Smashing Security podcast #220: Ransoms, scandals, and glitter bombs

Industry veterans, chatting about computer security and online privacy.

Graham Cluley

PC manufacturer Acer might have received a $50 million ransom demand, a warning spreads on Facebook about a trick being used by hackers, and why are the City of London’s police not happy about Sci Hub?

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Alex Eckelberry.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
ALEX ECKELBERRY
My visage is used for a large variety of romance scams, and so I'm—
CAROLE THERIAULT
Are you kidding? Are you fucking kidding?
Unknown
Smashing Security, Episode 220: Ransoms, Scandals, and Glitter Bombs with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 220.

My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And this week we are joined by a returning guest, but a guest returning from the mists of time. Can you believe almost to the minute it is 4 years?
CAROLE THERIAULT
Pre-Rona, pre-Brexit, pre-Trump.
GRAHAM CLULEY
Since we had Alex Eckelberry on the podcast. Alex, how are you? What have you been up to for the last 4 years? What's happened to the world?
CAROLE THERIAULT
Can you make it quick?
ALEX ECKELBERRY
Nah, nothing really. You know, it's been slow. It's slow, you know, but I'd love to be back at the show. And it is bizarre that we're at 4 years. I mean, almost to the day.

It's actually very cool.
CAROLE THERIAULT
Is there anything you want to tell anybody about who you are and what you do and why they should care?
GRAHAM CLULEY
Yeah, well— Simply the last bit.
ALEX ECKELBERRY
Why they should care? I've been told I have a good radio voice. You do. Yeah, but so I, look, I've worked in security for many, many years.

And, you know, I had an antivirus software company, company called Sunbelt Software that's now Viper Security.

I sit on the board of a company called Malwarebytes, which is a wonderful product, endpoint security.

And, you know, I was also an early board member of a company called KnowBe4, which is a security awareness training company. So I've done a lot of work on the board side.

Also was a board member of StopBadware, which is the originally Google-backed outfit to help with malware on the web. So, you know, look, I love security.

I live it, eat it, breathe it. And I'm definitely in the mix.
CAROLE THERIAULT
And you love the show, right?
ALEX ECKELBERRY
Well, I was going to say that of all the shows I listen to, this is not one of them.
CAROLE THERIAULT
So thanks to this week's sponsors, 1Password and SailPoint. Their support helps us give you this show for free. Now coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
I'm going to be sharing everyone a warning about Facebook.
CAROLE THERIAULT
Okay, fresh. Alex, what about you?
ALEX ECKELBERRY
Oh, I want to talk about evil, which is, you know, this ransomware as a service operation.
CAROLE THERIAULT
Cool. And I'm going to be asking whether academic research should be free for all and at what cost. So all this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, chums, have you ever had a slightly rough night on the tiles? Have you been out partying? Maybe there you were at a security conference in Prague.
CAROLE THERIAULT
I never partied.
GRAHAM CLULEY
No, you didn't do that?
CAROLE THERIAULT
I never went out, never had fun.
GRAHAM CLULEY
Alex, have you ever maybe enjoyed yourself a little bit too much?
ALEX ECKELBERRY
You know, I—
GRAHAM CLULEY
Come home with a swollen head, as it were?
ALEX ECKELBERRY
I take the fifth. I hear B vitamins and water helps, but maybe you have a better idea.
GRAHAM CLULEY
Well, maybe if you did return to your hotel room or to your home and you were slightly inebriated or the worst for wear, you may think, You know what I'm going to do?

What I'm going to do right now, while my judgment is obviously slightly squiffy—
CAROLE THERIAULT
Massively impaired.
GRAHAM CLULEY
Massively impaired is I'm going to send a message to my boss, or I'm going to contact my ex-girlfriend or my ex-wife, and I'm going to tell her exactly what I think because I've worked out precisely what I mean to say.
CAROLE THERIAULT
Yeah. And you're kind of — you're feeling it and you're like, and I'm going to tell you something else, you mother fairy.
GRAHAM CLULEY
At that moment, at that moment, you believe you're Oscar Wilde.
CAROLE THERIAULT
I wouldn't know, but I imagine it's very, very clear that you feel you can handle that situation at that moment.
GRAHAM CLULEY
Yes, yes.
ALEX ECKELBERRY
Nothing could go wrong.
GRAHAM CLULEY
Nothing could go wrong. No, there's no way that anything could go wrong.
CAROLE THERIAULT
You're on top of the world!
GRAHAM CLULEY
Exactly. And obviously you then send a message and it's offensive or it's, you know, something which you later regret.
CAROLE THERIAULT
Can you have one? Can you give us an example of something?
GRAHAM CLULEY
Well, it's not something I've ever done.
CAROLE THERIAULT
No, no, but in your story, I'm presuming you have a story to back up this. This isn't for chit-chat.
GRAHAM CLULEY
You make a lot of assumptions about my story.
CAROLE THERIAULT
Okay, sorry, sorry.
GRAHAM CLULEY
I think maybe you should wait and see.
CAROLE THERIAULT
Okay, sorry.
GRAHAM CLULEY
So, you know, you could send something maybe inappropriate.

You know, you could criticise someone's food or their hairdo, how they have spinach stuck between their teeth on Zoom calls or whatever it is.

You could send off some message or tell your wife that she has halitosis or who knows what.
CAROLE THERIAULT
What do you mean, text them? What do you mean?
ALEX ECKELBERRY
Hmm?
CAROLE THERIAULT
What do you mean, tell them, text them?
GRAHAM CLULEY
Well, you could send them an email maybe, or you could post a message.

Maybe even worse than texting would be if you were to publish it publicly and tag them, post it on Twitter or maybe post it on their Facebook wall and say, "You look fat in that dress." I don't know if, Alex, if you've ever been accused of looking a bit fat in a dress.
ALEX ECKELBERRY
Kilts?
CAROLE THERIAULT
Definitely a problem.
GRAHAM CLULEY
So word has begun to spread that there is a new way for hackers to hurt and insult Facebook users, and that's why I'm talking about this.

