Smashing Security podcast #253: Cybercrime unicorns, HVAC hacks, and NFT piracy – with Mikko Hyppönen

Industry veterans, chatting about computer security and online privacy.

Graham Cluley


Heating systems are left vulnerable to attack in the high courts, cybercrime unicorns have become a reality (but what are they?), over 15 terabytes of NFTs are made available for anyone to download … and Carole reveals her Pick of the Year.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Mikko Hyppönen.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
MIKKO HYPPONEN
This is Mikko Hypponen. I'm an infosec rock star and I listen to the Smashing Security podcast every time I go to a sauna. And I go to a sauna a lot.
Unknown
Smashing Security, episode 253. Cybercrime unicorns, HVAC hacks, and NFT piracy with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 253.

My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And this week we're joined by a special guest, a name familiar to all of us who work in cybersecurity: Mikko Hypponen. Hello, Mikko.
MIKKO HYPPONEN
Thank you very much, and thank you for having me.
CAROLE THERIAULT
Thank you for being here. You're a hard man to get hold of. You're a busy, busy man.
MIKKO HYPPONEN
Well, I'm planning on the rest of the things I have to do before I leave for my summer holiday. And I've actually restarted traveling. I've done 18 flights this year already.
CAROLE THERIAULT
Oh, traveling. I heard trolling. I was like, whoa.
GRAHAM CLULEY
Yes, I thought you were trolling on the internet. Yeah. 18 already this year. That's rather impressive.
MIKKO HYPPONEN
Yeah. Yeah. But, you know, I can't wait for this year to be over with. I can't wait for normalcy to return.
CAROLE THERIAULT
Yeah. I'm going on my first plane ride in a few weeks and I'm nervous. Were you nervous the first time you went on a plane after all this stuff?
MIKKO HYPPONEN
I forgot my passport on the first flight. That's pretty bad. As someone who used to fly 140 flights a year, that's pretty bad.
CAROLE THERIAULT
Yeah, I'm going to make a note. Okay. Now let's thank this week's sponsors, 1Password, Perimeter 81, and Thinkst. Their support helps us give you this show for free.

Now coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
Oh, well, I've got a boiling, bubbling question for you all about cybersecurity and heating systems.
CAROLE THERIAULT
Okay. Mikko, what about you?
MIKKO HYPPONEN
Well, I've got cybercrime unicorns and what they mean for offensive artificial intelligence and machine learning.
CAROLE THERIAULT
Oh my God.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
I'm going to be learning a lot there. And I'm doing NFTs meets Pirate Bay, and they have a love child. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, order, order, because the podcast today is coming to you from the echoey halls of the Royal Courts of Justice in London, where in the past judges have ruled on all kinds of cybercrime cases.

The likes of Julian Assange, Lauri Love, Gary McKinnon. They've all had their day in front of the beak.
MIKKO HYPPONEN
So that's a fellow Finn, Lauri Love.
GRAHAM CLULEY
Well, yes, he got off it, didn't he, in the end?
MIKKO HYPPONEN
That's what I remember. I actually don't know him personally, but I do think he got off. Yeah.
GRAHAM CLULEY
You don't know everyone who's from Finland?
MIKKO HYPPONEN
Well, only most of them.
GRAHAM CLULEY
Okay.

Until very recently, if you had a reason to visit the Royal Courts of Justice in London and you took your laptop out or your smartphone and thought, oh, I'll just go and check Twitter or, you know, just go and read my email or something, you might try and connect to the Wi-Fi and you would find a variety of Wi-Fi hotspots available.
CAROLE THERIAULT
Like anywhere, like a Costa or a Pret or a Mickey D's.
GRAHAM CLULEY
Yeah, exactly. Anywhere like that. And amongst the Wi-Fi hotspots you would find would be ones called Boiler Pump 1, Boiler Pump 2, Boiler Pump 3. And can you guess?
CAROLE THERIAULT
How many boiler pumps do they have?
GRAHAM CLULEY
4 boiler pumps, all with Wi-Fi. And according to The Register, that scurrilous rag beloved by IT followers everywhere and aficionados. And yes, we love The Register.

Those wireless networks were unsecured and passwordless. So you could connect to those wireless networks if you wanted to.
MIKKO HYPPONEN
Surely those were honeypots. Tell me they were honeypots.
GRAHAM CLULEY
Well, it may surprise you. I mean, that would make sense, wouldn't it? That maybe some security researchers set that up in case some criminals come in and try and access their email.

And, you know, maybe that'd be some way of intercepting their messages as they're about to have their day in court. But no, it appears not.

Because if you did connect to them, you would find yourself at the login page of the Royal Courts of Justice HVAC system. Carole, do you know what HVAC is? I'm sure Mikko does.
CAROLE THERIAULT
Yeah, it's like vacuum stuff, isn't it? Like heating?
GRAHAM CLULEY
Isn't it?
CAROLE THERIAULT
Yeah. Air conditioning.
GRAHAM CLULEY
Ventilation.
CAROLE THERIAULT
Ventilation.
GRAHAM CLULEY
Air conditioning.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
That's it. That's exactly it.
CAROLE THERIAULT
But I don't know what it stands for. It must stand for something.
GRAHAM CLULEY
Yeah, well, I just told you. Heating, ventilation, air conditioning.
HVAC
Oh, goodness sake.
CAROLE THERIAULT
Oh, this is going to be a good show. It's going to be a great show.
GRAHAM CLULEY
Anyway, so—
CAROLE THERIAULT
I'm blushing.
GRAHAM CLULEY
Big buildings or big organizations will have an HVAC system to keep everything, you know, tickety-boo, make sure there's air circulating so no one corks it.
CAROLE THERIAULT
Particularly important post-COVID that we have a lot of that stuff.
GRAHAM CLULEY
Right. Yeah. Well, a lot of theatres I know in London sort of ramped up the ventilation system. So air was moving more quickly.
CAROLE THERIAULT
Your hair is going, you can hardly hear the artist on stage.
GRAHAM CLULEY
So in other words, because you're at the login page of these boilers, you were now just one password away from accessing the industrial control system that these courts, the top courts in London, run to control their heating and air conditioning, as supplied by a company called Armstrong Fluid Technology.

