
The US military has been caught exposing its nuclear weapons secrets, and we explore the world of nerdy miners.
All this and more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Imagine some ninjas came in to sort of commandeer the nuclear base, or someone like Bruce Willis, or who would it be? It'd be Alan Rickman, wouldn't it?
So Alan Rickman, when he was alive.
I hope he was alive.
It's not a Weekend at Bernie's situation. Jesus.
So, Smashing Security, episode 230, Flashcard Ransomware, Bitdefender, and energy pipe pilfering with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 230. My name is Graham Cluley.
I'm Carole Theriault.
And this week, Carole, we are joined by somebody who doesn't actually exist.
No, we have nobody this week for a number of different reasons, including childcare, I think, Graham.
That's right.
Yes.
And so there's just a vacant seat at our virtual table today?
Well, we'll give her a name. We'll call her Lola. We don't have enough women on this show.
All right.
I mean, I know I'm here all the time, but I mean in guests, you know?
Okay, so, well, thank you, Lola, for joining us, and maybe we'll hear some more from you later.
Oh, I'm so excited to be here! I love Carole so much. Thanks to this week's sponsors: 1Password, Deep Security, and JumpCloud. Their support helps us give you this show for free. Now, coming up on today's show, Graham, what do you got? Flash!
Aya! Is it really great?
In English? Sorry, sorry, I just didn't understand.
I'm going to be talking about, well, not Adobe Flash, but a different kind of flash.
Okay, and I'm talking about jazz cigarettes. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, a question for you. Do you want to play a game?
Do you? Oh my God.
Do you want to play a game?
Yes, I can't wait. Play us. I'd love to play a game.
Well, no, no, those are the words, Carole. That is a famous phrase from a movie from yesteryear. It's the famous line that a computer spits out at Matthew Broderick in the movie WarGames from 1983. Have you ever seen it?
I don't know if I have.
I've never seen it.
Yeah, but I'm kind of surprised I haven't.
Yeah.
I bet my husband's seen it though. He's a bit of a film buff thingy.
He would have done it. Well, in that movie, a young hacker, a teenage hacker, unwittingly accesses a US military supercomputer programmed to predict and execute nuclear war against the Soviet Union.
It's a comedy?
I don't know. I haven't seen it, Carole.
It's gotta be a comedy.
Do you think?
With Matthew Broderick? Right? How can anyone take his little face seriously?
I think you're mixing it up with Ferris Bueller. That was fun.
Yes, no, I'm not mixing it up. I know that that line is not in that movie, 'cause I've watched that movie a lot.
Well, it would be pretty dangerous, wouldn't it, if a hacker, young or otherwise, Matthew Broderick or someone else, were able to access a US military computer which had that kind of power, which was working out game plans as to how to react during the Cold War. It'd be absolutely terrifying.
You can't even tell me how they were able to access this computer in 1983.
Via an acoustic coupler, I imagine. Oh, gosh.
With a wee wee wee wee wee wee wee.
It would have been like dialling up a bulletin board.
Of course.
I mean, I haven't seen the movie, but I'm guessing that's what happened.
The land of disinformation is closer than you think.
Listeners, I'm sure 98% of our listeners have seen the movie and would be able to confirm that I'm completely correct.
Yes, let us know. Tweet us.
And tell us we're bad for not having ever seen WarGames. And have you ever seen the movie Hackers with Angelina Jolie?
Yes.
Oh, I haven't.
But not for a long time.
Sneakers with Robert Redford?
Yes.
I haven't seen that one either. I think we might have to have a movie night. Anyway, listen. That was all a movie, wasn't it, WarGames? And real nuclear weapons based in countries around the world are obviously carefully secured, with their locations often kept officially secret. Now, my understanding is some people say that the reason why the locations of where nuclear weapons are held is kept secret is not so much because they really think it will be kept secret and that Johnny Foreigner won't be able to work it out, but rather that they're worried about public reaction in those countries as to how they would feel knowing that they have nuclear weapons down the end of their street. Obviously that potentially makes you a target.
