
ProtonMail finds itself in a privacy pickle, the big problem with Facebook’s algorithmic amplification, and strange things are happening on Banksy’s website.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire’s Dave Bittner.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
You don't go to Europol for that, do you? I mean, is that what Europol is for? This guy needs a shower?
Get me Europol on the line.
You call Europol.
And Brexit isn't looking so stupid now, is it?
Wow, you haven't chosen your audience very well.
Smashing Security, episode 242. Ransomware, ProtonMail privacy questioned, and Banksy blunder with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 242. My name's Graham Cluley.
And I'm Carole Theriault.
And we're joined this week by returning guest, a semi-regular, it is the CyberWire's Dave Bittner. Hello, Dave.
Hello, hello.
Do you like being known as the CyberWire's Dave Bittner? Do you want to be Dave Bittner, popular on?
I don't know. They pay my mortgage, so I'm okay with it.
Yeah, but they aren't paying us, are they? They're not sponsoring. No, not yet. So why are we plugging them?
I mean, we're technically competitors, right? We're friendly rivals, wouldn't you say?
I wouldn't say we're rivals.
I wouldn't say we're friendly.
I mean, we go after some of the, yeah, exactly. We share some of the same advertisers, which is good.
We share Carole Theriault.
We share Carole. Most importantly.
If we're competitors, what the fuck am I doing? I'll have to quit one of you guys.
Yeah. Well, it's pretty good over here in the good US of A, Carole.
It looks great.
My mind's made up. Let's thank this week's sponsors, privacy.com and 1Password. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
I will be reporting from La Belle France.
Dave, what about you?
I'm going to be looking into Facebook's algorithmic amplification. Whoa.
Okay. And I'm getting all arty and talking Banksy. All this and much more coming up on this episode of Smashing Security. Almost said CyberWire there.
Now, chums, chums, France.
Ah.
Formidable. La belle France. Home of the beret, the stripy shirt, the guillotine. People smoking chimneys, drinking wine, snorting cheese. You both fans of France? Ho ho ho! Wow.
I hate to say that I find this slightly offensive, just all round.
Dave, have you been to France?
I have been to France. I was only there once when I was a teenager. I was on one of those sort of band and choir trips where you visit all around Europe, and we were in Paris for a day or two, and it was delightful.
You got your little cultural injection.
Yeah.
Cultural injection.
Although I do remember that the waiters were quite rude, but I think that's not a bug, that's a feature, right?
Come, come, come, come. I don't think you'll find rude waiters in Paris. Surely not.
That has never happened to me.
Well, you speak fluent French. I do not.
Oh, you think it's a language thing? They think if you don't speak French, they're rude?
That's what I've heard. I don't know.
Well, I think it's a wonderful country. I think it's wonderful. Paris, fabulous place to visit. But alas—
Paris is just a city. You know that.
Yes, I know Paris is a city.
Okay, just checking. I'm just— that's—
What do you mean, just checking?
Well, you just said, oh, la France, Paris. It's like, well, there's a lot more places.
England, London.
London, so great.
So can I explain how my segment of the show works, right? It's a little bit like watching a movie, right? You have the swooping helicopter shot at the first— the first thing you see is you see the Earth hanging in orbit around the Sun, and we zoom into Europe.
We know where we are.
Okay, like the opening image from Radio Garden. Oh, sorry, I didn't want to bring up a touchy point.
Not again. We swoop into the Arc de Triomphe, the Eiffel Tower.
Out, bang, clash, kapow.
But alas, Paris is changing. The cutesy independent shops and cafes have been swept away by the tide of moneyed gentrification. They've been replaced by luxury brands aimed at tourists and boutiques selling designer gear.
Who don't like coffee.
Well, quite possibly not, or they're selling coffee which is substandard, dare I say, maybe even coffee which comes from American multinationals. So France and Paris in particular are being culturally destroyed, wiped out, and this isn't a good thing. In fact, pas très bien. It means not very good.
I have no idea what you just said. Oh, pas très bien.
Yeah, pas très bien. What does that mean, Carole?
That was not good. Yeah.
Oh, got it.
Now, some people aren't just grumbling into their dark black cups of coffee and listening to sorrowful accordion music.
Going zut alors.
Yeah. Mais non, malheureusement. No. They are revolting. They are protesting. For the past year or so, there is an anti-capitalist group called Youth for Climate. It's probably climate for youth or something. I imagine. Anti-capitalistic or pro-climate? Well, they do a bit of everything. They cover a number of things.
They have a long list of grievances.
They do. They do. They don't like Airbnb. They don't like rising property prices. They don't like posh restaurants. They don't like all the capitalism, all the money coming in. They do not like the gentrification of Paris. And so they have occupied some buildings in part of Paris called Place Sainte-Damien. What? And they are used— what?
Can you spell it, please? Place. P-L-A-C-E. Is that Santa? Santa.
Okay, Santa. And then Marthe, which is like Martha but with an E on the end instead of an A.
Sainte Marthe. Okay.
Place Sainte Marthe. Place Sainte Marthe.
Very good. So they've occupied buildings there, right? And they've been there for about a year.
Are they paying rent? They're not paying rent. That would rather go against the whole anti-capitalist bit, wouldn't it? I was just thinking during COVID maybe the rents were really, you know, slashed and, you know.
