Smashing Security podcast #322: When you buy a criminal’s phone, and paying for social media scams

Industry veterans, chatting about computer security and online privacy.


Personal information is going for a song, and the banks want social media sites to pay when their users get scammed.

All this and much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault

And he's probably in the meetings going, look, I really think you should probably pay it. I'm just thinking, you know, it makes sense, right? They'll go away. I don't want to make it put in there. Yeah, hush, hush. Tell my word.

Graham Cluley

Smashing Security. Episode 323. Botched Bitcoin Blackmail. I spoof. and Meta's billion dollar data bundle with Carole Theriault and Graham Cluley. Hello, hello and welcome to Smashing Security episode 323. My name's Graham Cluley. And I'm Carole Theriault. And Carole, who have we got in the hot seat this week joining us?

Carole

We have Zoe Rose of the Impostor Syndrome Network podcast. Hi, Zoe. Hey. Welcome back, Zoe.

Zoe Rose

That's lovely to be back.

Carole

Yeah, it's been a while. It's been a minute. It's been a minute. A minute. Yeah, I like that expression a lot. It's like saying, I haven't talked to you in ages.

Graham

Oh, is it? Oh, I see. Yeah. Fair enough. You could just say it's been an age.

Carole

It's been an age. I could say that too. It's been a while. Tell us about your podcast.

Zoe

Yeah, well, I co-host it. So more credit to my co-host because he probably does a lot more than I do.

Graham

It's important to give credits to your co-host, isn't it? Isn't it? That's what I've been told. I've heard that. I've heard that. Imposter Syndrome Network, what is it all about?

Zoe

Yeah, well, it's basically we're interviewing extremely successful people and talking about their journeys, their careers. It's technical careers. So it's anybody from security to engineering to I don't know anything you really want to do, developers as well. And yeah, we're just talking about why the bloody hell they're there, what they're doing and how they got there. And it's been really interesting because some really good advice has been shared about how to overcome, not just feeling an imposter, but also overcoming mistakes because that's probably been a huge part of my career is I've made slight errors that have been massive.

Carole

Who hasn't, though? Well, it's the best way to learn, from my opinion.

Zoe

Yeah, of course. If you've lived long enough, you haven't fallen flat on your face at least once. What's going on? What kind of shoes are you wearing?

Graham

I think the thing is, a lot of us, though, we look around us and we think, oh, those people aren't as idiotic as I am.

Zoe

But they are. And that's the best part.

Carole

I'm not sure there's many people that are more idiotic than Graham. I'm not sure.

Zoe

Degrees, degrees. But it's awesome because it's we'll interview somebody. And the entire time I've just sat there bloody hell, you're so amazing. And then they're talking about all these simple things that they've done wrong. And I'm just how is that possible? You're just so perfect. It's just really cool.

Graham

Well, listeners, go and check out the Impostor Syndrome Network podcast to hear more from Zoe and her co-host and her guests.

Carole

Yes. And let's get this podcast on the road. Before we kick off, let's thank this week's wonderful sponsors, Bitwarden, Collide and Centripetal. Their support help us give you this show for free. Now, coming up on today's show, Graham, what do you got?

Graham

I'm going to be talking about a bizarre Bitcoin blackmail plot.

Carole

Oh, nice alliteration. What about you, Zoe?

Zoe

I'm talking about Meta's exceptionally large fine for failing to follow GDPR.

Carole

And I'm going to talk about why you can't trust caller ID. All this and much more coming up on this episode of Smashing Security.

Graham

Now, chums, chums, I want to take you back to February 2018. That's where my story is going to begin. And it begins in the offices of an Oxford company, Carole, Oxford Biomedica, just down the road from you. Very swanky building, lots of glass. It's near your neck of the woods, Carole. If you know where Lidl is, near the big Tesco's.

Carole

I do know where Lidl is.

Graham

Right. Opposite Kennington Flooring. If you go down there. Oh, you know them as well?

Carole

All right. They did our floors.

Graham

Oh. There you go. Oxford Biomedica. They are a gene and cell therapy firm. They worked on Parkinson's disease. They partnered with Microsoft to use their AI and machine learning to work on treatments for a large number of sicknesses. And perhaps most famously, they manufactured a vaccine for COVID-19, Oxford Biomedica. That's right. And well, way back, 27th of February, 2018, actually, they suffered a cyber attack. What happened was a hacker accessed their systems and senior members of the company received a ransom demand from the attacker. Right. Nothing that unusual, really. The kind of thing that happens all the time, right, Zoe?