So rather, we don't want people to know that they actually have deadly missiles in their country, 'cause that's not good public awareness.
Well, I mean, some people view it rather dimly, you know? And they think, well, we don't really want those. Yeah, weird about that.
Weird. Weird that people don't like nuclear weapons though, isn't it? It is strange.
It is strange. Very strange. So that's the kind of information you wouldn't expect to be in the public domain. Now, there are, as we've mentioned sometimes before, some amazing wizards at Bellingcat. They're experts at OSINT. They're experts at finding out information which you would imagine people would want to keep secret. And they were interested as to what information might be just lying around in the public domain about nuclear weapon bases across Europe.
So what, you just slap in that search term in Google? I wouldn't know what that is. What is that?
Well, they came up with a number of them. Phrases like PAS, which stands for Protective Aircraft Shelter, and WS3, which stands for Weapons Storage and Security Systems. Words like that and vault apparently are the kind of thing which will then reveal all kinds of information. So you're wondering, well, where is this information held? Is it on the web pages? Is it on the public official web pages of these military bases?
Yes, here's the photo gallery.
Here we are. No, it's not on those at all.
It's on Google Maps.
No.
It's on Google Maps.
Well, it might be by now, but no, it's on flashcards.
Flashcards?
Do you know what flashcards are?
No.
So flashcards is a way of learning dull, boring information.
Oh no, I know that. I know that.
Oh, okay.
Yeah, yeah. I know, like flashcards to learn stuff. Yes. Sorry, I thought there was some digital term.
See, I didn't know this.
Well, yeah. You only speak one language though, right?
You tell me. I can speak dolphin as well. You tell me if I've got this wrong about how flashcards work. A flashcard is like a postcard, and on one side you ask the question, and on the other side you write the answer, and then you shuffle them up and you look at them and you have this repetition of— is that basically it?
Well, don't just go to Quora and ask the question, where are the nuclear weapons bases? But you're right, they did use a highly advanced tool known as Google to search the internet for certain phrases associated with nuclear weapons technology and bases.
Or you could have, so if you're learning a language, you'll create some flashcards for yourself with the English word, for example, for me on one side, and then maybe the Japanese word on the other side, right?
And then you can show the Japanese word to someone who speaks Japanese and you see the word that you understand and you then, and they go, "Ah-ah," or "ka-ting." Oh, I like the noises.
That's interesting 'cause I heard that Duolingo have a flashcard app. And of course—
Oh, I don't know about apps. I've never done it with apps.
Well, there are flashcard apps as well.
Right.
For people who don't wanna carry around lots of postcards, I guess.
My husband made one out of a cornflake box actually. He still has it to this day. He made it when he was about 12.
What, to learn what?
Some language. I don't know, one of the 15 languages he speaks.
Probably Elvish.
No, no, no. He's cool. Come on.
Wookiee. Okay, so there are flashcard apps out there and it turns out that soldiers and contractors, people who are working in military bases, need to know a lot of information and they need it at their, well, their sort of mental fingertips, if you can imagine mental fingertips. So they need to have it top of their brain. And the way in which they learn these things is by using flashcard apps. There's one called Cram and one called Chegg.
Right, so if you were a student, you would totally know about these, right? Well, yeah, right, right, right.
And so they just plugged in this information which they needed to know into these flashcard apps, and then along comes the Bellingcat group with a copy of Google, and they're searching, and they find themselves on public flashcards related to nuclear weapon facilities.
Wow. I was just going to ask, okay, give me a name of one of these apps and I will check it up on the App Store just to see what they're—
There's one called Cram, C-R-A-M.
Okay.
And there's Chegg with a double G, C-H-E-G-G. Yeah.
Flashcards with Cram. Okay, I'm going down to their security stuff.
All right.
Okay. No details provided. The developer will be required to provide privacy details when they submit their next app update. So there you go, interesting. And the other one was Chegg.
Chegg with two Gs, as in Cheggers.
