Smashing Security podcast #184: Vanity Bitcoin wallets, BlueLeaks, and a Coronavirus app conspiracy

Industry veterans, chatting about computer security and online privacy.

Graham Cluley

A conspiracy spreads on social media about Coronavirus tracing apps, US police find decades’ worth of sensitive data leaked online, and is there a Bitcoin bonanza to be had from watching Elon Musk YouTube videos?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by BBC technology reporter Zoe Kleinman.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
Zoe, the thing is, Carole thinks she invented the phrase "take heed." It goes back a few years in our relationship.
CAROLE THERIAULT
No, I just— what happened is I used it once, the first time ever that it was ever mentioned between either of us, in a very, very funny context, and we both cried with laughter, and then therefore I own that fucking statement.

That's how it works.
GRAHAM CLULEY
And so she insists on putting "TM Carole Theriault" after I say "take heed." Are you like the Taylor Swift of this relationship, just trying to trademark everything?
CAROLE THERIAULT
Because he takes a lot.
ZOE KLEINMAN
He's a taker. That's all I'm going to say. He's a taker. You've got to protect your assets. They're all assets.
Unknown
Smashing Security, Episode 184: Vanity Bitcoin Wallets, BlueLeaks, and a Coronavirus App Conspiracy with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security episode 184. My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
Hello, Carole.
CAROLE THERIAULT
Hello, Graham.
GRAHAM CLULEY
And we are— steady— we are joined by a special guest, someone who hasn't been on the show before.

It is BBC technology journalist and co-host of Backspace and Beyond the podcast, Zoe Kleinman. Hello, Zoe.
ZOE KLEINMAN
Hello, Graham.
CAROLE THERIAULT
Welcome, Zoe.
ZOE KLEINMAN
Thank you, Carole.
CAROLE THERIAULT
Very exciting to have you here. Now, have you listened to the show before, or is this a baptism of fire?
ZOE KLEINMAN
No, no, I had a listen. In fact, I've been listening to you rather a lot in the last week or so, Carole, while I, you know, familiarized myself with the podcast.
GRAHAM CLULEY
As if lockdown wasn't bad enough now.
CAROLE THERIAULT
Now, Zoe, I did a little recon on you because we've never met.
ZOE KLEINMAN
We haven't.
CAROLE THERIAULT
And I just plugged your name in my search engine. And after all your socials came up, an article written by you came up from 2010 in the BBC News.

Do you know what article it might be?
ZOE KLEINMAN
Oh my word, a 10-year-old article.
CAROLE THERIAULT
Yep, it was number 4 hit after your social media stuff.
ZOE KLEINMAN
Is it? Something I wrote 10 years ago?
GRAHAM CLULEY
Oh, hello. I've just—
CAROLE THERIAULT
Yep, it's okay. So it's in the show notes.
ZOE KLEINMAN
Oh my word.
CAROLE THERIAULT
Look at that.
ZOE KLEINMAN
Wow.
GRAHAM CLULEY
How Photographs Are Airbrushed.
ZOE KLEINMAN
Yes.
CAROLE THERIAULT
Yeah, in the first of a 5-part series about technology in modern culture. This is 2010. BBC News looks at the rise of image manipulation. So what a cool thing to come up.
ZOE KLEINMAN
Well, I tell you what, I wish I still looked like that.
CAROLE THERIAULT
You do.
ZOE KLEINMAN
These days I'd settle for the before photo, I really would.
GRAHAM CLULEY
Which one's the before? I haven't pressed play yet. Which one's the before and which one's the after?
ZOE KLEINMAN
Oh, Graham, you are such a charming man. The one on the right. Sorry, can you not see the one on the left with the sparkling eyes and the gleaming white straightened teeth.

That's not me.
CAROLE THERIAULT
I think they look beautiful in both, and it's fantastic.
GRAHAM CLULEY
Links in the show notes, folks. Links in the show notes. So, Carole, what's coming up on the show this week?
CAROLE THERIAULT
First, thanks to this week's sponsors, MetaCompliance and LastPass. Their support helps us give you this show for free.

Now, on today's show, Graham shares bitcoin investment advice, Zoe Kleinman gives us the latest on COVID track and trace apps, and I share what I've learned about the BlueLeaks archive.

All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, some people have done marvellous things for the world, haven't they? I don't want to blow my own trumpet, but—
CAROLE THERIAULT
Good, don't.
GRAHAM CLULEY
Some celebrities, they've gone the extra mile to wake up the world to the problems which are out there. People like— I'm thinking of people like Bono.
CAROLE THERIAULT
Oh, people like Mother Teresa?
GRAHAM CLULEY
No, not her so much. Bob Geldof, right? And Richard Curtis. They've done their bit to make poverty history, dropping the debt, feeding the world.

And now, of course, we have another— But what about the lizard?
CAROLE THERIAULT
There's so many more.
GRAHAM CLULEY
Well, yes, he's done a bit of running around in a dress, but I mean—
CAROLE THERIAULT
A bit of running around?
GRAHAM CLULEY
What?
CAROLE THERIAULT
He ran 40 marathons in 40 days.
GRAHAM CLULEY
That is extremely impressive.
ZOE KLEINMAN
That's extraordinary.
GRAHAM CLULEY
That is very good. Well, look, we now have another saviour.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
We've mocked him in the past, and I think it's time for us to stop doing that, because Elon Musk is literally saving the human race by helping us take our first step into the stars and beyond with his SpaceX exploration.
ZOE KLEINMAN
What a guy.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
As we saw in last month, we saw that amazing rocket launch, the astronauts with that, they got those new style spacesuits, right? It's so cool.

There are new types of spacesuits now as well.

He is a master of getting attention for himself and his company, of course, whether it's launching a Tesla car into deep space or messing around with Johnny Depp's ex or giving his child a ridiculous name, whatever it might be.
CAROLE THERIAULT
You're fascinated by him though. You are.
ZOE KLEINMAN
Everyone is fascinated by him. We find when we do stories about him, everybody wants to know.
CAROLE THERIAULT
Okay, can I ask you both a question?
GRAHAM CLULEY
Yeah, okay.
CAROLE THERIAULT
If you could invite 8 people to your final dinner party, social distancing dinner party.
GRAHAM CLULEY
Right, yes.
CAROLE THERIAULT
Your Zoom dinner party, right? And everyone in the world would attend, would he be one of the 8?
GRAHAM CLULEY
No.
CAROLE THERIAULT
Even though he's a world leader in improving the world, according to you, Graham.
GRAHAM CLULEY
Definitely not, no. Okay, okay. I don't warm to him particularly.
CAROLE THERIAULT
No.
GRAHAM CLULEY
Maybe if he does save the world, then perhaps, you know, just to thank him, give him some dinner. But then he probably wouldn't want my dinner anyway, would he? He wouldn't want it.

