We’re back from our summer break as we ask how did a cryptomining campaign stay unspotted for years, quiz special guest and infosec rockstar Mikko Hyppönen about his book, and ponder what spiders teach us about misinformation.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Warning: This podcast may contain nuts, adult themes, and rude language.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
This is Mikko Hypponen. I'm an infosec rock star and I listen to Smashing Security podcast every time I go to a sauna. And I go to a sauna a lot. Smashing Security, episode 287.
Lost in Translation, Spiders, and Slapping Tortillas with Carole Theriault and Graham Cluley.
Lost in Translation, Spiders, and Slapping Tortillas with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 287. My name's Graham Cluley.
Hi, and I'm Carole Theriault.
Welcome back, Carole. We've had our little summer holiday and we're back, folks, and we're joined by a special guest. Carole, who've we got in the hot seat this week?
We have cybersecurity czar Mikko Hypponen, who has just written a new book called If it's smart, it's vulnerable.
And we're gonna chat all about that during your section, aren't we today, Mikko?
And we're gonna chat all about that during your section, aren't we today, Mikko?
Well, yes we are. And thanks for having me, both of you, Graham and Carole.
We love having you here, and especially on our first show after the holidays, which is gonna be probably a car crash. So we're glad someone to witness it.
We've forgotten how to make podcasts, haven't we?
Exactly.
4 weeks off.
Exactly. But let's, what, should we kick off, Graham?
Should we try this?
Sure, go for it. All right.
Well, now before we kick off, let's just thank this week's sponsors, Bitwarden, Kolide, and Gigamon. It's their support that helps us give you this show for free.
Coming up on today's show, Graham, what do you got?
Coming up on today's show, Graham, what do you got?
Oh, I'm going to be completely lost in translation.
Ooh, Mikko, what about you?
Well, I'm just here to plug my new book.
That's good.
And I will be entering the world of creepy crawlies. All this and much more coming up on this episode of Smashing Security.
Ustavaat, ustaavaat, chums, chums. Pun sinuul panaan Google... I'm speaking to you today by Google Translate because Mikko Hypponen is in the room.
And Mikko... Did he make any sense?
This is painful. Please make it end.
I'm trying to make you feel comfortable. I'm using Google Translate to use some of those phrases you may be familiar with. I've done some research online.
I found that Finns, they aren't ever in a very bad mood. They're "kuunpirsasin ammutukahu." Yeah, it's like a bear shot in the ass. Is that right?
I found that Finns, they aren't ever in a very bad mood. They're "kuunpirsasin ammutukahu." Yeah, it's like a bear shot in the ass. Is that right?
Does he sound like a native, Mikko?
Yes. No, he doesn't. No, no. It's actually, it's said "kuunpirsäsen ammutukahu." That's how you would say it.
Yeah, well, more or less.
It's kind of sexy the way he says it.
People aren't crazy. They have— one of the moulins has left the valley or something. Is the phrase having a coupon short of a toaster rack.
All of these wonderful— Finns don't apparently get big-headed. They have piss coming up their head. Is that right? Nussekkusipahan?
All of these wonderful— Finns don't apparently get big-headed. They have piss coming up their head. Is that right? Nussekkusipahan?
Nussekkusipahan, indeed.
Yes, yes.
How can you describe that? Can you explain piss coming up to their head?
Yes, yes. Basically, you know, I suppose the idea is that if you never take a leak, eventually the piss will reach your brains.
And not taking a leak is big-headed?
I don't know.
It's an unwise thing maybe in Finland, although you'd think with all that cold, it would actually be sensible not to have a wee sometimes.
But Mikko, I've never failed to be impressed by people who speak another language fluently. You're at all impressed with me?
But Mikko, I've never failed to be impressed by people who speak another language fluently. You're at all impressed with me?
I'm very impressed.
Thank you.
Yes, this is amazing. Well, I have to add you one of the phrases we use here, maybe the most Finnish of them all.
When we tell someone to get the hell out of here, we simply tell them to ski to a—
When we tell someone to get the hell out of here, we simply tell them to ski to a—
And that beep you heard was for the benefit of our sponsors this week.
And our American listeners.
But the truth is, it's not very easy for some of us to take on a foreign language. And that's why many of us will use a translation tool like Google Translate.
Google Translate is amazing. It's been around since 2006. We probably all take it for granted by now. It's been around over 15 years.
Hundreds of millions of people are using it all of the time. It's not perfect, of course. Sometimes it struggles with some language combinations.
I see that it's still not handling Klingon, for instance.
Google Translate is amazing. It's been around since 2006. We probably all take it for granted by now. It's been around over 15 years.
Hundreds of millions of people are using it all of the time. It's not perfect, of course. Sometimes it struggles with some language combinations.
I see that it's still not handling Klingon, for instance.
That's outrageous.
Well, Carole, I'm not surprised you're outraged, because of course you managed to convince the developers at Sophos to translate Sophos antivirus into Klingon not so many years ago.
Well, I say not so many years ago, 2009. In the before times.
Well, I say not so many years ago, 2009. In the before times.
So that's what happened.
Antivirus companies were busy doing rather than stopping malware, translating their software into Klingon way back then.
And just like Google, you know, people were suspicious of Google because they give you all these free tools, but of course they're really data mining you and finding out what you're up to and learning all about you.
And just like Google, you know, people were suspicious of Google because they give you all these free tools, but of course they're really data mining you and finding out what you're up to and learning all about you.
Well, both are true. I don't think those are mutually exclusive things, right?
Well, no, but I mean it. I mean, with the Klingon antivirus, we were also using that in an underhand way to find information about our customers. Yes, yes.
Shut up.
You may have forgotten, Carole, that we did a press release naming the capital cities for Klingon speakers around the world.
'Cause we looked at—we analysed the data for where the Klingon antivirus was being downloaded.
'Cause we looked at—we analysed the data for where the Klingon antivirus was being downloaded.
Yes, where the next Klingon Empire might show up on Earth. We were ready.
And the number one city in the world? Helsinki. And who do we have here?
Mikko!
Beating Manchester. And I can't—
I can't explain that either, and I don't speak Klingon myself.
Strange, isn't it? So why am I talking about Google Translate?
Well, the boffins at Check Point have just released some research about some malware they've discovered just recently called NitroCod. What do you—
Well, the boffins at Check Point have just released some research about some malware they've discovered just recently called NitroCod. What do you—
You obviously have something to say about the name. What do you think about that name?
What, NitroCod? Bit fishy. I could say that, maybe. It's—be an obvious one to do, but—
I missed you, Clue.
I missed you.
Yeah.
Yeah, they picked the name because the domain was available.
Yes, probably. NitroCod, it sounds like a fish superhero really, doesn't it? Something from the Marvel Universe.
But NitroCod is apparently a crypto mining— yes, people are still crypto mining— a crypto mining malware campaign which has infected computers in at least 11 countries.
They reckon thousands of computers may have been infected.
And what's interesting about it is that NitroCod has been distributed for years without anyone noticing on free software download sites.
And these weren't download sites you'd never heard of at some dodgy domain.com, places like Softpedia, which is a fairly, you know, well-established place where millions and millions of downloads are happening every day.
And so NitroCod was being downloaded, posing as tools with names like Google Translate Desktop.
And the blurb for this download says that it's the desktop version of the free Google Translate online service that we all know and love. Says that it's 100% clean.
But NitroCod is apparently a crypto mining— yes, people are still crypto mining— a crypto mining malware campaign which has infected computers in at least 11 countries.
They reckon thousands of computers may have been infected.
And what's interesting about it is that NitroCod has been distributed for years without anyone noticing on free software download sites.
And these weren't download sites you'd never heard of at some dodgy domain.com, places like Softpedia, which is a fairly, you know, well-established place where millions and millions of downloads are happening every day.
And so NitroCod was being downloaded, posing as tools with names like Google Translate Desktop.
And the blurb for this download says that it's the desktop version of the free Google Translate online service that we all know and love. Says that it's 100% clean.
