULT
Do you have one of these keyboards? 'Cause—
GRAHAM CLULEY
Oh, I'll have one somewhere in the office.
MARIA VARMAZIS
Yeah. I'm using one right now.
GRAHAM CLULEY
There you go.
GRAHAM CLULEY
You're a big fan of the mechanical keyboard, aren't you?
MARIA VARMAZIS
I'm a dork for them. Yes, I am.
GRAHAM CLULEY
Yes. So yours has these lights and things, does it?
MARIA VARMAZIS
It does. And it also has rainbow LEDs underneath it that are constantly changing.
CAROLE THERIAULT
I love Maria so much.
MARIA VARMAZIS
So my husband and I in the same room have mechanical keyboards. So the two of us typing at the same time, it's this amazing cacophony. Anyway.
GRAHAM CLULEY
There's just so much racket going on.
MARIA VARMAZIS
It's true. I love it. Murder, She Wrote.
GRAHAM CLULEY
So as you know, and for people who don't have this kind of keyboard—
CAROLE THERIAULT
Normal people.
GRAHAM CLULEY
Damn it. When you press Caps Lock, your Caps Lock light comes on, and as does Num Lock or Scroll Lock. Why they even bother putting Scroll Lock on keyboards, I've got no idea.
But anyway, basically it's like a disco going on in your house, isn't it? It's crazy. You must have so much fun there with your husband. Well, I don't need to know the details, Maria.
CAROLE THERIAULT
Yeah, yeah, yeah. She has normally the life of a swamp rat, so when she sees a few lights on her keyboard, she goes insane.
MARIA VARMAZIS
Completely. You nailed it.
CAROLE THERIAULT
I'm sorry for Graham.
GRAHAM CLULEY
These Israeli researchers, they say that this is the way in which data could be stolen from a computer. What they're saying is this.
If there was malware on the computer which could access data, but because it's air-gapped, because it's not connected to the internet or other networks, it doesn't have a way of sending the data it wants to steal back to the evil hacker overlord, because there's no internet connection, what it can do is this.
It can take data which it wants to exfiltrate, it can encode the data into 3-bit chunks.
So every little byte of data, which normally is about 8 bits or something, it makes it into chunks of 3 bits instead. So it'll be something like 000, right?
If you imagine it in binary or 001. 0, 1, 0, 1.
MARIA VARMAZIS
Because 0 and 1 are the— yeah.
GRAHAM CLULEY
Exactly. 0s are off and 1 means lit. So imagine those numbers being the lights on your keyboard right now, Maria, right now in front of you.
You maybe got Caps Lock on or something like that.
MARIA VARMAZIS
Yeah, mine goes through all those colors. It doesn't do this fancy stuff.
MARIA VARMAZIS
Okay. It's right now, it's a purpley pink. So I don't think that's very helpful for Ben-Gurion research.
GRAHAM CLULEY
Okay. Okay. Maybe you've come up with a defense. I don't know.
MARIA VARMAZIS
Yes, I was going to suggest this.
GRAHAM CLULEY
But normally, on most people's keyboards, it would come up maybe a green LED, and that means that that particular light is on, right?
And if someone could see, or even better, record those lights flickering on and off as the malware tells each one of those lights to turn on or off to signify different characters.
MARIA VARMAZIS
It basically slowly spells it out for you.
GRAHAM CLULEY
Yeah, yeah, yeah.
CAROLE THERIAULT
Holy moly, you really wanna get on this machine, eh?
GRAHAM CLULEY
Carole, this is Israeli researchers. This is gonna be serious state-sponsored cybercrime, right? That's why they're being tasked to do this.
Either they're investigating it to protect themselves, or they're investigating it 'cause they want to do this against other countries.
CAROLE THERIAULT
I just would expect someone of that level of security to want to not use an old-style IBM computer.
MARIA VARMAZIS
What? Well, these are the guys that did the research about the fan. They did sort of something similar, data exfiltration with a fan, right?
GRAHAM CLULEY
That's right. They sped up and slowed down the fan, and then by the sound of the fan changing on computers, they were able to get data.
MARIA VARMAZIS
That's my favorite.
GRAHAM CLULEY
They've used radio waves in the past. They've used the PC speaker.
CAROLE THERIAULT
But did they release these exploits or did they just say, "We can do it"?
GRAHAM CLULEY
No, they've put together a research paper, which I'll link to in the show notes. And they called this technique, this is quite punny, this is a bit of a dad joke, Ctrl+Alt+LED.
Rather than Del, rather than Ctrl+Del, you got LED, you see? Very clever. But the idea is—
CAROLE THERIAULT
I didn't need really an explanation.
CAROLE THERIAULT
Thanks, Graham.
MARIA VARMAZIS
The morons in the audience that need to be there.