As if it weren't painful enough carrying the stigma of being a Facebook user, it turns out that hackers can send hurtful comments to your Facebook contacts which look like you sent them or you posted them up on their wall, but — And here's the sneaky bit.

Your contacts can see the messages, but you can't see what you post. A bit like —
CAROLE THERIAULT
So you get a — oh God.
GRAHAM CLULEY
A bit like you can't see the offence when you texted or you called up someone or left them a voicemail when you were drunk. Yeah, right? Because it's invisible to you.

You can't see what's wrong with it. Well, similarly, you can't see what you've posted up on the Facebook.
CAROLE THERIAULT
Oh, I see what you've done there. Good analogy, Graham.
GRAHAM CLULEY
Right? Right.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
So thousands of Facebook users are sharing this warning across the social network and asking their friends and loved ones to share it further across Facebook.

Tell all your contacts that if they get an offensive or inappropriate message from you, it's not really you.

Which I think is a rather fantastic alibi because you've now been given free rein to say whatever the hell you want to whoever you want.
CAROLE THERIAULT
Oh, okay, well, why don't you tell us your top 3?
GRAHAM CLULEY
Because —
CAROLE THERIAULT
No, come on, let's do this.
GRAHAM CLULEY
Well, I'm not on Face — Carole, are you on Facebook?
CAROLE THERIAULT
No, let's imagine we're — let's do it on Smashing Security. Okay, so what honest message do you want to send?
GRAHAM CLULEY
Well, it wouldn't have — well, I mean, well, I have — is there anything that you've ever wanted to say to a podcast co-host, Carole?
CAROLE THERIAULT
No, I'm not— I have no interest in any of this.
GRAHAM CLULEY
You're just saying that you now have got a free card.
CAROLE THERIAULT
Yeah, you've got a get-out-of-jail-free card, right?
GRAHAM CLULEY
Right. 'Cause you can say, "It wasn't me. I must have been hacked." So you can see me saying, "Your feet are very big," or something like that, but I can't see it.

So it must have been a hacker.
CAROLE THERIAULT
I find that interesting.

And also it means that when the person calls you up and goes, "WTF?" you can go, "What are you talking about?" You can say, "Oh, what, what, what, what?" Which is the best thing to do, right?

What?
GRAHAM CLULEY
Alex, are you on Facebook at all?
ALEX ECKELBERRY
Yeah, but I always thought this had to do with those sunglass ads I would get from friends, and they would always say, "No, I wasn't hacked." But you're saying you could actually use this for other things.
GRAHAM CLULEY
You could use it for all kinds of things.
ALEX ECKELBERRY
Ray-Bans. I don't know why I keep getting Ray-Ban ads from friends that are, "Hey, I was hacked. Don't click on the Ray-Ban ad." I wouldn't click on the Ray-Ban ad anyway.

I was looking for sunglasses. But yes, I am on Facebook and I can definitely see that situation.
GRAHAM CLULEY
And would you find it useful? Do you think you'd quite like occasionally to use this threat as a sort of alibi, as a cover for abusing people?
ALEX ECKELBERRY
Yeah, yeah. But you know, I think people will just do that anyway. I think we've seen that on Twitter. Somebody says something embarrassing and it's, "Oh, I was hacked.

I really didn't say this terrible thing." Well, this is true.
GRAHAM CLULEY
It's true. A lot of people do claim that they've been hacked when they haven't really.

There's been a series of— I think I've lost count the number of times a rapper, for instance, has said something homophobic or misogynistic.

And I think there've been some politicians who in the past have liked tweets by Pornhub and things like that, and then said, "Oh no, no, no, I didn't do that." Awkward.
CAROLE THERIAULT
It seems to me there's a few options here though, right?

So either there is some kind of threat going around, in which case Facebook should come clean pretty soon and go, "Whoa, this is happening." Or people are actually getting drunk, sending the messages, and then playing—
ALEX ECKELBERRY
Or—
CAROLE THERIAULT
Or—
GRAHAM CLULEY
There is another alternative.
CAROLE THERIAULT
Exactly. I think it's a hoax.
GRAHAM CLULEY
You are absolutely correct.
CAROLE THERIAULT
There was no other option.
GRAHAM CLULEY
Your warning is entirely bogus. I've fooled you. Well, I almost fooled you, apart from I didn't fool you. Because pivot, everyone. It's a pivot. It's a pivot in Smashing Security.

We're pivoting now. We're pivoting. Right? Because the whole warning is absolute nonsense.

People are spreading this message saying, "Oh my goodness, hackers are posting messages on walls.

You'll see offensive things, but it's not been sent by you and you can't see it." Facebook has now come out and said, "No, no, no, this is all a load of old cobblers." Right?

This isn't actually happening.
CAROLE THERIAULT
Okay, then what's the motivation? It's just for people to spread it? People to tell people of something fake? That's the— what's— I don't understand.
GRAHAM CLULEY
This is the whole thing, Carole. This is the whole problem with disinformation generally, right?

Is that people believe that they are being helpful to each other, that they believe, I found something out. I can help my pals. I can warn them about this as well.
CAROLE THERIAULT
I read a headline. I'm now an expert.
ALEX ECKELBERRY
How many times do we see the person posting, you know, from this point forward, all my information is copyrighted by the federal code, blah, blah, blah.

You know, this is a hoax, dude.
GRAHAM CLULEY
Yes.
ALEX ECKELBERRY
Yeah, exactly.
GRAHAM CLULEY
If Facebook uses any of my data without first giving me so many dollars, it's just, oh, for goodness' sake.

But yes, because you see Mimi, your friend Mimi, posting this message, you think, well, Mimi's lovely.
CAROLE THERIAULT
Yeah, I love Mimi.
GRAHAM CLULEY
You're right. So you just reshare her message. Maybe you type it up yourself. Maybe you go and talk about it at your online book club.