I trust that.
Right.
And Google would never say that.
Their lawyers wouldn't let them, probably. Exactly.
Exactly.
We guarantee you nothing. You know, it may well obliterate your drive. Who knows what? So why would you want a desktop version of Google Translate anyway?
Yeah, why would you do that? I mean, if you have a computer, you could just go to the web.
Yeah.
That's what I do.
Yeah. You would if you have an internet connection. I mean, there are situations possibly where you don't have an internet connection.
Maybe you're in the European Union, you've visited Europe, and your country has left the European Union, and so data plans are now very, very expensive when you go overseas.
And so you think, I'm turning off my bloody internet while I'm over there.
But you want to translate, you know, 'avez-vous' and 'baguette' or whatever it is into— Well, that was actually in French, wasn't it?
Maybe you're in the European Union, you've visited Europe, and your country has left the European Union, and so data plans are now very, very expensive when you go overseas.
And so you think, I'm turning off my bloody internet while I'm over there.
But you want to translate, you know, 'avez-vous' and 'baguette' or whatever it is into— Well, that was actually in French, wasn't it?
Do you have a baguette, Graham? Not at the moment.
No, Carole. I mean, it's not that sort of podcast. What do you— Just joking. But it'd be handy to translate something, even if you're offline sometimes.
But the weird thing is this: this desktop app actually works. The way in which it works is it runs a Chromium browser inside an app. So it takes you to— What?
Have you noticed there are quite a lot of these so-called apps which actually run a web browser inside a sort of frame. No. Have you not seen this?
But the weird thing is this: this desktop app actually works. The way in which it works is it runs a Chromium browser inside an app. So it takes you to— What?
Have you noticed there are quite a lot of these so-called apps which actually run a web browser inside a sort of frame. No. Have you not seen this?
Well, I don't download enough apps, I guess. Like what? Can you give us examples?
Well, there are things like, for instance, you— there may be like, oh, so Gmail, right?
People use Gmail, but— and people want the Gmail user experience, but they'd like it in an app for their particular flavour of computer.
And so you install this app and then you find out, hang on a minute, this is so much like Gmail. Oh, it actually is Gmail.
What they've done is they've put a Chromium browser inside the app, which is going to Gmail. What is the bloody point of this? I don't know.
So you still need an internet connection for the darn thing to work. So not really as useful as you might imagine. Quite pointless, really.
And of course, some people choose to download it because they think that's what they really need and it's free. And surprise, surprise, these particular desktop apps are malicious.
They don't really come from Google, of course.
And even though they do translate your words because they're just running Google Translate in a browser inside an app, what they're doing is something rather fishy underneath, which is that after 4 weeks or so of you running it, something like a month after you first install it, it is actually beginning to do the crypto mining.
It's beginning to mine for cryptocurrency in the background, using up your Windows computer's resources.
Chugging away while you're trying to translate, "My hovercraft is full of eels." Thank God you're here, Mikko.
People use Gmail, but— and people want the Gmail user experience, but they'd like it in an app for their particular flavour of computer.
And so you install this app and then you find out, hang on a minute, this is so much like Gmail. Oh, it actually is Gmail.
What they've done is they've put a Chromium browser inside the app, which is going to Gmail. What is the bloody point of this? I don't know.
So you still need an internet connection for the darn thing to work. So not really as useful as you might imagine. Quite pointless, really.
And of course, some people choose to download it because they think that's what they really need and it's free. And surprise, surprise, these particular desktop apps are malicious.
They don't really come from Google, of course.
And even though they do translate your words because they're just running Google Translate in a browser inside an app, what they're doing is something rather fishy underneath, which is that after 4 weeks or so of you running it, something like a month after you first install it, it is actually beginning to do the crypto mining.
It's beginning to mine for cryptocurrency in the background, using up your Windows computer's resources.
Chugging away while you're trying to translate, "My hovercraft is full of eels." Thank God you're here, Mikko.
Thank God.
Yeah, so it's doing all this dirty work, but it's deliberately taken a long time before it begins.
And so the antivirus research labs, the people who are analyzing the malware or the automated systems which are analyzing files, trying to determine whether it's something malicious, Well, they're not running for a month.
They're not doing multiple restarts of the device. They're not going to that extent to see if anything strange ever happens.
And so the antivirus research labs, the people who are analyzing the malware or the automated systems which are analyzing files, trying to determine whether it's something malicious, Well, they're not running for a month.
They're not doing multiple restarts of the device. They're not going to that extent to see if anything strange ever happens.
So what you're saying is they make it actually work for a long time and everyone's comfortable with how it works and then they start data mining.
Exactly. Well, not data mining. Crypto mining. Crypto mining. Yeah, crypto mining. Which I'm surprised, I didn't know anyone was still doing.
I thought crypto mining was sort of a bit 2018.
I thought crypto mining was sort of a bit 2018.
It is a bit passé. It is, you know.
Well, it depends on what they're mining for. Obviously not for bitcoin or Ethereum. It's going to be something more niche.
But if there's money to be made, someone's going to try to make it.
But if there's money to be made, someone's going to try to make it.
Mm-hmm.
Yeah. Yeah. So it's an attempt to avoid detection in sandboxes.
And it's also looking for known virtual machine processes to see if someone's trying to analyze what it does inside of sort of secure bubble.
It's also looking for security products if they're on the computer, because if they are, it thinks, oh, I don't want anything behavioral picking up what I'm doing.
And then it will just simply exploit. But according to Check Point, this has allowed this campaign to successfully operate under the radar for years, and it's been unnoticed.
This Turkish developer, they say, NitroCod, has been popping it out.
And it's also looking for known virtual machine processes to see if someone's trying to analyze what it does inside of sort of secure bubble.
It's also looking for security products if they're on the computer, because if they are, it thinks, oh, I don't want anything behavioral picking up what I'm doing.
And then it will just simply exploit. But according to Check Point, this has allowed this campaign to successfully operate under the radar for years, and it's been unnoticed.
This Turkish developer, they say, NitroCod, has been popping it out.
It's quite clever, actually. I mean, not just from the point of view of security companies, but also from the point of view of the victims.
I mean, of course, they might notice that, you know, my fan is going crazy on my laptop and my machine is really hot, but they don't really realize what's going on and which app it might be because they didn't install anything recently.
If they installed something a month ago, they're gonna forget all about it.
I mean, of course, they might notice that, you know, my fan is going crazy on my laptop and my machine is really hot, but they don't really realize what's going on and which app it might be because they didn't install anything recently.
If they installed something a month ago, they're gonna forget all about it.
And also they're thinking, maybe I need to get a new laptop, it's not working properly.
Well, it occurs to me that you could write a piece of crypto mining malware which only activated during the summer months. So we've just had a heat wave across much of Europe.
A piece of malware could do a lookup at a local weather site or something.
A piece of malware could do a lookup at a local weather site or something.
Oh, the climate crisis is actually a good thing. Is that what you're trying to say?
I think they're just going to say, oh, you know, well, this is an ideal time to turn on the fan and all the rest of it and use up lots of GPU or CPU and all cycles on the computer because their fan's going to be going hell for leather anyway, trying to keep cool in this weather.
Graham, once again, I hate the way you think.
Yes.
So—
Hear, hear.
My advice. Don't install—
Don't listen to his advice, people.
Don't install desktop translation software. If you need a quick translation offline, hire a Finnish person. Mikko's available in between plugging his book.
Yeah, hit him up on Twitter for translations.
Anyway, Mikko, mitä tarina sinula on niitä tala orkkojolla? Mikko, what story do you have for us this week?
Well— I actually want to add something on top of what you just said about Chromium being embedded into applications.
And it just reminded me of something I learned last week, which is that Google Chrome, the web browser, actually has a full-blown antivirus program built in.
Oh, yes, it's the Chrome Cleanup, which you can actually access from the address bar by typing in chrome://settings/cleanup, and then it will scan your computer and find malicious programs and clean them up.
