
Deepfakes are being used for good (perhaps), common usernames could pose a security threat, and someone has paid a $500,000 fee… just to send $1,865.
Oh, and our guest mentions Mr Blobby (to the horror of the show’s hosts…)
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire’s Dave Bittner.
Warning: This podcast may contain nuts, adult themes, and rude language.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
And you think well hang on even though we're booking online and surely this is more cost effective for you than having a real person take my order over in person on the telephone I'm gonna have to pay several pounds more per ticket to go and see some god-awful superhero.
You realize that we're on the show right now this is not just a conversation of you calling me up and having a whinge. You know that. ANNOUNCER/INTRO. Smashing Security, episode 339. Bitcoin Boo Boo, deep fakes for good, and time to say goodbye to usernames, with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, episode 339. My name's Graham Cluley. And I'm Carole Theriault. And I'm delighted to say that we are joined today in the hot seat by someone whose reputation stands before him. What does that mean? Someone whose long, long career in the world of security podcasting knows no equal. It is, of course, the CyberWire's Dave Bittner. Hello, Dave.
Well, I don't know how to follow up an introduction like that, so I'll just say thank you for having me. It's a pleasure to have you, Dave. It's nice to be back. Because we had a quiet summer. It was just the Graham and Carole show during August, wasn't it?
When are they going to get a guest back on?
But before we kick off this show, let's thank this week's wonderful sponsors, Kolide, Moonlock by MacPaw and Gigamon. It's their support that helps give you this show for free. Now, coming up on today's show, Graham, what do you got? I'm going to be talking about paying unnecessary additional fees. And what about you, Dave?
I'm going to say you'll catch more flies with honeypots than vinegar.
And I'm going to examine whether deepfakes can be good. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, I don't know about you, Dave. I don't know about you, Carole, but I hate paying a little bit extra. I like a good deal. I like shoving it to the man and thinking that I have got a way ahead.
Okay. Agreed. Sure. Yeah. You're thrifty. Well, cheap. There's two words here, Graham, right? There's frugal and there's cheap, right?
I just don't want to pay any additional expense.
Right. You don't want to give anyone anything extra, just the exact requirement. Let me tell you what happened to me. How do you tip people?
Let's not get into that.
I know how you tip people. Very generously. Very generously. Let me give you an example. The other day, I picked up someone from the airport, right? I went to Gatwick Airport. Oh, my God, what a drive. Anyway, you eventually get to Gatwick Airport. All I want to do is just pick them up, right? They're there. They're there. So I think, where do I go? I would feel a bit annoyed. You see, I'd be thinking if I haven't gone in the right place, they're probably going to charge me.
Maybe it wasn't very clearly signposted.
Yes, okay. You have small eyes. We've established that before.
I'm sure it was their fault.
Yeah, it was definitely their fault. Another example. Another example. I decided, I've moved house recently, I decided that the current washing machine is rubbish. And so I need a new washing machine. So I go on the review sites, I found a short list of good washing machines. I found what I wanted. And then I tried to find the best price for it online. Oh, they were offering to take it upstairs, were they? And you had to redirect them.
Would I like it unpacked, it says it. Yes, I would like it unpacked. And silly old me, despite requesting all of these things when I was going through the order.
You didn't see that it added money to your end number.
No, I did. I thought, OK, begrudgingly, I will tick those boxes. Begrudgingly is the word. Well, and one of the things which I forgot, which didn't appear to me when I was checking out, but only when they called me up afterwards to find out, well, why are you changing your washing machine? What was wrong with the past washing machine, all these questions. None of their business, right? They said, so, you know, you want your washing machine delivered? Well, yes, I want my washing machine delivered. I'm not going to travel to the Outer Hebrides to pick it up. Oh, you didn't want to give them your address, though. No, I gave them my address when I was built and everything else. Turned out I hadn't ticked the box for delivery. So that's an extra 30 quid, not for quick delivery. That's just for any kind of delivery. So now I'm getting close to the price that the other people were going to charge me who weren't going to add all these on at the end. And so I thought I've now got it all sorted, right? I've got the new washing machine unpacked. It's been the old one can be removed and recycled. And yes, I've even dared to ask for it to actually be delivered to my place of residence. But what I've forgotten to do is say to them, oh, would you also mind uninstalling the old washing machine and plumbing in the new one? Because it's an integrated washing machine, right? Extra cost of that 130 quid.