I've heard of that, actually. Okay, yeah, it's called Homework Help. Oh, wow. Data linked to you: purchases, user content identifiers, diagnosis, contact info, search history, usage data, and other data. So, well done, guys.
So there's a fair amount of information which you reckon at least Chegg is collecting from its users. But these flashcards are of course information which people have entered into the app.
Yep.
To use as flashcards and—
And they haven't turned off the make private only to me.
Well, this is the thing.
I'm guessing, I'm guessing.
It turns out that many of these flashcard apps appear to be public by default. Yeah, so when you put the information in them... So let me give you some examples of the kind of information which people were putting into their flashcards.
It won't mean much to me, but let's just try.
So it wasn't just the names of bases, but also details of the exact shelters which had so-called hot vaults. And hot vaults are those which are likely to actually contain the nuclear weapons. So you may have a site with a number of shelters, but the hot vaults are the ones where the nukes are kept, right? They also put on the flashcards the position of security cameras.
What do you mean they put the position? They took photos?
So, no, no, no.
And someone was able to work out the position?
No, they would put on one side of the digital postcard, they would put, where are the security cameras? And on the other side, they would put, well, we've got one on the north perimeter wall, 38 metres along.
Okay.
And we have another one here. So anything which they felt they needed to know.
So these are people working there, and they need— they're going to have an exam, or they're going to be tested, and they need to know all this information.
They feel they need to know the information in order to do their job properly. Can I tell you some more things they put on these flashcards?
Yes.
The frequency of security patrols around the vaults. The secret words that guards could use if they were being threatened or under duress. Imagine some ninjas came in to sort of commandeer the nuclear base, or someone, who would it be? It'd be Alan Rickman, wouldn't it? So Alan Rickman coming in.
When he was alive, I hope.
When he was alive.
It's not a Weekend at Bernie's situation. Jesus.
So if they've got a gun against a guard's head, right? The guard, if he has to radio into HQ, if he uses a word like pom-pomoose or something like that, that would indicate that he was being threatened, right? And something was going down.
Yeah, yeah, yeah.
But this way, the baddies know what those words are.
Don't they do this in adult playtime as well?
I'm not sure it's the same as safe words, Carole. Okay, you mean when people are nailing parts of their partner's anatomy to a plank of wood?
I wouldn't know. Carry on.
If you just say an ouch, that's not good enough. You have to say pom-pomoose. And also what to yell at intruders in their local language to make them stop. Because it may be a US service.
I understand though. I get it.
I get it.
They are trying to learn all this stuff and they're thinking, I can't cram this in my head. I need help. Why use pen and paper, right?
Yeah.
I've got this computer, this supercomputer in my hand. Yeah. And I've got it all the time with me. Yep.
So Bellingcat were able to discover cards used by military personnel serving at all 6 European military bases reported to store nuclear devices.
Oh, fuck. You know what? I really feel for the kids though that are being absolutely bombed out right now.
It's not kids, bro. They're not being protected by kids.
What? I don't mean children. There aren't that many toddlers. I just mean younger than me, probably.
Yeah.
Okay.
Younger than you. Okay. That's a much bigger age range, yes. So some of these personnel were storing huge amounts of information. One guy noted down over 100 things he had to know regarding his job, including the location of modems that connected vaults to the monitoring facility. Not only where the security cameras were, but their line of sight. Yeah. You know, which way they were pointing and how passwords should be chosen and usernames and some of the rules regarding that as well. Some of these had been available and publicly visible online, going back as far as 2013.
Jesus. So this is down to bosses, isn't it down to the head honcho going, "You better know every single thing about this facility. I mean the camera light. I mean what you see. I mean how many people in the room every single time." Or whatever, whatever, whatever, on and on. So they're saying, "Fuck, fuck, fuck, fuck." And then they, yeah. So who is really at fault here?
So your solution, Carole, is that the sergeant majors or whoever should just be much nicer and fluffier. And just say, "Oh, there, there, don't worry about it. Nuclear weapons. Give them a call. You don't have to learn too much."
