Google warns security researchers that North Korean hackers are pretending to be their buddies, sensitive information connected to Coronavirus testing is available for sale in the Netherlands, and is a Peeping Tom at your home security provider spying on you through CCTV?
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
The rather bizarre story of a journalist who disappeared, and it turned out that her last journalistic endeavour was to interview a man on his private submarine.
CAROLE THERIAULT
Yes, submarine! The submarine story!
MARIA VARMAZIS
Yeah, I remember that. Yeah, yeah.
CAROLE THERIAULT
And he didn't— spoilers!
GRAHAM CLULEY
Fucking hell, Carole!
MARIA VARMAZIS
Well, now I don't need to see it. Jesus. And then he. What? Her What?
CAROLE THERIAULT
I was just remembering the story.
Unknown
Isn't that the guy who went, bloop, bloop, bloop, bloop, bloop, bloop, bloop, bloop, bloop. Anyway.
Smashing Security, episode 212: Dutch Leaks, Peeping Toms and Researchers Under Fire, with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, episode 212. My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And we're joined this week by podcast listener favourite, it's Maria Varmazis. Hello, Maria.
CAROLE THERIAULT
She's also my favourite.
MARIA VARMAZIS
Hi, Maria. Hi, hi. I'm my favourite too.
CAROLE THERIAULT
Oh, how are you doing? How's 2021 so far?
MARIA VARMAZIS
So far okay.
It's got a lot of opportunity to fuck up, but so you still got white knuckle holding on to whatever is around for Yeah, 4 years of— so, you know, it's gonna be interesting.
CAROLE THERIAULT
So let's say thanks to this week's sponsors, 1Password. Their support helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
Oh, I'm going to be introducing you to someone a bit beardy and wearing a hoodie in the Netherlands. Is he a hacker or not?
CAROLE THERIAULT
Maria, what about you?
MARIA VARMAZIS
There's some North Korean shenanigans going down in Google's Dutch story.
CAROLE THERIAULT
Oh, and I'm We're going to see how low-tech a hacker can get. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, chums, there is a fellow working at a company in the Netherlands.
MARIA VARMAZIS
Okay, I'm in.
GRAHAM CLULEY
He hasn't shaved for a while.
MARIA VARMAZIS
Same.
GRAHAM CLULEY
He's wearing a hoodie.
MARIA VARMAZIS
Same.
GRAHAM CLULEY
And he has an interest in the dark web.
MARIA VARMAZIS
Okay, that's where we diverge a bit.
GRAHAM CLULEY
But he's not a malicious hacker. He is Daniël Verlaan, who is a cybercrime reporter at the Dutch TV service RTL News.
He's the guy who loves to dig up facts about what's going on on the dark web and amongst cybercriminals and all the hackers. And he's their cool technology guy.
And it's his job to dig up details of what the bad guys are up to and uncover cyber goofs.
CAROLE THERIAULT
Goofs. Okay, this is what he does for a living, basically.
GRAHAM CLULEY
Yeah. Yeah.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
For instance, last November, he gained a little bit of notoriety because he gatecrashed a European Union defence minister's video conference call.
This was after the Dutch defence minister accidentally posted the login details on Twitter. And I'll— What? Yes, I'm afraid it's still happening.
So he wanted to show he was hard at work, so he took a screenshot and he posted up, "Oh, I'm about to join this video conference call with the other defence ministers of the EU." And our man decided to join the conference as well.
Well, to the credit of the minister, he didn't reveal all of the PIN code, only some of the digits. So I think there were about 2 missing. And so this inventive young journalist—
CAROLE THERIAULT
Took 20 tries and got it.
GRAHAM CLULEY
Exactly. And he managed to get in.
Well, so that gained him some notoriety, but he's now in the papers again because he has uncovered what appears to be a serious security breach, which has been happening in the Netherlands.
He found that someone for months has been going onto Snapchat, onto Telegram, onto Wickr. What's Wickr? Wickr is an encrypted messaging service, a bit like Signal or Telegram.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Wickr is particularly beloved of drug users.
MARIA VARMAZIS
Is that the Bluetooth-only one, or am I imagining that?
GRAHAM CLULEY
No, no, no, you're thinking of a different one. Yeah, so Wickr isn't just for local contacts, can be anywhere.
But with Wickr, you don't have to give a phone number, so you can— It's sort of like super secret.
CAROLE THERIAULT
Anyway. So if you want to buy your jazz cigarettes, you do that on Wickr.
GRAHAM CLULEY
Okay, good to know, good to know.
CAROLE THERIAULT
Right, good to know.
GRAHAM CLULEY
And what he found is that someone has been advertising for months up there their access to sensitive data from the Dutch Health Service.
Specifically, these people have access to databases of people who have taken coronavirus tests in the Netherlands.
MARIA VARMAZIS
Oh no.
GRAHAM CLULEY
Or have been documented in the test and trace system. So, their home addresses, their email addresses, their telephone numbers, their dates of birth, and their BSN.
The BSN is the Dutch equivalent to a Social Security number.
CAROLE THERIAULT
Okay, so someone has been advertising this.
GRAHAM CLULEY
Mm-hmm.
MARIA VARMAZIS
Oh boy.
GRAHAM CLULEY
So you can pay between €30 and €50 and say, hey, can you tell me the home address, phone number, email address, and Social Security number of this person?
CAROLE THERIAULT
What, in this Wickr Telegram? Yeah, yeah.
GRAHAM CLULEY
If you contact the hacker via the ad.