So I've got the hump now, right? Did you involve any other adult in this process? Because all you do is get yourself in a big tizzy thinking everyone's ripping you off and you just sound like a whiner. We've been going for eight minutes so far. I got the hump, I cancelled my order, right? And so I ended up going online to go to my usual retailer and I actually ended up buying a much more expensive washing machine than I had originally planned. But I felt vindicated that I'd got everything I wanted. You've been living under a rock for the last decade and haven't encountered these.
This is what I'm fed up with. If you want to take luggage which is larger than a bum bag with you.
Don't go on a budget airline then. Well, yes, exactly. But you've been lured in, haven't you? You've been lured in by the low cost. You didn't realise that if you wanted to use the lavatory, oh, you want oxygen on this plane at 30,000 feet, that's going to cost you extra as well. You realize that we're on the show right now. This is not just a conversation of you calling me up and having a whinge. You know that.
Forgive me. Forgive my across the pond ignorance here, but do you all have Ticketmaster in your neck of the woods?
Yes. Exactly. Ticketmaster, they're the worst, aren't they?
Finally, Dave, you agree with me. They're the poster child for this sort of thing. So their grasp has extended globally.
Awful. They're awful. So sometimes, though, additional fees have a purpose. For instance, and we're coming back to the security angle of this podcast here. Thank God. Bitcoin fees. So when the Bitcoin blockchain was all dreamed up, part of the plan was to include transaction fees. So these weren't just designed to fill someone's pockets with lots of Bitcoin, but rather to deter people from flooding the network with transactions and spam and also incentivise miners to validate transactions and add it to the next block of the blockchain. So this is part of the process. You put a little bit of Bitcoin there along with it. So Bitcoin transactions require a small fee, which is paid to the miners that confirm them. And if you're in a rush to get your Bitcoin transaction processed, you might pay a high fee. So imagine you want it to be processed in 20 minutes rather than an hour and a half. Because I need that money right now. Right. Some people do. But generally speaking, not always. The higher the transaction value, the higher the transaction fee. It's a percentage, I'm guessing. Yeah, we are. Many cryptocurrency exchanges, they won't allow you to choose how much you pay. Because you can choose how much you pay. Instead, they will have a predetermined fee. And that's how they make their millions and millions. Is, again, scraping off the top and then using the rest to make the payment.
We've seen it with banks for millennia. Well, maybe not millennia. But, you know. Thanks.
I've been doing it for a long time. The thing is this, if you are a more experienced cryptocurrency dealer, it's quite possible that you choose what you want to pay rather than using a cryptocurrency exchange. And that brings me to today's story, because someone has just paid a fee to transfer $1,865 worth of Bitcoin. So $1,865 worth of Bitcoin. What kind of fee do you think they paid? What would seem plausible to transfer that sort of amount of money? $10 maybe? Well, 1%, something like that. Yeah. Right. What about $500,000? Seems excessive. I'm guessing you choose not to do it at that time. Well, this particular person, they chose what their fee was. They chose to pay half a million dollars to transfer $1,865 worth of Bitcoin. So they paid 19.82 Bitcoin to transfer 0.074 Bitcoin. In other words, they spent 270 times more than the transaction value to pay the fee. Why? Well, I'm guessing we're going to find out about the scam now. Well, Ticketmaster aren't involved. That's your initial thought, is they must be somehow involved in this. So it does seem a little excessive. So how on earth did this happen? Well, on Twitter, a Bitcoiner called Jameson Lopp, which I think is a really cool name. Sounds a bit like Mobius Strip.