He wouldn't fancy it.
CAROLE THERIAULT
What, your bangers and mash?
ZOE KLEINMAN
Fake mash?
CAROLE THERIAULT
What's it called, that stuff?
GRAHAM CLULEY
Smash.
ZOE KLEINMAN
Smash. Smash.
CAROLE THERIAULT
Is that where we got the name from?
GRAHAM CLULEY
Oh, maybe it is.
CAROLE THERIAULT
Sorry, I digress.
GRAHAM CLULEY
Slightly.

Now, with someone like Elon Musk, it wouldn't be a surprise for many people if, you know, because he's so charitable, if you ended up watching a live stream from Elon Musk's own YouTube account telling them about an incredible offer, saying 500 bitcoins up for grabs, that's $5 million, or in British money, £32.50, which you could get your hands on.

And the live stream says that all you need to do, right, is send some bitcoins to Elon's account and he will charitably give you double in return, or maybe even 10 times as much.
CAROLE THERIAULT
So was this an Elon Musk deepfake that was being used, or was it just a slide deck of pictures of him?
GRAHAM CLULEY
Well, I think what was happening on this particular occasion was there was live footage from the NASA and SpaceX rocket launch.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
And overlaid on it were these— Hey, you know about this, Zoe.

You know how when you're watching BBC News, you get all those tickers and all those— all the things filling up the bottom third of the screen. What are they called?
ZOE KLEINMAN
Well, the news ticker is the thing that just sort of throws headlines at you.

And then the— where you get the name of the person speaking and their job title or whatever, we call those Astons.
GRAHAM CLULEY
Astons?
ZOE KLEINMAN
Yeah, which I think is a brand name. I didn't know that for years, but actually I think it might be a brand name.
GRAHAM CLULEY
All I can think of is Aston Villa.
ZOE KLEINMAN
Maybe it's from Birmingham, I don't know.
GRAHAM CLULEY
Maybe it was invented up there, who knows?

But yeah, so, and then you get a message at the bottom of the screen maybe saying, "Look, here is Elon's wonderful offer to make lots of bitcoin." Now I know what you're thinking.

'Cause you're cynical types, you're skeptical people.
CAROLE THERIAULT
Smart, that's the other word.
ZOE KLEINMAN
Yeah.
GRAHAM CLULEY
You're thinking, we've seen scams like this before on Twitter. You're thinking, you know, we've even seen them on YouTube, right?
CAROLE THERIAULT
Mm.
GRAHAM CLULEY
Where, you know, accounts are being created in the name of SpaceX, 130,000 subscribers.
CAROLE THERIAULT
Elon Musk has been used in these scams before.
GRAHAM CLULEY
Yes, yes, it's been done on things like Twitter. Exactly.

Where people have created fake Elon accounts, they've added his picture and tried to trick people into believing it's him making an offer.

So how do we know that this particular scam, this particular YouTube channel live streaming, is a genuine offer?

And it's not necessarily straightforward because you may have been taken there by YouTube's own recommendation algorithm, right?

If you regularly search on YouTube for things like, I don't know, Tesla or SpaceX or rocket launch and things like that, it's quite possible that this YouTube channel is shown to you as well.
CAROLE THERIAULT
Would you not think of looking at who produced it? Like, was it from Elon Musk's own channel? For example?
GRAHAM CLULEY
Well, when you look at it, it says it's a verified account and there's Elon's name and there's Elon's photo as well.
CAROLE THERIAULT
Okay, so I'm just going to carry on telling you what I would do so you can— I want you to trip me up. So then I would go look.

Okay, I'd see his name there and I would go look at the playlist or the videos that he had pushed out.
GRAHAM CLULEY
Oh, okay. Yeah, you could do that.
CAROLE THERIAULT
So I don't know what would happen then in your—
GRAHAM CLULEY
I don't know what it would show. I mean, potentially it could be re-uploaded videos which look quite genuine.
ZOE KLEINMAN
The thing is with Elon Musk as well, he's so unusual, isn't he? That you almost think it's batshit crazy. You're so polite! That is one way of putting it.

I mean, it's not beyond the realms of possibility that he would tweet something like this at 4 o'clock in the morning, is it?
GRAHAM CLULEY
Exactly. Yeah, he's bananas. I mean, I'm putting it out there right now, right? Elon Musk is going to end up US president one day.
CAROLE THERIAULT
So ironically, ironically though, maybe his craziness works against him in this case because people might go, okay, this could be true and I don't want to miss out.
GRAHAM CLULEY
Right, exactly.

And so people— and what they do is when they look at the Bitcoin address, now normally, I don't know if you've ever looked at a Bitcoin address, it's normally a jumble of random characters.

You know, it's— I don't know, it's probably about 26 characters, something like that long.

You know, it's just all— but in this particular case, these are what appear to be vanity Bitcoin addresses.

So you will have a Bitcoin address which is mostly all jumbled up, but at the beginning, you might have 1 and then Musk, or 1 Elon Musk, maybe with a couple of characters small.

So it looks like these are special vanity bitcoin addresses, which only a crazy tech billionaire would be mad enough to pay the fortune.
ZOE KLEINMAN
Is that a bit like a personalised number plate? I kind of like the idea of it.
GRAHAM CLULEY
It is like a personalised number plate.
CAROLE THERIAULT
Zoe, what would yours be? Your personalised number plate, if you had a rockin' roadster?
ZOE KLEINMAN
I am blessed, blessed and cursed with a very, very short name, aren't I? I always struggle with these things, you know. My name is Zoe, which is only 3 letters.
CAROLE THERIAULT
Yeah, you could have Zoe Rocks.
ZOE KLEINMAN
Yeah, but I would never get that. I would have to be Zoe 1597230AB or something, and then I'd just look like a scammer, wouldn't I?
GRAHAM CLULEY
You could have Z03 in leet speak.
ZOE KLEINMAN
Oh yeah, leet speak.
GRAHAM CLULEY
Because you're the tech journo.
ZOE KLEINMAN
Do you think anyone would get that joke?
GRAHAM CLULEY
Could be kind of cool.
CAROLE THERIAULT
But okay, I would argue that people already with web and phishing are already a little bit clued up to what if an address just mildly indicates a name, it might actually be a bad place to go.

So—
GRAHAM CLULEY
You don't think that would reassure people, that it's more likely to be legitimate?
CAROLE THERIAULT
Well, starting with a 1 and then being followed by 10 to 20 different, you know—
GRAHAM CLULEY
Yeah, but they all have bitcoin addresses, but this is one where his actual name is in the middle of it as well.
ZOE KLEINMAN
Yeah, I can see that could look legit for some people.
GRAHAM CLULEY
Anyway, take heed, obviously, is our warning here.
CAROLE THERIAULT
Sorry, where's the TM?
GRAHAM CLULEY
Because Zoe, the thing is, Carole thinks she invented the phrase, take heed. It goes back a few years in our relationship.
CAROLE THERIAULT
No, I just, what happened is I used it once, the first time ever that it was ever mentioned between either of us in a very, very funny context. And we both cried with laughter.