MARIA VARMAZIS
Wow, that's a good rate.
GRAHAM CLULEY
So, and you can get all those details.
MARIA VARMAZIS
Jeez.
GRAHAM CLULEY
And you can, of course, request details about more than just one or two people.
You can say, well, could you give me all of the information you have about everyone who lives in Amsterdam aged over 50? It's like doing a, you know, a database.
Well, it is a database.
MARIA VARMAZIS
Database dump, yeah.
GRAHAM CLULEY
Yeah, it's a database. It's like a SQL query. Now—
CAROLE THERIAULT
Why? Why?
GRAHAM CLULEY
What do you mean why?
MARIA VARMAZIS
For funsies.
GRAHAM CLULEY
Why would anyone want this?
CAROLE THERIAULT
Yeah, why would anyone want this information? Like, say I've had 4 coronavirus tests or I've had 10 or I've had none. Who cares?
GRAHAM CLULEY
Well, because imagine you wanted to scam somebody.
You could then send them a message or an SMS saying, oh, you know, we know that you took your test on this date and we've now got the results for you.
Or can you pay this amount of money to get— you know, we've decided we're going to give you some treatment. Go to this site, enter your credit card details.
But more than that, Carole, you also get their Social Security number. And you can begin to do all kinds of fraud with that. Or, and this is a bit scary.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
They discovered that the private data of celebrities was also on sale, and even crime journalists.
There is a chap in the Netherlands called— you have to excuse my accent because it's very, very good— John van den Heuvel.
CAROLE THERIAULT
He is— I'm sure everyone's going to recognise him or her.
GRAHAM CLULEY
Well—
MARIA VARMAZIS
Our Dutch friends probably will.
GRAHAM CLULEY
In the Netherlands.
CAROLE THERIAULT
From that, yes, from—
GRAHAM CLULEY
He is famous because he is a crime journalist, a former, I think, police chief. He receives the same kind of full-time police protection which is afforded to the Dutch royal family.
So he probably has a squadron of bicycles following around after him with wicker baskets.
MARIA VARMAZIS
Oh my god.
GRAHAM CLULEY
But seriously, because he's considered so much of a target due to his work in the past assisting in the capture of criminals.
And you can read all about him on Wikipedia and what he's been up to.
CAROLE THERIAULT
What, so he goes around town with a dozen people?
GRAHAM CLULEY
Protecting him. Yes, he's got bodyguards. He's got the police looking after him. And so he doesn't want his personal address.
MARIA VARMAZIS
How tall is this guy?
CAROLE THERIAULT
Jesus.
MARIA VARMAZIS
Sorry.
GRAHAM CLULEY
Well, he's Dutch. He's gonna be quite tall.
MARIA VARMAZIS
Yeah, I know. I say that about a lot of Dutch people. I'm like, how tall are y'all? Jeez.
GRAHAM CLULEY
So yeah, so it puts him in danger because of course, he's a person of interest to criminals.
And these are criminals saying, can you tell me where he lives and his phone number and his Social Security number? You can imagine he's not terribly pleased about this.
So this journalist, Daniel, et cetera, he got the prior consent of individuals, a number of people, a few hundred people, and he did a request.
He said, "I would like information about these hundreds of people." He approached the scammers and said, "Hey, you know, I'm thinking of making a purchase.
Just as a little test, can you give me details about these people?" And he confirmed the authenticity of the information which had been offered for sale, and it was correct.
This is the legitimate information. They even were posting screenshots of the computers with access to the databases.
Now, the Dutch Health Service, they say they haven't found any evidence that they've been hacked, but these screenshots suggest—
CAROLE THERIAULT
Inside job, inside job.
GRAHAM CLULEY
Exactly.
MARIA VARMAZIS
Yeah.
GRAHAM CLULEY
There are 26,000 workers and call centre employees working inside the Dutch Health Service who've had access to this information.
And many of them, of course, at the moment, where are they working?
MARIA VARMAZIS
At home.
GRAHAM CLULEY
At home. Perfect.
CAROLE THERIAULT
What a key.
GRAHAM CLULEY
Perfect pitch.
CAROLE THERIAULT
Mm-hmm.
GRAHAM CLULEY
And that makes it easier, I would argue, for them to pass on the data to criminals or even just photograph their screens or—
CAROLE THERIAULT
Well, you can't photograph your screen in the office.
GRAHAM CLULEY
Well, you can, but people might notice, you know. Not really.
CAROLE THERIAULT
Do you think anyone would have noticed? Anyone doing that?
GRAHAM CLULEY
You get your Polaroid camera out.
CAROLE THERIAULT
Give me a break.
GRAHAM CLULEY
You might do.
MARIA VARMAZIS
Look at this killer meme. I don't know how to share it, so I'm gonna take a picture of it and just text it to my mom. Yeah, there you go. There's your cover story.
CAROLE THERIAULT
Done.
MARIA VARMAZIS
Yeah.
GRAHAM CLULEY
Now, I don't know if either of you have ever been employed by the Dutch Health Service call centre for coronavirus testing. Yes, you do.
CAROLE THERIAULT
You know that neither of us have been.
MARIA VARMAZIS
No, no, not lately.
GRAHAM CLULEY
Well, you are typically paid around €11 per hour for doing that work. But of course, you can receive hundreds for every person's details that you pass on.
MARIA VARMAZIS
Mm-hmm.
GRAHAM CLULEY
So here's my question for you. What can be done about this? How could you try and fix this problem? Have you got any ideas at all?