I don't think it's much of a protest if you're there with the permission of the landlord and paying rent. I think it just means you've moved in. So this is part of the protest. Their headquarters is part of the protest. They've occupied these buildings.
Right.
And French police have been trying to identify who is operating the group's email account. And this is an email account hosted at ProtonMail. Are you familiar with ProtonMail, guys?
Yep.
Right. For any listeners who are—
You use it, don't you? Yeah.
Yeah. I've got ProtonMail. I don't use it as my main account, but I do have a ProtonMail account. It's a really simple, easy way to get end-to-end encrypted email, which means that they can't read your messages and the authorities can't read your messages either because they're all encrypted. And it's much, much easier than setting up PGP or something like that.
Now, Graham, is ProtonMail a closed system? In other words, can you only communicate with other ProtonMail users?
So it is completely end-to-end encrypted if you are speaking to other ProtonMail users. If you're speaking to the outside world, you do have the option of importing their PGP keys, and then you can very easily communicate encrypted with the outside world as well. But by default it wouldn't be encrypting with the outside world, but certainly ProtonMail to ProtonMail, it's all end-to-end encrypted.
Mm-hmm.
Now, ProtonMail has become really popular over the last few years because it's got this really strong focus on privacy. A lot of the messaging on their website makes emphasis of the fact that they are based in Switzerland. Their servers aren't based in America, they're in Switzerland. All the user data is protected by strict Swiss privacy laws.
Yeah. And word on the street, if you kind of listen in to little forums where a lot of techies hang out, they all kind of go, oh, ProtonMail, ProtonMail, ProtonMail. So yeah, it's got a kind of cachet, doesn't it?
Yeah. And not just people who are sort of privacy conscious for legitimate reasons, but also bad guys and cybercriminals will often use ProtonMail, or you will see messages inside ransom notes where they'll ask you to contact them via ProtonMail. Spammers, scammers, and so forth will use that. And ProtonMail, to its credit, you know, it would obviously regard that as a breach of its terms and conditions because it's criminal activity, and they would shut down accounts.
So ProtonMail, you pay for it by subscription. You can get a free account as well, but use it full blast, you pay some money.
So it's not advertisers. And so that's another big difference from using things—
It sounds like an advertisement for it. Okay. Well, USBs. Jesus.
Well, is it?
Is it?
Is it?
But wait, there's more.
Because ProtonMail, I said, makes this big thing about our encryption can't be bypassed. The email content can't be compromised by legal orders. But if you read the privacy policy, which I'm sure, Carole, you would have done if you were a user, it does admit that it can access some information. So what is accessible is the sender and recipient's email addresses, the IP addresses that incoming messages originate from, message subjects, and message sent and received times. So there is some—
So basically everything except for the content of the message.
Well, yeah, but that's really to do with the SMTP specification.
Yeah.
Which is as old as time itself because the email headers aren't encrypted.
Mm-hmm.
So not really necessarily enough for the authorities to sort of hang their hat on. Anyway, French police, they wanted to identify who was operating this account, but ProtonMail, which is based in Switzerland, when they got the request from the French police, they'd kind of go, pshh. Ah, you've got no jurisdiction over us. You are French.
Not Swiss.
Yeah, yeah, exactly. You're not Swiss. Why should we do anything for you? We obey Swiss law. So the French went to Europol, and Europol got a Swiss court order which compelled ProtonMail to play ball and saying, you've got to gather some information, details of who is using this account. And this has kicked up an enormous stink amongst all the privacy wonks. It's like, oh, ProtonMail, you told us we were secure, but you've now gone and assisted French police with this investigation. It's not like this guy was a cybercriminal or, you know, something like that. He was an activist. And why are you doing this? And ProtonMail is saying, well, we have to abide by Swiss law.
I kind of agree with that. I mean, I don't know what this activist group have done, right? I don't know if they have broken the law in ways that are as dangerous for the public or whatever.
I mean, obviously they're occupying some property without permission and they might be causing a nuisance. Maybe they haven't washed their hair enough. But again, you know, these are things which you could charge against many people in Paris.
You don't go to Europol for that. Do you? I mean, is that what Europol is for? This guy needs a shower?
Mm-hmm.
Get me Europol on the line.
You call Europol.
And Brexit isn't looking so stupid now, is it?
Wow, you haven't chosen your audience very well.
First Radio Garden, now this. So I imagine the French managed to convince the Swiss authorities that this would be a crime under Swiss law as well as French law, whatever it might be. ProtonMail says, if you are breaking Swiss law, we can be legally compelled to log your IP address as you log in as part of a Swiss criminal investigation, and that is what's happened.
Well, and that was part of their marketing, was that even if they were able to see stuff, they weren't logging it, right?
That's right. They don't log it by default, all of this stuff, but they can be compelled under Swiss law to begin to log stuff. The thing is, ProtonMail said that if we are compelled to begin to log your IP address as you log into ProtonMail, we will inform you again under Swiss law. You're required to tell the user you are being monitored, right? But under certain circumstances, the notification of the user, quote, can be delayed. Under Swiss law. So if the authorities put together a convincing argument as to why, well, we don't really want you to tell the user that we're watching them right now.
This is properly Dickensian. This is just— and Orwellian. This is just—
There's a lot of -ians. Yes. So ProtonMail did, it appears, delay notifying Youth for Climate that they were being monitored. At least the owner of that email account, for 8 months.
