
How to find your match on the Bumble dating app, convicted criminals make money out of cryptocurrency, and there are concerns about data in Afghanistan.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
You're not willing to take a journey across town to shag, then—
Wow. It's an equation, isn't it? Right? You look at their picture and you think—
I'm gonna get 2 minutes of joy.
They're 5.2 miles away, whereas this one is 3.7 miles away. Are they significantly hotter to justify the extra distance? Seriously?
Well, remember, Carole, you may not have a lot of blood in your brain when you're thinking about this.
Smashing Security, episode 241, phishing, dating apps, and crypto rewards for criminals with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 241. My name's Graham Cluley.
241. And I'm Carole Theriault.
And this week, we're joined by an oldie but a goldie. It's Maria Varmazis.
Hi.
Hi, Maria.
Hi.
Actually, not as old as either of us, is she?
Getting older every day.
Maria, host of Sticky Pickles, and, oh, maybe you've heard of it, often guest host of Smashing Security. Maria, how the heck are you? Haven't talked to you in, well, at least weeks and weeks.
I'm relaxed from a nice vacation and have no idea what's going on in the broader world, so here I am jumping back in.
You went on vacation? Where'd you go, down the end of your garden?
Yeah, no, I went about an hour north of myself to Maine. Yeah, which feels like a world away even though it's a very quick drive. So it was very nice and enjoyed a whole week by the ocean. It was lovely.
Oh yeah, the world of security has not gone on vacation, has it?
It hasn't. But first, let's thank this week's sponsors, privacy.com and 1Password. It's their support that helps us give you this show for free. Now coming up on today's show, Graham, what do you got?
I've got a very important question, which is this: what is the flipping point of dating apps?
To have sex, I think. Maria, what about you?
Oh, me the question or my story?
What's your story?
My story is along the lines of dating out. No, it's not. It's about biometric data and the Taliban.
And my story's about a wacky cryptocurrency snafu brought to us by a Patreon supporter who I'm gonna call the Chubster. All this and much more coming up on this episode of Smashing Security. The Chubster!
I was not—
I wasn't ready for that. I did a total spit take. There's coffee everywhere.
Oh God. Sorry. We had spilt tea last week.
This week.
Anyway, right.
I miss Freya so much.
Now, chums, chums.
You have to wait.
Are you alright there?
Okay, I'm gonna mute my—
Breathe.
Okay, I'm good.
Do you know what chubster means? You know, it's a euphemism.
I wanted to anonymize, pseudo-anonymize the person, but I wanted them to recognize that I knew who they were, that I knew what— yeah, so we all understand each other in a private sort of way.
I'm good, I'm great. This is really great.
Welcome back, Maria.
Dating, dating apps, that's what I want to talk about. Dating apps, we've talked about them before. I think we may have even admitted, some of us, that we might have met our partners online.
I did.
Was it IRC or ICQ or something?
No, not ICQ. In my case, it was OKCupid. Yeah, that's where I met my husband.
Yeah, I didn't. I met mine the old-fashioned way.
You didn't go to Wookiees R Us or something like that?
Yes, exactly. I went to Planet Wookiee.
Well, you know, these dating apps, especially under lockdown, you know, that's the way you're going to meet the ladies or the gents or the small furry creatures from Alpha Centauri, whatever it is that you fancy, because you're probably not going down bars as much. You're not going to— mind you, I've never been to— would I go to a bar ever, or a pub? But you know, you're not going to your chess club.
Coffee house.
Yes, whatever it is.
You know, Craig doesn't leave the house and do anything normal.
Oh, you're not— yeah, exactly, you're not doing that as much. Now, have you heard of a dating app called Bumble?
Yeah, I have. Yes.
It's an interesting name for a dating app, isn't it? Bumble. I mean, it's like— It's not Bum Ball. We've sort of covered— You've covered both sides of the equation there, haven't you?
Bumble. Jeez.
I was thinking Bumblebee.
Exactly.
Bum Ball.
Yeah.
Oh, Bumblebee.
Bum Ball Bee.
So, one of the things that the Bumble dating app, and I imagine other dating apps do as well, is they tell you how far away you are from your potential date. So you look someone up and it says, ooh, they're 13 miles away.
1 meter away!
They're outside your window! Watching you pee!
I find that so creepy. Creepy! Holy moly.
They're just looking at you through the ceiling tiles at the moment.
It's Ceiling Cat!
Ceiling Cat knows what you've been up to. Bringing that meme back.
Oh, they just give you, they give you 2 minutes away or 2 miles away, something like that?
Yeah, exactly. They'll say 2 miles away or 3 miles away.
All right. In any direction. So you have to run in circles to find them.
Right, exactly. So all you can think is a circle. Now, of course it is possible that you might be on some sort of, maybe you're on a pier or something which is a bit of a jetty going out into the sea, and then you think, well, they're probably not in a boat, and you might be able to work out roughly where they are. But most of the time, that is not the case.
They're in an aeroplane!