And then therefore I own that fucking statement. That's how it works.
GRAHAM CLULEY
And so she insists on putting TM Carole Theriault after I say take heed. I'm just—
ZOE KLEINMAN
Are you the Taylor Swift of this relationship? Just trying to trademark everything.
CAROLE THERIAULT
Look, he takes a lot.
ZOE KLEINMAN
He's a taker. That's all I'm gonna say. He's a taker. You gotta protect your assets. They're all assets.
GRAHAM CLULEY
Exactly. So, chums, let me explain what is going on here. Hackers are hijacking people's YouTube accounts. YouTube accounts which have hundreds of thousands of followers in some cases.

YouTube accounts which aren't properly protected or maybe are reusing passwords, don't have multifactor authentication. They are changing the names of those YouTube accounts.

Is that easy to do? Yes, it's an absolute doddle.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
They're then changing the names to say Elon Musk, and then they're live streaming and they're changing the profile photo as well.

And they've already got hundreds of thousands of followers. And YouTube then begins to point people to these videos.
ZOE KLEINMAN
Well—
GRAHAM CLULEY
And because they're live streaming genuine footage of something like a Tesla launch or an Elon Musk space flight or something like that, but they're adding extra graphics and extra messaging about the bitcoin offer, it seems quite convincing to people.
CAROLE THERIAULT
Yeah, the New York Times put out a podcast recently called The Rabbit Hole, and they talk a lot about how YouTube is suggesting videos that are maybe not necessarily appropriate for the viewer.

And basically they're helping form the whole world that we live in.
GRAHAM CLULEY
In the past, scammers have posed as everybody from Kate Winslet, Bill Gates, John McAfee, football manager Alex Ferguson. In April— oh, Zoe, there was a fake BBC News report.
ZOE KLEINMAN
Was there?
GRAHAM CLULEY
Not fake news, don't panic.
CAROLE THERIAULT
Oh God.
GRAHAM CLULEY
A faked BBC News report which used images of Prince Harry and Meghan Markle. We're not supposed to call her Meghan Markle anymore, are we, now she's married?
CAROLE THERIAULT
No, she's—
ZOE KLEINMAN
The Duchess.
GRAHAM CLULEY
The Duchess of something. And that was intended to dupe Bitcoin investors as well.
ZOE KLEINMAN
Oh dear.
CAROLE THERIAULT
Oh, it's too freaking sad. It's too freaking sad.
ZOE KLEINMAN
Can I tell you my bitcoin story?
GRAHAM CLULEY
Yes, yes, please do.
ZOE KLEINMAN
So a few years ago, I was sent to the Isle of Man by the BBC, and the Isle of Man was trying to sort of promote itself as being like Bitcoin Island, basically.

They were sort of saying, you know, this is going to be our currency, you will be able to live here just on bitcoin. So I went along with my producer, a good friend of mine, Sarah.

We went for the weekend and the thing we were trying to do for the radio, we were trying to survive for a weekend on bitcoin on the Isle of Man.

So I discovered that it's quite hard to do that. We managed to get a taxi and pay in bitcoin for the taxi, which was cool.

And we managed to get a pint of beer in a pub and pay for it with bitcoin. But that was kind of it. So we were pretty hungry and pretty drunk most of the weekend.
CAROLE THERIAULT
At least you got home safely.
GRAHAM CLULEY
Zoe, what is your story for us this week?
ZOE KLEINMAN
So I want to talk to you about a story that really divided opinion, I think.

It had a lot of the kind of tech heads rolling their eyes and a lot of normal people getting very freaked out. It's one of those sorts of stories.

So the story is about COVID-19, as all stories are at the moment.

But specifically, you know, there's been this saga, hasn't there, of the track and trace app that was going to happen, wasn't going to happen, was trialled on the Isle of Wight, didn't work.

Apple and Google said, look, we've come up with a tool that could help. And the UK said, no, no, we don't want your tool. We want to do our own thing.

And now they've sort of said, actually, can we use that tool as well, please? And, you know, negotiations are ongoing.

Anyway, as part of the fairly recent updates to both the iPhone and Android phone operating systems, this little widget appeared which says COVID-19 tracing tool.

And probably it's been on people's phones for several weeks in some cases, and nobody's noticed it because it's kind of hidden away, I think, in Apple's iPhone, it's sort of hidden in the privacy settings.
GRAHAM CLULEY
Yeah, you go into settings, don't you? And I think it's under privacy.
ZOE KLEINMAN
Yeah, in an iPhone it's under privacy, and in an Android phone it's under Google services.
CAROLE THERIAULT
Okay, I'm trying. I'm in privacy section, but I don't seem to have anything.
ZOE KLEINMAN
On iPhones, go into the settings app. Yep. Go to the Privacy menu.
CAROLE THERIAULT
Yep.
ZOE KLEINMAN
And then Health subsection.
CAROLE THERIAULT
Health. Okay. Yeah. Oh yes.
ZOE KLEINMAN
Look at that.
CAROLE THERIAULT
There you go. COVID-19 exposure logging.
ZOE KLEINMAN
There you go.
CAROLE THERIAULT
And mine's turned off.
ZOE KLEINMAN
Yeah. So they're all turned off by default.

What this is, is the API that Google and Apple have built together, which would enable any future tracing app, bear in mind there isn't one, to work.

So, if we were to get an app, and you were to download it and use it, and you were to activate that thing, you would be tracked and traced via the app that we don't have, right?
GRAHAM CLULEY
Yeah.
ZOE KLEINMAN
But anyway, the point is, is that everyone has just freaked out because it looks like, sort of sneakily, this tracing thing has appeared on people's phones.

And the conspiracy theories have gone nuts. People are furious, whether it's the government or Google and Apple, the tech giants, doesn't seem to make any difference.

They're still furious that this has sneaked on.
GRAHAM CLULEY
Let me take a guess at random.

Would this crazy conspiracy theory that they'd secretly installed a tracing app onto our phones, would that perhaps have been spread on a site like Facebook, maybe?
ZOE KLEINMAN
I mean, imagine if such a thing were to happen, Graham. I think social media has certainly had a field day with it.

And I was in the position where I was working on Saturday, right, which is, you know, never a good spot to find oneself in, but there I am working on Saturday and I'm seeing this going nuts.

I'm like, I wouldn't normally write a story about an operating system update, you know, unless it was spectacular.

