Smashing Security podcast #306: No Fly lists, cell phones, and the end of ransomware riches?

Industry veterans, chatting about computer security and online privacy.

Graham Cluley

What are prisoners getting up to with mobile phones? Why might ransomware no longer be generating as much revenue for cybercriminals? And how on earth did an airline leave the US government’s “No Fly” list accessible for anyone in the world to download?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
How do you find the time to write a book with this constant distraction?
MARIA VARMAZIS
There's no time!
GRAHAM CLULEY
There's children, there's taxes, there's TikTok, there's—
MARIA VARMAZIS
Children, taxes, and TikTok. Yes, those are the problems.
CAROLE THERIAULT
I only have to deal with one of those.
Unknown
Smashing Security, episode 306: No Fly lists, cell phones, and the end of ransomware riches? With Carole Theriault and Graham Cluley.
GRAHAM CLULEY
Hello, hello, and welcome to Smashing Security episode 306. My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
Carole, welcome back. We've all been worried about you.
MARIA VARMAZIS
Thank you.
CAROLE THERIAULT
I'm glad you worried about me. I had 24 hours of not-to-be-discussed violent illness. Holy moly.
MARIA VARMAZIS
Let's just say the perfect cue for our guest, Maria Varmazis, coming out both ends. Maria Varmazis. Yay!
GRAHAM CLULEY
Yay!
MARIA VARMAZIS
Hi, Maria.
CAROLE THERIAULT
You don't make me sick. Hi.
MARIA VARMAZIS
That is a ringing endorsement. I don't think anyone's ever said something nicer about me. I don't make you sick. That's so great. Love you too.
CAROLE THERIAULT
Before we kick off, let's thank this week's sponsors: Bitwarden, ManageEngine PAM360, and NordLayer. It's their support that helps us give you this show for free.

Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
I'm going to be giving some great advice for budding authors.
CAROLE THERIAULT
Ooh. And Maria, what about you?
MARIA VARMAZIS
How to hack an airline, or not really.
CAROLE THERIAULT
And with me, you'll enter the world of ransomware, if you dare. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, chums, huddle up because I want to ask you a very serious question, which is, have either of you ever been interested in writing a book?

Have you thought about writing a book?
CAROLE THERIAULT
Yes. A billion times.
MARIA VARMAZIS
Yep, yep, yep.
GRAHAM CLULEY
Oh, okay. Maria, what kind of book have you thought of writing?
MARIA VARMAZIS
Oh goodness, I've had a whole bunch of ideas. I don't want to embarrass myself, but I haven't done it, which is the important thing.

So nobody has to do the, how's your novel coming along?
GRAHAM CLULEY
You ready?
CAROLE THERIAULT
Would it be romance-y or crime-y?
MARIA VARMAZIS
No.
CAROLE THERIAULT
Or sci-fi-y?
MARIA VARMAZIS
No.
GRAHAM CLULEY
Sexy?
CAROLE THERIAULT
Erotica?
MARIA VARMAZIS
No.
CAROLE THERIAULT
No.
MARIA VARMAZIS
Memoir? Memoir.
GRAHAM CLULEY
A memoir.
MARIA VARMAZIS
A memoir. Yeah.
GRAHAM CLULEY
Carole, have you ever thought of writing a book?
CAROLE THERIAULT
Yes, 1,000 times.
GRAHAM CLULEY
Yes?
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
I remember you writing something when you were, well, we used to work at the same company, of course, and you used to spend part of your time writing about, it was sort of an erotic romance about one of the senior members of staff and his body of pink steel.
CAROLE THERIAULT
This is you ranking crazy, he's whisking up our past to be completely different.
MARIA VARMAZIS
My goodness.
CAROLE THERIAULT
What happened, Graham, was—
MARIA VARMAZIS
Was the security very naked or no?
CAROLE THERIAULT
What happened was that I bought Graham for his birthday a how-to book for dummies, you know, those dummies books, and it was how to write erotic romance novels, and it was fantastic.

And then we challenged ourselves and we both wrote one about senior members of staff at Sophos.
GRAHAM CLULEY
On paper, he was an impressive catch. As a senior player in a leading IT security company, money and the founding father of several charities.

He wore his great power and wealth lightly. Nothing gave him as much joy as seeing the faces of the children he helped save.

As an ex-member of the British Olympic badminton team, women fantasized about him lifting them into his arms and carrying them to a large silk-draped bed.

His simple gray suit hid a body of pink steel with a taut chest that rippled as his perfect ass made women stifle.
CAROLE THERIAULT
And the game was which one was sexier and which one could you identify. I think you won the prize, Graham. I think you won.
GRAHAM CLULEY
Well, I don't want to blow my own trumpet, which did of course occur in Chapter 3.

But anyway, I've always wanted, I've always thought, wouldn't it be wonderful to write maybe my memoir? Maybe, you know, my struggle, you know, how a young lad—
CAROLE THERIAULT
I don't think 20-page books are a big rage.
MARIA VARMAZIS
That's a pamphlet.
GRAHAM CLULEY
The thing is, the thing is I think many of us would love to write a book or write a novel or something that, but how do you find the time? How do you find the time to write a book?

There's constant distraction.
MARIA VARMAZIS
There's no time.
GRAHAM CLULEY
There's children, there's taxes, there's TikTok, there's—
MARIA VARMAZIS
Children, taxes, and TikTok. Yes, those are the problems.
CAROLE THERIAULT
I only have to deal with one of those.
GRAHAM CLULEY
And maybe more importantly, how can you be sure that you're actually making any money out of the book? Because it would be such a waste of time, wouldn't it?

Writing a book and you're not going to make any money out of it. You know, just—
CAROLE THERIAULT
I don't think you write a book for money.
GRAHAM CLULEY
Well, I hope you don't, because I think it's quite hard to make money out of a book.
MARIA VARMAZIS
Yeah, you would think that people would understand that, Carole, but a lot of people don't.
CAROLE THERIAULT
No, you write it for the cachet.
GRAHAM CLULEY
The cachet, not the cash.
MARIA VARMAZIS
Okay.
GRAHAM CLULEY
Wait a minute, look, I've got the answer. I've got the answer. I've worked out somewhere where you can go.

You can spend hours in the privacy of your room, not being disturbed by children, not distracted. You don't have to worry about paying your bills.

You don't have to think, oh, I've spent too long at Waitrose, you know, popping out to the shops, doing things other than writing. It is the perfect place to be.

