Smashing Security podcast #242: ProtonMail privacy questioned, and Banksy blunder

Industry veterans, chatting about computer security and online privacy.

Graham Cluley

ProtonMail finds itself in a privacy pickle, the big problem with Facebook’s algorithmic amplification, and strange things are happening on Banksy’s website.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire’s Dave Bittner.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault

You don't go to Europol for that, do you? I mean, is that what Europol is for? This guy needs a shower?

Dave Bittner

Get me Europol on the line. You call Europol. And Brexit isn't looking so stupid now, is it? Wow, you haven't chosen your audience very well.

Graham Cluley

Hello, hello and welcome to Smashing Security episode 242. My name's Graham Cluley and I'm Carole Theriault and we're joined this week by returning guest, a semi-regular. It is the CyberWire's Dave Bittner. Hello, Dave.

Dave

Hello, hello.

Carole

Do you like being known as the CyberWire's Dave Bittner?

Dave

Do you want to be Dave Bittner, popular on? I don't know. They pay my mortgage, so I'm okay with it.

Graham

Yeah, but they aren't paying us, are they? They're not sponsoring. No, not yet. So why are we plugging them?

Dave

I mean, we're technically competitors, right? We're friendly rivals, wouldn't you say?

Graham

I wouldn't say we're rivals. I wouldn't say we're friendly.

Dave

I mean, we go after some of the — yeah, exactly. We share some of the same advertisers, which is good. We share Carole. Most importantly —

Carole

If we're competitors, what the fuck am I doing? I'll have to quit one of you guys.

Dave

Yeah. Well, it's pretty good over here in the good US of A, Carole. My mind's made up.

Graham

I will be reporting from La Belle France.

Dave

What about you? I'm going to be looking into Facebook's algorithmic amplification.

Carole

Whoa. Okay. And I'm getting all arty and talking Banksy. All this and much more coming up on this episode of Smashing Security. I almost said the CyberWire, though.

Graham

Wow. Now, chums, chums, France. Ah, formidable. La belle France. Home of the beret, the stripy shirt, the guillotine. People smoking like chimneys, drinking wine, snorting cheese. You both fans of France?

Carole

Oh. Wow. I hate to say that I find this slightly offensive just all around. Dave, have you been to France?

Dave

I have been to France. I was only there once when I was a teenager. I was on one of those sort of band and choir trips where you visit all around Europe. And we were in Paris for a day or two, and it was delightful.

Carole

You got your little cultural injection.

Dave

Oh, yeah. Cultural injection? Although I do remember that the waiters were quite rude. But I think that's not a bug, that's a feature, right?

Graham

Come, come. I don't think you'll find rude waiters in Paris. Surely not.

Carole

That has never happened to me.

Graham

Well, you speak fluent French.

Carole

I do not. Oh, you think it's a language thing. They think if you don't speak French, they're rude. That's what I've heard. I don't know.

Graham

Well, I think it's a wonderful country. I think it's wonderful. Paris, fabulous place to visit. But alas.

Carole

Paris is just a city, you know that?

Graham

Yes, I know Paris is a city.

Carole

Okay, just check. That's like, what do you mean just check? Well, you just said, oh, La France, Paris. It's like, well, there's a lot more places. It's like, oh, England, London, London, so great.

Graham

Can I explain how my segment of the show works, right? It's a little bit like watching a movie, right? You have the swooping helicopter shot at the first. The first thing you see is you see the Earth hanging in orbit around the sun. And we zoom into Europe. We've all used Google Earth. We know where we are.

Dave

Okay. Like the opening image from Radio Garden. Oh, sorry. I didn't want to bring up a touchy point. Not again. Who don't like coffee.

Graham

Well, quite possibly not. Or they're selling coffee which is substandard, dare I say. Maybe even coffee which comes from American multinationals. So France and Paris in particular are being culturally destroyed, wiped out. And this isn't a good thing. In fact, pas très bien means not very good.

Carole

I have no idea what you just said. Pas très bien. Yeah, pas très bien. What does that mean, Carole?

Graham

That was a test.