Maybe you discuss it in other places off Facebook as well and say, oh, by the way, did you know this is going on on Facebook?

And so people are spreading this left, right, center, upwards, downwards. And it's an old school hoax.

In fact, this hoax, if you just spent a couple of minutes researching it before you shared it with other people, you would have found it on Snopes, which has been debunking this particular claim since 2012.

So it's been going around for a while.
ALEX ECKELBERRY
But then you get the thing that you put the Snopes article and then they go, no, no, no, Snopes is owned by George Soros or something. So you can't win.

I just got in an argument on Facebook yesterday about somebody posted a huge picture of this tree that's 2.5 miles wide. It's a fossil and it went up 10 miles.

And it's a picture of this, it looks this giant tree. And I looked at it and I said, well, obviously you can't have a tree that goes up 10 miles. It makes no sense.

You can't have a tree that's 2.5 miles wide. So of course this is people, oh my God, when giants roamed the earth.

I'm, okay, so I do a quick Google search, find out it's some mesa in Tunisia. And then, you know, I say, guys, this is a mesa in Tunisia. I move on. Of course, how do you know?

How do you know that for sure?
GRAHAM CLULEY
Because I use Google.
ALEX ECKELBERRY
I don't know.
GRAHAM CLULEY
Have you tried this, guys? Go to google.com. Listeners, try this as well, right? Go to google.com. Other search engines are available, but on this occasion—
CAROLE THERIAULT
We'll wait while you get yours.
GRAHAM CLULEY
And I want you to Google the phrase, "Who invented blinking?" Right? Who invented blinking? Put that into Google, and you will get the following answer.

Alex, are you in front of a computer?
ALEX ECKELBERRY
Can you try that? Who invented blinking?
GRAHAM CLULEY
Who invented blinking? Oh. What does it say?
ALEX ECKELBERRY
Richard Blink. Blinking was invented in 1638 when Richard Blink tried to blink twice at the same time.
GRAHAM CLULEY
And this is an answer which Google has found on Alexa Answers for some reason. So you can't trust Google about that tree, can you? No. Maybe they're lying about it.
ALEX ECKELBERRY
No, exactly.
GRAHAM CLULEY
It's possible, isn't it?
ALEX ECKELBERRY
And also Soros is involved, I assure you.
GRAHAM CLULEY
Soros has got to be involved somehow, hasn't he? So.
CAROLE THERIAULT
Okay, but you know what? I kind of think it gives me hope for humanity. Oh really? The fact that all these people want to help other people by telling them. So the engine is working.

It's just the start of the information being shite, right? The engine of communication is working fine. We can't blame that.
ALEX ECKELBERRY
Yeah.
CAROLE THERIAULT
It's just that the information was wrong.
GRAHAM CLULEY
Yeah, but good intentions, you know, aren't always—
ALEX ECKELBERRY
What, Graham?
CAROLE THERIAULT
What, is that why you never have any?
GRAHAM CLULEY
Oh, Carole, that was funny.

I think maybe we should get a seatbelt for internet users that they have to wear, you know, or something which just prevents them from— Well, something which stops— Do you remember back in 2008, right?

This isn't just a Facebook problem, but email, as you mentioned. 2008, Google introduced a feature to Gmail called Mail Goggles. I think they got the name from beer goggles.

So, you know, the experience when you go to a bar or something and you drink too much beer and suddenly everyone becomes 3 times more attractive than they are in reality.
CAROLE THERIAULT
Are you explaining the one thing that every fucking person in the entire universe knows?
GRAHAM CLULEY
But yes, go ahead.

Now, with Mail Goggles on Gmail, if you enabled the feature, what it would do is it would ask you to complete a few simple maths problems in a limited period of time.

So say 29 plus 14 and things like that, right?

Before it would send an email and it would activate automatically late at night on weekends when they thought you were most likely to be drunk emailing your ex-girlfriend or telling your boss what you thought of him.

And maybe that was a good idea.

And maybe we should have something like that on WhatsApp and Signal and Slack and everything else, just in case people are, you know, doing things before thinking.
CAROLE THERIAULT
Well, food for thought, Graham. Food for thought.
GRAHAM CLULEY
Thank you very much. Alex, what story have you got for us this week?
ALEX ECKELBERRY
Well, we all know what ransomware is, right? And it is a plague. And there's this one particularly vile piece of ransomware called REvil.

The name is actually inspired by the Resident Evil movie series. And REvil is a ransomware as a service.

So if you're an aspiring lowlife criminal, you can contact the REvil folks and say, "Hey, can I become an affiliate?" And then REvil will cut you in for part of the profits, and then you go off and try to hack into somebody.
CAROLE THERIAULT
Software as a service.
ALEX ECKELBERRY
It is exactly that.

And the REvil folks, they even went so far as to have a blog, which they call with great irony, Happy Blog, where they post— it's literally what it's called— where they post examples of stolen data and then threaten to release the files if they don't get paid the ransom.

So you get hacked and then they post a bunch of— they almost always hack corporate networks and they'll post a picture of here, we've got this spreadsheet of all your customers or your— this spreadsheet, whatever.

And then of course that's public.

Because of this Happy Blog, some very enterprising security researchers, including people at Bleeping Computer and a few other places, discovered that REvil is claiming they have attacked Acer and are demanding a $50 million extortion.

Now, they put some leaked documents allegedly from Acer, including financial spreadsheets and bank balances and that sort of thing.

And there's kind of this weird back and forth, and I guess some security researchers can kind of figure this out, that the REvil folks have actually been enterprising and are offering a 20% discount if they got it by March 17th, which of course has already passed.

Now, it's up till March 28th to meet the demands. And after that, it goes double, $100 million. This is the biggest one we've seen from this group.

I think last year, there was one for around $30 million. This is rough.

Of course, Acer has said, in their defence, they've said there is an ongoing investigation and they're unable to comment. They haven't actually confirmed this.