It is, of course, prison. If you go to prison, they lock you up for hours and hours, 23 hours a day. In a cell.
CAROLE THERIAULT
With a brand new Apple Mac.
GRAHAM CLULEY
Well, no, they don't. I don't know that they do give you an Apple Mac.
CAROLE THERIAULT
Lightning speed fibre.
GRAHAM CLULEY
Well—
MARIA VARMAZIS
So you can surf the internet and not write your novel.
GRAHAM CLULEY
You sound rather sceptical, but my attention was brought this week to a report in The Marshall Project. It's a non-profit news organisation.

They've taken a close look at the use of cell phones behind bars. Behind prison bars.
MARIA VARMAZIS
Prison bars, okay.
GRAHAM CLULEY
Yes, prison bars. Not behind the bar of— Not Moe's Bar.
MARIA VARMAZIS
Okay.
GRAHAM CLULEY
Amanda Hugginkiss. Nothing like that.
CAROLE THERIAULT
Wow.
MARIA VARMAZIS
'90s references. Love it. Get everything on this podcast. It's great.
CAROLE THERIAULT
He stopped living then.
MARIA VARMAZIS
Early Simpsons. I'm with you. I got it.
CAROLE THERIAULT
He just started using the word woke. So, you know.
MARIA VARMAZIS
Oh no.
GRAHAM CLULEY
I'm ignoring you. In most prisons—
MARIA VARMAZIS
Is yeet gonna be next? No? Okay, sorry.
GRAHAM CLULEY
In most prisons, you're not allowed phones. They don't like it.
CAROLE THERIAULT
Right.
GRAHAM CLULEY
But it doesn't mean people don't have phones. They definitely do have phones. Sometimes they're very, very tiny phones.

I looked up on Amazon, there's a phone called the Zanco Teeny Tiny T1.
MARIA VARMAZIS
Alright, I need to Google this. What is this?
GRAHAM CLULEY
It claims to be the world's smallest phone. It's about the size—
MARIA VARMAZIS
Oh my god.
CAROLE THERIAULT
Fits into any orifice.
GRAHAM CLULEY
Exactly.
MARIA VARMAZIS
Oh, that is definitely going up somebody's bum. Oh my God.
GRAHAM CLULEY
I don't know if it has a vibrating ringtone or not. I don't know if it can help you play chess to a grandmaster level or not.

But it's known as the BOSSBeater because it's designed to beat a body orifice security scanner known as the BOSS. You can listen to music, albeit muffled.

You can text with your friends. You can make calls. But it's so tiny, this thing. I mean, it's about the size of your ear.

Because you hold it up to your ear with its tiny little speaker.

I wonder whether you're also covering the microphone, which is meant to be your mouth, whether you're constantly sort of sliding it back and forth. I don't know.

But it is presumably, as we've already said— well, as you've said, Maria, rather grubbily— it is probably fairly easy to smuggle into a prison, albeit somewhat uncomfortable.
MARIA VARMAZIS
Okay.
GRAHAM CLULEY
So mobile phones are apparently one of the most smuggled items into prisons, after cakes with files in them.
CAROLE THERIAULT
Well, it's how you do your business, right?
GRAHAM CLULEY
Exactly. It's how you do your business.
CAROLE THERIAULT
Do you contact Uncle Joe and say, "Uncle Joe, remember the meeting."
GRAHAM CLULEY
Don't be late. Well, I don't know if they're meeting— What, you mean meeting in the prison? No.
CAROLE THERIAULT
Maybe, you know, you're conducting business outside the prison if you have a phone. You have ability to do that.
GRAHAM CLULEY
I don't think they're calling cell to cell. I know they're called cellular phones, but I don't think they're calling from cell to cell.

It's the outside world that they want to talk to, isn't it? Because of course you might still—
CAROLE THERIAULT
That's what I'm saying.
GRAHAM CLULEY
You might still— Is that what you were saying?
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
Oh, okay. Anyway, the thing is, normally a phone, right? If you've got a phone in the prison, it's being monitored, isn't it?

You have to sort of— you're only allowed to call certain people, like your brief or your mole outside.

But the thing is that the phone calls are being monitored and supervised for understandable reasons.
MARIA VARMAZIS
Exactly. Yeah.
CAROLE THERIAULT
And they're being recorded at all times. So it's not like you're going to conduct illegal business or—
MARIA VARMAZIS
No, a prisoner never would do something shady like that.
GRAHAM CLULEY
Never do anything like that. So prisoners might want their own phone.

And some are using these just to stay in touch with their families, which is understandable because you would be worried. I would be worried.

You know, I might call up the dog, see that he's doing okay. I might call up my child. I might just want to check they've done their homework or something.

So I'd give, you know, I'd give someone a bell.

So you might want it for legitimate reasons and simply not be restricted to the times when you're allowed to use the phone and who you're allowed to call.

But also, people are using their mobile phones in prisons, especially in America, to traffic guns and drugs. And even sextortion scams are being operated from inside prison.

You know, these scams where they pretend to be naïve young women and get you to take your clothes off and do things in front of them.
CAROLE THERIAULT
I've heard of them, yeah.
GRAHAM CLULEY
Yeah?
MARIA VARMAZIS
Do you know the coolest prison racket that I've ever heard of?
GRAHAM CLULEY
Go on, tell me.
MARIA VARMAZIS
Poetry.
GRAHAM CLULEY
Hey?
MARIA VARMAZIS
There was a prisoner who would coordinate with other prisoners that he would write erotic poetry for the loved ones back home for a certain amount of money or cigarettes or whatever.

Because he was a very good writer. So he would actually— other prisoners would pay him, and he would do a Cyrano de Bergerac thing.
CAROLE THERIAULT
Oh!
GRAHAM CLULEY
Without the big nose. Ah, that's quite romantic. I quite like that.
MARIA VARMAZIS
Yes. Poetry from prison. Yeah.
CAROLE THERIAULT
Erotic poetry.
GRAHAM CLULEY
Oh, it's erotic poetry.
MARIA VARMAZIS
Yes. Yeah, it was erotic poetry. Yeah, yeah.
GRAHAM CLULEY
You have to— It's quite difficult, isn't it, finding rhymes for certain things?
MARIA VARMAZIS
You can do it if you try.
GRAHAM CLULEY
I was thinking of the family china and, you know, things like that. Maybe— Anyway, some people get up to naughtiness. Some more naughty than that.