So were they compelled by Europol not to tell them, or they chose not to tell them? Do you know?
Well, no, I want to come to the defense of ProtonMail here. I really believe ProtonMail are the equivalents of these guys who are protesting in Paris. They are activists as well. They are really hot on security and privacy, and they do seem to really believe in it. I would assume that they were told, you may not tell them. And I think this would have pained them greatly, but I think they were forced by the Swiss authorities to not tell their user that they were being monitored for 8 whole months.
You see this Europol guy going, "Of course, if you choose not to comply with our wishes, we could make life very difficult for you." Yeah, we'll cut off your supply of cuckoo clocks.
And holy cheese.
I think Europol will have more jurisdiction than that.
Do you think?
Yeah, I don't think they're just sticking in, you know, the Swiss food market.
So everyone's ganging up on ProtonMail right now, saying, oh, it's outrageous what you've done. And ProtonMail, I think, reasonably, reasonably, are saying, well, you know, it doesn't matter who you use unless you are based 15 miles offshore in international waters. The company you use to handle your email has to comply with the law, and it feels that it's done everything that it could to reduce the amount of information it was collecting and to play by the law in Switzerland. And Switzerland does clearly have stronger privacy laws than many other countries around the world.
Hmm. I see a market opportunity here.
Yes.
Right?
Yeah, I see it too. When are we going to get our rowing boat? Exactly. When are we going to get our pedalo?
All right, a solar-powered barge 15 miles offshore. Come on.
What is this, Waterworld all of a sudden? Who was it, Kevin Costner? Was that who it was?
Satellite? Yeah, satellite internet. Why not? I think we're on to something here, Graham.
Yeah, I'll visit occasionally.
Dave, what have you got for us this week?
Well, let's talk about Facebook, shall we? None of us are active on Facebook. Is that right?
No.
Graham?
No, I'm not on Facebook, no.
No, me neither. I didn't actually delete my account, but I made it inactive. So it's sort of there in—
A memorial to Dave Bittner.
Exactly. You can go look me up there, but I haven't done anything on there in probably about two years. Now, why did you choose not to be on Facebook? Carole, why don't you start off? What was your decision there?
So I think I was early to the game. But actually, within a year, I found it really quite like, oh my God, my life's so great. I think it was— I didn't like where social media was going even then. So I kind of— and then people used to post pictures of me on it a lot. And I hated it tagging me. You know, I hated all that when people didn't ask. Yeah.
Graham, what about you?
Yeah, I, you know, I had an account for a while promoting my blog and things. But, you know, it's just vile, isn't it? And of course we shut down the Smashing Security Facebook page as well. We used to have it to promote the podcast, and then we thought, no, we shouldn't be doing this. But generally it's looking at Mark Zuckerberg and just thinking, oh, just wanting to give him a slap, really. Just thinking, oh, this is just so unpleasant and vile and just like—
Okay, two islands, Piers Morgan or Mark Zuckerberg. Which one do you swim to?
God, I just want to be eaten by the shark scroll. I don't— I'll drown. I'll drown. I mean—
It's like the end of Titanic. He'll just sink, sink to the bottom. Well, so we're talking this week about a story from Mother Jones, which, full disclosure, is a left-leaning nonprofit publication. They have a decidedly progressive bent, so take everything we're gonna talk about that comes from this article with that in mind. They did some digging into Facebook's algorithms and the way that they work. This is an article titled—
I'm sure it was perfect.
It's titled Why Facebook Won't Stop Pushing Propaganda. It's written by Monika Bauerlein and Clara Jeffery. And Mother Jones admittedly has a horse in this race. They saw their numbers fall off significantly when Facebook made some adjustments to their algorithms.
Assume, you—
But really, this article is focused on what they refer to as algorithmic amplification. And that is the tools that Facebook has to amplify the things that it thinks are going to make you more engaged with the platform. So as anyone who's been on Facebook knows, there are the things you see from your friends and family, your baby pictures and friends on vacation and just all the things that remind you how much better everyone else's life is than yours.
Yeah. Oh my God, it's so brilliant!
Right. So all of that stuff comes by, but then there's things that just sort of pop up randomly. They could be news things, they could, you know, all sorts of things. But Facebook figures out based on it analyzing your interests and things that you click on, it gives you more of the things that it thinks are going to lead to more engagement. And that's really the key thing here is that it's not giving you more things that it thinks you're generally interested in from a learning point of view, from a bettering yourself point of view. It's really about getting you to spend more time on Facebook.
It's like having a baby and going, gee, baby likes applesauce. Let's feed him applesauce, more applesauce. Give him applesauce, applesauce.
So every time the baby is crying, I give it applesauce and it's happy. Yeah, right. Next thing you know, the baby's dead.
Exactly.
Right.
Right. Right.
So Facebook is looking for the stickiest content, the stuff which it knows you're going to keep on coming back for in order that you keep on coming back to Facebook. Is that right?
Right. Absolutely. Absolutely. And some interesting things I pulled from this article here that speak to this. There was a scholar from the Stanford Internet Observatory named Renee DiResta, and they said free speech is not the same as free reach. And I think that's really— isn't that interesting? Yeah.
And so what does that mean? I'm a little bit stupid. What does that mean? Free speech? Well, same as free reach?
Well, the ability to say things without someone deleting the thing you say is not the same thing as having the thing you said amplified and spread around to millions of people.