To their credit, this is still an ongoing situation.
GRAHAM CLULEY
It's what we call a brown alert in the industry, isn't it? That's what they're currently experiencing.
ALEX ECKELBERRY
Exactly.
CAROLE THERIAULT
Do you think they're going to pay?
ALEX ECKELBERRY
From what I can see, there is a negotiator. There's an interlocutor.
CAROLE THERIAULT
Going, "Look, $10 million, guys."
ALEX ECKELBERRY
"Come on, $10 million." It's exactly that according to this one website, that was actually— $10 million was proposed.
CAROLE THERIAULT
Oh, really? There you go, I can be a negotiator. Anyone need a— yeah, I'm there.
ALEX ECKELBERRY
Yeah, exactly. Now, and again, we don't really know much about what's going on back and forth. So, you know, again, we shall see what happens, but it's certainly a heck of a story.

And, you know, it might have even come— we don't know this for sure, but it might have even come from this really nasty Exchange server exploit that's been going around.
CAROLE THERIAULT
Yeah, we covered it actually a few weeks ago. Exactly.
ALEX ECKELBERRY
Yeah. Oh, and so, you know, I mean, is Microsoft doing an out-of-band patch for Exchange Server? You know, if you're running Exchange Server, definitely get updated. So we don't know.

Again, there's a lot of speculation, but, you know, it really goes to show, though, there's these holes that ransomware folks go after, and including, you know, Remote Desktop Protocol, which is how a lot of people enter remote networks.

That's a bad one.

You know, again, patch your systems, disable RDP, you know, get a security expert to audit your systems and check it, because when you get this stuff, it's very bad.
GRAHAM CLULEY
Yeah. I wonder if Acer has cyber insurance?

Because the REvil gang, there was an interview done with a member of the REvil gang in the last week or so, a chap going by the name Unknown.

The guys at Recorded Future interviewed him.

And one of the things which he said was that they target organizations that have cyber insurance because they presumably think they're more likely to pay up because they've already spent money on the insurance.
CAROLE THERIAULT
Yeah, they're not personally liable or whatever. They're not going to go get tanked.
GRAHAM CLULEY
And the fascinating thing about this is that the REvil gang claim that what they actually are doing is they're hacking the insurers first to get their customer base to find out who's insured.

They then hack those who are insured, and then afterwards they hit the insurer as well. So it's quite clever and quite targeted, some of the things which they're doing right now.
CAROLE THERIAULT
And also insidious though, to the whole model of insurance, right?
ALEX ECKELBERRY
At the end of the day, whether they're targeting insured companies or not, which by the way, I would not be surprised.

Really, if you run a business and you're in IT and you're a smart person, there's some very basic things you can do to protect yourself against ransomware.

There's plenty of good advice out there, but realize that it is a real issue. It was heartbreaking.

A few years ago, I had a very close friend of mine who got hit with ransomware and he called me up and he had 3 servers. He's running an internet business.

He got hit and it was a lot of money and it's terrible when it happens. So not to be a downer, but it's just basic security. Put it in, put it in place, put it in hard.

It's not the world is coming to an end, but it's definitely when it happens, it's not something you want to have to experience.
GRAHAM CLULEY
Wise words from Alex there. Security, put it in, put it in hard. Good. Excellent.
ALEX ECKELBERRY
You know that's why they have me on Podsecurity Podcast.
GRAHAM CLULEY
Carole, what have you got for us this week?
CAROLE THERIAULT
Right, so we're talking about Sci-Hub. Have you guys ever even heard of that?
GRAHAM CLULEY
Sci-Hub? How do you spell sci? As in—
CAROLE THERIAULT
Science, S-C-I.
GRAHAM CLULEY
Oh, okay. Alright.
CAROLE THERIAULT
Okay?
GRAHAM CLULEY
No, I haven't heard of that.
CAROLE THERIAULT
Okay, perfect, perfect, perfect. This weekend, I was seeing these headlines, you know, police warn students to stay away from illegal and dangerous website Sci-Hub.

Asking IT departments to block access to Sci-Hub on networks. And I'm like, oh, this is interesting, right? So I start doing a little digging.
GRAHAM CLULEY
Yeah, what is it?
CAROLE THERIAULT
Okay, so Sci-Hub, created in 2011, and it's a series of websites that basically gives visitors free access to published scientific papers.
GRAHAM CLULEY
Oh, right.
CAROLE THERIAULT
Any scientific discipline.
GRAHAM CLULEY
So if I published a scientific paper about, I don't know, my toenails or something.
CAROLE THERIAULT
Oh yeah, sure, your toenails.
GRAHAM CLULEY
I'm just looking at what I can see in front of me, and we're not directly— they're not on the tabletop.

But anyway, you know, but then other people could look that up and read about my research.
CAROLE THERIAULT
Yeah, exactly. Now this site was created by this Kazakhstani-based computer programmer called Alexandra Elbakyan, okay?

And she was born in the mid-'80s, and no surprise, she seems to be a super strong supporter of the whole open access movement, OA, for short.

And it's basically this set of principles where research outputs are distributed free of cost and without barriers. So anyone can access it anytime.
GRAHAM CLULEY
All right.
CAROLE THERIAULT
So, okay, so before we get into it, what do you think of that as a general sense? Do you think research should just be made available? Or do you think—
ALEX ECKELBERRY
So I've actually experienced this because I'm a fiend for reading these types of things, especially during COVID you know, you're just sitting at home and you want to learn more about this.

And I certainly ran into this where I would start to Google various epidemiological studies and that sort of thing, just understand what we were dealing with.

And of course you do hit the paywalls. Now, whose economic benefit?

I don't know if the researchers are getting— I mean, if somebody at Stanford or Harvard or, you know, or even my local University of Florida here is doing some postdoctoral research on some sort virus strain, I don't think they're getting paid for that, right?

And so there's some economic interest on these aggregators of data, and but there's a value to what they do.

