Smashing Security podcast #266: Cyberflashing, Kaspersky, and secret spies

Industry veterans, chatting about computer security and online privacy.


Germany tells consumers to stop using Kaspersky anti-virus products, OSINT reveals a secret government department (with help from an Apple AirTag), and the UK says it’s taking a hard line on dick pics.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Chris Kirsch.

Transcript
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
CAROLE THERIAULT
Is this a German joke?
CHRIS KIRSCH
This is a very German joke, and you know Germans are really not funny.
GRAHAM CLULEY
We found a German joke.
CAROLE THERIAULT
I just didn't get it, but I won't.
GRAHAM CLULEY
They've been saving it up for years. Now it's been revealed on the Smashing Security podcast.
CHRIS KIRSCH
Jokes die when you explain them, right?
Unknown
Smashing Security, episode 266: Cyberflashing, Kaspersky, and Secret Spies. With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 266.

My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
Hi, Carole. And who have we got on the show this week?
CAROLE THERIAULT
We have Chris Kirsch. Hi, Chris.
CHRIS KIRSCH
Hi there. Thanks for having me.
CAROLE THERIAULT
Now guys, Chris is CEO at Rumble.run, a solution for asset inventory and network discovery. That sounds so, I don't know, complicated, Chris.
GRAHAM CLULEY
That's the title.
CAROLE THERIAULT
CEO. CEO.
CHRIS KIRSCH
Yeah. CEO of Rumble.run.
CAROLE THERIAULT
You've been on the show before.
CHRIS KIRSCH
Yes, I have.
GRAHAM CLULEY
He still came back. Isn't that extraordinary? Yeah.
CHRIS KIRSCH
After Graham told me to fuck off on the podcast, I wasn't quite sure if I'd be invited back.
GRAHAM CLULEY
I'm British. That's quite polite, really. Are you sure I did that? It must have been Carole. It wouldn't have been me.
CHRIS KIRSCH
Maybe Carole.
CAROLE THERIAULT
Maybe we need to discuss this at the end of the show. How about we thank this week's sponsors, Collide and Drata? It's their support that helps us give you this show for free.

Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
To AV or not AV? That is the question, particularly when it comes to Kaspersky.
CAROLE THERIAULT
Okay. And what about you, Chris?
CHRIS KIRSCH
So we'll have a story that I'll just call Tinker Tailor Soldier AirTag. I'm gonna leave it at that. You can dive in later.
CAROLE THERIAULT
Okay. I'm gonna call mine Ding Dong, the PIC is dead. This and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, round about a week ago, I received an email from a listener. Always love an email from a listener. Thank you to everyone who drops us a line.
CAROLE THERIAULT
We get a lot less than people think, you know, I think.
GRAHAM CLULEY
Do you think?
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Oh, well, maybe that's just you, Carole. I seem to get plenty.
CAROLE THERIAULT
Oh, maybe. You get inundated? Of course you do.
GRAHAM CLULEY
We get a lot of fan mail. Anyway, John wrote to me and he had a question for me.

He said, in view of the current situation, do you think it's wise to continue to use Kaspersky antivirus software? Hmm. I thought that'd be an interesting one to discuss.

John is 83 years old, he tells me. He's retired. He's well into our demographic.
CAROLE THERIAULT
Hi, John.
GRAHAM CLULEY
And he doubts he has anything much on his PC that would be of interest to a Kremlin-backed hacker when they could be attacking a government department instead.

But it is a valid question, one I think many other people might be asking themselves at the moment, because Kaspersky, of course, as we all know here, is one of the most famous names in antivirus.

And it is Russian. And Russia's been in the news lately, hasn't it?
CAROLE THERIAULT
Really?
CHRIS KIRSCH
I haven't noticed. Can you tell us more about that?
GRAHAM CLULEY
So—
CAROLE THERIAULT
But this isn't the first time that Kaspersky's been called into question, right?
GRAHAM CLULEY
Well, no, and that's what we're going to look at. We're going to look back at some of the past claims which have been made against Kaspersky and what the situation is right now.

So Kaspersky, multinational company, hundreds of millions of users around the world, headquartered in Moscow, founded and run by Eugene Kaspersky.

He's been writing antivirus programs since 1989.
CAROLE THERIAULT
It's incredible.
GRAHAM CLULEY
It is. You'd think he'd have got it right by now, but yeah, he's been writing them all that time. Still having a go. Now, Eugene's very well known in the industry.

I probably first met him back in the 1990s. Always seemed like a friendly chap.
CAROLE THERIAULT
Yeah, in the industry, he certainly has a kind of character, right? It's kind of bigger than he is. He's not the tallest man, is he?
GRAHAM CLULEY
Well, sort of normal sort of height.
CAROLE THERIAULT
Nothing wrong with—
GRAHAM CLULEY
He's not Napoleon.
CAROLE THERIAULT
I was just surprised. It's a bit like meeting Bono, you know, in the industry and you meet him, you're like, oh, you're—
GRAHAM CLULEY
Oh, well, I don't know. Anyway, but he's always keen to have a giggle. Anyway, the thing is, he's always seemed like a very friendly guy to me.

You know, he likes nothing more than a drink, trip to the sauna with his mates. And it's who Eugene's mates might be that has often got him into a bit of a pickle.

A few years ago, for instance, Bloomberg and the Wall Street Journal, they claimed that Kaspersky had close ties to Russian spies.

And they even said that Eugene was regularly visiting the sauna with intelligence officers from the FSB.
CHRIS KIRSCH
That's oddly specific. Yeah. Was that the COVID story?
CAROLE THERIAULT
Did he deny it at the time?
GRAHAM CLULEY
Well, what Eugene said is, I often go for a sauna with my mates, and it's not impossible there might have been Russian intelligence officials visiting the same sauna at the same time, but I don't know them, he said.

But some people tried to construe that this was part of some conspiracy, and they said, whoa, isn't it weird that Kaspersky is always reporting on American and Western state-sponsored malware attacks rather than those ones which originate in Russia.

Maybe he's hushing those up.

And I remember at the time I thought, well, actually, if you look back over the Kaspersky blog, there have been plenty of occasions when they have talked about Russian hackers.

And they have talked about Russian campaigns which appear to have originated from there. So it felt a little bit unfair to me.
CHRIS KIRSCH
Was the reporting that the campaigns that he highlighted, was it cybercrime or was it state-sponsored?
GRAHAM CLULEY
There were some which were, suggestion was, well, it was a state-sponsored and highly organized, you know, against other governments.

And so what Kaspersky, the company, used to say was, we don't care where the malware was written, we are going to detect it, we're going to write about it.

And sometimes, you know, feathers were ruffled.

I mean, sometimes I suspect the NSA, for instance, would think, well, fine that you detect our malware, but do you then have to do a press release saying that we did it and pointing the finger at us as well?