GRAHAM CLULEY
No one needs to be in the room. You don't need to get Tom Cruise into the room to watch this, because what if a hacker was able to hack the CCTV camera?
CAROLE THERIAULT
There's a lot of what-ifs here.
GRAHAM CLULEY
Oh yes, of course there are. In the air-gapped room and record the LEDs when they're sending the information. So it's quite interesting.
Now, before you start sticking gum over your keyboard or honey or whatever—
CAROLE THERIAULT
Yeah, that's exactly what I was about to do. Yeah, I was just pouring the treacle now, Graham.
MARIA VARMAZIS
The mitigation is electrical tape.
GRAHAM CLULEY
There are, yes. Well, there are some things that you should bear in mind. One is, how did the malware get on the air-gapped computer in the first place?
GRAHAM CLULEY
If it was air-gapped, you know, was it planted there by a cleaner or a rogue employee, or did they leave a USB stick in the car park and someone plugged that in?
Or, you know, so this is always—
CAROLE THERIAULT
It's quite a huge barrier though, right?
GRAHAM CLULEY
It is a huge, I totally agree.
And I always think this, whenever I see research from this particular group, you know, I think that's very clever, but how did you get the malware on to start beaming out the data via the keyboard or via the fan in the first place?
MARIA VARMAZIS
Well, that's where you go to their social engineering department and find out.
GRAHAM CLULEY
Do you know what?
MARIA VARMAZIS
Do you know what?
CAROLE THERIAULT
Actually, I bet they do some seriously great stuff, but if they want to have any press, they have to do crazy stuff like this in order to get journalists to pay attention because it's easy to explain, it's sensationalist.
And then people like you, Graham, go, woo-woo, look what these guys can do.
MARIA VARMAZIS
You're part of the problem. Yeah.
CAROLE THERIAULT
And unfortunately, if you look a little deep and you scratch the surface, this kind of threat, whilst it sounds really scary, is pretty hard to pull off.
GRAHAM CLULEY
I would certainly say to people, don't be afraid of this.
CAROLE THERIAULT
Good, I agree.
GRAHAM CLULEY
I think this is interesting technically, and it's cool from that point of view.
But anyone who was able to plant the malware in the first place could potentially have stolen data from those computers at the same time, couldn't they?
CAROLE THERIAULT
Yeah, you should be about as afraid of this as a baby little Tom Cruise flying down from your ceiling, landing in your sitting room.
GRAHAM CLULEY
I actually find the idea of a tinier Tom Cruise scarier than the— The one you can see through.
MARIA VARMAZIS
Like a toddler-sized Tom Cruise.
GRAHAM CLULEY
Yes, that's a horrendous thought. Now there are some other things they said.
CAROLE THERIAULT
Jackie Stiles.
GRAHAM CLULEY
They said, well, what if there aren't any hackable CCTV cameras in the room? And they said, well—
CAROLE THERIAULT
What if?
GRAHAM CLULEY
Maybe there's a window. Maybe.
MARIA VARMAZIS
That air-gapped room has a window?
GRAHAM CLULEY
Maybe it doesn't open, but maybe it offers a lovely view of an attractive water feature, and you could use a long-range camera. Or they said—
CAROLE THERIAULT
Sounds like, what's that show, CSI? It's like, magnify, magnify.
GRAHAM CLULEY
Enhance. Or maybe, the researchers postulated, someone could enter the room wearing a video camera, or even their smartwatch could record the flickering LEDs.
And the key thing, they say, is the quality of the camera, because CCTV cameras typically record at 30 frames per second, but your smartphone or your watch potentially could capture more frames per second, which means you can grab more data and more reliably.
CAROLE THERIAULT
Yeah, I just don't think I'm the right audience for this one.
CAROLE THERIAULT
Fun, but whatever.
GRAHAM CLULEY
Anyway, so as you've probably guessed, there are some countermeasures if you are worried. Don't allow people into the room if they've got smartphones and smartwatches and cameras.
Ban them from your secure room. Put some sticky tape over the LEDs or even disconnect them entirely.
MARIA VARMAZIS
Just put a little Post-it note over it.
GRAHAM CLULEY
Maybe put curtains over the windows.
MARIA VARMAZIS
Don't put your air-gapped shit in a room with a window might be the first thing.
GRAHAM CLULEY
Maria, from your mechanical keyboard, tell us what you've got for us this week.
MARIA VARMAZIS
My story comes by way of a security researcher and bug bounty hacker who found bugs in Facebook code. Because I have to talk about Facebook, right?
I'm contractually obliged every time I come on the show. So this researcher's name is Lakshman Mutia, and I hope I pronounce his name correctly.
And he has found bugs in Facebook's code many times, and he's made some money from this.
And this week he did it again, and he published the details of how he earned $30,000 from a bug bounty from Facebook for finding a way to hack any Instagram account.
