Smashing Security podcast #189: DNA cock-up, Garmin hack, and virtual kidnappings

Industry veterans, chatting about computer security and online privacy.

Why are students faking their own kidnappings? What’s the story behind Garmin’s ransomware attack? And a genetic genealogy website suffers a hack or two.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Ray [REDACTED]

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
CAROLE THERIAULT
Hi everyone, Carole Theriault here. We just wanted to reach out and give a huge thank you to some of our amazing Patreon supporters.

This week we give a shout out to Fantastic Wolf, Divorced Pop, Andrew Minko, 636B, Dave Barker, Susie V, Heisenberg, Eric Hoople, Robert Martin, Dave B, Habmala, Thom Courtney, Matt Weir, and Alex.

Thank you all. We couldn't do this without you. If you want to join our Patreon community, we would be thrilled to have you.

Check out more information at smashingsecurity.com/patreon. Now let's get this show on the road.
RAY [REDACTED]
Last Thursday, millions of people noticed that their Garmin watches were no longer tracking that activity or any GPS data.
CAROLE THERIAULT
Oh my God, they didn't know where they— where am I?
RAY [REDACTED]
You certainly did not know where you were.
GRAHAM CLULEY
What is the point of living anymore if my steps are not being counted?

Smashing Security, Episode 189: DNA Cockup, Garmin Hack, and Virtual Kidnappings with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security, Episode 189. My name is Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And this week, Carole, we are joined by a special guest, someone who's never been on the show before. It is the mysteriously named Ray [REDACTED].
CAROLE THERIAULT
Newbie Ray.
RAY [REDACTED]
Well, hello.
GRAHAM CLULEY
Hello, Ray.
CAROLE THERIAULT
Hi, Ray.
RAY [REDACTED]
Hello, it's good to be here. I'm a super fan. So now I get to actually be on the podcast.
CAROLE THERIAULT
Oh, that's very exciting. Now, what three things should our listeners know about you?
RAY [REDACTED]
First of all, my name is Ray [REDACTED].

Second of all, I was not born with that name. That was not the name that my parents gave me when I was born.

And third of all is I have a brand new podcast called Tribe of Hackers Podcast. That's tohpodcast.com that I've just launched during the pandemic.
GRAHAM CLULEY
And what happens on Tribe of Hackers?
RAY [REDACTED]
Well, we actually talk to members of the tribe of hackers. There have been several books written by Marcus J. Carey and Jennifer Jenn, including Security Leaders, including Red Team, and an upcoming Blue Team book.

And we basically just chit-chat and talk about current events and everything security-related.
GRAHAM CLULEY
Hang on a minute. What made you think that there was space in the marketplace for another cybersecurity podcast? Did you not think actually—
CAROLE THERIAULT
Graham, Graham, Graham, didn't you hear him? He talks to the bad guys. We talk to the good guys.
RAY [REDACTED]
Oh, no, no, no.

We're not letting you use the hacker term as a negative connotation. No way.
GRAHAM CLULEY
Carole, what is coming up on the show this week?
CAROLE THERIAULT
Well, first, let's say thanks to this week's sponsors, LastPass and Immersive Labs. Their support helps us give you this show for free.

Now, coming up on today's show, Graham delves into a DNA cock-up, Ray questions whether Garmin should pay the ransomware or not, and I'll be looking at an international phishing scam with pretty shitty stakes.

All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, chums, I want to take you back in time once again.
CAROLE THERIAULT
It's always going back in time.
GRAHAM CLULEY
I love going back in time. The thing is, Carole, I am—
CAROLE THERIAULT
What, when you were young and hip?
GRAHAM CLULEY
Hey, look, Ray understands, right? There's a global pandemic going on, right? Our hair makes us look like we're living in 1974 right now, okay?
CAROLE THERIAULT
That's true. I'm more of a Farrah Fawcett now than I was six months ago.
GRAHAM CLULEY
Well, between 1974 and 1986, there was a serial killer and rapist known as the Golden State Killer operating in California.
RAY [REDACTED]
Yes.
GRAHAM CLULEY
He was at large. Oh, have you heard of this?
CAROLE THERIAULT
Oh yeah, yeah, yeah. This was a big deal. This was a huge deal in my neck of the woods too.
GRAHAM CLULEY
Oh really?
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Well, he was also known as the Original Night Stalker and the Diamond Knot Killer.

And he is thought to have killed at least 13 people, been responsible for 50 rapes and over 100 burglaries. Not a terribly nice chap.
CAROLE THERIAULT
I was just gonna say, thanks so much for bringing us joy. Me and our listeners.
GRAHAM CLULEY
Well, there might be a happy ending, or there might not. Let's find out. For decades, the cops investigated.

Yeah, they were interviewing suspects left, right, and center, and then they'd clear them.

They'd say, oh, well, your alibi turns out, yes, all right, you were with Granny that night, or the DNA doesn't match the evidence.

And the evidence wasn't pointing in any particular direction.

There was a good chance that they were never going to solve the crime and unmask the Golden State Killer, because, you know, coming on for almost 50 years.
RAY [REDACTED]
Cold case getting really cold after 50 years.
GRAHAM CLULEY
Until April 2018, when they arrested a chap called Joseph James DeAngelo, 72 years old. And DeAngelo, well, he coughed up and he admitted it.

He said, "Yep, it's me." He had a good reason to do that, which was he wanted to be spared the death sentence.

So he did a plea deal and he said, "Yep, I admit killing these 13 people, the kidnappings, numerous other crimes, the rapes, everything else." Wasn't he a former cop or something?

Yes, he was.
RAY [REDACTED]
Yes!
GRAHAM CLULEY
You do know about this. Yes, he was a former police officer. Yeah, yeah. Now, whether that gave him any advantages in covering his tracks, I don't know.

So, interesting thing was, how after all of this time did the police manage to find him? And it's quite a fascinating story.

I knew nothing about this particular case until I began reading about this in the last day or so.

It turns out the vital clue was DNA, which was collected at the scene of a double murder in Ventura in 1980.

And what the cops managed to do was they used an online genetic genealogy database, and they built a complex family tree dating all the way back to the 1800s with a partial match on the DNA.

And they found someone who was DeAngelo's great-great-great-great-grandfather.
RAY [REDACTED]
Oh, wow.
GRAHAM CLULEY
Now, obviously, it wasn't the great-great-great-great-grandfather with a time machine and a stick of bubble gum or something, who traveled through time and committed the murders.