Carole

Not good, yeah. Got it.

Graham

Now, some people aren't just grumbling into their dark black cups of coffee and listening to sorrowful accordion music. Going zut alors. Yeah. Mais non, malheureusement. No. They are revolting. They are protesting. For the past year or so, there is an anti-capitalist group called Youth for Climate. It's probably climate pour la youth or something.

Carole

Anti-capitalistic or pro-climate which one would you think identify with more? Well — They do a bit of everything, they cover a number of things. They have a long list of grievances. They don't like Airbnb, they don't like rising property prices, they don't like posh restaurants, they don't like all the capitalism and all the money coming in. And they do not like the gentrification of Paris. Just thinking during COVID, maybe the rents were really slashed.

Graham

I don't think it's much of a protest if you're there with the permission of the landlord and paying rent. I think that just means you've moved in. So this is

Carole

Part of the protest. Their headquarters is part of the protest. They've occupied these buildings. Right. French police have been trying to identify who is operating the group's email account, right? And this is an email account hosted at ProtonMail. Use it, don't you? Yeah.

Graham

Yeah, I've got ProtonMail. I don't use it as my main account, but I do have a ProtonMail account. It's a really simple, easy way to get end-to-end encrypted email, which means that they can't read your messages, and the authorities can't read your messages either because they're all encrypted. And it's much, much easier than setting up PGP or something like that.

Dave

Now, Graham, is ProtonMail a closed system? In other words, can you only communicate with other ProtonMail users?

Graham

So it is completely end-to-end encrypted if you are speaking to other ProtonMail users. If you're speaking to the outside world, you do have the option of importing their PGP keys, and then you can very easily communicate encrypted with the outside world as well. But by default, it wouldn't be encrypting with the outside world. But certainly, ProtonMail to ProtonMail, it's all end-to-end encrypted. Now, ProtonMail has become really popular over the last few years because it's got this really strong focus on privacy. A lot of the messaging on their website makes emphasis on the fact that they are based in Switzerland. Their servers aren't based in America. They're in Switzerland. All the user data is protected by strict Swiss privacy laws.

Carole

Yeah, and word on the street, like if you listen in to little forums where a lot of techies hang out, they all go, oh, ProtonMail, ProtonMail, ProtonMail. So, yeah, it's got a kind of cachet, doesn't it?

Graham

Yeah, and not just people who are sort of privacy conscious for legitimate reasons, but also bad guys and cyber criminals will often use ProtonMail. Or you will see messages inside ransom notes where they'll ask you to contact them via ProtonMail. Spammers, scammers, and so forth will use that. And ProtonMail, to its credit, it would obviously regard that as a breach of its terms and conditions because it's criminal activity. And they would shut down accounts. So ProtonMail, you pay for it by subscription. You can get a free account as well. But to use it full blast, you pay some money. So it's not advertisers. And so that's another big difference from using things like…

Carole

It sounds like an advertising for it. Well… All the USBs. Jesus. Well, is it? Is it? Is it? Everything except for the content of the message. Well, Yeah, but that's really to do with the SMTP specification, right? Yeah. Which is the oldest time itself because the email headers aren't encrypted.

Carole

Law. I kind of agree with that. I don't know what this activist group have done. I don't know if they have broken law in ways that are as dangerous for the public or whatever.

Graham

I mean, obviously, they're occupying some property without permission. And they might be causing a nuisance. Maybe they haven't washed their hair enough. But again, you know, these are things which some which you could charge against many people in Paris. You don't go to Europol for that.

Carole

Do you? I mean, is that what Europol is for? This guy needs a shower?

Dave

Get me Europol on the line. You call Europol. And Brexit isn't looking so stupid now, is it?

Carole

Wow, you haven't chosen your audience very well.

Graham

First radio garden, now this. So I imagine the French managed to convince the Swiss authorities that this would be a crime under Swiss law as well as French law, whatever it might be. ProtonMail says, if you are breaking Swiss law, we can be legally compelled to log your IP address as you log in as part of a Swiss criminal investigation. And that is what's happened.