So if you're Graham Cluley tweeting versus you're Carole Theriault tweeting, you will just naturally get way more reach. Now, I would argue that Graham gets way more reach because he's spent a fuck ton more time, you know, curating his following and posting stuff and being hilarious in his socials. Right? So deserving, you know, of this class of people. And I haven't. So, and I don't have it. So I can't.
What this reminded me, this notion of free speech not being the same as free reach reminded me of when former President Trump was kicked off of Twitter and went to start his own blog where he could basically do the same sort of information sharing that he had done on Twitter. His blog was a flop, right? So it wasn't what he was saying. It was the amplification that came from the platform. It was that there were hundreds of millions of people who had this automatically spoon-fed to them every day as part of their feed. That was the real power from social media. At least that's my interpretation of it.
Also, the power came from naysayers, right? Naysayers may not go to his blog, but it's there in front of them on Twitter. And by dissenting, they're still contributing to the conversation, not making him irrelevant, right?
Right. And incentivizing other people to chime in with their opinions.
Yeah, yeah, I agree. Yeah.
A couple other points here. It says the real problem is that Facebook profits partly by amplifying lies and selling dangerous targeting tools that allow political operatives to engage in a new level of information warfare. Its business model exploits our data to let advertisers aim at us, showing each of us a different version of the truth and manipulating us with hyper-customized ads.
I don't disagree with that.
No, I think this is interesting too, because imagine if you had a billboard on the side of the road, right? And you put something provocative on that billboard that half of the population would agree with and half would find very offensive. Well, chances are the people who found it offensive would reach out to the billboard company. They'd reach out to the people who paid for the billboard and so on and so forth. But if they never saw that ad, if that ad was only shown to the people who would already agree with it, that's a very different proposition, isn't it? And Facebook enables advertisers to do that in a much more powerful way than I think was available previously.
Oh, totally.
Easily, yeah.
So the article talks about how there are some legislators who are trying to kick in what they're calling algorithmic accountability. Senator Cory Booker from New Jersey, Ron Wyden from Oregon, he's always on top of these sorts of things. Yvette Clarke from New York. They have introduced legislation that would require companies to analyze and disclose highly sensitive automated decision systems on social platforms and in artificial intelligence tools. I have thought about this, and I wonder if we don't need an algorithmic equivalent of the FDA, where before you turn loose an algorithm on the general public, at the scale of which companies like Facebook, companies like Google operate, that first you must prove that it will do no harm. It must be— there's some regulatory organization will analyze it, and that doesn't necessarily mean that it has to be shared with the general public. Maybe it is still kept a trade secret the way that drugs are, but at least you have to demonstrate— a third party has to agree that this algorithm will do no harm. I realize people are going to say that's going to stop innovation and they won't be able to iterate on their algorithm and so on and so forth. But I think we've just seen that the way these algorithms function, and when you combine that with the fact that, in my opinion anyway, when given the choice, Facebook will always do what is in the best interest of Facebook.
Of course.
You cannot trust Facebook to do the right thing. And again, some people will say, well, that's capitalism. Yes, it's partially capitalism. But I think there are also capitalistic companies who are good citizens, who are within the confines of doing their business and making their money, are also trying to do the right thing. And I'm not convinced that that's a core value that Facebook believes in.
Yeah, capitalism without any morals or lacking in morality or ethics kind of is chaos, really.
And let's not forget Facebook's origin story, right? I mean, Facebook was, it's a website to judge female college students by their looks. Hot or not.
Yeah.
Yeah. So that is the foundation on which this was built. And I think it's worth remembering.
So good. We're all doomed. We're all doomed.
Another fun topic.
There's no fix. Zuckerberg has ruined—
Save us, Carole.
Save us. You're our only hope.
I always do.
Carole, what have you got?
You may remember a little while ago, we did an intro to NFTs on Smashing Security. So that was episode 226. And by we, I mean, of course, me, because Graham, you were there, but I did the story.
I wasn't really there. I wasn't really present during that bit.
That's so nice.
Non-fungible tokens, right?
That's right. It's an identification of ownership of something original in the digital or physical realm. Okay. And it's not the same as copyright. It's an identification of ownership. So now loads of people are playing around, well loads, a smattering of people are playing around with it and making a fast buck. Others are testing its mettle. Some are saying it's the biggest scam since doctors advertising cigarettes as good for us. And enter graffiti art god Banksy. Now, everyone listening has heard of Banksy. What do you know of him, Dave, Graham?
Well, he's certainly, he's a hot property, isn't he? Whether or not you like his stuff, and I do think that there is a good amount of talent there. I don't know that I agree with the enthusiasm that comes with the collectors of his work. But that's my opinion. I mean, art is worth whatever someone's willing to pay for it. So there you go.
I think he's awesome. I think he's great. I think he's a good artist. And he regularly will take some— the side of someone's rubbish building and dramatically increase its worth by daubing on it overnight. And I think it's great.
He's one of the top earners in the art world, like Damien Hirst, earning well over a million quid for some of his well-known works. And do you remember, Graham, one of his early art coup d'états was in 2004 at the Notting Hill Carnival. He handed out fake £10 notes with the face of Lady Di replacing the Queen's. And it was stamped "Banksy of England." 2004.
I was only 14 at the time, so I don't really remember that. What?
2004? You were 14?