I heard of one guy who was on death row, and he was making threatening calls to a Texas state senator, saying, you know, we're gonna kill you, mate.
MARIA VARMAZIS
Did it work? No, I'm just kidding.
GRAHAM CLULEY
But anyway, the Marshall Project, they report that they can also be used for good.

So they say that some people are smuggling contraband phones into the prison to take public Harvard classes. So they're actually—
CAROLE THERIAULT
Oh, right. Oh, to study, right.
GRAHAM CLULEY
Yes, to study. So to improve themselves, which is a wonderful thing, isn't it? Or they're learning medical care.

So maybe, you know, Jimmy Fingers, you just got slashed down in the showers.

So if you've got a gaping wound and you don't want to go to the Rozzers or the Nurks, what's the phrase for prison guards? I don't know.
CAROLE THERIAULT
You definitely want your doctor to be called Jimmy Fingers and not Jimmy Stumps.
MARIA VARMAZIS
Jimmy Sutures.
GRAHAM CLULEY
And so, people are going up on these sites and they're checking out all these videos and they're doing their, they're sort of fixing people up with, I don't know, pipe cleaners and a bit of, you know, a spring they find down the back of a bunk bed or something.

They're doing first aid and they're using YouTube and TikTok to develop new skills. You know, it's wonderful really, isn't it?

Now, one guy was able to FaceTime his mum before she passed away. I mean, that's a great thing, isn't it? Aw. Isn't that lovely?
MARIA VARMAZIS
From the phone that he smuggled up his bum.
CAROLE THERIAULT
With a faint poop stink. You must put it in a condom or something.
GRAHAM CLULEY
Some have even— Charming. Some have even self-published books on Amazon, which they wrote.
CAROLE THERIAULT
They've typed on the tiny phone's keyboard.
GRAHAM CLULEY
Well, no. Okay. I knew you were going to say this. They're not necessarily using the tiny teeny Zanco T1, which has the world's smallest keys to press.

Some of them have actually smuggled in smartphones, of course, which include voice dictation. Might be a bit quicker, maybe. I don't know. But this is what's going on.

This is what's going on. Some are taking online classes. Some are participating in Zoom classrooms. So—
MARIA VARMAZIS
That's kind of admirable, though. I mean, getting your master's degree from prison, that's kind of great.
CAROLE THERIAULT
Can I ask how they know this?
MARIA VARMAZIS
Because—
CAROLE THERIAULT
Is this what they said? They've gone to interview somebody?
GRAHAM CLULEY
The Marshall Project have been talking to prisoners and finding out what's going on.
MARIA VARMAZIS
Honest to God, if I was a prisoner and I'd pulled this off, I would tell everybody. I would be, yeah, I did that.
CAROLE THERIAULT
Yeah, only when you're out though.
MARIA VARMAZIS
Yeah, well, I mean, you know, if I got in in the first place, I probably wasn't the smartest, but yeah, I would be bragging like hell.
GRAHAM CLULEY
Well, and some are doing this to participate in Zoom classrooms. Others, you know, this online gig hustle, which you can do, you know how everyone's remote working these days.

You say to the boss, oh yeah, yeah, as long as I get the work done, you know, don't worry about the hours I do, I'll get the work done.

And you either farm it out to Fiverr or something and get someone in Indonesia to do the work for you, or you have about 3 or 4 different jobs on the go at the same time.

You're employed by all these different companies and you say, yes, yeah, I'm there. You just got different windows open.

Well, some of these guys in prison apparently are doing online gig work. So maybe they're helping the rest of us.
MARIA VARMAZIS
They're on Fiverr.
GRAHAM CLULEY
Yeah.
MARIA VARMAZIS
They're like, listen, I don't care if that task, I'm only getting $5 for it. I'm in prison. It's more than I would make.
CAROLE THERIAULT
It is incredible though. Like you can be incarcerated physically, but you can still, you know, as long as you've got one of these little gadgets.
MARIA VARMAZIS
This is the wonder. Isn't there a famous character from some TV show who gets his law degree from prison?
GRAHAM CLULEY
Probably. There are people who've done that, haven't they? Where they've been in prison and they've basically trained themselves up because they feel that they got stitched up.
CAROLE THERIAULT
Well, what else are you gonna do, right?
MARIA VARMAZIS
You've got all that time. Yeah, it'd be the one time in my life I'd be like, yeah, I will commit to this now.
CAROLE THERIAULT
You've made me. I'm in a cell.
MARIA VARMAZIS
I'll do it.
GRAHAM CLULEY
There's one prisoner who's managed to sign up 300 other prisoners at different prisons across the United States. They're all signed up now for a Harvard computer science course.
MARIA VARMAZIS
Good for them.
GRAHAM CLULEY
And so it's, you know, but it's— and freelance writing, right? I could work anywhere because I do a bit of writing, right? I write blogs and things. I could do that.
MARIA VARMAZIS
A little bit, yeah.
GRAHAM CLULEY
Maybe, maybe I could actually do this from a prison cell. I'd have unfettered internet access. Why don't you try?
MARIA VARMAZIS
You should go to prison. I think that is the plan. You should do that. Just go try it out. Try!
GRAHAM CLULEY
Anyway, I think this is a fine thing as long as it's not being used for scams.

If there was some way to get people to use this for good rather than bad and not engage in the bad stuff, maybe we just need Net Nanny.

Maybe we just need more surveillance as to what people are doing. I don't know. What would you do if you had a life sentence and an internet connection, Maria Varmazis?
MARIA VARMAZIS
Life sentence and an internet connection.
GRAHAM CLULEY
Yes.
MARIA VARMAZIS
That's what the pandemic felt like, honestly.
GRAHAM CLULEY
Maria, what have you got for us this week?
MARIA VARMAZIS
Mine is actually about security. I don't know if that's okay, but let's try it out.
GRAHAM CLULEY
Mine was definitely about security. Mine was about—
MARIA VARMAZIS
Hush, hush, hush now, Graham. Hush, hush.
CAROLE THERIAULT
It's now Maria's turn.
GRAHAM CLULEY
BYOD. It was BYOD.
MARIA VARMAZIS
Yeah. So the teaser for my segment is how to hack an airline or not. And is it really hacking something if you just walk into something?
GRAHAM CLULEY
What?
MARIA VARMAZIS
And just find an unsecured list of names on an unsecured server? Is that really hacking if you just pick it up?
GRAHAM CLULEY
It sounds more like stumbling, doesn't it?
MARIA VARMAZIS
Stumbling upon it.
CAROLE THERIAULT
Yes. No, I think the hacking bit is taking it, isn't it?
MARIA VARMAZIS
Is it, or has one just found it? Yeah. So our listeners, I'm sure, will understand what I'm about to say. Shodan has struck again. Struck gold.