CAROLE THERIAULT
You think they could add a zero to that if he found a way to hack any Instagram account? I mean, how many Instagram users are there?
Millions and billions and millions and millions worth a lot of money.
MARIA VARMAZIS
Yeah, a lot of people, their whole business is Instagram based.
CAROLE THERIAULT
Exactly.
MARIA VARMAZIS
So yeah, I think he should have gotten a lot more than that.
GRAHAM CLULEY
But to be honest, if he turned to criminals, he could have sold that probably for more, couldn't he? Or rent it out to others who might have tried to abuse it.
CAROLE THERIAULT
Facebook are hurting right now though. They just got fined something like a few billion, didn't they?
GRAHAM CLULEY
Oh yeah, they got fined about a weekend's income.
MARIA VARMAZIS
Yeah, I know. Zuck sneezes and he loses more money than that. So yeah, I mean, I'm pretty sure his napkin is made of $30,000 bills.
So Lakshman's method to hack Instagram was actually almost beautiful in how simply it worked. That's why I really love this story.
So he basically used Instagram's password reset method to hack Instagram.
So for context, for folks who may not know about how Instagram works, it's owned by Facebook, firstly, because again, have to talk about Facebook and you love—
MARIA VARMAZIS
I pardon out of context. That sounded quite dirty. So unlike Facebook, which was a web browser thing originally, Instagram is meant to be mobile first.
It's really a mobile smartphone app. So everything about it is supposed to be easy to use on the phone, optimized for phone use. So that goes for password resets.
So if you lose your password, you tell Instagram, oopsie daisy, I made a mistake, need my new password.
And then Instagram verifies that you're the person who lost their password and they send you, a smartphone user, a 6-digit recovery code straight to your phone number.
Easy as possible. So you don't have to click any clumsy email password reset links or codes you have to type into some form somewhere on some website.
You just get a 6-digit code and you just verify yourself easily.
CAROLE THERIAULT
Doxxing sucks. High five for that.
MARIA VARMAZIS
Yeah, super easy. That actually may have predated Zuckerberg. That may have been before Instagram was bought by Facebook.
MARIA VARMAZIS
So yeah, anyway, so if you wanted to attack an Instagram account, one that has millions and millions of followers, I don't know, Kim Kardashian, worth a whole lot of money, in theory, all you really need are those 6 digits to get in.
MARIA VARMAZIS
So Lakshman figured, okay, so the path in is just a random 6-digit combination, and how many of those can there possibly be? If I guess them all, I can eventually get the right one.
And for those of you crunching the numbers in your head, because it's a quick little math problem, any guesses on how many possible combinations there are?
GRAHAM CLULEY
If it's decimal, then it's—
CAROLE THERIAULT
I would have thought—
MARIA VARMAZIS
0 through 9.
GRAHAM CLULEY
0, yeah, 0 to 999999. Yeah.
MARIA VARMAZIS
Saving you the trouble of calculating factorials.
MARIA VARMAZIS
It's a million. It's a million. Yeah, it's a million. So you've got a million possible different 6-digit combinations. So if you—
CAROLE THERIAULT
That's a lot smaller than I thought.
MARIA VARMAZIS
Yeah, but there are some mitigating factors here.
The main problem that Lakshman has to overcome here is you have to try up to a million different number combos before hitting the right one and getting access.
So that's the problem. So as you pointed out, a million is not as many as you think.
And also, I'm sure some of our savvy listeners are thinking there's got to be some limitations in place here before Instagram would allow people to just try a million combinations, right?
Yeah. So wouldn't Facebook have some kind of failsafe in place to prevent someone from spamming their servers with all those guesses? And yes, indeed they did.
So in fact, they already had something in place called rate limiting.
So the faster you try to guess number combinations— so if you're trying to spam their servers with a million guesses, they're going to put the kibosh on you really quick.
So Lakshman found out after some experimenting that he could safely attempt about 200 guesses from one IP address before Facebook blocks his IP from making any more attempts.
So you've got about 200 guesses. And wouldn't Facebook also put a timer in place to expire the code so you can't keep trying to get in in perpetuity? And yes, it's a 10-minute timer.
So.
GRAHAM CLULEY
Both of which steps are quite sensible, you know, because you don't want some automated script starting at 0 and working its way up to 999.
So putting a block in place, very sensible. Sounds like they've done well so far.
MARIA VARMAZIS
Indeed. These are all good things. If they hadn't had those fail-safes in place, this would be a very different story. We would be laughing.
And also Instagram would have been hacked years ago. So yes. So the TL;DR is you get 200 guesses for that precious recovery code from one IP address in 10 minutes.
And if you don't get the code in those 200 guesses, you're done. Yes.
CAROLE THERIAULT
It's a pretty easy script to write, right?
GRAHAM CLULEY
Yeah. Yeah.