And this is not in itself spectacular, it's just, it's pretty obvious what it is, but the chat and the fear around it is so great that I feel like we need to spell it out.

So I wrote this little story about it, just basically saying what I've said to you, you know, and I put in the headline, the headline of this story was, 'New COVID-19 tracing tool is not an app,' right?

And then hundreds of people got in touch going, 'Oh my God, what is this app?' And I'm like, 'Oh my word, have you actually even read the headline?

You know, it is not an app.' And one person I had a back and forth with on Twitter, because I don't believe that you should be smug about these things, just because you know something doesn't necessarily mean that someone else does.

I'm trying to be calm and reasoned. And in the end, I'm like, I really can't say this in any other phrase, you know, I don't know how else to put this to you. It is not an app.
CAROLE THERIAULT
Yeah, so it is complicated though. So basically, make sure I understand it correctly, because maybe I've got this wrong.

So Google and Apple work together to build some kind of system that would allow tracing apps to work better with Bluetooth connectivity and phone distance and all that.
ZOE KLEINMAN
Exactly right.
CAROLE THERIAULT
The UK government decided to go a different route, go down a centralized route, didn't want to go down this route, but then started changing its mind.

So this stuff is just there as laying the groundwork on our phones or devices for a subsequent app that the government might put out.
GRAHAM CLULEY
Which might use their technology, that's right.
CAROLE THERIAULT
Which might use their technology.
ZOE KLEINMAN
But in much the same way as, you know, your phone comes preloaded, doesn't it, with all sorts of stuff that would enable you to do things that you might choose not to do.

You know, you have Apple or Google Pay, you might not want to use it, but your phone is set up so that you can use Apple, Google Pay if you want to.

And this is really an extension of that. But I think there's so much anxiety and fear around it.

And, you know, some of the sort of tech bros were like, well, didn't they read the update to terms and conditions?
CAROLE THERIAULT
Well, I was just thinking that because I did do an update recently, maybe 5 days ago or something on the weekend.

And obviously that's when that update might have happened, and I didn't read it.

Normally I'm a bit of a stickler for that, but because I guess I trust Apple and its updates and I can't, you know, I'm not going to leave it unprotected anyway, I just sometimes do it blindly.

Yeah, that means that I can understand why people might have gotten freaked out by seeing this. So good that you wrote the story to tell people.
ZOE KLEINMAN
Well, thank you. It was one of those where some people were saying, oh well, you are— what is it somebody said to me? You exist to downplay these sorts of things.

And I was like, you know what, in terms of my life's priorities, you know, I'm a mother, I'm a journalist, I'm working, I've got family.

Existing to downplay operating system updates is pretty low down in terms of my techniques.

But, you know, a lot of people did say thank you very much because they were frightened by it.

And I think the more people were, you know, like you just did, Carole, like, what's this?

And then you sort of go through the menu because somebody tells you about it, you're like, whoa, I've got it as well! When did I get it?

And that, you know, it all kind of became a big fear thing, right?
CAROLE THERIAULT
So it's not just, you know, a lot of people would say, I know more about technology than the average person, and still I was a bit—
ZOE KLEINMAN
And I think the use of the word logging is quite emotive, isn't it?

Immediately you think, oh, hang on, some— you know, even though you know that those devices are harvesting data left, right, and center. That's what they do.

But still, seeing it written down like that is potentially alarming, isn't it?
CAROLE THERIAULT
Well, when you were explaining it, I was going through to kind of see how they explain it.

So there's read more, read more, and I can't say that it's done in a very friendly manner, accessible to all. You know, people that are 13 have iPhones, right?

People that are 90 have iPhones.
ZOE KLEINMAN
Exactly. I mean, my mum would totally freak out. I haven't even told her about this. I'm like, just don't look at the BBC News today because, you know, she will freak out about this.
GRAHAM CLULEY
Well, I suddenly got contacted by people as well who'd seen this thing, and they said, Graham, 'Have you seen what they've done?

They've secretly installed an app onto our phones.' And I said, 'No, no, no, they haven't. This is just your regular iOS or Android.' Did you use your Jesus voice?

'No, no, children, calm down.' I don't know if they had that.

'Let me advise you.' I don't know if they had such a classy English accent as that, but— Carole, what have you got for us this week?
CAROLE THERIAULT
Okay, so this one is a little tricky, tricky.

So this is all according to investigative security blogger Brian Krebs, that hundreds of thousands of potentially sensitive files from police departments across the US were leaked online last week.

And the whole thing has been named the BlueLeaks Archives. So this is not a tiny, tiny little dump. This is a huge treasure trove, 270 gigs strong.

I don't know, I was trying to work out how many pieces, if you're printing that off, how many files that would be. It's a lot, a lot, a lot.

Apparently it's the size of the typical computer back in 2009. So if your entire computer was just this, that's what it would be.
GRAHAM CLULEY
If you printed out a lot of polar bears are going to drown, basically, right? So don't do it.
ZOE KLEINMAN
Exactly.
CAROLE THERIAULT
How many pages? Exactly. We should write a little script that does that. That would be a very good thing to measure all this stuff.

So a group called Distributed Denial of Secrets, or DDoSecrets, I guess that's the way I could do it. So they're dubbed as alternative to WikiLeaks.
GRAHAM CLULEY
Because we need another WikiLeaks, don't we?
CAROLE THERIAULT
We need another one. It worked out so well for them. They've claimed responsibility for publishing the BlueLeaks archive.

And on Twitter, they have this Latin strapline, I guess, that loosely translates to something like, "To know the truth, let justice be done." All right.

You know, or expose the truth, let justice be done, something like that. My Latin's pretty rusty.
GRAHAM CLULEY
I'm sure it sounds better in Latin.
CAROLE THERIAULT
I actually studied Latin for 3 years. I should know exactly what it says, but I don't know.
ZOE KLEINMAN
I think I'd be really rubbish at being a data thief like this, because obviously we can't have, you know, you can't have any stolen data, you can't access it.

And I sort of think, thank goodness, because if somebody presented me with, what did you say, a load of files that would fit on a 2009 computer, pages and pages, I just think I can't be bothered.

I might read first 3 lines, go and have a cup of tea.
CAROLE THERIAULT
Very interesting, Zoe. Put that in your pocket. That's going to come up later. Very interesting.

So they said, so this DDoSecrets group on Twitter said that the BlueLeaks archive indexed 10 years of data from over 200 police departments and centralized interjurisdictional centers and law enforcement training and support resources.

Basically all the kind of systems that the authorities use across America.