Now, if you knew that password, you would be able to access the admin system, which would let you, for instance, I don't know, what sort of mischief could you cause by meddling with a ventilation system or heating system?
MIKKO HYPPONEN
I think the biggest problem probably wouldn't be the ventilation system themselves, but using these as a vector to gain access to something even more interesting.
GRAHAM CLULEY
Yeah. And I think we saw that before, didn't we?

Because when Target, for instance, was hacked back in 2013, I think it was, they used a password which they'd stolen from the HVAC supplier to the big retailer in order to gain access to Target systems.

So that can be a problem, especially if default passwords have been used. But you could, even if you just meddled with the heating system, imagine you turned off the heating pumps.
CAROLE THERIAULT
Or stop the ventilation, so all the air gets all stagnant. People start getting headaches and, you know.
GRAHAM CLULEY
Right. You could have that. Or maybe the water pipes might freeze. It's terribly cold here. You wouldn't believe how cold it is in England.
CAROLE THERIAULT
It's not cold at all. I'm Canadian, Mikko. It's ridiculous. They're whining you wouldn't believe.
MIKKO HYPPONEN
It's actually snowing outside right now, so just shut up.
GRAHAM CLULEY
Luxury. Luxury. I reckon it's too cold here to snow. You've got the balmy heights of Helsinki there.

But imagine your water pipes freeze over overnight and burst, that could cause the building to close and court cases to be delayed. Or what if the heat was raised?

So the judges, there they are in their great big British wigs, sweating and sweltering. Oh, I can't cope. People are beginning to put their bikinis on.

It would just be, you know, so if you were maybe someone who didn't want to be extradited, or you knew someone who didn't want to be extradited, then maybe you might hack into this system.

But of course, you wouldn't know the password to log into the boilers, would you?
CAROLE THERIAULT
I think I can guess. I'd like to guess.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
I've done no research on this. I'm going to guess.
GRAHAM CLULEY
Alright, go on then. Go on, let's try it. Let's try the cruel brain. Let's try it.
CAROLE THERIAULT
Number 1. Is it 'boilerpump1'?
GRAHAM CLULEY
No. No.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
That would be a password with both letters and numbers in it.
CAROLE THERIAULT
Yes, but the same as the username or the Wi-Fi port. So I thought that would be fine.
GRAHAM CLULEY
Yeah, it's not a bad guess. It's not a bad guess. I think you've gone a bit sophisticated on the password though.
CAROLE THERIAULT
Okay, so, okay, 1111. Okay, then the third, 1234.
GRAHAM CLULEY
Well, I can neither confirm nor deny, but if you happened to visit Armstrong Fluid Technology, remember, they're the people who make these boilers.

If you visit their website, you can download some very helpful PDFs which detail the default passwords which they use.

Or you could just use Google because Google has indexed those PDFs as well. So now, no one obviously is dumb enough to never change the default password, right?

Everyone always changes the default passwords, right? They would. Of course they would. Of course they would.

Someone at the Royal Courts of Justice, especially if it was accessible from a public place or from the street outside, maybe the Royal Courts of Justice, where often you get protesters.

Who are campaigning for someone not to be extradited or someone, you know, to be let off whatever they're being charged with.
CAROLE THERIAULT
I feel so bad for the IT intern that was the guy who set this up.
MIKKO HYPPONEN
And this does remind me of Hollywood movies, because when you think about Die Hard 2 or Mission: Impossible, it's always John McClane or Ethan Hunt crawling through the ventilation systems to hack the systems.

So isn't it the same thing basically? It's just a more digital version of the same idea.
GRAHAM CLULEY
Yeah, you wouldn't have to be quite so flexible. You don't have to have wires which can support your weight if you use Wi-Fi.
CAROLE THERIAULT
You don't need a harness.
GRAHAM CLULEY
So thankfully, the Register tipped off the Royal Courts of Justice about this snafu, and they say that they've taken immediate action to secure the systems.

However, interestingly, the Register also points out that just yesterday, a journalist reported that the temperature at the court was ludicrously cold, and the jurors had been told they could keep their hands, coats, and gloves on if they want.
CAROLE THERIAULT
Surely they can if they want anyway, no?
GRAHAM CLULEY
Well—
CAROLE THERIAULT
I have to go do jury duty soon, so I'm a little nervous about this. What, there's a dress code?
GRAHAM CLULEY
Well, I'm a little bit surprised they tell people that they could leave their hands on if they wanted. So that's an option.

Now, it's not new, as Mikko has already said, it's not new for HVAC systems to be the weak link in the chain.

We saw the Target breach, for instance, where they managed to then sort of spread laterally through the organization by the HVAC.

And I also remember earlier than that, in 2009, a security guard at a Dallas hospital hacked into computers as well as the HVAC system in order to launch DDoS attacks.

There was a guy, Jesse McGraw, he called himself Ghost Exodus or Phantom Exodismo, and he was the self-proclaimed leader of the Electronic Tribulation Army.

And he used his knowledge as a security guard to bypass physical security, and he ran a password cracker on the HVAC computer.

And he had the ability to change the temperature at this hospital and its environmental controls, which could obviously have affected people's treatment.

He also had potentially access to patients' medical records and all kinds of impacts it could have had.

