Smashing Security podcast #194: Carry on droning

Industry veterans, chatting about computer security and online privacy.

Graham Cluley

A Bitcoin bungle causes one user to lose millions, hackers attempt to bribe a Tesla employee into infecting the company’s network, and are we ready for a sky full of drones?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Jessica Barker.

Episode 194: Carry on droning

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault

All right. Hi, everyone. Carole here with the shout out to our incredible Patreon community. These are the people that are backing us every show, helping us pay for all the things that a show like this requires. Today's special mentions go to Ragnar Sigurdsson, Mike Hallett, Sharon. What can I say? You guys are awesome. You know, I'm dreading when one of you gives me a really rude or uncomfortable to say username that I need to read out on one of these shows. I mean, it's bound to happen. And if one of you wants to be that person, visit smashingsecurity.com/patreon. Now, let's get this show on the road. You're supposed to use the clock. It works way better. Right. So you imagine you're at 12 o'clock. Yes. Right? They're sitting at four o'clock. Okay. You swivel all the way to seven o'clock. Yes. And then back to four o'clock, having two quick views of that person and therefore committed to another. Because you're kind of looking at a corner

Graham Cluley

of the restaurant and thinking, oh, very nice. And then you go, vroom, you go past them.

Jessica Barker

Very smart. That's some good spying skills.

Graham

If you ever see me and Carole doing that in a restaurant, you know that we're secretly spying on you. Smashing Security. Episode 194. Carry On Droning with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 194. My name's Graham Cluley.

Carole

And I'm Carole Theriault. And we're joined once again by a returning guest. It's Jessica Barker, everybody.

Jessica

Hello, hello. Wonderful to be here.

Carole

The new author, Jessica Barker.

Jessica

Indeed. It's exciting times for me, exciting and terrifying.

Carole

So where are you at in the whole process?

Jessica

Confident Cybersecurity is going to be published in just over a week in the UK and most of the world. And then for the US and Canada, publication date is a little bit later. So that's the 29th of September.

Graham

And the name is Confident Cybersecurity. What's it all about?

Jessica

So it is a comprehensive guide to cybersecurity, looking at the human, the physical and the technical sides. It's aimed at really anyone who wants to know more about this field. It might be someone who's considering cybersecurity as a career, maybe a board member who wants to get up to speed, maybe someone who's just starting out in security or works in one domain, maybe an awareness raising wants to know more about the technical side or vice versa. geopolitics and cyber war.

Graham

And I believe that someone close to this podcast actually appears in the book. Gets a mention.

Jessica

Indeed. I was very honoured when I reached out to Carole to ask her, would she give me some background on her? Would she be featured in the book as one of the professionals that I write about? And she very kindly agreed. So, one chapter shows the diversity of jobs in cybersecurity.

Graham

It's an expose. It's an expose of Carole, isn't it? And her background.

Carole

I have a much more important question. Okay, yes. Jessica, when you were deciding on the cover for the book, did you have to fight for your name to be in a particular font size? Oh.

Jessica

No, that's an interesting question. The publishers decide a lot of things. So they pick the colour and it's part of a series of confident books, confident coding, confident web design, etc. But no, so no. Should I have?

Carole

Oh, I hope it's not two point, right? Because that would be a really shit move on their part. But I'm sure they're amazing. So they probably did it right.

Graham

Maybe it could be like an old GeoCities website. It could have a marquee scrolling or the blink tag in HTML. Wouldn't it be great if books you could do that? Yeah. Redraw attention to it.

Carole

It's by me. Ding, ding, ding, ding, ding. Anyway, congratulations. I cannot wait to get my hands on a copy.

Graham

Marvellous. Carole, what's coming up on the show this week?

Carole

First, let's thank this week's sponsors, LastPass and Immersive Labs. Their support helps us give you this show for free. Coming up on today's show, Graham tells us the tale of a Bitcoin robbery. Jessica tells us what can happen when the strongest link is the insider link. And I take to the skies to share the latest on drones. All this and much more coming up on this episode of Smashing Security.

Graham

Now, chaps, are you on the Bitcoin?

Carole

Chaps, you've got two women here, for God's sake. Oh, is that your joke?