Dave

Well, and that was part of their marketing was that even if they were able to see stuff, they weren't logging it, right?

Graham

That's right. They don't log it by default. All of this stuff. But they can be compelled under Swiss law to begin to log stuff. Now, the thing is, ProtonMail said that if we are compelled to begin to log your IP address as you log into ProtonMail, we will inform you. Again, under Swiss law, you're required to tell the user you are being monitored, right? But under certain circumstances, the notification of the user, quote, can be delayed under Swiss law. So if the authorities put together a convincing argument as to why, well, we don't really want you to tell the user that we're watching them right now.

Carole

This is properly Dickensian. This is just, and Orwellian.

Graham

There's a lot of aliens. Yes. So ProtonMail did, it appears, delay notifying Youth for Climate that they were being monitored. At least the owner of that email account, for eight months.

Carole

So were they compelled by Europol not to tell them or they chose not to tell them? Do you know?

Graham

I would assume that they were told you may not tell them. I want to come to the defence of ProtonMail here. I really believe ProtonMail are the equivalents of these guys who are protesting in Paris. They are activists as well. They are really hot on security and privacy, and they do seem to really believe in it. And I think this would have pained them greatly, but I think they were forced by the Swiss authorities to not tell their user that they were being monitored.

Carole

But eight whole months. You see this Europol guy going, of course, if you choose not to comply with our wishes, we could make life very difficult for you.

Graham

Yeah. We'll cut off your supply of cuckoo clocks and holey cheese.

Carole

I think Europol will have more jurisdiction than that. Do you think? I don't think they're just sticking in, you know, the Swiss food market. So everyone's ganging up on ProtonMail right now saying, oh, it's outrageous what you've done. And ProtonMail, I think reasonably, are saying, well, you know, it doesn't matter who you use, unless you are based 15 miles offshore in international waters, the company you use to handle your email has to comply with the law. And it feels that it's done everything that it could to reduce the amount of information it was collecting and to play by the law in Switzerland. And Switzerland does clearly have stronger privacy laws than many other countries around the world. Right? I see it too. When are we going to get our rowing boat?

Graham

Exactly. When are we going to get our pedal?

Dave

All right, a solar-powered barge 15 miles offshore. Come on.

Carole

Is this Waterworld all of a sudden? Who was it? Kevin Costner? Was that who it was?

Dave

Yeah, satellite internet. Why not? I think we're on to something here, Graham.

Graham

Yeah, I'll visit occasionally. Dave, what have you got for us this week?

Dave

Well, let's talk about Facebook, shall we? None of us are active on Facebook. Is that right?

Carole

No.

Graham

No, I'm not on Facebook, no.

Carole

No, me neither. I didn't actually delete my account, but I made it inactive. So it's sort of there in frozen in time.

Dave

A memorial to Dave Bittner. Exactly. You can go look me up there, but I haven't done anything on there in probably about two years.

Carole

So I think I was early to the game, but actually within a year I found it really quite, oh my god, my life's so great. I think it was, I didn't like where social media was going even then, so I kind of, right, and then people used to post pictures of me on it a lot and I hated it, tagging me, you know.

Dave

I hated all that when people didn't ask. Yeah, Graham, what about you?

Graham

Yeah, I, you know, I had an account for a while promoting my blog and things, but, you know, it's just vile, isn't it? And of course, we shut down the Smashing Security Facebook page as well. We used to have it to promote the podcast, and then we thought, no, we shouldn't be doing this. But generally, it's looking at Mark Zuckerberg and just thinking, just wanting to give him a slap, really, just thinking, oh, this is just so unpleasant and vile and just...

Carole

Okay, two islands, Piers Morgan or Mark Zuckerberg. Which one do you swim to?

Graham

Oh, God. I just want to be eaten by the sharks. I'll drown.