But I think, yes, they're 3 miles away above you at the moment. Oh, they're going to look closer very quickly.
And now they're gone.
And now it's splat. So, I'm trying to be serious here, guys. So it's obviously a good thing that dating apps don't tell you precisely where somebody is, right? Because that could be used for stalking. Or maybe, you know, somebody uses a dating app who's a business rival, or maybe you're a spy and you're trying to track somebody. So you don't want your dating app giving out your precise location.
No. Well, I think by default it shouldn't do any of that.
But anyway, no, they shouldn't.
Uh-oh.
But maybe they're still leaking enough information.
What happened, Graham?
What did you do?
Not me. Not me. I'm not a user of Bumble. But a chap called Robert Heaton, who is a software engineer at Stripe, the payments company, he found a problem with Bumble. And Bumble only tells you oh, they're 3 miles away, right? They're 4 miles away. And what you're able to do is you're able to use trilateration.
Hmm.
In order to find out their location. Now you're wondering what is trilateration?
No, I'm guessing it's 3 points, right?
Well, we all know about triangulation, don't we? Because you see that all the time on TV.
Yeah.
Trilateration is kind of similar. So what he was able to find, and this was a problem as well with Tinder a while back, but they were able to fix it, is that if a dating app is too specific about the distance, if they say something oh, it's 3.56 miles away from you, then if you had a number of different dating profiles located in different places, then you'd all be able to look at that particular person, find the distance, and then go choo choo choo with your three lines and work out where they were, right?
Yeah, yeah, yeah.
So you don't want a precise distance. And so for that reason, dating apps hopefully normally round the distance instead. Okay. So if you use Bumble, it will round the distance. So if it's, for instance, 3.3 miles or 3.32 miles, rather than being really precise like that, it will actually say 3 miles.
Mm-hmm.
Okay. Instead. And that means that if you use trilateration, then you'll only be able to locate them within about a mile by mile square, which probably is vague enough.
Is this just for the lazy? I mean, literally, what's wrong with just the town or the city name? Are you thinking, oh, they're all the way across town, that's annoying, forget it? They have to be—
Can't you just meet up?
I mean, yeah, I think the thing is this, right? There are some dating apps which offer romantic dates, and there are other dating apps which might be for hooking up.
Oh, right.
If you're all hot and horny, you're not willing to take a journey across town to shag, then—
Wow.
It's an equation, isn't it? Right?
You look at their picture and you think, I'm going to get 2 minutes of joy.
So, yes, they tell you how far away somebody is.
They're 5.2 miles away, whereas this one is 3.7 miles away. Are they significantly hotter to justify the extra distance? Seriously?
Well, remember, Carole, you may not have a lot of blood in your brain when you're thinking about this at that moment. So doing that kind of math in your head might not be successful.
Now, obviously it would not be a good thing if they said to you not only how far away they were, but that they were on the corner of, you know, Marcham Street and Jubilee Close. If they said something like that, that would be a bit bad. So I think— And also there are dating apps. Is it Grindr and—
Grindr, actually, is how it's pronounced.
Grindr. Grindr. So you might want someone who's within 50 metres or something, mightn't you? I don't know. You might do, right?
You might turn around and be engaged. Exactly, exactly.
Be engaged.
So imagine you're trying to find out someone's real location, right? And the dating app is rounding the number. What you can do, according to Robert Heaton, is you can use the API to slightly shift the location by 0.01 degrees of latitude or longitude on every occasion. So you've got these 3 profiles, right, for your 3 lines. And what you do is you move them slightly further out or adjust one ever so slightly. And at some point, the distance is going to flip from being 4 miles away to suddenly it's now 5 miles away, and you only just went a very small distance. Do you see what I mean?
Yes. Yeah, yes.
You're pinpointing the exact location by just sniffing around, waiting for everything.
Exactly, because that point where you go from 4 miles to 5 miles, that's probably 4.5 miles distance.
Tell you what, listeners, if you're in the dating sphere and someone admits to doing this to you, can you run away?
Oh yeah, that's a red flag if I've ever heard one.
What a humongous red flag, right?
I trilateralled you. No, wait, tri—
Trilateralized you.
Trilateralized you. And that's how much I'm attracted to you.
So Robert Heaton did this.
You're worth the trilateralization.
He did this with a few profiles, right? Where he wrote a little routine and he was using the Bumble API to slightly change his location, and he was expecting it to change at the 3.5. That would be the flipping point, right? That's why I'm talking about the flipping point of dating apps.
Yeah, what is the—
What is the point of this?
Well, he thought it would be at 3.5. He thought at 3.5 it would then turn to 4, but it didn't. What happened was it went all the way up to 3.99999 and then became 4. So Bumble, it turned out, was actually rounding down. So whatever the number was, even if it was 3.9 miles, it would round down to 3, and at 4 it then became 4 until it was 5.
Well, of course it did, because they thought, oh my God, there's more fish in a 4-mile radius than there are in a 3-mile radius.
So let's make it sound like they're closer than they are.