He ended up being sentenced to 9 years in jail, but the most notable thing about him, it's funny you mentioned Mission: Impossible, actually, Mikko, because he made a video of himself doing this so-called botnet infiltration where he made no attempt to hide his face, but he did wear a hoodie.

And while doing this, he had the Mission: Impossible theme playing on a CD player in the background.
MIKKO HYPPONEN
Brilliant. Hey, what's up everybody? It's Ghost Exodus.
GRAHAM CLULEY
You're on a mission with me, infiltration.
MIKKO HYPPONEN
I just happen to be the only person here, and you know what? We're going for a spin in the elevator with a card that only I have right now. Good old Phantom Exodus moment.
GRAHAM CLULEY
Yeah, Phantom Exodismo was a bit of a dick, wasn't he?
CAROLE THERIAULT
Never mind.
GRAHAM CLULEY
Mikko, what story have you got for us this week?
MIKKO HYPPONEN
Well, artificial intelligence and machine learning has been all the rage for quite a while already. And I've been thinking about this a lot lately.

You see, I've spent the pandemic downtime writing a book. I had my book come out last month.
CAROLE THERIAULT
Oh, we didn't even talk. Can you give us the name of the book?
GRAHAM CLULEY
It's called Internet, isn't it? Is that right?
MIKKO HYPPONEN
It's called The Internet, which is a great name for a book, especially since nobody had written a book called Internet before. So I did it.
GRAHAM CLULEY
Mikko, you say it's a great name for a book. I have to tell you that if you Google The Internet, you're probably—
CAROLE THERIAULT
I was just going to say the SEO will be expensive.
GRAHAM CLULEY
To be honest, it's rubbish. It's a rubbish name for a book.
MIKKO HYPPONEN
Yeah, okay, but it's too late to change it.

So, nevertheless, I mean, I'm happy to tell you about the book, but you can't read it because it's only been published in my native language of Finnish so far.

But Finnish isn't that hard. Even small children speak Finnish, so you can easily learn it. It's true. You come to Helsinki, you'll see small kids speaking fluent Finnish.

So if you can't learn it, you must be thick. However, it will be published internationally in 2022. So you will be able to check it out.

In that book, one of the topics I cover is everything that we've been doing with machine learning and artificial intelligence on the defense side, how security companies use machine learning, which then brings us to the obvious question: how, and when, are we going to see the attackers using machine learning for offensive use?

And when I was thinking about this, I actually went back to my notes from 2016 because in 2016 I invented a new term, which was cybercrime unicorns.

And here unicorns is a reference to unicorn companies.
CAROLE THERIAULT
Oh well, I was going to say my niece would be in love with you if you actually could personify them in some way.
MIKKO HYPPONEN
No, no, it means unicorn company. Do you know what unicorn companies are?
CAROLE THERIAULT
Aren't they companies that get a lot of investment very quickly and become a huge bet with very little sustained growth?
MIKKO HYPPONEN
That's a pretty good definition.

I guess the way they officially define it is that it's a private technology company, which is valued at over $1 billion, which typically are exactly what you described, early stage companies with massive funding or huge growth wishes.
CAROLE THERIAULT
Like Theranos, for example.
MIKKO HYPPONEN
Yeah. Except it's no longer a unicorn because it's no longer valued like that. Today, let's say SpaceX would be a unicorn company or Reddit.
CAROLE THERIAULT
Really?
MIKKO HYPPONEN
Reddit? Yeah, absolutely. It's the third most common or popular website in the world or fourth most popular website in the world. Of course it's a unicorn and it's a private company.

So it's a unicorn. Airbnb and Uber used to be unicorns, but now they're public, so they're no longer unicorn companies.

So what I was thinking in 2016 is that I wonder if we one day will see cybercrime unicorns, organized online crime gangs, which should be considered to be unicorns because they have wealth of over $1 billion.

And 5 years ago, it was sort of a gag or a word to chuckle at. We didn't actually have them 5 years ago.

Unfortunately, they have become a reality and they've become a reality for two different reasons.

Reason number one, the amount of money being made with business email compromise attacks and with ransomware has just skyrocketed, which is a big part of this.

But even more importantly, these online crime gangs keep their wealth in Bitcoin or in Monero or in Zcash.

And 5 years ago, we knew of several online crime gangs which had $10 million of wealth.

Well, if you had $10 million 5 years ago in Bitcoin, if you still have them in Bitcoin, you've become a unicorn automatically because today, I mean, the value of Bitcoin has grown 100-fold in 5 years.
CAROLE THERIAULT
Yeah.
MIKKO HYPPONEN
The question becomes, if we really have cybercrime unicorns as our enemies today, how are the attacks changing?

When the enemy can afford to invest money into their attacks, how will we see the change?

And some things we've already seen include that these guys, the professional crime gangs, are becoming more and more organized.

In some senses, they start to resemble traditional real-world crime gangs, organized crime gangs. We know they run professional data centers.

We know they hire lawyers and business analysts.

And I think an especially eye-opening case was the case with the FIN7 crime gang, which has now twice created these fake front companies to hire pen testers, basically recruiting from our side, posing as a security company hiring security researchers to do penetration tests against companies which have not ordered a pen test.

So of course they will then find ways in which will then be used by the criminals.
GRAHAM CLULEY
It's astonishing that.

So those penetration testers, they aren't aware that they're part of a criminal gang or that they're pen testing companies without the company's permission, I guess.
MIKKO HYPPONEN
Yeah, well, this was the idea. I mean, Combi Security and Bastion Secure are the two companies we know of that have been set up like this.

And I suppose the whole point of setting up a fake company is that you're trying to recruit professionals without them realizing that you're working for criminal organizations.
GRAHAM CLULEY
Makes it a bit easier though for law enforcement maybe to shut down some of those operations. You can just go to LinkedIn.