MARIA VARMAZIS
So you either hope you get it in 200 guesses, or what if you had more than one IP address available to you? No, that can't—
CAROLE THERIAULT
No one has that, Maria.
MARIA VARMAZIS
What if you, I don't know, spent all of $150 to spin up some cloud accounts on AWS or Google and create, oh, I don't know, 5,000 IP addresses and had all those 5,000 IPs, or bots really, guessing their 200 guesses at the same time.
Surely one of them will find the golden ticket within their 10-minute allotment. Ding, ding, ding. Wow.
GRAHAM CLULEY
So it's not that he had 5,000 computers in his back bedroom.
MARIA VARMAZIS
No, in his basement, no.
GRAHAM CLULEY
These are basically virtual machines which are running on some sort of cloud service like Google or Amazon. Correct. And they've all got different IP addresses.
MARIA VARMAZIS
Correct. So he actually has a wonderful 2-minute video proof of concept of this, which is, I thought, a really fun watch.
He used only 1,000 IPs that he bought from Amazon's EC2, and from those 1,000 IPs that he bought, they sent out 200,000 requests to Facebook servers in an attempt to get a right guess on the recovery code.
And that's only 20% of the total possible number combos, but he still got it. And it's a 2-minute video that shows how pretty elegantly simple this is.
It's a wonderful little brute force attack. And super fun to watch, but that was enough for Facebook to go, "You know what?
You nailed it." Because $150 is not a lot for a hacker to spend to, I don't know, try and hack Kim Kardashian's Instagram account.
GRAHAM CLULEY
And the other thing I read about this case was that he also found that if there were concurrent attempts to guess the number, Instagram sort of got its knickers in a twist regarding how many attempts there had been.
So if you had different computers attempting at the same time, it kind of lost count.
And so there was a bigger number of attacks which were possible to get to that number more quickly within the 10 minutes.
MARIA VARMAZIS
There you go. This was beautiful, I thought. Just a really fun little exploit that he found. And Facebook has already patched it.
So for anyone who's buying EC2 instances right now, you're already too late. But yeah, it's $30,000 for that. I think that was a really neat discovery.
CAROLE THERIAULT
I wish he'd got more money.
MARIA VARMAZIS
Yeah, same. Yep. I'm going to be interested to see how companies start hardening their defenses against these virtual account attacks.
So if he used AWS to spin up all these different instances, are companies prepared for something like that where you've got 5,000 different IPs coming at you at the same time?
Or is that just gonna look like normal web traffic for you? I don't know. It'll be interesting.
CAROLE THERIAULT
Also, what makes it kind of elegant is it's pretty old school brute force, right? That's why these guys should really have had some fail safes.
So it's kind of embarrassing, isn't it?
GRAHAM CLULEY
It is embarrassing, but they also have to be careful in their defenses because if they were to block people from attempting to access the account because they'd noticed lots of different computers were trying to break in, then potentially there's a denial of service which people could do as well to lock the genuine user out of the account.
Just to be a bloody nuisance. What if?
MARIA VARMAZIS
Yeah, there you go. It could happen. I mean, we'll be talking about it next time on Smashing Security.
CAROLE THERIAULT
Yeah, I love, I'm loving the FUD, loving the FUD. Okay.
GRAHAM CLULEY
So Facebook has hardened Instagram as a result, so this kind of attack can't be done in future.
But the other piece of advice we'd probably give to Instagram users is do enable two-step verification onto your accounts. Oh, yes, absolutely.
Because that's a much more common way in which your accounts will get hacked is because your password has been reused or you get phished or something like that.
CAROLE THERIAULT
And never enter your code in front of a window because— You never know! You never know!
GRAHAM CLULEY
I am looking up at my ceiling right now in case Tom Cruise is dangling down.
CAROLE THERIAULT
The baby one?
MARIA VARMAZIS
Pitsy-whipsy little one. Little baby Tom Cruise. Hi, everybody! Wow. It's like I'm there. It's amazing.
GRAHAM CLULEY
Oh, Carole, tell us what your story is this week.
CAROLE THERIAULT
Okay, so way back in August 2018, a year ago, episode 93, I introduced you to John Steele and Paul Hansmeier.
GRAHAM CLULEY
I remember it well.
CAROLE THERIAULT
Of course you don't remember them. So I'm going to be reminding you on this show. So these are two Chicago lawyer dudes with the morality and legal ethics akin to a pile of turds.
Literally.
GRAHAM CLULEY
I think you could have just said they were lawyers. I think that would have covered— that was just tautology.
CAROLE THERIAULT
This sneaky legal duo got caught making dirty money, and just last week, they have now faced the consequences for their actions.
And I thought, as a game, I'll remind you of what these two dirtbags did, give you a little insight into the legal case, and you two, and all you listeners out there, why don't you take a stab in the dark at the punishment the judge doled out.
Okay, and we'll see if you're right or not, right? So John Steele and Paul Hansmeier.