A person who goes by the name of— okay, I'm gonna get this name incorrect, hold on a second— Maia Arson Crimew is a Swiss hacker and used Shodan to scan unsecured servers on the internet, as one does with Shodan, because that's what Shodan does, and happened to find an unsecured server run by the U.S. national airline CommuteAir, which I have never heard of, but they must be a smaller provider.
GRAHAM CLULEY
Okay.
MARIA VARMAZIS
And found a text file on that server, you know, wide open to the internet, called no-fly.csv.
CAROLE THERIAULT
Their no-fly list, we're not flying that person.
MARIA VARMAZIS
It is not Commute Air's no-fly list. It is the United States' no-fly list. In a CSV file.
GRAHAM CLULEY
So it's not encrypted. It's just plain text. It's not even an Excel spreadsheet format, is it? It's just anything you can open with, right?
MARIA VARMAZIS
Yeah, you can just use it with Notepad or whatever. TextPad. Just plop it on open. And it apparently has about 1.5 million entries in it.

And it includes names and birthdates, multiple aliases for some people who may be trying to evade the government. This is the official— Jesus wept. —U.S. government terrorist screening database, and the official U.S. government no-fly list, which has been extremely controversial in the United States for the past 20-plus years, by the way, but it ballooned in size ever since 9/11 for probably very obvious reasons.
GRAHAM CLULEY
Have we searched the list for the names of people we know?
MARIA VARMAZIS
You know, I bet you could.

I actually have not gone to look to see if someone has put this CSV online, although maybe we could just go find— we could just go on Shodan right now and be like, "Hey, no-fly.csv!" Graham wants to Google his name, you see.
CAROLE THERIAULT
He wants to see if he's on it.
GRAHAM CLULEY
No, no, no.

I remember that— in fact, Maria, we all three of us worked at a company where a certain person who worked in the virus lab shared the name with someone who was on the do-not-fly list.
MARIA VARMAZIS
Yeah, I remember that.
GRAHAM CLULEY
Mm-hmm. Yeah. Yeah. And I think it caused them some difficulties, didn't it?
MARIA VARMAZIS
I imagine it would. Yeah. My husband ran into some issues with that, and his name, I don't know if it was on it or not, but he had an issue with getting flagged from that.

It's a big problem if you're flagged and you just— there's really no recourse for you if you feel like you've been incorrectly included. It's a big problem. Yeah.

So according to Crimew, who's— by the way, their website is maia.crimew.gay. Amazing, just amazing URL.

That apparently a lot of the people on the list, their names were of obvious Arabic or Middle Eastern descent. There are some names that are Hispanic or Anglican sounding.

But there are also a lot of Russian-sounding names. I don't know what we want to do with that information, but it's just interesting, I guess. Yep.

And apparently the TSA says it is, quote, aware of a potential cybersecurity incident with CommuteAir, and we are investigating in coordination with our federal partners.

And further investigation showed that this no-fly list is apparently from 2019. So it's a few years old.
CAROLE THERIAULT
So presumably it's gotten bigger since then.

So my gut says, okay, you'll tell me if I'm right or wrong, maybe you'll know, but I guess there's an employee who could have a little cut and paste while they are working for the TSA, and now they find themselves working at CommuteAir and just plopped it in the database as their kind of welcome gift for hiring them.
GRAHAM CLULEY
I mean, it's a goof, isn't it? It's quite—
CAROLE THERIAULT
It's a goof that someone found it.
GRAHAM CLULEY
It's not a goof that it exists. Yeah, but do you think it was maliciously taken or left there, or it's more likely to be a cock-up, isn't it?
MARIA VARMAZIS
Oh yeah, I mean, Maia Crimew just stumbled across it. It didn't take super long for them to find it either. That was, their blog post is super funny.

And it's just basically using Shodan, looking for exposed Jenkins servers, all of a sudden, doink! What is this file? Oh my God, look at this.

Apparently a lot of the process in the blog post was actually trying to find journalists who'd be interested in this story.

And a lot of them did not understand what Maia Crimew was trying to tell them, which is hilarious.
GRAHAM CLULEY
I'm reading the blog post right now, and the way they put it is, "Holy shit, we actually have the no-fly list. Holy fucking bingo, what?" Various emojis.
MARIA VARMAZIS
Yeah, it doesn't take a whole long time for Maia Crimew to find this file and be "Oh, that's what this is." It's just, it's ridiculous. So this isn't just people's names.
GRAHAM CLULEY
This is also passport details and license numbers and addresses and all sorts of information about crews as well as actual people on the no-fly list.
MARIA VARMAZIS
Yeah. Maia Crimew was able to find a bunch of other files that were exposed openly on the internet, including that information that had serious PII that you mentioned.

The no-fly list had just, I believe, names and birth dates, which again, not a small thing either.

But yeah, all sorts of other sensitive information was also wide open to the internet. I mean, is it really a hacking story if it's just yet another bucket misconfig?

It is, but it's like, oh my God. No, I know, but it keeps us employed, I guess.
CAROLE THERIAULT
But yeah, if I left, you know, if I left a golden statue in my front garden, would I expect it to disappear? Yes, I would, right? And that's kind of what they did.

They kind of just left something, but they didn't leave it out front. Someone had to go, you know, it's like I left it in my back garden in the corner off to the side.
GRAHAM CLULEY
I wouldn't say necessarily this was in the back garden at the corner. It feels like maybe it was right on the curb.
MARIA VARMAZIS
Yeah, right there. Somebody went, oh, it's on the curb, this must be available. Yeah, it's like somebody's donating this or it's going to trash, whatever. It's on— it's unclear.
CAROLE THERIAULT
Yeah, but it goes to show, I wonder if all small airlines have access to the no-fly list. Do— does everyone have that?
MARIA VARMAZIS
Is this— I would imagine they must, because they all have— if you fly within the United States, you have to comply with the United States federal air laws.
GRAHAM CLULEY
But do you need it as a great big list, or should there be a system whereby you can sort of look up a name or something?
CAROLE THERIAULT
Well, I suspect that's how it works, and someone has the whole list.
MARIA VARMAZIS
Yeah, or maybe it was a centralized database and someone's like, I'm gonna make a local copy. I mean, I don't know how it works on the backend.