Graham

Oh, no. I've reverted. Now, chums, chums, are you on the Bitcoin bus? Jessica, have you jumped aboard the cryptocurrency caravan? I'm interested in whether you've invested any of your shekels in digital currency.

Jessica

A little. You know, I've got a little stash.

Graham

Yeah. Yeah, me too. I've only got a small investment there. Carole, what about you? Anything?

Carole

I don't think it's anyone's business, whether I have or haven't.

Graham

Okay, well, let's see. It's not like HMRC are listening. Don't do much.

Jessica

That was the right answer, though.

Graham

Because it's going to be big. Or so we're assured. No less an authority than John McAfee.

Carole

Oh, my God. No, well-known. I'm obsessed with this man. Well-known for his calm, mild-mannered personality. Never over-hyping anything. He has predicted, of course, that the price of one Bitcoin will reach $1 million, in the words of Dr. Evil, by the end of 2020.

Carole

This all about when he said he was going to eat his dick?

Graham

I wasn't going to refer to that. But yes, he has made a bet that he will eat a part of his body, own anatomy, yes, on television.

Carole

Who's going to want to watch that on TV? How old is this guy? This is very Black Mirror, isn't it? What channel is this? This isn't Jules Holland's Hootenanny, is it? What's happening? Maybe his mouth will be full. Please. We don't offer investment advice on this podcast. Are we convinced that this actually happened because the anonymous investor type just makes a story? Well, when you hear how it happened and some of the background, you may find it a little bit more believable. I was thinking of Cybill Shepherd. Oh, this is Sybil with an S. So, a slightly different kind of Sybil. What? I don't understand. Explain it very slowly to me. Like I'm five.

Graham

So we have some software. We have some software called Electrum, which is a Bitcoin wallet, and it has a vulnerability, which means people can be tricked into downloading an update.

Carole

Gotcha.

Graham

And the developers of the software were really keen for people to download a genuine update for the product in order that they would be patched against the vulnerability. And the only way they could find to try and do that was to exploit the vulnerability in their own software to redirect people to a genuine update. Do you get me?

Carole

Yes. Wow. It's like two bads make a right.

Graham

So not everyone patched. Maybe some people found it a bit suspicious. I don't know.

Jessica

Yeah, it's the most secure of all. They were practicing good security.

Graham

So some people never patched and they obviously never noticed the warning, which still exists to this day on Electrum's website saying, you've really got to patch because we've got a serious flaw. And one of the people who never noticed this warning on their website was this anonymous user. And he posted on this GitHub thread. He said, I had 1400 Bitcoins in a wallet that I hadn't accessed since 2017. And I think there's probably quite a few people who bought Bitcoins back in 2017, maybe, when Bitcoin was at the real high point of $20,000 or so. And then the price plummeted and they're thinking, oh, crumbs, what am I going to do? And some now it's at about $12,000, maybe thinking, well, maybe I should just cut my losses. You know, maybe I should sell now or something, get some of that money back.

Carole

I don't think most people use Bitcoin for extra funds or do you think people actually have all their money in that?

Graham

I think some people were so carried away with all the hype. Just listen to the Missing Crypto Queen podcast. You know, there have been lots of people who've been scammed into thinking this is a way to get rich quick. And people have thought that they've heard all the amazing stories of people who made millions and millions through cryptocurrency, and they think that they can do it too. Have either of you become millionaires on Bitcoin?

Carole

No.

Jessica

Well, I mean, that would be telling. I'm following your lead. That's my...

Graham

At the moment, HMRC investigating both of you and not me because I've very clearly said, no, no, no, not me. So this chap said that he installed an old version of the Electrum wallet to try and access his funds. And he wanted to transfer about one Bitcoin. So around about £11,000 or whatever. And it was at that point he was unable to proceed. And a pop-up appeared saying, you have to update your security prior to being able to transfer your funds. And of course, he hadn't used anything since 2017. He hadn't tried to access his funds. So he thought that was completely legitimate. And bam, that's when the bad guys ransacked his wallet. Using the information he gave them, they stole 1,400 Bitcoins worth a stonking $16 million.

Carole

So they obviously knew that he had Bitcoin, or do you think they were just...