Apparently they licensed this from ESET, so it is a real full-blown antivirus product.
Our programs have become so huge, you can just throw in an additional antivirus and no one's going to notice.
And it just reminded me of something I learned last week, which is that Google Chrome, the web browser, actually has a full-blown antivirus program built in.
Oh, yes, it's the Chrome Cleanup, which you can actually access from the address bar by typing in chrome://settings/cleanup, and then it will scan your computer and find malicious programs and clean them up.
Apparently they licensed this from ESET, so it is a real full-blown antivirus product.
Our programs have become so huge, you can just throw in an additional antivirus and no one's going to notice.
I'm also surprised no cybersecurity companies have launched an antitrust suit against Google for, you know, shipping this antivirus in with all of their popular browsers.
Maybe they could claim it's anti-competitive. I don't know.
Maybe they could claim it's anti-competitive. I don't know.
Well, they didn't know. They're going to learn about it now from the Smashing Security podcast.
Exactly. This is where news breaks, people. This is it.
Anyway, I've been busy for the last two years on my book project, so I'm really happy I have a book out now.
It was released in early August by Wiley globally in a language all of the listeners can understand, which is English.
I did write the book originally in Finnish, and it came out here in Finland already last year, but now it's published by Wiley, and it's called "If It's Smart, It's Vulnerable." And that wasn't the original title either.
The original name for the book here in Finland was simply "Internet," because surprisingly, nobody had written a book called "Internet" before, so I did.
It was released in early August by Wiley globally in a language all of the listeners can understand, which is English.
I did write the book originally in Finnish, and it came out here in Finland already last year, but now it's published by Wiley, and it's called "If It's Smart, It's Vulnerable." And that wasn't the original title either.
The original name for the book here in Finland was simply "Internet," because surprisingly, nobody had written a book called "Internet" before, so I did.
But there might be a reason, Mikko, why they hadn't written a book called "Internet" before, because it would be terrible search engine optimization for anyone trying to find it online.
Oh, okay. Well, that's true. That's true.
And I did get a couple of funny-looking screenshots from people who were downloading ebook version of my book, which simply says downloading internet. Please wait.
Anyway, we had to change the title, not just because maybe of the reasons you mentioned, but my international publisher didn't the title.
We went through tons of different English titles. Finally, Wiley simply told me that, hold on, Mikko, there's a law named after you, the Hyppönen Law.
We should use that as the book title.
And I did get a couple of funny-looking screenshots from people who were downloading ebook version of my book, which simply says downloading internet. Please wait.
Anyway, we had to change the title, not just because maybe of the reasons you mentioned, but my international publisher didn't the title.
We went through tons of different English titles. Finally, Wiley simply told me that, hold on, Mikko, there's a law named after you, the Hyppönen Law.
We should use that as the book title.
And this wasn't a law because you had done something wrong?
It wasn't a law that was like, yeah, you're a murderer and we need— It wasn't throttling people with a ponytail or some sort of thing like that? No.
It wasn't a law that was like, yeah, you're a murderer and we need— It wasn't throttling people with a ponytail or some sort of thing like that? No.
Okay. No, Graham. No, it's not. Funnily enough, now that you mention it, Mikko Hypponen is not a rare name.
There's plenty of people called Mikko Hypponen, including a convicted murderer.
There's plenty of people called Mikko Hypponen, including a convicted murderer.
So, oh, oh, that's interesting. Conspiracy theory, conspiracy theories.
And this is one of the reasons why I've been trying to get verified on Twitter. Ah, but, you know, no such luck.
So you've written a book for the last— so basically, while most of us were wearing pajamas for the last two years during the pandemic, you wrote a book. And so what did you cover?
Can you give us an outline for our listeners that haven't, you know...
Can you give us an outline for our listeners that haven't, you know...
Well, the title is a reference to smart devices and IoT devices, and that's one of the big themes of the books, why everything is going online, why all the devices are becoming smart.
How is that a problem for security? What could we be doing about it? However, it's not just about that.
It's actually a combination of the things that I think I've learned over the last 31 years.
So there's lots of topics covered— malware evolution, organized cybercrime gangs, online espionage, cyberwar, future of information security, and then tons of stories because I know people like stories and I've collected the best stories from my career.
How is that a problem for security? What could we be doing about it? However, it's not just about that.
It's actually a combination of the things that I think I've learned over the last 31 years.
So there's lots of topics covered— malware evolution, organized cybercrime gangs, online espionage, cyberwar, future of information security, and then tons of stories because I know people like stories and I've collected the best stories from my career.
Yeah. And anyone who's listening to Mikko now and going, God, he sounds good, right? But does he really know his stuff? I can promise he does.
And you could actually— didn't you do a TED Talk once?
And you could actually— didn't you do a TED Talk once?
I did, yeah.
Yeah, actually, this book project started after I did my TED Talk in 2011 because I was back then contacted by multiple publishers and they were all telling me that, you know, you should write a book, write a book, we'll publish it for you.
All TED speakers publish a book. You should do a book, Mikko.
And I tried for all this time, I tried, but with the travel rate I've been sustaining for the last 10 years, it wasn't going anywhere.
So it did really take a pandemic for me to finish this project.
Yeah, actually, this book project started after I did my TED Talk in 2011 because I was back then contacted by multiple publishers and they were all telling me that, you know, you should write a book, write a book, we'll publish it for you.
All TED speakers publish a book. You should do a book, Mikko.
And I tried for all this time, I tried, but with the travel rate I've been sustaining for the last 10 years, it wasn't going anywhere.
So it did really take a pandemic for me to finish this project.
So Mikko, you've been working in the world of cybersecurity for so very long.
Well, he's not that old. He's not ancient.
Well, he's about as old as me. I mean, what is—
Oh, he doesn't look it.
What are the—
Carole, please behave.
What are some of the craziest things you've heard about? What sort of things have surprised you or just been shocking to you?
Maybe when it comes to things like— Well, you talked about Mikko's Law, which is that if it's smart, it's vulnerable.
When it comes to IoT devices, what are some of the maddest things you've heard about there?
Maybe when it comes to things like— Well, you talked about Mikko's Law, which is that if it's smart, it's vulnerable.
When it comes to IoT devices, what are some of the maddest things you've heard about there?
Well, I remember when the first Mirai botnet versions came out, that was the first major botnet infecting IoT devices to build denial of service botnets.
Before that, all denial of service botnets were being built from infected computers, and now these attackers were going after something else than computers.
And we were fingerprinting infected devices and we found all kinds of weird things, including heat pumps. So these things people keep in their houses for AC and for heating.
And while doing IP range scanning, we found infected heat pumps from this one company. And we actually were able to identify the company.
So I called them up and I ended up speaking with this—
Before that, all denial of service botnets were being built from infected computers, and now these attackers were going after something else than computers.
And we were fingerprinting infected devices and we found all kinds of weird things, including heat pumps. So these things people keep in their houses for AC and for heating.
And while doing IP range scanning, we found infected heat pumps from this one company. And we actually were able to identify the company.
So I called them up and I ended up speaking with this—
Did you call them up? You dialed the number?
Yep.
Personally? I spoke to them. I spoke with them. And they were like, yeah, hello, and I explained, hello, this is Mikko Hypponen, we work with information security.
They said, you're not the Mikko Hypponen who's the murderer, they said, you know, just reassurance.
I was going to say, Mikko what? Sorry?
You're not verified on Twitter, you can't be, you know, who are you calling us?
I should have never told them about the murderer, you know.
Nevertheless, I explained to them that, you know, there's this massively large outbreak going around, they've built this botnet, which is right now launching an attack against the root DNS servers of the internet.
So the whole internet has been slowed down because of this attack. And one of the nodes which is doing the attack is the heat pump in your office.
And they were like, oh, well, interesting. And they were like, well, it works fine. They're not going to do anything about it.
Like, why would we care as long as it works and pumps heat, why do I care? And that's when I realized that these kind of problems will not be fixed by the end users.
It has to be fixed by the manufacturers.
Nevertheless, I explained to them that, you know, there's this massively large outbreak going around, they've built this botnet, which is right now launching an attack against the root DNS servers of the internet.
So the whole internet has been slowed down because of this attack. And one of the nodes which is doing the attack is the heat pump in your office.
And they were like, oh, well, interesting. And they were like, well, it works fine. They're not going to do anything about it.
Like, why would we care as long as it works and pumps heat, why do I care? And that's when I realized that these kind of problems will not be fixed by the end users.
It has to be fixed by the manufacturers.
Yeah, 100%. We had someone on recently who was talking about his relationship with law enforcement as a journalist. He was an investigative journalist.
Have you been able to work with law enforcement to catch people? Do you talk about that in the book?
Have you been able to work with law enforcement to catch people? Do you talk about that in the book?
Yep, there's stories in the book about that as well.
I've been involved in multiple cases where we've tracked down people, at least, we believe the right persons behind various different cases.
Then we worked with the law enforcement, and of course we can't arrest people. We're just company, you know, we're civilians.
But there have been arrests and convictions based on the work we've done, and I cover some of those cases in the book. And that is very rewarding.
But then again, I've also learned through these years that when you work with law enforcement with cases like this, it is a very one-way road.
I mean, they're very happy to accept information and evidence and logs and things, but then they don't really tell you what they're doing until something like an arrest happens.
I've been involved in multiple cases where we've tracked down people, at least, we believe the right persons behind various different cases.
Then we worked with the law enforcement, and of course we can't arrest people. We're just company, you know, we're civilians.
But there have been arrests and convictions based on the work we've done, and I cover some of those cases in the book. And that is very rewarding.
But then again, I've also learned through these years that when you work with law enforcement with cases like this, it is a very one-way road.
I mean, they're very happy to accept information and evidence and logs and things, but then they don't really tell you what they're doing until something like an arrest happens.
Oh, you see, so it's unfulfilling at the time. I imagine that because you pour your heart out trying to do the right thing and you hear nothing. You don't even get a pat on the head.
Yep, yep.
Have you ever felt frustrated by that, Mikko? Have you ever wanted to go in Dirty Harry style and actually round— because it is frustrating, isn't it?
If you know who's behind an attack and maybe the law enforcement in that particular country are turning a blind eye, or maybe the process is taking far, far too long, have you ever thought, you know, there should be another way of dealing with this?
If you know who's behind an attack and maybe the law enforcement in that particular country are turning a blind eye, or maybe the process is taking far, far too long, have you ever thought, you know, there should be another way of dealing with this?
Well, I've been frustrated especially with the sentences, especially in Western countries, let's say EU countries or European countries.
It's, we're not really giving the kind of sentences that we should be giving if we really would like to show the example to potential new online criminals that crime doesn't pay.
It's, we're not really giving the kind of sentences that we should be giving if we really would like to show the example to potential new online criminals that crime doesn't pay.
This is fascinating. What do you think the typical sentence is and what should it be?
Well, I've worked with many cases where people have been caught for computer crime before, they've been sentenced before, they've got a probation sentence, they would have gotten jail time, but it's first-timers, so you go free.
Then they get caught again, they get sentenced again.
And me, as not an expert of law, I would always assume that if you are already sitting a probation sentence and you get caught again, now you're going to go to jail.
Turns out that's not the case. There's been multiple cases where they get found again and sentenced again, and they're still not going to jail.
And that's not really giving any kind of an example for potential newcomers. So yeah.
Then they get caught again, they get sentenced again.
And me, as not an expert of law, I would always assume that if you are already sitting a probation sentence and you get caught again, now you're going to go to jail.
Turns out that's not the case. There's been multiple cases where they get found again and sentenced again, and they're still not going to jail.
And that's not really giving any kind of an example for potential newcomers. So yeah.
And it's scary for us because normally the people that get really hurt in these situations, like in ransomware situations or all this, it's the customer.
It's the customer whose data has been stolen or computer has been infected from through some provider that they're using. And it can be difficult, right?
Like no one's there to save you.
It's the customer whose data has been stolen or computer has been infected from through some provider that they're using. And it can be difficult, right?
Like no one's there to save you.
Yeah.
And the upsides are so obvious. The last time I was here as your guest, we spoke about cybercrime unicorns and about how much money these biggest gangs are making.
So there's plenty of young people seeing these criminal hackers as their heroes.
Like these guys are driving around in Rolls-Royces and Lambos and, you know, they want to do the same. And that's not what we want to see happening.
So there's plenty of young people seeing these criminal hackers as their heroes.
Like these guys are driving around in Rolls-Royces and Lambos and, you know, they want to do the same. And that's not what we want to see happening.
I don't even want to see a Lamborghini on the roads. Like, I don't know if they know about the energy crisis, but yeah, can you just, can you just not? Electric cars, please.
So I've got a follow-on question from that.
Sometimes what we've seen is cybercriminals who've become so notorious that they actually have a bit of a public image and they can then be the bad boys and they can start a career maybe as a security consultant or maybe as, dare I say, a TED speaker or a public speaker or something like that.
So people— Yes, I know people who end up, they go from the criminal world to the good world, but they're almost trading on their past crimes. What do you think about that?
Do you think, I mean, it's better than them carrying on committing crimes, I suppose, Does it leave a bad taste in the mouth?
Sometimes what we've seen is cybercriminals who've become so notorious that they actually have a bit of a public image and they can then be the bad boys and they can start a career maybe as a security consultant or maybe as, dare I say, a TED speaker or a public speaker or something like that.
So people— Yes, I know people who end up, they go from the criminal world to the good world, but they're almost trading on their past crimes. What do you think about that?
Do you think, I mean, it's better than them carrying on committing crimes, I suppose, Does it leave a bad taste in the mouth?
You can say pass on that one.
It does for me.
When someone gets caught for breaking the law and they get sentenced and they pay their dues, they pay their debt to the society, of course, we as a society should welcome them back as much as we can.
That's why we want to rehabilitate all kinds of criminals, including cybercriminals.
So I might not be interested in hiring people with a criminal record, but if they can turn their past into a future career, I'm not really going to hold that against them.
That's why we want to rehabilitate all kinds of criminals, including cybercriminals.
So I might not be interested in hiring people with a criminal record, but if they can turn their past into a future career, I'm not really going to hold that against them.
Especially if it helps people, right? If they're providing good advice and solid information. It's okay, Graham. Some people do bad stuff. I've done bad stuff before. Now I'm good.
Oh, tell us, No! Well, please.
Of course I'm not going to.
Anyway, it's a great book. I've had a chance to read it. Thank you so much, Mikko.
Tell us again the name of the book.
It is If It's Smart, It's Vulnerable.
If It's Smart, It's Vulnerable.
Available in all good bookshops and probably on Amazon as well.
Excellent.
There you go, listeners. Run, don't dawdle.
Carole, what have you got for us this week?
So creepy crawlies, and more specifically the 8-legged kind. And I actually should probably issue a trigger warning, right?
Because I'm sure some of our listeners might pale at the thought of a spider. And if that's the case, skip forward about 12 minutes to the Pick of the Week section.
So let's start with you, Mikko. What's your relationship with spiders?
Because I'm sure some of our listeners might pale at the thought of a spider. And if that's the case, skip forward about 12 minutes to the Pick of the Week section.
So let's start with you, Mikko. What's your relationship with spiders?
Well, I do like the World Wide Web.
And that's why you're on a comedy podcast. No, but if there was a big spider in the corner of your room in your house, what's your immediate reaction?
And is it different from anyone else in your household?
And is it different from anyone else in your household?
I don't know. I don't really mind them. There's plenty of spiders around here.
I think my attitude changed a couple of years ago when I saw a photo special in some magazine or newspaper where they had close-ups of spiders and their faces, because spiders have faces and they look...
they look friendly. They don't look scary at all.
I think my attitude changed a couple of years ago when I saw a photo special in some magazine or newspaper where they had close-ups of spiders and their faces, because spiders have faces and they look...
they look friendly. They don't look scary at all.
They've got a nice smile, haven't they? Yeah, they've got a glint in their eyes. Yeah, they're all right.
They've got a smile.
Yeah. So I don't mind them.
They're good at tap dancing as well.
Cluley, what about you? If there's a spider in the corner of your house?
Well, yeah, I mean, I'm in England, which means that, you know, the spiders are completely harmless. So I'm fine with that.
Oh, you think so?
Interesting. I think they are, aren't they?
Interesting. Yeah, no, we're going to talk about that later. Because we've had a friend, Graham, actually, do you remember?
About 10 years ago, a friend, we were still at work and a colleague called us in a panic because they wanted to have a barbecue, but they had a great massive huge spider that made the barbecue lid its home.
About 10 years ago, a friend, we were still at work and a colleague called us in a panic because they wanted to have a barbecue, but they had a great massive huge spider that made the barbecue lid its home.
Yeah, we won't name her, but it's Yogi you're talking about, isn't it? Yeah.
And we drove over in an emergency because she was panicked, you know, and tiny, tiny little spider in the lid of a barbecue, right?
At least it wasn't a butterfly. Those she was particularly terrified of.
Anyway, I want to introduce you to an arachnologist at McGill University in Montreal named Catherine Scott, Dr. Catherine Scott.
And apparently when she tells people she's an arachnologist, she often gets told the story about how that one time the spider bit me. And the thing is, Dr.
Scott told Annette, if you don't see a crushed up spider near you or you don't see one on your body, it's very likely the bite mark came from something else because there's an estimated 50,000 known species of spiders in the world and only a very few can hurt humans.
And it turns out that these fears and misunderstandings about our eight-legged friends are reflected in the news, which is probably why we have such fears of them.
And apparently when she tells people she's an arachnologist, she often gets told the story about how that one time the spider bit me. And the thing is, Dr.
Scott told Annette, if you don't see a crushed up spider near you or you don't see one on your body, it's very likely the bite mark came from something else because there's an estimated 50,000 known species of spiders in the world and only a very few can hurt humans.
And it turns out that these fears and misunderstandings about our eight-legged friends are reflected in the news, which is probably why we have such fears of them.
Right? Yeah.
So recently, more than 60 researchers from around the world, including Dr. Scott, collected more than 5,000 news stories about spider bites published online between 2010 and 2020.
And this is from 81 countries in 40 different languages. And the idea was whether or not the article had a factual error or emotionally fraught language.
And the aim was to find out how much misinformation about spiders was actually spreading and what could that tell us about our world today, which feels inundated with misinformation.
And this is from 81 countries in 40 different languages. And the idea was whether or not the article had a factual error or emotionally fraught language.
And the aim was to find out how much misinformation about spiders was actually spreading and what could that tell us about our world today, which feels inundated with misinformation.
Yeah. Ah.
Well, I was wondering where this is going. So you're going towards misinformation.
Uh-huh.
Suddenly you thought you were on National Geographic or something.
I was about to change the channel.
No, hey, hey, hey. Okay, you guys, now you guys, it's now active time, Mikko. So you guys have to guess the percentage.
So what percentage of articles of this 5,000 they looked at do you think they rated as sensationalistic?
So what percentage of articles of this 5,000 they looked at do you think they rated as sensationalistic?
Oh, but hang on, hang on.
These are I'll tell you what sensationalism means if you want.
No, you don't need to. You don't need to. I know what it means. But the thing is— well, you can if you want.
No, no, I'm just saying they had a method of measuring it because all 60 researchers had to do the same thing.
All right, all right.
But it's just— so what you've said is they were analyzing stories to find out which of them were sensational, which had a factual error or something like that.
I can just imagine some spider nerd saying, oh, they've called it Arachnus minuscus, and in fact it's Arachnus moroscus. You know, it's a lovely outside, lovely outside.
But it's just— so what you've said is they were analyzing stories to find out which of them were sensational, which had a factual error or something like that.
I can just imagine some spider nerd saying, oh, they've called it Arachnus minuscus, and in fact it's Arachnus moroscus. You know, it's a lovely outside, lovely outside.
And do you know what's really funny? That actually happened.
I thought that when I was reading actually the stuff, because at one point they said they called it an insect and actually it was a rat. So that does happen.
I thought that when I was reading actually the stuff, because at one point they said they called it an insect and actually it was a rat. So that does happen.
And similarly, we in the cybersecurity industry might say, oh well, they called it a virus, actually it's a Trojan horse, you know.
And it's just, of course they're going to be sensational because they're trying to sell newspapers. So you will cyber attack, you know, rather than a cyber infection.
And it's just, of course they're going to be sensational because they're trying to sell newspapers. So you will cyber attack, you know, rather than a cyber infection.
You're defending your way of doing news, right?
No, I'm defending the way news— I mean, news has to be interesting to get people to read it in order to learn something.
And sometimes you have to use a little— you don't want to be completely and utterly dull and academic. And similarly, some of the details—
And sometimes you have to use a little— you don't want to be completely and utterly dull and academic. And similarly, some of the details—
Yeah, why— yeah, get rid of the truth, guys. Just make it fun.
No, no, I'm not saying get rid of the truth.
I'm just saying that I suspect the spider industry, the spider academic world, is probably similar to the cybersecurity world in being a little bit nerdy and precious about some of this.
I'm just saying that I suspect the spider industry, the spider academic world, is probably similar to the cybersecurity world in being a little bit nerdy and precious about some of this.
Okay, I want to know what you think. If I say killer spider loose in London, okay? That's my title, okay?
Would you say that saying killer is actually he has killed something before 'cause he has to eat?
Would you say that saying killer is actually he has killed something before 'cause he has to eat?
Yeah, he's killed flies.
You know?
Yeah, killed flies. That's fair enough.
Exactly. So you would argue that and you'd think that was okay? Not clickjacky at all.
Is this a headline from the Daily Mail?
I made it up.
I made it up.
Also, Graham, I don't think there actually is a spider industry.
Oh, right.
Okay. I'm going to quote the New York Times here. Okay. So errors, which tended to cluster around sensationalized stories, of which they were almost 50%, right?
So 50% of them almost were either rated sensationalistic because they had words nightmare, terror, nasty devil killer, that kind of thing.
So 50% of them almost were either rated sensationalistic because they had words nightmare, terror, nasty devil killer, that kind of thing.
Spiders are murdering now as well, are they?
Exactly. So these sensationalized stories would shoot around the world in days, from India to China to Poland to Argentina to the US.
And these would often start at a very regional level, where the story would then be amplified by national and then international news outlets.
And I think we can attest to that, because when I used to work for a news blog, we would be looking around for a brand new angle or weird way to explain something.
And we found something in Kathmandu that happened to someone that was related to our news blog, we would have probably tried to report it and say, you know.
Now according to misinformation scientists, this is a defining characteristic of modern misinformation, the magnification of small errors that support a certain narrative.
So basically what we used to call Chinese whispers. That sounds terribly inappropriate now.
But you know that idea that as you tell someone and then they tell someone and they tell someone, the story morphs into something completely new.
Now Mikko, this is fascinating for both you and Graham because the coverage of spiders differed wildly by country, or widely and wildly by country.
In the US, we'll start there where spider coverage was mixed, right? So there was publications with an international or national audience.
They were more likely to sensationalize spider news than the regional ones. Okay, in the US.
Australia, the home to more dangerous spiders than almost any other country in the entire world, publications were consistently accurate, rarely charged with emotion.
And these would often start at a very regional level, where the story would then be amplified by national and then international news outlets.
And I think we can attest to that, because when I used to work for a news blog, we would be looking around for a brand new angle or weird way to explain something.
And we found something in Kathmandu that happened to someone that was related to our news blog, we would have probably tried to report it and say, you know.
Now according to misinformation scientists, this is a defining characteristic of modern misinformation, the magnification of small errors that support a certain narrative.
So basically what we used to call Chinese whispers. That sounds terribly inappropriate now.