I mean, keep it on the cloud in CSV form with no protection.

Maybe their internet went down at some point and they're like, well, we can't fly unless we have this list, so we better have a local backup. Like, I could totally see that.
GRAHAM CLULEY
Well, that's true.

I mean, if you had to access some sort of shared resource and you were— if you were a baddie getting onto a plane and you realize you're on the do not fly list, then the thing to do is to DDoS the do not fly server, I suppose, isn't it?

So people wouldn't be able to access it to look you up. So I guess people must have access to this data somehow.
CAROLE THERIAULT
Yeah. And did Maya get in touch with them to tell them that they found this?
MARIA VARMAZIS
That's a good question. So she's—
CAROLE THERIAULT
It's not responsible disclosure really if you're slapping this out there. So what happened?
MARIA VARMAZIS
So at the bottom of their blog post it says what happens next with the no-fly data. I'll just read what they wrote.

Said, so while the nature of this information is sensitive, I believe it is in the public interest for this list to be made available to journalists and human rights organizations.

So if you are a journalist, researcher, or other party with legitimate interest, please reach out to .

I will only give this data to parties I believe will do the right thing with it. Alternatively, the data is now available for access upon request via DDoSecrets.

So the TSA knows now. They know. Yeah. No, I know.
CAROLE THERIAULT
But we do tap dance about, you know, responsible disclosure. And I think it's important. Yeah.
GRAHAM CLULEY
But they haven't, they haven't released the data to the wild, as it were, have they? They haven't. Publishing for any Tom, Dick, and Harry to see.
CAROLE THERIAULT
No, they're just telling their story. I suppose you're right.
GRAHAM CLULEY
They're just telling their story, I think, and sharing it with journalists to corroborate their story, maybe.
MARIA VARMAZIS
Okay. Given the outcome, could one classify this as, I hate saying this phrase, but hacktivism?
CAROLE THERIAULT
I think if they put the list out for everyone to see, yes.
GRAHAM CLULEY
Yeah, but they haven't done that.
MARIA VARMAZIS
They haven't done that, no.

I mean, yeah, it is, I mean, again, expose server to the wide open internet, like it's, ah, but at the same time, I mean, these things happen and it happens a lot.

And I guess this is a better outcome than someone going, I'm just going to put it on Pastebin, go nuts.
GRAHAM CLULEY
So I don't know.

You know, sometimes I get emails from people saying, would you like the contact details of 50,000 people who are interested in a particular product or something like this?

Would you like this mailing list?

And I'm thinking, if I ran a multinational evil conglomeration, and I wanted to get together all the baddies around the world for some mega conference, probably underneath a volcano, then this is the kind of list which I would really like.

This would be fantastic, wouldn't it?
CAROLE THERIAULT
Yeah, you could hit them up, right? Hit them up.
GRAHAM CLULEY
Yeah, you know, make a sort of— I've got another whole new James Bond plot in the offing here.
MARIA VARMAZIS
I was going to say, you're really entering your James Bond villain phase. Yeah, yeah, yeah, yeah.
GRAHAM CLULEY
Carole, what have you got for us this week?
CAROLE THERIAULT
If you wanted to rob a bank, you need some guts, right? Because you'd have to storm in.

You'd have to figure out the best time to do it when it was quiet and the security guy was having a poop or something.

You'd have to cover your face to make sure no one could see you to describe you.

You have to scare people into cooperating, hoping to God that in 30 seconds you'd have a fat bag of money and you'd be diving in your getaway car peeling out.

Yeah, it's not for the faint-hearted.
GRAHAM CLULEY
No, it's not. What could go wrong there, you know?
CAROLE THERIAULT
And today, if you want to steal cash, you just go down the ransomware route, right? You're unlikely to get killed, you're unlikely to be recognized.

Unlikely but not guaranteed, but much less likely.
GRAHAM CLULEY
A lot of crims are doing it.
CAROLE THERIAULT
That's true, a lot of crims are doing it.
MARIA VARMAZIS
Yeah, they're working from home in their pajamas.
CAROLE THERIAULT
And ransomware as a service, big model now, right? It's thriving.
GRAHAM CLULEY
Maybe they're in prison. Maybe they're in prison coordinating a ransomware operation by their mobile phone, which would be a cybersecurity angle. Oh, full circle.
MARIA VARMAZIS
We did it. We did it, everybody.
CAROLE THERIAULT
But last year, there was a notable shift in the ransomware ecosystem. Really?

Yes, because had you asked me last year, I would have said that based on the fact that everyone's putting every digital thing they've ever done online in a cloud somewhere to keep, from nudes to prescriptions to photos to everything, it seems inevitable that ransomware is going to continue to plague both the lowly user and enterprises and companies and hospitals and all that.

However, according to Chainalysis, this is a company that claims to be the blockchain data platform, they recently shared some ransomware findings and it's receiving more than its fair share of press because the news is rather surprising.

Cybercrime gangs have had a 40% drop in earnings in 2022. That's huge. So in 2021, extortions were estimated at $765 million, whereas 2022 was estimated at $460 million. 40% drop.

So why? Sadly, it's not because ransomware has had its heyday. Despite the drop in revenue, the numbers of unique ransomware strains in operation have reportedly exploded in 2022.

But despite this so-called explosion, there's a strong whiff of affiliations in the ransomware world.

So while dozens of ransomware strains may technically have been active throughout 2022, many of the attacks attributed to these strains seem to be carried out by the same people.

Microsoft security researchers back this up by analysis on similarities between attacks of different strains. And saying, look, how they're carried out is very, very similar.

Must be the same people behind it.
GRAHAM CLULEY
Well, the same people behind the technology, I guess, but it could be different criminals who are actually launching them, couldn't it?
CAROLE THERIAULT
Well, this is where Chainalysis comes in because they look at blockchain wallet activity. And they say that often the ransomware attackers reuse wallets for multiple attacks.

So in other words, there's loads of strains but it's being administered by a small group of folks.
MARIA VARMAZIS
Okay, we're with you.
CAROLE THERIAULT
But this doesn't really explain the 40% drop in ransomware return. 40%? Yes. Feels a lot. Doesn't it feel a lot?
MARIA VARMAZIS
That does, especially considering the fever pitch every year of ransomware is out of control. I mean, it's not a small issue. I'm not going to—
CAROLE THERIAULT
I'm going to try and convince you now.
GRAHAM CLULEY
Okay, try and convince us.
CAROLE THERIAULT
Yep. So Conti was a prolific ransomware strain for a few years, taking in more revenue than any other variant in 2021.