MARIA VARMAZIS
I was thinking they could do a thing where everybody's login is shown somewhere on the screen in a way that can't be obfuscated.
So you could then try and track down who's been doing the screencaps. I don't know.
GRAHAM CLULEY
I think that's quite a good idea, but it might be obvious that, oh, that's my user ID in the corner.
I was thinking, what if you had a field in the data and it wasn't obvious what it was, but it was somehow sorted with your user ID?
So if someone did share that data, not knowing what that particular field was, you'd be able to extract it and say, oh, this is from this particular user.
We know where it's come out. So if it was less obvious. That was one idea I had.
MARIA VARMAZIS
Or you could do a honeypot user.
GRAHAM CLULEY
Yes. Yeah, exactly. You know, or something like— Carole, did you have some ideas?
CAROLE THERIAULT
No, no, no, go ahead.
MARIA VARMAZIS
We're just being brilliant without Carole Theriault. Okay.
CAROLE THERIAULT
It happens often.
GRAHAM CLULEY
So what the Dutch Health Service do, the GGD as they're called, is they get their employees to sign a certificate of good conduct.
MARIA VARMAZIS
Oh, well that sorts it.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Guys, I like that!
GRAHAM CLULEY
Well, I'm not saying it's bad.
CAROLE THERIAULT
No, no, but you know, okay, so you're saying the person who's doing this is obviously malevolent in his intent or her intent if they are working internally and leaking all this info, right?
And you're thinking it is an inside job.
MARIA VARMAZIS
Well, it's quite possible.
GRAHAM CLULEY
It does seem quite possible.
CAROLE THERIAULT
Well, it seems more than possible. It seems more likely.
GRAHAM CLULEY
They're also conducting random checks, and people have been fired in the past for being naughty.
So, and one thing you could do, of course, and this is a bit controversial, and this will get Carole's goat, is that you could run some kind of software on the computers of the people working from home to observe what they are doing.
MARIA VARMAZIS
Oh no. Oh, oh no.
GRAHAM CLULEY
I know, yeah.
CAROLE THERIAULT
You mean video surveillance?
GRAHAM CLULEY
Well, either that or—
CAROLE THERIAULT
Basically spyware. He's taking a picture of the screen!
MARIA VARMAZIS
You know what I mean? You know what that means? Yeah, how are you gonna— yeah.
GRAHAM CLULEY
Call voodoo hooter! Or maybe unusual behaviour if people are accessing individuals and they don't have a good reason to. I don't know, some kind of audit trail. I'm not sure.
Anyway, clearly it's not easy. Last Saturday, police in the Netherlands arrested two suspects. A 21-year-old from the city of Heiloo.
MARIA VARMAZIS
Heiloo!
GRAHAM CLULEY
And a 23-year-old from the city of Good mooded. No, no, no. Alblasserdam. Unfortunately, it would have been good if it was. Computers have been seized and houses searched.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
And apparently these chaps were working at health service call centres.
CAROLE THERIAULT
Yeah, my gut says inside job and it's for a little— Yeah, it's you said, it's for some chump change.
GRAHAM CLULEY
But it's a bit of a worry, isn't it? Because you want the public to have confidence in these systems and the data's been properly collected.
And if you are someone who's got police protection to keep your identity secret and your location, you're going to be pretty miffed that this is so easy to access.
MARIA VARMAZIS
When a 21-year-old from Heiloo goes around.
CAROLE THERIAULT
The other thing is, though, with a certificate of good conduct and confidentiality agreement, that is not just to say, oh, I'm an upstanding person.
It's also a liability issue, right? Because if they're able to find them, they can go, yeah, you're the bad guy and we're going after you now. Yes, because—
MARIA VARMAZIS
Yeah, so you said you wouldn't do it and then you did it. Oh, you're in trouble now.
GRAHAM CLULEY
Yeah, so if you are a Dutch celebrity, be very careful about—
CAROLE THERIAULT
Graham, your connection seems weird.
MARIA VARMAZIS
Yeah, you sound like a deceased actor from the James Bond franchise. From Zardoz. Excuse you, we have to go over that again. Seriously, we did that.
CAROLE THERIAULT
Oh my God, I can't believe we did that. It's not my proudest moment.
MARIA VARMAZIS
Oh my God.
GRAHAM CLULEY
Links in the show notes. So Maria, what have you got for us this week?
MARIA VARMAZIS
Well, last evening when I was trying to figure out what I wanted to cover for the show, there was a story breaking on Twitter, and I was so happy because I think both of y'all were asleep, so I was like, I get dibs on this story.
The 5-hour difference helps a little bit.
CAROLE THERIAULT
5-hour time advantage.
MARIA VARMAZIS
So the story that was breaking, which I'm so fascinated by this one, is Google says that North Korean state hackers are targeting security researchers.
CAROLE THERIAULT
Researchers.
MARIA VARMAZIS
Researchers. So the news that broke last night via Google's Threat Analysis Group, which specializes in what us nerds call advanced persistent threats or APTs.
CAROLE THERIAULT
Malware for the rest of us.
MARIA VARMAZIS
Yeah. Okay.
CAROLE THERIAULT
So anyone who's normal.
MARIA VARMAZIS
An APT is a highly targeted and extremely cutting edge attack. So usually these are only used on high-value targets like a government official or, you know, a CEO of a company.
They're super valuable. So the average person doesn't really need to lose sleep over APTs, even though they get really cool headlines and they are really fascinating.