But you know that idea that as you tell someone and then they tell someone and they tell someone, the story morphs into something completely new.
Now Mikko, this is fascinating for both you and Graham because the coverage of spiders differed wildly by country, or widely and wildly by country.
In the US, we'll start there where spider coverage was mixed, right? So there was publications with an international or national audience.
They were more likely to sensationalize spider news than the regional ones. Okay, in the US.
Australia, the home to more dangerous spiders than almost any other country in the entire world, publications were consistently accurate, rarely charged with emotion.
Right.
Spider stories in Mexico were deemed almost entirely sensational, while spider news in Finland—
Mikko, hey—
was wholly arachnologist-approved. One hundred percent.
Ah, even the story I read about the photos of the close-ups of spiders, I'm sure was scientifically accurate.
I just wonder—
There you go. There's a huge spider industry in Finland. That's why. It's telecoms. Nokia then expanded into spiders. That's what they did.
Stop it.
Now we head to Old Blighty, Graham, which is apparently the source of the greatest amount of spider misinformation. Despite having very few dangerously venomous spider species.
So again, to quote the New York Times about speaking about the UK, they have had to close schools many times because of reports of this false black widow, Dr.
Mamola said, noting that black widows are almost never found in Britain or confused notably with the false widow, which has much less venomous bite.
And there were cases of people burning down their houses because of spiders.
So again, to quote the New York Times about speaking about the UK, they have had to close schools many times because of reports of this false black widow, Dr.
Mamola said, noting that black widows are almost never found in Britain or confused notably with the false widow, which has much less venomous bite.
And there were cases of people burning down their houses because of spiders.
What?
This is what he says. Now, Finland versus UK, does that say anything about your characters, do you think, as well?
Because misinformation land versus, you know, proper information, or our media maybe.
Because misinformation land versus, you know, proper information, or our media maybe.
Yes.
Yeah, yeah, it's the Mirror and the Daily Mail. That's what you have to blame for.
Yes, I agree. I agree.
So someone, Javin West, an information scientist at the University of Washington, sees parallels between this, you know, spread of sensationalized spider news and the circulation of misinformation in the 2020 American election.
So someone, Javin West, an information scientist at the University of Washington, sees parallels between this, you know, spread of sensationalized spider news and the circulation of misinformation in the 2020 American election.
Oh.
But now we have the 2022 election, which is upcoming, and people are kind of concerned about misinformation circling again, because many of the most circulated articles in 2020 were picked up by national publications, television shows, and social media.
So it makes sense to us, right? So tiny little news stories get kind of magnified.
And studies show that people often trust their local publications more than national ones because it tells you about recent relevant events in your community.
But as that information goes national, factual errors end up adding to a narrative of misinformation because you want to add sensationalism, as you were arguing earlier, right?
Because you want clicks, you want people to read your article. So what do you do? Do you have any advice on how to avoid falling in a trap of misinformation?
So it makes sense to us, right? So tiny little news stories get kind of magnified.
And studies show that people often trust their local publications more than national ones because it tells you about recent relevant events in your community.
But as that information goes national, factual errors end up adding to a narrative of misinformation because you want to add sensationalism, as you were arguing earlier, right?
Because you want clicks, you want people to read your article. So what do you do? Do you have any advice on how to avoid falling in a trap of misinformation?
I do. I do have some advice, which I'm very happy to share. Mikko has his law, which is, "If it's smart, it's vulnerable." I'd to introduce you to Cluley's law now, which is—
I'm making notes.
If you see the word "spider" in a headline, replace it with "guinea pig" and see if you still think it makes sense.
If it says, "Killer guinea pig rampages across London," you instantly think, "No, that's probably not true." Or man dies after being bitten by guinea pig. Probably not true, right?
Or radioactive guinea pig attacks nuclear power station. It's again, not true. So that would be my suggestion.
If it says, "Killer guinea pig rampages across London," you instantly think, "No, that's probably not true." Or man dies after being bitten by guinea pig. Probably not true, right?
Or radioactive guinea pig attacks nuclear power station. It's again, not true. So that would be my suggestion.
I love that.
Exactly. Because you've already got a lovely view of a guinea pig. A guinea pig's a gorgeous thing with a little fluffy little thing going around eating grass and all that.
Now, what if it was a political leader or incumbent? Can we still replace it with the word guinea pig?
In some cases, a guinea pig would be a better choice. So why not? Might have similar hair. Who knows?
Might be, might be.
But of course, the real advice regarding misinformation and fake news and all of that is to double-check the news, check the sources, make a Google search, don't believe everything by first sighting.
And I'm glad to tell you that in my experience, the younger generation is much better to be suspicious of news which might not be true.
When the internet came around, it was the parents warning their children not to believe everything you read online.
Now it seems to be the other way around, and it's the parents who fall for every single goddamn conspiracy theory.
But of course, the real advice regarding misinformation and fake news and all of that is to double-check the news, check the sources, make a Google search, don't believe everything by first sighting.
And I'm glad to tell you that in my experience, the younger generation is much better to be suspicious of news which might not be true.
When the internet came around, it was the parents warning their children not to believe everything you read online.
Now it seems to be the other way around, and it's the parents who fall for every single goddamn conspiracy theory.
Yeah, listen to your kids. They're always right 100% of the time. They're never bullshitting you ever.
That's Carole Theriault's law.
Yes, right.
Anyone who's listened to Smashing Security over the years will know that we believe that everyone, whether you're a single end user or a business, should use a password manager.
And the password manager we're recommending is Bitwarden.
Millions of users around the world, including many of the world's largest organizations, trust Bitwarden to protect their online information using a transparent, open-source approach to password management.
You can effortlessly manage all your passwords and logins backed by end-to-end 256-bit encryption.
And for the enterprises out there, Bitwarden recently added SCIM support, making it even easier to provision and manage users.
For password security you can trust, get started today with Bitwarden. Learn more at bitwarden.com/smashing.
Take security of your passwords and logins more seriously by visiting bitwarden.com/smashing. And thanks to Bitwarden, they're great folks for supporting the show.
Gigamon is the leading deep observability company.
It offers a deep observability pipeline that harnesses actionable network-level intelligence to amplify the power of observability tools, enabling companies to conquer blind spots and overcome the threat of today's sophisticated ransomware attacks.
Gigamon's latest report into the state of ransomware reveals how insider threats are evolving, what impact cyber insurance and blame culture are having on the cybersecurity industry, and why deep observability is the new frontier for tackling the ransomware crisis.
So what are you waiting for? Download the report today at www.gigamon.com/smashing. That's www.gigamon.com/smashing. And thanks to Gigamon for supporting the show.
Kolide sends employees important, timely, and relevant security recommendations for their Linux, Mac, and Windows devices right inside Slack.
Kolide is perfect for organizations that care deeply about compliance and security, but don't want to get there by locking down devices to the point where they become unusable.
So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems.
Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. K-o-l-i-d-e.
Enter your email when prompted, and you will receive a free Kolide goodie bag after your trial activates.
You can try Kolide with all of its features on an unlimited number of devices for free, no credit card required. Try it out at smashingsecurity.com/kolide.
That's smashingsecurity.com/k-o-l-i-d-e. And thanks to Kolide for supporting the show. And welcome back. Can you join us at our favorite part of the show?
The part of the show that we like to call Pick of the Week.
And the password manager we're recommending is Bitwarden.
Millions of users around the world, including many of the world's largest organizations, trust Bitwarden to protect their online information using a transparent, open-source approach to password management.
You can effortlessly manage all your passwords and logins backed by end-to-end 256-bit encryption.
And for the enterprises out there, Bitwarden recently added SCIM support, making it even easier to provision and manage users.
For password security you can trust, get started today with Bitwarden. Learn more at bitwarden.com/smashing.
Take security of your passwords and logins more seriously by visiting bitwarden.com/smashing. And thanks to Bitwarden, they're great folks for supporting the show.
Gigamon is the leading deep observability company.