I imagine if you're working for them, you don't worry about saying, oh yes, I work for this company.
CAROLE THERIAULT
Yeah, but the company can just dissolve, right? So if the company dissolves and suddenly you're left holding the, well, I was a consultant for, you know, blah, blah, blah company.

And I, yeah, no, I did do that and the company told me to, you know, and here's some write-ups, but the addresses go nowhere. 404, 404, 404.
MIKKO HYPPONEN
Yep.
GRAHAM CLULEY
Doesn't look that good on the CV either, does it?
MIKKO HYPPONEN
And of course the pandemic has worked great to help all of this happening. You can work remotely, just do pen testing from your home. And of course these companies pay really well.

They are unicorns.
CAROLE THERIAULT
Fascinating.
MIKKO HYPPONEN
Now I believe the main reason why we haven't seen AI attacks yet is that there's such a lack of skill. I mean, it's hard to hire security experts.

It's even harder to hire AI and ML experts, artificial intelligence, machine learning experts, and even harder to hire artificial intelligence, machine learning experts who work in cybersecurity.
CAROLE THERIAULT
Yeah. Smaller pool.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
There you go.
MIKKO HYPPONEN
So criminals haven't been able to do this, but now, as they are starting to be able to compete on salaries for this small pool of skills, it could happen.

And this is what worries me. And this is why I believe we are on the verge of starting to see the enemy start to use machine learning in their attacks.
CAROLE THERIAULT
Totally. Hey, you want healthcare? You want dental? Come here. We've got you. You want a pension? We've got you covered. You know?
MIKKO HYPPONEN
Yeah. And then the question becomes, what will the first attacks using machine learning look like?

And of course, we don't know, but I've been throwing this idea back and forth here at our labs.

And I think a pretty common consensus would be that the easiest thing for them to do first would be to replace the humans that operate the malware campaigns that we are seeing today.

So if you think about a typical malware campaign, let's say ransomware campaign, there's multiple moving parts. It's made by multiple different persons, but there's an operator.

So let's say they want to send out emails with a malicious link to a website which has an exploit, which then drops a ransomware binary on your Windows computers.

There's an operator who prepares the email, selects the address list to target, starts sending out the emails and then monitors how well the emails go through spam filters, adjusting as needed so they will go through better, and then monitors how well the exploit works.

Is it being detected by IDS systems at the companies?

And if so, they modify it and then monitoring how well the binary goes through endpoint protection system and compiling and changing it as needed.

All of that could easily be replaced with a short Python script which would do all of this and adjust accordingly and learn how the situation changes.

And I believe this is what will be the first step. I mean, the humans running the operations will be replaced by learning systems which will run these systems automated.
GRAHAM CLULEY
I'm worried that these poor old cybercriminals are going to be put out of a job.

There'll be many of them who used to run these malware campaigns who are going to be kicking around now looking for something else to do.
CAROLE THERIAULT
Well, maybe we should add a section to Smashing Security where we can have confessions and then they can kind of say how they feel remorse for their actions and we could have a little, you know, I don't know.
MIKKO HYPPONEN
Will anybody think about the criminals?
CAROLE THERIAULT
Yeah, exactly. We'll boohoo for them.
MIKKO HYPPONEN
And when I've been speaking about this, I've been surprised how many people have been surprised about the fact that we haven't seen this yet.

A lot of people assume AI attacks are happening already and they're not.

I mean, when something like this happens, of course it would be very visible to us, and we haven't seen it yet.
CAROLE THERIAULT
But why would it be visible?
GRAHAM CLULEY
Yeah. How would we know if they were doing this or not?
MIKKO HYPPONEN
Yeah, we would know because they would be much faster in their reaction time.

It's basically a game of ping pong where our end, the pong part of this, would be automated, security companies automatically feed us samples, automatically analyze, detect them, create detections and ship them automatically.

So there comes a pong from the criminals and the ping comes right away. Then there's a delay and a pong again. So it's a game of ping pong. Ping pong.

When they automate their end, then it's going to be ping pong, ping pong, ping pong, ping pong. The only thing which will stop a bad AI will be a good AI.

And this change will be so obvious that, you know, we would detect it.
GRAHAM CLULEY
I can't believe we're talking about the pong of cybercriminals. It feels like we need to improve the ventilation. Maybe it doesn't sound that good, does it?

Carole, what have you got for us this week?
CAROLE THERIAULT
Okay, I'm going to start with a question. Have you heard of the term tulip mania?
GRAHAM CLULEY
Is it something to do with the tulip craze when everyone went bonkers buying tulips?
MIKKO HYPPONEN
Like in the 16th or 17th century?
GRAHAM CLULEY
Yeah, before cryptocurrency existed.
CAROLE THERIAULT
1634, the Dutch Golden Age, when contract prices for some bulbs of the new and fashionable tulips reached super high levels.

And then there was a major acceleration that started in 1634 and then collapsed 3 years later. And some are referring to the whole NFT as a similar blip.

Have you got views, Mikko, on NFTs?
MIKKO HYPPONEN
Well, I've been following the whole thing around NFTs. I don't own any NFTs myself. And of course, there's a massive amount of hype around it. Who knows?

There might be some real innovation there as well.
CAROLE THERIAULT
Hmm, I've covered a number of stories on this. But at the moment, my view is those that are investing are playing a risky game, right?

Because the bubble will maybe pop, likely to pop is my gut. But there's this one guy by the name of Geoffrey Huntley.

And he has pointed the finger at what I was going to call a ginormous fly in the NFT ointment.