But this APT, we actually might want to lose a little sleep over this one.
So in this case, the attack that Google was outlining starts out with some good old-fashioned social engineering.
So the North Korean attackers for months apparently were reaching out to their victims via email or social media or even comments in blog posts.
They were using Twitter DMs, LinkedIn messages, Keybase, Telegram, and Discord.
CAROLE THERIAULT
Okay.
MARIA VARMAZIS
Posting fake research on GitHub. And they themselves are posing as benevolent security researchers saying, I found this cool exploit.
And they were establishing themselves in the security community online, having legitimate conversations for weeks, months with some people who are actually quite well known in the security field and well respected.
Crikey. Yeah. And so they really took their time to establish themselves using fake profiles, of course.
CAROLE THERIAULT
And the research must have had some quality to it because people were reading it and probably going, oh, good paper, nice find, or whatever.
MARIA VARMAZIS
Well, yeah, Google said that some of these proofs of concepts were fake and were provable as fake, but others, they're still kind of like, they actually might be real.
And the thinking is that maybe the North Koreans actually really did have some exploits that they were willing to burn just for the sake of building credibility for these attacks.
Yeah, anyway, so after these attackers took their time to build rapport, they would then, when the time was right, deploy their ruse, which was that they had a new proof of concept on exploiting a new or previously patched vulnerability, or saying they had a new method to exploit a known bug, that kind of thing.
CAROLE THERIAULT
Okay.
MARIA VARMAZIS
So that would work.
CAROLE THERIAULT
That's the little fishy, the little worm on the hook. Right.
MARIA VARMAZIS
And again, as Google said, as I mentioned, Google said some of these proofs were faked, but a lot of them were made convincing enough that it fooled a few people, even savvy researchers.
So when the attacker would DM a researcher saying, hey, do you want to collaborate on this research because I need specific expertise and you have it and I don't, that sounds like a legit ask.
Like people do that in the research field.
CAROLE THERIAULT
Yes, they do. Oh my God.
MARIA VARMAZIS
So if you've spent weeks or months ingratiating yourself in a not too scammy way, a researcher might go, you know what, I'll— yeah, let's collaborate.
So as part of that process, the attacker would then direct their target researcher to a Visual Studio project with the source code to their exploit, you know, so they could look at it and collaborate on it.
So the hitch is that hidden in that Visual Studio project, there would be a little hidden DLL, which is a little program that would install backdoor malware on the researcher's machines.
So that researcher's machine would now be hooked up to a North Korean-owned command and control server.
GRAHAM CLULEY
Presumably with the intention of either stealing other work that those researchers were working on or that company was working on, or—
MARIA VARMAZIS
Keeping an eye on what they're up to.
GRAHAM CLULEY
Yeah, spreading throughout that company, because of course that company may be in the business of unlocking North Korean threats, right?
CAROLE THERIAULT
Yeah, yeah.
GRAHAM CLULEY
So cunning, isn't it?
CAROLE THERIAULT
Did they want access to the lab, or they wanted just to kind of compromise the researcher's system and just have whatever access they had?
MARIA VARMAZIS
I imagine whatever they could get access to is probably worth —was Bitdefender.
CAROLE THERIAULT
And that would be pretty good. Okay.
MARIA VARMAZIS
Yeah. And to the credit of many researchers, many of them saw that little hidden DLL and went, wait a second. So, and they caught it, but not everybody did.
And here's the thing, what I just described was the simple version of the attack. There's actually a much more sophisticated one that's still a mystery.
And this is actually what really grabbed the headlines last night.
So sometimes when the North Korean attacker would do that whole social engineering song and dance, they would just send the researcher over to their own website, which was set up to look like a legitimate research blog.
And even though these researchers were all using the most updated and patched versions of Windows 10 and Chrome, and they were otherwise presumably locked down because, you know, they're researchers, somehow just by visiting that fake research blog, the targets would then get malware installed on their machine calling into that C&C server.
So this is why Google's involved. This is why their APT team is on this because it seems that the North Korean group is exploiting a heretofore unknown Chrome vulnerability.
So that is a Chrome zero-day in the wild, y'all. That's— and that's what the news was last night. So kind of scary.
CAROLE THERIAULT
So that means basically anyone that uses Chrome is potentially vulnerable to this, but really they're only currently attacking researchers.
MARIA VARMAZIS
Well, if you visit the blog, yeah, you're vulnerable right now. There's no fix for this.
So the Google Smashing Security Threat Analysis Group wrote in their blog post that, "We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with." So like I said earlier, most APTs are like sexy headlines but don't make much of a difference to the average person.
But this one, the thought of a compromised security researcher does make me lose a bit of sleep last night, especially if they're working on behalf of your supposedly benevolent government.
So that's kind of a yikes. So as you said, is this just something a researcher needs to worry about? No, it's wicked important.
Note, so we don't all get hacked by North Korea, don't visit the blog that Google put in their blog post. The link to the North Korean blog is in a lot of the media coverage.
Did they hyperlink it?
They put a little note in parentheses after it like, "Don't visit this." But oh my God, you know what, they'll obfuscate it by just saying a period goes here in the URL.
It's not very difficult to just put it in yourself. And I'm just like, I'm a very curious person. Part of me wants to be like, what does this thing look like?
CAROLE THERIAULT
No, Maria, do not do it, Maria.
MARIA VARMAZIS
Yeah, it is very tempting. I had to really stop myself from visiting. So don't go to that website. Slap that hand.