And say, don't store any of this shit on your phone anywhere. I would think that had been around for a while. That's what I think is most shocking about the story. No?
I'm sure they're making that point now. But the thing is, even when people are told not to do things for the sheer convenience, if they are cramming for a test or if they're worried that—
No, no, no. If you're working for nuclear weapons and say, do not put any fucking thing on your phone, you wouldn't. Unless you're a dweebo, I think.
Well, in the past, Bellingcat have, for instance, they've found out where security personnel were running around the base, the perimeter of bases, haven't they? They've looked at things it was Strava, which they were able to find people's public routes. There's all kinds of information. There was even that beer app as well. I think we've spoken about this before. Favorite beers which military personnel were drinking.
It's kind of scary though, right? All these people are walking around with all that information as well. Yes.
And then have posted it publicly on the internet. And some of them—
No, they didn't mean to. They didn't mean to. Come on. You don't think anyone did this on purpose?
Well, I suppose.
No, I don't think so.
Right?
And none of them are experts in cybersecurity. So get off, you know, let's be a little gentle here.
Okay. Yeah, yeah. I'll think much more kindly as the nuclear weapon begins to—
You won't have time to think if that happens. Don't worry, baby.
Now, some of these flashcards had usernames associated with them, some of which were the full names of the individuals who created them. Some even had avatars which were the same image these people were using on LinkedIn. So again, there's all kinds.
I wonder how many stupid things I have somewhere that are defaulted to public and I have no idea that I don't even play with anymore, right? From the olden days, I have no idea. I wouldn't, how would one go about checking that? You don't even know.
Carole, I wasn't planning to reveal this for another few months or so, but I've been working on a project. For the last couple of years, spotlighting you and your online activity.
Stalking me? You mean?
Collecting information.
Right. Great. Everyone heard that. Good.
Anyway, Lola, what have you got for us this week?
Let's just go to Carole. She's so smart.
Okay. Carole, what have you got for us this week?
Okay, Graham, first I need your help. I need you to describe to me what an English nerd is.
An English nerd?
If I say the word nerd, what does that mean to you?
Someone who's maybe really keenly enthusiastic about a particular niche topic. You could be a sort of sci-fi nerd.
Socks.
Socks?
Yeah.
Well, I think what you're thinking about there is a fetish, not a— But yes, you know, it would be you could be into science fiction and fantasy, or you could be into a Game of Thrones nerd, or you could be into, oh, I don't know, trainspotting or something. That would all kind of—
Right, into something is your definition?
Yes, I mean, fairly harmless, I would say, you know.
Okay, what about a geek? Oh well, nerd and geek, what's the difference?
I think there is a difference. I think geeks tend to be more into technology, so in a way, they could almost be a subset of nerd. I think there's some overlap. There's a bit of a Venn diagram going on.
Venn diagram. Love that. Okay, okay, cool. So that's interesting. And let's put that in our back pocket for this story because we are heading to a Tipton industrial estate. Now, this is about 30 minutes northwest of Birmingham in the UK. And this particular industrial estate is called Great Bridge. Actually, why don't we go to Great Bridge Industrial Estate, Graham? Why don't you come along with me?
Am I allowed to under lockdown? Is this allowed? Okay, here I am. Okay, I'm here. I'm at a Street View thing.
Yeah.
There's an articulated lorry.
Right. You've got to imagine it's kind of just lots of buildings, lots of trucks, a lot of cars, a lot of working people.
It's actually on a street with some fairly ordinary looking houses. Yeah, it's, you know, it's not a wasteland, is it?
No, it's not a wasteland.
No, despite being near Birmingham. Whoa, sorry, Brummie friends. Okay, so, so now you've got our scene, right? This is the scene. Right.
And one anonymous owner of a unit nearby said there were 3 men who looked a bit nerdy and dodgy, had been coming to this empty unit on and off for around 8 months.
Is it possible to look nerdy and dodgy?