I was a bit young. I don't remember that one. But anyway, carry on. Hmm.
What is going on? The biggest thing about Banksy is that no one seems to know who he is. Well, obviously, some people know who he is, but the public, the general public, does not know who he is, 'cause he does everything on the down low. Right. And you often have to wait till after the event of his unveiling of his artwork for him to take, you know, his invisible bow and take ownership of it. Okay. So setting the scene here. Last Tuesday morning, a piece of digital art popped up on Banksy's official website. Okay.
Right.
And this was Banksy.co.uk/NFT. And on this page was a JPEG. The JPEG was called The Great Redistribution of the Climate Change Disaster. And with this was a digital image showing a pixelated man in shades puffing on a gasper in front of some smoking chimneys. Now, no surprise to our super switched-on listeners that the blockchain tech is seen by many as an environmental shit show. Politely put, it's extremely energy hungry, right? Like those hot dog eating contestants. Like none of us stand a chance. And so maybe this was a commentary from Banksy on the climate change blockchain thing going on because underneath was a link to the auction site OpenSea, a crypto NFT site.
Okay, so you could buy the NFT of this image, right?
The picture obviously doesn't look much. It's kind of very pixelated, very basic. But then I would say a lot of the hype around the NFT market is ridiculously simple pixel artwork. All that, you know, all that stuff, that CryptoPunk hype. You guys remember that?
Yeah.
Where you've got these kind of, there's 10,000+ little drawings that people are selling on Ethereum. Yeah, yeah.
Right.
The million-dollar webpage. Remember that?
Exactly. They're at a billion dollars now. They're at a billion-dollar market now.
But I mean, even if it looks amateurish, if it's an image which, you know, an NFT from Banksy, someone's gonna want that 'cause it's by Banksy, right?
Exactly.
Yeah. Right.
It's a little bit different than his normal style, but then if he's poking fun at this whole NFT game and, you know, mocking the whole CryptoPunk hype and maybe you're gonna give the money afterwards to some charity. So we get this art collector, right? Who gets wind of this webpage. And he's perusing the official website and he sees this and he's, I have to act quick, right? You know, to get ahold of this NFT, because this is fricking gold. And thank the gods that he was rich enough to play this NFT game. So this art dude being no chump, you know, gets his skates on and goes to the auction. And you know, there's people bidding, there's people bidding, and he jumps in and offers 90% more than any of the rival bidders.
Boom.
That's £250,000. Over $300,000. And no one else bids. And he secures the NFT for the Banksy GIF work making him the owner. And bada bing, bada boom. Or is it? Is it? It turns out that the GIF was not created by the graffiti king Banksy. And it turned out that the official Banksy website got hacked. And the image and the link uploaded was uploaded by an unauthorized third party.
So, okay, so the thing being auctioned on Banksy's website wasn't authorized by Banksy, wasn't a Banksy, and someone has just made off with, what did you say, $300,000? Yeah. Crumbs.
There was just a link from the Banksy official website to the OpenSea crypto market for this particular work. And as soon as it was achieved, right, as soon as it was accepted, this huge offer of $300,000, the money went straight off to the scammer, not to Banksy Incorporated or whatever.
Via cryptocurrency.
Via cryptocurrency.
Or so Banksy says. Well, yes, we're going to come to that.
We're going to come to that. We're coming to that. So yeah, keep that head on, Dave. Now apparently the art collector explained to Joe Tidy, friend of the show, right, on the BBC, said, I confirmed the URL on PC and mobile before bidding. I only made the bid because it was hosted on his site, meaning Banksy's. When the bid was accepted, I immediately thought it was probably fake. And I don't know why he says— why would he think that? Maybe because it was too low. Maybe he thought, like, you know, maybe he was just doing a dumb bid, right? Because maybe he doesn't have $300,000. He's oh my God.
We've all been there. Yeah.
So who was this digital scallywag that took all his cash, right? The auction, you know, the art collector wants to know. So he goes out on Twitter, talks to people and tweets out and makes a bit of a stink. And funnily enough, the money gets returned to his Ethereum account.
Hmm.
So that's interesting, right?
Mm-hmm.
Now he got all his money back except for the transaction fee that OpenSea takes. So £5,000 or $6,000, $7,000. Oh, and I haven't told you the name. Well, the moniker of this art collector who's been going around to the press.
Okay.
Are you ready for this?
Graham Cluley.
No, no, it's about that. It's almost— it's close. It's close. Are you ready? Are you ready?
I'm ready.
Pranksy.
Pranksy.
Pranksy.
Of course, of course. He's the purchaser, or he was this—
He's the purchaser, and apparently he created this moniker or pseudonym or whatever ages ago in honor of Banksy, but it doesn't bode very well during this little media parade.
Okay, right. I'm beginning to get a bit suspicious.
Okay, talk to me, talk to me. I'm listening.
Well, first of all, Banksy's a bit of a prankster himself, isn't he? Do you remember he was having that famous piece of art? I think it was the one with the girl.
Yeah, girl with the heart balloon. Yeah.
And the balloon. Yeah. It was being auctioned and it was a televised auction. And then as the auction finished and someone had won it, and then the frame sort of stirred into action and went— and the art was shredded. So it became a new piece of art.
Well, half of it.
Yeah. Which was awesome, wasn't it? But obviously—
It was. And it's interesting because it's just now going back up to market. So the guy who bought it for $1.1 million probably got bored of seeing half a work of art.