So back in 2010, these boys ran a Chicago-based law firm, and by their subsequent actions, I'm gonna guess they were just in for the money.
If $1,000 were a hot dog, John and Paul would easily beat the world hot dog eating champion, the Japanese Takeru Kobayashi, who I've watched a video of recently and it's impressive.
GRAHAM CLULEY
Sorry, I think I've just woken up in a parallel universe. What are you talking— what, what?
CAROLE THERIAULT
Okay, okay, the hot dog world eating— He is known for eating 60 hot dogs in a single sitting.
And his trick, in case you're interested, clearly, was to dunk the whole hot dog and bun into water before sucking it down his pie hole.
MARIA VARMAZIS
So he's lubricating it well before— okay, got it. Yeah, lube is usually the trick.
GRAHAM CLULEY
So that's what they call hot dogging. I've always wondered.
MARIA VARMAZIS
All right, we've gone off the rails.
CAROLE THERIAULT
Yeah, we have. I have. I just wanted to get that in. It's a bad crowbar. Sorry. Okay, so here is how these guys made millions and millions. So they first, they created the honey.
They hire porn stars and film some porn. And then they copyright the material.
GRAHAM CLULEY
So these were lawyers making the porn?
CAROLE THERIAULT
These two lawyers, yeah, two Deutsche Bank lawyers. Yeah. Okay, then they create the honey trap. They populate popular content sharing websites.
GRAHAM CLULEY
Hang on. Objection, Your Honor.
CAROLE THERIAULT
So then they create the honey trap. They populate popular content sharing websites like Pirate Bay with said porn vids.
MARIA VARMAZIS
There's no porn on Pirate Bay.
GRAHAM CLULEY
Trust me, I've looked. There definitely isn't.
MARIA VARMAZIS
There's a separate checky box you gotta check for that.
CAROLE THERIAULT
And then they set the trap, right? They wait for people to come and download them, and then they go after them for copyright infringement. Why? For money.
So in other words, they donned their legal robes and went after the guys that downloaded the sexy stuff with the only intent of extorting cash out of them. It's insane.
MARIA VARMAZIS
That's so many extra steps for extortion. Oh my God.
CAROLE THERIAULT
Okay, so they make this porn available. Let's say, Graham, you download the porn, right, from Pirate Bay or wherever.
I go to the courts and I say, look, we have seen some hacking going on on our systems from this IP address.
GRAHAM CLULEY
We would like to contact the ISPs and get their personal information so that we can go after— So the lawyers went to the court and said that, well, presumably they claimed that they had clients.
They didn't say it was them.
CAROLE THERIAULT
So yes, who are their plaintiffs? Of course. Oh, well, don't worry. They took care of that. They just created eight shell companies.
So they had very colorful names like Sunlust Studios and Hard Drive Productions. And their jobs were to act as the porn plaintiffs in the legal case against the porn downloaders.
Why? Right?
GRAHAM CLULEY
Okay, so just to be completely clear. There are lawyers who've also set up companies who the lawyers are claiming to represent.
So they've set up companies which are posing as porn companies. The porn ends up on Pirate Bay because the lawyers have uploaded it, right?
And then the lawyers send, they go to the court saying, our clients, the porn companies, who don't really, they've been hacked by people from this IP address.
So they do that to find out who owns the IP address. And then they don't actually hit them with hacking claims.
They hit them with 'You've downloaded porn from Pirate Bay, and it belongs to us.'
CAROLE THERIAULT
Oh, just— I know. That's such trolly behaviour.
MARIA VARMAZIS
I mean, it's so much extra work. There's so many easier ways to do something like this.
GRAHAM CLULEY
Yeah, but would it be as much fun? If you're a lawyer, this is actually quite an erection, Your Honour, right? You can— it's a lot of fun to be had here getting work—
MARIA VARMAZIS
That's called a hobby. Don't— I mean, why? You don't get paid to do porn, guys.
CAROLE THERIAULT
That's not how it works.
GRAHAM CLULEY
They didn't also work in washing machine repair or anything like that, did they?
MARIA VARMAZIS
Because were they pool boys, pizza delivery?
GRAHAM CLULEY
You can combine— you can combine these different careers.
MARIA VARMAZIS
So much extra work. I just— it's offensive to me. I'm not being lazy.
CAROLE THERIAULT
Come on, it's too much work.
Okay, so they of course never want to go to court because if they go to court, they might have to reveal that they're actually behind some of these shenanigans, right?
So the idea is to scare folks into paying into a settlement, and if they don't have to pay the— you know, they don't have any public humiliation.
I have written here in my notes, pubic humiliation, and/or court hassle. So from 2010 to 2013, they netted $6 million in copyright settlements.
That's why it was maybe worth the work, Maria.
MARIA VARMAZIS
Yeah, but after you pay the union fees and the studio costs, there's no way shooting a porn is that cheap.