Dave

It's like the end of Titanic. He'll just sink to the bottom. Well, so we're talking this week about a story from Mother Jones, which, full disclosure, is a left-leaning nonprofit publication. They have a decidedly progressive bent. So take everything we're going to talk about that comes from this article with that in mind. They did some digging into Facebook's algorithms and the way that they work. Well, it's titled "Why Facebook Won't Stop Pushing Propaganda." It's written by Monika Bauerlein and Clara Jeffery. And Mother Jones admittedly has a horse in this race. They saw their numbers fall off significantly when Facebook made some adjustments to their algorithms. But really, this article is focused on what they refer to as algorithmic amplification. And that is the tools that Facebook has to amplify the things that it thinks are going to make you more engaged with the platform. So as anyone who's been on Facebook knows, there are the things you see from your friends and family, your baby pictures and friends on vacation and just all the things that remind you how much better everyone else's life is than yours. So all of that stuff comes by. But then there's things that just sort of pop up randomly. They could be news things, all sorts of things. But Facebook figures out based on it analyzing your interests and things that you click on, it gives you more of the things that it thinks are going to lead to more engagement. And that's really the key thing here is that it's not giving you more things that it thinks you're generally interested in from a learning point of view, from a bettering yourself point of view. It's really about getting you to spend more time on Facebook.

Carole

It's like having a baby and going, gee, baby likes applesauce. Let's feed him applesauce, more applesauce, give him applesauce, applesauce, applesauce.

Dave

Every time the baby is crying, I give it applesauce and it's happy. Next thing you know, the baby's dead.

Graham

Right. So Facebook is looking for the stickiest content, the stuff which it knows you're going to keep on coming back for in order that you keep on coming back to Facebook. Is that right?

Dave

Right. Absolutely. And some interesting things I pulled from this article here that speak to this. There was a scholar from the Stanford Internet Observatory named Renée DiResta, and they said free speech is not the same as free reach. And I think that's really – isn't that interesting?

Graham

What does that mean? I'm a little bit stupid. What does that mean, free speech is not the same as free reach?

Dave

Well, the ability to say things without someone deleting the thing you say is not the same thing as having the thing you said amplified and spread around to millions of people. So if you're Graham Cluley

Carole

tweeting versus you're Carole Theriault tweeting, you will just naturally get way more reach. Now, I would argue that Graham gets way more reach because he spent a fuck ton more time curating his following and posting stuff and being hilarious in his socials. Right. So deserving of this class of people. And I have it. So and I don't have it. What this reminded me, this notion of free speech not being the same as free reach reminded me of when former President Trump was kicked off of Twitter and went to start his own blog where he could basically do the same sort of information sharing that he had done on Twitter. His blog was a flop, right? Also, the power came from naysayers, right? Naysayers may not go to his blog, but it's there in front of them on Twitter. And by dissenting, they're still contributing to the conversation, not making them irrelevant, right?

Dave

Right. And incentivizing other people to chime in with their opinions. A couple other pulls here. It says, the real problem is that Facebook profits partly by amplifying lies and selling dangerous targeting tools that allow political operatives to engage in a new level of information warfare. Its business model exploits our data to let advertisers aim at us, showing each of us a different version of the truth and manipulating us with hyper-customized ads.

Carole

I don't disagree with that. No, I think this is interesting too because imagine if you had a billboard on the side of the road, right? And you put something provocative on that billboard that half of the population would agree with and half would find very offensive. Yeah, capitalism without any morals or lacking in morality or ethics is chaos, really, right?

Dave

And let's not forget Facebook's origin story, right? I mean, Facebook was — it's a website to judge female college students by their looks. Hot or not. Yeah. Yeah. So that is the foundation on which this was built. And I think it's worth remembering.

Graham

So good. We're all doomed. We're all doomed. Another fun topic. There's no fakes. Zuckerberg has ruined the world. Save us, Carole. You're our only hope.

Dave

I always do. Girl, what have you got?

Carole

You may remember a little while ago, we did an intro to NFTs on Smashing Security. So that was episode 226. And by we, I mean, of course, me, because Graham, you were there, but I did the story.

Graham

I wasn't really there. I wasn't really present during that. That's so nice. Non-fungible tokens, right?