It offers a deep observability pipeline that harnesses actionable network-level intelligence to amplify the power of observability tools, enabling companies to conquer blind spots and overcome the threat of today's sophisticated ransomware attacks.
Gigamon's latest report into the state of ransomware reveals how insider threats are evolving, what impact cyber insurance and blame culture are having on the cybersecurity industry, and why deep observability is the new frontier for tackling the ransomware crisis.
So what are you waiting for? Download the report today at www.gigamon.com/smashing. That's www.gigamon.com/smashing. And thanks to Gigamon for supporting the show.
Kolide sends employees important, timely, and relevant security recommendations for their Linux, Mac, and Windows devices right inside Slack.
Kolide is perfect for organizations that care deeply about compliance and security, but don't want to get there by locking down devices to the point where they become unusable.
So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems.
Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. K-o-l-i-d-e.
Enter your email when prompted, and you will receive a free Kolide goodie bag after your trial activates.
You can try Kolide with all of its features on an unlimited number of devices for free, no credit card required. Try it out at smashingsecurity.com/kolide.
That's smashingsecurity.com/k-o-l-i-d-e. And thanks to Kolide for supporting the show. And welcome back. Can you join us at our favorite part of the show?
The part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security related necessarily.
Better not be.
Well, my Pick of the Week this week is not security related. It's also not a book that I've read, a funny story, a TV show, a movie, a record, a podcast, a website, or an app.
What it is, is I was out. I popped round to a friend's house the other evening, and I was chatting to some other people there I hadn't met before.
And they were telling me about a party game that they'd played.
What it is, is I was out. I popped round to a friend's house the other evening, and I was chatting to some other people there I hadn't met before.
And they were telling me about a party game that they'd played.
Hmm.
I didn't— I haven't actually played this party game yet, but they described it to me. They'd been at a party.
Go on.
And it sounded like it was a bit of fun. And I thought maybe some of our listeners, like me, are intrigued and might want to try it. Try it next time they have a party.
Or maybe some listeners have already tried this.
Or maybe some listeners have already tried this.
And they can report to us what happened.
They can report back to me whether I should bother doing it.
Or maybe someone should invite Graham to a party.
Yeah.
That would be nice.
Yeah, and meanwhile, Graham will attest that it's fantastic and give it a huge amount of advertising. Let's go, Graham.
My pick of the week this week is not a game you can buy. It's a game you can just play. All you need to do is buy some tortilla wraps, okay?
Get yourself some tortilla wraps and a quantity of water. And what you do is you fill up your mouth with water, right? So your mouth is full of water, right? Imagine that.
I can't speak while my mouth is actually full of water, so I'm asking you to use your imagination at this point.
Get yourself some tortilla wraps and a quantity of water. And what you do is you fill up your mouth with water, right? So your mouth is full of water, right? Imagine that.
I can't speak while my mouth is actually full of water, so I'm asking you to use your imagination at this point.
I'm picturing it right now. It looks beautiful.
You and the other person have got their mouths full of water, right? Like almost to bursting.
Yeah.
And the important thing is that you should not laugh and you should not drink the water or of course spew it out.
And then you take a tortilla wrap and you put it in your hand, and you play with the other hand, you play rock-paper-scissors.
So, you know, rock, rock, rock, scissors, or whatever, you know. And whichever one beats the other one— you know how rock-paper-scissors works.
And then you take a tortilla wrap and you put it in your hand, and you play with the other hand, you play rock-paper-scissors.
So, you know, rock, rock, rock, scissors, or whatever, you know. And whichever one beats the other one— you know how rock-paper-scissors works.
So you're holding a tortilla in one hand, you're holding water in your mouth.
Water in your mouth, yes.
Yeah. And with the other hand, you're playing rock-paper-scissors.
Rock-paper-scissors.
You know how to party. My oh my freaking God.
Right, and one of you is going to win the game of rock-paper-scissors.
Okay.
At which point you slap the other person round the face with the tortilla wrap.
Okay, now it's got more fun.
Their job— Their job is not to laugh or spew out the water. And indeed, you mustn't laugh at their reaction of being slapped with the tortilla wrap.
That, ladies and gentlemen, is what the middle classes are playing in England today. And I thought I would share that with the world.
That, ladies and gentlemen, is what the middle classes are playing in England today. And I thought I would share that with the world.
Don't you think that 3 weeks off was fantastic for you? Look!
It's a lot better than some of my past Picks of the Week, let's be honest.
What's really sad is you didn't even frickin' play this! You had 3 weeks off, you're just recording! I'm going to.
I'm going to next time I'm at a party and have some tortilla wraps, I'm gonna say, "Ooh, I know what we should do now." I'll come round to yours, Carole.
Have you got tortilla wraps at your place? Mikko, would you play this?
Have you got tortilla wraps at your place? Mikko, would you play this?
Ugh, no, no.
I would not.
Why? Because the hair or dignity?
I'm sure we can come up with much better party games, I'm sure.
I look forward to you coming on the show again and telling us what your new party game is.
It's going to be my pick of the week next time.
Fantastic.
Mikko, what's your pick of the week?
Well, my pick of the week is actually going to be a movie because I spent the beginning of August doing the full hacker summer camp in Las Vegas.
So that's B-Sides Las Vegas, then Black Hat and then DEF CON. And that's like a week in Vegas.
So that's B-Sides Las Vegas, then Black Hat and then DEF CON. And that's like a week in Vegas.
That's enough.
Well, you know, Vegas is a tough place to be for a week, but actually this time around it wasn't that bad.
My favorite place to hang out in Vegas is Pinball Hall of Fame, which has 400 pinballs.
I'm a big pinball fan and they've moved, they actually built a whole new facility on the Strip.
So it's actually now close, it's actually walkable from the Mandalay Bay Hotel, which is where the Black Hat is held nowadays.
My favorite place to hang out in Vegas is Pinball Hall of Fame, which has 400 pinballs.
I'm a big pinball fan and they've moved, they actually built a whole new facility on the Strip.
So it's actually now close, it's actually walkable from the Mandalay Bay Hotel, which is where the Black Hat is held nowadays.
So does anyone walk in Vegas though? Seriously?
Well, no, it's very hard.
In fact, my step counter for the first day of DEF CON told me I did 16 kilometers of walking, which was just going back and forth between the different hotels.
So it's quite crazy how big it is. But nevertheless, Pinball Hall of Fame is walkable from Mandalay Bay, that's what all that mattered to me.
Now, my pick of the week isn't going to be Pinball Hall of Fame. It's going to be a DEF CON movie, a movie called DEF CON: The Documentary. Let me read the description from here.
DEF CON is the world's largest hacking conference held in Las Vegas. In 2012, it was held for the 20th time.
The conference has strict no-filming policies, but for DEF CON 20, a documentary crew was allowed full access to the event.
The film follows the 4 days of the conference, the events, and the people, and covers the history and philosophy behind DEF CON.
So that was 10 years ago, and I spent the return flight from Vegas watching this film, and it's great.
It's almost 2 hours going through the history and how DEF CON works, and it interviews everybody who's involved.
Obviously, Geoff Moss, who founded DEF CON, Geoff who wrote the foreword for my book, is of course very much in there.
And this whole project was organized by Jason Scott, which some of you and some of the listeners would know from his work at the Internet Archive, which is the place where you can download this documentary for free.
We'll have a link in the show notes.
In fact, my step counter for the first day of DEF CON told me I did 16 kilometers of walking, which was just going back and forth between the different hotels.
So it's quite crazy how big it is. But nevertheless, Pinball Hall of Fame is walkable from Mandalay Bay, that's what all that mattered to me.
Now, my pick of the week isn't going to be Pinball Hall of Fame. It's going to be a DEF CON movie, a movie called DEF CON: The Documentary. Let me read the description from here.
DEF CON is the world's largest hacking conference held in Las Vegas. In 2012, it was held for the 20th time.
The conference has strict no-filming policies, but for DEF CON 20, a documentary crew was allowed full access to the event.