But in February, following Russia's invasion of Ukraine, the Conti team publicly announced its support for Vladimir Putin's government.

Soon after, a cache of Conti's internal communications leaked and indicated connections between the cybercrime organizations and the FSB, the Russian Federal Security Services.

Okay. Ipso facto, many ransomware victims and incident response firms decided that paying Conti attackers was too risky, as the FSB is a sanctioned entity.
MARIA VARMAZIS
Oh, I see. Okay. Yep.
CAROLE THERIAULT
So Conti is not a sanctioned entity, but because there's connections with the FSB, people were like, I don't want to get in trouble.

So Conti basically eventually responded by announcing its closure, right? So they just said we're not doing any more.

Conti's closure drove many affiliates or people to conduct attacks for other ransomware strains where ransom victims were more likely to pay because people weren't paying with these ones and notably not tied to the FSB as they could see.

But because the people reused the same wallets, Chainalysis are able to better understand the ransomware ecosystem. So it all kind of makes sense. You're following me? Yep.
GRAHAM CLULEY
I'm with you.

I'll tell you what I don't understand is if you are saying that Conti stopped getting ransomware payments because organizations didn't want to pay criminal organization associated with the FSB.

Wouldn't it be in the interests of the US authorities, for instance, to name lots of other ransomware groups as being affiliated with the FSB as well?

And people wouldn't pay them either. Why not claim that they're all working for the Kremlin?
CAROLE THERIAULT
I've linked to the Chainalysis report. So they do do a bit of that, saying here are the other ransomware attached with the same wallets. Right.

So they're using the wallets as a way to link the people who are behind it.

They say the upshot of all this is that it may be more productive to think of the ransomware ecosystem not as a collection of distinct different strains, but instead of a small group of hackers who rotate brand identities regularly.

So they basically just rebrand them.
MARIA VARMAZIS
Mm-hmm. Okay. Right? Yeah, yeah. Like a corporation.
CAROLE THERIAULT
Yeah. Mm-hmm. Bill Siegel, CEO and co-founder of Coveware, says the number of core individuals involved in ransomware is incredibly small versus perception. Maybe a couple hundred.

Wow. So he says it's the same criminals, they're just repainting their getaway cars. Fascinating. Wow.
MARIA VARMAZIS
Well, it definitely changes my perception of ransomware a little bit. It's— that's not at all what I would have expected.

I thought it was just a huge wide web of thousands upon thousands and they were all just casting wide nets. I would not have thought just a couple of hundred.
CAROLE THERIAULT
I think what's kind of cool about it for me as well is they're keeping to one wallet.

You have also ransomware researchers looking at the actual nuts and bolts inside the code to see how they're operating, how they're encrypting, how they're working, whether it's a service, whatever, whatever.

And you put those things together, you get a much different picture of what's going on. And that's kind of cool. So yeah, interesting reading.
MARIA VARMAZIS
Wow. News you can use. Amazing.
GRAHAM CLULEY
How much money do these guys actually need?

I mean, I can understand why Boris Johnson might need to keep on having dodgy loans given to him, but I mean, just what are they gonna do with all of this money?

Even if their numbers have gone down by 40%, which—
MARIA VARMAZIS
Still a fuck ton of money though, yeah.
CAROLE THERIAULT
Yeah, I think Graham's hurting financially right now, and he's now why does anyone need more than when they need? 'Cause then I could have a bit more.
MARIA VARMAZIS
Give me some. I turn around and say, what drives them?
GRAHAM CLULEY
Because, you know, if you've made your fortune through ransomware, isn't that enough? Do you have to keep on going and maybe get yourself in more trouble?
CAROLE THERIAULT
Yeah, we've seen people step down when they have enough, Geoff Bezos, and Mark Zuckerberg, and yeah, all of them. Elon.
GRAHAM CLULEY
I think you'll find Elon is letting loose a lot of money. He's burning money.
MARIA VARMAZIS
He's burning that money. Oh yeah. Yes. Didn't he get the Guinness World Record for the person who's lost the most amount of money?
GRAHAM CLULEY
Yeah. Yes, lost the most money in history.
MARIA VARMAZIS
Amazing. All imaginary money that never existed to begin with, but he lost it. Amazing.
GRAHAM CLULEY
So there's probably a lot of Smashing Security listeners out there who might be concerned after hearing about the data breach which recently occurred at LastPass.

Now, that allowed hackers to steal customers' password vaults, and unfortunately there were parts of those password vaults which were astonishingly unencrypted.

There's no doubt a lot of questions users are going to ask LastPass about how that could have happened and why some of that data was left in that insecure state, but one password manager that isn't making that mistake is our sponsor Bitwarden.

Customers of Bitwarden know that their vaults are entirely end-to-end encrypted with zero-knowledge encryption, including, unlike LastPass, the URLs for the websites which you have saved passwords for.

You can learn more about that in the Bitwarden Help Center and at bitwarden.com/privacy.

And if you happen to be looking to switch password managers right now, well, Bitwarden makes it easy.

They support importing from lots of other solutions, and there's even a LastPass migration guide available. Learn more at bitwarden.com/migrate. That's bitwarden.com/migrate.

And stay safe. Today's podcast is also brought to you by NordLayer. Now, NordLayer safeguards your company's network, but it's much more than just a VPN for business.

As you already know, business networks today are more vulnerable than ever due to remote work, ransomware attacks, data leak incidents.

Well, NordLayer secures and protects remote workforces as well as business data, and it can even help you ensure security compliance.

Simply go to nordlayer.com/smashing and get 1 month free. NordLayer is easy to start as it takes less than 10 minutes to onboard your entire business on a secure network.

NordLayer is easy to combine as it's hardware-free and compatible with all major operating systems.

And finally, NordLayer is easy to scale as you can choose a plan unique to your business requirements and your rate of growth.

So if you want to secure your business network, go to nordlayer.com/smashing to get your first month free. And thanks to NordLayer for supporting the show.

Over 80% of all breaches occur when bad guys get their hands on the credentials of critical resources.

Well, an efficient way to combat threats is using a Privileged Access Management, or PAM, solution.

An enterprise PAM tool like ManageEngine PAM 360 offers a holistic picture of all the privileged devices, users, and credentials in your IT infrastructure.