Carole

That's right. It's an identification of ownership of something original in the digital or physical realm. And it's not the same as copyright. It's an identification of ownership. So now loads of people are playing around with it and making a fast buck. Others are testing its mettle. Some are saying it's the biggest scam since doctors advertising cigarettes as good for us. And enter graffiti art god Banksy. Now, everyone listening has heard of Banksy. What do you know of him, Dave, Graham? Well, he's certainly a hot property, isn't he? Whether or not you like his stuff, and I do think that there is a good amount of talent there.

Graham

I think he's awesome. I think he's great. I think he's a good artist. And he regularly will take the side of someone's rubbish building and dramatically increase its worth by daubing on it overnight. And I think it's great. He's one of the top earners in the art world, like Damien Hirst, earning well over a million quid for some of his well-known works.

Carole

And do you remember, Graham, one of his early art coup d'etats was in 2004 at the Notting Hill Carnival. He handed out fake 10-pound notes with the face of Lady Di replacing the Queen's. And it was stamped Banksy of England.

Graham

2004? I was only 14 at the time, so I don't really remember that. You were 14. I was a bit young. I don't remember that one. But anyway, carry on. What

Carole

Is going on? The biggest thing about Banksy is that no one seems to know who he is. Well, obviously, some people know who he is, but the public, the general public does not know who he is because he does everything on the down low, right? And you often have to wait till after the event of his unveiling of his artwork for him to take, you know, his invisible bow and take ownership. Okay. So setting the scene here. Last Tuesday morning, a piece of digital art popped up on Banksy's official website. Okay. Right. And this was like banksy.co.uk/nft. And on this page was a JPEG. The JPEG was called the Great Redistribution of the Climate Change Disaster. And with this was a digital image showing a pixelated man in shades puffing on a cigarette in front of some smoking chimneys. Now, no surprise to our super switched-on listeners that the blockchain tech is seen by many as an environmental shit show. Politely put, it's extremely energy hungry, right? Like those hot dog eating contestants, none of us stand a chance. And so maybe this was a commentary from Banksy on the climate change blockchain thing going on because underneath was a link to the auction site OpenSea, a crypto NFT site. Okay, so you could buy the NFT of this image. Right. The picture obviously doesn't look like much. It's kind of very pixelated, very basic. But then I would say a lot of the hype around the NFT market is ridiculously simple pixel artwork. Like all that, you know, all that stuff, that CryptoPunks hype. You guys remember that? Yeah. Where you've got these kind of like, there's like 10,000 plus little drawings that people are selling on Ethereum. Yeah, yeah. Right. The million dollar webpage. Remember that? Exactly. They're at a billion dollars now. They're at a billion dollar market now.

Graham

Yeah. But I mean, even if it looks amateurish, if it's an image, which, you know, an NFT from Banksy, someone's going to want that because it's by Banksy, right? Exactly. Yeah.

Carole

Right. Like it's a little bit different than his normal style. But then if he's poking fun at this whole NFT game and, you know, mocking the whole CryptoPunks hype and maybe going to give the money afterwards to some charity. So we get this art collector, right, who gets wind of this web page and he's perusing the official website and he sees this and he's like, I have to act quick, right, you know, to get a hold of this NFT because this is freaking gold. And thank the gods that he was rich enough to play this NFT game. So this art dude, being no chump, gets his skates on and goes to the auction. And there's people bidding, there's people bidding, and he jumps in and offers 90% more than any of the rival bidders. Boom. That's £250,000. Okay? Over $300,000. And no one else bids, and he secures the NFT for the Banksy artwork and making him the owner. And bada-bing, bada-boom. Or is it? Is it? It turns out that the GIF was not created by the graffiti king, Banksy. And it turned out that the official Banksy website got hacked. And the image and the link uploaded was uploaded by an unauthorized third party.

Graham

So, okay. So the thing being auctioned on Banksy's website wasn't authorized by Banksy, wasn't a Banksy and someone has just made off with, what did you say, $300,000? Yeah. Yeah.

Carole

There was just a link from the Banksy official website to the OpenSea crypto market for this particular work. And as soon as it was achieved, right, as soon as it was accepted, this huge offer of $300,000, the money went straight off to the scammer, not to Banksy Incorporated or whatever. Via cryptocurrency.