Yeah, it's the marketing thing. That's interesting.
Oh yeah, that's the— math doesn't come into play when we talk about marketing. You start fudging stuff all left and right.
Right. Okay, cool. And so he found that he was able to precisely locate individuals, not because he was looking for dates or something like that, but he thought this would be useful for snooping and surveillance. He also found there was a separate bug he found where it was possible— normally, if you want to swipe yes on people and sort of say yes, there's a match, or someone who swiped yes on you, normally you have to pay a $1.99 fee to the app. And he found that it was possible to bypass that as well.
Oh well, yeah.
So another kind of useful—
Sure, they fixed that one immediately. Yeah, that one, well, you can cheat us out of our money and yeah, we're gonna fix that. So, but that's really scary though in terms of someone being a bit of a psycho and taking advantage of this. So did they fix it?
Yes, he did. He was good, man. He reported it to them via HackerOne, yeah, bug bounty initiative. Sophos. He's got $2,000 as a result. The bug was fixed within 72 hours of reporting, which is a good happy ending, I think, which is what you want if you're dating, I suppose. But I think it's an interesting thing because clearly they designed it with the thought that we don't want to be precise about location, but there was enough information in there if the API was abused to actually find out people's location really, really specifically.
Sometimes people don't think about how this stuff can be used maliciously, but don't put it past somebody who's got stalkery tendencies to put in the work, because they will. And like I said, even if it's not romantic, it might be a business rival. It could be anything, you know. Business rival, that sounds like a meet cute for a rom-com. That's like, we were business rivals and I was stalking her on Bumble, and then ends up we went on a date and we matched and now we're in love, or something.
I don't know, ever the romantic, Maria.
Except I'm a crazy stalker and that's terrible.
Please don't fall in love with me. Anyway, yes.
Maria, what's your story for us this week?
Well, mine is also a really upbeat and uplifting story. It's about the Taliban.
So are they on a dating app at all? Can you choose to date the Taliban?
I don't even want to touch that.
No, don't even laugh.
It's terrible. Yeah, what?
Yeah, yeah, just—
Yeah, no, no, no, no. This story is about— I have been reading all the headlines I can find about the U.S. withdrawal from Afghanistan and the large amount of equipment that has been left behind and has now fallen into Taliban hands. So there are a lot of competing stories, and there's a lot of, we left this much behind, no we didn't, yes we did, kind of how much did the U.S. leave behind, how much is actually accessible to the Taliban? It's still really unclear right now. There's the hypotheticals of $83 billion, and then there's people saying, no, that's not accurate, that's how much we paid that's not what it's worth, whatever. We do know that there's quite a bit of tech that the Taliban now has its hands on that was used by US forces and US allies over the last 20 years. And one piece of kit that has been getting a lot of headline news is the databases of biometric data that were gathered over the years by US forces and allies.
This is my worst nightmare.
Yeah, yeah. This, so I might be putting some of your fears to rest, but also giving you new ones. So here we go. So the US military used biometric collection devices called— I'm gonna say they're called HIIDE machines, H-I-I-D-E machines— and they use them to scan the fingerprints and irises and facial geometries of not just allies but people that they were looking for. So it's said that actually biometrics were used in identifying Osama bin Laden when they hunted him down about 10 years ago. So biometrics were a big, big part of identifying allies, identifying potential bomb makers that were sort of hiding amongst the general public. So the Taliban now has their hands on all these HIIDE machines. Those were left behind. And at least in the U.S., the news is painting the picture that a whole bunch of Afghanistan— their data has been hoovered up biometrically, and all of that information is basically on these HIIDE machines. So digging into this a little bit, I think I was misinformed drastically. It seems like vast swaths of this data is potentially in the Taliban's hands. This biometric data is potentially something they can access. However, it seems like the biometric data that was scanned by these HIIDE on these machines has been remotely stored, and very likely, or at least we're hoping, the Taliban can't access it.
Oh, so it's been stored maybe on a cloud server or something?
Correct. And maybe on US servers remotely. It's really unclear because we're getting a lot of settings.
They're good.
Yeah, yeah. So it's like, there might be data at rest on these devices, we don't know. There might be data remotely stored they can't access unless they have enough training, we don't know. I don't want to paint a rosy picture being like, it's fine, they don't know how to use these devices, because it's not good for them to have any of this stuff. And the manuals for using these devices are readily available on the internet, and you can buy them on eBay. Seems like right now a lot of the hope with the biometric data is that the database of information or whatever's at rest on the devices is gonna be too hard for them to sift through without really knowing what they're doing. So maybe they won't be able to access it, or they'll see the data and they won't know what to do with it.
Or there's rootkits on all the devices or some kind of spyware. Ooh.
That suggests that the Americans would have had to have planned that in advance. I got the impression they had a lot of things on their plate.