Zoe

Well, it happens more than you hear about, to be fair. Yes, exactly. As far as I've been able to work out, Oxford Biomedica never went public about this particular attack. I did search and it doesn't look they ever actually admitted it. But anyway, it's now come out into the open because of the story I'm about to tell you.

Carole

Get them to go away.

Graham

Exactly. Shh, shh, shh. Here you are. Here's the money. We're busy here. Clear off, clear off. Why don't you?

Zoe

I mean, that's better than pretending it was a security researcher for a bug bounty, isn't it? Oh, yeah, exactly. Don't take the Uber route. Don't do that. Well, what they decided to do was they brought in the IT boffins. So they have people, obviously, inside their company, IT experts. And they said, look, we've received this email, slightly worrying. Have we been hacked? What should we do? And so they brought in the geeks inside the company, which included a 23-year-old IT security analyst called Ashley Lyles. Security analyst. And Ashley and his, I guess it just means he worked on the IT security team. You know, analyst is one of those sort of names, isn't it?

Carole

And they did this on the QT, right? Is this Ashley guy who was under NDA to do it on the hush hush?

Graham

Well, Ashley is just one of the employees.

Carole

Oh, right. Sorry, sorry, sorry. I thought he was a consultant brought in.

Graham

Oh, no, no, no. He's working for Oxford Biomedica. He's on the staff.

Zoe

I feel I know where the story is going because I'm excited.

Carole

I feel for Ashley right now. I think.

Zoe

You think? I don't think so. I feel you're uncovering.

Carole

I'm gonna believe in them until proven.

Graham

Quite right, Carole. Quite right. I like your attitude. Zoe, you're just so cynical.

Zoe

But it's an interesting story and interesting stories always have a not so ethical situation. So I feel I know where it's going.

Graham

All right. Come on. I'm excited, though. Can everyone just calm down, right? I'm telling you the story. Here we go. Right, so Ashley and his colleagues are looking into the incident. They've got the blackmail email. They've got the communications which are going on. They're trying to work out, have we been compromised? Has any data been taken? They're working alongside the police. The thing is, Ashley's company, Oxford Biomedica, and his colleagues and the cops didn't know that Ashley had plans of his own.

Carole

Oh, darn it. It's not to give it to charity, right?

Zoe

The giveaway was that they were actually named because you're saying Ashley and colleagues.

Graham

The fact that I'd named an individual. You're so clever, Zoe.

Zoe

No, I'm just a little bit suspicious.

Zoe

It's watching an Agatha Christie. If you have a... It's not going to be the extra who hasn't got a name. You know, it's going to be someone with a name. You're absolutely right. Special guest star. Right. Okay. It was the typical kind of ransom email, right, which just says, pay us or you're toast, just pay X hundred thousand pounds worth of Bitcoin into this cryptocurrency wallet. And maybe you can understand why an IT guy inside your company would want to see that email, maybe want to access the member of staff's email account with their permission once or twice to see what the hacker had demanded, if there were any follow up emails, etc. That, I think, would be understandable. Oh, yeah. Doesn't have a good memory.

Graham

And what's more, he took the original blackmail email, stored on their email server, and he changed it. He changed the account numbers. The ransom demand, which included a Bitcoin wallet.

Carole

Can you just send it to Barclays?

Graham

He changed it so it was a different Bitcoin wallet where the money had to be sent. Invoice redirection.

Carole

I kind of admire Ashley. I do. I love the, this is going to work. This is going to work.

Zoe

Who's going to find out? Business email compromise, you know. He's Dexter, man. He's on both sides.

Graham

You see, when I heard that he'd changed the ransom email, I thought it would change the demand. So he'd say something, please, can we eat doughnuts again in the office? Or can the toilet paper be approved in the blues?

Carole

Can we not get fired if we photograph our butts on the photocopy machine?

Graham

Don't serve fish on Fridays. It makes the whole office stink. You could, all kinds of things, you could put in the ransom demand for a bit of fun. But no, he changed the Bitcoin wallet address to which the ransom should be paid.

Carole

And so he's playing the game. Are they going to pay it? Are they not going to pay it? And he's probably in the meetings going, look, I really think you should probably pay it. I'm just thinking, you know, it makes sense, right? They'll go away. I don't want to make it from there. Hush, hush. Tell no one.

Zoe

And also, who's going to believe the criminal? The cyber criminal is, you didn't pay it. It's, yeah, we did. We have proof.

Graham

Poor old criminals are going to feel they've been defrauded. They say, hang on, hang on a minute. Meanwhile,

Carole

He's flying out of there. Sayonara. That's brilliant.