ManageEngine is part of Zoho that offers IT management solutions to over 280,000 enterprises around the world, so you're in good company.

PAM360 is a fully functional Privileged Access Management suite that is easy to adopt and implement.

From managing and governing access to all your enterprise resources to automating the access management lifecycle in your organization, PAM360 does it all.

It's also recognized by the Gartner Magic Quadrant.

Additionally, PAM360 offers excellent round-the-clock support for all customers and onboarding assistance for enterprises that need fine-grained customizations.

PAM360 is the solution for value-oriented enterprises looking to achieve world-class Privileged Access Management without making a dent in their IT budget.

Find out more and see for yourself at smashingsecurity.com/pam360. Smashingsecurity.com/pam360. That's smashingsecurity.com/pam360. And welcome back.

Can you join us at our favorite part of the show? The part of the show that we call Pick of the Week.
MARIA VARMAZIS
Pick of the Week. Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.

It doesn't have to be security-related necessarily. Better not be. Well, my pick of the week this week is not security-related.

It is a particular niche form of pornography, which I'm interested in, which I'm going to explain. All right. Yeah.

So the particular branch of pornography I'm most interested in is property porn, which is—
MARIA VARMAZIS
Oh, not chess porn. No, no, no. Chest porn?
GRAHAM CLULEY
Oh no. I am actually a member of the chess porn subreddit, which isn't— it's mostly people drooling over lovely pieces rather than anything more fruity than that.

But yes, no, I'm talking to you today about property porn. And I've been— I've got a dirty little secret, ladies and gentlemen.

When I'm on my exercise bike lately, I've been watching a TV show. It's— I mean, you know, it's not high culture. It's called Luxe Listings Sydney. And it's on Amazon Prime. Yeah.

Yes. Amazon Prime. Yes. Yep. Luxe Listings Sydney.
CAROLE THERIAULT
You get half an hour or whatever, 10 minutes to yourself on the bike.
GRAHAM CLULEY
45 minutes, thank you very much. And 45 minutes, and this is how you choose to spend your time. This is how I'm choosing to spend my time. Okay.

Rather than running some sort of dodgy scam from my prison cell, instead I'm on my exercise bike watching Luxe Listings Sydney. On my tiny little teeny Z1 phone. It is—
MARIA VARMAZIS
Graham, I'm with you. You have to watch trashy TV when you're doing bike stuff. I do the same thing.
GRAHAM CLULEY
You've gotta do it. You've gotta do it. Anyway, this is one of those reality programmes where, in this case, we've got a buyer's agent. His name is Simon Cohen.

He is someone who's helping people buy houses. And there's also two real estate agents, Dillian Lewis and Gavin Rubinstein.

And it's all fast cars, flashy cars, you know, flashy suits, complete wankers. It's just— Maybe I should restart that sentence.
CAROLE THERIAULT
Is that what you're doing on the bike? You can— Jeez. That's why you called it porn? Oh, God. I don't have the energy.
MARIA VARMAZIS
I don't wanna watch people wanking, thank you.
GRAHAM CLULEY
It's— The point is that they're going round incredible high-end luxury properties. It's $25 million, $30 million that we live in.
MARIA VARMAZIS
It's just disgusting the way the other half lives, you know.
GRAHAM CLULEY
I'm not sure it's a half, half a percent perhaps, but it is quite astonishing. And so I've been watching this because I'm currently in the market for a new property.

I'm looking around, the properties I'm looking at don't really compare with these. But I'm quite enjoying it. I find it quite enjoyable.

And so I am watching, and I'm not ashamed to say it, I am enjoying Luxe Listings Sydney on Amazon Prime. And it is my pick of the week.
MARIA VARMAZIS
Graham, I have to make a confession. Before I came on this show, I was agonizing what I was going to do as my pick of the week. And I was, what's a show I've been watching lately?

Oh, I can't mention any of them because they're all trash I watch when I'm on my bike. I'm not even joking.

I was, I can't, 'cause they're all just stupid reality TV that I can sort of zone out to while I'm biking.
GRAHAM CLULEY
Tell us one. Tell us one, Maria. Come on, own up.
MARIA VARMAZIS
Yeah, there's this one called The Traitors. It's basically the Mafia party game, but they did it on TV and—
GRAHAM CLULEY
Oh yes, that's been on UK TV, but I think there's also an American version, isn't there?
MARIA VARMAZIS
Oh, I didn't know there were two different ones. I'm presuming I'm watching the American version. Okay.

But yeah, I'm just like, that's not something I would just sit down and watch, but I'm on my bike, I'm— yeah, I absolutely— yeah, why not?
CAROLE THERIAULT
Yeah, that's better though than— no, Carole, have you watched Luxe Listings Sydney?

I just— anyone who wants to buy a house for $100 million because, oh, we definitely need 50, you know, a 5-bedroom house for the dog.
MARIA VARMAZIS
Do you watch Grand Designs?
CAROLE THERIAULT
Just— yeah, occasionally.
MARIA VARMAZIS
Isn't that just sort of similar?
CAROLE THERIAULT
Well, it has some integrity.
GRAHAM CLULEY
Carole, you don't really get to see the actual buyers. It's mostly their agents, people— because when you're that rich, you don't actually buy the property yourself.

You get someone else to do it all for you.
MARIA VARMAZIS
You just trust their taste. Oh my God, I can't imagine. I cannot imagine. Thank you, Graham.
CAROLE THERIAULT
You've had a great week. You've had a great week.
MARIA VARMAZIS
I feel like I made my confession. I feel better already. I'm enjoying it anyway.
GRAHAM CLULEY
Maria, your pick of the week.
MARIA VARMAZIS
I'm not on TikTok. But this person is very famous on TikTok and also on Twitter, and their videos get reposted. I see them all over everywhere, at least where I live.

His name is Matt Shearer, and he is— he's a local reporter here in the Boston area for a really old-school radio and TV station called WBZ.

So it's the old grandfather of TV and radio around here.

And he's a young reporter, and he has gone viral a gajillion times on TikTok for his hilarious videos about all the weird quirks and foibles and strange characters in the area where I live in Massachusetts.

And he's got— it's one of those things where if you've ever been to this area, you might recognize some stuff, but if you haven't, you would go, is any of this real?

And I can assure you that it is. And he's just got this knack for making these really funny minute-and-a-half videos that are just brutally funny with a very weird sense of humor.

There's a really famous one he did about 3 Market Baskets within on the same street.