Yeah, I feel like if they had the time to do that, they should have just not left the devices behind or just literally destroyed them. The other thinking is that the Taliban might use these devices to make their own biometric database of allies or enemies, or these devices could— they could bring them to the Pakistan spy agency, which might know how to actually extract all this info. So there's a lot of hypotheticals with the biometric data. When I had originally heard these stories, it sounded like it was a done deal. This information is out there. Everybody is at crazy risk. And it is possible. It sounds like there's a lot of hope in a security by obscurity that maybe they won't know what to do with all this stuff, which is a really, really shitty way to operate.
Maybe it's all protected by a really strong password. Maybe the Taliban have now got the US Army's Netflix password and they're being preoccupied watching that instead.
They won't notice us creating a new profile over here on the side. If we just say it's a kid's profile, maybe they won't notice.
Disney Plus. Fantastic. We'll do that. Yeah, we'll work our way through The Mandalorian.
I found this quote when I was researching the story that was great. It's by Welton Chang, the chief technology officer for Human Rights First, and he's a former Army intelligence officer. He said, I don't think anyone ever thought about data privacy or what to do in the event of the HIIDE system falling into the wrong hands. Moving forward, the US military and diplomatic apparatus should think carefully about whether to deploy these systems again in situations as tenuous as Afghanistan.
Oh, do you think it might be a good idea to think about it?
He's totally right.
I mean, I think that is the most ridiculous thing I've ever heard. They didn't think— that people didn't think about that? I can't imagine you'd have this powerful technology and go, look, we must consider what if this gets in the wrong hands. Give me a break. That didn't happen. If it didn't, shame on you.
Yeah, and that— it is pretty incredible that nobody thought, like, what, what? Yeah, there is no policy about this at all. So on the biometric data thing, I don't want to be like everything's fine, they don't know how to use it, don't worry about it. We just generally do not know. So of course, it is possible that the iris and fingerprint scans and the facial scans are not as much in danger as we thought, but they could be. We don't know yet. I think it's kind of a keep a pin on that. So that's actually not what I wanted to talk about primarily. I also wanted to mention there's a big but to this story, and I don't mean a big butt, not a derrière, but a caveat, if you will. Our friends at the MIT Technology Review did some digging on this story because they were also curious about what the heck is going on with it. And they talked to some sources who are familiar with what's going on, and they had to anonymously protect their sources. I'm guessing these are folks who either worked on this or helped set it up. And they said that all this attention we've been paying to these biometric HIIDE systems is really misplaced because there's a lot of unknowns there, right? What the Taliban has almost guaranteed access to is not getting as much press, and it's not as sexy as biometrics, but it turns out that the Taliban has access to a whole lot of PII for Afghan police and soldiers.
Oh.
Yeah. So a US-funded but not controlled database called the Afghan Personnel and Pay System, or APPS, that's what's at risk. So this database was set up starting in 2016 to make sure that we're paying national army and police in Afghanistan and not frauds who are posing as soldiers to get money. According to the sources at MIT Tech Review who they spoke to, there was no data retention or deletion policy on this database, not even the contingency of, say, the Taliban coming in and taking over. And the kicker is that unlike the HIIDE systems, which have all their data remotely stored, apparently the APPS data is held entirely on local Afghan government servers. So it is basically guaranteed that the Taliban has this data right now, and there's no complex biometric data machinery needed to access this. It's literally just a database. They just hit print on this. So the data on the APPS includes about 40 different data points, which includes the basics you would expect, like the name, place of birth, date of birth for the soldier or the police officer.
It is quite important though to know what someone's favorite vegetable — I mean, or rather their least favorite vegetable. It's like, oh, don't give him sprouts. Come on.
Everything you need to get a passport, for example.
Right. It also includes things like their military specialization, their favorite fruit.
If I brought over okra fingers, for example. Right, right. What?
Yeah, favorite fruit.
Like kiwi.
Right. Favorite vegetable.
Okay.
Favorite flavor ice cream. This sounds a bit like Smash Hits magazine when they'd have these teenage interviews of pop stars.
Yeah, not a happy story. But please, when you're thinking about data policy, it has real life implications, and this is one terrifying example. Those two are kind of funny, the fruit and vegetable. You're kind of like, what? But it goes on, and this is where it starts — I start sweating. The names of two tribal elders who serve as guarantors of that person's service, who can basically vouch for them. The names of the soldier or police officer's father, mother, uncle, and grandfathers, as well as a unique ID number that connects them to a biometric profile that is kept by the Afghan Ministry of the Interior.
And now you can hand the comedy baton to me.
Please, I hope you have a happier story than mine. Oh God. So going beyond the initial fear that this data could be used to identify people who worked with the Americans, if the geeks at the Taliban know what they're doing — and who's to say that they don't — they may be able to one by one hunt down service members' families and people who just vouch for them and carry out wide-ranging reprisals on anyone they suspect is just a political opponent. So the story about the HIIDE devices and the biometric devices is not a red herring, but it's getting all the sexy press because we're talking biometrics, and that is terrifying. You can't change that, obviously — can't change your fingerprint. But these databases that are locally stored provide more than enough information to find people, and it also has that identifier tying them back to a biometric profile. So if the Taliban figure out what they're doing with those HIIDE devices, I don't even want to finish the sentence because that's terrifying.