Yeah, but it's now even more famous, right? Because—
Well, I know, but is it going to be worth more money? It's just—
Because is that not modern art itself? So if the— So let's— Right. Okay. This is really interesting. I didn't know all this about this Banksy thing. If Banksy's website got hacked and someone managed to direct people to an auction and they stole $300,000, a large amount of money.
Yeah, not a wonga.
It feels unlikely that they would return the money. It's the kind of stunt which Banksy himself would pull off because he has been brilliant at manipulating the media over the years.
Well, he has, but also interestingly, he is very much not a fan of copyright or any of this, and that's a source of a lot of his dramas because it means that people can reproduce his images, card companies, and use his images, and he's not going to claim rights. And the reason he doesn't have copyright is because you have to declare who you are as the owner.
Oh, really?
So I don't know why he wouldn't just say someone else is the owner, but then that would give them legitimate rights over all his artwork. So he trades and trades, or he works in trademarks, not copyrights.
Could you not claim that the copyright owner is someone who is in a permanent vegetative state in some hospice or something? And so they wouldn't be able to—
Banksy, if you're listening, you know, take notes.
Okay, so I think either Banksy was in on it or maybe Pranksy—
So ridiculous—
Was someone who found a vulnerability on Banksy's website, set up this fake thing, put in this ridiculous bid knowing that he was going to get his money back, and got plenty of attention. Which is—
And now he's getting tons of press attention, including on Smashing Security.
And so is Banksy as well.
What if it was someone who wasn't expecting this much money and now is afraid of the amount of heat that could be—
Oh, I'm sure— put on your poll, right?
Oh no, well, we don't know where they are, but I mean, because this isn't the first— this isn't the only incident here where cryptocurrency is being returned.
No, no, no. People are maybe getting nervous if it's too much moolah. Yeah, right. Now the last thing in the tale is a US-based ethical hacker has recently come out saying they had previously noticed the Banksy site was vulnerable, quote, allowed you to create arbitrary files on the website and post your own pages and content, they told the BBC. And they said they reached out and told them and even tried to reach out to them on Instagram and got no response from Team Banksy.
Even on Instagram, they didn't get a response. I know, I know. From them, they should have made a TikTok video. That's how you get attention these days. You can't just use Instagram.
That's right, you gotta— yeah, find a song.
Yeah, should have had it amplified on Facebook.
This all seems a bit of a rum old story to me.
The Banksy team have said nothing to do with us, we have nothing to do with NFTs, nothing. They have not made a comment about their website being hacked or anything like that, but they are saying nothing to do with us, guv.
Hmm. Do we know from the ethical hacker whether the vulnerability still exists?
No, the page has been taken down. I haven't gone and checked the website out to see.
It does point to a serious security issue that lots of companies fall victim to, which is that people can gain access to their website and then they're able to post something using the actual URL from the website. As you said, Carole, the buyer here checked on mobile and on desktop to make sure the URL was correct, and it was.
I know, I know. And you kind of think, well, Team Banksy, look, you probably have a lot of wonga in the bank. Maybe you need to hire a better IT, you know, risk assessors and get your site up to scratch. But then they were never expecting— they weren't doing NFTs. It was just some web page. Yeah, it's, I don't know, as a fellow artist, you know?
Well, more publicity for Banksy, right? So there's that.
Are you a fellow artist, Carole? Do you have a website where you are promoting your art?
I do, I do, which is gonna be updated soon, Graham. So watch this space.
Is it securecarole.wtf? Is that website?
It will be by the time the show goes out, right, Cluley?
This episode is brought to you by the folks at Privacy.com. Privacy lets you buy things online using virtual cards instead of having to use your real ones, protecting your identity and bank information on the internet. What a fantastic idea that is, and a great way of keeping your details out of the hands of the bad guys. Right now, new customers will automatically get $5 to spend on their first purchase. All you've got to do is go to privacy.com/smashing to sign up now. And thanks to Privacy.com for supporting the show. Around 80% of business data breaches result from weak or reused passwords. Using 1Password in your company can close the gaps in your security, combat shadow IT, and help your workers stay both productive and secure wherever they are. With the right tools and the right mindset, you can create a culture with 1Password where your employees feel empowered to share responsibility for security risk management. Everyone needs to be on board, working together to stay protected. Find out more and try 1Password for free for 14 days at 1password.com. And thanks to 1Password for sponsoring the show. And welcome back. And you join us for our favourite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
Better not be.
Well, my Pick of the Week this week is not security related. I have been watching something called the television. And on this invention called the television, I've been watching a streaming program available on Hulu and Disney+ called McCartney 321, which you won't be surprised to hear is all about Paul McCartney. Rick Rubin, who's basically Gandalf, he's the Gandalf of record producers. He has a cosy black and white chat with the former Beatle about his songwriting and songs. And they're basically sat there at a mixing board, fiddling with their buttons and listening to some old songs and asking, why did you do that? Or what's all this about? It's not, okay, although this is my pick of the week and I did enjoy it, there's 6 episodes, 30 minutes. It's not incredible.
Well, thanks for making it your pick of the week and telling all our thousands and thousands of listeners about it.
Well, get right on that.
It was enjoyable, but if you're a Beatles obsessive like me, you've kind of heard it all before.
Okay, can I ask a question?