Graham

No, no. He wasn't being targeted at all. It was just because he was using an old, vulnerable version of the software, which meant that they were basically lying in wait and able to exploit it. Well, it's worth it for

Carole

16 mil. Big payday. Yeah, not bad for a day's work, right, guys?

Graham

But don't you think they should have waited until the end of the year when each Bitcoin is going to be worth a million dollars? That would have meant those Bitcoins would have been worth at least $1.4 billion.

Carole

Graham, I don't think everyone puts John McAfee's predictions at the top of their list as a fait accompli.

Jessica

Maybe they're not following him on Twitter and they just, you know, miss the news. Yeah. They'll listen to this and think, shucks, phony at noon.

Graham

Well, bad guys are thought to have used the same flaw to steal $25 million since the flaw first existed in this software. So they are doing quite nicely about it. Now, there's a little bit of good news. Because the folks at Binance, the cryptocurrency exchange. Binance. Oh, yeah. Okay. The folks at Binance, the cryptocurrency. Are we sure about that now? Are we definite about that? I don't know. They jumped in because the funds were transferred from this guy's account into an account which was held on Binance. Right. And so they blacklisted those addresses used by the bad guys. And so that money is now frozen. So it's like an escrow. Oh, I don't know. I don't know enough about it.

Carole

That's where your money goes, you know, before you buy a house and, you know, before the house. Yeah, I'm not sure about that.

Graham

The money is kind of locked away. I think what they've done is they've locked those wallets so no one can access them any longer. Yeah. But unfortunately, that doesn't mean that the victim gets his money back. It's locked away. No one's able to access it. The guys at Binance aren't able to access it and the criminals aren't able to access it.

Jessica

So that means it's just in limbo? No, it's never going to be released?

Graham

It's just fairy dust, I suppose. It's just... And I imagine, hey, that probably helps the price of Bitcoin as well, because some of it's been taken out of circulation as a consequence. Schrodinger's Bitcoin horrendous. So what can we learn from this folks? What can we learn? Well, I guess if you're installing software make sure that you're installing the latest version and pay attention to any warnings on websites which are telling you to be wary of old versions because of vulnerabilities.

Carole

Patch. Yeah, patch. But he hadn't visited since 2017 so he had the old software. Yeah, yeah. Lame.

Graham

There we go. Well, there's the advice from Carole. You can weigh that up versus the advice from the esteemed antivirus industry veteran that is John McAfee. And make your own choices. We're not going to give investment advice here. Jessica, what story have you got for us this week?

Jessica

Well, the security industry, as we all know, has an unfortunate tradition or temptation to refer to people as the weakest link, despite lots of examples of people actually being the strongest link. But sometimes people being the strongest link doesn't make the news. And yet this week we have seen an example of an insider at an organisation being the strongest link, and it did make headline news. This was a news story I first read about thanks to a contact of mine on LinkedIn, Martin Fell, who pointed me towards an article by Matthew Schwartz about an insider at Tesla. So the term insider usually evokes negative connotations, doesn't it? But not in this case. And so maybe it's time we gave the term insider a bit of an image change. So let me tell you what apparently happened. It's a very interesting story. A Russian chap named Igor Igorovich Kriuchkov. I hope my Russian has not offended anyone there. It's my best attempt. This chap was arrested in LA on the 22nd of August, accused of attempting to recruit an employee at Tesla, seeking to bribe that employee with $1 million to install some customized malware on Tesla's computer systems. And this was an attempt to exfiltrate data and a gang behind the attack, which, you know, Igor was acting apparently on this gang's behalf. This gang was apparently going to use the data that they stole to make Tesla pay a ransom, allegedly of $4 million.

Carole

That's what they told this guy, the insider rebranded.

Jessica

I think so. Certainly, they told him about another attack on another organisation where they'd made $4 million. So, I'm not sure quite what they told him, but these are the details that have emerged.

Carole

I can see that though, right? It's 1 million for you, 4 million from them, boom.