The film follows the 4 days of the conference, the events, and the people, and covers the history and philosophy behind DEF CON.
So that was 10 years ago, and I spent the return flight from Vegas watching this film, and it's great.
It's almost 2 hours going through the history and how DEF CON works, and it interviews everybody who's involved.
Obviously, Geoff Moss, who founded DEF CON, Geoff who wrote the foreword for my book, is of course very much in there.
And this whole project was organized by Jason Scott, which some of you and some of the listeners would know from his work at the Internet Archive, which is the place where you can download this documentary for free.
We'll have a link in the show notes.
Amazing.
Fantastic. Sounds like a really good watch, thank you for that, Mikko. Carole, what's your pick of the week?
Okay, I'm kind of regretting my pick of the week now.
Oh.
Because it's me. It's me.
What? You're picking yourself?
Yes, because listeners, I'm not talking to Graham. I've got my blinders on. As you know, I've been working on doing art stuff and becoming an artist in the last few years.
And earlier this year, I was part of Oxford Art Weeks and sold some paintings, and that was exciting.
And largely because many of you sent me words of support and encouragement, I thought, screw it, I'm going to enter a few paintings into the Oxford Art Society Open Exhibition.
And one of them got selected, and it was a super big honor. And Graham, you even came, didn't you?
And earlier this year, I was part of Oxford Art Weeks and sold some paintings, and that was exciting.
And largely because many of you sent me words of support and encouragement, I thought, screw it, I'm going to enter a few paintings into the Oxford Art Society Open Exhibition.
And one of them got selected, and it was a super big honor. And Graham, you even came, didn't you?
I did. I came to the exhibition. And can I— what a great special. Your art, it was fantastic, by the way, Carole. I haven't told you this yet.
It was so great seeing your art up there on the wall.
It was so great seeing your art up there on the wall.
I was so excited. I was so excited.
All alongside these other childish scribblings by other artists.
Oh, come on, there's so much great stuff.
No, to be honest, there were— everything was— well, no, there was a couple of rubbish things, but most of it was really good.
And I was very, very impressed by the selection of art which are up there, and very proud as well to see one of your paintings. It was tremendous.
And I was very, very impressed by the selection of art which are up there, and very proud as well to see one of your paintings. It was tremendous.
Thanks, buddy.
Well, Carole, I'm browsing through your website right now. Actually, you are good. And, you know, this is great.
Thank you.
Mikko, I'm blushing. Now, what makes the story even cuter is the painting was inspired by a snap that my mom took of her neighborhood in Ottawa, Canada over the summer.
And even better is the first time in 4 years my parents are visiting me in the UK and they're going to get to see the painting of her photo in the show, and she doesn't know yet.
And even better is the first time in 4 years my parents are visiting me in the UK and they're going to get to see the painting of her photo in the show, and she doesn't know yet.
Ah, yes.
So as Mikko said, if you want to see my art, you can. Okay, carole.wtf. That's a website, really. carole.wtf. And it works.
But I would suggest also, and I'll put this in the show notes, the Oxford Art Society has the whole exhibition online.
I wouldn't say it's a super slick user experience, but you can totally see all the art that's there, and you can even buy.
And if you're in Oxford, get your butt down to SJE on Iffley Road and go see more than 200 paintings of Oxford artists. And it's really—caliber's high. It's quite cool.
But I would suggest also, and I'll put this in the show notes, the Oxford Art Society has the whole exhibition online.
I wouldn't say it's a super slick user experience, but you can totally see all the art that's there, and you can even buy.
And if you're in Oxford, get your butt down to SJE on Iffley Road and go see more than 200 paintings of Oxford artists. And it's really—caliber's high. It's quite cool.
It was really good. It was really good.
And can I have two more minutes? I want to say thank you really for helping me. So I have a painting called Treehouse Two, which I'm going to send the original to a lucky listener.
Listener.
So if you the stuff and you think it's cool and you would like to own an original, okay, that was painted just last week, all you gotta do is write a 4-line poem about Mikko or Smashing Security.
Your choice.
Your choice.
What?
Yeah, Mikko or Smashing Security or both.
Nothing rhymes with Mikko.
Send your entry to by Monday, September 5th at midnight, and the winner will be announced on the show.
And maybe, Mikko, if we get a winner, you'll want to send them one of your books as well.
And maybe, Mikko, if we get a winner, you'll want to send them one of your books as well.
Yeah, absolutely.
We will.
We will. With an autograph and dedication. Absolutely.
Exactly.
All right.
This is now becoming a goodie bag.
But the poem thingy, because nobody can come up with a word which rhymes with Mikko unless they're some kind of a weird sicko.
Make it rhyme with Hypponen instead. That'd be smart. So much easier.
Anyway, that's my pick of the week. Me and the Oxford Art Society, which has been a brilliant experience.
Okay, so get your poems about the podcast, about Mikko, or about Carole's art or whatever to by the end of Monday the 5th.
Yep.
To be in with a chance. Terrific. Yay. Well, that just about wraps up the podcast this week.
Mikko, I'm sure lots of our listeners would love to follow you online, find out more about your book. What's the best way for folks to do that?
Mikko, I'm sure lots of our listeners would love to follow you online, find out more about your book. What's the best way for folks to do that?
That's mikko.com, M-I-K-K-O.com.
Fantastic. And you can follow us on Twitter @SmashInSecurity, no G, Twitter won't allow us to have a G. And we've also got a Smashing Security subreddit as well.
So find us up there and don't forget to ensure that you never miss another episode.
Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.
So find us up there and don't forget to ensure that you never miss another episode.
Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.
And massive, massive thank you to this episode's sponsors, Bitwarden, Kolide, and Gigamon. And of course, to our wonderful Patreon community.
It's thanks to them all this show is free.
If you want to see episode show notes, sponsorship information, guest list, and the entire back catalog of more than 286 episodes, check out smashingsecurity.com.
It's thanks to them all this show is free.
If you want to see episode show notes, sponsorship information, guest list, and the entire back catalog of more than 286 episodes, check out smashingsecurity.com.
Until next time, cheerio. Bye-bye. Bye.
Thank you.
Bye-bye. Cheers, Mikko!
Oh, that was painful.
Was it?
No, it was fine. That was great.
It was you were great. We talked a lot about your book. We had a cute angle, right? I think the angle's cute there.
The angle for this episode is self-promotion.
I think you'll find my pick of the week was the best this week. I'll just say that.
Slap a tortilla.
I'm going to try that with my parents tonight. Okay, bye.
Thank you. Thank you so much, Mikko. I really appreciate it.
Yeah, you're a god. Thank you. Cheers.
Bye-bye.
Cheers.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
Mikko Hyppönen – @mikko
Show notes:
- The 20 Funniest Finnish Expressions (and How To Use Them) – Matador Network.
- Sophos punts anti-virus for Klingon – The Register.
- Helsinki named Klingon-speaking capital of the world – Naked Security.
- Check Point Research detects Crypto Miner malware disguised as Google translate desktop and other legitimate applications – Check Point Research.
- If It’s Smart It’s Vulnerable – Book by Mikko Hyppönen.
- Psychological inoculation improves resilience against misinformation on social media -Science Advances.
- Let’s flatten the infodemic curve – WHO.
- The global spread of misinformation on spiders – Current Biology.
- A Journey Into Misinformation on Social Media – The New York Times.
- Google Looks to Vaccination to Combat Misinformation In Searches – The New York Times.
- Spiders Are Caught in a Global Web of Misinformation – The New York Times.
- DEF CON: The Documentary.
- Smashing Security Painting competition – Carole.wtf.
- Open Exhibition, Summer 2022 – Oxford Art Society.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
- Gigamon – Gigamon is the leading deep observability company. Download their latest report into the state of ransomware to learn why deep observability is the new frontier for tackling the ransomware crisis.
- Kolide – the SaaS app that sends employees important, timely, and relevant security recommendations concerning their Mac, Windows, and Linux devices, right inside Slack.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