Yes.
If you're watching the show and you needed to go for an urgent bathroom break, would you press pause?
I would press pause.
If the remote was on the opposite direction of you, it wasn't on your way to the bathroom, you'd have to walk—
How urgent is the bathroom break? I mean, what sort of—
Pretty urgent.
Is it a brown alert? What are we talking about here?
I don't know.
Is it going to be a quick bathroom break or are you going to be in there a while?
I don't know. You just have to— Jesus, guys, guys, guys, guys, guys.
There's a couple of things which annoyed me about this. I do think it's worth watching, but there's just as with any work of art, there can be some flaws. And McCartney's voice isn't what it was, right? So he doesn't always sing along. Sometimes he sort of hums along.
Is he still alive?
He is still alive, but he's getting on a bit and his voice is broken. Meanwhile, Rick Rubin, who is a very— you know, he did all those Johnny Cash LPs. Didn't he set up Def Jam or something like that? You know, he's a world-renowned producer.
Dude.
He's a dude, right? McCartney will say something and Rick Rubin will go, wow. Like, well, of course, you know, Paul McCartney saying, well, so what we did was we went one octave lower because we slowed it down. You know, it's like, and he's going, oh, that's amazing. And you think, no, it's not that amazing.
It's like the Chris Farley interview on Saturday Night Live.
Remember that?
With Paul McCartney.
Graham, you would love if I did that to you.
What, if I told you? Every time you spoke, I would go, wow, Graham, you're so smart. That's an amazing, amazing point you just made. Yeah, you've just done it in a very sarcastic fashion. I don't think Rick Rubin was doing it out of sarcasm. Anyway, there's great music in it. You do get to hear some incredible bass playing, and it's worth checking out. It's McCartney 321. It's on Disney Plus and Hulu. I've enjoyed it, but I just thought it could have been a bit better. What I'm actually looking forward to is Peter Jackson's Get Back documentary. That's going to be awesome.
There's a series of documentaries from, I don't know, probably a decade ago called Classic Albums.
Oh, yes.
And it's a similar sort of thing where they sit down at the mixing board with the artists and just go deconstruct how the songs were made. And they are fun. I do enjoy those. And so it sounds like this is along the same lines.
Along the same lines, but not as good, Dave. To be honest, Classic Albums is better.
So would you like to change your pick of the week to Classic Albums?
Yeah, I'm going to change it now to Classic Albums, which is a great documentary series.
You're going to have to figure out how to handle this in the show notes.
Dave, what's your pick of the week?
Well, when we were growing up, I don't know about you, but there was always that one kid in the neighborhood who just seemed to have the coolest swing set, or, you know, the boys down the street who had dirt bikes and go-karts, yeah, BB guns, you know, everything. They had all the Star Wars action figures and just like, they had everything. Right. Typically it was a group of boys. They also had permissive parents who would just let them run wild throughout the neighborhood. And so no one could compete with them. Well, my pick of the week this week is someone who is definitely out there trying to be the home in the neighborhood that no one can compete with. And this is a gentleman by the name of Sean LaRochelle.
Sean LaRochelle. Well, perfectly said.
Thank you, Carole. I was hoping that would pass your muster. He has built a backyard roller coaster called Little Thunder, which is inspired by Big Thunder Mountain at Disney World and Disneyland. All the Disney parks have their Big Thunder Mountains. And he and his family and friends have built a small-scale version of Big Thunder Mountain Railroad, and it is amazing. They have a YouTube ride-through of the ride.
Oh my goodness. I'm checking it out right now.
Yeah.
This is extraordinary.
I love that they have what looks like flamethrowers, which I'm really hoping are just LEDs and smoke machines.
Well, you never know.
So he's basically got a mountain with waterfalls and the like in his backyard.
Yep.
It's quite big and a roller coaster going round it as well.
Built a whole western village to go with it.
And lockdown is generous to some folk.
Yeah.
Well, that's the thing. This was their COVID project. And what's even more amazing, this is not their first one. Right? He built a version of the Matterhorn, which is another Disneyland ride. That's the one with the Yeti where you go through the mountain.
Wow. Oh my goodness.
Yeah, isn't this amazing?
Yeah.
So I also included a link here that if you— if this is something you want to get into, but you don't have the time to really design your own, I have a link to a company who sells used full-size amusement rides. So full-size, full-size. So if you ever wanted to, it's amusement-rides.com website here. You'll see in the show notes there. I never really thought about the fact that sometimes theme parks, they turn over their roller coasters and they just don't get scrapped and melted down for the metal. No, they get put on the used market. And so if you want a roller coaster, if you want a zipper, if you want a drop tower, this company has it all and you can buy them.
And what, I buy them and then what? Anyone can just come on and I put it together?
Just put it in the back garden. Yeah.
Right.
Why not?
You know, the Oxford St. Giles' Fair is on right now.
Yeah.
Yeah. And that has rides. Yeah, I don't go on those rides either.
No, that is a good point. My wife and I have often looked at each other at the county fair and said, do we really want to put our children's life in the hands of people who are traveling from town to town?
Yeah.
I don't know, but, and yet we do. But yeah, there are, I mean, you can get a Ferris wheel, you could get a carousel, but you could get a full-sized roller coaster that can carry 28 people at a time on this website.
Does this website give the prices?
Well, if you have to ask, Carole.
I just wanna know how much does a double combo tower go for?