They manage a peer review process, they manage how people get the data disseminated, they ensure that the data is vetted, there's an editorial process.
GRAHAM CLULEY
So you—
ALEX ECKELBERRY
We have to respect that, but the actual research itself is in many cases coming out of public dollars, right? So it's a tough one.
CAROLE THERIAULT
No, no, you're exactly right. So, not everyone is a fan of this because me, in principle, I am totally a fan of this.

I think information, once vetted, should be made accessible to everyone rather than all the junk we have available, to wade through a pile of shit to get anything valuable on the internet.

And there's companies, publishing companies like Elsevier, who make their cash by providing paid access to research, exactly as you said.

So, on average, Elsevier will charge $31.50 per paper for access. Access, whereas repository outfits like Sci-Hub will offer them for free. Okay.

And Elbakyan's whole position is taxes pay for universities, universities produce research, they then pay publishing companies to publish the research, and then they have to pay to access said research and research from other universities or science labs.

And that's a big problem with someone who supports open access, because it's a very different model, isn't it? All this to say, Sci-Hub and Elsevier are not the best buddies.
GRAHAM CLULEY
Elsevier aren't going to be sponsoring our podcast anytime soon, are they?
ALEX ECKELBERRY
Yeah, I guess we just lost them.
CAROLE THERIAULT
And problem number 2 is Sci-Hub got really, really, really big, really, really fast, okay? So for context, just know that Facebook managed 6 million users in its first year. Okay.

So in 2017, 6 years after Sci-Hub had launched, it had 70 million papers represented. That's two-thirds of all published scientific research available.
GRAHAM CLULEY
They just scooped them up and made them accessible.
ALEX ECKELBERRY
Wow.
CAROLE THERIAULT
And today it's now 80% of the current available scientific papers out there. Okay. Now listen to this volume of data. Is roughly 2.5 times the size of Wikipedia.
GRAHAM CLULEY
Oh my goodness. So you can imagine why many people might want to use that site.
CAROLE THERIAULT
Well, exactly. If you're a student and you're doing some research and you need to learn about something, what better place than this?

It's a juggernaut of a site, but there is a little issue. Let me get to that in a sec. So she's basically saying, fuck you, academic publishers, right?

I don't think you should be putting a paywall here. And she also has a ginormous amount of clout because she's got a lot of articles up there.

So, I was like, how— I'm sure you're wondering the same thing. How did she scoop them all up, right? They are behind paywalls. So, let me tell you how it works.

This is based on the Scholarly Kitchen. So, let's say you want to learn about something. You may do a Google search and you would see Sci-Hub pop up somewhere.

You would click on Sci-Hub and a captcha would show up to verify that you're not a bot, of course. Ironic, but there you go.

Now Sci-Hub works with a repository called Library Genesis, or LibGen, and that is basically where all its research sits. You put a copy in, it then puts the request to LibGen.

LibGen, if it has the research you're looking for, it then sends you a copy.

However, if it does not have a copy in LibGen, then it uses multiple institutional access systems okay, to search across publisher platforms like Elsevier perhaps and others, bypassing any access control barriers, and it retrieves a copy of the item.

It delivers a copy to the user who requests it, and it stores a copy in LibGen so it's easier to serve up next time.

So effectively, it's stealing the research and making it available to all.
GRAHAM CLULEY
So these papers aren't necessarily hosted on Sci-Hub's own servers, but it will, it finds a way of giving you a link where you can access them. Is that right?
CAROLE THERIAULT
No, no, no. It downloads it, gives you a copy, right? Because you've asked for it. But it also keeps it in its LibGen. So it grows every time you search for something new.

Basically Google, for every search it can add or, you know, add or use something that it already has. And during this whole process, Sci-Hub asked for donations.

Which is how it makes its money. Bitcoins are preferred. So you can see why Elsevier are very pissed, right? And they've been pissed for a while.
GRAHAM CLULEY
So they're grabbing the credentials of maybe legitimate students and staff at a university to then use the university's own search engine.
CAROLE THERIAULT
So it's not really search engine. Every university has logins to these publishing firms, right?

So that they can access the research and they have authentication processes to go through in order to access that research.

And authorities in the US and the UK are saying that Sci-Hub uses techniques like phishing to get a hold of these legit authentication logins to get into these research papers, and then using them to scoop up the research.

And this is where it gets kind of interesting, because obviously we can all understand why Elsevier and other publishing firms are really pissed off, because it's cutting off— it's hitting their business model.

Now, of course, Elbakyan strongly denies this, right?

She says that it mostly came from exploiting libraries and university subscriptions, saying that she gained access to around 400 universities that way.

And she says also that many academics have offered in their login information. But, you know, 2.5 times the size of Wikipedia.
GRAHAM CLULEY
Well, why would anyone give their login information to Sci-Hub knowingly and consciously?
CAROLE THERIAULT
A, because you want lots of people to read your frickin' paper. Maybe. And they might be pissed off that it cost a fuckton of money to access this research normally.
GRAHAM CLULEY
Is that a metric fuckton or a regular fuckton?
CAROLE THERIAULT
Big-ass fuckton.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
So huge brouhaha ensues, and Sci-Hub end up getting sued successfully twice by US-based publishers. This happened both in 2015 and in 2017, but the site continues to operate.

Because it's in Russia, outside US jurisdiction. PayPal blackballed them as well, but now they use bitcoin. So it's kind of like the WikiLeaks of science research.

Do you think it's kind of like that? It's like we're publishing information that's not ours for the benefit of all.
GRAHAM CLULEY
But they've also allegedly, according to the UK police at least, they've also grabbed people's login credentials and passwords, and presumably they are storing them in some fashion on their servers.

And do we have any confidence that that is being done safely and securely?
CAROLE THERIAULT
Do we have that with any company, to be fair?
GRAHAM CLULEY
Yeah, but this is—
CAROLE THERIAULT
Yeah, I know, I mean, but, you know, I mean, you know. Anywho, the City of London Police late last week issued a press statement saying students stay away from the site.