And the perps behind this said that among the hundreds of thousands of documents were police and FBI reports, bulletins, guides, and more. So they reported this on Twitter.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
Now this group, DDoSecrets, I hate this name.
GRAHAM CLULEY
I'm very annoyed by their name.
CAROLE THERIAULT
Me too. You know, this is maybe going to tell new people who are going to try this to get a better name because podcasts matter.
ZOE KLEINMAN
They need better PR, don't they?
CAROLE THERIAULT
Yeah, exactly. DDoSecrets. Now, they started issuing tweets listing a smattering of agencies that were included in this big data dump.

So you had things like Austin Regional Intelligence Center, Boston Regional Intelligence Center, California Narcotic Officers Association, Delaware.

So you can say I'm going alphabetically. So it went on and on and on.

An official confirmed the leak to Brian Krebs from the authority side, saying that the data in the leak actually didn't span 10 years, but probably 24 years.

From August '96 through to June 19th, 2020.

And he says the documents included names, email addresses, phone numbers, PDF docs galore, images, large numbers of text, video, CSV, zip files. So a huge gamut of information.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
Now, it appears that the data published in the BlueLeaks archive was due to a security breach at a company called Netsential.

These guys are in Houston, Texas, and they are a web development firm that basically provide web managed services to loads of law enforcement agencies across the state.
GRAHAM CLULEY
So what did they do? Did they leave a bucket open or something, or some sort of—
CAROLE THERIAULT
Well, they told Brian Krebs they think that a compromised web user account was used, and that they used the web upload feature to upload malicious content.

And I wanted to ask you, can you harden a website against that?
GRAHAM CLULEY
But if you're accepting people's uploads, surely you would say, "Yeah, but no, no, no exes, please." Well, yeah, it depends what they're uploading, but I imagine they were uploading a bit of script or something, and hopefully you'd be able to sanitize that and prevent it.
CAROLE THERIAULT
So it doesn't look great on the authorities.
GRAHAM CLULEY
No, it doesn't. No.
CAROLE THERIAULT
It doesn't look great on the authorities that that got through. From what I've read so far, there's no accountability on their side on that front.

They're just saying they got through this way. Now, also, BlueLeaks Archive released on June 19th, which was known as Juneteenth.

This is the oldest nationally celebrated commemoration for the end of slavery in the US. So, all those are important facts for my— we're now going into the weeds, Zoe and Graham.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
From my point of view, right? From a political standpoint, the message is clear.

You cops don't play fair in your communities and across the state, so we're fighting back by putting all this information online. But there are a number of concerns online.

So Reddit has a number of posts on this with thousands and thousands of comments.

And it appears that when the documents were initially published, both victims of crimes and suspects of crimes were initially searchable in the database that they published.
GRAHAM CLULEY
Oh, so this isn't just data about police?
CAROLE THERIAULT
No. Oh.

One Redditor said that the BlueLeaks archive was searchable by reason for investigation, suspect's name, suspect address, suspect's birth date, known associates, bank account numbers, bank account routing, etc., etc., etc.
GRAHAM CLULEY
And this goes back to the mid-1990s?
CAROLE THERIAULT
'96.
ZOE KLEINMAN
The—
CAROLE THERIAULT
This commenter also explained something interesting, because they explained that there would probably be next to no police misconduct findings in this treasure trove.

And that's echoed by someone else, a lawyer that was representing one of the officials on this, because most of the information comes from these Interjurisdictional Investigation Coordinating Services.

So basically, if you were in Texas and you need to work with cops in Delaware, you would use these services to share information.

And you tend to use that in an investigative sense, not to put in reports of misconduct, because misconduct doesn't necessarily happen across jurisdictional borders.
GRAHAM CLULEY
Yeah, yeah, understood.
CAROLE THERIAULT
So you have this wave of people now saying, holy moly, guys, you just made things a heck of a lot worse for a fuckton of victims out there, right, who maybe are frightened of abusers.
GRAHAM CLULEY
Is that a metric fuckton, or an imperial?
CAROLE THERIAULT
Yes, it's a very important fuckton. Right.

So it's kind of frightening for people that, you know, if you think of abusers and criminals being able to find victims that have not been protected.

So it's yeshi, yeshi, yeshi, yeshi.
GRAHAM CLULEY
I mean, I think the idea of leaking data and people's personal information is horrendous anyway, regardless whether it's police people or criminals as well.

But if it's going back that length of time, then people will have moved house or their phone numbers will change.
CAROLE THERIAULT
Or changed jobs or no longer be cops.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
Or changed whatever. You know?
GRAHAM CLULEY
Well, they really are a true reflection of the way WikiLeaks used to work, aren't they?
CAROLE THERIAULT
This is really interesting because once the information got out that this database was available and accessible, getting accessed quite a lot, and people started stamping their feet online— this is only a week old, right?

And the DDoS Secrets team started redacting victims' names. But as I said, it's a humongous dataset, right? So people are saying they've definitely missed some.

You know, people are now online going, I've seen one here and I've seen one there. So in a way, they're kind of helping the been rejected, but how many times has it been downloaded?
ZOE KLEINMAN
That's going to take a while, isn't it?
CAROLE THERIAULT
I think my big worry here is that they got their hands on the data, and because they definitely wanted to get it out on Juneteenth for the PR impact, they didn't have enough time to do their due diligence.
GRAHAM CLULEY
Oh, I see.
CAROLE THERIAULT
And they didn't scrub the data properly. So, you know, I kept reading this going, why didn't they just wait? Why didn't they just do it properly?

And it's because they wanted to hit that date. It's a very important date, not only this year, but in the States every year. So I can understand that.

But at the same time, you know, when you are going to out some wrong, you need to protect the innocent. Otherwise, it turns you into a villain.
GRAHAM CLULEY
I don't think you should call it scrubbing the data, by the way. I think you should probably call it airbrushing, which is the term of the podcast, I think.
CAROLE THERIAULT
The term of the podcast, airbrushing.
GRAHAM CLULEY
If we had an airbrushing expert on the podcast, we'd be able to talk to them about that.
ZOE KLEINMAN
I tell you what interests me about this story, actually, moving away from the airbrushing. This is a debate that we have at work sometimes.

Time is for me, there was a real change in tech reporting at about the time of WikiLeaks.

Because up until then, the way in which a message was communicated was as interesting as the message itself.

You know, going back into the archives, we did stories that are, man orders pizza on internet, you know, because it was so amazing that he'd done it.

Now these days, that would not be the story. The story would be what was on the pizza, or what happened to the pizza, or did the man die, or you know what I mean.

And with WikiLeaks, it felt like a shift from, you know, this is not a tech story because this information was leaked via email.

And in the old days, that would be, "Oh, right, email, that's a tech story." But actually, the global politics of the content of those messages was much more important.

And so it became not a tech story, it became, you know, a global politics story. And I sort of feel I struggle still with that now.