Graham

Via cryptocurrency. Or so Banksy says. Well, yes, we're going to come to that. We're going to come to that. We're coming to that. So yeah, keep that head on. We've all been there, yeah.

Carole

So who was this digital scallywag that took all his cash, right? You know, the art collector wants to know. So he goes out on Twitter, talks to people and tweets out and makes a bit of a stink. And funnily enough, the money gets returned to his Ethereum account. So that's interesting, right? Now he got all his money back except for the transaction fee that OpenSea takes. So £5,000 or £6,000, $7,000. Oh, and I haven't told you the name, well, the moniker of this art collector who's been going around to the press. Okay. Are you ready for this? Clam Glooly. No. No, it's not that. It's close. It's close. Are you ready? Are you ready? I'm ready. Pranksy. Pranksy. Pranksy. Of course. Of

Graham

course. He's the purchaser.

Carole

He's the purchaser. And apparently he created this moniker or pseudonym or whatever ages ago in honor of Banksy, but it doesn't bode very well during this little media parade. Okay, right. I'm beginning to get a bit suspicious.

Graham

Okay, talk to me. Talk to me. I'm listening. Well, first of all, Banksy's a bit of a prankster himself, isn't he? Do you remember he was having that famous piece of art? I think it was the one with the girl.

Carole

Yeah, girl with the heart balloon. And

Graham

The balloon, yep. It was being auctioned, and it was a televised auction. And then as the auction finished and someone had won it, and then the frame sort of stirred into action and went, and the art was shredded. So it became a new piece of art. Half of it. Yeah, which was awesome, wasn't it?

Carole

It was, and it's interesting because it's just now going back up to market. So the guy who bought it for $1.1 million probably got bored of seeing half a work of art. Yeah, but it's now even more famous, right? Well, I know, but is it going to be worth more money? Like, it's just ridiculous. Because is that not modern

Graham

Art itself? So, let's... Right. Okay, this is really interesting. I didn't know all this about this Banksy thing. If Banksy's website got hacked and someone managed to direct people to an auction and they stole three... How much did you say? $300,000. A large amount of money. Yeah, a lot of wonga. It feels unlikely that they would return the money. It's the kind of stunt which Banksy himself would pull off because he has been brilliant at manipulating the media over the years. Well, he has. But also, interestingly, he is very much not a fan of copyright or any of this. And that's a source of a lot of his dramas because it means that people can reproduce his images like card companies and use his images, and he's not going to claim rights. Could you not claim that the copyright owner is someone who is in a permanent vegetative state in some hospice or something? And so they wouldn't be able to take notes.

Carole

Yeah, and now he's getting tons of press attention, including on Smashing Security. And so is Banksy as

Dave

Well. What if it was someone who wasn't expecting this much money and now is afraid of the amount of heat that could be put on them?

Carole

Oh, I'm sure. Europol, right? Oh, no. Well, we don't know where they are.

Dave

But, I mean, because this isn't the only incident here where cryptocurrency is being returned. No. No. No. People are maybe getting nervous if it's too much moolah. Yeah. Right.

Graham

They should have made a TikTok video. That's how you get attention these days. You can't just use Instagram.

Carole

That's right. Yeah. Find a song.

Graham

Yeah. Should have had it amplified on Facebook. This all seems a bit of a rum old story to me.

Carole

The Banksy team have said nothing to do with us. We have nothing to do with NFTs. Nothing. They have not made a comment about their website being hacked or anything like that, but they are saying nothing to do with us, Gov.

Graham

Hmm. Do we know from the ethical hacker whether the vulnerability still exists?

Carole

No, the page has been taken down. I haven't gone and checked the website out to see.

Dave

It does point to a serious security issue that lots of companies fall victim to, which is that people can gain access to their website, and then they're able to post something using the actual URL from the website. As you said, Carole, the buyer here, he checked on mobile and on desktop to make sure the URL was correct, and it was.