But what that meant was they were able to go down the family tree and say, okay, well, who's descended from them? Who may be related to them?

And they came up with 1,000 people, a shortlist, as it were, of 1,000 people. And over a few months, the investigators eliminated them based upon their age or their sex.
CAROLE THERIAULT
It's just incredible.
GRAHAM CLULEY
I mean, it is incredible.
CAROLE THERIAULT
I mean, 1,000 people, I mean, still sounds a lot of people. The number of cops that were on this during his reign of terror, you're looking at 10 million people.
GRAHAM CLULEY
So the cops had done this incredible thing, and they'd eliminated all the potential 1,000 suspects until only DeAngelo remained. But they have to prove that it really is DeAngelo.

So they tailed him, right? You know, you tail someone, Ray, right? You're American, yeah?
RAY [REDACTED]
Sure.
GRAHAM CLULEY
Yeah, you get your box of doughnuts, right? And you just hang out outside their house for a while, right? And you follow them around. Yeah, that's what you do. You have a buddy.

Do you have a buddy?
CAROLE THERIAULT
Wouldn't it be smarter to offer him a doughnut? Get the DNA that way, and it's to give it back.
GRAHAM CLULEY
I don't know if that's legal. I don't know.

Once you've given someone a doughnut, to then take it back and use it as criminal evidence, you might need a warrant for that, I don't know.

Anyway, they tailed him and they picked up some of his DNA. Now, you have to be careful picking up people's DNA to make sure that it's evidence you can actually enter.
CAROLE THERIAULT
What, rather than putting your DNA all over it?
GRAHAM CLULEY
Well, you can't, for instance, grab a piece of his hair, you know, or do a swab without his permission. Apparently, he helpfully discarded some of his DNA.

In all the reports I've read, they've not gone into detail. Okay, well, there you go.
CAROLE THERIAULT
The way they always did it in Law & Order, right, was that they would have a chat with someone, offer someone a coffee, and then when they'd throw it out, grab the cup, right?
GRAHAM CLULEY
Oh, I see. I was thinking maybe he'd blown his nose or something and just chucked the tissue into a garbage can.
RAY [REDACTED]
Well, we're constantly discarding DNA all the time.

The challenge for the police officers is to maintain the chain of custody. We all learned this during the O.J. Simpson trial way back in the day, remember?
CAROLE THERIAULT
Yeah, Graham must love that story too. That's old.
GRAHAM CLULEY
Well, bingo, they made a match to his DNA. And hurrah, huzzah, huzzah, everybody was happy, right, that they caught this chap.
CAROLE THERIAULT
Well, except for him, I imagine.
GRAHAM CLULEY
Well, you know, maybe he's relieved. Wouldn't have to worry about it, right?
CAROLE THERIAULT
Yeah, he's not—
GRAHAM CLULEY
Finally, I've got meals for life. I've got a roof over my head.
CAROLE THERIAULT
Yeah, my retirement plan wasn't very smart. This is excellent.
GRAHAM CLULEY
Now, some people weren't happy. Because some people gave their DNA details to sites like GEDmatch, G-E-D-match, to work out their family trees, not for the cops to dig through.

So when this really high-profile case was publicized and how the cops got them, GEDmatch did get it in the neck a bit from some of the users who said, hang on a minute, what do you do?

This isn't why I did this. What I want to do was increase my family tree, not to help law enforcement searches. So GEDmatch gave its million-plus users the choice to opt in.

Yeah, I was surprised too. Opt in if they wanted their data to be available for law enforcement.
CAROLE THERIAULT
I think that's excellent.
GRAHAM CLULEY
Isn't it?
CAROLE THERIAULT
It should be.
GRAHAM CLULEY
They did all the right things. Big privacy warning, opt in if you want.
CAROLE THERIAULT
Well done, GEDmatch.
GRAHAM CLULEY
And apparently a couple of hundred thousand people did opt in, right? They thought, yeah, I want to help, those sort of things.

So, you know, good that they did it the right way around. Everything was fine and dandy, and there ends the story. A success. Not so good.
CAROLE THERIAULT
What a lead-up.
GRAHAM CLULEY
Because—
CAROLE THERIAULT
10 minutes in.
GRAHAM CLULEY
When—
CAROLE THERIAULT
Dun dun dun!
GRAHAM CLULEY
When users logged into GEDmatch on July 19th, they got a nasty surprise.

Because what happened was everybody's profile, the settings had been updated so they were no longer hidden from the police.

They were all now configured to be available for the cops.
CAROLE THERIAULT
So did the company GEDmatch, did they change their default setting? Is that what happened?
GRAHAM CLULEY
No, the company hadn't done it.

What happened was a hacker had come in and changed everyone's setting, which meant that profiles were updated so the police could use them for their own investigations.

Not very good at all.
CAROLE THERIAULT
Interesting that a hacker would make them available to authorities, isn't it?
RAY [REDACTED]
And questionable. But, you know, that's actually called something.

That's actually called involuntary opt-in. And Facebook has kind of pioneered the involuntary opt-in when it comes to your privacy rights changing.
GRAHAM CLULEY
Are you suggesting Mark Zuckerberg did this?
RAY [REDACTED]
No, I'm suggesting that an interested party may have had a motive to change those settings across the board.
GRAHAM CLULEY
Who possibly would have a motive for searching many, many more people's DNA data?
CAROLE THERIAULT
I don't know. Let me think. This is going to get political really quickly, isn't it?
GRAHAM CLULEY
So that's a little bit odd. And that happened on July 19th. And then, so that was the first hack, and then two days later something else happened.

Another genealogy website, one based in Israel called MyHeritage, said that its users have been targeted by a phishing attack trying to steal their passwords.

And what was the common denominator between all those targeted users of MyHeritage was that their email addresses had been the ones they had also been using at GEDmatch.

So a hacker had taken email addresses from GEDmatch and targeted MyHeritage users as well in order to gather more data.