GRAHAM CLULEY
You know, I've been going on a lot of walks during lockdown and I go through a field full of sheep.
CAROLE THERIAULT
Are you allowed to go for walks? Yes, I am. Are you walking 7 kilometers from your house like BoJo did and got in trouble? Don't do too much either.
MARIA VARMAZIS
But anyway.
GRAHAM CLULEY
But there's an electric fence, and there is a sign on there saying, "Do not touch electric fence." And there's something about me which makes me think, "Oh, I wonder if that really is electrified." Did you touch it?
CAROLE THERIAULT
Did you lick your fingers first?
MARIA VARMAZIS
Then touch it? For the extra— Yeah.
CAROLE THERIAULT
Yeah, for the extra zing and the flavour.
GRAHAM CLULEY
I cannot stop myself touching electric fences.
CAROLE THERIAULT
That's— Okay, Graham, this is the wrong show. You need to come on Sticky Pickles for that.
MARIA VARMAZIS
That explains a lot. I'm not touching it with my pickle.
GRAHAM CLULEY
Not yet. Oh God. Depends how long lockdown goes on for. Carole, what have you got for us?
CAROLE THERIAULT
Well, interesting, this follows very well from Maria's story. I wanted to start by asking you guys to define the word grubby for me. Grubby.
What kind of actions would you say would be labeled grubby?
GRAHAM CLULEY
Grabby. Grubby, grabby. Something where there's a podcast and it's meant to be about a serious topic, but they just keep on getting a little bit lavatorial. Something like that.
CAROLE THERIAULT
Well, if like 2019, I would have said not washing your hands after a poop, but now that's up there with murder, right? Don't screw around. It might be murder.
But I think our main character in this story, a Mr. Aviles, is most definitely, inarguably, in fact, grubby. Do you want to know what he did? He's a digital peeping Tom.
At 35 years old, Mr. Aviles was a technician for ADT, the well-known home security company. And he helped people install their systems.
And one day, he decided if he could secretly access the footage of some of his customers' surveillance systems. Oh no.
Why do people put these cameras inside, pointing inwards to their living room or bedrooms or house? Why? Why do they need their internals always under constant digital surveillance?
GRAHAM CLULEY
We might be worried about getting robbed. You might be worried about the cleaners, or, you know, some workmen, or the nanny, or, yeah, somebody working for you in your house.
MARIA VARMAZIS
I don't ascribe to that kind of viewpoint, but I— that's my understanding. Yeah.
CAROLE THERIAULT
Okay, so you're so worried about things being stolen from you that you basically live under constant surveillance?
GRAHAM CLULEY
Well, I don't because I don't have these cameras, but I think some people will think it's— they're probably not worried about so much about their privacy.
CAROLE THERIAULT
I bet it's for insurance, actually. You know, it's like, here's video of the guy, you know, stealing my phones or whatever. So this guy, Mr.
Aviles, managed to gain access to 200 different ADT customer video surveillance feeds in and around Dallas. All right. And can you guess what his motivation was according to Gizmodo?
Butts.
GRAHAM CLULEY
Was it that he's a superhero in the making and he really wanted to see if a crime was being committed? And if he saw someone uncouth— Grubby man flying through the stars.
I thought he was going to swoop in and save the day. Is that not the case? As Grubster in his underpants.
CAROLE THERIAULT
Over his tights. No, he wanted to spy on women and letch over couples doing the nasty butts. Exactly. Just butts. Yeah, butts. Exactly. Half butts, full butts.
He did this for years, years until he was caught. He accessed 200 streams almost 10,000 times.
MARIA VARMAZIS
He had some favorites is what it sounds like.
CAROLE THERIAULT
Let's be generous. Let's be generous. Let's say that, you know, over years, let's say they mean 5 years, right?
So that's 200 times a year he's accessing these streams, 4 times a week, right?
GRAHAM CLULEY
I'm thinking he not only saw pickles, he probably had quite a sore pickle himself. Talk about grubby.
CAROLE THERIAULT
The authorities say that the IT technician, Mr. Aviles, took note of which homes had attractive women. No shit.
Then repeatedly logged into these customers' accounts in order to view their footage for sexual gratification.
GRAHAM CLULEY
This is horrendous.
CAROLE THERIAULT
Yeah, I'll get to how he pulled off this incredible hacky feat, right?
Because of course, presumably it should be not impossible to gain access to someone's unauthorized stream, digital stream, right?
GRAHAM CLULEY
Was he doing this from his office? Was he doing this from his workplace?
CAROLE THERIAULT
That's a good question. That's a good question.
GRAHAM CLULEY
Had he not signed the good behavior agreement, the sign of good conduct?
CAROLE THERIAULT
Maybe he needs to reread it.
MARIA VARMAZIS
A little reminder.
CAROLE THERIAULT
So I wanted to know, I'm sure people who are thinking about putting this kind of surveillance into their house obviously go and research who has access to the video stuff.
So there is a very helpful ADT FAQ that I was able to find very easily, and the question was, are the internal IP cameras secure?
That is, can someone else access the wireless camera signal and view the images captured by the cameras in and around my home?
And ADT answered that ADT requires authorized users to log in through a personal ADT smart home website, and there's TLS protocol, and they say it's similar to what the banking industry uses in order to offer you secure online banking features.
Okay, so sounds impressive.
MARIA VARMAZIS
Sounds a little vague to me. I don't really under— I'm like, I don't— that's not enough information for me, but okay. So obviously Mr.