Graham

So he changed the crypto wallet address. Brilliant. So he would end up with the cash if the company decided to pay.

Carole

Well, I guessed that. I didn't think you would. I would watch this movie. I'm just saying, anyone out there who's a movie writer, this is a good one.

Graham

Furthermore, he created an almost identical email address to the one which was used by the original hacker, and he began to email his employers at Oxford Biomedica, pressurizing them to pay the money. It was just sort of applying the thumbscrews, going, you know, your data is going to get leaked, you know.

Carole

Do you think people that work there that would get these emails are pretty smart, might have spotted the little, you know.

Graham

Well, no, they were leaving it with the IT security team. The board member wouldn't notice.

Carole

Oh, that's true. He'd bring it down to IT and go, this is weird. And he'd go, no, no, no, that's perfectly normal. That happens all the time, Ashley would say. He basically has an argument with himself.

Graham

Yes. He arrives on Ashley's desk and he says, no, this looks legit. It looks like it's from a hacker to me. Great story, Graham. So police officers from Southeast Regional Organised Crime Unit, the cybercrime unit there, they identified that someone had been accessing the board member's email, traced the hack back to Lyles' home address, presumably his IP address, which makes me think he didn't cover his tracks properly. It's unclear whether he's using a VPN or not.

Zoe

Well, let's be honest, though. Security and IT are different things. And then also, even in security, operational security and, you know, those are different paths. So I could understand he maybe didn't think of all of the solutions.

Graham

And it takes one time, right? Yeah, you only have to goof once. Anyway, the police, they grabbed his computer, laptop and phone and a USB stick to analyse them. Now, apparently Ashley Lyles had realised the police investigation was heating up. So a few days before he was raided. Can you imagine how he felt? So he wiped all the data from his devices.

Carole

And you'd be snapping at everybody. Shut up.

Zoe

I mean, I think this guy, it's quite genius. But I do actually feel bad for him. I know that's silly because, you know, obviously.

Graham

He's 23. He was young at the time. He was 23.

Zoe

I mean, technically his brain is fully developed because that's like 21, isn't it?

Carole

He might never have thought about doing this unless the hackers did it in the first instance. And he just got on the train and thought. Opportunistic, I think. Yeah, opportunistic. Exactly what he should put in his CV.

Graham

So he tried to delete the data before the police got there. And he did zap the data, but apparently he didn't do it very securely. So that's his mistake number two. There's another skill set as well. Yeah, empty trash doesn't always work, right? So he'd failed to properly wipe the data. He needs to upskill. Yeah. Put that on his CV, training required. So the cops were able to recover his data. Anyway, back in 2018, he denied any involvement. It's taken forever to go through the courts. He asked for £300,000 ransom. He was denying everything until this week at Reading Crown Court. He did finally plead guilty and he is due to be sentenced, I think, in July.

Zoe

If I was a juror, I would have loved this case. I would have loved it.

Graham

Well, they could have called on you, Carole. You are local. You could have gone down there. Yes. You know, shared your expertise.

Zoe

This would have been awesome.

Graham

If you were popping down to Lidl or Kennington Flooring, you could have just popped over the road. Zoe, what are you going to talk to us about this week?

Zoe

My story is about Meta and we all know that social media is not really well known for privacy practices, but Meta decided somewhere in their processes that if people signed standard contractual clauses, apparently is the term. But people signed it, the consumers of Facebook specifically, this fine is related to Facebook, then they can transfer the data from the EU to the US. And it was since the 16th of July 2020. So at the time, they had the whole agreement with transfer data between US and EU. But obviously, that was recently decided that wasn't good enough. But they were still sending massive amounts of data consistently from the EU to the US because people signed those clauses and they're like it's okay.

Graham

So the users are agreeing to the terms and conditions is that what you're saying?

Zoe

Essentially yeah, you sign up for Facebook, you say you know you accept their policy, whatever the terms and conditions that nobody reads including myself. Well no that's not true, there are privacy people that do actually read these things, they are excellent people like me, Carole Theriault exactly. Not something I'm good at but you know.

Graham

Carole does it for us so we don't have to.

Zoe

And that's why we love you.

Carole

I just like looking to see what they try and hide in them. It's a weird hobby.

Zoe

Things they tried to hide I suppose. So the argument's really interesting so basically you're saying inside the EU privacy notice they're saying yeah yeah we transfer data to and back from the states, we've got an agreement cool, cool, cool. And then when you sign it, you've effectively agreed to it. And that's what they're using as their argument.

Carole

And that's what they're using as their argument.