I'm thinking about this BlueLeaks story of yours and thinking, is the story the leak itself, or is the story, as you said, the victims who are named within the leak?

Is it a data story, or is it a politics story? Where would you put it? It's interesting, isn't it?
CAROLE THERIAULT
No, it's completely interesting. I kind of get it. I get their idea of, hey, if we're going to gain trust into everything, we need to have full transparency.

But, you know, but as we learned with Julian Assange's Icarus moment, there's also— Responsibility is an important role to play.

You can't just put out information with people's names in it and expect everyone to go, "Oh, well done. Thanks so much for that," especially if there's victims through it.

So I think they got this huge treasure trove and they didn't read it. So the same as you were saying earlier, someone put that on my desk, would I go through it all?

I think they said exactly the same thing.
GRAHAM CLULEY
Julian Assange's Icarus moment. You make it sound like he launched himself from the Ecuadorian balcony.
ZOE KLEINMAN
Balcony.
GRAHAM CLULEY
That's not how he came out.
CAROLE THERIAULT
Do you think he's feeling a bit burned now? Maybe you want to read your—
GRAHAM CLULEY
Maybe from his tanning salon. Well, he had the tanning machine in there, didn't he?
CAROLE THERIAULT
Really?
GRAHAM CLULEY
I think so.
CAROLE THERIAULT
Anyway, you know, look, we all poop, right? But very few of us chose to do it publicly. So I just think you shouldn't.
GRAHAM CLULEY
How do you know we all poop? Have you got any evidence of that?
CAROLE THERIAULT
But I know you poop. You're an innocent pooper.
GRAHAM CLULEY
Stop making assumptions. When I'm around your house and I go to the lavatory, you've got no idea what goes on.
CAROLE THERIAULT
Are you having trouble remembering your plethora of passwords? Maybe it's time you look to get a password manager.

LastPass by LogMeIn is a password manager both for consumers and the enterprise.

In a company, you get extras like central admin oversight, controlled shared access, automated user management, and everything is protected with multifactor authentication.

Learn more at lastpass.com/smashing. Oh, and if you're a home user, LastPass is available for free, so check it out— lastpass.com/smashing.
GRAHAM CLULEY
The folks at MetaCompliance are fabulous, not only because they're sponsoring our podcast this week, but also because they're offering listeners a free cybersecurity awareness for dummies book.

In the guide, you will learn what cybersecurity awareness means for your organization, how to implement a cyber risk awareness campaign, the critical role of policies to establish safe baselines, how to maintain momentum and staff engagement, 10 cybersecurity awareness best practices, and oodles, oodles more.

Grab a free copy of the Cybersecurity Awareness for Dummies book from MetaCompliance now at smashingsecurity.com/cyberaware.
CAROLE THERIAULT
Back to the show.
GRAHAM CLULEY
And welcome back. And you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week. Zoe, I'm sorry.
ZOE KLEINMAN
Can you say it too? Oh, sorry. Yeah. Pick of the Week. Yay.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, mine's not security-related, but it is maybe privacy-related.
ZOE KLEINMAN
Mm.
GRAHAM CLULEY
So, you know how people have been taking up new habits over lockdown? You know, they thought, "Oh, maybe I'll become an artist. Maybe I'll do something." Is that a dick? No, no, no.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Maybe I'll read a book about, I don't know, whatever, or learn to play the piano.

I have a website, and I like nothing more, if I have a spare moment, to tinker around with my website. And I think, oh—
CAROLE THERIAULT
Oh my God, is your website your pick of the week? You finally get a bit of traffic?
GRAHAM CLULEY
No, no, not quite, not quite.
CAROLE THERIAULT
So freaking obvious. Oh my God.
ZOE KLEINMAN
Is that how this works? I didn't realise.
GRAHAM CLULEY
So it's a WordPress website, right? And I had Jetpack installed, which was mostly for WordPress stats, but it slowed down my site.

I also had Google Analytics, which is free in quotes. I didn't really like that they were getting all that data and it felt uncomfortable.

And I want stats on my website because I have sponsors on my website and occasionally they say to me, do you get any visitors on your website, Graham?

And so it'd be nice to be able to say to them, yes, I do. I do, but I don't want to use Google Analytics anymore, right? And I don't want to use WordPress's Jetpack thing.
CAROLE THERIAULT
So?
GRAHAM CLULEY
So I started looking for something more privacy-conscious to measure my traffic instead, and I came across something which doesn't track bounce rates, which I couldn't care about, or the time a visitor spends on a page, and it is called KokoAnalytics.

Koko with Ks. It is a free open-source WordPress plugin and it's marvelous. Marvelous.
CAROLE THERIAULT
And so how long have you been using KokoAnalytics to call it marvelous?
GRAHAM CLULEY
I've been using it for a few weeks.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Quite happily. And there is an equivalent service called Fathom Analytics, which will work on any website. They seem to be based on the same code base.

That is one which you pay for, although there's also an open source version on GitHub as well.
CAROLE THERIAULT
So this is a pick of the week for people that run websites and would like to remove some of the sluggishness and the privacy issues from Google Analytics. Right. Yeah.
GRAHAM CLULEY
There's loads of people out there who run little websites and just by default are using Google Analytics, which is overkill, and it's given all that data and information to Google.
CAROLE THERIAULT
Was it hard to move over?
GRAHAM CLULEY
Oh, golly, no. It's an absolute doddle.
ZOE KLEINMAN
So you can—
CAROLE THERIAULT
So if you have any trouble moving over, just tweet Graham and he'll give you a hand. Fantastic. Graham, you're awesome. You guys.
GRAHAM CLULEY
It's a bit nerdy, but there you go. Zoe, what's your pick of the week?
ZOE KLEINMAN
Well, I was going to tell you about a TV show, but now I'm wondering whether my pick of the week should be my podcast.
CAROLE THERIAULT
Definitely should be.
ZOE KLEINMAN
But first, let me tell you about my actual pick of the week, because I am not a great binge watcher of TV. I don't know why. A busy life, I just, I can't be bothered to, you know.

When you see a series and they go, there's 5 series of this and each series has got 30 episodes, and everyone goes, yeah, brilliant.

And I think, oh no, that's half my life that I'm not going to get back.
CAROLE THERIAULT
Oh, that's when I go make a ginormous bowl of buttered peppered popcorn, settle down for about 5 hours.
ZOE KLEINMAN
You'd dive in, would you? Oh, I can't. I very rarely do it. I find it really hard to do it. But my partner told me about this series on Amazon Prime.

I've sort of forgotten about Amazon Prime. There's so much video streaming out there now, isn't there? I'd forgotten all about it. But they've made this show called Upload.

And I watched it all in 3 days. They're only 25, 28 minutes or something, I think, each episode. So, it's doable and there's about 10 of them.