So if you're thinking of dabbling with NFTs or you already have dabbled, this might be some food for thought. Okay. So NFTs, should we do a quick refresher for some listeners?

Because it is a crazy term. It's hard to get your head around, I think.
GRAHAM CLULEY
Okay. Yeah, no, good idea.
CAROLE THERIAULT
So non-fungible tokens, and it's an identification of ownership, not a copyright, of something that's in the digital or physical realm.

Think of it as a unique token that designates ownership of a digital good. Would that be fair?
MIKKO HYPPONEN
Basically, it's a way of creating artificial scarcity. Well, I mean, digital things typically can be copied and you won't be able to tell the copy from the original one.

If you make a copy of an MP3, it's going to be the same thing as the original. An NFT makes it different from the original.
CAROLE THERIAULT
And this can be like a video clip, an image, a tweet, an article, and it goes up for auction and the transaction results are recorded in the blockchain.

A blockchain eBay of sorts, and the winner or the purchaser of the NFT or of said digital good has a contract coded and then minted in a blockchain network.

And this is a permanent part of the blockchain. So effectively, there's a digital receipt of purchase. Is that fair?
GRAHAM CLULEY
I think anyone who's going to understand it will understand it now.
CAROLE THERIAULT
No, because there's not a lot of people who get it.
GRAHAM CLULEY
Oh no, I agree. No, that's what I'm saying. Anyone who will understand it.
CAROLE THERIAULT
Yeah, it is hard.
GRAHAM CLULEY
The other day I had a listener contact me who said, you were talking about IoT, but I never really understood what IoT was. So it's always difficult with these terms, isn't it?

To know how much detail to go into and try and explain these things.
CAROLE THERIAULT
But I think IoT is a lot easier.
GRAHAM CLULEY
Yeah, well, we forgot to do it. One of our listeners wasn't happy.
CAROLE THERIAULT
Okay. I'm sorry, listener. We'll do that better in future. Basically, artists, content creators, some of them out there see this as the natural evolution of art collecting.

Also, there's a glut of peeps out there with dollar signs for eyes, jumping on the bandwagon to make a really quick buck. Buy low, sell high, yada yada yada.

Because there's been some articles of huge amounts of money being transferred for digital pictures and digital images.
GRAHAM CLULEY
Lots of hype.
CAROLE THERIAULT
Yeah, lots of hype. And also lots of money.
GRAHAM CLULEY
Yeah. Oh yeah.
CAROLE THERIAULT
Seriously, lots of money.
GRAHAM CLULEY
Yep.
CAROLE THERIAULT
So I actually was asked by someone if I wanted to do an NFT of some of my work. So I do art, right? And so we went and had a chat so they could pitch me the idea.

And so I'm listening and the main takeaways were that people want digital things. So the fact that I have a physical original wasn't that exciting to them.

They wanted digital art, but I don't do that. And they also wanted a series of collectibles.

So each of them original, but also related to each other so that you can build a whole team of stuff and it's worth more value.
GRAHAM CLULEY
Oh, yes. Someone will want the entire set, or if there's one missing, they will pay over the odds to complete the set.
CAROLE THERIAULT
Exactly. It's like baseball cards almost, right?
GRAHAM CLULEY
Right.
MIKKO HYPPONEN
Hold on, hold on. Carole, tell me about your art. Do you paint?
CAROLE THERIAULT
I do paint. And I will give you a link. You can check it out at carole.wtf.
MIKKO HYPPONEN
For real? NFT WTF?
CAROLE THERIAULT
Not NFT. Well, this is interesting that you've said this. What are some of the problems as far as you guys have heard of NFTs?

Do you see any issues with the concept or things that make you feel a bit like, this seems— this is where I don't feel like it sits comfortably for me?
GRAHAM CLULEY
Well, you can't hang it on the wall.
CAROLE THERIAULT
You could print it.
GRAHAM CLULEY
Well, but you could print it anyway. I mean, you could go to an art museum and take a photograph and then print it out and shove it on your wall if you wanted, but wouldn't—
CAROLE THERIAULT
Right. So it's impossible to regulate, right? Because you can't enforce someone not to do a save as of a JPEG or a print, you know, a PNG.
MIKKO HYPPONEN
Yeah. Whenever someone posts about NFTs, the first comments always are that I made a copy of your million-dollar NFT. I just clicked, right-click and saved it.

Although you could always argue that, sure, you have a copy of the original NFT, but your copy is not worth $1 million and the original is.
CAROLE THERIAULT
Okay, other problems. Climate impact, of course, right?

Because it takes a huge amount of energy to do all the calculations required to generate the certificate for the blockchain ownership of this NFT. Also the valuation, right?

The cryptocurrency is, people are, oh, that was bought for £69 million. And it's, well, that was yesterday. You know, the prices are at the value, you know, at the time of sale.

If you leave it in there and it devalues, then obvious what happens.
MIKKO HYPPONEN
The funny thing about bitcoin valuation is that if you go to bitcoin subreddits, you'll find plenty of people who used to use bitcoin to buy drugs from Silk Road 5 years ago.

So they paid 50 bitcoins for 2 grams of hash.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Most expensive product in the universe now.

And then of course there's liquidity issues because just because you've bought something, there's a lot of shady stuff out there and you may not be able to realize the cash from the purchase because there's lots of new kind of players on the market.

Not all are shipshape. But the thing that surprised me the most is that ownership, of course, is not required.

So just like Mikko is on my website looking at my art right now, he could save as, slap it up for an NFT for sale. Now, here's the thing.

There's no guarantee that the artist knows if someone has done this.

And if they do happen to find out by going looking or someone telling them, they have to go through the whole rigmarole of trying to prove that they actually own it and it was taken from them.