The Market Basket is our supermarket chain up here that people are religious about, myself included. It's a whole thing.

He also has a very famous video about how the town of Stowe lost its only Dunkin' Donuts and the entire town was in mourning not having a Dunkin' Donuts.

It's really like that around here. And his videos are super funny. So yeah, Matt Shearer at WBZ. I think his Twitter account is @MattWBZ.

But if you've ever seen a video that's gone viral about something stupid in Massachusetts, it's probably him who made it.
GRAHAM CLULEY
Ah, fantastic. I love the idea of that. Yeah.
MARIA VARMAZIS
And he just did a video as we've been talking in my hometown of Chelmsford. So I just saw that pop up as I was going to put his URL in on the show notes.

And I was like, oh, he just went to my hometown. That's amazing.
GRAHAM CLULEY
Oh, it's snowy there, Maria. I'm watching the video right now. Oh, yeah? It's— oh, blimey.
MARIA VARMAZIS
That's what it's like. That's what it's like out there. That's what it's like out here. This is normal. Actually, this is a small amount of snow for us. Graham's never seen snow.
GRAHAM CLULEY
No, I never, never.
CAROLE THERIAULT
Crow, what's your pick of the week? I have a great one and I've been saving it for Maria because I know she's a bit of a sci-fi junkie. Oh, indeed. Yeah. Okay.

So my pick of the week is a Netflix miniseries called Hot Skull. Have either of you seen it?
MARIA VARMAZIS
Hot Skull. Hot Skull. S-K-U-L-L. Yeah. H-O-T.
GRAHAM CLULEY
I've never even heard of it.
MARIA VARMAZIS
Oh yeah, thank you. I appreciate that clarification. Okay, I'm setting up the premise right now.
CAROLE THERIAULT
You guys are going to be hooked. You ready? You ready? Yeah, yeah, I'm ready. For the past 8 years, a worldwide epidemic has been affecting how people communicate.

I know, I know, I know. It's called ARDS, A-R-D-S, okay? And the main symptom is the people infected speak nonsense, okay? They are called jabberers.

The virus is spread via the jabberer, okay? If someone who doesn't jabber is exposed to a jabberer's speech, they would become infected.

So to protect themselves, people around wear ear muffs, noise-cancelling headphones throughout the streets of Istanbul.
GRAHAM CLULEY
At set.
CAROLE THERIAULT
Okay. And enter our hero, Murat Syavus. He somehow found himself immune to the Jabber virus, right? He's the only one.
GRAHAM CLULEY
Has he just got a lot of earwax? Is that how he's immune?
CAROLE THERIAULT
He seems to be able to communicate with other people just fine.

But when he's exposed, he tests himself by listening to tapes of Jabber, and his head spikes in temperature, but he recovers, and he never jabbers. Hence, hot skull. Oh, right. Okay.

Okay? Gets a hot skull. So, he is hunted by those in power, of course, 'cause he's known as the one who, you know, is immune.

But he wants to elude them 'cause he wants to search for the secret of his hot skull. It's frickin' fabulous. I loved it. It's a miniseries. It's on Netflix. It's great.

It shows you what a lot of imagination and heart can create. I'm gonna—
GRAHAM CLULEY
How does a TV series get made? 'Cause this is the most bonkers idea for a TV show ever.
MARIA VARMAZIS
There was an episode of Star Trek: Deep Space Nine that had this premise. So, I'm just saying that. Oh! I've never seen this show.

And I'm actually wondering if I can watch it in the US. It might not be available. And that might be why I've never heard of it.
CAROLE THERIAULT
I hope so. It's called Hot Skull. I found it on Netflix in the UK. If you like a wacky premise and a sci-fi angle, this is for you. Check it out. My pick of the week.
GRAHAM CLULEY
It's certainly whack if you ask me. Well, thank you. That just about wraps up the show for this week. Maria, I'm sure lots of our listeners would love to follow you online.

What's the best way for folks to do that?
MARIA VARMAZIS
Honestly, nowadays I use Mastodon more than Twitter. On Mastodon, I am @varmazis, @mstdn.social if you can remember all that. I'm still @mvarmazis on Twitter.

And of course, I'm on the CyberWire and I'm doing— I'm the space correspondent. Darknet. So if you listen to the CyberWire, you can hear me there as well.
CAROLE THERIAULT
Space.
MARIA VARMAZIS
Space. Final front ear. Front ear. Yes.
GRAHAM CLULEY
Yes. And you can follow us on Twitter @SmashingSecurity, no G. Twitter won't allow us to have a G. No chance of that happening anytime soon, I imagine.

Smashing Security also is on Mastodon. We love it too. You can find us most easily by going to smashingsecurity.com/mastodon and that will redirect you to our account.

And look, check up the Smashing Security subreddit on Reddit and don't forget to ensure you never miss another episode.

Follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.
CAROLE THERIAULT
And massive shout out to this episode's sponsors, Bitdefender, NordLayer, and ManageEngine PAM360. And of course to our wonderful Patreon community.

It's thanks to them all that this show is free.

For episode show notes, sponsorship information, guest list, and the entire back catalogue of more than 305 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio.
MARIA VARMAZIS
Bye-bye. Bye. I'm better. Yay. I'm glad you're better.
GRAHAM CLULEY
Yay. Welcome back, Carole.
CAROLE THERIAULT
Thank you, Graham.

Do you know, Maria, I was looking for the show notes for this episode and I mistyped and I didn't notice because your name, you did episode 36 with us on the 3rd of August, 2017.

Oh my God, are you serious? Yes, and your topic was Flash. Oh, Flash, what is Flash? It's not dead yet.
MARIA VARMAZIS
That's what you said. Yeah, well, I thought you were gonna say Facebook. No more Facebook, please.
CAROLE THERIAULT
There you go. Blast from the past.
MARIA VARMAZIS
Oh my God, 2017. I was a baby.

Sponsored by:

  • Bitwarden – Bitwarden vaults are end-to-end encrypted with zero-knowledge encryption, including the URLs for the websites you have accounts for. Migrate to Bitwarden for a more secure password manager.
  • ManageEngine PAM360 – A fully functional privileged access management suite that offers a holistic picture of all the privileged devices, users, and credentials in the IT infrastructure. From managing and governing access to all your enterprise resources to automating the access management life cycle in your organization, PAM360 does it all.
  • NordLayer – NordLayer safeguards your company’s network, securing and protecting remote workforces as well as business data. It can even help you ensure security compliance. Get your first month free.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