IT guys at universities block access to Sci-Hub as well because A, it's an illegal site, and B, they operate in a way that is deemed dangerous.

I'd love to know what they mean by illegal site though. I mean, I think, is it just like Pirate Bay?
GRAHAM CLULEY
From the description you've given me, the website is illegally accessing, without proper authorization, the servers of universities and accessing material there.

So it doesn't have legitimate authorization to do that. So it is doing things which appear to be illegal. So there's a simple solution here.

Well, I say simple, it's not that simple, but there is a solution to this, which is two-factor authentication.

If these universities had two-factor authentication rather than simply username and password, then the username and password won't be able to be abused by Sci-Hub, as the police are alleging, because that magic 6-digit token or whatever would be changing every 30 seconds.

So the legitimate student would be able to enter it. But it would be useless for Sci-Hub, right?
CAROLE THERIAULT
And you also think if this phishing shit is going on, you—
GRAHAM CLULEY
I think phishing shit, by the way, I think that's a different name for caviar.
ALEX ECKELBERRY
Yeah.
CAROLE THERIAULT
Basically, the takeaway is whether you're pro or against open access as a concept, right? If you were a student, make sure you have a long and unique password for all your accounts.

That's just an easy no-brainer. And put on two-factor authentication if at all possible.

Two, this site is considered illegal, and I'm not sure exactly what that means for you as a visitor of those sites.

And I did try and look, but I think that means be very careful before you visit the site or share links to it.

I saw a number of articles about people saying, would it be illegal to share a link to an illegal site, right?

Even if you don't go to the site, there's a whole legal quagmire there.
GRAHAM CLULEY
Yeah, and I think the other thing that universities could do perhaps, if people are accessing this from the university campus rather than from their home, so it depends on where you are being a student, is of course you could block access to this site.
CAROLE THERIAULT
They keep repeating that, that's what you could do as the IT people is to block access to the site.

You can also go to arxiv.org, that's A-R-X-I-V dot org, that's currently the largest legal source of open access papers. So that one at least is legal.

And you know what, ask the person who wrote the paper. 9 times out of 10 they'll just say, "Oh yeah, I'm so delighted, here you go." Done.
ALEX ECKELBERRY
You know, it's actually— the point you make is very valid there.

I actually had a COVID paper that I was very curious about, about the vaccine, and I just emailed the author and I said, you know, I have some questions on this.

He's a professor at a major university. He emails me back and answers my question. So it's not like it's all ivory tower. A lot of these folks are accessible.

And, you know, a lot of these people are in this field because they want to help.
CAROLE THERIAULT
Yes, totally.
GRAHAM CLULEY
I had my first vaccine jab last week, actually. It was great. I had the Oxford AstraZeneca one. No side effects at all. I'm completely— No, it was all right, really.

Well, let's move on.
CAROLE THERIAULT
Wow. Okay, pop quiz. How do you get the highest level of privacy without sacrificing convenience? Choosing 1Password for your business, that's how.

It offers end-to-end encryption you can count on.

You get auto-lock and manual lock for the 1Password app, multifactor authentication, safe autofill on secure websites, privacy cards, and loads more.

Plus, if you switch to 1Password, you can receive its switching bundle.

It includes a subscription credit towards your current password manager, hands-on migration support, and free family accounts for every single member of your team.

Go to smashingsecurity.com/1password. And thanks to 1Password for sponsoring the show.

You know you can't do business without technology, and you also know you can't securely access technology without identity security.

Enter SailPoint, identity security for the cloud enterprise.

It enables access and protects businesses with automated, managed, and governed access in real time with AI-enhanced visibility and controls.

SailPoint lets companies run with speed, security, and scale in a cloud-critical, threat-intensive world.

Plus, it tracks usage and enforces policies for all users, apps, and data continuously. Want to learn more? I bet you do. Check out smashingsecurity.com/sailpoint.

That's smashingsecurity.com/sailpoint. And thanks to SailPoint for supporting the show.
GRAHAM CLULEY
And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
ALEX ECKELBERRY
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
CAROLE THERIAULT
Should not be.
GRAHAM CLULEY
Well, my pick of the week this week is a little bit cybersecurity-oriented, I'm afraid, but it is also quite entertaining. It's all to do with phone scammers.

Now, are you familiar with the YouTuber Mark Rober? He is a YouTube star. He's got gazillions of subscribers, including my 10-year-old son.

He's famous for making videos about obstacle courses for ninja squirrels. Filling swimming pools with jelly.

And also he did a great video a couple of weeks ago about the Perseverance Mars rover, which actually he had worked on. He'd worked on some previous Mars rover type thing.

So he knows all about the science as well. He is a social media star and does some great videos. Quite entertaining.
CAROLE THERIAULT
Are you jealous of him?
GRAHAM CLULEY
Yes, completely.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Now, one of the things he's done in the past is he has produced a glitter bomb trap.

Which he has devised himself, contains a camera inside it, and it explodes with lots of glitter, and it records people and even sprays fart smell over people who steal packages from people's doors.

So what happens is the Amazon driver comes along, he dumps something on your porch, and then a criminal comes along walking down the road, an opportunist, and thinks, oh, I'll have that.

They take it, and then he records, and these videos come out, and they're covered in glitter so the police know who they were, right? So he's done that in the past.
CAROLE THERIAULT
So he's basically a vigilante taking the law into his own hands. He's doing him fair. Glitterifying the—
ALEX ECKELBERRY
The video is schadenfreude. I've watched that video. It is total schadenfreude. It's like, yeah.
GRAHAM CLULEY
So the latest video from him, which has come out in the last week, targets not these people who steal the actual parcels, but instead it targets phone scammers.