So a takedown notice, effectively. All in all, a huge pain in the butt. So, hmm, here is walking with Geoffrey Huntley. Okay, now he's got this FAQ page about him.

It's my press page, and it says a little bit about me. He says, my full name is Geoffrey Huntley. Please do not use Geoff Huntley. Then he goes, hi, I'm Geoff.
GRAHAM CLULEY
Well, no, he doesn't mind being called Geoff. He doesn't want to be called Geoff Huntley. I think there is a difference.
CAROLE THERIAULT
He is calling his work an art project.
GRAHAM CLULEY
He's a nutter.
CAROLE THERIAULT
The name being called The Billion Dollar Torrent. Okay.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
And he says, hey, I'm Geoff. After many previous adventures involving cycling through many countries on a unicycle—
GRAHAM CLULEY
I think you've told me enough.
CAROLE THERIAULT
Now live a minimalist lifestyle in a van that is slowly working its way around Australia.
GRAHAM CLULEY
Oh boy.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
But he's come up with a brilliantly simple idea.
GRAHAM CLULEY
Has he?
CAROLE THERIAULT
And I think it does underline the massive problem in the NFT thing, which is that most of these are hyperlinks to images hosted on Google Drive or Web 2.0 web hosts.

The images in lots of cases are not being stored within the blockchain. The image, he writes, these images are not stored on the blockchain contract.

Anyone who finds them can save and have an exact digital copy of what you're trying to buy to sell.

So he has basically created this website, a site of 17 terabytes, all available from a single source.

And he is showing that you are buying the notification of owning a worthless piece of crap, in my view.

On his FAQ page, it says, did you know an NFT is just a hyperlink to an image that is usually hosted on Google Drive, other Web 2.0 web hosts?

People are dropping millions on instructions on how to download images. That's why you can right-click, save as, because they're just standard images.

The image is not stored in the blockchain contract. And the problem is, obviously, web hosts are known to go offline, 404 errors, right?

So this handy torrent contains all of the NFTs.
GRAHAM CLULEY
How many terabytes?
CAROLE THERIAULT
17 terabytes.
GRAHAM CLULEY
Handy. Handy.
MIKKO HYPPONEN
It's basically a backup.
CAROLE THERIAULT
Yeah, it's basically a web archive. And he's saying at the end of this, he says, the reason I'm doing this is so future generations can study this generation's tulip mania.

And collectively go, what the fuck? We destroyed our planet for this. Signed, Geoffrey Huntley. Not Geoff. So, well, interesting.
GRAHAM CLULEY
Extraordinary.
MIKKO HYPPONEN
However, there is something about NFTs I want to mention since we mentioned my book.

Plenty of the people here in Finland who have bought the book have bought the ebook, not the paper book. Some of them asked me, could you sign my book?

And of course, physical book, I sign it, I'm happy to sign it. But how do you sign an ebook? There doesn't seem to be any solution to this.

And I'm sort of waiting for someone to come up with something, something along the lines of NFTs, where I could actually somehow sign it with a public key and have the ebook be wrapped up in a contract, which would be stored in blockchain or something like that.

That actually wouldn't be as stupid as many of the things we have here. If you're next to an author of something you have, and he could somehow sign it for you.

So it would actually, you know, show that you actually did meet this person.

And since NFTs are contracts, it could even work so that if someone would then sell a copy of the signed good, part of the price of that resale would go back to the original artist or original author.

So maybe something like that could actually be useful.
GRAHAM CLULEY
Yeah, that's a very interesting idea. Mikko, do you ride a unicycle at all? Have you driven a camper van around Australia?
MIKKO HYPPONEN
Right, right.
CAROLE THERIAULT
No, no, but I am with you because, you know, doing art and stuff, it would be really nice that if you sold your piece of art to someone and they went, oh, I love it.

Oh, actually I don't love it, I'm gonna sell it on, that you get a kind of tiny bit of that wonga. And I think this is probably a foray into that.

I just don't think they've got it down pat yet. So just one last thing. If users want to check whether their NFT is really on the blockchain, as opposed to being hosted on Web 2.0.

I have no NFTs, but this was recommended by Geoffrey Huntley himself, so make of that what you will. The site is checkmynft.com.

It now effectively looks at the contract definition, so you can also just look at the freaking contract and read the T&Cs before you get involved. Love you all.
GRAHAM CLULEY
Perimeter 81 is the first ever cybersecurity experience, a VPN experience platform designed around instant deployment, unified management, integrated security, and full visibility.

Perimeter 81 allows organizations of any and all industry sizes to support IT teams with robust tools to secure and manage your global network with one unified platform.

Securing remote access for cloud and hybrid businesses and organizations, Perimeter 81 provides unified solutions such as zero-trust network access, firewall as a service, device posture check, and more.

Learn more and request a demo at perimeter81.com. That's perimeter81.com. Most companies discover they've been breached way too late. Well, Thinkst Canary fixes this.

Just 3 minutes of setup, no ongoing overhead, nearly zero false positives, and you can detect attackers long before they dig in.

Simply go to canary.tools to find out why its physical, VM, and cloud-based canaries are deployed and loved on all 7 continents.

And what's more, listeners who mail in referencing Smashing Security get a 10% discount on their order. Can't say fairer than that. So go and check it out now, canary.tools.

1Password 8 for Windows is out right now. 1Password 8 for Windows has been reimagined to feel right at home on the world's most popular desktop operating system.

From dark mode and passwordless integration to smart search and secure item sharing, 1Password 8 is the new home for your digital life.

Productivity improvements, enhanced security and privacy features, and a modern design deliver a first-class experience that offers the best of Windows 11.

1Password 8 for Windows helps you manage, remember, and protect your sensitive information more easily and securely than ever before. So what are you waiting for? Find out more.