And what really freaked me out about it and gripped me was that it's set in the not-so-distant future, really.

So, basically, there's a guy is killed in a driverless car crash, right? The car drives into a parked vehicle and he dies.

And there is this company that's, I guess, kind of Google-esque in a way, that offers a digital afterlife.

They found out a way of uploading your brain at the point of death and then kind of recreating you within this virtual world as an avatar, and you just carry on.
CAROLE THERIAULT
I watched this, actually. I watched—
ZOE KLEINMAN
You've seen it?
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
Oh, you've seen it? Have you, Chris?
CAROLE THERIAULT
Yeah, because there's one scene — so that avatar thing, right? At one point, doesn't she — because she's real, his girlfriend's still alive, and he's dead.
GRAHAM CLULEY
They don't get it on, do they? Virtually.
ZOE KLEINMAN
Yes.
GRAHAM CLULEY
Oh, for goodness sake.
ZOE KLEINMAN
You have to pay, don't you? It costs a fortune to fuck the dead.
CAROLE THERIAULT
What?
ZOE KLEINMAN
What?
CAROLE THERIAULT
Oh, sorry.
ZOE KLEINMAN
You have to pay for — you have to pay a fortune to be uploaded. And so this guy has this very rich, beautiful heiress girlfriend who pays for him to have this.

And there's sort of scenes where he's staying in what looks like a big hotel by a lake, and when he goes to the fridge to get a drink, it's an in-app purchase, you know.

And his clothes, he has to sort of buy an in-app purchase. And I just loved — I mean, it's funny. It's had mixed reviews, but it's quite funny, isn't it?
CAROLE THERIAULT
You say it's Black Mirror light.
ZOE KLEINMAN
Yeah. And you know, there's that they are able to communicate with people who are still living.

So he's got this girlfriend who's still alive, who's very beautiful, but they don't really get on. They fancy each other, don't they?

So there's some really interesting scenes in which they're sort of using this.
CAROLE THERIAULT
She's so much more polite than me. It's true.
GRAHAM CLULEY
It's not difficult.
ZOE KLEINMAN
This virtual reality suit to try and sort of —
CAROLE THERIAULT
You might be into that, Graham, getting on one of those suits. It's like a sumo wrestler suit with feelers.
ZOE KLEINMAN
Yeah. It's really sexy.
CAROLE THERIAULT
It's very sexy. Yeah.
GRAHAM CLULEY
Zoe, tell us about your podcast.
ZOE KLEINMAN
Oh, have you had enough of this now?

And there's one bit where he decides he doesn't want to be sort of sponging off the heiress girlfriend anymore, and he wants to go alone, but he hasn't got any money.

And so he — the lowest tier that you can have is something that I think all phone users will recognise. You get a data limit, you have a data plan, right?

And once your data plan runs out, you're just kind of frozen until the next month rolls around.
CAROLE THERIAULT
I forgot that.
ZOE KLEINMAN
That was a really good one. Interesting.

Yeah, and it was just such a — and they're like, you know, everything uses data, so you can't think too much because that uses data, and you've got to try and kind of slow your life right down so that you eke out enough data to kind of exist, you know, because you can't carry anything.

It was just a really interesting idea.
CAROLE THERIAULT
I think the Clueleys would like it.
ZOE KLEINMAN
You should try it.
GRAHAM CLULEY
Shall we let Zoe plug her podcast now?
ZOE KLEINMAN
Oh, thank you. Yeah, so Backspace and Beyond, which is my other pick of the week, is a podcast that I do with a friend of mine, Susanna.

She's a business journalist and I'm a tech journalist, and we just sort of started doing this thing where we thought, you know, we just want to chat about some of the week's news.

And because we come at it from very different perspectives— she knows all about the investment and the money, and I sort of know more about the tech and the gadgets, I guess— it's just kind of become something that's worked really well.

We started doing it thinking nobody's going to listen to it, and then about a month ago we got a call from Radio 2 because Steve Wright, of all people, had found it and liked it.

I know, and I know it's a— I know you're going 'Yeah, well, you work at the BBC, you guys know each other.' No, no, but we really don't.

We really don't, I was amazed that he'd sort of found it. So, it's just a little kind of project that's become a really fun thing to do.

And then lockdown happened and we were like, 'Well, what on earth are we going to talk about? You know, we haven't got any content anymore. We can't see each other.

This is going to be really hard.' But actually, it's not that bad, is it?

Like, we're doing it now, you know, you sort of get used to talking remotely and I guess sort of broadcasting remotely and it's not been as difficult as we thought to keep it going.

So yeah, we're quite proud of it.
GRAHAM CLULEY
Talk about all kinds of interesting things. Fortnite skins, lingerie searches, and orgasm algorithms.
CAROLE THERIAULT
Did you say foreskins?
ZOE KLEINMAN
That's a different podcast.
GRAHAM CLULEY
No.
CAROLE THERIAULT
It's 'cause it's after dark.
GRAHAM CLULEY
I don't think I— I'm just trying to get her some clicks. I'm just saying some keywords here, which I've seen. Carole, what's your pick of the week?
CAROLE THERIAULT
Well, from Blue Leak Archives to the Magnus Archives. Oh yes, I've chosen that one specifically for this week.

So this is by no means a new podcast, it's been around for years, but I hadn't gotten around to listen to it until the Rona hit.

So, this podcast has won many awards, strong, strong Patreon backing, consistently puts out high-quality shows.

I've listened to over 100 of them, but they're nothing like us, they're nothing like Smashing Security. They're really good, Graham.

So, okay, it's a weekly horror fiction anthology podcast. Okay, so I know right now it's not for either of you two.

Zoe, you've made it clear that it's like hearing that there's more than 100 shows, you're probably just—
ZOE KLEINMAN
Oh no, yeah, exactly, sick. Sorry.
CAROLE THERIAULT
And Graham hates anything that's fictitious. So, so you guys are not my audience. I'm talking to you listeners out there. Okay, we're ignoring these two.
ZOE KLEINMAN
We'll just go, shall we, Graham?
CAROLE THERIAULT
Yeah, yeah, you guys just go. It's basically, think Sherlock Holmes with an X-Files-y twist. Okay, that's the easiest way I can explain it.

So you've got stories are written and really written really well and narrated super well by Jonathan Sims. And they're directed by Alexander Newell. They're a great little team.

There was one, for example, where the person kills a spider, right? Spider, they move into a flat, they see a spider, they kill the spider.

The next day, spider's in the same spot looking at them directly with their little 8 eyes.