I don't know. Anyway.
GRAHAM CLULEY
This began to cause big problems, and there were warnings which came out from America a few years ago saying government departments shouldn't be using Kaspersky software because maybe it could be meddled with, maybe it could be tampered with.

Kaspersky set up a transparency center in Switzerland and other places around the world trying to quell any concerns that the software could be subject to supply chain exploitation.

They even said, look, you can look at all of our code. If you want to, come to Switzerland. They took their biggest customers there.

And there's no doubt it affected their sales in the West, at least, although they were doing still quite well in the East.
CAROLE THERIAULT
I'm such a conspiracy theorist. This is what's happened to me over the last 10 years. Right now I'm thinking, oh, he did write about Russian state-sponsored hacks.

That did not impress the current administration, who then contacted the Trump administration and said, put the kibosh on the Kaspersky stuff, just to hurt them financially.

There you go.
GRAHAM CLULEY
Well, yeah, you do love a conspiracy theory.
CAROLE THERIAULT
Who knows?
GRAHAM CLULEY
Don't we all? Don't we all? We love it. We love it until people begin to believe them.
CAROLE THERIAULT
Yeah, don't believe it. I have no proof at all.
GRAHAM CLULEY
Until people turn up at pizza parlors in Washington with a gun and all that sort of nonsense. Anyway, Eugene, he likes a sauna. He's high profile. He's also very successful.

Forbes estimate he's worth about $1.8 billion.
CAROLE THERIAULT
Shut up.
GRAHAM CLULEY
Wow.
CAROLE THERIAULT
Shut up!
GRAHAM CLULEY
That's almost double what we have in our bank accounts, Carole.
CAROLE THERIAULT
Pfft.
GRAHAM CLULEY
Chris, how do you compare to that?
CHRIS KIRSCH
Not quite there yet.
GRAHAM CLULEY
You're not quite there yet, but maybe we'll pull together. Just—
CAROLE THERIAULT
That is a ridiculous amount of money.
GRAHAM CLULEY
There's a lot of money, it turns out, in cybersecurity. Huh, who would have known? Now, Eugene, not least his company, is in hot water again, but not of the sauna variety.

It all comes down to Russia's invasion of Ukraine. So obviously, when something like that happens, people are going to look to high-profile Russians working in tech.

I mean, Eugene, in a way, he's a bit like Richard Branson or Lord Sugar or—
CAROLE THERIAULT
He certainly has the haircut, or did. He did have the hair.
GRAHAM CLULEY
Yeah, the Branson. But he's a high-profile entrepreneur, got bags of cash. Where does he stand on this?

And he put out a tweet where he said he welcomed the start of negotiations to resolve the, quote, current situation in Ukraine and hoped it would lead to a cessation.

How do I say cessation?
CAROLE THERIAULT
That's right.
CHRIS KIRSCH
I think that's right. Pronunciation tips from a German.
GRAHAM CLULEY
Hoped it would lead to a cessation of hostilities and a compromise.
CHRIS KIRSCH
Now, well, you can't say war, right? Because then he goes to prison.
GRAHAM CLULEY
Exactly.
CHRIS KIRSCH
Yeah, I think he's in a really crappy situation, right? Because I do think that Kaspersky produces genuinely good technology. But then—
GRAHAM CLULEY
Absolutely.
CHRIS KIRSCH
Right? But then the question is, who has oversight? Who has oversight? You know, if you live in Russia and you are in a role where you can have geopolitical impact on Russia, right?

Undermining Kaspersky is a big asset for the Russian state. So there is a motive there, and it's really hard to prove a negative.

So I used to sell crypto software in Germany to German companies, right? And all we needed to say is, hey, do you really trust the Americans? We didn't need to prove anything, right?

And we didn't have to be specific. And it's just so hard for them to disprove that. Then we got acquired by an American cryptocurrency company.
GRAHAM CLULEY
And your messaging changed.
CHRIS KIRSCH
And our marketing changed, right? So funny how that works.

But you know, if I had to choose between different antivirus companies, you know, quite honestly, for a corporation especially, and for anything to do with government, I probably wouldn't pick Kaspersky now, even though I think they do a very good job.

But it's just impossible for them to prove a negative or for me or anybody who's buying that to prove a negative, and that's really tough.
GRAHAM CLULEY
Even if there's the tiniest sliver of a possibility that in the future Vladimir Putin might get Eugene Kaspersky's testicles in a vice, you don't want that to be a possibility, do you?
CAROLE THERIAULT
Well, it's not like he's walking around with your private secrets all the time. What are you worrying about? Kaspersky's own gonads or your information?
GRAHAM CLULEY
I don't really care about the state Eugene's balls too much. Well, I mean, I hope— no, no, I mean, it's not something I've pondered very often. Well, not that close.

Obviously, I wouldn't want that to happen to him.
CAROLE THERIAULT
What, you wouldn't go in the sauna with him?
CHRIS KIRSCH
It would be awkward with a vice in the sauna, right?
GRAHAM CLULEY
The thing is, the thing is the supply chain.

If a piece of software is running at a low level on hundreds of millions of computers around the world, and it's regularly updated by other people in a way which you frankly don't actually choose when it updates or not because it's updating continuously to deal with new malware.

The potential is there for someone either maliciously without the knowledge of Kaspersky the company to do it or to apply pressure and say, this is what you're going to do.

That's the risk, the supply chain.
CHRIS KIRSCH
Yeah.
CAROLE THERIAULT
Yeah, but that's the risk with any piece of software at all.
GRAHAM CLULEY
Oh, absolutely, and American software. NSA could do this to American security companies and the GCHQ could do this to British security companies. You're absolutely right.
CHRIS KIRSCH
Yeah, with antivirus, there's another thing. If you're scanning desktops, right, you have a file scanner and you're looking at the contents of each file and looking for signatures.

So I think one of the allegations, and I'm not sure if it was an allegation or if somebody tested it or whatever.

The idea was, hey, if Kaspersky just added a signature for certain keywords, right?

Certain projects, certain people's names, email addresses, any identifier that they're interested in, and just say, hey, every time you see that on a disk, just upload that for analysis.
CAROLE THERIAULT
Put it in the log. Yeah.
CHRIS KIRSCH
You know?
GRAHAM CLULEY
So this is something which appears to have happened, not quite exactly what you're describing, but what appears to have happened is that some of the white hat hackers who work for the NSA, part of Equation Group, which is basically the state-sponsored US hacking group, were writing malware.

One of them took his work home with him, put it on his home computer, which was running Kaspersky.

Kaspersky, with its heuristics or whatever, thought, hmm, this looks a little bit malicious. I will upload these files to Kaspersky servers for further analysis.

And then there was this big freakout that Kaspersky was stealing NSA secrets.
CAROLE THERIAULT
And it was probably already in the terms and conditions that they would do that if they saw something suspicious on a home user license.
CHRIS KIRSCH
I would question the qualifications of this person because if you're writing malware for the US government, you know, number one, don't take it home.

Number two, don't put Russian software on your computer. Number three, don't put antivirus on your computer if you're developing malware, right?
GRAHAM CLULEY
So if we make the assumption that Eugene Kaspersky is a decent chap, which I think, let's hope that he is, you can understand why he's trying to tread very carefully and not get himself embroiled in this situation.

It's bad for business and also possibly bad for him.

Six months ago, the founder of another security company, Group-IB, he was arrested in Moscow on treason charges after he criticized the Russian government for not taking action against Russian ransomware gangs.

And after he allegedly provided the US government with information about Russian interference with the presidential election of 2016. So Eugene wants to be careful.
CAROLE THERIAULT
Yeah, I think there's a lot of people in the world right now who are trying to be very careful, particularly those based in specific geographies.
CHRIS KIRSCH
Yeah.
GRAHAM CLULEY
And the very latest development on this is that German authorities have just issued an advisory telling consumers that they should look for alternatives to Kaspersky antivirus.

They're telling them to uninstall it and switch to another antivirus because of the risk that pressure could be applied or that it could be hacked.

And this really comes back to John's question. Remember, John sent me an email about whether you should use Kaspersky or not.

I think, who can put their hand on their heart and say that isn't possible in the current political climate, that pressure wouldn't be put on them?

To take advantage of the fact that so many hundreds of millions of computers are running it.

Like you were saying, Chris, earlier on, people are going to question you if you buy Kaspersky, I think, for a corporation, rather like they wouldn't have questioned you for buying IBM in the old days.

It's like, well, that's a decision which no one's going to criticize. People might criticize you for taking a risk on Kaspersky.
CHRIS KIRSCH
Oh, I think they probably will. Absolutely.
GRAHAM CLULEY
Tricky times.
CHRIS KIRSCH
Well, one reason why you might want to buy Kaspersky though is because I think Russia won't be able to process payments, so maybe you get it for free because they can't charge your credit card.
CAROLE THERIAULT
Yeah. Oh, that model. We've not seen that before.
GRAHAM CLULEY
If you're worried about that, Chris, I can point you to some cracks on the internet you can download from a few torrents.
CAROLE THERIAULT
Great.
GRAHAM CLULEY
If you'd like some free software.
CHRIS KIRSCH
Much better alternative. Yeah.
GRAHAM CLULEY
Chris, what have you got for us this week?
CHRIS KIRSCH
So, fascinating story about how an ordinary citizen, quote unquote ordinary, she's not all that ordinary, investigated a secretive government agency and basically uncovered how secretive government agencies are connected in Germany.

And it reminded me a lot of Bellingcat. Bellingcat is a news outlet that is run by ordinary citizens who use what's called OSINT, open source intelligence.

It's a method where you just take what's out in the public, basically fancy Googling, and then put the puzzle pieces together to find out something that's actually highly confidential or secretive.
GRAHAM CLULEY
Yeah, there's remarkable work they've done in the past, isn't there? By analyzing photographs and—
CHRIS KIRSCH
Yeah.
GRAHAM CLULEY
Yeah, it is quite extraordinary.
CHRIS KIRSCH
Super interesting. And I myself got into OSINT, you know, when I participated in the social engineering CTF at DEF CON a few years ago. And so there's a lot of OSINT involved there.
CAROLE THERIAULT
You won. You won, didn't you? Yeah, you're being modest here.
CHRIS KIRSCH
But that's how I really got into it. And I developed an appreciation for OSINT and how hard it is, but also about the power of what it can yield.

And so this story was mostly published in German. All the English coverage was extremely short and it missed a lot of the interesting stuff.

And to me, it really read basically like a German spy novel.
CAROLE THERIAULT
OK, go, go, go.
GRAHAM CLULEY
I'm all ready.
CAROLE THERIAULT
Got the popcorn. I'm ready.
CHRIS KIRSCH
So our protagonist is a lady by the name of Lilith Wittmann. She is a white hat hacker. She's exposed some vulnerabilities in the past.

And she's also a specialist for digital transformation in government.

And so she was doing research and looking at all the different government agencies on a website that just really lists, line by line, all the agencies with a very short description.

And she stumbled across an agency that she hadn't heard of before. And it's called Bundesdienst Telekommunikation. So, Graham, we're going to have a lot of long German words in here.
GRAHAM CLULEY
Oh, lovely. So, Frankfurter Allgemeine.
CHRIS KIRSCH
Yeah, exactly.
CAROLE THERIAULT
Ich bin dein Chef.
GRAHAM CLULEY
I can do it. 99 Ritter Balloons.
CAROLE THERIAULT
Oh my God.
CHRIS KIRSCH
I'm not going to comment or coach on German pronunciation in this podcast. I'll just refrain from that.

So the Bundesdienst Telekommunikation, it translates as Federal Service of Telecommunications. Couldn't be more bland, right? We're going to abbreviate this as BST.

And actually, back in the day, we sometimes used to joke that there is an agency called the Federal Agency for Telecommunication Statistics.

And so this is actually eerily close to that joke because it turns out that it is actually an intelligence agency that nobody's heard of before.
CAROLE THERIAULT
Is this a German joke?
CHRIS KIRSCH
This is a very German joke. And you know, Germans are really not funny.
GRAHAM CLULEY
We found a German joke.
CAROLE THERIAULT
I just didn't get it, but I— Oh, sorry.
GRAHAM CLULEY
They've been saving it up for years. Now it's been revealed on the Smashing Security podcast.
CHRIS KIRSCH
Jokes die when you explain them, right? Oh God. So, all right, back to the story.

So Wittmann, she looked at the description of this agency and it said, hey, this agency is tasked with digital transformation and government.

And this was weird because she's a specialist in that area and she's never heard of this agency before. Right? So that kind of raised some questions.

And so she phoned the phone number, which was a fax. Then she phoned the fax number, which was no answer. And so she couldn't get anywhere with that.

And so she started a FOIA request, a Freedom of Information Act request.

The first response she got fairly quickly from somebody with a title Geheimschutzbeauftragte, which basically translates as Secrets Protection Officer.

So it's a role in counterespionage. So that was a little bit weird for a digital transformation agency.

And then she got a second email and said, oh, the first email, ignore that one. We were wrong on that one. We actually, we have no record of this agency existing.

And at the same time, the BST disappeared from the official listing.
CAROLE THERIAULT
This is fantastic. Okay, so cover up, cover up, backtrack.
GRAHAM CLULEY
We've accidentally published the existence of our top secret agent.
CHRIS KIRSCH
Exactly. So the story gets better. So then she looks around and says, hey, you know, let me see if I can find any other entries in other directories that might be out there.

And she found in, I think it was some X.500 directory or something, and she finds a physical address in another directory for this agency and has a physical address somewhere in Berlin, but it's not an official building that is occupied by any government agency.

So she's got a following and she tweets out and one of her followers says, hey, I checked out the website of the landlord of this building and the tenants list a generic government agency.

So she actually gets in the car, she drives up to Berlin and she goes to the building and it's a very boring average office building, right? Quite big.

But the government agency is occupying, I think it was 2,500 square meters, which is quite a big floor. So that's enough space for about 100 people.

And so she looks at the mailboxes and the BST is on there. And there is a mailbox next to it for Bundesministerium des Innern. So this is the BMI. This is the Interior Ministry.

And the BMI heads up a lot of the civilian intelligence agencies in Germany.

So the BND, Bundesnachrichtendienst, which is the equivalent of the CIA, the BSI, which is the Bundesamt für Sicherheit in der Informationstechnik, please repeat that, which is the equivalent of the NSA, and the BfV, which is, it's Bundesamt für Verfassungsschutz, which is the federal agency for the protection of the constitution.

See, it's even long in English, right?
GRAHAM CLULEY
Wow. Okay. So let's just recap here. So she's interested in digital transformation.

She goes to a webpage where it lists all the departments which to do with the government, and she finds one and it says, we deal with digital transformation.

She rings them up and they say, oh no, we don't really exist. Don't contact us again.

She then goes to their office, finds a name plaque or something, and alongside it, it says, basically, this is associated with the part of the government which looks after all the intelligence agencies.
CAROLE THERIAULT
Yeah, the hush-hush bit.
GRAHAM CLULEY
Yes. So they put a nameplate up announcing their presence as well.
CAROLE THERIAULT
They must be shitting themselves if they did any recon on her from the beginning, because she's not an unknown ethical hacker, right?
CHRIS KIRSCH
So when they went, "Oh, sorry, they must have been hacking." Yeah, she found vulnerabilities in some, I think, some apps for political parties and some other things, and she's associated with the Chaos Computer Club and so on.

So she's not an unknown entity. So then she does some more digging, and she looks up if she can find anything in the RIPE database.

So the RIPE database is where companies register their public IP spaces.

And so she finds a few other IP addresses associated with physical addresses that are associated with the Ministry of the Interior.

And she finds one that's a little bit odd because it's in Cologne. There's no office for the BMI in Cologne. And the email address is a generic email address.

It's not a person, but it's a department and group number. And so you can look that up in the German government, it's very organized, right? As you might expect.
GRAHAM CLULEY
Really? It's not a Hotmail address. They're a bit more organized than that.
CHRIS KIRSCH
So each department has their own email address that follows a certain nomenclature, right? So she reads, this is the email address for Department 7, Subgroup Z2.
GRAHAM CLULEY
Okay.
CHRIS KIRSCH
Problem is that neither Department 7 nor Subgroup Z2 exist in any official org charts.
CAROLE THERIAULT
Yeah. So it's either fake or super duper secret.
CHRIS KIRSCH
Exactly. So then she looks up for some other things. She finds information about the BfV, the Verfassungsschutz, in RIPE as well.
CAROLE THERIAULT
And her goal right now is she's just—curiosity has bitten off her left hand, and she just needs to follow the breadcrumbs.
CHRIS KIRSCH
Exactly.
GRAHAM CLULEY
She's kind of got that loose piece of string on her jumper, and she's pulling it, pulling it. Oh, it keeps on unraveling. What's gonna be at the end of this?
CAROLE THERIAULT
She's not gonna end up topless, Graham.
GRAHAM CLULEY
Okay, I was hoping. She's German.
CHRIS KIRSCH
So, she finds some more entries.

I think there's also a football club, a soccer club involved in Cologne for the Ministry of the Interior, but the Ministry of the Interior doesn't have an office in Cologne.

It's only the Verfassungsschutz, which is an intelligence agency.

And so she finds all of these things and she finds a few phone numbers and decides at 3 AM in the morning to phone these cell phones.

And so the person on the other end picks up, is wide awake, and basically it doesn't say it exactly. He doesn't deny that it's the BfV, but he doesn't acknowledge it either.

And the phone number is disconnected the next morning.
CAROLE THERIAULT
What's she doing calling at 3 AM?
CHRIS KIRSCH
Well, she wanted to catch them off guard, right?
CAROLE THERIAULT
She wanted to catch them off guard. I don't know. I would be really irate if that happened. I'd be like, that is not playing fair.
GRAHAM CLULEY
It wasn't a booty call.
CHRIS KIRSCH
I don't think she was aiming to please. So all of this so far is a very cool but pretty standard OSINT investigation, right?

If you read Bellingcat or follow any of the OSINT-related stories, it's typically pulling on the string and finding little breadcrumbs and putting them together.

But this next part is what I thought made this story worth sharing.

So she says, okay, so I've got a few PO boxes in Cologne that are associated with the BMI, which doesn't have an office in Cologne.

And there is also one associated with the Verfassungsschutz, the BfV. And they're close to each other in the post office. They're right next to each other.

And she's like, I wonder where the mail goes for these PO boxes. Right?
GRAHAM CLULEY
So does she put herself into a parcel?
CHRIS KIRSCH
Almost. So Apple just came out with the Apple AirTags, right? Apple comes to the rescue.

The AirTags, for those listeners that are not familiar, they look like a pound coin or a quarter, you know, about that size.

And they contain a little battery and a Bluetooth transmitter, low-energy Bluetooth. So they can run for about a year. They don't have GPS.

They don't have a GSM chip or anything to actually communicate out over long distance, but they can communicate over short distances.
CAROLE THERIAULT
You have to be nearby. Yeah.
CHRIS KIRSCH
Yeah.

What Apple did that I thought was really clever is any iPhone, not just your iPhone, but any iPhone in the world, can now detect these AirTags and deliver the current location of that AirTag to the cloud.

And then it ends up with the owner of the AirTag. So the owner of the device nearby doesn't know that it's happening or can't see what the AirTag is, but the owner can.
CAROLE THERIAULT
So she sends a letter.
CHRIS KIRSCH
She sends a letter.
GRAHAM CLULEY
She takes—
CHRIS KIRSCH
She takes a Norwegian cruise line catalog or something like that, cuts out a little bit in the middle.

Puts in this AirTag and sends it off to the address of the BMI in Cologne, which doesn't officially have offices there.

And sure enough, you know, German postal service is very efficient.

Ten o'clock the next morning, she sees a ping and it shows up at the offices of the Verfassungsschutz, which is the domestic intelligence agency.

And so that proves to her that the BMI is a cover organization for some of its intelligence branches, that the BMI in Cologne is actually Verfassungsschutz, et cetera.

So I thought that was a really clever use of AirTags.
GRAHAM CLULEY
Very cunning. Yeah.
CHRIS KIRSCH
Yeah. And that made it—
CAROLE THERIAULT
It's scary for the rest of us though, because if someone dropped an AirTag in my house, well, I guess, what would that matter?

Because they would just go, oh, she's still at her house. It's still at her house.
CHRIS KIRSCH
But if someone drops it in your bag, for instance, yeah, there've been a lot of stalking cases reported. So, and it's actually, I think it's pretty hard to protect against.

If I remember correctly, Apple actually created—
GRAHAM CLULEY
There is some kind of anti-stalking functionality, isn't there?
CHRIS KIRSCH
But it only works if you have an iPhone yourself.

It basically tells you if you are close to, if you're moving around and you're close to an AirTag, but the owner of the AirTag is not also with you.

Because if your husband has an AirTag on the key ring, you know, you don't want it alerting.

So I think that's an interesting countermeasure, I guess, against stalking, but it's not foolproof. Yeah.
CAROLE THERIAULT
So she basically proved that there was a secret government organization that was even more secret than the secret government agencies that already operated to probably do the real dirty work.
CHRIS KIRSCH
Was that something like that?
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Yeah.
CHRIS KIRSCH
And she did this mostly sitting from home and Googling. The only thing she did is she went up to the mailbox of the address and she, you know, sent an AirTag through the mail.

But otherwise she just consulted open databases on the internet, which is really cool.
CAROLE THERIAULT
It's kind of scary though, too. Shows, you know what I mean? If they're sitting there lying open, it means, you know, most of us are.
CHRIS KIRSCH
Yeah. Yeah.
CAROLE THERIAULT
And that's why the show exists, listeners.
CHRIS KIRSCH
Yeah.
GRAHAM CLULEY
So yeah.
CHRIS KIRSCH
Lock down your personal details online. Right. Reduce your online footprint. That's right.
CAROLE THERIAULT
Don't answer emails.
CHRIS KIRSCH
Don't answer emails and don't post to a secret government agency on a public website.
GRAHAM CLULEY
Yeah.
CHRIS KIRSCH
And so this is not a call for hacking other nations. So don't be a cowboy.

You know, if you have an inclination and interest and a passion for OSINT, I encourage you, you know, go digging because you might find something really cool like Lilith Wittmann did.

And I don't know, I probably wouldn't publish it under my own name like she did.

She's got a profile in that space, and I think that somewhat protects her, but I probably wouldn't, you know, poke the bear, so to speak, if we're thinking about the current conflict.

You can pass it on to your local authorities if you like and trust them, and if you know somebody there, you can pass it on to Bellingcat if you find something meaningful, and they can then verify it.
CAROLE THERIAULT
Yeah, that's a good suggestion.
CHRIS KIRSCH
Follow your chain of custody, and if they believe that it's accurate, then they can publish it under their brand. Those are probably some good options.
GRAHAM CLULEY
Very interesting.
CHRIS KIRSCH
Yeah.
GRAHAM CLULEY
And well done, Chris, on all those difficult German words. I'm very impressed with you.
CHRIS KIRSCH
Yes, I know. I practised for hours.
GRAHAM CLULEY
For years.
CAROLE THERIAULT
Your pronunciation was okay. It was pretty good.
GRAHAM CLULEY
Carole, what have you got for us this week?
CAROLE THERIAULT
Well, we are in the UK for this story. So this week, the UK government confirmed that it will be updating the Online Safety Bill. So this has been happening and going on for years.

But they have confirmed they're going to include a new cyber flashing law as a specific criminal offense.

So this is where a person sends another person— it's like someone they know or someone they don't know— an unsolicited sexual image, right?

And this could be via social media, it could be by dating apps, it could even be by Bluetooth or AirDrop.
GRAHAM CLULEY
What do you mean by sexual image? Do you mean an image of people having sex?
CAROLE THERIAULT
Your junk.
GRAHAM CLULEY
Your bits, your private parts.
CAROLE THERIAULT
Yeah. Cyber flashing.
GRAHAM CLULEY
Okay. All right. So I get that. And obviously we're going to talk about that. But what about some people have a fetish for different parts of the body, don't they?

Like some people have a foot fetish. So would you get in trouble if you had particularly sexy feet or you thought you did and you sent someone a picture of your feet?
CAROLE THERIAULT
That's an excellent question. I'm writing it down right now.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
And we'll come back to that, I'm sure.
GRAHAM CLULEY
All right. Elbows as well. Well. Okay.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
All right.
CAROLE THERIAULT
Yeah, you're— there's loads. Yeah. So in some instances, a preview of said unsolicited sexual image can appear on a device, even if the person hasn't accepted it.

So even if the transfer is rejected, they're forced into seeing maybe a thumbnail of the image or saying, do you want to accept this image before it fully loads onto your—
GRAHAM CLULEY
Or just a text, right?
CAROLE THERIAULT
Or just a text.
GRAHAM CLULEY
Yeah.
CHRIS KIRSCH
What kind of systems are those though? Because if you send somebody a text or a chat app or whatever, usually images, especially images just get displayed.

If it's something that's larger and potentially malicious, like a, I don't know, spreadsheet or something like that.
GRAHAM CLULEY
Oh, you mean a larger file size? Sorry, I was trying to understand what you meant.
CHRIS KIRSCH
I should be, I should learn to be very specific on this podcast.
CAROLE THERIAULT
Yes, Mr. German.
GRAHAM CLULEY
If someone sends you a particularly large file, sometimes you'll get the option to download it, won't you, before you—
CAROLE THERIAULT
Yes. So if, for example, we were travelling nearby and you wanted to send me something via AirDrop and it was an image, I would see that image before I accept that image.
GRAHAM CLULEY
Ah, now AirDrop's interesting, isn't it? Because to text you, I need to know your mobile phone number.
CAROLE THERIAULT
Exactly.
GRAHAM CLULEY
If I was on, you know, public transport or something and wanted to send you an image of my then I could just maybe send it via AirDrop, perhaps, depending on their settings.
CAROLE THERIAULT
Mm.
GRAHAM CLULEY
Right. Gotcha.
CAROLE THERIAULT
So, so this is now a criminal offense.

So the idea is that this change means that anyone who sends a photo or film of a person's genitals for the purpose of their own sexual gratification or to cause the victim humiliation, alarm, or distress may face up to two years in the clink.
GRAHAM CLULEY
Oh, crumbs. Picture or video? Is it photo or video?
CAROLE THERIAULT
Yep.
GRAHAM CLULEY
What about a doodle?
CAROLE THERIAULT
You see, I'm ahead of you, way ahead of you on that one.
GRAHAM CLULEY
What about an emoji?
CAROLE THERIAULT
Well, yeah, an eggplant emoji.
GRAHAM CLULEY
Or, you know, you used to do smiley faces with the letters, you know, before emojis existed. They were fun.
CAROLE THERIAULT
You can imagine that a number of Redditors had a field day with this announcement.

So, I'll paraphrase a few, but things like, "Would authorities need to match the junk with the face that sent it?" for example.

Or, "An attentive—" I'm paraphrasing here, but like, "An attentive member may look very different from a sleeping one." Right?

So, would one need to show it in full glory to the authorities, would the police get their very own cock squad?
GRAHAM CLULEY
Will it go in the penal code? That one's actually quite good. I like that one. Now— I've had this happen to me.
CHRIS KIRSCH
Oh, I'm intrigued now.
GRAHAM CLULEY
A talk for a Microsoft conference. There were thousands of people in the audience, huge auditorium. And I was doing my bit and I was talking about IoT or whatever it was.

And my phone bleeped while I was up there, because I'd obviously been professional, hadn't turned it off.

And someone in the audience had sent me a picture of what I can only describe as a small button mushroom. It was, and it was, I mean, I, that's not really to my taste.

I don't love mushrooms, but I, it's still, did you see that? It was quite off-putting. And I mean, I can only— Did you lose your stride?

No, I mean, you know, we're giggling about it a little bit, but actually it wouldn't be very nice to receive an unsolicited one of those, particularly if you thought it was someone in the vicinity of you, and particularly if you thought it might, you know—
CAROLE THERIAULT
If you didn't feel safe. Yeah, if you didn't feel safe. 100%.

So some of the comments though on Reddit were a little bit more thoughtful because how do you fully define solicited versus unsolicited?
CHRIS KIRSCH
I think that's really where the rub is, right?
GRAHAM CLULEY
No pun intended here. So juvenile. I can't believe we allowed Chris on this show.
CHRIS KIRSCH
It's really lowered the tone. That was actually not intended.
CAROLE THERIAULT
So would there need to be proof of the request for the image?
GRAHAM CLULEY
Yeah, it would have to stand up in court, that's for sure. Come on, that was quite good. That was quite good. Please, Carole, give me something. It's not as good as Chris's.
CAROLE THERIAULT
It's not as good as Chris's. Just work, try harder. Another concern is that cyber flashing cases might be too difficult to prosecute because of a lack of evidence. Right.

So we risk seeing women's confidence in the criminal justice system reduce even further because they bring it forward and they go, well, look, we don't have enough evidence.

Sorry, it was on Snapchat. Oh God, everything's erased. Don't know. Sorry. Yeah.
CHRIS KIRSCH
It reminds me of revenge porn problems, right? So let's say somebody posts pictures of you online and you want to get those pictures taken down.

You actually need to prove— I think this is in the US— I think you need to prove to the police that it's you.

So you need to either, you know, send the images plus a picture of your driver's license or some proof of identity.

If your head isn't in there, then you need to include a full body shot plus your driver's license and so on.

And it just— yeah, and it just makes it really hard for somebody who's already in a bad place and probably traumatized to get this stuff off the internet, right?
CAROLE THERIAULT
Yes. 100%.

I was listening, this one woman was saying that someone was basically doing this kind of revenge porn, but they'd taken her head and put it on a different body and then shared it around a bunch of forums.

So apparently that's not illegal, right? It's not illegal to do that at the moment because it's not your body, right?
GRAHAM CLULEY
So anyway, so it becomes— It is illegal, just to stress to the audience, so it is illegal to actually detach someone's head and sew it onto someone else's body.
CAROLE THERIAULT
Yes, maybe we should be clear, we're talking digitally. We're talking digitally.

So jokes aside, though, it's a big problem because one place, like you mentioned earlier, Graham, is public transport. So this is from Stylist magazine.

So this was someone writing a kind of, you know, this happened to me type of story. So she says, I was on the train to London for work.

I had a series of 5 images sent to me via AirDrop. Weirdly, they were telling a story. The first was a picture of someone getting on the train, a CGI mockup.

It was followed by a topless photo of a guy with his face covered, then by a picture of his crotch. I received messages saying, want more? But I had declined all of them.
GRAHAM CLULEY
Oh my God, this is absolutely—
CAROLE THERIAULT
I was trying to figure out how to turn off my AirDrop, right? I didn't even realize it was on, and I wasn't aware I could manage it.

And in the meantime, I got another picture, a full-on nude of his privates. And the thing was, there's only a few people in the carriage at this point.

It was really intimidating as I was the only female, and my phone would have shown up with my name. It isn't nice. Nima Elmi, she's head of public policy for Europe at Bumble.

So they did some big research into this.

And they said the research showed that almost half of women between the ages of 18 and 24 have received a sexual photo that they did not ask for in the last year. Oh, crap.

In the last year? Yes. Public transport's a place it's happening, but also it happens in schools, okay?

Someone reported that just after a math lesson, this woman's 14-year-old daughter received not one but five unsolicited pictures of different classmates' penises.

Okay, and they ganged— because they ganged up and thought it would be funny to send them all at once, said the mom.

And they watched her reaction as she opened them, and she got really upset, which they found hilarious. What?

So TESS, okay, so they work with 25,000 schools across 100 countries, right?

So they've done a bunch of research into this, and they said that 76% of girls between the ages of 12 and 18 have been sent unsolicited nude images of boys or men, which is, that's 3/4 of teens.

And the thing is, basically apparently what they say in tests is basically if you use Snapchat, you will be sent a dick pic.

And the biggest problem, the reason why this law is, in my view, a good idea is because the problem is school politics, right? Girls who get these are encouraged to laugh it off.

Yeah. Or called a snitch if they report the sender. And there's, of course, the shame factor that you're being targeted.

Claire McGlynn, she's a QC of Durham University, and she specializes in cyber flashing.

And she says this law is interesting, but the government must go further if it's going to live up to the rhetoric.

The current proposal only covers cyber flashing where you can prove that the person sent the image for sexual gratification or to cause distress.

This leaves a significant gap where men send the penis image for a laugh or a joke among their friends, in this case in the school, you can imagine that would be the retort.

We were just having a laugh. It wasn't to make her feel, you know, harassed. Yeah, it's so rampant.
CHRIS KIRSCH
I don't think you can have really a truly technical solution to this, right? I mean, there are some things that you can do.

You can turn off AirDrop, or you can reduce, you know, limit AirDrop to only known contacts, which would have helped for the public transportation, but not in school with her friends, right?
CAROLE THERIAULT
Exactly, exactly, exactly. So it is on, that's a really good point. So AirDrop on iPhones is turned on for contacts by default.

Now, if you're anything like me, I've got hundreds of contacts, hundreds and hundreds of contacts in my phone.

And I don't want all of them to be able to AirDrop me willy-nilly. You know, some people are just work contacts, like podcast contacts.
GRAHAM CLULEY
What if we took these photos, right?

When a photo's sent, and what we did was rather than, you know, very funny or something, or delete it or something, maybe there should be a way of actually blowing it up, you know, to a huge size and putting it on the side of the school or on a side, or, you know, putting it up in assembly on the big screen and say, oh, here.

Oh, shame them. Shame them. Absolutely. And saying, here's little Tommy Coggins or whatever from year 5, and this is his penis, everybody, which he wanted you all to see.

Let's all discuss it.
CAROLE THERIAULT
You're so, you're so 4 years ago. You're so 4 years ago because Cosmo, I went back and Cosmo had put out an article called 13 Genius Ways to Respond to Unsolicited Dick Pics.

Okay, I'll share a few with them, with you. One of them was critique them on a scale of 1 to 10, which is basically what you're saying to do, right?

The other one is, why is your pinky so ugly? That's what she would reply.
GRAHAM CLULEY
Oh, like the little finger. Yeah, I get it.
CAROLE THERIAULT
Yeah. And the other one was, I'd send pics of my poop, which, you know—
GRAHAM CLULEY
What? Cosmopolitan suggested that?
CAROLE THERIAULT
That would maybe put off a dick picker for life, actually, if that's what they got in return.
GRAHAM CLULEY
This is a horrible, horrible problem, and I'm really annoyed about it.

If I found out any son of mine were doing something like this, you just take their bloody phone away and say, don't be so bloody, you know, apologize to the girl and you're not having your phone until you're 18 years old.

And yeah, but yeah. Oh, I'm quite tough, aren't I?
CAROLE THERIAULT
Manly, I'd even say. Very masculine.
GRAHAM CLULEY
Kolide sends employees important, timely, and relevant security recommendations for their Linux, Mac and Windows devices right inside Slack.

Kolide is perfect for organizations that care deeply about compliance and security, but don't want to get there by locking down devices to the point where they become unusable.

So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems.

Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/kolide.

Enter your email when prompted and you will receive a free Kolide goodie bag after your trial activates.

You can try Kolide with all of its features on an unlimited number of devices for free for 14 days. No credit card required. Try it out at smashingsecurity.com/kolide.

That's smashingsecurity.com/kolide. Smashingsecurity.com/kolide. And thanks to Kolide for supporting the show.
CAROLE THERIAULT
Is your organization finding it difficult to achieve compliance and scale its security posture?

As G2's highest-rated cloud compliance software, Drata streamlines your SOC 2, your ISO 27001, your PCI DSS, your GDPR, and your HIPAA compliance.

Plus, it provides 24-hour continuous control monitoring so you can focus on scaling securely. Drata is the only compliance automation platform with a private tenant database.

They say it's like having your cake and securing it too.

Countless security professionals from companies including Notion, FullStory, and BambooHR have shared how crucial it is to have Drata as a trusted partner in their compliance process.

Listeners, you can get 10% off Drata and waived implementation fees by visiting smashingsecurity.com/drata. That's D-R-A-T-A. And thanks to Drata for sponsoring the show.
GRAHAM CLULEY
And welcome back. Can you join us on our favorite part of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
CHRIS KIRSCH
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
CAROLE THERIAULT
Please God, don't be.
GRAHAM CLULEY
Well, my pick of the week this week is not security-related. I'm sure we are all familiar with the popular podcast format of a true crime investigation.

The likes of Serial and all of the others. I mean, oh, you're just, you're listening to them and you're thinking, oh, this is fantastic. Isn't it? This is extraordinary.

Well, I have got an investigative mystery podcast for you headed by a journalist called Brian Thompson.

And the name of his podcast, which has been running for the last 5 years, over 240 episodes, is Whatever Happened to Pizza at McDonald's?
CHRIS KIRSCH
It's a niche audience. It's been going for 5 years.
GRAHAM CLULEY
And he goes in depth.

He started off quite simply ringing up his local McDonald's and asking them if they had pizza and them saying no and him saying, well, do you know why you don't have pizza any longer?

Because I believe you used to have pizza because apparently McDonald's used to do pizza in order to try and win the pizza business from all those pizza companies.

And he's trying to get to the bottom of it. Over time, the podcast has broadened out a little.

One of the latest episodes of the podcast, he looks into, as well as the pizza issue, which is central to the podcast, he also looks into Rod Stewart's model train set.

How the hell is that related?
CHRIS KIRSCH
I mean, I get ice cream at Starbucks or something like that.
GRAHAM CLULEY
The thing is, you've got to go deep into the conspiracy, Chris, right, to find out how all of these things are connected. Have you listened to any of it? Yes, I have.
CHRIS KIRSCH
All 240 episodes?
GRAHAM CLULEY
Not all 240, I must admit. There are a few, probably about 230 in the middle, I missed. But Brian Thompson, he's quite deadpan. I think you'd quite like this.

He's got a voice a little bit like the robot voice who introduces our podcast each week. So he says, "And so I called McDonald's to find out what they've got." I love that.

And I think it's amusing and it's done very well. And it is my pick of the week.
CHRIS KIRSCH
I will check that out and I will judge you incessantly if it's not good.
GRAHAM CLULEY
Whatever Happened to Pizza at McDonald's, it's called.
CHRIS KIRSCH
Chris, what's your pick of the week? All right, my pick of the week is a virtual reality game. So I think in the last one, I also presented a virtual reality game.

This is a different one because it's not one that you play by yourself, but then you play with others.

And I was looking for something, you know, my niece and nephew live over in Europe and I'm in the States. And so we don't get a lot of real FaceTime.

And, you know, even when we're having video chats or something, it's hard to keep a conversation going with little kids.

But if you can play together, then you can actually have a joint experience. And so I found this game called Cookout: A Sandwich Tale. And so you need at least two VR headsets.

I think it's available on other platforms as well. I have the Oculus. And essentially you are making sandwiches in a shop as line cooks and you're collaborating, right?

It's not working against each other. It's actually working with each other. And that I think makes it more fun.

And so you take orders from customers that are mice or rabbits or werewolves who like the bigger sandwiches. And it's really good fun because you can talk over the VR headset.

Obviously, you don't see the real person, you see an avatar. And you can talk and communicate.

The kids started squirting ketchup and mustard bottles all over the place and throwing plates at the werewolf, which I both do not recommend in real life.
CAROLE THERIAULT
And they had a really good time, you know. Can I ask how much a headset is about?
CHRIS KIRSCH
I think it's quite expensive. So in the US, I think it's $299. And in Europe, it was extremely expensive. I think it was about double in euros. Wow. And I don't quite know why. So yeah.

So that's kind of like the entry level. I think they have some with more storage and so on that go higher up.
GRAHAM CLULEY
I'm watching a video of this, the little trailer of it. And it does look quite impressive. I mean, it looks like a proper video game, doesn't it?

And it reminds me a little bit of Overcooked, which is like a more conventional video game where you're sort of helping each other cooking and chopping and things.

It does look like this would be a good way to keep in touch with youngsters and play a fun game with them. I can see why you would do this.
CHRIS KIRSCH
Yeah. And, you know, I think there is some good, it's good fun and it's also some good teaching opportunities because it's collaborative.

You can learn should we work on sandwiches together or split plates and— Yeah, so there's strategy involved. Yeah. You can teach them how to work in a corporate sweatshop.

You know, it's a good skill to have for later. And you don't have to clean up your kitchen afterwards. So it's really a good package. And I think it's about $20 or so.

So the game itself isn't too expensive if you've already invested in the headset. Obviously, the headset's quite expensive.
GRAHAM CLULEY
I think I'm too old though to do all this VR headset stuff. I think I'd— No, because I think I'd just feel nauseous, I imagine.
CHRIS KIRSCH
You host a technology podcast, Graham.
GRAHAM CLULEY
Yeah, I know, but my position is really to be the chief curmudgeon on the show.
CAROLE THERIAULT
You excel at it. You excel.
GRAHAM CLULEY
Carole, what's your pick of the week?
CAROLE THERIAULT
Okay, mine is a website, so I'm going to get you guys to go there now while I introduce it. So you'll see it in the show notes. If you see it. So it's stars.chromeexperiments.com.

Now this is an amazing site all about the stars, not celebs, right? But the real stars in the sky.
GRAHAM CLULEY
I'm zooming in. Hmm.
CAROLE THERIAULT
Oh, wow. Right? And you tour the solar system as you would Google Earth. Oh my goodness. Wow. And they've mashed it with high-level details from Wikipedia.

So when you click on a specific star, it provides you with tidbits and information.

So Graham, if you're there, you can see they give you a high-level tour and tell you how to use it. Oh yeah, I found it quite relaxing.

I imagine at night playing on this site would be quite beautiful if you couldn't sleep, right? Because it's quite beautiful the way you move around it, and it doesn't—
CHRIS KIRSCH
Wouldn't you just—couldn't you just go outside and look up?
CAROLE THERIAULT
Well, we live in the UK, and we see stars maybe 4% of the time because it's normally cloudy. So, and I also live in a city so that kind of kills that as well.

But yeah, totally, if you've got the real thing. So I don't know, I think it was quite beautiful. I think it's quite fun.

If you want to learn a bit about the stars that burn hot way, way up in the sky, this might be for you, and might be a great way to spend your tea break.

So check it out at stars.chromeexperiments.com, and of course, link will be in the show notes.
GRAHAM CLULEY
And that's my pick of the week. I quite like this, Chris. I'm quite—in fact, it's my little boy's birthday coming up, and I've bought him a telescope.
CAROLE THERIAULT
Well, there you go.
GRAHAM CLULEY
We're going to be looking at the moon and maybe at some of the stars.
CAROLE THERIAULT
And then you can use this site to go—have you found this? Because some of them are, you know, obviously the big ones that are there are the ones that you're probably going to see.
GRAHAM CLULEY
Very interesting. Very cute site. I like it. Cool. Wonderful. Well, that just about wraps up the show for this week.

Chris, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
CHRIS KIRSCH
So easiest is probably @Chris_Kirsch, that's K-I-R-S-C-H on Twitter. You can also find me on LinkedIn by the same name.

And if you'd like to try out Rumble, you can do that at rumble.run as in run and scan your networks in minutes. So check that out. Thank you.
GRAHAM CLULEY
Fantastic. And you can follow us on Twitter @SmashingSecurity, no G, Twitter allows us to have a G, and we also have a Smashing Security subreddit.

And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.
CAROLE THERIAULT
And massive shout out to this episode's sponsors, Kolide and Drata, and to our wonderful Patreon community. It's thanks to them and best of all, this show is free.

For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 265 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio, bye-bye. Bye. Auf Wiedersehen. Auf Wiedersehen.
CAROLE THERIAULT
Do you know, I learned a German song once.
GRAHAM CLULEY
Okay. Oh, this could be dangerous.
CHRIS KIRSCH
Now you're telling us.
CAROLE THERIAULT
I'm going to sing it now. Okay. And you can tell them what it means because I'm not actually sure. I know it's not right. That's the only words. And you just changed. Okay.

That's all I know.
CHRIS KIRSCH
And you don't know what it means?
CAROLE THERIAULT
Well, I think it has something to do with beer drinking. Yes. Right?
CHRIS KIRSCH
Is that right? Obviously.
GRAHAM CLULEY
All German songs have something to do with beer drinking, correct? It was a lucky guess on his part.
CHRIS KIRSCH
Yeah, no, it's either— Yeah, they're either beer drinking or fairy tales where something horrible happens and you tell it to kids. So those are the two types of German songs.

See, today I learned.

Basically, loosely translated, because it's a really weird song and the lyrics aren't very complicated, it means like, oh, one more, you can fit one more in, meaning one more beer, right?

Hopefully we're not thinking of the segment that Carole presented earlier, right?
CAROLE THERIAULT
I'm going to stop this podcast.
GRAHAM CLULEY
Yes, please. Please.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Chris Kirsch – @chris_kirsch

Show notes:

Sponsor: Kolide

At Kolide, we believe the supposedly Average Person is the key to unlocking a new class of security detection, compliance, and threat remediation. So do the hundreds of organizations that send important security notifications to employees from Kolide’s Slack app.

Collectively, we know that organizations can dramatically lower the actual risks they will likely face with a structured, message-based approach. More importantly, they’ll be able to engage end-users to fix nuanced problems that can’t be automated.

Try Kolide Free for 14 Days; no credit card required.

Sponsor: Drata

Is your organization finding it difficult to achieve compliance and scale its security posture? As G2’s highest-rated cloud compliance software, Drata streamlines your SOC 2, ISO 27001, PCI DSS, GDPR & HIPAA compliance and provides 24-hour continuous control monitoring so you focus on scaling securely. Drata is also the only compliance automation platform with a private tenant database. That’s like having your cake and securing it too.

Countless security professionals from companies including Notion, FullStory, & BambooHR have shared how crucial it has been to have Drata as a trusted partner in the compliance process.

Listeners of Smashing Security can get 10% off Drata and waived implementation fees at smashingsecurity.com/drata

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.