Right, or a street on the Apple campus.
Yes. He speculates that some buggy software might be to blame, either in the payment process or the cryptocurrency exchange. Or maybe someone put a decimal point in the wrong place. How do you do that? I'm not sure. You have a heart attack and fall on your keyboard on the zero, you know, your nose tip. Maybe. Yeah.
Or maybe they mixed up the fields. Maybe they were planning to transfer $500,000 and pay a $1,865 fee and they put the wrong numbers in the wrong fields.
Well, then no problem. Yeah. I guess the exchange could give it back to you. It's like, that's a ridiculous transfer fee.
They've made the commitment by then. Yeah, yeah. And the fee has been lodged. And it ain't regulated, as we've discussed many times. So this is something of a mystery. What we do know is it isn't a newbie because this particular cryptocurrency wallet, although we don't know who they are, they've made over 120,000 other transactions in the past. Nothing quite as bad as this. I think you're missing it. I think they were actually going to be collecting the transfer fee somehow. Like, you don't know what this person is or what their job is.
I don't think that's how it works. So the transfer fee gets sent ultimately to other people mining on the blockchain. Right, so it gets dispersed. And it's split between them. Oh, right. Yes, it gets dispersed. So this transaction happened on September 10th, 2023 at 5:10 p.m. UTC. So it's 10 past six in the evening UK time. The mining pool that was used to process the transaction, they're called F2Pool. And they've said that they are giving the sender three days, so until Wednesday, September 13th at 5:10 p.m. UTC. Unfortunately, just before this podcast is released, so my attempts to warn someone are going to fail. I'm sorry if this is bad news that you're hearing this. Right. And after then, it's just going to be transferred and distributed amongst miners on F2Pool. So this is quite an expensive lesson for someone.
Maybe it's a Robin Hood moment. Maybe they're like, hey, give it to the people. Give them the money. It's a charitable act. Yes. And some people are, Graham. Some people, right? Don't sit there trying to save two bucks every time they're trying to buy something. Like, you know, it's true.
How did this come to light? Are there folks out there who are just keeping an eye on the blockchain for unusual transactions?
That's exactly what's going on. People with even less of a life than people who appear on security podcasts.
Less than a life than trying to fill in a washing machine form and missing the, can you do the plumbing, please?
Dave, what's your story for us this week? My story comes from a website called GovInfo Security. And this is written by Matthew Schwartz. And it's about usernames being a potential security issue here. Admin.
Need to guess. Admin.
Admin. Excellent guess. It could be something like John Smith, I suppose, or a common name.
Not as good a guess.
John Smith, you know? They have the example thing.
Actually, Graham, I'm surprised that you're not acing this. Your email address.
Oh, I know what it is.
No, no, no, no. It's username.
What? It's username. Oh, username. No, no, no. And to username and password. Root.
Oh, good one. Ding, ding, ding, ding, ding, ding, ding. Yeah. Right. Got it. Yeah. Root is it. So this story centers around a gentleman named Jesse La Grew, who is the chief information security officer at Madison College in Wisconsin. And he also helps out the folks at the SANS Institute with their Internet Storm Center. He runs a honeypot. And over the past 16 months, he's collected over 3.7 million usernames via attacks that targeted his honeypot. And the most popular is root, accounting for 48% of all the login attempts. Graham, why do you suppose root is so popular? Any guesses?
Well, because the root account is a powerful one to have if you manage to break into it. And it's the default username in Linux for SSH logging in. So 48% of all login attempts used the name root.
Password, one, two, three, four, five.
Yeah, yeah. Root. Root also, yes. Yes. Yes, root. Carole, you are correct. One, two, three. But there is an odd thing here. The most popular password tested by attackers was 345GS5662D34.