GRAHAM CLULEY
I don't know, from what I've seen, says the voice of experience.
CAROLE THERIAULT
Their comeuppance came in 2016 when Paul Hansmeier and John Steele were arrested by the FBI.
And the FBI, I think, twigged on because they were harassing the ISPs with all kinds of requests for information.
And they were charged with 18 counts of running a multi-million-dollar extortion scheme, right? So fast forward to today. Yes, they've both been sentenced.
And are you guys ready to play the game? Okay, because Paul and John got different sentences. They are not the same. Why? Well, let's start with Paul Hansmeier.
He was sentenced in June by Judge Joan Erickson. They were both judged by the same judge.
Hansmeier initially refused to cooperate, but in August accepted a plea deal guilty, but he reserved the right to withdraw the plea if he was successful in dismissing the complaint.
Can you do that? Apparently. So I'm guilty, but I'm also running this concurrent plan to get this all thrown out of court. So if I do— I'm hedging his bets. Okay, exactly. Genius.
Now the judge said it is almost incalculable how much your abuse of trust has harmed the administration of justice. And of course they're not happy.
They're probably very pissy because they use the courts in a lot of their schemings.
GRAHAM CLULEY
Yeah, wasted lots of time.
CAROLE THERIAULT
Yeah, and kind of fooled and duped. Get a hobby. So what do you think he got in prison?
GRAHAM CLULEY
So what sentence? So what, $6 million? He got 5 years.
CAROLE THERIAULT
14 years in prison, 2 years of supervised release, and he has to pay the victims $1.5 million restitution. That is hefty.
Now, John Steele was sentenced Tuesday last week by the same judge. John Steele pled guilty in 2017 to money laundering, same da da da da.
He cooperated from the get-go with authorities and he did not have any caveats to withdraw his plea, which was a bit cheeky from the other guy, to be honest.
MARIA VARMAZIS
An asshole move. Yeah.
GRAHAM CLULEY
So, okay, so one of them's got 14 years and this guy who's helped, he is going to get 5 years.
CAROLE THERIAULT
Yes. He got 2 years, two 5-year sentences, but they're to run concurrently, not consecutively. So he's basically just in jail for 5 years. Oh, yeah. Cool. Okay.
So it seems as though it pays to play ball with the courts, because that's 9 years less than Paul Hansmeier. Right? Like, Graham, your son is not even that old yet.
And I bet you don't even remember life before him. 9 years is a long, long time.
GRAHAM CLULEY
Right? Well, I mean, I think it's a general rule of life though, isn't it? Is that when the authorities have got you, you just say, you put your hands up and you say it's a fair cop.
CAROLE THERIAULT
So basically, if we get caught at something, I hope you're not doing anything illegal, you're basically gonna dob me in.
GRAHAM CLULEY
Copyright infringement, Mission: Impossible music. Yes, exactly.
CAROLE THERIAULT
That's what this is telling me, because you're gonna throw me, your buddy, under the bus for, and you're gonna cooperate, and you're gonna lie to save your own butt.
GRAHAM CLULEY
Which one of us, well, it will save my butt, but which one of us will cooperate first? That's the thing. We've got to get in first, Carole.
CAROLE THERIAULT
Who's more loyal, Graham, I wonder? Hmm. Interesting. Hmm. Hey, Graham.
There are people out there with companies a little bit bigger than ours, and one of the issues that they face is visibility and oversight.
And when it comes to cybersecurity, that is super important. So listeners, listen up. If you do not have a password manager in your organization, please check out LastPass.
LastPass Enterprise. They offer centralized admin oversight and control, shared access, and automated user management. All this stuff makes your life easier.
Plus, you can even use LastPass's single sign-on to protect all your cloud apps and give seamless access to employees. Check it out at lastpass.com/smashing.
Let me try that again, folks. Check it out at lastpass.com/smashing. Perfect. Do you want to make it more conversational?
GRAHAM CLULEY
I don't know.
CAROLE THERIAULT
I think that sounded great. We also are sponsored by MetaCompliance. Now, MetaCompliance reduce cybersecurity risk by providing a platform for training.
GRAHAM CLULEY
Yeah, they do online training. They've gamified it.
It's animated e-learning, teaches you and your staff all about the risks of phishing and other threats which may impact them inside business. And best thing, it's not boring.
No, not boring at all. You learn everything. GDPR, malware, data security, password safety.
You can grab it all and save yourself a ton of cash because you're a Smashing Security listener. Go to smashingsecurity.com/PassPass.
CAROLE THERIAULT
On with the show.
GRAHAM CLULEY
And welcome back. And you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security-related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Now, my pick of the week this week is not security-related, but I do remember many years ago working for a security firm where in the sales department, they had inspirational posters on the wall encouraging them to sell more.