So this appears like a concerted effort to get hold of an awful lot of data about people.
RAY [REDACTED]
Sure.
CAROLE THERIAULT
Yeah. And it's problematic because, for example, you, Graham, might decide never to take part in one of these sites, right? However, your brother might say, yeah, yeah, I love this.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
And then if for whatever reason someone wanted to get at you.
GRAHAM CLULEY
Oh, yeah. My brother's always been very free and easy with his DNA. It's going here, left, right, and center.
CAROLE THERIAULT
Do you mean he has lots of girlfriends?
GRAHAM CLULEY
And maybe I'm— I wouldn't like that.
RAY [REDACTED]
And that's actually the main key issue is that any one of your distant relatives can make that choice and you are therefore dragged in as well. Yes!
GRAHAM CLULEY
Mad Uncle Andy.
RAY [REDACTED]
And I will tell you, one of the things that I always recommend to people, you know those knowledge-based authentication questions like what street did you grow up on or what was your first pet?

I always tell people to lie on those, right? But with DNA, you can't.

If you send in fake DNA to 23andMe or one of these other companies, they will reject it and send it back and say you violated our terms of service, and they'll even threaten to sue you.
GRAHAM CLULEY
Oh, so I can't send in my dog's DNA, for instance?
RAY [REDACTED]
Well, certainly not the dog's, but I'm talking about if you wanted to put an entire different human DNA in there, you're going to have to co-conspire with a lot of your relatives because they use genealogy databases to cross-correlate.
CAROLE THERIAULT
They could probably sue you as well, only on the basis of you stealing someone else's DNA, because you can't make up DNA.
RAY [REDACTED]
Oh, actually, there is synthetic DNA, but it does not look very human at all.
CAROLE THERIAULT
Exactly. I don't know if it's gonna fool them.
RAY [REDACTED]
But people have tried these things, right? When 23andMe first came out, that was the first big commercial enterprise.

You know, they sold it as, "Oh, we're gonna find all these diseases that you don't know you have, or these things that you can take for yourself." But what they didn't really tell you is that they were also looking at the diseases of your cousins and your grandparents and your uncles.
CAROLE THERIAULT
And if they share that with insurers, fun times.
GRAHAM CLULEY
So anyway, GEDmatch, they say they were victims of a sophisticated attack.
RAY [REDACTED]
Sophisticated.
GRAHAM CLULEY
Yes, exactly. Oh, those are the worst kind, aren't they? No one ever says, "It was really dumb, actually. Yeah, our password was password1.

That's how they got in." No, it's always a sophisticated attack. On one of its servers, via an existing user account. I'm not sure what that means.

I wonder whether maybe the hacker came in through a staff account or something.

But as a result of the breach, they say all users' permissions were reset, making profiles visible to all users. They say it was only open for everybody for 3 hours.
RAY [REDACTED]
It certainly cannot be exfiltrated in 3 hours. I mean, my goodness, right? That's mathematically impossible.
GRAHAM CLULEY
Absolutely impossible. Utterly impossible. You'd have to have something like a computer to help you.
CAROLE THERIAULT
But surely they'd have log systems to be able to see what's being ciphered out.
RAY [REDACTED]
Oh, but the logging was disabled miraculously and weirdly, right?

At the same time, Carole. I will tell you, I was actually shocked to find out how small our DNA files are.

They're really not nearly as— you would expect yours to be hundreds of gigabytes or something, but it'll actually all fit on a single DVD or I think even maybe even a CD-ROM if you remember those.
GRAHAM CLULEY
A LaserDisc, a 360K floppy?
RAY [REDACTED]
No, not the floppy. Even the one with the hole punch on the other side so that you can flip it over.

That's not going to hold your entire DNA, but it's not a super amount of code. And, you know, it can be compressed as well. So.
GRAHAM CLULEY
Hmm. Well, one thing I found is that some of these genealogy sites actually publish transparency reports.

So they're open and they say, look, we have disclosed our user details to law enforcement. So 23andMe and Ancestry, for instance, they do that.

So they've been a little bit more open things. GEDmatch doesn't offer that.
RAY [REDACTED]
Yes.

And on the transparency reports in the United States, they cannot publish if they have an NSL. That's a national security letter.

By law, you're not allowed to divulge if you've even gotten one of those, much less if you've acted on it.
GRAHAM CLULEY
But you could have a canary, I suppose, couldn't you?
RAY [REDACTED]
We haven't seen that work yet, Graham.

In theory, people have said that that might work, but it has not been widely adopted to success.
GRAHAM CLULEY
Right, right.

Well, certainly big questions as to who might have been behind this hack, and also questions, I suspect, as to whether GEDmatch is going to be trusted by users in future with their DNA data, whether people will begin to delete their accounts instead.

But do not fear, because they have now emailed all of their users, telling them they take security very seriously.
RAY [REDACTED]
Well, that's good. That's a relief.
GRAHAM CLULEY
Sleep well, kids. Don't have nightmares. Anyway, Ray, what is your story for us this week?
RAY [REDACTED]
Well, my story is not nearly as thrilling as the tale of DNA and murder, but it does involve some criminals, and they're actually really sophisticated cybercriminals that historically were known as the Dridex gang until in December of 2019, the United States Department of Justice issued several indictments.

And in the process, or right around that same time, the Dridex gang did what any major corporation does when it faces a lot of negative press. They rebranded.

And so they have henceforth become known as Evil Corp, which is a pun on Mr. Robot, the Mr. Robot show. They did not choose F Society, which would have made the most sense.

They actually chose Evil Corp.

And in the process, one of the other things that they did was this organization has a very sophisticated, what's called a kill chain, a way of actually infecting companies and inserting ransomware.

What they decided to do was to target highly specific companies in the Fortune 500 with individual malware that actually has the name of the company that they're targeting.

And they went after manufacturing, and they went after oil companies, and they went after all of the major companies in that space.
CAROLE THERIAULT
No resources spared, right?
RAY [REDACTED]
Yes, and so Evil Corp is going after these. Now fast forward to the COVID pandemic, and everybody is cooped up at home.

And the one solace that many of us actually have, because we certainly cannot go to restaurants or movie theaters, is actually running or walking outside.

And last Thursday, millions of people noticed that their Garmin watches were no longer tracking that activity or any GPS data.
CAROLE THERIAULT
Oh my God, they didn't know where they— where am I?
RAY [REDACTED]
You certainly did not know where you were.
GRAHAM CLULEY
What is the point of living anymore if my steps are not being counted?
RAY [REDACTED]
And to make matters worse, Garmin also supplies data to folks like the Weather Service.

Lots and lots of airline pilots use it for both flight plan fighting. It's using satellite technology, Garmin Explore, GPS navigation, etc.