Zoe

Essentially, yeah, because it's just the way that they're processing the data. So in organizations, you know, you send data to wherever you store your data, and you process it or whatever, and it makes sense. The problem is, they did the EU data in America, which you're not allowed to do without having appropriate protections. And I think the reason it was that the American agreement or whatever was declined essentially is because they didn't have appropriate protections protecting European data from the spy agencies or something oh the intelligence

Graham

Agencies yeah intelligence surveillance yeah yeah

Zoe

That's why it was declined or whatever but the thing is because they did this on a consistent process and it's essentially all the data like it's a massive amount of data they are being issued with, or they've been issued with, the largest GDPR fine ever. How much is it? 1.2 billion euros.

Graham

It's a lot of money.

Zoe

It's a lot of money. I mean, let's be honest, how likely are they actually going to pay that amount? I don't know. This

Graham

Does feel like a good opportunity to have an enormous party. We should stop the podcast right now just because the thought of Facebook possibly having to pay over a billion dollars is rather wonderful, isn't it?

Zoe

But let's look at that, though. I looked at another article, and it says, the 25th of May will be the fifth anniversary of GDPR, blah, blah, blah. Privacy Affairs has tracked the fines, and all 1,701 of them for a grand total of over $4 billion. Meta accounts for 50% of all GDPR fines. Wow. 50%. Yeah. Yeah. They are keeping EU running.

Graham

Well, the GDPR fines, as I recall, it can be based upon how much money your company makes, can't it?

Carole

I think it's like, don't quote me, I think it's 4% of the annual turnover. I think you're right. I think

Zoe

That sounds right. I believe, I could be wrong, but I believe they chose to do the full amount that they can actually owe. And I feel like this probably has something to do with the fact that they've been fined multiple times. So I think they've just been like, bloody hell, like, I'm done. I'm done. Just bloody pay us because we're, you know. But here's the other part that I found really interesting. It wasn't just that they have to pay a fine. It's also that they have to become compliant. So it says, yeah, so actually, if you follow Privacy Matters on Twitter, he's a lovely man and he clarifies a lot of privacy issues and concerns and, like, news. I found him so interesting. But so he's highlighted on his Twitter the three demands. Essentially, they require Meta Ireland to suspend any future transfers of personal data to the U.S. within a period of five months. That might sound long. That is not long. I remember when we had a year to prepare for GDPR and there were people, there were organizations that were like, within this year, we won't even know if we're able to be compliant. But they've got to do this in five months. And then they've got that 1.2 billion euro fine, which is quite exceptional. And then also, they have to bring its processing operations into compliance with Chapter 5 of the GDPR by ceasing any unlawful processing, including storage in the US, of personal data of EU/EEA users within six months. So in the next five to six months, they have to have a massive, massive digital transformation. They also have to pay an exceptional fee.

Carole

But you know what? I'm just looking here. Apparently, in 2022, Facebook's ad revenues hit $135.9 billion. It's still a hefty fine, though, Carole. It's

Zoe

A hefty fine. And it's

Graham

All the upheaval caused by trying to fix this to try and become compliant is going to be a challenge.

Zoe

Business process, right? And they have to change their entire business process, which, as we know, is very difficult to do, especially at that scale. What's wrong they haven't

Carole

Had, like, years of warning that this might come? Oh, no, no. And this is

Zoe

Why when they changed the name to Meta, I thought it was absolutely hilarious because when I think of Meta, I think of Metadata, which is like, hey, we've got all your data. I think they claimed it was beyond, beyond advertising. But I was like, no, no, no, It's the data, but whatever. But I think the other interesting thing is not only is this a scary big thing that's going to happen for them, but also, is this setting a precedent? Are other organisations going to be less likely to want to transfer? Do you want to deal with EU data or are they going to be more cautious, hopefully? Because the risk of misalignment is quite an exceptional find.

Graham

I also wonder whether, I mean, a company like Facebook will have employees all based around the world sort of helping their users in different areas and working on the data. And maybe we're going to begin to see more silos of people dotted around different parts of the world rather than just in one single place. So the data doesn't have to be moved to that part of the world in order to do some work. But

Zoe

Here's the thing, Graham, that I don't understand is we had these conversations when GDPR was coming out. Exactly. And there were so many discussions about, oh, where is our data centres? Do we have them, you know, not just do we have them in different locations for resilience, but also do we have EU specific, you know, when we go to get contracts with third parties, do they keep their data in EU? Like, this is not new.

Graham

No, no, that's true. But they're Facebook, they probably think they're above the law. This is just embarrassing.