CAROLE THERIAULT
Aviles had Harrison Ford archenemy level of sophistication, right? Because they use bank security practically. What is—
GRAHAM CLULEY
I think Maria and I are both thinking the same thing. You're thinking, what? What are these Harrison Ford qualifications you're talking about?
CAROLE THERIAULT
I'm going to tell you, I'm going to tell you. These Harrison Ford archenemy qualifications is shooting first. Is basically go low tech. So Mr.
Aviles was no computer mastermind, but just a cunning little pervert. And he gained access by adding an email address to the customer's account.
So whilst he's installing the system, he just makes sure that his private email address also had access to all the surveillance material.
MARIA VARMAZIS
Oh, so he set it up for them. He's setting it up and he goes, okay, lady of the house got a nice rocking bod.
Let me make sure I leave my little calling card so I can check back later. Exactly, yeah. Okay, this is about as gross as I imagined it was.
CAROLE THERIAULT
After years, right, of grubby behavior, a single ADT customer in South Dallas reported an unauthorized email address on her account.
Listed inside the ADT's own app, which is called ADT Pulse.
So yeah, the company launched immediately an internal investigation, discovered the employee's personal email address in 220 different accounts of ADT. The same email address.
MARIA VARMAZIS
Not subtle is what that is. That's someone who's pretty sure he's not going to get caught or doesn't care.
GRAHAM CLULEY
But he didn't get caught for years. You said for years.
MARIA VARMAZIS
Yeah, he got away with that red-handed, if you will.
CAROLE THERIAULT
220 different accounts, right? Maria, it's only 10 in the morning for you.
MARIA VARMAZIS
I know, it's really early for me. It's way too early for me to be saying shit like this. Oh my Lord, I just had my morning coffee.
I'm still in my pajamas, although it has nothing to do with the time of day anymore. Seriously.
CAROLE THERIAULT
Now, news of this scandal initially emerged last April.
When ADT reported the breach publicly pretty darn quickly, and they said, "We deeply regret this incident, remain committed to working with law enforcement to support them in whatever they need to help bring justice to the victims of this former employee," the company wrote on its website.
The company said it implemented procedures to prevent similar attacks from taking place in the future, including sending notifications to customers when users are added to accounts.
Although it wouldn't have helped here because if you added it during setup, yeah, you would just— Anyway, but this week, two federal class action lawsuits.
You knew they were coming around the corner.
These have been filed on behalf of the hundreds of ADT customers who recently learned that their accounts with a home security company were compromised by a former employee. Oh boy.
Each lawsuit is in excess of $5 million. And I think this is where we all have to remember to regularly check your settings, right?
If ever there was a remember to check your settings regularly, right? This is it.
GRAHAM CLULEY
And not just on something like your cameras, but also your email account, because you may have additional email addresses associated with your Google account, for instance, or places where your messages are being forwarded to or delegation.
CAROLE THERIAULT
Yeah, I wonder, he probably just had an email address like or something like that. Anyway, so years, no one noticed.
220 different people did not notice that someone else's name was listed in the "I can access this feed." So, and why didn't ADT notice that the same email address was across 220 different accounts?
MARIA VARMAZIS
I'm sure they were not monitoring for that. Why would they be monitoring? Well, I think they will be now. Yeah, now they will be.
CAROLE THERIAULT
Yep. Wake-up call to the rest of us.
GRAHAM CLULEY
So what's happening to this guy? Has he been sentenced?
CAROLE THERIAULT
Yeah, he's facing 5 years in jail. He's facing 5 years.
GRAHAM CLULEY
Has he admitted it?
CAROLE THERIAULT
Yeah, yeah, he's come clean.
GRAHAM CLULEY
Okay. Are they gonna put a CCTV camera in his cell?
CAROLE THERIAULT
Oh yeah, 'cause you'd be watching that, wouldn't you? Grubby, grubby little pervert.
MARIA VARMAZIS
Oh, you know, this story reminds me a little bit of, I think it was Google that implemented some sort of feature now where, when a person is added to an account, everyone gets notified.
And there was a lot of hubbub about it because it had something to do with underage accounts being notified if a parent is adding themselves.
And it's like, the reason is because shit like this happens, and you know, people have a right to know who's monitoring their accounts.
I understand people are like, "My teenager shouldn't have to consent to stuff like this," I don't agree with it, but I mean, totally, 100%.
Somebody's gonna do something like this on the down low, I want to get an email about it saying, "Hey, is monitoring your camera, do you want this to continue?"
CAROLE THERIAULT
Exactly. I know. Listeners, listeners, this is call to action time.
Can any of you that have surveillance systems specifically inside the house or outside, can you please go check, make sure everything is kosher and as expected?
Yeah, check those settings. Check those freaking settings, guys. Freaking settings.
GRAHAM CLULEY
Check those settings. Sorry, everyone else had said it.
MARIA VARMAZIS
I thought maybe I should as well. You need to be involved. You have to join us. Hey, Graham.
GRAHAM CLULEY
Hey.
CAROLE THERIAULT
Now that it's 2021, are you ready to admit that maybe your brain is turning to mush?
GRAHAM CLULEY
Why are you saying that? Are you thinking I'm getting forgetful?
CAROLE THERIAULT
Yes. Often. Very. And I'm a little bit worried about it. I suppose most of us, you know, working from home all the time.
I mean, how the heck do you even remember a password in these scenarios? Nice segue, eh?