She kills again, shows up closer, and ends up being in her face when she wakes up in the morning.
ZOE KLEINMAN
Oh my word.
CAROLE THERIAULT
So it's all kind of cute, old-school kind of scare stuff.
ZOE KLEINMAN
So I also hate spiders, so you're scaring me even more. There's 100 episodes and they're all about spiders.
CAROLE THERIAULT
Yeah, I know, you'd hate that episode. You'd hate that episode.
ZOE KLEINMAN
One of the worst spider stories I think I ever heard was on Planet Earth, you know, in this big nature documentary thing.

Oh my God, this thing is called something like the spider viper, right? It's a massive snake, enormous, scary snake, poisonous snake.

And it hides in spiders in the little crevices in the cliff tops. And on the end of its tail is this thing that looks like a big spider.

So it sticks its tail out the end, waves it about, so it looks like this big spider, right? And the birds fly and go, "Ooh, that looks like a spot of lunch.

I'll go and have that." Get close to the spider viper, at which point it flips around and goes, "Aha, you idiots!" What kind of evil thing is that?
CAROLE THERIAULT
You know what, that's deepfakes. That's a true deepfake.
ZOE KLEINMAN
I couldn't believe it. I watched it with the children and I was— they thought it was amazing, of course, and I was hiding behind the sofa.

Oh my word, I need to find out where these things are so I can permanently avoid them. I feel like, you know, oh, even talking about it is making me shiver.
CAROLE THERIAULT
I don't even listen to horror. I never watch horror, don't listen to the stuff, I don't seek it out. But I really, really love listening to this.

So thank you so much, whoever recommended me. I can't remember who it was. It's great. Magnus Archives, a great horror podcast with excellent pace, writing, and delivery.

Check it out wherever you get your podcasts from, and I'll put some links on our Smashing Security page.
GRAHAM CLULEY
Marvelous. Well, I think that just about wraps it up for this week. Zoe, I'm sure lots of our listeners would love to follow you online and see what you're up to.

What is the best way for folks to do that?
ZOE KLEINMAN
I am most commonly found on Twitter, where I am @ZSKleinman. ZSK.
GRAHAM CLULEY
How cool is that? You have a 3-letter—
CAROLE THERIAULT
So cool. You must be so jealous, Graham.
ZOE KLEINMAN
Well, do you know what? There's also a German rock star who— I can't quite figure it out. I think it could be a band actually.

His or their Twitter handle is the capital ZSK, because I always know when he's in concert because suddenly all these amazing German rock fans start tweeting me about how brilliant I am in the stadium, and I'm like, yeah!
GRAHAM CLULEY
I love that. And you can follow us on Twitter @SmashInSecurity, no G and no German rock stars. Twitter wouldn't allow us to have a G.

And you can also join us on Reddit in the Smashing Security subreddit.

And don't forget, if you want to be sure never to miss another episode, subscribe in your favorite podcast app, Apple Podcasts, Spotify, or Pocket Casts.
CAROLE THERIAULT
And of course, huge, huge thank yous from us for listening, for supporting us, for sharing the pod. It means the world to us.

Also, thank you to this week's Smashing Security sponsors, MetaCompliance and LastPass. Their support helps us give you this show for free.

Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
GRAHAM CLULEY
Until next time, cheerio. Bye-bye.
ZOE KLEINMAN
Bye.
CAROLE THERIAULT
Zoe?
ZOE KLEINMAN
Oh, bye. But at one point I had a problem with my bitcoin wallet that I was using the local exchange and I had a problem with it.

And the guy who ran the exchange, who I'd also interviewed for this piece, he said, oh, look, I'll just stick a little bit in there for you just so that you can — I think it was, I think it was when we were buying the pints.

For some reason it wasn't working. And he put whatever it would be, £4 or £5 worth of bitcoin in this account, right, so that I could buy these drinks for the thing.

And afterwards came back, did the piece, whatever, forgot all about it. And then suddenly there was that thing, wasn't there?

It's Christmas one year when suddenly bitcoin was worth 20 grand.
GRAHAM CLULEY
Oh yeah, right, yeah.
ZOE KLEINMAN
And everyone at work is sitting there going, oh, if only we had bitcoin. And suddenly I went, oh, hang on, I've got bitcoin!

Because I can't remember, I couldn't remember, but you know, he'd put in a little bit more money than the drinks actually cost.

There was a little bit of bitcoin sitting in this long-forgotten wallet of mine. So I was right, I gotta dig this out. So I dug it out, found it.

It was quite hellish 'cause of course I couldn't remember what on earth I'd used to get into it, but I managed to get back in and it was worth about £200, right?

This little bit of bitcoin. I thought, well, you know, this is an interesting scenario. I don't know what I'm gonna have to do with this.

I'm gonna have to give it to charity or something. I can't keep it, but you know, I'd to sort of access it.

So I went all the way through this, I want to withdraw my bitcoin, yes, I want to do it in British pounds, yes, blah, blah, blah, through we go.

And then I hit this wall where it goes, currently you can't withdraw your bitcoin in pounds, but try later. So I'm oh, okay.

So I, you know, do that thing where you refresh, refresh, refresh, it's not happening. Oh God, I'm going to have to wait till tomorrow. So I wait till the next day, still nothing.

I wait a month, still nothing. I wait 6 months. And actually, I think I last tried it about a fortnight ago and I still can't get it.

And now I don't know 'cause bitcoin has massively slumped back down again.

I don't know whether — because I hit exchange it to pounds at that moment — I don't know whether it's still worth £200 or whether it's now 54p or something.

I feel completely in limbo here.
GRAHAM CLULEY
You should hold on, Zoe, because John McAfee is pretty convinced that by the end of the year, one bitcoin will be worth a million dollars.
CAROLE THERIAULT
Yeah, he's so smart too.
ZOE KLEINMAN
Oh, okay.
CAROLE THERIAULT
I definitely take tips from him.
ZOE KLEINMAN
They definitely won't let me take it out there, will they?
GRAHAM CLULEY
He has promised to eat a part of his anatomy live on TV if it's not found to be true. So, you know, there's your incentive.
ZOE KLEINMAN
Okay, well, it must be true if that's the case. I'll hang on until — did he give an exact date for this? Is it the sort of that Mayan calendar thing?
CAROLE THERIAULT
Yeah, plus he has a vanity bitcoin address that you can use.
ZOE KLEINMAN
Oh yes, excellent. Is it John McAfee loves you?
CAROLE THERIAULT
Yeah.
ZOE KLEINMAN
3, 2, 1.

Hosts: Graham Cluley, Carole Theriault

Guest: Zoe Kleinman – @zsk

Sponsor: LastPass

LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.

But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.

Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.

Sponsor: MetaCompliance

People are the key to minimizing your Cyber Security risk posture. Create a more security-conscious workforce with MetaCompliance’s Cyber Security Awareness for Dummies book. Download it for free at smashingsecurity.com/cyberaware now.

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