Carole

Yeah, and how much money did they make by not following the law for the last four years? And

Zoe

How many situations have they caused? How many political, how many not so ethical situations have been associated with Facebook in general? It's almost like, well, is it really financially worth it to care?

Carole

Whoa, sorry Zoe. Are you saying we shouldn't trust Facebook? What? Seriously? Come on. What the hell's going on?

Graham

And now a word from our sponsors, Facebook. Do apologise about Zoe.

Zoe

We're not having her back.

Graham

Carole, what have you got for us this week? Well, I just wanted to talk about life as a hacker because it can't be easy, right? The poor little sausages, stressful. You've got to lie and cheat. You've got to love up lonely grannies. I did turn on the dishwasher today. I'd just like to tell everyone that. Did you tell anyone? No, there was no one else here to tell. I'm telling you. I'm telling all the listeners.

Carole

All the listeners. But you see, your typical hacker, they can't go around showing off, right? They have to say schtum. Because if the information gets into the wrong hands, they've got to say sayonara to their big fat bank accounts, their big houses, their yachts, golden slippers.

Zoe

I mean, how many malicious actors were caught because they were bragging?

Carole

But there must be many, many that are smarter than that and stay schtum. So if anonymity is key, you might be tempted by a service that claims to guarantee that for you, ensuring that if the authorities got wind of a cyber heist, you know, they would have no idea who was behind the crime. A privacy service for the hackers. Excellent. And this is how sites like iSpoof.cc fill a very necessary business gap. Now, we spoke about iSpoof.cc in our 300th episode, but I wanted to revisit the story because there's been some very interesting news that broke only this week. So to recap, this is an underground website created in 2020 that sold spoofing services to ne'er-do-wells, you know, people that want to pretend they're someone else. And the business model was very simple. You know, for a handsome fee, iSpoof would allow its users to display a false caller ID, okay, one that matched the services they are pretending to be, which were normally banks. So, were you to get one of these calls, they say they were from your bank, saying that maybe there was suspicious activity on your account, and you wisely would look at the caller ID number and say, oh my God, that is correct, that is my bank. You'd be inclined to think the call is legitimate and provide any information they requested, right?

Graham

Absolutely. If it's a spoofed number, if my phone tells me it's you calling, Carole, then I expect to hear your voice at the other end.

Carole

You'll go, what up, asshole?

Graham

Yeah. Well, that's how I would tell it was you rather than someone pretending to be you.

Carole

No, I was saying that's what you would answer.

Graham

Oh, I see. Oh, yes. That's right. And I don't want to upset a fraudster who's pretending to be you. So, yes. Anyway, yes, you're absolutely right. If you spoof someone's phone number, then it's a large part of the social engineering you've already got.

Zoe

I think it's important to note that it's actually not difficult to do. So if you do trust by default for people that aren't aware, don't do that. I was going to say something witty, but I couldn't.

Carole

Yeah, but it's one of those things, though, that somehow, even though you know that you would, you know.

Zoe

It does give the caller a sense of authority. It's just like showing up with a business card, you know. I might have printed it at home with my fancy printer but it doesn't actually mean anything.

Carole

Yeah. Now iSpoof, what made them particularly successful is they didn't just focus on a single geography. This operation was global, baby, right? At its peak it had almost 60,000 users who paid up to five grand a month in Bitcoin to access the software.

Zoe

Could you imagine how much they made though if they're paying that much a month?

Carole

It's incredible. iSpoof was reportedly used to make 10 million fraudulent calls worldwide. 40% were in the US and 35% in the UK. And at one point they say as many as 20 people every minute were being targeted by callers using technology bought from the iSpoof website. So, big deal, right? And they say that the iSpoof service is said to have helped fraudsters nab around 100 million from victims all around the world. Now, in 2021 and 2022, it was part of an investigation by numerous law enforcement agencies. We talked about this bit in episode 300. You can go listen to that. It was shut down in November 2022 as a result of Operation Elaborate, that was the name. And this was a multi-agency investigation. So, you had the Met, the Netherlands Police, Europol, and Eurojust. But what happened to iSpoof.cc ringleader TJ Fletcher, right? Because he got arrested as part of this.

Graham

Not TJ Hooker. TJ Fletcher. Okay, it wasn't Shatner. It wasn't William Shatner who was behind this. No, it wasn't Shatner. But he was found guilty for running this complex banking scam in the UK courts, and just a few days ago he was sentenced to 13 years in prison.

Zoe

See, I thought it seemed like a long time in the UK. Okay, yeah that does seem, not for the UK, yeah. Can I guess what the unusual thing was? Was he also hit by a GDPR fine? Let's call the Irish commissioner, get them on the phone.