Carole

I know, I know, and you kind of think well Team Banksy, look, you probably have a lot of wonga in the bank, maybe you need to hire a better IT risk assessor and get your site up to scratch. But then they weren't ever expecting... They weren't doing NFTs. It was just some web page. Yeah. It's, I don't know, as a fellow artist, you know.

Dave

Well, more publicity for Banksy, right? So there's

Graham

That. Are you a fellow artist, Carole? Do you have a website where you are promoting your art?

Carole

I do. Promoting your art. Which is going to be updated soon, Graham. So watch this space. Is it securecarol.wtf? Is that the website? It will be by the time the show goes out. Well, thanks for making your pick of the week and telling all our thousands and thousands of listeners about it. Well, get right on that.

Graham

It was enjoyable, but if you're a Beatles obsessive like me, you've kind of heard it all before. Okay.

Carole

Can I ask a question?

Graham

Yes.

Carole

If you were watching the show and you needed to go for an urgent bathroom break, would you press pause?

Graham

I would press pause.

Carole

If the remote was on the opposite direction of you, it wasn't on your way to the bathroom, you'd have to walk—

Graham

How urgent is the bathroom break? I mean, what sort of— Pretty urgent. Is it a brown alert? What are we talking about here?

Dave

Is it going to be a quick bathroom break or are you going to be in there a while?

Carole

I don't know. You just have to— Jesus, guys. Guys, guys.

Graham

There's a couple of things which annoyed me about this. I do think it's worth watching, but there's — just as with any work of art, there can be some flaws. And McCartney's voice isn't what it was, right? So he doesn't always sing along. Sometimes he sort of hums along.

Carole

Is he still alive?

Graham

He is still alive, but he's getting on a bit and his voice is broken. Meanwhile, Rick Rubin, who is a very — you know, he did all those Johnny Cash LPs, didn't he? Set up Def Jam or something like that. You know, he's a world-renowned producer. He's a dude, right? McCartney will say something, and Rick Rubin will go, "Wow." Well, of course, you know, all McCartney's saying, "Oh, so what we did was we went one octave lower because we slowed it down." You know, it's and he's going, "Oh, that's amazing." And you think, no, it's not that amazing.

Dave

It's the Chris Farley interview on Saturday Night Live, remember that? With Paul McCartney.

Carole

Graham, you would love if I did that to you. What if I told you — if every time you spoke I would go, "Wow, Graham, you're so smart. That's an amazing, amazing point you just made. Wow." What great research you've done. Yeah, you've just done in a very sarcastic fashion. I don't think Rick Rubin was doing it out of sarcasm anyway.

Dave

There's a series of documentaries from, I don't know, probably a decade ago called Classic Albums. And it's a similar sort of thing where they sit down at the mixing board with the artists and just go deconstruct how the songs were made. And they are fun. I do enjoy those. And so it sounds like this is along the same lines.

Graham

Along the same lines, but not as good, Dave. To be honest, Classic Albums is better.

Dave

So would you like to change your pick of the week to Classic Albums?

Graham

Yeah, I'm going to change it now to Classic Albums, which is a great documentary series.

Dave

You're going to have to figure out how to handle this in the show notes.

Graham

Dave, what's your pick of the week? Well, when we were growing up, I don't know about you, but there was always that one kid in the neighborhood who just seemed to have the coolest swing set or the boys down the street who had dirt bikes and go-karts.

Carole

Sean LaRochelle. Well, perfectly said. Thank you, Carole. I was hoping that would pass your muster.

Graham

I'm checking it out right now. This is extraordinary.

Carole

I love that they have what looks like flamethrowers, which I'm really hoping are just LEDs and smoke machines.

Graham

Well, you never know. So he's basically got a mountain with waterfalls and the like in his backyard. It's quite big and a roller coaster going around it as well.

Dave

He built a whole western village to go with it. Lockdown was generous to some folk. Well, that's the thing. This was their Covid project. And what's even more amazing, this is not their first one. He built a version of the Matterhorn, which is another Disneyland ride. That's the one with the yeti where you go through the mountain. It's supposed to be like a bobsled run. They built a miniature version of the Matterhorn, tore that one down to have the room to build the Big Thunder Mountain.