CAROLE THERIAULT
What, in the bathroom, like pee carefully?
GRAHAM CLULEY
No, no, no, no, no, no. You don't have to be inspired to urinate in a straight line. I'm talking about to sell more or to be a happier person.
And I always found these rather ridiculous and comical, but it would say things like, you know, the first step of the journey is, I don't know, who knows.
But anyway, I found a website called Inspirobot.me. And what this does is it comes up with inspirational phrases. Here's a couple which I just grabbed off the website.
Ignore the connection between your virility and gravity. Never let anyone tell you that you're not fondling yourself. Damn straight.
CAROLE THERIAULT
Do you know, Graham, I have a friend who actually got paid to write books that do this.
And yes, so her job was to kind of collect them around the, you know, wherever she could find them and put them into this book. It was like an early job. She was 20.
GRAHAM CLULEY
Did she have this one? No one is telling you to obsess about your mother's medication.
CAROLE THERIAULT
See, she could have written that one. She told me she made up loads of them because no one cared and no one read them. So she made up loads, so they could be hers.
GRAHAM CLULEY
She should go to Inspirobot.me because it has an artificial intelligence dedicated to generating unlimited amounts of unique inspirational ridiculous quotes for the endless enrichment of pointless human existence.
That's how it sells itself.
There's even a mindfulness mode where it'll play music in the background and display images from nature and cityscapes and read out to you in a robotic voice the inspirational quote.
CAROLE THERIAULT
This is one for Nimity. She likes those. She likes a little mindfulness.
GRAHAM CLULEY
Anyway, so that is my pick of the week.
CAROLE THERIAULT
I think that sounds fun.
GRAHAM CLULEY
It tickled me. It tickled me just where I needed to be tickled this afternoon.
CAROLE THERIAULT
Oh, please don't be doing that right now. Can you just wait 10 minutes? We're almost, we're almost done.
GRAHAM CLULEY
I might need some WD-40 in a moment. There's a bit of squeaking coming. Oh, Maria, what's your pick of the week?
MARIA VARMAZIS
Well, may I ask, could I do a punt of the week, like an anti-pick of the week before I do my pick of the week?
Because I just— somebody added me, my work email, they added me to a privacy email newsletter without asking me first if I wanted to opt into this.
And that is the douchiest thing I can imagine for a privacy newsletter. So that is my anti-pick of the week. Don't do that.
CAROLE THERIAULT
And it has to do with security.
MARIA VARMAZIS
Yes, it's a privacy and security newsletter. They added an email that I only use for a very specific work purpose.
There's no way I would have used this email myself for a real thing.
GRAHAM CLULEY
And it didn't do double opt-in. It didn't ask you to confirm.
MARIA VARMAZIS
It was nothing. It just showed up in my inbox, started spamming me one day, and I was like, how dare you, sir? It was very annoying. And yes, don't do that. Shame them. Shame them.
Maybe I will name and shame maybe on Twitter. How about that? Okay. All right.
So for my actual pick of the week, my pick is what Wikipedia calls a serialized speculative fiction multimedia narrative. It is called What Football Will Look Like in the Future.
And you don't have to have any interest in American football at all or any knowledge of it.
Yes, because I don't either, really, aside from what I've absorbed by osmosis being a Yankee. And that link that is in the show notes, you do not want to read it on mobile.
You need to be on a desktop or a laptop. So anyone who's reading show notes on mobile—
GRAHAM CLULEY
I've just gone there on my desktop. It's a pretty— it's exploding my screen.
MARIA VARMAZIS
Okay, don't give away too much. It's very, you don't have to have any interest in any kind of sport because I don't. It's a very captivating read.
I don't want to give away what it's about. It will take you— it's a long read.
And I will just say it was a contender for a Hugo Award for best graphic story last year, and a Hugo is like a very, very—
CAROLE THERIAULT
Yeah, yeah, big deal.
MARIA VARMAZIS
So for just as a point of how much this draws people in, I sent it to my husband last night. Yeah.
And he, an hour later, he was still reading it, and an hour after that he was still reading it. And then when we went to bed, he started asking me questions about it.
It got him really thinking about life in the universe and stuff.
So it's best to go into it knowing nothing about it, and you really want to set some time aside to give it proper attention. And I— this came out actually two years ago.
Yeah, it's awesome. It's actually two years old, but I've never shared it with our listeners. So I said, okay, in the show notes.
CAROLE THERIAULT
Yes, we'll make it big and obvious for people.
GRAHAM CLULEY
And the show notes— even some podcast apps don't support show notes properly, so if you can't find something, you can click on there, go to smashingsecurity.com and all the links are clickable from in there as well for this episode.
MARIA VARMAZIS
Yeah, you can search what football will look like in the future, or it's also called 17,776. It's a year. 17,776. Sorry. Imagine 15,000 years from now, basically.