Graham

Yeah, why not? Sorry, Carole, carry on. Tell me more about TJ Fletcher.

Carole

But what makes it unusual, though, is that the thousands who lost money through all these sophisticated scams were not direct victims of Fletcher or his junior partners.

Zoe

But he did create the opportunity.

Graham

Oh, so I manufactured a hammer, Zoe, and other people chose to take the hammer and smash people's windows. Are you going to imprison me?

Zoe

To me, that's a little bit different, though, because you're not advertising your hammer as effective murdering devices.

Graham

No, not necessarily, but it could be a device for maybe, you know, if you wanted to bruise a pineapple or something like that, or if you wanted to crack a coconut in half. There's all kinds of ways of presenting it, I suppose.

Zoe

That's true, it is a slippery slope. You do make a good point because it is a slippery slope. iSpoof could be advertised as a practical joke service where you call up people claiming to be their auntie. Or training, yes.

Carole

Yeah.

Zoe

Or it could also be privacy. You don't want people to know who you are or what your number is.

Graham

Yes, that's also possible. If I'd be prepared to pay £5,000 worth of Bitcoin a month for such a practical joke facility.

Carole

The prosecution described the business setup. They were effectively luring criminals into the service, is what they were accused of.

Zoe

They were manipulating criminals to be criminals. Naughty.

Graham

So it was really the copywriters that iSpoof hired who wrote the content for the web pages. It's not this poor TJ Fletcher guy who was just too busy running his site and didn't realise what the marketing people had written on some of the web pages. I should have been on his defence team. Oh, really, I could have got him off this. Objection, Your Honour. I mean, you do make a slightly interesting point, though, because... Slightly interesting, slightly interesting. Oh, thank you, I didn't say overly. Yeah, you see? You see, that's deep, that's deep, Zoe. It's not appropriate for this podcast, this kind of depth of thinking. I think we've broke the show.

Carole

Yes, let's move on. Smashing Security listeners, did you know that Bitwarden is the only open source cross platform password manager that can be used at home, on the go, or at work? Bitwarden's password manager securely stores credentials spanning across personal and business worlds. And every Bitwarden account begins with the creation of a personal vault, which allows you to store all your personal credentials. These are unique and secure passwords for every single account you access. And it's easy to set up, it's easy to use. I honestly love Bitwarden, I use it at home, use it at work, use it on the go. Get started with a free trial of a Teams or Enterprise plan at bitwarden.com/smashing. Or you can even try it for free across devices as an individual user. Check it out at bitwarden.com/smashing. And thanks to Bitwarden for sponsoring the show.

Graham

Now there's some big news from our sponsor, Kolide. Kolide, if you are an Okta user, they can get your entire fleet up to 100% compliance. How do they do that, you're asking yourself? Well, if a device isn't compliant, the user can't log in to your cloud apps until they fix the problem. It's that simple. Kolide patches one of the major holes in zero-trust architecture, which is device compliance. Without Kolide, IT struggles to solve basic problems keeping everyone's OS and browser up to date. Unsecured devices are logging into your company's apps because there's nothing there to stop them. Kolide is the only device trust solution that enforces compliance as part of authentication, and it's built to work seamlessly with Okta. The moment Kolide's agent detects a problem, it alerts the user and gives them instructions on how to fix it. If they don't fix the problem within a set time, they are blocked. Kolide means fewer support tickets, less frustration, and most importantly, 100% fleet compliance. Visit kolide.com/smashing to learn more or to book a demo. That's K-O-L-I-D-E dot com slash smashing.

Carole

Smashing Security is also brought to you by Centripetal. Centripetal is the global leader in intelligence-powered cybersecurity. The company operationalizes the world's largest collection of threat intelligence in real time to protect your company from every known cyber threat. Now available as a cloud-based deployment, Centripetal's Clean Internet Service is a revolutionary approach to defending your assets from cyber threats by leveraging dynamic threat intelligence on a mass scale. The addition of AWS Clean Internet Cloud protects your enterprise, whether on premise, remote or in the cloud, removing the need for a more costly cybersecurity infrastructure. Learn more about Centripetal's intelligence powered cybersecurity solutions at smashingsecurity.com slash centripetal. That's C-E-N-T-R-I-P-E-T-A-L. And thanks to Centripetal for sponsoring the show. And welcome back. Can you join us at our favorite part of the show?