And all of this is being held up for reportedly $10 million in ransomware. But here's where the story gets a little bit tricky.
CAROLE THERIAULT
Okay.
RAY [REDACTED]
Most people would say you make $4 billion a year. Okay, $10 million is almost pocket change that you would find on the floor.

However, because of the indictments against the Evil Corp last December, it would actually be a violation of the federal sanctions placed on Russia for them to do so.

And so they have an entire other legal quandary about they could be breaking federal law by violating international sanctions to simply send that money in.
CAROLE THERIAULT
Right, right. So, so, okay. So right now we have a situation where Garmin have to decide to pay or they've already decided and it's all back to normal.
RAY [REDACTED]
No, they've not paid and everybody is still locked out.
CAROLE THERIAULT
Right.
RAY [REDACTED]
As of right now, they still are not functioning.
GRAHAM CLULEY
I read on the BBC this morning that they are beginning to come back online. Some people are now uploading their data.
RAY [REDACTED]
So, well, so get this, Graham, you made the joke about if you exercise and it doesn't count on your watch, then does it really count?

Restoring from backups for them might very well mean that you lose a couple of weeks worth of exercise activity on this, on the tracker, so to speak. Right.
CAROLE THERIAULT
I know people that would go apeshit crazy if that happened to them.
RAY [REDACTED]
For sure.

But the other thing that it really shows off that I wasn't that aware of is how many other services use Garmin underneath.

So just like so much of the internet relies on Cloudflare or AWS, so much of navigation services including cars and everything else, actually relies on Garmin data without you actually knowing it.

But the biggest lesson here is the fact that to my knowledge, this is the first time when a company has actually been prohibited from paying ransom because of federal sanctions.
GRAHAM CLULEY
So that's extraordinary.

But I don't get this because surely Evil Corp, if presumably they've been in negotiations with Garmin and Garmin have said, well, look, we'd love to pay you.

Unfortunately, we can't because of this. Can't Evil Corp rebrand themselves again? Say, "Oh no, we're not Evil Corp."
CAROLE THERIAULT
We're not those guys." Take 10% of the fee.
GRAHAM CLULEY
We're Apple Corp or something. We're another one entirely. You know, don't worry about— No, no, no, no, no. We're different criminals. Don't mix us up with those bad guys over there.

RAY [REDACTED].

Well, now, Graham, as a fan of Smashing Security, I do know that you once had a story about where the negotiations had been made public and people could see the gangs negotiating with the ransomware authors the victims.

But in the Garmin case, we really don't have visibility to that particular aspect.
GRAHAM CLULEY
Hello, hello. Sorry for the interruption, but since we recorded the podcast, there have been some developments in this story.

Here is the human known as Ray [REDACTED] to give you an update.
RAY [REDACTED]
Hey guys, just a real quick update.

Since we recorded this podcast, apparently Garmin has, quote, acquired the decryption key and begun decrypting files and restoring services.

Now, that's an interesting choice of words.

It's not clear whether they paid or somebody else paid, or perhaps the government got a hold of it, or the law enforcement, or maybe there was a GoFundMe and I just wasn't invited to it.

But regardless, Garmin has apparently acquired the decryption key and services are being restored.
GRAHAM CLULEY
Crazy, crazy goings-on. Well, hopefully things will begin to get back to normal. Do you think it would be right if the bad guys did get paid for this or not?
RAY [REDACTED]
Again, I mean, this is a mathematical exercise to me. $4 billion in revenue. This has got to be costing them hundreds of millions of dollars in lost business, right?
CAROLE THERIAULT
Why not call the Kremlin directly and say, look, can I just pay you directly? And then you could just talk to these dudes and get them to back off for a bit.

And then, you know, they don't need a cut.
RAY [REDACTED]
For sure.
GRAHAM CLULEY
You know, I think Carole's onto something, right? She's basically saying go to Vladimir Putin.
CAROLE THERIAULT
Or one of his cronies.
GRAHAM CLULEY
Well, no, no.
CAROLE THERIAULT
I wouldn't wait to get him on the phone.
GRAHAM CLULEY
Vladimir, from what I've seen from some of the photos, he's quite an outdoorsy kind of guy, right? He takes his shirt off and getting out there. I bet he's probably a Garmin user.

He's probably just as frustrated.
CAROLE THERIAULT
Let's go re-examine the photographs and see if we can see the watch strap.
RAY [REDACTED]
I can guarantee you he's not a Garmin user.

They would have never attacked something that Vladimir Putin was actually using himself.
GRAHAM CLULEY
Carole, what have you got for us this week?
CAROLE THERIAULT
Okay, so Graham, you have a son.
GRAHAM CLULEY
I do.
CAROLE THERIAULT
Okay, and one day, a decade or so from now, imagine he says to you, "Papa, I want to be an international peace negotiator." Right, and you're like, "Atta boy, good lad, go take on the world." And he says, "Well, okay, great.

The best school for me to study at is actually in Russia." Oh, and you're like, uh, sorry, we live in Oxford. And he's like, yeah, forget that, Dad.

I need to learn Russian cultural norms. I need to learn directly from the Russians. Don't you get it? Geez, Dad.
GRAHAM CLULEY
Okay, just remember, he's my son, right? He's not gonna be using language like geez.
CAROLE THERIAULT
So you acquiesce, right? You acquiesce. He goes, all is fine, until you get a crazy call from your son and he is freaking out.

And he tells you— I'm going to ask you what you're going to do at the end of this, okay? So pay attention.
GRAHAM CLULEY
Don't doze off like normal. Yeah, okay.
CAROLE THERIAULT
Okay, he's freaking out.

He tells you the British Embassy in Russia, okay, or some other authority has just contacted him and said he's been implicated in a crime in Russia and that he needs to pay thousands of pounds to avoid getting arrested.

And they told him not to contact you, but he trusts you or something. And he's like, what do I do, Dad? So what would you say to him?
GRAHAM CLULEY
So I'd ask him for more details and then say, no, of course you're not going to pay them, just come home.
CAROLE THERIAULT
So what if you were Chinese and your son was studying in Australia? Do you think that might change things?
GRAHAM CLULEY
Oh, so, okay, so now I'm Chinese and my son has gone to Australia to study.
CAROLE THERIAULT
I want to go to Australia.
GRAHAM CLULEY
Yeah, good for you, Bruce, go for it.
CAROLE THERIAULT
Exactly, right? Yeah, except it turns out things get really bad when you get scammed. Okay, I'll flesh it out.
GRAHAM CLULEY
Okay, tell me more.
CAROLE THERIAULT
Okay, so in this Chinese Oz permutation, things get heavy very quickly. This is basically a new type of scam. There's only been 25 cases reported in Oz so far, 8 in 2020.

My guess is this has all been underreported, but you guys let me know at the end what you think.
RAY [REDACTED]
Sure.
CAROLE THERIAULT
So this is how it works. A fake authority like a Chinese embassy rings international students based down under.

If someone picks up the phone, the fraudster informs them all in Mandarin that they've been implicated in a crime in China or facing some other threat, that their loved ones back home are at risk as well.

This appears to be involving a blitz of automated phone calls sent to anyone with a Chinese surname in the public phone records. That's how they're kind of contacting them now.

They threaten the victims with risk of legal action and possible arrest in China and persuade them to transfer money in order to avoid arrest or deportation.

So they really kind of scramble up a huge sense of urgency. This is where things get absolutely insane.

In some cases, the students are even convinced to cease contact with their family and friends, rent a hotel room, and fake a hostage situation to obtain funds from their relatives overseas.
GRAHAM CLULEY
What?
CAROLE THERIAULT
What?
GRAHAM CLULEY
Wow.
CAROLE THERIAULT
All with messages saying, "Help me, help me.

I need this ransom money for my safe release." I remember when I was at college, I sometimes ran out of cheese sandwiches and I'd send an urgent note home.

And my Auntie Hilda came around once with a hamper. But I mean, this seems a little bit extreme.
RAY [REDACTED]
I've gotten calls like this before.

If you are in the United States and you get robocaller calls in Mandarin, it's probably this exact scam. And I've gotten tons of those on some phone lines I have.
CAROLE THERIAULT
That's really interesting because they say it's happening more in the States and New Zealand. There are cases there as well. Let me show you some of these pictures.
RAY [REDACTED]
Oh, these pictures are crazy. These pictures are crazy.
GRAHAM CLULEY
So these are pictures of people who are sort of bound by their arms and legs.
CAROLE THERIAULT
They have bound themselves.
RAY [REDACTED]
Oh, they stage it themselves.
CAROLE THERIAULT
Oh, they're staging this.
RAY [REDACTED]
Wow, it looks very real. She ripped her shirt and everything.
CAROLE THERIAULT
Yes, because the ransomware are saying if you don't convince them, you're in deep, deep trouble.
RAY [REDACTED]
Oh, she added bruises to her ankles so it looks like she'd been bound.
GRAHAM CLULEY
People did all this based upon a phone call.
CAROLE THERIAULT
Well, no, not just a phone call. I imagine it went on and on. How they got them to this psychological state of you are a controlled—
RAY [REDACTED]
Well, they start with those automatic phone calls, right? The automatic phone calls.

And then the people that fall for it call back that number, which is, you know, the spoof caller ID is showing a Chinese voiceover IP number or something that they answer as if it was the embassy or whatever.

And then they basically set the hook at that point. Right, so it all starts with robocalling. But eventually people really do start to fall for it.

And I'm assuming these are people with parents that have money.
GRAHAM CLULEY
Hang on, hang on, hang on, Carole, please explain to me. So they're being scammed and the scammer who's pretending to be from Chinese law enforcement or something, right?

Or Chinese authorities.
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
They suggest to the victim that they pretend to be a kidnap victim and the person being targeted thinks, yes, that sounds legitimate.
CAROLE THERIAULT
Well, I don't think they're always using the embassy line. I think that is in some cases using embassy, but other times they're saying you're at risk, you're in danger.
GRAHAM CLULEY
And then they suggest you pretend to be a kidnap victim rather than saying just convince your parents to sort out the money. It just seems—
CAROLE THERIAULT
Well, maybe, maybe, for example, the phone calls are, I can't, they won't give me any money. Or, you know, I mean, you have to imagine this is serious cash, okay?

So there were 8 known virtual kidnappings this year and it has netted $3.2 million Australian dollars.
GRAHAM CLULEY
What?
CAROLE THERIAULT
Yes.

So payments normally range between $20,000 and $300,000, but in one case, a father paid more than $2 million Australian— that's more than a million pounds or $1.5 million USD— in ransom payments before receiving a video of his daughter gagged and bound in an unknown location.

So already having paid a million quid— wow— he then got a video of his daughter gagged and bound, and that's when he contacted the Sydney Police, who after an hour's search found her safe and well in a hotel room in the city.

RAY [REDACTED]
But she was hiding though, right? She was hiding under instruction. She was told to go hide, make sure you hide and turn off your phone and everything else, right?
CAROLE THERIAULT
Exactly.
GRAHAM CLULEY
What are parents to do? Are parents supposed to wait for a severed ear or something? Mind you, some of these guys probably would have done that, right.

They think, oh, little pink ear.
RAY [REDACTED]
Well, you could check the DNA. You could just run it against the GEDmatch database and see if it matches.
GRAHAM CLULEY
Or send your dog's ear, maybe. No, don't do that to dogs.
CAROLE THERIAULT
I mean, I think the reason this might— so apparently they're saying this type of scam is on the rise. It's rearing up its head now. And why is Oz a hotbed for this?

And some of the explanations seem quite interesting to me. So one was Australia relies a lot on international students.

So something like there's 750,000 international students and they make a huge hotbed of money for the universities and for, you know, renters and landlords and restaurants and everything.

But international students were not approved for government welfare during the pandemic.

Okay, so number one, they don't have any cash from the government, from the Australian government.
RAY [REDACTED]
Interesting.
CAROLE THERIAULT
Second, they also tend to rely more on casual work to help make ends meet, and a lot of those hotels, restaurants, etc. had to close during the pandemic.

Australian universities apparently have long been accused by researchers of not providing better support for international students.

So they're saying there's some struggles to develop social bonds with Australian-born peers. There's some prejudices. So there's a number of pieces of research suggesting that.

There's also the political skirmish that's heating up.

So you might remember that Australia kind of sided with the US when the US said, hey China, we would really like to have a bit of a dig into this whole virus thing and how it started.

Since then, China's been poo-pooing students who chose to stay in or return to Australia.

Beijing said in a statement in June that students should be cautious— is the word they used— when choosing to go or return to Australia.

That said, quote, "The spread of the new global COVID-19 outbreak has not been effectively controlled, and there are risks in international travel and open campuses." And during the epidemic, there were multiple discriminatory incidents against Asians in Australia.

So Oz retorted, and they're kind of saying, no, no, no, we provide world-class education. We're one of the safest countries in the world.

So there's a bit of a spitting fight there between the two nations.
GRAHAM CLULEY
These photos, Carole, are unbelievable. And I choose my words carefully because the cynic in me wonders whether this is all a load of old nonsense.

I wonder whether word has got round the Chinese student population in Australia. Here's a scam to get a whole load of money out of your parents. Pretend that you've been kidnapped.

And then when people investigate, say, oh, I got this phone call and it told me this and it told me that. And so I had to do it.
RAY [REDACTED]
Oh, I disagree. I disagree, Graham.

I understand your skepticism and it certainly does kind of set off some alarm bells about skepticism, but that would easily be uncovered by now.

I mean, it's very difficult to keep a secret like that, right? I mean, some of these pictures have knives in them and cash in them, etc.

You don't think that that's being investigated extremely heavily after the fact?
GRAHAM CLULEY
It's Australian money, right? Doesn't really count.
CAROLE THERIAULT
Graham, the other thing is that thought glanced past my mind, but I immediately said, well, what? Because I was thinking the pictures look so staged.
RAY [REDACTED]
Sure.
CAROLE THERIAULT
Right. But what's to say that some guy who was actually doing this would actually be a good photographer?
RAY [REDACTED]
Like, just because the TV show would have shown it, made it look more real.
CAROLE THERIAULT
The guy was just taking a snap of me, was actually holding me at ransom. Would it be a great pic? You know?
RAY [REDACTED]
Yeah.

So you do have to wonder if any students would engage in copycatting it though.

That, to Graham's point, you might actually see people doing this now themselves just to get that laundry money or those cheese sandwiches.
GRAHAM CLULEY
Buddy, I'm right now, I'm at the bottom of my garden. My family haven't seen me for a while.

I might tie myself up now and send them a text message, see if I can get some cash out of them.
CAROLE THERIAULT
They're just going to empty your own account, Graham.
GRAHAM CLULEY
That's—
CAROLE THERIAULT
Well, could you just give my bank details? First off, the thing, a little bit of advice.

If you know of any international students that are outside of their country and they happen to be living in the States, in the UK, anywhere in the world, can you please just make sure they're okay?

Is really hard, potentially, during— because a lot of people couldn't travel due to money, they didn't have enough cash to go home and they're stuck where they are.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
And if you do get threatening calls, tell someone. Do not sit quiet and try and deal with it yourself by deciding to do these hammed up— it's awful.
GRAHAM CLULEY
I'm still a bit scared.
RAY [REDACTED]
And Carole, in the United States, by the way, anytime somebody contacts you and says they're from the IRS or the FBI— the FBI actually has a number that you call to verify and check whether they are actually who they say they are.

So you should always do that rather than calling back the number that's sent on the caller ID.
CAROLE THERIAULT
I know my advice would be, yeah, it'd be thank you very much. Then call the embassy directly and say, hi, this is Carole Theriault. I hear that you're looking for me.

I'm just returning your call. And if enough people do that, they'll realize something's going on.
RAY [REDACTED]
And I bet you the embassy immediately says, no, that's a scam.

We've been dealing with it all week long.
GRAHAM CLULEY
And yeah, these are students, these are smart people studying overseas, you know, they're not dumbos.
CAROLE THERIAULT
Well, hey, you know, Trump's president of the United States, I don't know what to tell you.
RAY [REDACTED]
You know, I think as a parent though, when your child goes away to college, if you do happen to have, you know, $200,000 in bitcoins or something and you get these photos, I would absolutely want to pay that ransom immediately.

This is not Garmin, this is actually my child.
CAROLE THERIAULT
Yeah, well, Graham's not going to do it. Graham's gonna be no, no, no, this is a scam, you figure it out, my son, you're a smart boy.
RAY [REDACTED]
Get a better camera.

Get a better camera next time.
GRAHAM CLULEY
Come on, Carole. Your dad would be the same. Would your dad pay up for it?
CAROLE THERIAULT
No, of course he wouldn't have.
RAY [REDACTED]
Ever.
GRAHAM CLULEY
He would probably pay them to get them to keep you.
CAROLE THERIAULT
He'd be "How much you talking?" "I'll double it," he says.
GRAHAM CLULEY
"I'll give you twice that." Negotiated away.
CAROLE THERIAULT
Keep her!
GRAHAM CLULEY
If you listen to our show regularly, you'll know that hackers never stop innovating.

Immersive Labs gives security professionals practical and gamified content to keep pace with the latest threats.

Sign up to get instant access to more than 24 hours of free labs and a new lab to try out each week.

Latest being their red and blue team labs on the SaltStack vulnerabilities, which were in the news last week. Go check it out at immersivelabs.com/smashingsecurity.
CAROLE THERIAULT
Hey, you IT security guys out there, I know that you have a tough job.

If you want increased security without impacting productivity, if you want to secure every entry point to your business, if you want to unify access and authentication, then check out LastPass.

They have the tools to make your life easier. Learn more at smashingsecurity.com/lastpass. Oh, and the rest of you out there, don't freak out.

There's a free password manager for home use. Check it out at smashingsecurity.com/lastpass.
GRAHAM CLULEY
And welcome back, and you join us on our favourite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
RAY [REDACTED]
Pick of the Week.
CAROLE THERIAULT
Hey!
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.

It doesn't have to be security-related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, my pick of the week this week is inspired. Inspired by you, Carole.
CAROLE THERIAULT
Inspired by me, huh?
GRAHAM CLULEY
Yes, because last week your pick of the week was an article which detailed 60 different covers of Hallelujah by Leonard Cohen.

And I went through that list and I have to say, I'm not sure about the Hallelujah song.

You know, I do feel it's been really overplayed, and going through some of those, I thought some of them—
CAROLE THERIAULT
I found it doesn't make it a shit song.
GRAHAM CLULEY
No, I know, but it kind of grates with me. I have to say, I really liked Regina Spektor's version. That I thought was fantastic and a different take on things.

But anyway, you did also give us an exclusive recording at the end of last show of a brand new version of Hallelujah.
RAY [REDACTED]
Great, great. It was great.
GRAHAM CLULEY
But you only came up with 60 different covers. I have been to a website which gave me 366 different versions. It is a website called Secondhand Songs.

And Secondhand Songs, you can go to, and you can find cover versions of just about any song you would like, including links to it on Spotify and YouTube, if they are available as well.
CAROLE THERIAULT
I was just trying to see if there's a song with the name Graham in it. And it looks like, no, there's not.
GRAHAM CLULEY
There are no Graham songs.
CAROLE THERIAULT
There doesn't seem to be any Graham song, unless I'm not searching for it right.
GRAHAM CLULEY
Oh, Graham. He likes girls and to lay 'em.
RAY [REDACTED]
I'm gonna write one right now.
GRAHAM CLULEY
He'll cause lots of mayhem. So I had a look at some songs which I love. For instance, there are 3 different versions of 'My Boomerang Won't Come Back' by Charlie Drake.

Slightly racist song, to be honest, now.
CAROLE THERIAULT
You can listen to it at 60 years old. 25 versions— What about 'Louie Louie'?
GRAHAM CLULEY
That's a great song.
CAROLE THERIAULT
Look it up, look it up.
GRAHAM CLULEY
I'm doing it right now. 25 different versions of one song.
RAY [REDACTED]
'One Night in Bangkok.' That's kind of related to Carole's story, isn't it?
GRAHAM CLULEY
I thought, ooh, I thought, they've got this great big database. What is the most covered song of all? What would you guess would be the most covered song in history?
RAY [REDACTED]
Oh, it's gotta be a Beatles song. It's gotta be the Beatles, right? Something from the Beatles?
CAROLE THERIAULT
You're right. It's gonna have to be old. It's gonna have to be old.
GRAHAM CLULEY
Well, I thought it might be 'Yesterday' by the Beatles, 'cause you always hear that's been covered so many times, don't you?
RAY [REDACTED]
'What a Wonderful World.' That'd be a good one too.
GRAHAM CLULEY
Oh, what, Louis Armstrong?
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Well, according to the database, and we disagree with what the internet says, the most covered song in their database with 2,900 different versions is 'Stille Nacht, heilige Nacht'.
RAY [REDACTED]
What?
GRAHAM CLULEY
Which I think, I think is Silent Night, Holy Night.
CAROLE THERIAULT
Happy Birthday should be first, really.
GRAHAM CLULEY
Oh yeah, maybe. Well, anyway, so you can check out Secondhand Songs and it's quite enjoyable.
CAROLE THERIAULT
It's pretty good. It's not as good as my pick of the week, just saying.
GRAHAM CLULEY
Oh, we'll see, we'll see. Ray, I know you're dying to tell us your pick of the week. What have you got for us?
RAY [REDACTED]
My pick of the week. Well, first and foremost, I am not gonna use pick of the week to plug my podcast, The Tribe of Hackers Podcast, because that would just be tacky.

Instead, what my pick of the week is, is actually a mathematical formula or algorithm, if you will.

Now, this is a programmer's parlor trick that will allow you to know what day of the week any date is in history. So it's actually called the Doomsday Algorithm.

And it allows you, if you know the date, the month, the day, and the year, to know what day of the week it is. So the name Doomsday was sort of a pun and kind of a joke.

But because this is the year 2020, I thought Doomsday was very, very relevant.
CAROLE THERIAULT
Doomsyear, let's change it.
RAY [REDACTED]
The way it works is our doomsday for the year 2020 is Saturday. Now we are in a leap year.

So what that means is that Saturdays occur on January 4th, February 29th, March 14th, April 4th, May 9th, June 6th, July 4th, August 8th, September 5th, Halloween, November 7th, and December 12th.
CAROLE THERIAULT
Easy peasy to remember.
RAY [REDACTED]
That sounds like it's difficult to remember.
GRAHAM CLULEY
Yeah.
RAY [REDACTED]
But it's actually really, really easy. And there's a mnemonic trick to how you remember them.
GRAHAM CLULEY
Confused.
RAY [REDACTED]
Okay, if you know that Saturday is the doomsday for the year 2020, you can calculate what day of any month or date.

Now, once you actually know this trick and you know the anchor date for each and every year— and I've got them memorized from 1898 to 2100, but other people can go all the way back to the very beginning, right?

But once you actually know that, you can figure out what day of the week anything was. So here's an example.

On November 24th, 2014, the employees that worked at Sony Pictures Entertainment came in and saw that their laptops had been wiped and basically destroyed by North Korean hackers.

Do you guys remember?
CAROLE THERIAULT
Oh, yes. Yeah, of course.
RAY [REDACTED]
Okay.
CAROLE THERIAULT
Okay.
RAY [REDACTED]
Now we know that that year is 2014.
GRAHAM CLULEY
Yeah.
RAY [REDACTED]
And 2014, of course, the doomsday is Friday.

Which means that that Friday occurred on January 3rd, February 14th, March 14th, April 4th, May 9th, June 6th, July 4th, August 8th, September 5th, and November 7th.

Now, because it happened on 11/7, or November 7th, okay? Because that was a Friday. We now know that 11/24 was a Monday.
GRAHAM CLULEY
So listen to you, Carole, going, yeah. Like, you're— are you— I want you to explain this to me later because I am baffled.
CAROLE THERIAULT
No, no, and I get it now. I get it. No, I'm gonna explain it to you right now. I'm gonna explain it to you right now.
GRAHAM CLULEY
All right.
CAROLE THERIAULT
You need to know what the last day in February is. So it's either the 28th or the 29th. You need to know what day of the week that is. Like it's gonna be Monday or Saturday or Friday.

This year, the last day of February is the 29th and it's a Saturday. And once you know that, you can use this mnemonic to work out every day of the week.
RAY [REDACTED]
So give me a name, name a year for me real quick. Just name any year.
CAROLE THERIAULT
2023.
RAY [REDACTED]
Okay, 2023. The doomsday is a Tuesday and it's a non-leap year. Okay. So Tuesdays occur on January 3rd, May 9th, September 5th, 4/4, 6/6, 8/8, 10/10, and 12/12.

So, you know, all of those days are Tuesdays. So to figure out any other day of the week, you can actually just go forward and backwards.
CAROLE THERIAULT
I have to say, this is hard to do on radio, Ray. I got to say, you are a brave man.
RAY [REDACTED]
But here's— well, we're going to link to some ways that you can actually memorize this and stuff. But here's another example. Do you guys remember Y2K?
GRAHAM CLULEY
Yes. Yes, of course.
RAY [REDACTED]
Do you remember what day of the week Y2K occurred?
GRAHAM CLULEY
No.
RAY [REDACTED]
Well, of course you should remember that because we know in the year 2000 that doomsday was a Tuesday. So January 1st must have been a Saturday.

It's very easy to do it in your head once you actually get this down. It's a great parlor trick.

It's a good way to impress people because you know what date their birthday is of any given year or anniversaries.

You can even use it to calculate bank holidays and other things like that as well. That's the Doomsday Algorithm.
GRAHAM CLULEY
Are you married?
RAY [REDACTED]
I am.
GRAHAM CLULEY
Have you had sex?
RAY [REDACTED]
Yes, I have. I have children.
GRAHAM CLULEY
Oh my goodness. Congratulations.
CAROLE THERIAULT
Graham, Graham, I think we should wipe our schedules tomorrow and just learn this.
RAY [REDACTED]
I don't like to talk about wiping schedule, wiping and DNA and sex all in one paragraph. It's a little bit uncomfortable.
GRAHAM CLULEY
Carole, what's your pick of the week?
CAROLE THERIAULT
I'm putting this down as one of the best picks of the week we've ever had.
GRAHAM CLULEY
Brave.
CAROLE THERIAULT
Okay. Number 1, this is not just for you guys or for all us listeners. It's also for your gran and your kids. Everyone can do this.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
Okay, I want you to go to this website, incredibox.com. This gives you a demo of their app, which is available both for iPhone and Android.
GRAHAM CLULEY
There are some funny cartoon characters and it says Little Miss.
CAROLE THERIAULT
Just press the play button.
GRAHAM CLULEY
And there's a play button. All right. Okay, okay, so there are these weird icons at the bottom. Oh, oh, hang on. Oh, oh, oh, I like this crow.
CAROLE THERIAULT
Yes, keep going. I'll explain what it is while you keep playing. Incredibox is a musical beatbox game and website developed and published by French company So Far So Good (SFSG).

And the concept is extremely simple, which is why I didn't want to explain everything, so you could see even Graham picked it up in about 20 seconds.

You drag and drop sound icons onto different characters— there's about, what, 8 on the page— and you make them beatbox.
GRAHAM CLULEY
This is seriously cool.
CAROLE THERIAULT
I told you.
GRAHAM CLULEY
I mean, it's a great design. The user interface is wonderful anyway, but also such fun. I mean, the audio and everything is—
CAROLE THERIAULT
Plus the player can find combos to— this is where you can get your kid involved, right? Can find combos to unlock animated bonuses and record mixes to integrate a ranking.

And there's an automatic mode, so you can actually go to the automated mode and you can just go, okay, jam with my beats. And you optimize my beats into a new jam.
GRAHAM CLULEY
And what are they doing here? What are they trying to sell me? Nothing.
CAROLE THERIAULT
Well, not the demo version anyway.
RAY [REDACTED]
They're actually grabbing your DNA through the computer and then calculating what day of the week your birthday is. This is great.
CAROLE THERIAULT
It's awesome. So there you go. I'm putting that down as one of the best picks of the week in the world. Please check it out, everybody. It's worth it. The incredibox.com.

From So Far So Good. Very good.
GRAHAM CLULEY
Well, that's pretty cool. And that just about wraps up the show for this week. Ray, I'm sure lots of our listeners would love to follow you online.
CAROLE THERIAULT
Yeah, they want to ask you about the doomsday algorithm.
RAY [REDACTED]
Yes. If you want to learn about the doomsday algorithm, you can find me at—
CAROLE THERIAULT
Contact Ray directly, please.
RAY [REDACTED]
I am at Ray [REDACTED].com. The podcast is at tohpodcast.com, like Tribe of Hackers podcast.

And I look forward to seeing you all on Twitter and online.
GRAHAM CLULEY
And you can follow us on Twitter as well at Smashing Security, no G. Twitter must have a G. And also join our subreddit, just look for Smashing Security up there.

And don't forget, if you want to never miss another episode of Smashing Security, subscribe in your favorite podcast apps such as Apple Podcasts, Spotify, or Pocket Casts.
CAROLE THERIAULT
And a huge, huge thank you from us for listening, for supporting us, for sharing our work with friends, family, and even enemies.

Also, hot kisses to this week's Smashing Security sponsors, LastPass and Immersive Labs. Their support helps us give you this show for free.

Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
GRAHAM CLULEY
Until next time, cheerio. Bye-bye.
CAROLE THERIAULT
Bye.
RAY [REDACTED]
Bye-bye. Now, Graham, I really, really, really do want to teach you this JingZai rhythm.
GRAHAM CLULEY
Okay?
RAY [REDACTED]
Really, really do. Okay. So this is—
GRAHAM CLULEY
Christ.
RAY [REDACTED]
Listen, listen. I just want you to repeat after me. Okay? I just want you to repeat after me.
CAROLE THERIAULT
Okay.
RAY [REDACTED]
4, 4, 6, 6, 8, 8, 10, 10, 12, 12.
GRAHAM CLULEY
4, 4, 6, 6, 8, 8, 10, 10, 12/12.
RAY [REDACTED]
Okay. And in the United States, we put the month first. So 4/4 is April 4th, 6/6 is June 6th, right? August 8th.

4/4, 6/6, 8/8, 10/10, and 12/12.
GRAHAM CLULEY
It doesn't matter because the numbers are the same. Yeah, it doesn't matter which order you have them in. Yeah.
RAY [REDACTED]
And those are always the same day of the week, and they're always the Doomsday. Okay. But the Doomsday is either February 28th or, in leap years, the 29th.

And then you will now know where that day is on February. And you will also know 4/4, 6/6, 8/8, 10/10, and 12/12.

Okay, then the other ones, the ones that you've already lost I don't know, those are always the same day.
GRAHAM CLULEY
I don't understand.
RAY [REDACTED]
So if I tell you 19 and if I tell you 1972 to the doomsday I get away from this man.
GRAHAM CLULEY
I'm gonna press stop.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Ray [REDACTED] – @RayRedacted

Show notes:

Sponsor: LastPass

LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.

But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.

Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.

Sponsor: Immersive Labs

Immersive Labs gives security professionals practical and gamified content to keep pace with the latest threats.

Listeners can signup at immersivelabs.com/smashing to get instant access to more than 24 hours of free labs AND a new lab to try out each week.

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