GRAHAM CLULEY
Yeah, well, I use a good password manager.
CAROLE THERIAULT
I, in fact, use 1Password. 1Password, that's one with a one, right? That's right. 1Password.
GRAHAM CLULEY
It's a great password manager. It works for home use, it works for families, it works for business.
So I run a little business here at home, and it means, and imagine I worked in a bigger business, right? Imagine I was a part of the remote workforce.
I could still work safely online, make it really easy for me to create and use strong passwords or share them with my colleagues.
CAROLE THERIAULT
Oh, and tell you what, now that all of us are working from home and your computer is being used not just for work, but also for home stuff more often than ever before, this kind of stuff keeps everything nicely segregated.
You know what I mean?
GRAHAM CLULEY
Yeah. And listeners can find out more and they can try 1Password for free for 14 days at 1password.com. And thanks to them for supporting the show. And welcome back.
And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week. Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
Better not be. Well, for the last few days, I thought, you know what, how should I spend my evenings?
I thought I could do my normal trick of just watching chess on Twitch, or maybe I should do what everyone else in the world seems to be doing, which is binging on TV shows.
And I found a Scandi noir docudrama. Scandi noir. It's already been shown in Scandinavia, but it's currently available on BBC iPlayer as well. It's called The Investigation.
It is a real-life crime drama from Denmark. And it's all about— do you remember the rather bizarre story of a journalist who disappeared?
And it turned out that her last journalistic endeavour was to interview a man on his private submarine. Yes! Submarine! The submarine story!
MARIA VARMAZIS
Oh yeah, I remember that.
CAROLE THERIAULT
Yeah. Yeah. And he didn't— Spoilers! Fucking hell, Carole.
MARIA VARMAZIS
Well, now I don't need to see it. Jesus. And then he what her what?
CAROLE THERIAULT
Okay, yeah. I was just remembering the story.
GRAHAM CLULEY
Isn't that the guy who went, "Bloop bloop bloop bloop bloop bloop bloop bloop bloop"? Anyway. It's really rather good. It is in Danish and Swedish, English subtitles.
I love a bit of subtitles. In fact, I was watching another Scandi noir drama the other day, which had been dubbed into American. And I was thinking, this is rubbish.
And I ended up changing on Netflix or Amazon Prime or whatever it was, the language to put it back into Swedish and put on English subtitles, and it instantly became better. Yeah.
CAROLE THERIAULT
But if you put on both the dubbing and the subtitles, there are some very interesting differences in both of them. And it can be a very meta experience to enjoy. Meta fun.
Watching the two fight against each other, because someone's more rude, or someone's more— it's fantastic.
GRAHAM CLULEY
The chap who's made this is a guy called Tobias Lindholm. And what's good about it, I think, is it focuses very much on the police investigation and the family of the victim.
The suspect never ever appears. He's never interviewed throughout the drama. And in fact, apparently, the chief policeman never did interview him throughout the entire investigation.
So it's very respectfully done. It also features the real divers who were trying to bring up the submarine and looking for evidence. It's very, very interesting. I will watch it.
Yeah, it was good. I liked it. So it's called The Investigation, and I will put some links in the show notes where you can read more.
CAROLE THERIAULT
It's almost as good as my pick of the week, Graham.
GRAHAM CLULEY
Great. Maria, what have you got for us?
MARIA VARMAZIS
I also had a TV show recommendation, except I kind of want to make mine a twofer because before I came on the show this morning, I saw some news that I also was like, oh, I need to include that.
So the thing I saw this morning that I have to put a shout out for is Babylon 5, the remaster, is now available on HBO Max.
So for my hardcore nerds who've been missing it on their streaming platforms, you can now see it, and it's in the original— sorry, Babylon 5.
GRAHAM CLULEY
Oh, Babylon 5. I thought you said Batborn. I thought it's— No, no, Babylon 5.
CAROLE THERIAULT
It's his ears, darling.
MARIA VARMAZIS
Yeah, is it my connection? Sorry. Babylon 5: The Renaissance. No, no, just— it's just a remaster of the original. I should just shut up.
CAROLE THERIAULT
Yeah, it's just— it's just a little crisper, Graham.
MARIA VARMAZIS
It's a little crisper. It's just worth— and it's a great series that sci-fi nerds really love, so, you know, I'm gonna rewatch it now anyway.
But my actual pick of the week for this week, before I saw the Babylon 5 news, is a series that ended in early 2020 that's also on HBO, but I believe it's globally available.
It's called High Maintenance, and it's about a guy who sells weed to a bunch of people in Brooklyn.
And yes, there is some marijuana use in the show, but it's really not about using drugs.
It's really a lot of vignettes about the many, many wonderful different types of people who live in big cities like New York.
So if you're the kind of person who loves slice-of-life stuff that's kind of heartwarming. This show is such comfort food, and it's all pre-pandemic.
So for me, it's like, okay, this is the stuff I love about New York or big cities like London.
That's the kind of stuff I love when you get so many different types of people crammed together, and some of them have some really interesting idiosyncrasies.
CAROLE THERIAULT
Do you ever watch TV now and go, oh, pre-pandemic? Oh, yeah, they're hugging. Yeah, there was this show recently I watched.
I think I was watching 13 Reasons Why, and at one point one of the guys bits in the other guy's face.
MARIA VARMAZIS
And I was like, whoa! Party foul, pandemic!
GRAHAM CLULEY
They are making some dramas where people snog and things. I was reading about this.