Carole Theriault, I'm sure you do. I'm sure you're going to rescue us this week. What have you got?
So it needs to be said again, there was absolutely no data retention or protection policies in place for any of this. I really hope anytime a government entity wants to start collecting data on people, that they'll listen to this podcast. Whether it's PII or biometric data, I want them to ask themselves, what kind of data are we collecting and why? What are the benefits and drawbacks of collecting it? And do we really need it at all?
Why do we need favorite fruit and vegetable? I mean, what was the need of the father and the grandfather? I mean, I'm sure they were justifying it somehow. But really, did that need to be recorded?
Okay, okay, you guys shake your heads out a little bit because quick, quick, quick, quick, without Googling, I want you to give me your best guess at what you think the current bitcoin valuation is at the time of recording, which is Tuesday afternoon.
I don't know. $34,000.
John McAfee's penis. Didn't he eat it or something? Oh wait, no, he died.
Oh wait, what a way to go.
I, I — yeah, I don't know because I only trade in Monero. I'm just kidding, I'm just kidding, I'm just kidding. I actually have 5 cents. I have no idea.
$50,000 USD at the moment. $48,000. That's a lot of wonka. Now, what would you do if someone actually gave you $50,000 just now? If I just handed you, you know, a bitcoin worth this money, what would you do?
I think I'd probably start — I'd halt the recording of this podcast and try and turn it into hard cash.
See ya.
You turn it into hard cash pronto. Yeah, yeah, yeah.
Oh, definitely.
You wouldn't kind of go, oh, it's going to go up, it's going to go up.
I don't care if it's going to go up. You've just given me $50,000. That's brilliant. I'm very happy with that.
Same.
Okay, here's another interesting question. Imagine you have this bitcoin, but you've done something bad, like prison-worthy bad, and you have to go to the clink for a number of years, right? What happens to your bitcoin?
Wouldn't it be seized by the authorities? Don't the authorities have piles of digital currency lying around wondering what to do with it?
From my understanding, and listeners correct us if I'm wrong here, but I think it has to be successfully argued that the monies or the crypto has been gained from illegal activities.
Okay.
And then it's confiscated, perhaps to pay fees or restitution to victims, that kind of thing.
Yeah, I don't think the authorities can just grab your money just because you've been arrested.
Yeah.
Yeah.
Yeah. But sometimes this whole thing can go badly wrong. So we are heading to Sweden, land of detective noir series, ABBA, IKEA, and fika. Do you know what fika is?
I don't know what fika is.
Fika or flika.
Fika. F-I-K-A. It's a cool coffee break. It's when you sit down with a cup of coffee and a piece of cake and have a little moment. Fika.
It sounds like you just did a little commercial for it. Just put some guitar music behind that. A little coffee and a cake, a little moment.
Loganberries, isn't that what they like as well?
Yeah, they're very delicious actually. No? Okay, just me.
Yeah.
Oh, I heard that's quite scary. Yeah, that movie.
So, back to me, back to me. So back in 2019— okay, we're in Sweden here— back in 2019, 3 Swedish drug dealers were charged.
Okay, and the prosecutor Tove Kullberg argued that the 36 bitcoins seized by Swedish police should be confiscated because they were earned through online drug sales. Ipso facto, illegal activity. Ipso facto, all of ours, right? All over.
Yeah. Yeah.
And the courts agreed. Okay. When Tove was communicating the value of this bitcoin in the Swedish courts, remember, this is back in 2019, maybe these are people that weren't particularly au fait with crypto and how it worked. And so she argued that these— Prosecutor Tove Kullberg provided a valuation in Swedish krona. 36 bitcoin were equal to 1.3 million krona, or about $120,000.
That would... It probably varies though.
Okay, okay. Yep, following you. Yep, yep, yep, yep.
So men go to prison in 2019, in May 2019, and it fell to Sweden's state enforcement authority to auction off these proceeds of the drug crime, including the bitcoin. But due to bureaucracy, a pandemic, and a plethora of other headaches, this process of getting the assets, including the bitcoin, to auction took two whole years. Now, what happened in that two-year period, do you think?
It's worth a lot more money now, right? Uh-huh. Right.
The value of the 36 bitcoin skyrocketed.
Well, that's good news, isn't it? The authorities— well, they've got spare money.
It sells nice holiday.
Yeah.
Yes, in 2019, a single bitcoin averaged $8,000, and today we know what it's worth, right? What is it worth?
5 cents?
$50,000? $48,000?
$48,000. Thank you very much.
Oh wait, my decimals are off. Sorry about that.
Now, where does this excess of $40,000 a bitcoin go?
My pockets?
No, I would think it would go to the police Christmas party, but that would be a pretty sexy Christmas party, let me tell you. Sweden, it's going to be a sexy party. There's going to be birch twigs and saunas and fires.