Zoe

is the shortest documentary I've ever heard of. It's

Graham

a micro documentary. And why not? Why not? I think, you know, we're all busy. Yeah. If that contains the whole story, then it's wonderful. The documentary is called John Was Trying to Contact Aliens. What a gloriously interesting title. This is a documentary on Netflix about an electronics whiz called John Shepard. And he spent 30 years of his life all on his own, not really making any friends, poor chap, trying to find extraterrestrial life from his cottage in rural Michigan. What do you mean, poor guy? I think he probably had the time of his life. Well, he was trying to make, he was doing his bit. That's what he was into. From a young age, he was interested in contact and extraterrestrial life. And unlike the rest of us who, I don't know, may have filled up a balloon with helium and thought maybe it'll get through the atmosphere, or how about I write a really large word in the crop circle, he actually built transmitters. Enormous amounts of electronic wizardry, which began to dominate his grandparents' sitting room. In the documentary, you begin to see pictures of the grandparents sort of sat in front of the TV, you know, on a typical evening. And they're just surrounded by all this electronics and this bearded guy. And he's playing jazz. He's playing world music into space. I think I'd like him. Yeah. Right. Incredible array of electronics. And then he gets really serious and thinks, I have to take this up a notch, because just going a bit past the moon with my transmissions isn't going to be powerful enough. I need to send them further. Now, this documentary isn't really about aliens. It's actually about love. And I'm not going to give away everything which happens in the documentary because it is only 16 minutes long.

Carole

Yeah, you've been talking for five. It's the third through.

Graham

And, but it's a heartwarming, lovely documentary which I'd recommend to everyone. It's called John Was Trying to Contact Aliens, and I really enjoyed it, and so I wanted to share it with you two and all of our gorgeous listeners today, and it is my pick of the week. Sounds great. So, Zoe, what's your pick of the week?

Zoe

Yeah, my pick of the week is, I wanted to highlight things that have helped me with insomnia. Yeah, well, I had really severe insomnia for many, many years, exceptionally bad, where I would only sleep two hours at a time. And then now I'm a mum and sleeping is vital, but also not very readily available. So I figured here's some ideas that I've had that have worked for me in the past. Mind you, if it is really severe, I would still recommend seeing a doctor, going to your GP. But yeah, so one of the ones that I, the most important thing for me was eye covers, and I know that sounds really silly, but

Carole

You mean an eye mask? Yeah, yeah, yeah. Right.

Zoe

Right, yeah, because I've bought many and I've always found them very rubbish and then I was feeling I don't know, silly I guess, and ended up spending probably more than I expected that I would spend on an eye mask. I think it was like...

Carole

How much did you spend? Sorry, it

Zoe

wasn't crazy, but it was like, I think the one I bought was probably just shy of 30 euro or pounds because I was in the UK at the time. Quite expensive. But I did add a link because I think that one wasn't quite that much. And I don't know if that's the exact model I have, but it's similar. It looks similar to the one I have.

Graham

Okay, so we're going to put a link in the show notes where people can check out your eye mask or something similar to your eye mask?

Zoe

Yeah, similar. And I actually noticed it made a huge, huge impact because it was also a routine. It was not just that I put the mask on and I went to sleep. That didn't happen. But I put the mask on and I didn't look at my phone because I have my mask on. And if I do that, I have to take it off. And I didn't look around the room. It made me focus, forced me to focus. It's like going into those... What is it called where you reduce the senses? What is it?

Graham

Or like an isolation tank. Sensory deprivation.

Zoe

Yeah, that's the word, term. It's not to the extreme. Obviously, you could still hear and everything. But it forced me to be in the dark, and it was this routine that, when I started to get a bit tired, I put it on, and it required me not to do anything, because I have a very short attention span and I'm not so good at that. So it had a huge impact on my sleeping quality, which has been great. But for people that do not like textures or certain things on their face, which I understand... I'm very picky about materials. There's also the option of blackout curtains. And if you rent, like me, you don't want to install them, and you don't really usually have the money to buy really fancy curtains anyway. And so what I found is suction cup based blackout blinds. So it's basically blackout material, but they suction cup to your window so that you can remove them. So they're good for travel. They're good for a variety of sizes of room because you can suction them. And then they also have Velcro to reduce the size if you need to. They're not perfect, but it does make your room quite a bit darker, because you put it on there and then you put your curtains that you do have over. Quite helpful.

Carole

I just learned about these things because I have a friend who has a slopey roof, like a window. What's it called? A Velux window. And one of their kids sleeps in that room. And now the sun's out all the time. But getting a blind in that shape was super expensive. So I was just suction cups. And we looked it up and there they were. So yeah, no, really cool. Makes such a smart idea.