I have to look at my keyboard now.
And nobody knows why. Say it again. It's 345GS5662D34.
Is that perhaps the default password used by a particular piece of software or hardware if people don't change it? Could this be some sort of targeted attack against one particular device, which his honeypots are picking up time and time again?
Right. Well, the strongest suggestion so far is that it might be the foreign equivalent of a phrase like "my password" being entered into a non-English keyboard. So in other words if you're using, I don't know, let's just choose a random part of the world, Russia. If you're using like a Cyrillic keyboard, perhaps that's the equivalent of that. I don't know, but for whatever reason that is the thing.
Listeners get in touch if you've got any theories.
I'll give my theory. I think it might be something like visual, like if you drew it out it makes like probably a penis or something. Of course, boobs. Always. What a surprise, Carole. That's your — count on you, Carole. Oh yeah, I would do that. Always going for the smutty answer, isn't she, Graham? Of course it matters. Well, from my point of view, you have two shots, right? You got to get both right. And if one's a giveaway 50% of the time, it's kind of, you know, you're making it way easier, no?
Certainly, I've read best practices before with particular pieces of software I've run on servers where they've said, look, this is how you log in. This is the username. Obviously, change the password. But when you read the best practices, it says also change the administrator username. You know, why use the same administrator username? It makes sense. And so on my website, for instance, I don't use the standard administrator username.
But not everybody reads everything. Remember, Graham, the airport story?
But this leads me to, should these systems require that you change the default? Should you be allowed to leave the default as the default or not?
Yeah, I'm thinking of the other way around. Why would they have it as a default? You know, why would they even give a default?
Well, I mean, I guess you've got to ship with something. Yeah. You've got to start somewhere. I mean, the first thing that happens when you power the device up is it says, choose your login name and your password, and doesn't even have a default entered in the system at all. That would be an option. But, of course, you also have to have something to fall back on. So if someone does a hard system reset, there should be some way to establish the system as if it were new. And so perhaps that's part of the motivation here as well. You have something that you can use.
Another thing here is so many websites, they require your username to be your email address. And so there is the potential for privacy breaches to occur because people can see that you're a member of one particular website or a forum and they can see where else you may have accounts. And that can, you know, there is an attraction in being able to choose your own usernames to remain a little bit more private.
Sure. Again, thinking back to the old BBS days when everybody used handles instead of their real names.
Now there are privacy services built into things like iOS. So on modern iPhones now, it will actually say you don't have to use your actual email address if you're worried about spam or whatever else. They will give you an email address which will then forward to your real email address. So there is some more privacy there, which I don't know how many people use that, but it seems like it could be a good idea.
Yeah. Yeah. So in this article, they also talked to Johannes Ullrich, who is the dean of research at SANS. And he also founded the Internet Storm Center. He's host of their daily podcast, also regular guest on the CyberWire podcast and personal friend of mine. Plug, plug, plug. Yeah. Johannes makes the point that this all comes down to strong passwords and multi-factor authentication, that you shouldn't really worry about your username as being something secure as long as your password is secure, but then also it's backed up by some form of multi-factor. He also makes the point that nobody should be using FTP anymore. But this article points out that Rapid7, back in 2018, they found that there were 21 million FTP servers still running out there. And I think, you know, I think it's one of those things that if it ain't broke, don't fix it. And people don't often consider something that's been in use for a long time. Or they forget. They'll just keep on using it.
Like how much digital stuff have people just left online somewhere without no one, the person who was in charge got fired, left, forgot about it. No one knows about it. It's just sitting there humming away.
Right. So I wanted to pivot though then to passkeys. And I was curious if either of you had any familiarity with passkeys, if you've experimented with them, if you added them with any of the accounts that you have. I guess I should back up and say if you even know what they are.