CAROLE THERIAULT
People are still having sex, Graham. You know, single people are dating and stuff. I know, I know.
GRAHAM CLULEY
But in some cases, what they've done is they've hired the girlfriend or boyfriend of the actor to act as a body double for their fictional partner. Can you wear this wig?
They're doing the saucy scenes. But in other cases, they're simply— They're testing people every day, and they're full-on snogging. And I'm thinking, seriously?
I mean, I wouldn't do that. Mind you, probably no one would do it to me either. But you know, I don't think I'd want to take that sort of risk. Really?
CAROLE THERIAULT
Diana Rigg rises from her— Yes, lovely.
MARIA VARMAZIS
I was gonna say, she has passed on, so that— She rises. Yeah.
GRAHAM CLULEY
Can you be a little bit more respectful to the Dame?
CAROLE THERIAULT
What? No, she's gorgeous. I adore her. I was just picturing something quite funny. Jesus Christ, I do apologize, Maria.
MARIA VARMAZIS
No, no, no, I'm just, you know— oh no, it's my turn to talk.
GRAHAM CLULEY
What's your pick of the week? Let's say you— anyway, so that's called High Maintenance, isn't it? Yes, excellent.
MARIA VARMAZIS
Thank you, really like it. Yes, I'm sorry, that has nothing to do with shagging dead people. A lot about really nice, happy people.
It's a comfort food show, and you don't need to be high to watch. Carole, should we go to your pick of the week now?
CAROLE THERIAULT
Okay, this week I have a brand spanking new podcast, Sticky Pickles.
MARIA VARMAZIS
Oh no, no, it's not brand new, but from Wondery called The Apology Line.
CAROLE THERIAULT
Now it's only two episodes in, podcast for those of us not using the Wondery app, but I'm so hooked already. And Graham, I think this is right up your street.
Maria, I'm not sure, you let me know. So I'm gonna get the annoying things out of the way first, because there's two. One are the ads.
Okay, Wondery just jams a fuckton of ads inside their 45-minute program. It reminds me of TV from the days of yore.
GRAHAM CLULEY
Is that a metric fuckton or an imperial fuckton?
CAROLE THERIAULT
A lot. And remember, Wondery has the backing of 20th Century Fox, and the Wall Street Journal reported that Amazon's in talks to get it at $300 million. That's the valuation.
So it's not like an independent show like Smashing Security or Sticky Pickles or whatever. Two, the other annoying thing is episodes are coming out only weekly.
So you have to wait a whole week and it's done. You just want to know what's happening. But the content makes it worthwhile.
So the Apology Line was the name of a confessional hotline that existed in the '80s in New York, right? And it slowly consumed Mr. Apology, the pseudonym for the creator, who turned out to be Alan Bridge. Now the whole point of this was to call this answerphone machine and confess your wrongdoings, right?
And quote, apparently Alan was a petty criminal in his early life, and he worried that people could fall too easily into either being predator or prey.
So he wanted to try and make the world a better place. So he ran this hotline off a basically nondescript souped-up 386SX. That's for my geek friends. I remember them well.
And he funds the whole operation himself for 15 years. It ran and amassed literally thousands of hours worth of messages. And some were, you know, banal.
Some were really grubby— word of the day— and some were downright terrifying.
And the problem was the creator, Alan Bridge, became obsessed with some of his callers and got deeply involved in their lives. Oh, okay.
So from '80 to '95, Alan Bridge ran this hotline. He was kind of like a secular priest. He was offering potential forgiveness through the catharsis of tape confessions.
And I was like, "How is this coming out now? Because he's not on the show." Turns out he died. He was killed by a jet skier who ran over him while he was swimming. That's awful.
And then fled the scene and was never identified. And you think, "Hmm, he got death threats." Right. So my conspiracy theory is, was he murdered?
GRAHAM CLULEY
What are you like? Everything's a bloody conspiracy theory of you, isn't it?
CAROLE THERIAULT
So this is all being told by his second wife, Marissa Bridge.
GRAHAM CLULEY
What did she do with her inheritance? Did she buy a new jet ski?
MARIA VARMAZIS
Jet ski. Yeah, last one out of the internet.
CAROLE THERIAULT
I'm the asshole. Anyway, I'm utterly hooked. It's called The Apology Line. It's from Wondery. Check it out. It's just fascinating and I love it. So that's my pick of the week.
GRAHAM CLULEY
Excellent. Well, that just about wraps it up for this week. Maria, thank you so much for joining us yet again. I'm sure lots of our listeners would love to follow you online.
What's the best way for folks to do that?
MARIA VARMAZIS
Yeah, @mvarmazis. I'm on Twitter. Come find me there.
GRAHAM CLULEY
And you can follow us on Twitter @SmashingSecurity, no G. Twitter doesn't allow us to have a G. And we're also up on Reddit. So just look for the Smashing Security subreddit.
And don't forget to ensure you never miss another episode, subscribe in your favorite podcast apps such as Apple Podcasts, Pocket Casts, and Spotify.
CAROLE THERIAULT
And huge thank you to this week's episode sponsor, 1Password, and to our wonderful Patreon community. Thanks to them, this show is free for all.
For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 210 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio, bye-bye, bye-bye.
CAROLE THERIAULT
Oh, I was hoping you'd do your friend's one. Bye! Cool.
MARIA VARMAZIS
And no technical problems. Hooray. Marvelous.
CAROLE THERIAULT
There we go. Another one wrapped. I'm stopping the record.
Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast.