
A boss is bitten in the bottom after being struck by one of the worst crimes in Finnish history, Strava’s privacy isn’t so private, and a private investigator uncovers some TikTok tall tales.
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by T-Minus’s Maria Varmazis.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
After about four days, he published the whole lot.
What, accidentally?
Yes, he dragged and dropped the entire file. How do you know this?
There's not a single competent person in this story except for the MP who said basically, fuck you. Everyone else is a moron. Okay, great.
Smashing Security, Episode 319: The CEO Who Also Ran IT, Strava Strife, and TikTok Tall Tales with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 319. My name's Graham Cluley.
And I'm Carole Theriault.
And this week on the show, Carole, we are joined by someone from far, far away, a galaxy far, far away. It is the host of the T-Minus Space Daily podcast.
And Sticky Pickles, Maria Varmazis.
Yes, Sticky Pickles goes first, yes. And then T-Minus. He's always first. Hi, everybody.
So Maria, our listeners obviously know you well, but tell them about T-Minus because they may not have heard about it yet.
Yeah, I have a new job. I am the host of T-Minus Space Daily, which is the only daily space intelligence podcast.
In the world.
In the world, yes. We're sort of the sibling show to CyberWire. So think CyberWire but for space, and that's kind of what we're doing. And I'm the host of that show. So it's targeted at space professionals. Yes, there are such a thing. And people who are interested in what's going on in space. So if you're interested, give T-Minus Space Daily a listen.
Someone has been doing some ad spots.
Oh my gosh, yes. We just launched two weeks ago.
So yes, I can tell you did that so, so smoothly in my sleeve curl. How do you guys feel about getting the show on the road?
Psyched.
But before we kick off, let's thank this week's sponsors: Bitwarden, Kolide, and hCaptcha. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
I'm going to be telling you a story about blackmail biting a boss in the bum.
Oh, sounds fun. And Maria, what about you?
Strava's not so entirely private zone.
Ooh. And I'm going down to TikTokers', PIs', and scammers' land. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, I'm gonna take you to the beautiful land of Finland. Have you ever been to Finland?
I have.
Have you? What did you reckon?
I loved it.
Yeah, it's a bit nippy.
I was only in Helsinki for a few days, but I loved it, loved it. I'd love to go back. Yeah.
Yep. Pretty cool place to go, I'd say. Are there any benefits to being Finnish, I wonder? I mean, obviously the flag is a big plus.
Hey-oh! Some vexillology humour early in the morning today.
Oh dear.
My goodness.
Anyway, I wanted to tell you about— Well, let me tell you a story. Let me tell you a story. I want to tell you a story.
Okay.
So, there is this woman. Her name is Nina Tapio, and she is a successful psychotherapist.
Mm-hmm.
And she's a psychotherapist who has an idea. And in 2008, she sets up a chain of psychotherapy clinics up and down Finland, offering psychotherapy to anyone who wants it. And she wants the company to be high-tech. She's thinking dot-com, she's thinking, "Oh yeah, that'd be so cool. I'm gonna use computers as much as possible. We're gonna be cutting edge." So who does she get to handle all the techie stuff? Who's the guy she brings in to sort out all the techie stuff at all of these different therapy clinics up and down the country? She calls in her son, Ville Tapio. That's what you do. You call in your son.
Well, if your son is good at that kind of stuff, maybe. Exactly.
The neighbourhood kid who's good at the internet. Just make the website, Ville. You know.
Good at the webs. Why not bring him in? If he's done a bit of work in Dreamweaver, if he's built a few websites. Dreamweaver?
No, Paddy, get out.
Edlin. Well, at first, it was a big success for this firm, which was called Vastaamo. It was a big success, and the company grew. And Ville Tapio, the son, eventually became the CEO. And he's a very hands-on CEO. In fact, he is still doing a fair amount of all the techie stuff. And we've worked for bosses, I think. We've worked for people who may have founded large companies, but still think, "I will build an intranet. I will do this. I will program it. We will not have monkeys. We will not pay idiots to write this software."
I can write it myself in this evening. I've written a script that will allow us to tell your partner what you've had for lunch so she doesn't cook the same meal kind of programming would come up.
That kind of CEO we might have worked for in the past.
Very long time ago.
Yeah. Was this— I was trying to remember the software they used. Oh my gosh, forgetting it now.
There was a lot of Lotus Notes. Yes, it was Lotus Notes.
Thank you.
I was remembering all of the homebrew Lotus Notes stuff. My goodness.
Yeah.
Yeah. It was impressive.
Anyway, his job was to ensure all the internal systems were operating properly. But as the company grows more— What happens when a company grows more successful and it doesn't build its IT team? Its technical debt increases. So, you get more and more garbage and things going wrong all the time. And yes, of course, they've got more and more psychotherapists and more and more patients coming through the doors, but there was a constant need to maintain the database which this guy had built himself, using SQL, and it meant the tech team running the operation had to be able to log in any time, day or night, and fix things. And so they had to make it accessible for remote login.
In other words, it's a bit like having a treehouse and then building a number of extensions off it without adding any extra support underneath to hold it all up, right?
Oh, I want a pool.
I'd love a pool up here. That's a great idea.
A pool off of a treehouse, just sort of hanging.
Funnily enough, The CEO, who I believe we're obliquely referencing earlier on, that we worked for, I seem to remember he did have a rather extravagant treehouse in the garden of his home.
I feel this is just a trauma revisit in this episode, okay. Someone's ears are burning.
In November 2018, the inevitable happened. Someone breached the database, and so they were able to access information. I know it's a shock about this psychotherapy database, and obviously that would be disastrous. The good news, the saving grace at this point, is of course that all these database notes are encrypted. They're securely encrypted, not using an encryption algorithm. They're encrypted using the really novel but completely brilliant encryption system known as Finnish, which hardly anybody in the world can understand. That's true.
Is it Suomi?
Right?
Yeah, that's right, that's right. They don't understand, let alone you can barely recognise it's a language because it looks so freaking weird.
You know, all two of your Finnish listeners are gonna be really mad at you.
It's true!
No, no, I love, I love the— I love listening to it.
Yep.
We love the Finns, we love the Finns. But boy, oh boy, crazy language.
That, yeah.
So, November 2018, the database gets breached. Nothing happens, there's no public announcement. They must have been holding their breath. Has anything happened? No, okay, we're fine, we're fine. March 2019, round about 6 months later, they got hacked again. And unfortunately, this time it became obvious that they'd been hacked because the hackers, when stealing the database during the intrusion, they also crashed the database.
It's a little obvious.
And who, of course, spots that there's an IT problem but the CEO? Because he's the one who's actually doing the IT for the business. He's running it all himself because he's the only one with the smarts to do it.
Right. He can't trust anybody else to do it.
We don't need a marketing manager.
Yeah.
No. I'll do the marketing.
I'm the only one.
I'll do the IT as well.
So, the CEO knows that they've suffered a hack, but he's got another problem, which is that the company was in the process of being purchased by an investment firm.
Okay.
For millions and millions, and they were doing their due diligence that everything was good at the company. And the last thing he probably wanted was for the people buying the firm to find out that they'd suffered a hack. And so what he did was he held his breath.
That wouldn't last very long. And then he died, and it was very sad.
He passed out and died.
12 minutes later. When they found his body, yes.
So he held his breath and he thought, let's hope the hackers don't do anything, because after all, our data has been properly encrypted with the Finnish language.
Finnish encryption algorithm, yes.
There wasn't any other— yeah, there wasn't any other encryption on it whatsoever. In fact, this database, it turned out later, you could access it just by entering the admin's username. There was no password to actually access this database containing psychotherapy notes of tens of thousands of people.
Okay, this is a greatest hits of all the stuff you should never do, right? I mean, every— it's checking every terrible box, right? But— Oh my god.
But if a cat, if Schrödinger's cat is inside a box with some radioactive isotope or whatever, does the cat really exist, Maria? Does this breach really exist?
I'm gonna open that box.
Well, yeah, because he's not the only one in the world that knows about it. Presumably the person who breached it also knows, right?
But nothing's happened. Months and months have gone past. Months. 18 months have gone past. Nothing's happened. He thinks he's got away with it. Right.
If you don't disclose a breach, no harm, no foul.
If a bear with one hand claps in the wood, you know, if — Anyway, come October 2020, unfortunately, things become public. Clearly, someone who spoke Finnish has gained access to the database and realized what it actually is and can read it. And so Vastaamo goes public. It says, "We've suffered a data breach a while ago." The CEO gets fired, because obviously he's been incompetent. He's been covering this up from everyone else inside the company. He loses his job. And what it turns out had happened was that a hacker had contacted Vastaamo and had demanded payment. He demanded, I think it was something like €450,000 worth of bitcoin, this guy calling himself Ransom Man. And when the company refused to pay it, the hacker then contacted each of the individual patients saying, "I am publishing your psychotherapy notes on the darknet unless you pay me €200."
Fuck me.
Oh my God. Okay, now it's gone just—
That's dark.
That's a dark turn. Yeah, real dark turn.
And if you don't pay within a further 48 hours, the price goes up to €500. So you've got people who were seeking mental health assistance, therapy, and now — I mean, it is — It's probably the most horrendous thing I've ever heard of when it comes to extortion and blackmail.
That is really terrible.
Yeah. What do you discuss with your psychotherapist, Graham?
Hmm? Hmm?
What do I discuss? Working relationships, mostly. Relationship with a podcast co-host.
Microphone problems.
So, some people, yeah.
I'm gonna be talking about that one in therapy next week.
So some people weren't ashamed to say, look, you know, I'm gonna put my hands up right now, I'm not gonna pay any money. There was a former MP, Kirsi Piha. What she did was she posted up a screenshot of the blackmail email she received from the hacker, and she said to him, "smell the shit," albeit in Finnish.
Oh, that's so badass.
I'm not ashamed of seeking help and therapy, and neither should anyone else. That's really badass. There was some good news as well. Because in the ransomware demand messages, the hacker asked people to pay via a particular Finnish bitcoin or cryptocurrency transfer site, and that transfer site shut it down. And so you couldn't make payments through it. You could make payments in other ways if you knew how to use bitcoin and things, you could do it. But essentially the hacker didn't actually make very much money. But this was the biggest criminal case in Finnish history. Where about 30,000 mental health patients suffered as a result of this. And when the breach became public, it was so big, the Finnish police crime reporting portal on the web went down. It crashed.
Oh my God.
Because so many people were going there to report this. So, you might think this was the work of a criminal genius. But no, no, no. Because it turned out, although he was planning to slowly leak people's data, 100 patients at a time, after about 4 days, he published the whole lot.
What, accidentally?
Yes. He dragged and dropped the entire file. How do you know this?
There's not a single competent person in this story, except for the MP who said basically, "Fuck you." Everyone else is a moron. Okay, great.
But the reason why I know it's an accident, Carole, is he also took his entire desktop and his home folder and published those.
It's just too—
As I said, not a single intelligent person to be found in the story. Okay.
And that included his SSH keys, it included links to other things, and there were—
Oh, love it.
Now, he quickly realised his mistake and went— He actually posted, oops. And he deleted some of that information.
Wait, did he actually post, "Oops"?
Yes, yes. But not before— But not before— Not before security researchers grabbed the archive and began to look at it. Now, there's a lot more to this story. Let me just give you the headlines of what has happened since. Vastaamo, the psychotherapy clinic, they went bankrupt, right? Quite right too. Who's going to trust them in future? Even though they contacted their patients and said, "Look, we're really sorry about this. We'd like to offer you a free psychotherapy session. And we can tell you that we won't record any notes as to what happens in this therapy session." Oh my God. Oh, well, that's all right then. It's okay.
She wasn't in with it, right? So she was assuming, trusting her son.
Well, it's not just her. There were lots of these therapists who were working. Right. There were something like 400 people who were working for this company. And it was just the IT guy who also happened to be the CEO who'd clearly goofed.
The IT guy who happened to be the CEO. It's just, you just know that that's going to go sideways.
I mean, it happens so much though. It happens so much. Vastaamo declared itself bankrupt.
The patients get fuck-all.
Yeah.
But what of the criminal? What of the hacker? Because of course, we've got some clues about him. For the last few years, the Finnish police have been digging through this archive, trying to put together a solid case as to who he might be. And late last year, I think it was November last year, they put out a warrant. He's on the Europol top wanted list. His name is Julius Kivimäki, and he's no stranger to cybercrime because he has actually been involved in a number of attacks in the past. He is a member of a group called Lizard Squad, and they launched a DDoS attack on the Sony PlayStation Network one Christmas Day. They stopped Sony PlayStation Network working.
Such an annoying hack.
Yeah.
It's everyone gets their Christmas presents and no, you can't play.
He even appeared in a Sky News report. There was a Sky News report. Friend of the show, Joe Tidy, interviewed him on Sky News. "Do you not feel guilty that you've taken so much enjoyment of gaming away from more than 100 million people over this Christmas period?" "I'd be rather worried if those people didn't have anything better to do than play games on their consoles on Christmas Eve and Christmas Day. I mean, I can't really say I feel bad. I might have forced a couple of kids to spend their time with their families instead of playing games."
Ooh.
He hasn't disguised his face. He just talks about, yeah, yeah, I'm a— he called himself Ryan at the time. I was the guy who was behind this attack on Sony PlayStation. So he had no empathy. He was found guilty back in 2015 for orchestrating more than 50,000 cybercrimes, this Julius Kivimäki, back in 2015. But because at the time he was only 17, he got a suspended sentence.
Right.
But now he's been implicated in the Vastaamo breach. And I can tell you that earlier this year, French police responding to a domestic violence report— apparently someone had been out with a woman in a suburb of Paris at a nightclub. They'd got into an argument. Someone called the police. Police went to knock on this guy's door. French police.
French police?
And they are French police. We're in Paris now.
French police. Okay, I was looking—
It's like an episode of one of my Pick of the Week this week.
So we're in France now. Okay, alright.
They woke up this guy, and they said, 'Give us your ID.' And he gave them a passport which said he was Romanian. And they looked at him, and he was a blonde, 6-foot-3-inch, green-eyed man. When you see a picture of Julius Kivimäki, you know he is not Romanian. They were like, come on, mate.
Hey, don't make assumptions.
Yeah, well, I'm just saying he looks very Finnish to me, right? He looks Nordic at the very least, right?
Anyway, they said they don't get born anywhere else.
Yeah, they suspected he wasn't Romanian, and it turned out he was on this Europol list. He has been extradited from France to Finland. And meanwhile, just last week— and this is why I'm talking about it now— last week, Ville Tapio, remember him, the CEO, the IT expert?
Yes.
He was in court. And they said the severity of the crime, the length of time it went on, the highly sensitive detail wasn't adequately protected. You've been a complete and utter muppet. They said you must receive a prison sentence for what you've done.
Two months.
But then they said, 'But because you've never done anything bad in the past, we're gonna give you a suspended sentence instead.' And so he's now effectively got away with it, as long as he doesn't get up to any more mischief. He was a very naughty boy. He won't do it again.
He didn't do it out of malice though, right? He did it out of incompetence. I don't know. I mean, he knew they'd been breached. Oh yeah, I was thinking it's before GDPR, isn't it? It was 2018 or something.
Oh no, when did GDPR come in? I don't remember. I don't remember. I think GDPR was in by 2018. Listeners, listeners, don't tell us. We don't care. It doesn't matter. Don't tell us, don't write in. Maria, what have you got for us this week?
I'm bringing up a topic that we actually talked about in 2018 on episode 63. Wow.
The pre-GDPR days. Yes, yes.
When we were a lot younger and a lot more, you know, excited about things going on in the security world. No, I'm just kidding. So we were talking in that episode, actually, I was on that episode, which is funny. I didn't realize that I was, but I was. We were talking about this app called Strava and Carole, I think actually this was your story and it was about, all right, so Strava for people who don't know, it's a fitness app and you use it to track your activity and compare yourself to past performance. And it's mainly for people who do cycling and running, but other sports too. But those are usually the two things. And it's a big part of the app is that it's location-based. So that's a huge part of the appeal because that's how you can compete against other people who maybe ride on the same paths that you do or the same roads. And then you can sort of own segments and saying, you know, like, I'm the fastest person on that segment, or I'm a local legend for owning this part of my neighborhood. Yeah. It's totally bragging rights, but that is a humongous part of the Strava appeal, to be honest with you. So yeah, I mean, I'm a big Strava user, so this story is important to me too. So in 2018, Carole, in your story, you talked about how a soldier on a US military base, do you remember this? He went for a run around the base, which was in one of those undisclosed locations and with Strava enabled, and he kind of gave away military location secrets through Strava.
Yeah. They would basically map it out. Yeah. Yeah.
It wasn't super great. And that was user error though, right? Because it was, okay, well he shouldn't have had that app enabled. I mean, why is somebody in the military using a location-based app when they're on a secret base? That's kind of a PEBKAC, right? Okay. So folks who give a damn about privacy, which is us presumably, said maybe showing every step I take through the Strava app is not a great idea. Maybe it's not totally necessary. So maybe some of the information about my run or my ride can stay between me and the app. And some of it, at least where I'm starting or ending, can stay private. Because I don't know about you, Carole, maybe you've heard about this and Graham, you might have as well. Sometimes people stake out Strava users. They'll look at what's going on locally and they'll say, hey, that person's got a really nice bike. Maybe I can find out where they live and steal that bike from their garage when they're sleeping.
What?
Oh, wow.
Yeah. I don't use any of these apps, so yeah.
Yeah.
I'm a total noob.
I'm on Strava, but I wouldn't post up any photographs of my bike or anything like that. Not that anyone would want it.
But say you go on the same route, you're right. And then someone kind of goes and spots at the same time every week or whatever. Right. And they can spy your $3,000 bike.
Oh, $10,000 in these cases or whatever.
$10,000, whatever.
Yeah.
I mean, if you have a $10,000 bike, you were probably plastering photos of it everywhere on your profile picture and your ride reports everywhere. You're like, look at my bike. Isn't it great? And this is exactly where I live.
So if I had that much money, I'd pay someone else to do the riding for me and post it up on Strava.
Fair enough. Not how most people use Strava though. So anyway, back in 2021, Strava decided to sort of catch up to what other fitness apps were doing and they said, "We'll allow you to adjust your location privacy a bit so you can turn the location tracking off completely." But if you do that, you can't be a contender in any of the segment competitions, which again, sort of the appeal of Strava. So that essentially neuters Strava for you, but you can do it if you want to use it that way. And the other rollout that they made in 2021 is what they're calling a privacy zone, an endpoint privacy zone. And that allows you to hide your location from where you start and end your route up to within a mile or a kilometer. So it kind of just draws a giant circle around where you start and end your ride, and it blanks it out.
Okay, that's kind of cool. No, right?
But, and you can't compete in any segments in that privacy zone. But yeah, it basically says you can't see anything that happened within the circle, so you have to guess where this person maybe started their ride. So privacy problem solved, maybe, right? Fast forward to today. Two PhD researchers at KU Leuven in Belgium have pointed out to Strava that actually it's really, really, really easy to figure out someone's home location from the app, even if the user has Endpoint Privacy Zones set up. And they said in their research that about 85% of the protected end zone locations can be easily sussed out by an attacker.
Okay. Is that poor programming that led to this or is it just they were trying to just obfuscate that they actually hadn't done anything to improve security?
Yeah. So, yeah. So, some of it's just kind of math. So, the researchers released their findings in a study actually in December or November last year and it's called "A Run a Day Won't Keep the Hacker Away: Inference Attacks on Endpoint Privacy Zones in Fitness Tracking Social Networks." And they wrote, "Despite the usage of spatial cloaking, we show that these protected locations can still be discovered reliably. Our attack leverages the reported distance traveled within the endpoint privacy zone, as well as the layout of the street grid to de-anonymize protected locations with a success rate of up to 85%."
So, oh, so Strava still records accurately your precise distance, for instance, that you traveled. But it won't actually sort of plot it within that circle. Is that right?
That's exactly it. So that's the keys to the kingdom in this hack. So the high precision API metadata is being reported back to Strava and anybody can view it. Like you just need to view source in your browser. There's not some crazy sophisticated hacking tool you need to do. It's being sent back to Strava. And in that metadata is the full distance of your entire run or ride. And that includes the bit that's supposed to be hidden by the endpoint privacy zone. So I mean, you combine that with the fact that I know in my case, I just crank up the privacy zone to its maximum. So it's a mile in my case. So it's a circular zone being drawn. So if you're living in somewhere that's not super population dense, outside of a city or a typical American suburb especially, it's kind of a basic geometry problem. It's okay, here's your circle. You know, the distance within it, where does it meet? It's really not super hard. So unless you're maybe departing from an extremely dense city, in most cases it kind of gives it away. So the researchers reached out to Strava late last year and they published their findings. And Strava has said since then, thank you for your research, but we have no evidence of anyone doing anything naughty with this information. So we're all good.
I love it. Don't you always love it when companies say, well, we haven't seen anyone actually exploiting this, so I think everything's actually fine, so we'll wait.
Yeah.
Until someone gets murdered or kidnapped and then maybe we'll act upon this.
Or their bike gets stolen, you know, and that's already happening anyway. So I was trying to figure out as a person who uses Strava a lot, what I could do to maybe keep my home location a little more private. And one little hack that I've seen people talking about on forums was don't start up Strava until you're a certain distance away from your house and then start it and then scramble that location from time to time. So start your Strava app in different locations from maybe where you're actually starting, sort of fake that data.
So sad though, right?
Yeah.
Or don't use Strava. I don't know, just go for a ride.
Don't use Strava, but everybody loves Strava.
Well, but Maria, don't you have a choice as an athlete, as you are?
I'm not.
Do you not have a choice when logging your data with Strava as to who you share it with? It's not public by default, is it? Can you not just say, only my friends or something?
Yeah, but I think—
If you're careful as to who your friends are.
That's true. I can't remember about how visible the maps are, and I should remember this off the top of my head, but I believe you can do a sort of a friend-only thing. But for a lot of people, having all of that information public is sort of a way of saying, who did I pass by on my route? Like, hey, I saw this person with this really awesome bike and they were killing it on the route. And I just want to know, how did I stack up against that person? It's a lot of competitiveness.
You make it sound like these people are just cycling in hope of bumping into each other and saying, oh, look at this girl.
They're all looking at each other's butts on the bikes.
Wearing tight Lycra. You know how it is. But I think some of it is— All the mammals. The good old mammals, yes. The public social aspect of it is a big part of the appeal for a lot of people. So it is the bragging rights of being able to say, I was the fastest person in this segment. People are always competing against each other, but also knowing who else is riding on the same route as you or running on the same route. That's part of the thing. And if you lock down to friends only, you're not going to make that discovery. So I don't know how they're going to fix this, but other apps have figured it out. Like Komoot is another one and they allow people to draw sort of weird, irregular shapes for the privacy zone. So you can't sort of draw a circle and be like, what's in the middle of it? So they make it— other people have sort of figured out ways to do this. And so it's not an impossible problem. Just, I don't know if Strava's got the motivation to do it. But hopefully they will.
They don't. They won't.
They don't and they won't, but maybe they will.
They said, they said, they said, we're not taking it, we're not paying any attention. Fine.
Yeah, I mean, I do appreciate that the researchers brought this to bear because I didn't know about this and I use Strava a lot. So I'm like, okay, I need to take this seriously. So note for me.
Yep.
Carole, what have you got for us this week?
So earlier today I was perusing the webs for an interesting story to cover today. And I find one with legs, right? I find a good one. But then I veered left and I slipped down a fascinating rabbit hole. One that I'm going to share with you guys because it's a world that I know nothing about. The world of PIs, private investigators. I've watched a lot of TV, read books. PIs are gold, right, in fiction always.
They're fascinating. Yes.
And I was thinking, why are they fascinating? Because they don't have to go through bureaucracy, right? There's no red tape. You pay them so they work for you. So you get them to do whatever, you know, you need them to do. And they skulk around in the night watching stuff that they shouldn't be watching, taking pictures. It all sounds very, I don't know. Fascinating. And we have a PI to meet. But first, before we get to that, I want to tell you about this story that piqued the interest of our specific private investigator. So we start off in Johannesburg, South Africa, and we have a TikToker known as SpillTheTea007 who goes live with a special message. And in this session, she talks about a friend of hers, a TikTok influencer who goes by the name of Bianca Irons. And apparently Bianca had been going through a tough time. And she had even lost a child a few months earlier, she said on her thing. And she was sharing this on her channel. And she wasn't in a good place. She even reportedly took sleeping pills on air.
My goodness.
Right. And she, of course, got lots of love from her fans. But of course, not everyone watching these posts, you know, some of them are dicks. So in one of these hosted TikTok affairs, Bianca Irons was bullied, says SpillTheTea007. So someone she calls Derek started posting all kinds of nasty stuff, right? Calling Bianca out in front of it all publicly, like a bad mother, a bitch, a murderer.
Oh my God.
Yeah, totally right. And Spill the Tea says that this is the third time this guy has gone after her in this manner. It's super sick trolling, just ugh. But then Spill the Tea goes on, addressing Derek directly in her TikTok. She says, "Okay, in the way that you angled Irons, okay, Bianca Irons, in the live post last night and the screen recordings we have, she committed suicide. So Derek, I hope today, after calling her a bitch and a bad mother, I hope you're happy." And it goes on. Now this is live. So people are gasping and saying no, and some people start crying. And people are watching this and people share this post and their condolences everywhere, right? Rest in peace, beautiful soul, all this. And bullying online is bad. And weirdly, well, maybe not weirdly, but Bianca Irons' TikTok channel grew. And people were looking at this because people were sharing the message and sharing the videos that supporters were sharing. And people were asking how they could help. And perhaps this is why bank details were shared with the community, allowing followers to provide support. Support for the grief-stricken family members that were left behind.
Oh, okay. Yeah, yeah, yeah.
Enter stage left, private investigator Mike Bolhuis. I don't know how you say his last name. It's B-O-L-H-U-I-S. Have a go.
Uh-huh.
What's that?
Say that again. How do you spell it?
B-O-L-H-U-I-S.
Bolhuis.
Bolhuis.
Bolhuis. Bolhuis.
Okay, great.
Thanks, Mike. It's one of those, probably. Maybe.
We had to get an accent in. Yes, of course he did. So he told the Family Star that when he heard about this TikTok influencer having committed suicide, he wanted to probe the claims. So at this point in my research, I'm like, who's this Mike Bolhuis, right? Does he have an online presence? Let me just Google him. Well, guess what? He does. He has his very own website.
Oh, right. Has he been investigating a lot of mysteries like this?
Well, I just never saw anything like it in my life. So here I'm putting it in the show notes so you guys can go check it out. And there's a picture of him on the show. So maybe you guys can take a look and see, maybe describe him. Maria?
Oh, he looks a bit like Max Headroom. He's got a big sort of—
Oh, he does look like Max Headroom. My goodness. Some deep cuts from the '80s there.
Let's—
Yeah.
It's not good. I mean, a real suicide wouldn't be good either, Carole. But yeah, a fake one is pretty sick, isn't it?
Fair.
A lot of people do this kind of stuff too for the drama.
But I just wonder if the way they talk their way into this is saying that Bianca Irons was an alias, an online persona. You know, and the people behind the alias want to teach this Derek guy or whatever, who was shit-talking, a lesson. So they decided to kill the persona and call it suicide to get his attention. Or is it just all bullshit, the whole thing?
Tell us.
Yeah, I mean, yes, it could be any of those.
Do you remember we used to get a lot of celebrities committing suicide, fake suicides, in early Facebook years? Do you remember? There was— I remember Arnold Schwarzenegger. Oh yes, it was the big one that happened.
Yeah, I do remember that. Yep.
Yeah, or Michael Jackson. We were told he had killed himself or something, hadn't we? Well, yeah, that sort of thing used to happen. Yeah, and people would rush to go and see it.
And, but it wasn't for money, right? Or for it, but it was just to see how far it could go? Because there was no landing area where people could kind of share that information.
Sometimes it was used to spread malware, I think.
Mm-hmm.
Oh yeah, I remember click this video to see, or you know, something really ghastly. Yeah, I remember that.
Yep, like Rickrolling.
But also there were fake news web pages as well, weren't there? There used to be sort of where you could put in anybody's name and it'll claim that they died in a skiing accident or something.
I don't remember that, but this example goes to show that there are a few people out there that go to incredible lengths to publicly insult and bully people online, right? While others think it's okay to tell jaw-dropping lies faking a suicide just to grow a channel or to get back at someone. Or maybe they're just really, really messed up because they've gone through a heck of a lot of crap.
Whatever.
None of it is healthy.
Yeah.
Surely the best advice is stay off the socials. Maybe check out fan fiction instead. An adult friend of mine is obsessed with all things Harry Potter. I've never read it, watched it, but there you go. But she's discovered a treasure trove of Harry Potter fanfic online, and it has a saucy penchant.
What? Is that what J.K. Rowling's doing these days? Branch now.
I hear she's quite busy.
This episode is sponsored by hCaptcha. Are cyber threats negatively impacting your business? Unleash powerful fraud protection for your online properties with hCaptcha Enterprise, the leading security ML platform. hCaptcha adapts to detect and block even the most sophisticated attacks, keeping you ahead of evolving threats. Whether your bad actors are human or automated, hCaptcha Private Learning is the solution. Easily combine your pre-blinded data with hCaptcha's thousands of signals to rapidly find fraud and abuse in real time. hCaptcha's privacy-focused design works in every country, giving you worry-free compliance. Visit smashingsecurity.com/hcaptcha, that's H-C-A-P-T-C-H-A, to get started with a free trial today. And thanks to hCaptcha for sponsoring the show.
Our friends at Bitwarden have been busy this month adding some fab new features to their open source password management solution. Now, did you know that you can log into Bitwarden using a secondary device instead of your master password? Well, now you do. Logging in with a device is a passwordless approach to authentication. It removes the need to enter your master password by sending authentication requests to other devices you're currently logged into for approval. With Login for Device, it can be initiated on the Web Vault, browser extension, desktop app, mobile app, and you can approve access on your mobile and desktop app version of Bitwarden. Very, very cool. And the Bitwarden team has hardened the security of its vaults, protecting new vaults with 600,000 iterations by default. And of course, existing accounts can also update themselves to the same level. These and many other great security features are incorporated all the time into Bitwarden, keeping your passwords secure from hackers. Learn more, try Bitwarden for yourself at bitwarden.com/smashing. That's bitwarden.com/smashing.
Our sponsor Kolide has some big news. If you're an Okta user, then you can get your entire fleet to 100% compliance. How? If a device isn't compliant, the user can't log into your cloud apps until they fix the problem. It's that simple. Kolide patches one of the major holes in zero-trust architecture: device compliance. Without Kolide, IT struggles to solve basic problems like keeping everyone's OS and browser up to date. Insecure devices are logging into your company's apps, but there's nothing there to stop them. Kolide is the only device trust solution that enforces compliance as part of authentication, and it's built to work seamlessly with Okta. The moment Kolide's agents detect a problem, it alerts the user and gives them instructions to fix it. If they don't fix the problem within a set time, they're blocked. Kolide's method means fewer support tickets, less frustration, and most importantly, 100% fleet compliance. Want to learn more? Of course you do. Visit kolide.com/smashing. That's kolide.com/smashing. And thanks to Kolide for sponsoring the show.
And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week. Pick of the Week is the part of the show where everyone chooses something that they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.
Better not be.
Well, my Pick of the Week this week is not security-related. Carole, my pick of the week is a gift for you.
What?
It's been chosen especially for you.
Okay.
As an act of friendship and kindness. Maria, you can enjoy it as well.
Oh, thank you.
But this is especially honed for Carole. There is a new movie coming out starring Owen Wilson. I don't know how you feel about Owen Wilson, whether you're a fan of his or not and his shtick. But in this particular movie, which is called Paint, Carole, and of course you are a keen popular painter. Owen Wilson has a new look. And I'm going to link in the show notes to the trailer for Paint. And you will see that Owen Wilson now looks rather a lot like Bob Ross.
Yes, he does. Looking at that picture, my goodness.
He so does. I can't imagine a better actor to play Bob Ross as well for this that I know.
Well, I hoped that this movie, which is out now and apparently has middling reviews, but I hoped it would be the Bob Ross story. That's what I wanted. But apparently he's not actually playing Bob Ross.
Oh no.
He's more playing Rob Boss or something. It's for possibly legal reasons. He's playing a painter called Carl Nagel, who appears to look and act remarkably like Bob Ross. And dresses like him.
Okay, alright.
And anyway, it's a bit of a comedy about someone who appears to be exactly like Bob Ross. I don't know if it's done with the permission of Bob Ross's estate or not, but I thought, Carole, you would love this because I know that you love Bob Ross. I haven't bothered to watch the movie because it's not streaming yet, but—
I was going to say, I thought the thing with this movie is that he looks like Bob Ross, but he actually acts like the opposite of Bob Ross, right? Really? He's an asshole. I thought that was the thing. It was an asshole version of Bob Ross. I've never seen it, but—
Ew.
Doesn't seem right.
That doesn't come across from the trailer. In the trailer, he appears pretty nice and lovely, like the real Bob Ross.
So you're recommending this based on watching the trailer?
Well, I'm recommending it for you, Carole. I think you should investigate. And if our readers— readers? If our listeners want to watch it—
What is our medium?
If anyone out there has printed out this podcast, then they are welcome to watch it as well. Now, there is, though, a proper Netflix documentary about Bob Ross, which may be more up your street. That's called Bob Ross: Happy Accidents, Betrayal and Greed, in which I learned Bob Ross was a bit of a flirt and had a bit of an eye for the ladies. And you know that whole whispering thing? You know, it's like, "I just put a little bit of blue here."
That was a shtick, right?
Yes!
That was his shtick!
He did all that and it drove the women crazy.
He also left a family back home in Alaska and escaped to make his fortune on the mainland. I know that.
You're besmirching the name of Bob Ross. I don't know how I feel about that. You're kidding. He self-besmirched. Self-smirched.
You can find out all the scandal involving Bob and all the torrid affairs in this documentary, Bob Ross: Happy Accidents, Betrayal, and Greed. So if you are a fan of Bob Ross, go and check out the documentary and then think about whether you want to see this Owen Wilson comedy or not. And that is my pick of the week.
Thanks for the present.
That's all right. My pleasure. Happy to bring it to your attention. Maria, what's your pick of the week?
My pick of the week. I struggled with this one a lot because it's so predictably me, but I am going to have to give a plug for Star Trek: Picard Season 3. I know neither of you are gonna see it, I know it's not for you, but for listeners who are old school Next Generation fans and who tried to watch Picard season 1 and 2 and were like, "This is awful," I agree with you. Season 3 is fantastic though, and they righted all the wrongs. And you can just skip 1 and 2 and just watch season 3 and enjoy the hell out of it. It just finished, I'm not gonna spoil a damn thing, but if you were hurt by season 1 and 2, you said "I'm never watching this again," please watch season 3.
I have heard, I have heard season 3 is great. And the finale episode in particular is quite emotional for Star Trek devotees. Is that true, Maria?
I will not even pretend that I didn't cry. The final 2 episodes righted a lot of wrongs from the absolutely awful movies from the '90s that I remember leaving the movie theater and crying. That's how bad they were. That's how bad those movies were. They were basically just like, "You like Star Trek: The Next Generation?"
"We hate you."
And that's kind of how those movies felt watching them as a teen at the time. Really, the entire third season fixes everything. It is a nostalgia fest. I don't know if anyone who didn't grow up with the series would even care about it, but if you did and you loved the crew as much as I did, you will enjoy season 3 a lot.
Okay. We might have to do that because we did both grow up with that stuff.
You're slagging off the Next Generation movies. It's not as though all of the Original Series Star Trek movies were that good. There was the one Shatner directed where they're singing Kumbaya around the campfire.
A classic. Yeah.
Which was—
Who was that? Was that Search for Spock? I can't remember which one that was.
Yeah. Not all of them were. It was the new boy who directed that one.
Yeah.
Final Frontier, I think it was. I can't remember anyway now.
But yeah. I mean, the Original Series movies were— they had their flops as well. But I mean, TNG had, I think, I would argue the only good one, and good is really relative, was First Contact. And the rest of them, I would be happy if I never saw again. Yeah, yeah, they were all so bad. I saw them all in the movie theaters when they came out and literally was just like, why does the series hate its fans after a lot of those movies? Why do they hate us? And now, with this, with this conclusion to the Picard arc and the TNG arc, I feel like they fixed it, which felt really nice, frankly. So I really encourage people who like the show to watch it.
And where can people see Picard Series 3?
I'm in the US, so we have this streaming channel called Paramount Plus that I watch through Amazon. And then I know through Canada, I think they have Crave. And then UK, I know there's a different one. Google it. Google it. Paramount does this weird thing with rights around the world. It's not my fault. Don't yell at me. I'm not in charge of this. But yeah, Picard Series 3.
Fantastic. That sounds like it was— it does sound like it was a real love letter to Star Trek: Next Generation fans.
It truly, truly was. It truly was. I loved it. Yep.
Fantastic. Carole, what's your pick of the week?
Well, first I have to give an apology because last week in my pick of the week, I featured a series and I said the series was called Colin the Accountant. It is not. It is called Colin from Accounts. And I'm sorry, I screwed up. So, I just got a few messages about it. So, please accept my sincere apologies. Today, my pick of the week is The Diplomat, which exploded across my little slice of Netflix last week. Stars Keri Russell. Have you guys seen it?
I haven't, no.
I've seen it promo'd on my Netflix. I haven't watched it yet. Yeah. Yeah.
Okay. So, it stars, you know, Keri Russell, who I love, right? She was in The Americans, and I really liked that. Shelley is a London-based diplomat. And it's like a geopolitical drama, you know, a bit House of Cards-y, a bit Borgen. You know, basically, you have a lot of intrigue, backstabbing, and cat and mousing, all on an international scale, right? So that's when you mentioned France earlier, Graham, in your story. I was like, "This is the kind of thing." It's like suddenly we're in France, and suddenly we're back in London, and now we're in America. So, Keri Russell plays like an experienced diplomat who normally works in places like Kabul, you know, trouble zones. And she suddenly finds herself, due to some unforeseen circumstance, having to fill the vacant ambassadorship in the UK. And it's kind of like you have the American in London angle, you know, like, you meant trousers, ambassador, not pants.
I always love those, you know, they're hilarious. Yeah, yeah. Not tired of that at all. Not at all.
Anyway, I binged the whole thing. Saturday, I finished it Sunday. I watched it in two days, 8 episodes. It's written, it's tight, it's cute. It's a bit rom-commy, not rom-commy. It's got everything really. I liked it. I liked it. It's worth a gander. I think you guys will both enjoy it. Very cool. And that's why it's my pick of the week.
I'll have to check it out. It's in my queue, so I'll make sure to check it out.
Fantastic.
And if I hate it, I will tell you.
Yes, it'll be my fault. Nice.
And we're sure about the name, aren't we? We're sure.
The Diplomat.
A diplomat. Fantastic. Well, that just about wraps up the show for this week. Maria, I'm sure lots of our listeners would love to know what you're up to and where they can listen to you. What's the best way for folks to do that?
Oh my goodness. So my show, T-Minus Space Daily, you can look for it on any podcast platform that you choose. So T-Minus Space Daily, or you can go to space.n2k.com or just follow me on Twitter @emvarmazis or on Mastodon @. And you know, I'm talking about it there too. So yeah, my phone number is— yeah, here's my phone number and my home address. Please listen to my show.
It's my Strava account.
Actually, you can find me on Strava if you'd like.
Oh God.
And you can follow us on Twitter @smashingsecurity, no G, Twitter and Mastodon have G. Smashing Security is also on Mastodon. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Overcast.
And of course, big, big thank yous to this episode's sponsors, Kolide, hCaptcha, and Bitwarden. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship membership information, guest list, and the entire back catalog of more than 318 episodes, check out smashingsecurity.com.
Until next time, cheerio. Bye-bye.
Bye.
Bye.
Jaw. How are you doing?
You didn't lisp as far as I could tell.
Oh, good.
I couldn't tell. Really?
Right. So listeners, yesterday I had phase 2 of an incredibly uncomfortable root canal process for a chipped tooth.
How did it feel, Carole?
Oh, it's sore. It feels today like someone— like I got sucker punched last night. Yeah, it's just sore. It's not painful. There's no sharp pain. It's just sore. It's unbelievable though. Don't watch it on YouTube.
Well, no, who would? Who would look up root canal surgery on YouTube for fun?
If anyone—
I hope that Google, if anyone is looking that up, I hope they're passing on their details to the police. So who's this freak who's looking up root canal videos?
Carole, before her surgery, she was, what am I in for?
Well, I kind of thought it'd be responsible to do beforehand, but having now experienced it, I understand that that would have been an absolutely ridiculous idea.
Hosts: Graham Cluley, Carole Theriault.
Guest: Maria Varmazis.
Episode links:
- Finnish therapy clinic’s CEO fired after despicable data breach and blackmail threats – Graham Cluley.
- Lizard Squad Member: Why I Took Down Xbox and PlayStation – Sky News on YouTube.
- Hacker Charged With Extorting Online Psychotherapy Service – Krebs on Security.
- Finland’s Most-Wanted Hacker Nabbed in France – Krebs on Security.
- Ex-CEO of hacked therapy clinic sentenced for failing to protect patients’ session notes – Bitdefender.
- Hackers can find your home on Strava even if you use privacy settings, researchers find – Yahoo Sports.
- Iron Bianca hashtag on TikTok – TikTok.
- Investigators warn of fake suicide scams on social media platforms – MSN News.
- How did Iron Bianca die? Tribute Pours In As Tiktok Star Passed Away – PBK News.
- Spill-the-Tea-007 TikTok Channel – TikTok.
- Mike Bolhuis Private Investigator – Mike Bolhuis homepage.
- Paint trailer – YouTube.
- Bob Ross: Happy Accidents, Betrayal & Greed – Netflix.
- Star Trek: Picard – Paramount Plus.
- The Diplomat – Netflix.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Zero Trust for Okta. Watch a demo today!
- hCaptcha – hCaptcha Enterprise is the leading Security ML platform. hCaptcha adapts to detect and block even the most sophisticated attacks, keeping you ahead of evolving threats. Start your free trial today.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Excellent episode. Quote:
Graham: "He decided to hold his breath,"
Carole: "Well that wouldn't last long."
:-D :-D :-D
The Diplomat: I watched it myself. [EXPLETIVE] and I can't wait a year for the next season!!