Yeah, ice hotels. So the Swedish state has been forced to return the surplus in value to the convicted drug dealers because they hardcoded the value of the bitcoin into krona.
Oh, so they said it's worth about $120,000, right?
1.3 million krona.
And since then it's become a humongous amount? And so actually these criminals basically got—
They had to pay a little bit for their blunder for getting caught, right? They had to pay a little, but they come out with some pocket change.
Squids in.
Yeah, this is a bit of a costly error, obviously. One done in good faith, right? But God Almighty, would you feel a dumbass if you're the prosecutor? You imagine all the people looking at you and you're walking around the halls of justice just going, oh yeah, there's that numpty. So do you think it's a boo-boo error, or do you think this is probably actually not written correctly in legal documents now across everywhere?
Yeah, I would just think of current market value at whatever.
Yeah, I agree.
Yeah, why would they hard go with the— I mean, markets fluctuate. That feels like a rookie error to me.
But what would have happened if the price of bitcoin had crashed?
Tough shit.
Would they then have gone to the criminals and said, I'm so terribly sorry, but you actually owe us a bit more cash? You actually got to give us more because it turns out—
I bet.
Yeah, yeah, I would say yeah. If it's if you owe the government a certain amount of money, they're going to get their money. So you pay up in terms of cash, however you need to get it, or bitcoin if the value is over blank. You know, make up that money however it's owed. Tough shit. I don't know.
The prosecutor, Tove Kullberg, apparently said on national radio— and I quote this, I really like the feel of this— she goes, it is unfortunate in many ways. It has led to consequences I was not able to foresee at the time.
Okay.
Yeah. But she says others should learn from this. It's unfortunate that it has ended up this way. The lesson to be learned is to keep the value in bitcoin, that the proceeds of a crime are 36 bitcoin regardless of the value of bitcoin at the time. So expensive lesson. But interestingly, so you guys were talking about how much money seizures make for people. So I was just looking in fiscal year 2019, the FBI said they had about $700,000 worth of crypto seizures. In 2020, it was up to $137 million.
Wow.
And so far in 2021, $1.2 billion. So this is going to be a focus area for the authorities for obvious reasons.
Oh yeah.
Anyway, the word to the wise, check the fine print.
As I always say, hire Carole to read your terms and conditions. Because she will.
It's going to cost you a lot. I hate doing it.
One bitcoin.
But I do.
This episode is brought to you by the folks at Privacy.com. Privacy lets you buy things online using virtual cards instead of having to use your real ones, protecting your identity and bank information on the internet. What a fantastic idea that is, and a great way of keeping your details out of the hands of the bad guys. Right now, new customers will automatically get $5 to spend on their first purchase. All you've got to do is go to privacy.com/smashing to sign up now. And thanks to privacy.com for supporting the show. Cybercrime is at an all-time high and it's not slowing down, so why should you? This August, you are invited to Security Summer School, a brand new webinar series hosted by the 1Password team. Learn from security experts at top organizations, hear about sizzling security trends, and get quick tips for building a culture of security at home and at work. You can get exclusive perks like 1Password swag for attending events, the chance to network with top security leaders, and much, much more. Find out more and enroll now at www.smashingsecurity.com. www.onepasswordsummerschool.com. That's www.onepasswordsummerschool, all one word, .com. And welcome back, and you join us for our favourite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or app, whatever they wish. It doesn't have to be security related necessarily.
Better not be.
Well, my pick of the week this week is not security related.
Excellent.
My pick of the week this week is musical.
Oh, mine is too.
Oh, is it?
Interesting. Okay.
Interesting.
Well, it's musical related. Not musical as in, you know, show tunes, but it is a documentary on Netflix all about Miles Davis.
Oh yeah.
It's called Miles Davis: Birth of the Cool.
That is so weird. I was just talking this week about Miles Davis to somebody. Yeah, because I was listening to it. I was doing some painting and it was pretty awesome. Yeah.
Interesting. Anyway, it's a great documentary all about the origins of Miles Davis, where he came from, how he revolutionised jazz with his trumpet.
Do you like him?
Well, I— okay, here's the thing. First of all, interesting question. Do I like him or do I like his music? I think Miles Davis is a rather difficult character to like. He wasn't necessarily a terribly nice chap.
Okay, so this show goes into that, I'm guessing, the private—
Oh yeah.
Art versus artist. Yes.
I know absolutely nothing about that, actually. I know his music fairly, medium well.
Yeah.
Because my dad was a fan, so I kind of got exposed really young.
So some of his music is much more accessible than others. So if you were to, for instance, he had an album called A Kind of Blue, which is very famous, came out in the late 1950s. It's an amazing piece of work, very accessible, I would think, to most people.
Yes.
It's beautiful and all the rest of it.
Yes.
But by the time you get to the late '60s and early '70s, there is a, what is considered a groundbreaking LP, which he did in around about 1971 called Bitches Brew.
Mm-hmm.
And which I have heard, and I was thinking, what on earth is this?
Maybe your ear is not refined enough to appreciate it.
Oh, here's the thing, Carole. The reason why I was listening to Bitches Brew is that I was invited to a concert to see a group perform the Bitches Brew LP in its entirety. So I thought I'd better listen to it in advance. So I've got to think. And then I started listening to it, thinking, oh my God, how am I going to tell— But when I saw it live, the magic of live performances, if you remember those, yeah, I actually thought this is pretty cool and I actually enjoyed it seeing people perform it. I really enjoyed listening to it on Spotify.
Do you know what though? I would put it to you, Graham, that you could now listen to it on Spotify or wherever and you might find it much more exhilarating because I've seen quite a few jazz acts in my time.
I think you're probably right. I think I probably could.
What a whole new cool world to explore. I'm so pleased for you.
Indeed. And I will be wearing my turtleneck from now on.
Snapping.
Go check out Miles Davis: Birth of the Cool on Netflix. Great documentary, really interesting. And you can understand why people rave quite so much about Miles Davis. And that is my pick of the week.
Well, Miles Davis's music.
Yes, yes, yes, yes.
And I just made that point. I just want to underline it. Yeah.
Maria, what's your pick of the week?
My pick of the week is a show that is returning for its third season, right now actually. I think it's coming out in the next few days, so when this episode airs, it'll be the premiere. The show is called What We Do in the Shadows, and I did not think I was gonna enjoy the show because it uses my least favorite recent innovation of comedy, which is that fake documentary thing that The Office made very popular. I can't stand that whole thing. I just can't. I think it's just— at least to me, it seems overdone now, so I just can't do it.
Yeah, yeah.
No, I love the original UK Office. That was really funny. But I just can't do— but Jemaine Clement, yes, and Taika Waititi— I think I pronounced his last name correctly. Yeah. So this show is about three vampires living on Staten Island now, and it's actually— the show is— It's not so much about them as it is about their sort of assistant/familiar, who's the best part of the show. And I don't want to give too much away, but the thing that I like about this show is there's a very clear story that they're following. And it's not just we're following them and they have hijinks and it's super funny. There's a very clear story arc that's happening and it's very, very smart. So yeah, you see all these mythical creatures, werewolves and witches and vampires, as they're sort of just living in modern society and dealing with their dry cleaning and all that kind of stuff, but also dealing with weird occult stuff from the past.
And it came from a movie, didn't it? Yeah, it was a movie first, which we— I saw on my husband's 40th birthday. I remember it very clearly.
The pilot was successful, now they've made a TV show out of it. So season three is starting this week. I have no idea how you watch it outside of the US. I don't know, I'm sure there's a way, but in the US it's on FX and I watch it on Hulu. So, really, really funny show. I enjoy it a great deal, so I'm looking forward to season three starting.
Fantastic pick of the week.
Well, Jemaine Clement, he's hilarious. He's from Flight of the Conchords.
Yes, yes.
And that other chap, they're both from Flight of the Conchords.
They're like the dream team. So yeah, they, basically almost everything they do, I find myself really enjoying it. So yeah, this show's great. And they're in it too, like they sometimes make little cameos. Oh my gosh, why am I blanking out? Matt Berry is one of the stars, so obviously the show's hilarious because he's in it. So I don't know, he's great.
Terrific. Great pick of the week. Carole, what's your pick of the week?
Okay, I invite you guys to go to a website.
Oh yeah.
That website is called radio.garden.
Radio garden, okay.
Radio.garden. Listeners, you can go too, as long as you're not operating any machinery.
Radio Garden. Radio dot garden. Yeah, I know what it is, Carole, because we've had it as a Pick of the Week before. Yeah, episode 215 earlier this year. It was my Pick of the Week. Oh no, this is the second week that someone has come on this show with a Pick of the Week which has already occurred, but this is the first time I think that a co-host has actually had the audacity to bring a Pick of the Week.
Do you really think it was audacious of me, or do you think that I just didn't go double check?
I just think you can't have been paying attention on that previous episode and thought, that's a great Pick of the Week, Graham. I'm — and would remember that I brought it to the show before, and now you've brought it. What are you going to do about this, Carole? Are you going to fix this problem?
I was going to carry on talking about my Pick of the Week. That's okay, because maybe someone missed it, and maybe I'm just reinforcing your excellent Pick of the Week, which, if you'd let me finish, I would have said Graham mentioned this in an earlier show, and you know what? He was right. I'm right now listening to stations in Bryn Mawr, right?
Explain what it is. It's worldwide radio. Well, they should do episode 215. Zoe Kleinman knows, she was on that show.
Wow, you remember the guests and everything.
No, he's looked — he searched for it, of course.
Oh yeah, because we have a page on our website, Maria, where we list all of our picks of the week. Yeah.
Thanks to our wonderful listeners. But we've been doing this show a long time. So listen, Radio Garden, international radio, but it's done very cutely because you have a little globe that you can spin around and then you can get to, you know, I was worried it had already been mentioned, but I thought, fuck it, I'm going for it anyway. You can actually click. So if you go to the site, for example, why don't you go look close to your hometown, Maria?