So what could they be doing in there? These aren't kids as far as we know, so they're going into a lock-off. And according to the police tip-off, it was being used as a jazz cigarette farm.
Oh, the old Mary Jane.
The old Mary Jane. Hmm. So the West Midlands cops, being pretty modern, sent over a drone.
Oh, that's so cool.
And guess what? The drone records a sizable heat source from the unit. And that ties totally with growing laganja indoors because you need to use things like heat lamps, which produce light and heat.
It could just be bad air conditioning or something, couldn't it?
It could be. I'm imagining if it was 22 degrees, they probably wouldn't have done anything with it. But maybe if it was belting it out.
Right. Okay.
So based on the information they were able to collect, the police organized a forced entry event.
A forced entry event.
That's— yeah, that's what the Birmingham Mail called it. A forced entry event. So this was for the 18th of May.
Why don't they just call it a raid?
It's a raid, right?
They call it a forced entry.
It's a raid. It's basically where they show up unannounced and bust in like Arnie.
That's so typical of the police. We initiated a forced entry event. No, we didn't. We went round with a sledgehammer.
Yeah.
Yeah.
Not a sledgehammer. One of those doorbuster things.
Now, of course, they're going in and they're expecting to find a unit full of Mary Jane. Maybe 3 stoned-out nerds in the corner. In a heap. But instead they find this. Now let me see if I can share this with you.
Oh, look at this. So what we've got here is racks and racks of— oh, racks and racks of computing stuff.
Those incredible things. Yeah.
With some big heavy fans attached to them. Probably to try and keep them cool.
Look at those. Doesn't it look like a sci-fi program? The ginormous extractor, the— what are they called, those extractor fan tubes? Huge, huge tubes going out.
Well, I think I know what this is, Carole.
Oh, have you figured it out?
I think I have. I think this is a cryptocurrency mining rig, isn't it?
Exactly. So it's currently in the press, suspected illegal crypto mining rig, right? And it's made up of about 100 computer units. Can you imagine the noise from that?
Hang on, how is this illegal? Why is it illegal to have a cryptocurrency mining rig?
Well, it's not illegal to have a crypto mining rig. It's illegal to steal someone else's electricity to do it. This is not their unit. They actually dug underground to connect themselves to the energy pipe.
The energy pipe.
The energy pipe.
They didn't just use an extension lead from next door and trail it out the window into their unit.
So they dug down. They dug down to get access to electricity. And now, according to MailOnline, they say that they probably stole around £16,000 worth of electricity to keep this running.
Because isn't this the problem with crypto mining? Is that you spend more money running your mining rig than you manage to make from actually mining the cryptocurrency because of the costs of the electricity.
Right.
Yeah.
Let's explain that actually. So the mining process requires computers to complete rapid calculations to solve the same puzzle. So all the computers are competing to solve the same puzzle, and it always takes 10 minutes. And the winner that managed to do the puzzle is rewarded a tiny amount of digital bitcoin, and then a new puzzle's generated and the whole process repeats every 10 minutes. Now, the more people mining, the harder the puzzle gets, which means it takes more electricity to run the calculations. So Graham, you're absolutely right. In countries like ours and the UK, you ain't gonna make a huge chunk of change if you're paying your leccy bill. But apparently most of the mining, according to Statista, is done out of China. 65% is done there, whereas apparently only about 7% is done in the US and Russia. Anyway, so they were illegally snarfling leccy without paying for it to the tune of $16K, if you believe the MailOnline.
Yeah.
The Beeb did say that inquiries of the local electricity distribution network, Western Power Distribution, found an illegal connection to the electricity supply. But I'll tell you what I think is super weird by this picture. Now, I'm not a pot farmer. I've never been a pot farmer. I've never even visited a pot farm. But it seems to me from the pic that there's a heck of a lot of ventilation ducts.
There are. It's huge. Yes. Yes. They do.
And the idea is, I thought if you're farming something indoors like pot, you want the heat. You don't extract the heat. Right. It's kind of like whacking up the heat in your house and keeping the windows and doors open all the time.