Graham

Oh my goodness. Isn't this amazing?

Dave

So I also included a link here that if this is something you want to get into but you don't have the time to really design your own, I have a link to a company who sells used full-size amusement rides. So full-size. If you ever wanted to, it's amusement-rides.com website here. You'll see in the show notes there. I never really thought about the fact that sometimes theme parks, they turn over their roller coasters and they just don't get scrapped and melted down for the metal. No, they get put on the used market. And so if you want a roller coaster, if you want a zipper, if you want a drop tower, this company has it all. And you can buy them. And what? I buy them. And then what? That is a good point. My wife and I have often looked at each other at the county fair and said, do we really want to put our children's life in the hands of people who are traveling from town to town?

Carole

Does this website give the prices?

Dave

Well, if you have to ask, Carole.

Carole

I just want to know how much does a double drop tower go for? I don't know. But who knew there was a used market for that? Now we know.

Graham

Terrific. And if any listeners have got an amusement park ride in their back garden, let us know. Send us the photographs. Tweet us.

Carole

Send us a pic. We'll make a whole show about it. Graham, what have you got for us? A Netflix series that dropped globally just a few weeks ago called Post Mortem: No One Dies in Skarnes.

Dave

Although I did start watching based on your recommendation. I started watching What We Do in the Shadows. Very funny, very funny.

Graham

I saw a bit of that as well and it was quite fun. I particularly like the modern vampire who... Yeah, totally. Okay, so you might like this then. This might be right up your alley, guys. The show opens with Liv — she's, I don't know, 20-something — being declared dead. Hours later she wakes up on the forensic table just as a knife is about to cut her open. Are you sure it's dubbed? Because, you know, if this does come from — because sometimes what they do is they re-film, don't they? They do every take in different languages.

Carole

Yeah. I think you need to watch it and you'll see that I'm pretty on point with that. Yeah. Okay. And the thing is, the writing is excellent. The twists and turns that happen are seriously unexpected. Like I can normally — I normally go, I think I've got it, I've got it, I've got it, but it's taken me about episode five to actually nail it down. So, and it's beautifully filmed. So just watch it. It's called Post Mortem: No One Dies in Skarnes. And it's beautiful in a very dark way. And you can find it on Netflix. Cool. Fantastic. Sounds great.

Dave

On Twitter, I am at Bittner. That's B-I-T-T-N-E-R. And other than that, just go to thecyberwire.com.

Graham

And you can follow us on Twitter at smashingsecurity. No G. Twitter must have a G. And we're also on Reddit in the smashingsecurity subreddit. And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast app. Go on, do it now.

Carole

And thanks to this week's episode sponsors, Privacy.com and 1Password, and to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship information, guest lists, and the entire back catalogue of more than 242 episodes, check out smashingsecurity.com. Until next time, cheerio. Bye-bye. Bye. Bye-bye. Hello, peeps, it's Carole. So as some of you know, I am trying to make headway into art land. And in learning a skill, you don't make cash. In fact, you spend cash in order to better yourself at the skill. Plus, you have to devote hours and hours every day to get better. Thing is, I wouldn't be able to do it without you listeners, you sponsors, you Patreon supporters, and reviewers. Like Doody Fish, who wrote this week: "This is undoubtedly the best lighthearted, entertaining podcast that covers cybersecurity, technology, and just about everything else. The hosts, Graham and Carole, are wonderfully teamed and have a brilliant rapport. The content is enjoyable and interesting. The guests are part of the family, new or revisiting. Certainly one to try. I listened to one episode recently, and now I'm going through the entire back catalogue. I love it. Keep it up, guys." Stay safe and see you next week.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Dave Bittner:

Show notes:

Sponsor: Privacy.com

Privacy.com lets you buy things online using virtual cards instead of having to use your real ones, protecting your identity and bank information on the internet. Right now, new customers will automatically get $5 to spend on their first purchase.

Go to privacy.com/smashing

Sponsor: 1Password

With 1Password you only ever need to memorize one password. All your other passwords and important information are protected by your Master Password, which only you know. Take the 14 day free trial now at 1password.com

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