Zoe

Making the room darker specifically was what made a huge benefit to me. The suction cup solution was interesting.

Graham

I fall asleep listening to podcasts. If I can't sleep, I just put on a podcast. I literally will fall asleep within probably five minutes.

Zoe

Well, I'm not a fan of you right now.

Graham

I'm not saying your podcast, Zoe.

Zoe

No, I'm just jealous.

Graham

Carole, what's your pick of the week?

Carole

Well, I'm making Netflix's Jewish Matchmaking my pick of the week. So last week I had a lot of mundane tasks to do, you know, like signing stuff, putting things in bags, all kinds of... because I was doing this little art thing. And I needed something that was good, but not great. Right? So

Graham

this is a good but not great pick of the week.

Carole

Sometimes you need that in life. You know, you need something that's kind of interesting, but not fascinating.

Zoe

I 100% understand. I need the background noise.

Carole

Exactly. It's a background noise thing that you want to look up occasionally and kind of go, "huh." And that's about it. So I'm not a reality TV... No, I don't have much knowledge of this area. But, you know, occasionally I binge a bit like, you know, Doritos. You know, sometimes you just need to have a few cool ranchers. So I was talking to my friend telling him that I needed something like this. And he said, try this show. He said, all his friends, all his Jewish friends love it, right? So, you know, typical reality show. You have all these beautiful people who say they're looking for love or looking to start a family. And they hit up our Aleeza Ben Shalom. She's our very Jewish matchmaker queen to find them the perfect person. And so a typical scene will be Aleeza's talking to her 30-year-old client Ori about the date she sent him on with a gorgeous, vivacious, intelligent, brown-eyed brunette Israeli Jewish actor who spoke Hebrew. Okay. And how did it go? Meh, says Ori. She wasn't the gorgeous, vivacious, intelligent, blue-eyed, blonde Israeli Jewish woman who spoke Hebrew that he requested, was she?

Graham

He also requested big boobs as well, didn't he? I've watched this, Carole. When I saw that you were going to recommend this, I've actually spent this afternoon watching a couple of episodes of this in readiness for the recording. So what do you think? Do you understand what I mean? I know what you mean about it being casual wallpaper TV. It's not entirely gripping. And some of these people are horrendous. I liked the very first woman on it because she was looking for a man with strong eyebrows.

Carole

She had beautiful eyebrows. She was, "my eyebrows are beautiful. And I would like someone who has beautiful eyebrows too."

Graham

Strong eyebrows. Strong eyebrows. Someone out there for me.

Zoe

I can relate to her because I do not have strong eyebrows. And I actually despise my eyebrows. They're white. So I have to draw them on.

Graham

You can always get a Sharpie.

Zoe

Not really. That would look kind of ridiculous. But also, my daughter has white eyebrows and I feel very guilty for passing that down to her.

Carole

You should. You totally should. Yeah, that's awful. You should. That's totally your fault.

Graham

Terrible mother.

Zoe

I'm saving up for her to get as many tattooed eyebrows as she wants. That is my requirement.

Carole

Well, look, while you're pondering that, maybe you want to check out Jewish Matchmaking. You're on Netflix. Guardian gave it three out of five. I think I'd agree.

Graham

Well, that just about wraps up the show for this week. Zoe, I'm sure lots of our listeners would like to follow you online and find out what you're up to. What's the best way for folks to do that?

Zoe

We've got Twitter, which I'm rosecops, and then Mastodon, which I'm rosec.techfielddane.net.

Carole

You can use the Morse code. Smoke signals.

Zoe

Yeah, you could try that. I probably won't see it, but you could try.

Graham

And you can follow us on Twitter at smashingsecurity. Security, no G, Twitter, no G, and there's also a Smashing Security Mastodon account. And make sure never to miss another episode. Follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify and Overcast.

Carole

And huge shout out to this episode's sponsors at Kolide, Centripetal and Bitwarden, and of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list and the entire back catalogue of more than three hundred and twenty-two episodes, check out smashingsecurity.com.

Graham

Until next time, cheerio. Bye. Bye. Bye, Rose. Sorry, Zoe Rose. Hey Rose, why aren't you saying goodbye to the audience? What's your problem, Rose?

Zoe

Cheers.

Graham

Yeah, that'll do. It's polite. I'm so bad at goodbyes. Thank you. Thank you.

Hosts:

Graham Cluley:

Carole Theriault:

Episode links:

Sponsored by:

  • Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Zero Trust for Okta. Watch a demo today!
  • Outpost24 – Understand your shadow IT risk with a free attack surface analysis.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