Try 1Password free for 14 days at 1password.com. And thanks to the folks at 1Password for supporting the show. And welcome back.

And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
MIKKO HYPPONEN
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.

It doesn't have to be security related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, my Pick of the Week this week is not security related.

A computer program for the Apple Macintosh, for macOS, which I use umpteen times a day, and it's probably the best program I have on my computer.
CAROLE THERIAULT
I don't even know if, okay, it's gonna be fascinating to know when you say it, if I recognize it, go.
GRAHAM CLULEY
The program is called Mailmate.
CAROLE THERIAULT
I didn't know about it.
GRAHAM CLULEY
And Mailmate, I probably shouldn't mention this on a security-related podcast, to be honest. I shouldn't really tell you what my email client is. Too late.
MIKKO HYPPONEN
Click on the link I just mailed to you.
GRAHAM CLULEY
Let me attach a zip bomb or something malicious. Mailmate is, yeah, it's what I use for email. And I have used just about every ruddy email client that exists for Apple Macs.

And I couldn't find one which I really got on with until a few years ago, I discovered Mailmate.

And in its own description, it says, "Mailmate isn't the most widespread, the cheapest, or the greatest looking email client, but I have no aspiration to make Mailmate ever be one of those.

Instead, it aspires to be the most powerful, the most flexible, the most efficient, the most standards compliant, and the most secure email client." And I have to say, I love it.
CAROLE THERIAULT
Okay, what does it do?
GRAHAM CLULEY
It's so powerful, Carole. It's so easy.
CAROLE THERIAULT
Okay, what does it do?
GRAHAM CLULEY
It can do anything.
MIKKO HYPPONEN
Can it make me coffee?
CAROLE THERIAULT
Yes. No, it can't. No, it can't. You're lying. God.
GRAHAM CLULEY
But it can do anything with email.
CAROLE THERIAULT
Like?
GRAHAM CLULEY
And it organises my email and it has rules and smart filters and folders. So it's IMAP compliant.

So if your email's in Gmail or something like that, it can connect to that and you'll be able to meddle with it on your thing.

I'm trying to think of other really clever stuff it can do.

I'll tell you one thing clever that it can do is if, for instance, so I have a form on my website, right, where people can ask me to go and speak at an event, right?

And I get an email to myself from a particular address on my website.

And if I accidentally reply to myself rather than the person I was meant to reply to, it will pop up and say, whoa, whoa, whoa, Graham, you've CC'd this internal address, which you didn't mean to.

So there's all kinds of little itsy bitsy configurations. Or I've got another thing which says every time I send an email, because sometimes I'm a little bit curt in my emails.

I'm not as polite as I should be.
CAROLE THERIAULT
Really?
GRAHAM CLULEY
Yeah, I know, hard to believe. Sometimes, well, so what my email client does is it puts any email I send into a 90-second limbo and I could make that 3 minutes.

I could make it an hour if I wanted. And so I can go back to my email.
CAROLE THERIAULT
I love the idea of it being an hour. Graham's in the bath. Doop-a-doop-doop-doop-doop. Holy shit!
GRAHAM CLULEY
Exactly. Or I can schedule an email. So if I think, I want to reply, but I don't want them to, I don't want people to think I'm too keen. I'll send it to them in 90 minutes' time.

So then it does it. And anyway, it is developed by just one Danish guy.

You can buy it for a one-off fee of $49, but it is so essential to my work life that I actually give him cash every 3 months.

I pay the equivalent of subscription, which is entirely optional, but I choose to do it because I would be screwed if Mailmate ever went away.

Excellent software should be supported, so I'm happy to pay for it.
CAROLE THERIAULT
Question.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Would you be screwed if our friendship dissolved? Because I'm thinking a quarterly fee paid to me would be really useful.
GRAHAM CLULEY
You know, I think we'll have to discuss who's going to pay who. Anyway, Mailmate for macOS is my Pick of the Week. Links in the show notes. Cool one.
CAROLE THERIAULT
Cool one.
GRAHAM CLULEY
Mikko, what's your pick of the week?
MIKKO HYPPONEN
Well, since we are in a podcast, of course I am going to recommend a competing podcast. So stop listening to Smashing Security right now.

Look for the Ted Dabney Experience podcast and hit play. Well, it's another podcast.

It's an English language podcast, but it's not really about cybersecurity or InfoSec or any of the fun stuff. It's about retro gaming.
CAROLE THERIAULT
Ah, your passion.
MIKKO HYPPONEN
I bought a brand new 1993 Judge Dredd pinball machine, which is the best thing ever. So, you know, yeah, they're great. Nevertheless, this one is not about pinball.

It's about old video arcade games. This is a podcast made in the UK by Paul Drury, Tony Temple, and Richard May. Tony Temple is the world record holder in Missile Command.

He actually just wrote a book about Missile Command history and how he made the world record.
GRAHAM CLULEY
Oh, that sounds good.
MIKKO HYPPONEN
It's really good. I recommend the book. The book is called Missile Commander.

And the podcast interviews people who were involved in the early days of the arcade gaming revolution, especially people involved in the early days of Atari.

The name Ted Dabney Experience comes from Ted Dabney, who was one of the guys who started Atari together with Nolan Bushnell. It is really well done.

Production qualities are there, really good interviews, and they have access to people who typically don't give interviews.

So if you are into old gaming, classic gaming, or retro gaming, check out teddabneyexperience.com.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
And trust Mikko because he really takes gaming seriously.
GRAHAM CLULEY
Yeah, no, that sounds great. I'll definitely check that out. That sounds a lot of fun.
MIKKO HYPPONEN
Cool.
GRAHAM CLULEY
Terrific. Carole, what's your pick of the week?
CAROLE THERIAULT
Okay. I got a truly special, special, special one, not compared to yours, but compared to the previous ones maybe that I've maybe dabbled with.