Yes.
I'm not.
Yeah, and you may find one close by, and then you can kind of play it and listen to what music is being streamed 24/7 from that station. So that's the one rule, they have to stream at all times.
Yes, so my hometown has one. Yeah, yes, Radio Uganda.
Is that your hometown?
Yes, we have one of the largest Ugandan diaspora populations in the world. Oh, here they are. Yep, so I'm not —
Well, I never —
Yep, so we've — Radio —
I've been enjoying music in France a lot recently. That's where I've been hanging out. But anyway, Graham, I just wanted to say I supported your earlier pick of the week. I didn't know about it at the time, but I've had time to look at it and I think it's excellent. And I think, well done you for coming with such a great pick of the week way back when. That's radio.garden people.
Tune in next week for a repeat of this week's episode.
Oh God.
Well, no, no, you know, it's just, you know, yeah.
I think it was a good save. I think you should give me the save.
Oh no, you've kind of saved it.
Thank you. You're welcome.
Let the listeners decide.
They will decide. They understand.
Yeah. I'm sure they understand what's happened. Whether they're impressed or not is a whole different matter. And on that rather unsatisfactory denouement to the episode, we have just about wrapped it up.
Listeners, shame me publicly. That would be so fun. Yeah, that'd be really fun. I'd love that so much.
It counts as engagement. We need it. It's good.
Shut up, Maria.
Maria, and I know people will have heard this bit before, but I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
Go to stickypickles.com.
We'll be back soon.
Yeah, we'll be back soon. So we'll probably be recording this week. So, yeah, yeah, seriously, I don't use Twitter for much anymore, and Sticky Pickles is where I'm spending the rest of my time. So follow me there.
You can follow us on Twitter at Smashing Security, no G. Twitter allows to have a G. And we also have a Smashing Security subreddit. And please don't forget to ensure that you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.
Thanks to this week's episode sponsors, privacy.com and 1Password, and to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship information, guest list, and the entire back catalog of more than 240 episodes, check out smashingsecurity.com.
Where there's also a list of all of our past picks of the week.
Yes, we're talking about that.
And until next time.
Whoops.
Cheerio! Bye-bye!
Don't hate me, listeners. Bye-bye! Thanks for the public scolding there, Dad. Mommy and Daddy are fighting. I don't like it. Didn't I have your back earlier today in a non-public fashion? Did I not?
Yeah, you do. You're all right.
Exactly. So, just saying.
Don't fight, you two.
This makes me sad. I'm not bothered. I kind of, honestly, I had a nagging suspicion it had come on the pick the week before because I'd remembered the globe somehow, the visual. I wouldn't remember the name, but I remembered looking at the visual. And then I'd already, yeah. So then I just thought, you know what? He'll remind me, I'm sure. And you did within 10 seconds. So, well done, you, Chris. No clue.
Yeah, I was right on.
You were lightning. Yeah, you still got it, guy. You still got it.
I'm amazed that you remember. I'm amazed that you remember.
Of course it was yours, so of course it was my pick of the week. Yeah, yeah.
But after so many episodes, doesn't it all become a—
You know the blood, sweat, and tears that are created trying to think of a pick of the week each week? You remember your past picks of the week. We don't remember what we say about cybersecurity, but we remember the picks of the week.
Yeah, I don't remember my past ones, honestly. I'm amazed that you do.
Yeah, I'm amazed as well. And pleased, Graham. It was a test.
Oh, you passed.
Hosts: Graham Cluley, Carole Theriault.
Guest: Maria Varmazis.
Show notes:
- Vulnerability in Bumble dating app reveals any user's exact location — Robert Heaton.
- How Tinder keeps your exact location (a bit) private — Robert Heaton.
- The Taliban Have Seized U.S. Military Biometrics Devices — The Intercept.
- A U.S.-built biometric system sparks concerns for Afghans — NBC News.
- This is the real story of the Afghan biometric databases abandoned to the Taliban — MIT Technology Review.
- Sweden must give Bitcoin worth €1.3 million back to drug dealers after costly legal misstep — Euronews.
- Miles Davis: Birth of the Cool — Netflix.
- What We Do in the Shadows — BBC iPlayer.
- Watch What We Do in the Shadows — Hulu.
- Radio Garden.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Privacy.com lets you buy things online using virtual cards instead of having to use your real ones, protecting your identity and bank information on the internet. Right now, new customers will automatically get $5 to spend on their first purchase.
Go to privacy.com/smashing
Cybercrime is at an all-time high, and it’s not slowing down, so why should you? This August, you’re invited to Security Summer School, a brand new webinar series hosted by the 1Password team.
Learn from security experts at top organizations, hear about sizzling security trends, and get quick tips for building a culture of security at home and work.
Get exclusive perks like 1Password swag for attending events, enjoy the chance to network with top security leaders, and much much more. Find out more and enroll now at www.1passwordsummerschool.com
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