So the people who ring up little old ladies and trick them into— well, the specific confidence trick is they ring you up, they say, "We owe you a refund for something or other," and then they trick the little old lady into believing they've been given maybe $20,000 rather than $200.
CAROLE THERIAULT
Is it always a lady, or do guys get fooled? Are they too smart?
GRAHAM CLULEY
Can happen to guys as well.
CAROLE THERIAULT
Okay, I just want to make sure. Yeah.
GRAHAM CLULEY
But it principally happens, it appears, to people who are elderly, who are particularly susceptible to this.

So the scam is, you accidentally, you believe that you've had $20,000 put into your account because you can see it on your online bank account, and the scammer has remotely accessed your computer and has changed the appearance of what's on your screen.

And then the phone scammer says, "Oh, I'm going to lose my job, this is disastrous," but we can fix this. Can you mail me back via UPS or FedEx the difference?

So please send me $19,000 or whatever it is to make up for it. Right. And people do this. People put huge amounts of money in the post.

Now, what Rober did was he intercepted with the help of some other fantastic YouTubers who fight phone scammers like Jim Browning. He intercepted some of these calls.

Told the people who were about to be scammed about what was going to happen.

And in the place of the parcel they were going to send, instead sent a parcel with a glitter bomb inside it. So it didn't have money inside, it had a glitter bomb instead. And so—
CAROLE THERIAULT
And a remote camera.
GRAHAM CLULEY
With a remote camera and GPS and everything else.
CAROLE THERIAULT
And you love it, right? You love it.
GRAHAM CLULEY
You've got to check out the video. It's quite entertaining.
CAROLE THERIAULT
You know what? Your birthday's coming up and I'm going to give you two presents.
GRAHAM CLULEY
Anyway, go and check it out. Links in the show notes. Alex, what have you got as your pick of the week?
ALEX ECKELBERRY
I love it. I love it. Well, I mean, the scams online are wicked. Unbelievable.

And I mean, you know, there was my daughter was shopping for some car or some— she was shopping for a golf cart. And, you know, there's this incredible deal on the golf cart.

Of course, you contact this person, well, they want to contact you offline, and then there's all this stuff.

And of course, you're going to end up having to send some money to somebody that you're never going to get anything for. So be careful out there.
GRAHAM CLULEY
Yeah.
ALEX ECKELBERRY
And, you know, I just got a bizarre little side note. My visage is used for a large variety of romance scams. And so I'm—
CAROLE THERIAULT
Are you kidding? Are you fucking kidding?
ALEX ECKELBERRY
Yeah, yeah. So I get— I get—
GRAHAM CLULEY
Alex, you— you— Alex, you are a good-looking— you're a good-looking fellow.
ALEX ECKELBERRY
Oh no, no, no, this is— this is bad. No, it targets a particular woman of a certain age. Let's be honest.

But I get these— I get these— I honestly— all joking— I get these heart-wrenching, heart-wrenching texts or people—
CAROLE THERIAULT
This one woman, you know, emailed me, said, I'm sorry, your phone number is included.
GRAHAM CLULEY
Oh, what? Hang on, do they do a reverse image search and find you?
ALEX ECKELBERRY
They do a reverse— they find me.

And then this one woman, she emails me, she got me, she got my Gmail address for some reason, and she goes, I'm sorry that you had to, you know, you just no longer talk to me and you've broken up with me.

And I emailed her back, I have no idea what you're talking about. Yeah, the scammer took her for something $9,000. I mean, but it happens routinely, and you bastard, Alex.
GRAHAM CLULEY
You bastard.
ALEX ECKELBERRY
I know, exactly. I actually— apparently I adopted a woman, an Indian adopt woman's child in Indonesia. So yeah, yeah, yeah, yeah. No, this is, this is, this is real.

I mean, I've got— this happens to me literally on a constant basis.
CAROLE THERIAULT
I think I would feel I'd feel phantom guilt even though it had nothing to do with me. Yeah, just for existing.
ALEX ECKELBERRY
100%. I feel—
CAROLE THERIAULT
And being you.
ALEX ECKELBERRY
I feel awful.
GRAHAM CLULEY
That's what he tells Mrs. Eckelberry. Sorry.
ALEX ECKELBERRY
Anyway, yeah, but, you know, I have to blame myself for, you know, listen, obviously I posted pictures of myself online on Facebook, so I've had to, you know, get my—
CAROLE THERIAULT
Are you nude in these?
GRAHAM CLULEY
No, in the Speedos? Is it?
ALEX ECKELBERRY
No, no, this is budgie smugglers.
CAROLE THERIAULT
No. Okay, if you're not sending romantic Fabio-like pictures of you in the, you know, Tarzan getup or something.
ALEX ECKELBERRY
Yeah, yeah, no, that was, that was definitely when I was in my 20s, and those pictures, you know, maybe it's the Garry Kasparov photo shoot in Playboy.
GRAHAM CLULEY
Maybe it's that. They're all at it. The hairy shoulders.
ALEX ECKELBERRY
Garry Kasparov had a photo shoot in Playboy?
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Yeah. He was on our show recently.
GRAHAM CLULEY
Yeah. Okay.
ALEX ECKELBERRY
Well, that's something I really didn't need to know, but thank you. So yeah, anyway, this does happen. These romance scams are out there. I don't know why we got into them.

We're talking about scams but this is something that is— I mean, you know, we could do a show on this because apparently I've become an expert.
GRAHAM CLULEY
I think we should. I think we should. Yeah, specifically, why have we done all the rest of this show? It should all have been about Alex Eckelberry, the romance scam.
CAROLE THERIAULT
Let's re-record.
ALEX ECKELBERRY
Yeah, it's humiliating. Please, please, please.
GRAHAM CLULEY
Fall in for a romance scam with Alex Eckelberry's face. Carole, what's your pick of the week?
CAROLE THERIAULT
Okay, well, mine is definitely not security related. My pick of the week is a new Netflix show that I know you've watched, Graham.

I know you know what this is, and I know, yeah, you've got some issues because it's called The One.

Yes, and it has a very similar premise to the Amazon show which I reviewed a few weeks ago, and I can't remember the name of—
GRAHAM CLULEY
Soulmates.
CAROLE THERIAULT
Soulmates, exactly. Similar to that one, but a little bit different.

So this one's love and lies kind of spiral out of control when this DNA researcher discovers a way to find the perfect love, the one true love, and then creates this bold new matchmaking service.

So that's the premise as you open, right? And the whole first episode is she's at the top of her, you know, find your number one love game.

And, you know, she's the CEO of the company.
GRAHAM CLULEY
She's Elon Musk or the CEO of the company.
CAROLE THERIAULT
Yeah, she's Elon Musk.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
But then a body's recovered from the Thames, and it's someone she knows, and the cops are sniffing around.

And you've got founders, and you got all kinds of action-packed type deception stuff. And it's— but I found it a very solid piece of entertainment, you know? Graham?
GRAHAM CLULEY
Well, I think the premise was quite fun, because I have watched this on your recommendation.

The premise was quite fun, which was imagine a world where you can sign up for a service, and it will tell you the one person you are guaranteed to fall in love with and they will fall in love with you on a biological level.
CAROLE THERIAULT
Were you hoping they would have a little questionnaire at the end or something?
GRAHAM CLULEY
No, I just, I thought, oh, that could be fun because imagine how that would change the world if that were to happen and people would get divorced and, you know, all the melancholy if your true one love got crushed by a steamroller or something.

You know, I thought, oh, this could be interesting. But what a load of old cobblers it was watching this show. I'm sorry, Carole.
CAROLE THERIAULT
I was getting so annoyed by— So it made you feel something, check.
GRAHAM CLULEY
It did.
ALEX ECKELBERRY
Annoyance?
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Well, anything, anything at this point.
GRAHAM CLULEY
I seem to remember I was halfway through episode 2 when I texted you and I said, does this get any better? Is it worth watching anymore?

And you said, oh yes, there's going to be twists and turns. And so I watched all ruddy 8 episodes. Yeah.

And I— okay, I don't want to be— I don't want to slag off your pick of the week.
CAROLE THERIAULT
Oh, well, no, you haven't done that yet. No.
GRAHAM CLULEY
But it wasn't for me. It wasn't for me. I have to say, I found some of the plotting absolutely ridiculous. And I was just—
CAROLE THERIAULT
This from a Doctor Who fan.
GRAHAM CLULEY
I spent a lot of my time just going, "That wouldn't happen." From a Doctor Who fan.
ALEX ECKELBERRY
Yeah, but Doctor Who's different. That's about time travel, which we know occurs.
CAROLE THERIAULT
You get garbage cans turned upside down coming after you. And that could happen. That could happen. The plunger is coming at you. The whisk. Oh no, not the whisk. Okay.

Anyway, I thought it was great. She has excellent clothing. If nothing else, guys, watch for the stylish, stylish, stylish Rebecca Webb. And I thought it was great.
ALEX ECKELBERRY
And Graham, can we watch it together? Look at the dresses and stuff?
CAROLE THERIAULT
It's on Netflix. It's called The One. Choose your side, Graham or Carole.
GRAHAM CLULEY
Yeah, that's all I can say. They'll quit after episode 2, I'm sure.
ALEX ECKELBERRY
Yeah, well, you know, if you're gonna throw out a movie, I'm just gonna throw out one. I'm gonna say Afterlife with Ricky Gervais is delightful.
CAROLE THERIAULT
Oh yes, I've not watched all of it. Is it good?
ALEX ECKELBERRY
Oh, it's so delightful. It's just very, very— a lot of heart. Good show.
GRAHAM CLULEY
Well, on that note, we've just about wrapped it up for this week.

Alex, I'm sure lots of our listeners would love to follow you online, maybe get into a romantic relationship with you.
CAROLE THERIAULT
Get your phone number.
ALEX ECKELBERRY
555. @AlexEckelberry on Twitter. So @AlexEckelberry. Okay.
GRAHAM CLULEY
Fantastic. And you can follow us on Twitter @SmashingSecurity, no G, Twitter allows to have G. And we're also on Reddit. Just look for the Smashing Security subreddit.

And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app.

And if you want to do something for the show, sure, you could become a patron, but you know, hey, that's going to cost some money.

Maybe just tell your friends about Smashing Security. Spread the word. That's one of the best ways in which you can help us.
CAROLE THERIAULT
But hey, listen, you already help us by listening to the show. Special thanks go out to 1Password and SailPoint, as well to all our Patreon supporters.

All these people help make this show free for all.

For additional information on any of the stories we've covered here, sponsorship details and the entire back catalog of 219 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio. Bye-bye.
ALEX ECKELBERRY
Bye.
GRAHAM CLULEY
Oh, what, you're not going to say bye, Alex?
CAROLE THERIAULT
Oh, God.
GRAHAM CLULEY
It's just a bit antisocial.
ALEX ECKELBERRY
Bye. Well, it's always hard when you're on someone else's podcast. You don't always know the rules. You kind of just—
GRAHAM CLULEY
I don't know. We're just teasing you.
ALEX ECKELBERRY
Okay, so bye-bye-bye.
GRAHAM CLULEY
Take 2.
ALEX ECKELBERRY
Take 3. Bye-bye-bye. You can see me on the internet.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Alex Eckelberry – @alexeck

Show notes:

Sponsor: 1Password

With 1Password you only ever need to memorize one password. All your other passwords and important information are protected by your Master Password, which only you know. Take the 14 day free trial now at 1password.com

Sponsor: Sailpoint

SailPoint Identity Security can help you enable your business and manage the cyber risk associated with the explosion of technology access in the cloud enterprise – ensuring each worker has the right access to do their job – no more, no less.

Gain unmatched visibility and intelligence while automating and accelerating the management of all user identities, entitlements, systems, data and cloud services.

Learn more at smashingsecurity.com/sailpoint

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