Graham

Boom, boom, rock and roll. This is something we're seeing, is that organisations are getting targeted by criminal gangs who are sometimes deploying ransomware and encrypting lots of data on people's networks, but they're also exfiltrating the data and then basically holding it to ransom, saying, unless you do something about this, we're going to release it to the press, we're going to publish it online, you're going to have a huge data breach, it's going to be mightily embarrassing for your organisation, so you better pay up. Exactly. But in this case, they've actually approached an employee to get them to plant the thing rather than send a phishing email or something?

Jessica

I think we're seeing that more and more, Graham. I think it's something that we've known this has happened for a long time, but we're hearing about it publicly a little bit more. And in this case, the employee reported what was happening to management at Tesla.

Carole

So he just was like, okay, sure, tell me more. Collected loads of information. And then went back to his boss and went, you won't believe the lunchtime I just had.

Graham

And I'll give you more details if you pay me $1.5 million. Only you'd think of that. I sure hope this employee has got a nice bonus. Oh, I would love that. Wouldn't that be wonderful? This is a film. This has got to go on to be a film, surely.

Jessica

And it does seem that the insider was first approached by Kriuchkov via WhatsApp, was introduced through a mutual acquaintance. I believe the employee is also Russian. So a mutual acquaintance introduced them. This does suggest to me, this is quite a well-run operation. Not only because the employee said no, I'd assume 99% of people would say, yeah, you got the wrong person. I'm not that guy or that girl. Yeah, yeah. And I've certainly heard of cases like that before, or cases where an employee has been the victim of a phish, and then the first thing the organisation does is assume that they were involved, assume that they were an insider.

Graham

So, this insider at Tesla, they actually met the alleged bad guy in this instance. It wasn't just via WhatsApp, but there was actually an in-person meeting as well.

Jessica

Yes, yes, indeed. So it seems that Kriuchkov flew out to the States and I believe they met in person quite a few times. And so the employee, who obviously hasn't been named, was able to gather these recordings. And they would have been wired up by the FBI to record things. Oh, it'd be very exciting. Directional mics hidden in pens. Oh, I like the way you're thinking. Graham, do you remember when I showed you how to look at someone without looking at someone? Is it possible to explain this audibly, Carole, rather than... I don't know. We'll find out. You're supposed to use the clock. It works way better.

Graham

Because you're kind of looking at a corner of the restaurant and thinking, oh, very nice. And then you go, vroom, and you go past them.

Jessica

Very smart. That's some good spying skills.

Graham

If you ever see me and Carole doing that in a restaurant, you know that we're secretly spying on you.

Carole

Well, they'll never know because it's that subtle. So Igor reached out to the unnamed Tesla employee via WhatsApp. Do you think it would have been more successful if they'd reached out via something like Tinder? I'm not sure why you have to change the sexes for that to happen. Well, OK. You've got to go with the times, clearly. OK, sorry. Yes. All right. I suppose it depends whatever you're up for. Exactly. Yeah. OK. It's just my little fantasy. I've always wanted to be seduced by an Igor. Well, when you write this up, you know, as a screenplay, you can add a few extra dimensions, Graham. We'll look forward to it.

Graham

I wanted this as well, you know. Does he take a down payment? Because these guys are criminals, right?

Carole

Yeah, who are you going to complain to? Right? I tried to bring down Tesla. I failed. They promised me a million quid. Never got it. Can you go after them, please? What are you going to do, right? And the article that I mentioned does break down some of the finances, apparently. The idea was that a million would go to the insider. Two million would go to the crime gang boss. Don't know who that is, obviously. And then $250,000 would be paid to the individual who created and customized the malware. And then the rest would go to the gang's associates.

Carole

So does the creator of the bespoke malware. Jeez, that's a house payment. You know, I mean, that's like you buy a house for that.

Jessica

It's a lucrative endeavor, isn't it? If they had got their 4 million or even maybe more. Yeah, but J-Lo's gotten beaten.

Graham

Hang on, J-Lo was involved?

Carole

She just makes more cash for shit. Jenny from the block?

Graham

Yeah, yeah. She don't care about the size of a rock. Exactly. I can't remember the words. I bet Jess, no, Jess isn't into all that. Whoa. No, she is. She talked before about hip hop and rap and stuff. But

Carole

It's not hip hop or rap. No, but Jenny,

Graham

J-Lo is down. I'm not talking about Jennifer Aniston. I'm talking about Jennifer Lopez. Stop ticking. Stop ticking. Carole, what have you got for us this week?

Carole

Well, we are, as I said earlier, taking to the skies because on Monday this week, the Federal Aviation Administration, FAA, told us they had issued a Part 135 air carrier certificate to Amazon's fleet of drones. What on earth does that mean? It means that they will be able to fly if they can meet certain stipulations. Oh, my goodness. And this is all in the name of commercial everythingism, right? Improved package deliveries.

Graham

No, what this is, is all in the aim of Skynet. This is the end of time. I've seen Terminator. This is how it all starts, is with Amazon deliveries.

Carole

Oh, this is a perfect story for you. You're going to have so many ideas. Yeah, yeah, yeah. Okay, so first, do you want to guess what the Amazon fleet of drones might be called? Skyweb? That's good, but think Amazon terms.

Graham

There's a river, there's a forest, there's a canopy. The company.

Carole

Okay. Geoff. Prime Air, of course. Now, according to the New York Times, the company said it was required to submit evidence of the safety of its operations and to demonstrate those operations for the FAA. And a VP of the company said, quote, we would work closely with the FAA and other regulators around the world to realize our vision of 30-minute delivery. 30 minutes. Now, this is where I need your help.

Graham

It's a bit lazy of them, isn't it? Couldn't they do it quicker than that?

Carole

Can you give me a scenario in your day-to-day life where this might prove very beneficial or necessary?

Graham

Condoms. Condoms, definitely. Condoms. Yes. Yep, that's a good point. You haven't got one and you really need one. Yeah, cling film won't cut it.

Carole

Exactly. Have no Ziplocs. Yeah. Okay.

Graham

Bandages. If you cut yourself, I got a bad cut the other day.

Carole

You might bleed to death in 30 minutes. Okay. Depends where you're. Yeah. You know not to remove the knife if you get stabbed, right, Lou?

Graham

Oh, is that right?

Carole

Yeah, yeah. Seriously. I'm not kidding. If you stab yourself, leave the knife in there, put pressure around it, call 911. No, not 911. Call 999. 911 is not going to work for you. Okay. Now, Amazon is not the first company to have their drones certified by the FAA. First came Wing Aviation, which is owned by Google's parent company, Alphabet, and UPS Flight Forward. Not as catchy a name there, but neither of the companies have implemented drone delivery widely, Amazon seems to be the one to watch for the commercialization of the drone. Okay. Now, last I heard, I don't know about you guys, but last I heard, drones are kind of the bane of FAA's life. Because, you know, you have all these yahoos flying incompetently around neighborhoods at night, all to look at Mrs. Conway's baps or something.

Graham

What? Sorry? Who? She's faking. Kellyanne Conway. It's a thing I haven't heard about. What are you talking about?

Carole

But it could be that the FAA seems to actually be on board with this drone tech now. So they've apparently just donated $7.5 million in grants to universities for research on the safe integration of drones into our national airspace.

Graham

So this is for 30-minute delivery. Is that really necessary? Is that what's driving this, is the need to deliver things faster? Because it's pretty astonishing right now here in the UK. If I order something on Amazon, it'll arrive the next day. I mean, sometimes it even arrives the same day, you know, late at night, which is astonishing. You have to understand, though,

Carole

You do live in the UK, where the Amazon fleet office is probably, what, 45 minutes from your door? I don't know. Probably, because you live fairly close to London. Whereas if you were in Canada or Russia or United States, I'm going to give you a few interesting drone facts that I learned.

Graham

Okay. It's drone fact time, everybody.

Carole

Yes, exactly. So the commercial drone market is expected to reach 6.3 billion by 2026. So in 5.5 years, that's big money.

Graham

About 10 bitcoins by the end of the year. Yes.

Carole

Yeah. The most common type of waiver being approved by the FAA is nighttime operation.

Graham

Oh, so they're mostly going to be flying at night, are they? It's condoms again. It's condoms. So is

Jessica

This for a 30 minute delivery at 3 a.m.? This is just

Carole

Drone facts for commercial drones. Yeah. And 50% of airspace authorizations were approved for controlled airspace. So that means out of every two people that ask for authorization, one gets it, which is pretty high. The company that's the biggest in the market for drones is DJI. They own nearly 80% of the market in the United States.

Graham

Yes, I've heard of them. Oh, have you? Interesting. They do the Mavic drone, don't they? Aren't they a Chinese company? Is that right? Probably. I don't know. Every company

Carole

Is, let's face it. So, yeah. Okay. So this, of course, is the Smashing Security podcast. So we should foray into the security areas, shall we, chums? Okay. So what issues might you foreshadow when thinking of the dawn of the drone? Is there anything that you see this is going to not be good?

Jessica

Hack drones, obviously, you know?

Graham

Yeah. Yeah. Well, I can also think of drone robbery. So you might want to send a denial of service attack to a drone while it goes over your house and you can pick up all the deliveries.

Carole

Could you do, do you think you could do Wi-Fi jamming, Graham?

Graham

If a drone was going over my house.

Carole

Could you hijack it by sending a deauthentication process?

Graham

Yes, that's exactly what. And then jam the intended drone frequency? You've taken the words out of my mouth. All you need is a Raspberry Pi, apparently. Yeah, I would think, yeah, I'd use one of those.

Carole

So yeah, you could totally do data interference, interception. This is based on a number of drone research papers, which I have linked in the show notes. Also the idea of privacy, right? Drones can basically give any viewer of the content that drone is collecting the bird's eye view of anything whenever it decides to be activated or used, right?

Jessica

Observational. I mean, when you're out in your garden. Minding your own business. If Mrs. Conway is sunbathing. Yeah, exactly. Fermenting her baps. Please. Okay. But the thing is... Carry on. Carry on

Carole

Droning. Yeah, I'm going to drone on. The thing is, drones are apparently proving to be actually quite life-changing outside the commercial realm. All right. So they provide healthcare deliveries in Rwanda. So you have really steep hills and poor roads. And if you need to get emergency blood to the hospital up there, it takes hours; with a drone, 30 minutes. Right, and in Mongolia they use it to monitor endangered vultures just to make sure the population is healthy. They are using drones to map industrial emissions so that we can hold people accountable if they're not following the rules. Farmers can assess their crops and help plant seeds and seedlings, and the coolest one is pipeline inspections, but not just oil or gas, but water. So water goes through huge pipelines via the desert. And rather than having to have people actually go out and check it, you can actually have infrared cameras on drones that can see water leakages in the hot desert and be able to isolate and tell them where it is, which is pretty amazing. So drones are cool as long as they're used

Jessica

Ethically. Any technology, isn't it? It's what you use it for.

Graham

Yeah. What do you think of people who sort of have drones for their own personal use, it's these vloggers and YouTubers. Are you in favour of everyone setting their drones off and up into the sky?

Carole

No, I don't know. If I had a drone over my house, I would not be happy. I've actually wanted to get a baseball bat for that, but of course they can fly a lot higher than that.

Graham

We have a near neighbour who has a drone, which upsets my wife mightily because she suspects it might be spying. They're a rather odd couple. Hello, by the way, if you're listening.

Carole

Make sure she rises her baps indoors, that's all I got to say about that. It's

Jessica

Those privacy concerns that Carole mentioned, isn't it? If you've got a drone flying over your back garden, it just feels intrusive.

Carole

I would hate it. I would hate it. Yep. Anyway, there you go, there's my story on drones. So, oh, before I go, a piece of advice for those who might be looking for a promising new career. Yes. Get down with the drones, people, seriously. From developers to engineers to support personnel, to operators, to securing devices, to policy creators. I think this is a huge job market ready to take off. So it'd be a good place to get in early.

Graham

Because they're here to stay. I mean, this is a new infrastructure, effectively, isn't it? Going to

Carole

agriculture, going to retail, going to industry. So it doesn't matter what area you are focused on already, this is something that's going to come in and they're going to need that kind of bridging between the two industries, between how do you get drones to work safely and securely and effectively within this industry or this market or this company.

Jessica

That's so true. I wonder how many schools and universities are talking to young people about drone careers. Yep. Well, you've heard it here first. Drone up. Don't drone me out.

Graham

Attacks and breaches are sadly a fact of life. They happen. What's most important is how well your organisation responds. And technology isn't really enough. Your staff must be ready too. Immersive Labs delivers hands-on, challenge-based training and exercises to make your team ready to fight real-world threats. Check out their free e-book all about the MITRE attack framework and how you can use it as a part of your cyber skills strategy and improve your security posture by identifying weaknesses. Go to ImmersiveLabs.com slash smashing right now to download your free e-book. That's ImmersiveLabs.com slash smashing. And welcome back. Can you join us on our favourite part of the show? The part of the show that we like to call Pick Of The Week. Pick Of The Week. Pick Of The Week. Pick Of The Week is the part of the show where everyone chooses something they like. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security-related necessarily. Better not be. Now, my pick of the week this week is not security-related. We are coming to the end of the school summer holidays. And as people will know if they've been listening to the show, I've been recommending lots of games, both board games and computer games, which I've been playing with my son.

Carole

I'm guessing none are sticking, right?

Graham

No, no, no. We like a variety. This one is one that we've just discovered and we're enjoying. It is available, I believe, for the PC. I believe you can get it via Steam, but we have it on the Nintendo Switch. And it is called the Heave Ho Game. And it's one of these party games. You can play it on your own, or you can play it with a party of people. And it's quite hilarious. So imagine, if you will, that you are an orangutan. And you know how orangutans have those long arms, or chimpanzees, or something like that. And they're sort of going from branch to branch, grabbing hold. And then they swing, and then they grab with the other arm. Well, this heave-ho game is a bit like this. You are a blob, and you're trying to get from one place to another, and you have sticky hands, and you can grab hold of things and swing on a rope or swing on a platform and then grab something else with your other hand. And if you're playing with more than one person, you can create a chain. And then, of course, you're reliant on someone. Don't let go of your right hand, right, because everyone's hanging off it. And you're swinging back and forth and then you let go of your left hand and you may send them spiralling over to your intended destination.

Carole

I'm not sure this is a very good game to be advocating right now, Graham.

Graham

Why is that?

Carole

Fricking global pandemic.

Graham

Oh, because hand-holding.

Carole

Yes, sticky hand-holding. This is really not on. But virtual. Kids are about to go back to school. You should be teaching him to wash his hands, not celebrating sticky hands.

Graham

The graphics are fairly rudimentary, but it doesn't matter because it is immense fun. It is created by a crazy French game development group. Have you noticed how many games which are bonkers are French?

Carole

I know. I love French developers for that. They're the best. They're the best. Raving Rabbids. Isn't that French?

Graham

Oh, I think it might have been. I think it might have been. So this game is fairly elementary, but hugely enjoyable, especially if you played with a group because you start blaming each other. It's like, let go, let go. Okay, you hold on to this. I'll hold on to that. Okay. Now, on the count of three, on the count of three, we all have to, whoop, okay. And you miss. And it's a lot of fun. And I managed to pick it up for about a Fiver because it was on special offer. I think normally it is less than $10 in the Nintendo e-store. I don't know how much it costs.

Carole

I have a question for you, actually. I have a game that I would like you and maybe your son to test out for the show. Okay. It's an old game. Did you ever play Oregon Trail? Oh, I've heard of it. I never played it. Apparently, it's the way that kids can actually learn American history. And apparently, it's amazing and it's fun and you remember it for life. So, you should check it out. They have loads of emulators online. And I was going to check it out, but it might be cooler if you and your son do it. It's about pioneers, isn't it? Yeah. Making sure you don't die of dysentery. But apparently, you can die of hunger if you don't have enough food. And you've got to make sure you talk to the right people and go to the right places. Sounds good. Oh, well, okay. Thank you. Sorry to hijack you. Well, exactly. You just usurped my fun game to one about trying to survive. It is a pandemic, not sticky hands. What the marketing meeting. Do we care? Do we care about the sticky hands? Should we change the whole thing? No, shut up. It's too late. It's done. It's too

Jessica

Late. Get it out the door. Sell it with hand sanitizer.

Graham

Jess, what is your pick of the week?

Jessica

Well, Graham, you spoke about Bitcoin earlier. And so I thought I would bring us full circle with a show about cryptocurrency. Oh, I thought you were going to give away a Bitcoin to all our listeners. Kind of about cryptocurrency. It's not really, but it sort of is. And this is a show, it's been out for a while, but I have just finished watching it on Amazon. And it's called Startup. And it's a great cast. It includes Adam Brody, who finally you forget about him on The O.C. and his character. Edi Gathegi, who I was not familiar with before Startup, but an absolutely amazing actor, fantastic in this show. Ron Perlman, Martin Freeman, Mira Sorvino, who turns up later on. So a really good cast, really well-written characters. And it's essentially about a sort of unlikely group of people, small group of people who kind of stumble into launching a tech startup. And what surprised me is it's actually quite a gritty show. So it tackles corruption, organized crime, racism, sexism, and throughout this kind of thread of a critical look at VC-funded tech bro culture. But another fun point is that, of course, they get some of the tech very wrong. So you have to go in knowing that, expect it. And rather than getting annoyed, just decide that's going to be your Easter eggs is looking out for the, for example, the time where they show an IP address of 285. And of course, we know they don't go past 255, stuff like that. Quite simple stuff.

Carole

You know, it's funny, though, actually, because we all are kind of, we have this romantic idea of startups, right, which is basically a small company with not much necessarily in terms of experience getting a wad full of cash and a mountain of stress to produce really quickly, high-calibre, earth-shatteringly amazing software in the shortest amount of time possible. It's, you know, no wonder a lot of them get it wrong and fall over. Absolutely. And one interesting thing, I don't want to give it away, but one interesting thing is the extent to which and the speed by which they monetize it.

Graham

Yeah. Was he the guy who was the beast in Beauty and the Beast with Linda Hamilton? Yes, I believe he was. I believe he was. That was with makeup, though. So my pick of the week, I'm just talking, scrolling because a podcast, it's an audio drama. I know, your favorite, but I think you would like this one.

Jessica

You thought we wouldn't notice. You thought we wouldn't notice. She's like a security chief, and it's Matt's first day at the facility. So you kind of get walked around with Matt, and you kind of get to understand how it all works. Oh, I love Battlestar Galactica. Me too, me too. And Dac is just a great strong character. She reminded me a bit of Starbuck's character, so that might be something. And honestly, one of the best audio drama pods I've heard in like a long, long time. I was literally at one point, like, you know there's like tension moments and I was literally like all clenched up. Nice. Well, we're all waiting for the aliens in 2020. Like, that's what's next, surely. So it seems quite apt, even though you said it was a long ago.

Graham

I think they might already be here.

Jessica

Good point. Good point.

Graham

And that just about wraps it up for this week. Jessica, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?

Jessica

You can find me on Twitter at Dr Jessica Barker. Also check out our Cigenta website, cigenta.co.uk and our blog site, blog.cigenta.co.uk. And finally, I may have mentioned I have a book coming out soon. It's called Confident Cyber Security, published by Kogan Page. And you can find out more at confidencecyber.com.

Graham

Very cool. And you can follow us on Twitter at Smash Security. No G, Twitter wouldn't let us have a G. And you can also join our subreddit. Just look for Smashing Security up on Reddit. And don't forget, if you want to be sure never to miss another episode, subscribe in your favourite podcast app, such as Apple Podcasts, Overcast, Spotify or Pocket Casts.

Carole

And socially responsible winks to you all for listening, supporting the show via Patreon and sharing this podcast with your people. Also, high five to this week's Smashing Security sponsors, Immersive Labs and LastPass. Their support helps us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details and information on how to get in touch with us.

Graham

Until next time, cheerio! Bye bye, bye bye.

Carole

Boom, in the bag. Thank you.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Jessica Barker – @drjessicabarker

Show notes:

Sponsor: LastPass

LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.

But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.

Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.

Sponsor: Immersive Labs

Immersive Labs delivers hands-on, challenge-based training and exercises to make your team ready to fight real-world threats.

Check out their free ebook all about the MITRE ATT&CK framework, and how you can use it as part of your cyber skills strategy and improve your security posture by identifying weaknesses. Visit immersivelabs.com/smashing now.

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