Right. I don't know. I don't know. We all do now. We all do now.
Right. And so the backyard Little Thunder Railroad and the amusement rides used market for full-size theme park rides combined, those are my pick of the week.
Terrific. And if any listeners have got an amusement park ride in their back garden, let us know.
Yeah, send us a pic. Yeah, we'll make a whole show about it.
Right. Carole, what have you got for us?
A Netflix series that dropped globally just a few weeks ago called Post Mortem: No One Dies in Skarnes. Now, first, this is probably not for you, D-Dog, because I know that you're not a fan of the horror scary stuff.
Although I did start watching, based on your recommendation, I started watching What We Do in the Shadows.
Good, right?
Very funny, very funny, very funny.
I saw a bit of that as well and it was quite fun. I particularly like the modern vampire who—
Yeah, yes, yes, yes, yeah, totally. Okay, you might like this then. This might be right up your alleys, guys. The show opens with Liv, okay, she's, I don't know, 20-something, being declared dead. Hours later, she wakes up on the forensic table just as the knife is about to cut her open. And she realizes that she's developed a dislike for food, but a yearning for blood. And the only funeral place in this small town is run by her brother, who is facing mounting debt due to people's refusal to die as they used to. No one dies in Skarnes. That's probably why the name of the show is named this. Now, it is a bit spooky and a bit gross, but it's also very funny. It's a perfect dark comedy. And I think one of the things that I loved most, and I don't know if this is the case, so I'd love for you to watch it, Dave, and tell me if in the States it's the same. But the dubbing, so I'm watching it, and I never do that. I normally watch in original language and read it. But for some reason, we were watching it dubbed. And in the UK, at least, it's bloody fantastic. Whoever chose the voice actors. They're all UK voices from all around, but it's just a hat tip to them because there's really strong characters in the voices and they're just done with really great care.
They're beautiful. Are you sure it's dubbed? Because if this does come from—
Yes.
Because sometimes what they do is they refilm, don't they? They do every take in different languages.
Yeah.
I think you need to watch it and you'll see that I'm pretty on point with that. Yeah. And the thing is, is the writing is excellent. The twists and turns that happen are seriously unexpected. I normally go, "I think I've got it, I've got it, I've got it," but it's taken to about episode 5 to actually nail it down. And it's beautifully filmed, so just watch it.
Right.
It's called Post Mortem: No One Dies in Skarnes, and it's beautiful in a very dark way. And you can find it on Netflix.
Cool.
Fantastic. Sounds great. Well, a good and motley collection of picks of the week this week, which just about wraps up the show for this week. Dave, I'm sure lots of our listeners would love to follow you online. What is the best way for folks to find out what you're up to?
On Twitter, I am @Bittner. That's B-I-T-T-N-E-R.
And you can follow us on Twitter @SmashinSecurity, no G, Twitter must have a G. And we're also on Reddit in the Smashing Security subreddit. And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast app. Go on, do it now.
And thanks to this week's episode sponsors, Privacy.com and 1Password, and to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 242 episodes, check out smashingsecurity.com.
Until next time, cheerio, bye-bye, bye-bye.
Hello peeps, it's Carole. So as some of you know, I am trying to make headway into art land and in learning... When you're learning a skill, you don't make cash. In fact, you spend cash in order to better yourself at the skill. Plus, you have to devote hours and hours every day to get better. Thing is, I wouldn't be able to do it without you listeners, you sponsors, you Patreon supporters, and reviewers. Like Doodie Fish, who wrote this week: This is undoubtedly the best lighthearted entertaining podcast that covers cybersecurity, technology, and just about everything else. The hosts Graham and Carole are a wonderful team and have a brilliant rapport. The content is enjoyable and interesting. The guests are part of the family, new or revisiting. Certainly one to try. I listened to one episode recently and now I'm going through the entire back catalog. I love it. Keep it up, guys. 5 stars from Doodie Fish. So from the bottom of this little artist wannabe's heart, and on behalf of Graham, we thank you all for supporting the Smashing Security community, because you make a difference. Stay safe and see you next week.
Oh!
Hosts: Graham Cluley, Carole Theriault
Guest: Dave Bittner
Show notes:
- ProtonMail logged IP address of French activist after order by Swiss authorities — TechCrunch.
- Important clarifications regarding arrest of climate activist — ProtonMail.
- Information for Law Enforcement Authorities — ProtonMail.
- Tweet by Andy Yen, founder of ProtonMail.
- Why Facebook Won’t Stop Pushing Propaganda — Mother Jones.
- Fake Banksy NFT sold through artist's website for £244k — BBC News.
- A fake Banksy sold for $330K is a perfect symbol of a wild NFT market — The Next Web.
- Banksy was warned about website flaw before NFT hack scam — BBC News.
- McCartney 3,2,1 – Trailer — YouTube.
- Classic Albums — BBC Four.
- Backyard Coaster POV | Little Thunder — YouTube.
- Inside the Most Impressive Backyard Roller Coaster I've Ever Seen: Little Thunder — Coaster 101.
- Pre-owned Rides for sale.
- Netflix Drops Trailer for New Norwegian Vampire Comedy Post Mortem: No One Dies in Skarnes — Netflix.
- Post Mortem: No One Dies in Skarnes — Netflix.
Warning: This podcast may contain nuts, adult themes, and rude language.