Okay.
Yeah.
You want it to be a greenhouse, I imagine. Yeah.
And you have heat lamps to provide light and heat. So I'm not sure how they thought it would be a pot thing. I mean, what was the stink of pot around?
Yeah, I imagine there's still— I mean, even though they have all the ventilation there, I imagine it was still quite warm in there with that many computers whirring away.
Graham, I just had a serious, serious brain fart. If you lived in a place, right, where farming pot was legal, couldn't— and electricity was cheap— couldn't you combine your efforts, have the crypto mining process going on generating tons of heat and then smoosh that heat over to your pot plants so they can get all— Do you see what I'm saying here? Wouldn't it be great?
Yes, I've just trademarked it. Thank you for that suggestion. That's genius.
There you go. Everyone can have that for free because I'm a citizen of the world.
That's incredible. Chums, if you remember one thing from today's episode, it should be to check out the leading cloud directory platform, JumpCloud. JumpCloud's directory platform makes it easier to solve today's IT challenges by unifying device and user management through a single pane of glass. With JumpCloud securely managing your users and their devices, doing common things like onboarding and offboarding remote workers is easy. Try JumpCloud for free today at smashingsecurity.com/jumpcloud and help your organization move to a modern, secure, hybrid work model.
Deep Secure Threat Removal is a very cool product which takes incoming poisoned Word documents, booby-trapped PowerPoint slides, and the like, and creates brand new files with just the good stuff and none of the bad. It is a neat way of handling brand new threats coming into organizations via web, email, or file sharing, and it can run along your existing antivirus. Threat Removal gives you the good stuff by delivering files that are 100% threat-free, fully functional, and fully revisable. Adding Threat Removal to your defense can help you reduce administrative costs as it doesn't require signature updates or security patches and reduces the time your security team spends on false positives and remediation. Visit deep-secure.com/smashingsecurity. That's deepsecure with a hyphen dot com smashing security for more information and to set up your free trial today. And deep thanks to Deep Secure for sponsoring the show.
Around 80% of business data breaches result from weak or reused passwords. Using 1Password can close the gaps in your company's security, combat shadow IT, and help your employees stay both productive and secure wherever they are. 1Password makes the secure thing to do the easiest thing to do. Quickly deploy 1Password to a single team, multiple teams, or your entire enterprise.
Right? They're massive.
Provision employees using trusted systems, respond rapidly to domain breach reports, and offer every business user a free 1Password Families account for work-from-home security. Find out more and try 1Password for free for 14 days at 1Password.com. And thanks to 1Password for supporting the show. And welcome back, and you join us for our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week.
Thanks, Lola. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
Better not be.
Now, my pick of the week this week is not security related. My pick of the week this week is to do with magic.
You didn't even choose a pick of the week for me that I would like.
I'm sorry.
I'm just, I'm here on my own.
Okay.
Magic.
Oh no, you'll like this.
Oh, I will?
Yes.
Okay, okay, okay.
This is about— well, I would hope you would. This is about an extraordinary magician called David Berglas. He's still alive. He's 94 years old. Good for him. And he invented—
He's made it.
He has made it. And he invented an incredible card trick, which has become known as the Amazing Berglas Effect. Now, this particular trick which he does is that there's a type of magic trick called any card, any number, right? But he does it in an incredible way. It works like this. He has a pack of cards which he doesn't touch. He gets someone in the audience to say a card. Say a card, any card you like. Are you sure you want that card? You choose whatever card.
Okay, Queen of Hearts. Queen of Hearts.
Then he goes to someone else, like Lola. Hey Lola, say a number between 1 and 52.
12.
Thank you, Lola. So we've got the Queen of Hearts, and we've got the 12. And then somebody picks up the pack of cards, not him, he hasn't touched the cards. And they take each card from the top of the pack one by one, and they turn it over face up, going 1, 2, 3, 4, blah blah blah. They get to number 12. They turn over number 12. And what card is it?
I don't know.