And it's a movie currently available on my instance of Netflix called Ruben Brandt Collector. Have either of you seen it?
GRAHAM CLULEY
I have seen the trailer. You have recommended it to me. I haven't had a chance to watch the actual movie yet.
MIKKO HYPPONEN
I don't have Netflix, but I have heard of it.
CAROLE THERIAULT
Okay, it's that— I would say buy it. I would say don't walk, run, run, run.
GRAHAM CLULEY
Okay, it looked wonderful from the trailer. It looks wonderful.
CAROLE THERIAULT
So beautiful. So basically the story is, 4 expert thieves attempt to steal every famous piece of artwork that is haunting their mutual psychotherapist.

Okay, so the psychotherapist suffers violent nightmares inspired by these legendary works of art, and 4 of his patients, expert thieves all of them, offer to steal the works since the psychotherapist, of course, as one would, believes that once he owns them, the nightmares will disappear.

And he becomes a wanted criminal known as the Collector. And there is a detective attempting to find out who this Collector is. Okay? That's basically the premise of the whole thing.

It is so beautifully illustrated. Oh my God. And the animation is to die for. I mean, I—
GRAHAM CLULEY
How would you describe some of the characters? I saw a lot of them seem to have 3 eyes or 2 faces. It is a bit sort of Picasso-like.
CAROLE THERIAULT
Well, yes. It's so beautiful to watch because it's a bit meta in that sense. So you can literally watch it and try to—
GRAHAM CLULEY
Hang on, you have to be careful with the word meta these days.
MIKKO HYPPONEN
It's copyrighted.
GRAHAM CLULEY
That fucker. Yeah, yeah. He is an ass, isn't he?
CAROLE THERIAULT
You can kind of find pastiches or elements of art. So you can actually watch and go, oh, there, there, there's the Venus de Milo. Or there, there's the, you know, that's from Warhol.

And you can try and spot them. And some of them are quite obvious, but some are very hidden within the fabric of this. Wonderful, beautiful, just stunning piece of work.

So without delay, get your hands on Ruben Brandt Collector, and it's the best thing I have seen all year and maybe in the last 5 years. I just absolutely love it, love it.

There you go, can't get higher than that. That is seriously a Pick of the Year. There you go.
GRAHAM CLULEY
Oh wow, oh wow, we haven't got a— we haven't got a jingle for Pick of the Year.
CAROLE THERIAULT
Well, maybe I'll find one.
GRAHAM CLULEY
Boom! Whoa, Pick of the Year! Wow, okay, well, that just about wraps up the show for this week.

Mikko, I'm sure lots of our listeners love to follow you online, find out more about what you are up to. What's the best way for folks to do that?
MIKKO HYPPONEN
Well, they can find me on Twitter as Mikko, that's M-I-K-K-O, or on my website, which is mikko.com.
GRAHAM CLULEY
Fantastic. And you can follow us on Twitter at Smashing Security, no G. Twitter doesn't allow us to have a G.

And we also have a Smashing Security subreddit where you can chat about the latest episodes. And don't forget to ensure you never miss another episode.

Follow Smashing Security in your favorite podcast apps, such as Apple Podcasts, Spotify, and Google Podcasts.
CAROLE THERIAULT
And massive shout out to this episode's sponsors, the fabulous 1Password, the great Thinkst, and the wonderful Perimeter 81.

And to our tremendous Patreon community, it's thanks to them all this show is free.

For episode show notes, sponsorship information, guest list, and the entire back catalog of more than 253 episodes, check out smashingsecurity.com/podcast.
GRAHAM CLULEY
Smashingsecurity.com. Until next time, cheerio. Bye-bye.
MIKKO HYPPONEN
Bye-bye. I'm making an NFT of this episode already.
CAROLE THERIAULT
Mikko, would you buy mikko.wtf?
MIKKO HYPPONEN
No, I have the best domain already.
CAROLE THERIAULT
I have the .com, so I don't want, but that could be for all your like, I don't want to have this on my legit site.
MIKKO HYPPONEN
But I have nothing to hide.
CAROLE THERIAULT
Sure, they all say that. They all say that.

Hosts: Graham Cluley, Carole Theriault

Guest: Mikko Hyppönen – @mikko

Show notes:

Sponsor: Perimeter 81

Perimeter 81 is the first-ever Cybersecurity Experience Platform, designed around Instant Deployment, Unified Management, Integrated Security, and Full Visibility.

Perimeter 81 allows organizations of any and all industry sizes to support IT teams with robust tools to secure and manage your global network with one unified platform.

Securing remote access for cloud and hybrid businesses and organizations, Perimeter 81 provides unified solutions such as Zero Trust Network Access, Firewall as a Service, Device Posture Check, and more.

Learn more and request a demo at perimeter81.com

Sponsor: 1Password

1Password 8 for Windows has been reimagined to feel right at home on the world’s most popular desktop operating system.

From Dark Mode and passwordless integration to smart search and secure item sharing, 1Password 8 is the new home for your digital life.

Productivity improvements, enhanced security and privacy features, and a modern design deliver a first-class experience that offers the best of Windows 11.

1Password 8 for Windows helps you manage, remember, and protect your sensitive information more easily and securely than ever before.

Take the 14 day free trial now at 1password.com

Sponsor: Thinkst Canary

Most companies discover they’ve been breached way too late. Thinkst Canary fixes this: just 3 minutes of setup; no ongoing overhead; nearly 0 false positives, and you can detect attackers long before they dig in.

Go to canary.tools to find out why its Physical, VM and Cloud Based Canaries are deployed and loved on all 7 continents…

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
