Smashing Security podcast #306: No Fly lists, cell phones, and the end of ransomware riches?

Industry veterans, chatting about computer security and online privacy.


What are prisoners getting up to with mobile phones? Why might ransomware no longer be generating as much revenue for cybercriminals? And how on earth did an airline leave the US government’s “No Fly” list accessible for anyone in the world to download?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham

How do you find the time to write a book? There's constant distraction, there's no time, there's children, there's taxes, there's TikTok, there's—

Carole Theriault

Children, taxes and TikTok, yes, those are the problems. I only have to deal with one of those.

Graham

Smashing Security episode 306: no fly lists, cell phones and the end of ransomware riches with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 306. My name's Graham Cluley. And I'm Carole Theriault. Carole, welcome back. We've all been worried about you.

Carole

Thank you. I'm glad you worried about me. I had 24 hours of not-to-be-discussed violent illness.

Graham

Holy moly. Let's just say, the perfect cue for our guests. Maria Varmazis— Coming out both ends. Maria Varmazis, yay yay, hi Maria, you don't make me sick. Hi, that is a ringing endorsement. I don't think anyone's ever said something nicer about me. I don't make you sick, that's so great, love you too. I am going to be giving some great advice for budding authors. Ooh. And Maria, what about you? How to hack an airline, or not, really. And with me, you'll enter the world of ransomware, if you dare. Now chums, huddle up because I want to ask you a very serious question, which is: have either of you ever been interested in writing a book?

Carole

We thought about writing, yes, a billion times. Yep, yep. Okay, Maria.

Graham

What kind of book have you thought of writing? Oh goodness, I've had a whole bunch of ideas. I don't want to embarrass myself, but I haven't done it, which is the important thing, so nobody has to do the "how's your novel coming along, you're writing a novel." Carole, have you ever thought of writing a book?

Carole

Yes, a thousand times. Yes? Yes.

Graham

I remember you writing something when you were— well, we used to work at the same company, of course, and you used to spend part of your time writing about, it was sort of an erotic romance about one of the senior members of staff and his body of pink steel. This is you, this is you, Graham, you crazy— He's whisking up our past to be completely different. My goodness. What happened, Graham? Was the security very naked or no? "On paper, he was an impressive catch. As a senior player in a leading IT security company and the founding father of several charities, he wore his great power and wealth lightly. Nothing gave him as much joy as seeing the faces of the children he helped save. As an ex-member of the British Olympic badminton team, women fantasized about him lifting them into his arms and carrying them to a large, silk-draped bed. His simple grey suit sat a body of pink steel with a taut chest that rippled as his perfect ass made women stifle moans."

Carole

And the game was, which one was sexier and which one could you identify? And I think you won the prize, Graham. I think you won.

Graham

Well, I don't want to blow my own trumpet, which did, of course, occur in Chapter 3. But anyway, I've always wanted— I've always thought it would be wonderful to write maybe my memoir. Maybe, you know, my struggle. You know, how a young lad—

Carole

I don't think 20-page books are the big rage. That's a pamphlet.

Graham

The thing is, the thing is this: I think many of us would love to write a book or write a novel or something like that. But how do you find the time? How do you find the time to write a book? There's constant distractions. There's no time. There's children. There's taxes. There's TikTok. There's all these things.

Carole

Children, taxes, and TikTok. Yes, those are the problems. I only have to deal with one of those.

Graham

And maybe more importantly, how can you be sure that you'll actually make any money out of the book? Because it would be such a waste of time, wouldn't it, writing a book and you're not going to make any money out of it. You know, just for years. I don't think you'd write— I don't want to write a book for money. Well, I hope you don't because I think it's quite hard to make money out of a book.

Carole

Yeah, you would think that people would understand that, but a lot of people don't. Yeah.

Graham

No, you write it for the cachet. The cachet, not the cash. Okay. Anyway, look, I've got the answer. I've got the answer. I've worked out somewhere where you can go. We can spend hours in the privacy of your room, not being disturbed by children, not distracted. You don't have to worry about paying your bills. You don't have to think, "Oh, I've spent too long at Waitrose," you know, popping out to the shops, doing things other than writing. It is the perfect place to be. It is, of course, prison. If you go to prison, they lock you up for hours and hours, 23 hours a day in a cell.

Carole

With a brand new Apple Mac.

Graham

Well, no, they don't. I don't know that they do give you an Apple Mac.

Carole

Lightning speed fiber. So you can surf the internet and not write your novel.

Graham

You sound rather skeptical, but my attention was brought this week to a report in the Marshall Project. It's a non-profit news organization. They've taken a close look at the use of cell phones behind bars, behind prison bars. Prison bars, okay. Yes, prison bars. Not behind the bar, not Moe's bar. Nothing like that.

Carole

Wow, 90s references. Love it. Get everything on this podcast. It's great. He stopped living then. Early Simpsons. I'm with you. I got it. He just started using the word woke. So, you know. Oh, no.

Graham

I'm ignoring you. In most prisons.

Carole

Is Yeet going to be next? No. Okay.

Graham

In most prisons, you're not allowed phones. They don't like it. Right. But it doesn't mean people don't have phones. They definitely do have phones. Sometimes they have very tiddly tiny phones. I looked up on Amazon. There's a phone called the Zanco Teeny Tiny T1.

Carole

All right, I need to Google this. What is this?

Graham

It claims to be the world's smallest phone. It's about the size of your thumb. Fits into any orifice. Exactly.

Carole

Oh, that is definitely going up somebody's bum. Oh, my God.

Graham

I don't know if it has a vibrating ringtone or not. I don't know if it can help you play chess to a grandmaster level or not. But it's known as the BOSS beater, because it's designed to beat a Body Orifice Security Scanner, known as the BOSS. You can listen to music, albeit muffled. You can text with your friends. You can make calls. But it's so tiny. I mean, it's about the size of your ear. Because if you hold it up to your ear with this tiny little speaker, I wonder whether you're also covering the microphone, which is meant to be near your mouth, whether you're constantly sort of sliding it back and forth. I don't know. But it is presumably, as we've already said, well, as you've said, rather rudely, it is probably fairly easy to smuggle into a prison, albeit somewhat uncomfortable. So mobile phones are apparently one of the most smuggled items into prisons, after cakes with files in them.

Carole

Well, it's how you do your business, right?

Graham

Exactly. It's how you do your business.

Carole

You contact Uncle Joe and say, Uncle Joe, remember the meeting. Don't be late.

Graham

Well, I don't know if they're meeting in the prison.

Carole

Maybe, you know, you're conducting business outside the prison if you have a phone. You have an ability to do that.

Graham

I don't think they're calling cell to cell. I know they're called cellular phones, but I don't think they're calling from cell to cell. It's the outside world that they want to talk to, isn't it? Because, of course, you might still. That's what I'm saying. You might still. Is that what you were saying? Yes. Oh, okay. Anyway, the thing is, normally a phone, right? If you've got a phone in the prison, it's being monitored, isn't it? You're only allowed to call certain people, like your brief or your mum outside. But the thing is that the phone calls are being monitored and supervised for understandable reasons.

Carole

Exactly, and they're being recorded at all times. All the time. So it's not like you're going to conduct illegal business. No, a prisoner never would do something shady like that.

Graham

Never do anything like that. So the prisoners might want their own phone. And some are using these just to stay in touch with their families, which is understandable because you would be worried. I would be worried. I might call up the dog, see that he's doing okay. I might call up my child. I might just want to check they've done their homework or something. So I'd give someone a bell. So you might want it for legitimate reasons and simply not be restricted to the times when you're allowed to use the phone and who you're allowed to call. But also, people are using their mobile phones in prisons, especially in America, to traffic guns and drugs and even sextortion scams are being operated from inside prison. You know these scams where they pretend to be nubile young women and get you to take your clothes off and do things in front of the webcam?

Carole

I've heard of them, yeah. Do you know the coolest prison racket that I've ever heard of?

Graham

Go on, tell me.

Carole

Poetry. Hey? There was a prisoner who would coordinate with other prisoners that he would write erotic poetry for the loved ones back home for a certain amount of money or cigarettes or whatever because he was a very good writer. So he would actually people, other prisoners would pay him and he would do a Cyrano de Bergerac thing.

Graham

Oh, without the big nose. Oh, that's quite romantic. I quite like that.

Carole

Yes. Poetry for prison, yeah.

Graham

Erotic poetry. Oh, it's erotic poetry.

Carole

Yes. Yeah, it was erotic poetry. Yeah.

Graham

It's quite difficult, isn't it, finding rhymes for certain things?

Carole

You can do it if you try.

Graham

I was thinking of the family China and, you know, things like that. Anyway, some people get up to naughtiness, more naughty than that. I heard of one guy who was on death row and he was making threatening calls to a Texas state senator. So, we're gonna make— Did it work? But anyway, the Marshall Project, they report that they can also be used for good. So they say that some people are smuggling contraband phones into the prison to take public Harvard classes, so they're—

Carole

Oh right, oh, to study, right.

Graham

Yes, to study, so to improve themselves, which is a wonderful thing, isn't it? Or they're learning medical care. So maybe, you know, Jimmy Fingers just got slashed down in the showers. So if you've got a gaping wound and you don't want to go to the screws or the, what's the phrase for prison guards? I don't know.

Carole

You definitely want your doctor to be called Jimmy Fingers and not Jimmy Stump. Jimmy Sutures.

Graham

And so people are going up on these sites and they're checking out all these videos. And they're sort of fixing people up with, I don't know, pipe cleaners and a bit of a spring they find down the back of a bunk bed or something. They're doing first aid. And they're using YouTube and TikTok to develop new skills. It's wonderful, really, isn't it? Now, one guy was able to FaceTime his mum before she passed away. I mean, that's a great thing, isn't it? Isn't that lovely?

Carole

From the phone that he smuggled up his bum. With a faint poop stink.

Graham

You must put it in a condom or something before you slap it up your butt. Some have even self-published books on Amazon, which they wrote. They've typed on the tiny phone's keyboard. Well, no, OK. I knew you were going to say this. They're not necessarily using the tiny, teeny Zanco T1, which has the world's smallest keys to press. Some of them have actually smuggled in smartphones, of course, which include voice dictation. Might be a bit quicker, maybe. I don't know, but this is what's going on. Some are taking online classes. Some are participating in Zoom classrooms.

Carole

That's kind of admirable, though. I mean, getting your master's degree from prison, that's kind of great. Can I ask how they know this? Is this what they said? They've gone to interview somebody?

Graham

The Marshall Project have been talking to prisoners and finding out what's going on.

Carole

Honest to God, if I was a prisoner and I'd pull this off, I would tell everybody. I would be like, yeah, I did that. Only when you're out, though. Well, I mean, you know, if I got in in the first place, I probably wasn't the smartest. But yeah, I would be bragging like hell.

Graham

And some are doing this to participate in Zoom classrooms. Others, you know this online gig hustle which you can do. You know how everyone's remote working these days. You say to the boss, oh, yeah, as long as I get the work done, you know, don't worry about the hours I do. I'll get the work done. And you either farm it out to Fiverr or something and get someone in Indonesia to do the work for you. Or you have about three or four different jobs on the go at the same time. You're employed by all these different companies and you say, yes, yeah, I'm there. You just got different windows open. Well, some of these guys in prison apparently are doing online gig work. So maybe they're helping the rest of us.

Carole

They're on Fiverr. They're like, listen, I don't care if that task, I'm only getting five bucks for it. I'm in prison. It's more than I would wait. It is incredible, though. You can be incarcerated physically, but you can still, you know, as long as you've got one of these little gadgets.

Graham

This is the wonder of technology.

Carole

Isn't there a famous character from some TV show who gets his law degree from prison?

Graham

Probably. There are people who've done that, haven't they? Where they've been in prison and they've basically trained themselves up because they feel that they got stitched up.

Carole

Well, what else are you going to do, right? You've got all that time. That'd be the one time in my life I'd be like, yeah, I will commit to this now. You've made me. I'm going to sell. Yeah, I'll do it.

Graham

There's one prisoner who's managed to sign up 300 other prisoners at different prisons across the United States. They're all signed up now for a Harvard computer science course. Good for them. And so, you know, and freelance writing, right? I could work anywhere because I do a bit of writing, right? I write blogs and things. I could do that anywhere. Maybe I could actually do this from a prison cell. I'd have unfettered internet access. Why don't you try?

Carole

You should go to prison. I think that is the plan. You should do that. Just go try it out.

Graham

Anyway, I think this is a fine thing, as long as it's not being used for scams. If there was some way to get people to use this for good rather than bad, and not engage in the bad stuff, maybe we just need net nanny. Maybe we just need more surveillance as to what people are doing. I don't know. What would you do if you had a life sentence and an internet connection?

Carole

Life sentence and an internet connection? Yes, that's what the pandemic felt like honestly.

Graham

What have you got for us this week?

Carole

Mine is actually about security. I don't know if that's okay.

Graham

Mine was definitely about security. Mine was about BYOD.

Carole

Hush now, Graham. It's Maria's turn. So the teaser for my segment is how to hack an airline, or not. Is it really hacking something if you just walk into something and just find an unsecured list of names on an unsecured server? Is that really hacking if you just pick it up?

Graham

It sounds more like stumbling doesn't it? Stumbling upon it, yes. No, I think the hacking bit is taking it, isn't it? Or has one just found it? So our listeners I'm sure will understand what I'm about to say. Shodan has struck again, struck gold. In a CSV file. So it's not encrypted.

Carole

Yeah, you can just use it with Notepad or whatever. TextPad. Just plop it open. And it apparently has about 1.5 million entries in it and includes names and birth dates, multiple aliases for some people who may be trying to evade the government. This is the official US government terrorist screening database and the official US government no-fly list, which has been extremely controversial in the United States for the past 20-plus years, by the way. But it ballooned in size ever since 9/11, for probably very obvious reasons.

Graham

Have we searched the list for names of people we know? You know, I bet you could. I actually have not gone to look to see if someone has put a CSV online, although maybe we could just go find it.

Graham

Yeah, I remember that.

Carole

Yeah.

Graham

And I think it caused them some difficulties, didn't it? I imagine it would. My husband ran into some issues with that and his name, I don't know if it was on it or not, but he had an issue with getting flagged from that. I mean, it's a goof, isn't it?

Carole

It's quite a goof, though. It's a goof that someone found it. It's not a goof that it exists.

Graham

Yeah, but do you think it was maliciously taken or left there? It's more likely to be a cock-up, isn't it? Oh, yeah. I mean, crimew just stumbled across it. I'm reading the blog post right now. And the way they put it is, holy shit, we actually have the no-fly list. Holy bingo, what, various emojis.

Carole

It doesn't take a whole long time for crimew to find this file and be like, oh, that's what this is. It's just ridiculous.

Graham

So this isn't just people's names, this is also passport details and license numbers and addresses and all sorts of information about crews, as well as actual people on the no-fly list.

Carole

Yeah, crimew was able to find a bunch of other files that were exposed openly to the internet, including that information that had serious PII like that you mentioned. The no-fly list had just, I believe, names and birth dates, which again, not a small thing either. But yeah, all sorts of other sensitive information was also wide open to the internet. I mean, it's like, is it really a hacking story if it's just yet another bucket misconfig? It is, but it's just, oh my God. But it keeps us employed, I guess. If I left, you know, if I left a golden statue in my front garden, would I expect it to disappear? Yes, I would. And that's kind of what they did. They kind of just left something, but they didn't leave it out front. Someone had to go, you know, it's like I left it in my back garden in the corner.

Graham

I wouldn't say necessarily this was in the back garden at the corner. It feels like it was maybe.

Carole

Right on the curb. Yeah, like right there. Somebody went, "Oh, it's on the curb. This must be available for," and they just looked at it. Yeah, just like somebody is donating this or it's going to trash, whatever. Like it's unclear. But it goes to show, I wonder if all small airlines have access to the no-fly list. Like does everyone have that? Is this like, I would imagine they must, because if you fly within the United States, you have to comply with the United States federal air laws. But do you

Graham

Need it as a great big list? Or should there be a system whereby you can sort of look up a name or something? I suspect that's how it works, and someone has the whole list. Yeah, or maybe it was a centralized database and someone's like, "I'm going to make a local copy." I mean, I don't know how it works on the back end. I'll keep it on the cloud in CSV form with no protection.

Graham

Well, that's true. I mean, if you had to access some sort of shared resource, and if you were a baddie getting onto a plane and you realize you're on the do-not-fly list, then the thing to do is to DDoS the do-not-fly server, I suppose, isn't it? So people wouldn't be able to access it to look you up. So I guess people must have access to this data somehow. Yeah. And did maia get in touch with them to tell them that they found this? That's a good question. So it's not responsible disclosure, really, if you're slapping this out there. So what happened? Yeah, but they haven't released the data to the wild, as it were, have they? They haven't published it for any Tom, Dick, and Harry to see.

Carole

No, they're just telling their story. I suppose you're right.

Graham

They're just telling their story, I think, and sharing it with journalists to corroborate their story.

Carole

Okay. Given the outcome, could one classify this as, I hate saying this phrase, but hacktivism? I think if they'd put it, if they put the list out for everyone to see, yes.

Graham

But they haven't done that. They haven't done that. No. I mean, yeah, it is. I mean, again, expose server to the wide open internet. Like it's, but at the same time, I mean, these things happen and it happens a lot. You know, sometimes I get emails from people saying, "Would you like the contact details of 50,000 people who are interested in a particular product or something like this? Would you like this mailing list?" And I'm thinking, if I ran a multinational evil conglomeration and I wanted to get together all the baddies around the world for some mega conference, probably underneath a volcano, then this is the kind of list which I would really like. This would be fantastic, wouldn't it?

Carole

Yeah, you could hit them up.

Graham

Hit them up. Yeah, you know, make a sort of, I've got another whole new James Bond plot in the making here.

Carole

I was gonna say you're really entering your James Bond villain phase.

Graham

Yeah, yeah, yeah, yeah.

Carole

What have you got for us this week? If you wanted to rob a bank, you need some guts, right? Because you'd have to storm in, you'd have to figure out the best time to do it when it was quiet and the security guy was having a poop or something. You'd have to cover your face to make sure no one could see you to describe you. You'd have to scare people into cooperating, hoping to god that in 30 seconds you'd have a fat bag of money and you'd be diving in your getaway car peeling out to dodge and scarper. It's not for the faint-hearted. There's a lot that could go wrong there, you know. And today, if you want to steal cash, you just go down the ransomware route. You're unlikely to get killed, you're unlikely to be recognized. Unlikely, but not guaranteed, but much less likely. A lot of crims are doing it. They're working from home in their pajamas, and ransomware as a service big model now. It's thriving.

Graham

Maybe they're in prison. Maybe they're in prison coordinating by their mobile phone, which would be a cybersecurity angle. Oh, full circle. We did it. We did it, everybody. Well, the same people behind the technology, I guess, but it could be different criminals who are actually launching them, couldn't it?

Carole

Well, this is where Chainalysis comes in because they look at blockchain wallet activity. Right. And they say that often the ransomware attackers reuse wallet for multiple attacks. So in other words, there's loads of strains, but it's being admitted by a small group of folks. Worthy. I'm with you. But this doesn't really explain the 40% drop in ransomware return. 40%. Yes. Feels a lot. Doesn't it feel a lot? That does, especially considering the fever pitch every year of ransomware is out of control. I mean, it's not a small issue. I'm not going to. I'm going to try and convince you now. Okay, try and convince us. Okay. So Conti was a prolific ransomware strain for a few years, taking in more revenue than any other variant in 2021. But in February, following Russia's invasion of Ukraine, the Conti team publicly announced its support for Vladimir Putin's government. Soon after, a cache of Conti's internal communications leaked and indicated connections between the cybercrime organizations and the FSB, the Russian Federal Security Services. Ipso facto, many ransomware victims and incident response firms decide that paying Conti attackers was too risky, as the FSB is a sanctioned entity. Oh, I see. So Conti is not a sanctioned entity, but because there's connections with the FSB, people were, I don't want to get in trouble. So Conti basically eventually responded by announcing its closure. Right. So they just said we're not doing anymore. Conti's closure drove many affiliates or people to conduct attacks for other ransomware strains where ransom victims were more likely to pay because people weren't paying with these ones. And notably not tied to the FSB, as they could see. But because the people reuse the same wallets, Chainalysis are able to better understand the ransomware ecosystem. So it all kind of makes sense. You're following me? Yep, I'm with you. I'll tell you what I don't understand. 
If you're saying that Conti stopped getting ransomware payments because organizations didn't want to pay a criminal organization associated with the FSB, wouldn't it be in the interests of the US authorities, for instance, to name lots of other ransomware groups as being affiliated with the FSB as well? I've linked to the Chainalysis report. So they do do a bit of that saying here are the other ransomware attached with the same wallets. Right. So they're using the wallets as a way to link the people who are behind it. They say the upshot of all this is that it may be more productive to think of the ransomware ecosystem not as a collection of distinct different strains, but instead of a small group of hackers who rotate brand identities regularly. So they basically just rebrand them. Like a corporation. Bill Siegel, CEO and co-founder of Coveware, says the number of core individuals involved in ransomware is incredibly small versus perception. Maybe a couple hundred. Wow. So he says it's the same criminals. They're just repainting their getaway cars. Fascinating. Wow. Well, it definitely changes my perception of ransomware a little bit. That's not at all what I would have expected. I thought it was just a huge wide web of thousands upon thousands. And they were all just casting wide nets. I would not have thought just a couple hundred. I think what's kind of cool about it for me as well is they're keeping to one wallet. You have also ransomware researchers looking at the actual nuts and bolts inside the code to see how they're operating, how they're encrypting, how they're working, whether it's a service, whatever, whatever. And you put those things together, you get a much different picture of what's going on. And that's kind of cool. So, yeah, interesting reading. Wow. News you can use. Amazing.

Graham

How much money do these guys actually need? I mean, I can understand why Boris Johnson might need to keep on having dodgy loans given to him. But I mean, what are they going to do with all of this money? Even if their numbers have gone down by 40 percent.

Carole

Still a fuck ton of money, though. Yeah. I think Graham's hurting financially right now. And he's like, why does anyone need more than when they need? Because then I could have a bit more. Give me some.

Graham

I don't understand what drives them because, you know, if you've made your fortune through ransomware, isn't that enough? Do you have to keep on going and maybe get yourself in more trouble?

Carole

Yeah, we've seen people step down when they have enough, like Jeff Bezos and Mark Zuckerberg and, yeah, all of them, Elon.

Graham

I think you'll find Elon is letting loose a lot of money. He's burning money. Oh yeah, he's burning that money. Didn't

Carole

he get the Guinness World Record for the person who's lost the most amount of money? Yeah.

Graham

Yes, lost the most money in history.

Carole

Amazing. All imaginary money that never existed to begin with, but he lost it. Amazing. So there's probably a lot of Smashing Security listeners out there who might be concerned after hearing about the data breach which recently occurred at LastPass. Now, that allowed hackers to steal customers' password vaults. And unfortunately, there were parts of those password vaults which were astonishingly unencrypted. Pick of the Week. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily. One hour or whatever, 10 minutes to yourself on the bike.

Graham

45 minutes, thank you very much. And 45 minutes, and this is how you choose to spend your time.

Carole

This is how I'm choosing to spend my time. Okay. Rather than running some sort of dodgy scam from my prison cell. Instead, I'm on my exercise bike watching Luxe Listings Sydney on my tiny little teeny Z1 phone.

Graham

I'm with you. You have to watch trashy TV when you're doing bike stuff. I do the same thing.

Carole

You've got to do it. You've got to do it. You've got to. Anyway, this is one of those reality programs where, in this case, we've got a buyer's agent. His name is Simon Cohen. He is someone who's helping people buy houses. And there's also two real estate agents, Gavin Rubinstein and Gavin Rubinstein, and it's all fast cars, flashy cars, you know, flashy suits, complete wankers. What? It's just – maybe I should restart that sentence.

Graham

Is that what you're doing on the bike? That's why you called it porn?

Carole

Oh, God. I don't have the energy. I don't want to watch people wanking. Thank you. But the point is that they're going around incredible high-end luxury properties. It's like $25 million, $30 million that we're dealing with. It's just disgusting. The way the other half lives, you know. I'm not sure it's a half, half a percent perhaps, but it is quite astonishing. And so I've been watching this because I'm currently in the market for a new property. I'm looking around. The properties I'm looking at don't really compare with these, but I'm quite enjoying it. I find it quite enjoyable. And so I am watching, and I'm not ashamed to say it. I am enjoying Luxe Listings Sydney on Amazon Prime, and it is my pick of the week.

Graham

I wish you were. Graham, I have to make a confession. Before I came on this show, I was agonizing what I was going to do as my pick of the week, and I was like, what's a show I've been watching lately? Oh, I can't mention any of them because they're all trash I watch when I'm on my bike. I'm not even joking. I was like, I can't because they're all just stupid reality TV that I can sort of zone out to while I'm biking.

Carole

Tell us one. Tell us one, Carole. Come on. Own up.

Graham

Yeah, there's this one called The Traitors. It's basically like the mafia party game, but they did it on TV.

Carole

Oh, yes. That's been on UK TV, but I think there's also an American version, isn't there?

Graham

Oh, I didn't know there were two different ones. I'm presuming I'm watching the American version. Okay. But yeah, I'm just like, that's not something I would just sit down and watch, but I'm on my bike. Yeah, I absolutely watch that. Yeah, why not? Yeah, that's better, though, than... No, Carole, have you watched Luxe Listings Sydney? I just, anyone who wants to buy a house for $100 million because, oh, we definitely need a five-bedroom house for the dogs. Well, it has some integrity. Carole, you don't really get to see the actual buyers. It's mostly their agents, people, because when you're that rich, you don't actually buy the property yourself. You get someone else to do it all for you. You just trust their taste. Oh, my God. I cannot imagine that. I'm enjoying it anyway. Carole, your pick of the week. I'm not on TikTok, but this person is very famous on TikTok and also on Twitter, and their videos get reposted. I see them all over everywhere, at least where I live. His name is Matt Shearer and he's a local reporter here in the Boston area for a really old-school radio and TV station called WBZ. So it's like the old grandfather of TV and radio around here. And he's a young reporter and he has gone viral a gajillion times on TikTok for his hilarious videos about all the weird quirks and foibles and strange characters in the area where I live in Massachusetts. Fantastic. I love the idea of that.

Carole

Yeah, and he just did a video as we've been talking in my hometown of Chelmsford. So, I just saw it pop up as I was going to put his URL in the show notes. And I was, oh, he just went to my hometown. That's amazing. It's snowy there.

Graham

I'm watching the video right now. Oh, blimey.

Carole

That's what it's out there. That's what it's out here. This is normal. Actually, this is a small amount of snow for us.

Graham

I've never seen snow.

Carole

Never, never.

Graham

Carole, what's your pick of the week? I have a great one. And I've been saving it because I know she's a bit of a sci-fi junkie. Okay, so my pick of the week is a Netflix miniseries called Hot Skull. Have either of you seen it? Has he just got a lot of earwax? Is that how he's immune?

Carole

He seems to be able to communicate with other people just fine. But when he's exposed, he tests himself by listening to tapes of Jabber, and his head spikes in temperature, but he recovers, and he never jabbers. Hence, hot skull.

Graham

Oh, right. Okay, gets a hot skull.

Carole

So he is hunted by those in power, of course, because he's known as the one who is immune. But he wants to elude them because he wants to search for the secret of his hot skull. It's freaking fabulous. I loved it. It's a miniseries. It's on Netflix. It's great. It shows you what a lot of imagination and heart can create.

Graham

How does a TV series like this get made? Because this is the most bonkers idea for a TV show ever.

Carole

There was an episode of Star Trek Deep Space Nine that had this premise. So I'm just saying that. I've never seen this show. And I'm actually wondering if I can watch it in the US. It might not be available. And that might be why I've never heard of it. It's called Hot Skull. I found it on Netflix in the UK. If you like a wacky premise and a sci-fi angle, this is for you. Check it out. My pick of the week.

Graham

It's certainly wacky if you ask me. Well thank you, that just about wraps up the show for this week. I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?

Carole

Honestly nowadays, I use Mastodon more than Twitter. On Mastodon I am at varmazis at mstdn.social, if you can remember all that. I'm still at mvarmazis on Twitter. And, of course, I'm on the Cyber Wire, and I'm doing the Space Correspondent, so if you listen to the Cyber Wire, you can hear me there as well.

Graham

Space! The final front ear. And you can follow us on Twitter, SmashinSecurity. No G. Twitter won't allow us to have a G. No chance of that happening anytime soon, I imagine. SmashinSecurity also is on Mastodon. We love it too. You can find us most easily by going to smashingsecurity.com slash Mastodon, and that will redirect you to our account. And look up the Smashing Security subreddit on Reddit. And don't forget, to ensure you never miss another episode, follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.

Carole

And massive shout out to this episode's sponsors, Bitwarden, NordLayer, and ManageEngine PAM360. And of course, to our wonderful Patreon communities. It's thanks to them all that this show is free. For episode show notes, sponsorship information, guests, and to listen to our back catalogue of more than 305 episodes, check out smashingsecurity.com.

Graham

Until next time, cheerio. Bye bye. Bye.

Carole

I'm better. Bye. Yay, I'm glad you're better.

Graham

Yay. Welcome back, girl. Thank you, Graham.

Carole

Do you know, Maria, I was looking for the show notes for this episode and I mistyped and I didn't notice because of your name. You did episode 36 with us on the 3rd of August 2017. Are you serious? Yes. And your topic was Flash. Oh, what is Flash? What is that? It's not dead yet, that's what you said. Yeah, well, I thought you were gonna say Facebook. No more Facebook, please. There you go, blast from the past. Oh my god, 2017, I was a baby. Yeah.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Maria Varmazis:

Episode links:

Sponsored by:

  • Bitwarden – Bitwarden vaults are end-to-end encrypted with zero-knowledge encryption, including the URLs for the websites you have accounts for. Migrate to Bitwarden for a more secure password manager.
  • ManageEngine PAM360 – A fully functional privileged access management suite that offers a holistic picture of all the privileged devices, users, and credentials in the IT infrastructure. From managing and governing access to all your enterprise resources to automating the access management life cycle in your organization, PAM360 does it all.
  • NordLayer – NordLayer safeguards your company’s network, securing and protecting remote workforces as well as business data. It can even help you ensure security compliance. Get your first month free.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