And that's sort of a spoiler. So— How curious. Yes. You both have been sucked into it, I can tell.
CAROLE THERIAULT
That's why I'm not talking. I'm totally—
GRAHAM CLULEY
I'm already in. Oh, it's my favorite part of the show, Carole. Okay, well, we'll skip your Pick of the Week then, in the interest of time.
CAROLE THERIAULT
You don't want to miss my Pick of the Week. Okay, tell us about it. Tell us about it. Okay. Because what would be the most boring thing in the world to be? Anything in the world?
Anything that exists. Quantity surveyor? Yeah, or a rock, right? I mean, a rock's pretty. You don't move, you don't communicate, you don't grow. You get kicked around a bit, maybe.
Well, my pick of the week changed my mind about rocks. It's a little video I saw on Damn, That's Interesting subreddit. And I've put the link in here, so take a look. Right.
It's posted by a user Tetrapolis. This. It's kind of just a little vignette, a little anime vignette, silent movie.
MARIA VARMAZIS
There's no sound. Silent movie. Yeah. Rock Experience. Okay, the life of a rock.
GRAHAM CLULEY
Yeah, just watch a bit of it. Okay, it looks cute.
CAROLE THERIAULT
It's more than cute. It's quite sweet and it's really interesting, and it kind of has a bit of historical element to it. I think it'd be great for kids too.
It's very peaceful and takes a few minutes, and it just changes how you might see rocks. Oh, see, trees last week and now rocks. Yep, going back to basics.
Well, that just about wraps it up for this week.
GRAHAM CLULEY
Thank you, Maria, for joining us as well. I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
MARIA VARMAZIS
On the Twitters, I'm @mvarmazis and on Mastodon's infosec.exchange, I'm @maria. Either one is great.
GRAHAM CLULEY
Cool. And you can join us on Twitter at Smashing Security, no G, Twitter wouldn't allow us to have a G. And you can join our community on Reddit as well.
Just look for Smashing Security up there.
CAROLE THERIAULT
Huge thank you to this week's sponsors, LastPass and MetaCompliance. Their support helps us give you this show for free, so be sure to check out their offers.
And as always, big love to you all, you listeners out there, and welcome to our new Patreon subscribers. Stay tuned after the show for more information on our Patreon launch.
Check out smashingsecurity.com for past episodes, sponsorship details, info, and how to get in touch with us.
GRAHAM CLULEY
Until next time, cheerio, bye-bye. Bye, bye, Maria, say something, hey, so you guys are on Patreon now. Spontaneously.
MARIA VARMAZIS
Oh, oh, so y'all are on Patreon now then.
CAROLE THERIAULT
What's the answer to that? Yeah, we are. We've just dipped our toes into the Patreon world.
GRAHAM CLULEY
The thing is, there were people who said they wanted to support the show, and we were like, well, just tell your friends, you know, get them to listen to it.
And some people said, no, Graham, I really want to give you money. They said— they didn't mention Carole. They said, we really want to give you a small amount of money.
I'm joking, Carole, of course they wouldn't, of course. But they wanted to— no, no, no, it's just— I just have jet lag, you know.
So what we're doing is that we've got two tiers on Patreon, $2 a month, which basically means that you love us very, very, very much.
But if you want to be a really schmancy fancy pantsy supporter of the show, you can give us $5 a month, which means you get everything for the $2 tier plus early release episodes when possible and behind-the-scenes bonus content.
CAROLE THERIAULT
Now, the point behind all this is basically I would like to do a lot more on podcasts, but in order to do that, we need to fund it.
Rather than, you know, doing other things to make money, we could make money here in this thing that we really love. So we're trying it out, we'll see what happens.
GRAHAM CLULEY
I think it's important to underline that the podcast remains free for everyone. That's not changing. You can still listen to us for free, you don't have to support us on Patreon.
We just love that you're listening, actually, to be honest. But if you can afford it and if you want to support us, go to patreon.com/smashingsecurity.
And thanks to those people who've already supported us up there, even before we announced it on the podcast. That's pretty impressive, isn't it?
CAROLE THERIAULT
It's awesome.
GRAHAM CLULEY
Wow. So thanks to Angela, Cheyenne, David, Dimitri, Jonathan, Macaulay, Marcus, Pete, Richard, Ruben, Ruben Scotia Thomas and Thomas, who've already supported us.
We really appreciate it, thank you so much. Mwah! Oh my goodness, that's not for you, Carole. I don't think we can promise that to everyone who supports us.
MARIA VARMAZIS
There's only one David in that list. That's surprising, I thought we had a lot of Davids.
GRAHAM CLULEY
Come on, Davids. Yeah, yeah, Davids, you know who you are.
MARIA VARMAZIS
The whole league of Davids. It's really, they need to activate.
GRAHAM CLULEY
No, no Marias either, actually. Before she begins to point the finger.