It's the Queen of Flippin' Hearts.
Of course it is. And is that because people are in on it?
No, that's the thing, Carole. There are no stooges.
Okay, but it's a trick. It's a trick.
It's more than a trick. It's an incredible card trick.
Okay, it's an incredible card trick. But the key word here is trick.
Well, of course.
Does he tell us what it is?
No, he does not. And he never has. He's never explained it. And other magicians have been spending the last 50-odd years scratching their heads, trying to work out how this is done. There are variations on the trick, but no one else seems to quite do it without rigging the cards or touching the cards.
It's called a trick for a reason.
It is called a trick. Now, that trick— Okay, so there are ways of doing it without rigging the cards, right?
Okay.
If you had Derren Brown-style mental skills to influence people—
What, like a psychological abuser?
If you were able to influence the people in the audience to saying a particular number or choosing a particular card, then that would go some way towards doing the trick, right?
Well, the whole way if you were really good at it.
You'd have to be really good at it.
You're like, "Oh, a dozen eggs. Oh, look, a dozen doughnuts. Give me a number." 12.
Carole, what if the pack of cards is also shuffled by somebody else?
Okay.
Right. Now I think you're really impressed. Now, there's a great article about this in The New York Times, all about the Berglas effect, where they went and interviewed David Berglas, who is living in London these days. And an interesting chap he seems to be as well.
He's 94 now though, right?
He's 94 now, yeah. But there are videos of him online, and I'm going to also link in the show notes to a video where you see him doing the trick. I think it's actually a school. He's— I think it's like a fundraiser for a school event where he's doing it. He's come out of retirement. He's been retired for 20-odd years. He comes out of retirement and he does this trick and other tricks as well. And this particular video is commentated by other magicians who are just sitting there in awe on an hour of watching David Berglas going, "This is incredible." That's because they want—
They want the secret. Maybe he's saying, you know, they have to stand in awe because maybe they want to inherit all his tricks.
And so, they're sitting there 'cause it's nightfall, and they're like, "Wow, he's amazing!" Well, the thing is, normally in the magic community, magicians do quite often share with others details of how they do their tricks. And there's plenty of YouTube videos showing other ways to do this particular trick. But no one does it quite like David Berglas, because no one can work out quite how he does it. So that is my pick of the week.
Down and out.
Lola, have you got a pick of the week?
I'll just pass on to Carole, 'cause she's so great.
Okay, Carole. Maybe you can pick up the tab here.
So my pick of the week is, surprise, surprise, surprise, a podcast.
Oh, lovely.
You know it, Graham, 'cause I got you hooked, I hope, called West Cork.
Oh, yes.
By Yarn FM. Now, I'll give everyone the premise first, right? And then we can discuss it. Okay, so 1996. 1996, French film producer Sophie Toscan du Plantier is found dead near her holiday home in Ireland, near Cork. There are no witnesses and no known motive, but police suspect one man in the community, but they can't make the charge stick. And you'd think that people in that situation would just leave town. Because everyone thinks you're a murderer. Yeah, yeah, suspect. But he refuses to leave. So the documentary has been made by Sam Bungey. He's a Guardian, Daily Beast journalist, and his wife, TV documentary maker Jennifer Ford. And it was published in 2018 but only on Audible, but earlier this year it was made freely available to everybody on iTunes and Spotify. So Graham, where are you? I finished it this morning.
Have you?
14 episodes.
Yeah, I have just finished episode 7.
Right. Okay. And what are you thinking so far? What makes this interesting, if at all?
Well, it was a bit of a slow burner for me, to be honest. I think I had to listen to probably two or maybe three episodes before I was hooked.
Yep.
But once that had happened—
As soon as you meet the suspect.
Well, this is the thing, because this chap, as you mentioned, who stayed in West Cork despite the murder twenty-five-odd years ago, he participates in the podcast. And you're listening to him, and how can I put this? He's not very likeable.
Right?
You're listening and you're thinking, I'm trying to keep an open mind here, but I'm kind of thinking it's kind of plausible you might have done it, mate.
Yeah. It makes you realise though, if ever you're in a court of law and you've got jurors that are making the decision for you, be likeable.
Yes.
Because it really does impact your side. So, I feel very similar to this as I did Weiner Gate and Staircase, where you had both utterly delicious documentaries, listeners, but where the key protagonist is also the person who is the commentator or they participate in the documentary. Yeah, but they're also the key—
Yeah, it's almost central to the whole documentary. Yes, both of those were great.
The main dick of the story, if you will.
Now, now.
Yeah, that was for Weiner.
Because I thought that with this particular chap, it seems like he almost craves the— although he complains constantly, you know, "Nobody likes me," and all the rest of it, he kind of can't resist it, can he? He likes the notoriety, I think. He likes the attention.
I think I can say this. I'll say this, and then you tell me if I have to take it out or not. But one thing I think I can give away, because it's given away quite early in the pod, is that he is also the main journalist in the area covering the murder story locally. And he is basically meeting with the cops and having interviews, and then he's reporting on that, but he's never declaring that he is actually being interviewed by the cops. Freaky. That's what got me hooked with that, when I was, oh, this is now super interesting.
Imagine if Elon Musk had been killed in some bizarre ritual sacrifice thing.
You'd cry for days.
And no, I would not. And then Rory Cellan-Jones was reporting on it for the BBC, and then it emerges that Rory had been hanging around with him or had some sort of interest in Elon Musk, maybe researching his new book. And it's kind of, oh, interesting. But of course, Rory's really likable. I don't want to suggest that.
It's like the cop saying to Rory, hey, we think you did it. And then he's reporting on it going, you won't believe it.
They found a suspect.
It's crazy. Anyway, really fascinating. They're apparently making three movies of this. Three different houses are making movies of this, and some might be already published, some are soon to be published.
Yeah, I heard there's a Netflix show about to come out.
Yeah, there's two more. Anyway, so I don't know, I quite like it, and I like the pacing of it a lot as well, and I think he's quite an interesting character. So it's called West Cork by Yarn FM, and you can find it wherever you get your good podcasts, or maybe just on Apple and Spotify.
It's not a great name for a podcast, or is it?
I remember it. There's many I don't remember.
You don't? Yeah, but you don't see the name and, you know, you know.
Yeah, but there's so many like death, you know, I don't know. I like it.
I like it. Okay, all right, excellent. Well, that just about wraps up this very special show. Lola, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
Just listen to Sticky Pickles.
And you can follow us on Twitter @SmashingSecurity, no G, Twitter won't allow us to have a G, and we're also up on Reddit as well. Don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.
And huge thank you to this week's episode sponsors, 1Password, JumpCloud, and Deep Secure, and to our wonderful Patreon community. It's thanks to all of them this show is free. For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 229 episodes, check out smashingsecurity.com.
Until next time, cheerio, bye-bye, bye! Oh, nicely done, Lola. Hey, that wasn't too painful for you, I hope. She checked out. Oh, she's probably drunk already. She's probably on the jazz cigarettes. She got excited when I told my story. Hello, Carole Theriault here from Smashing Security. More enchanting news for you. So, wanna know how many reviews we've received worldwide to date? According to Chartable, we have received a whopping 586 ratings. Oh!
Hosts:
- Graham Cluley
- Carole Theriault
Show notes:
- WarGames (1983 movie starring Matthew Broderick) — Wikipedia.
- Cram: Create and Share Online Flashcards.
- Chegg flashcards.
- US Soldiers Expose Nuclear Weapons Secrets Via Flashcard Apps — Bellingcat.
- 'Three nerds' linked to massive Bitcoin mine found in Sandwell warehouse — Birmingham Mail.
- Sandwell Bitcoin mine found stealing electricity — BBC News.
- The Berglas Effect: Magic's Best Card Trick — The New York Times.
- David Berglas and the Legendary Berglas Effect — YouTube.
- West Cork podcast — Acast.