So passkeys are pretty cool, aren't they? They're the new development on the sort of password front, trying to make it a more seamless experience to log into sites without having to scrabble around. I must admit, I've played with it. I haven't actually set any of them up yet. So I'm not trusting them yet. And partly that's been because some of the technology which I use isn't completely compatible yet with the passkey experience. And I'm worried about being maybe locked out from some of my devices, from some of my accounts.
Right. So I don't know if I'm familiar. Is a passkey something your iPhone might say to you, I'll save that for you. I'll create it. And then you can just go in and go out and your phone manages it for you. Or is it something different?
So rather than having a username and password that you would enter, it takes care of everything behind the scenes. And you would just use something like Face ID to log in. So the combination of Face ID and you being in physical possession of your phone, the key exchange happens behind the scenes. You don't even see it, but it is quite secure. This all comes through the FIDO Alliance. So it's good stuff. The big players have all jumped on board. I think it's probably being mostly led by Apple. It's built into iOS now. But Google and Microsoft, they're on board also. I think what's going to have to happen is the password managers are going to have to adopt it. And I know a couple of them have, but not all of them have yet. So I think once they get on board, boy, that'll be convenient to be able to do that. Graham, just like you, I've been passkey curious, but I have not jumped in with both feet. And I actually found it hard to wrap my head around some of the details. So I sought out someone to talk to and I actually interviewed a guy named Chris Sherwood. He's from a company called Crosstalk Solutions. If people are interested, we'll have a link to that interview in the show notes. And then also I included a link to the Wikipedia page and the page from the FIDO Alliance on passkeys. So I'm hoping that passkeys catch on and they become the future here because it seems to me jettisoning this whole username password dance could ultimately be a good thing for folks. But you, Graham, it's hard to trust it so far. And I know it has all of this pedigree behind it, all these good organizations, but I'm still not quite there emotionally. And I don't know. And I should be, but I'm not.
I think I trust it. I think it hasn't been completely integrated into all of the browsers yet on all of the different platforms. And that's what makes me a little bit nervous. The password manager I support appears to be making a big push in this area. They're making a lot of noise about this, and they view this as their future, and I have confidence in them.
But why wouldn't you use it, though, on your phone with apps that you care less about, right? But you could just trial it out on that, on the iOS. Yeah, you can. Because I'm doing that, and it works for me brilliantly because you can just delete the app and come back and it'll remember. Yeah. Which is useful.
You're more adventurous than either of us, Carole. She is. She is. We're just curious. She just sleeps in. That's right. She just jumps in, dives in, head first. You go first, Carole. Tell us how it goes. Carole, what have you got for us this week?
Deepfakes. So when I say deepfakes, when I say that word, what comes to mind? Just give me a little brainstorm. Dave, maybe you go first.
I would say images of celebrities doing things that celebrities usually don't do publicly.
That's good. Graham, anything to add?
They deepfaked Tom Cruise to appear he's a human being. That kind of thing.
Yeah, it's tied to all things crappy, isn't it? Do you know, its origins are in the porn world, as the entire internet, I'm led to understand. Is that right, guys? Every major technological breakthrough has started, or at least been popularized. I knew that you'd know more about that than I would. Or so I heard. So, the worst of deepfake world is deepfakes used for child exploitation, right? So, even actually, Australia is proposing a new industry code that would require big tech firms, so the Googles, Microsofts, you know, Microsoft Bing, DuckDuckGo, to eliminate child abuse material from their search results and take steps to ensure generative AI products can't be used to generate deepfake versions of the material. But equally crappy is exploitation of any person, you know, either to cyberbully or decimate someone's reputation or shame. The Conversation last year said that the majority of deepfakes on the internet were assaults on women grabbing facial images without consent and inserting them into pornographic content. A deepfake expert found that 96% of deepfakes found online were pornographic and 100% of those were video images of women. It's crazy, right? Plus we have deepfakes designed to spread disinformation, misinformation and to undermine. Apparently this is called the liar's dividend. Did you know this term? Yeah, so the liar's dividend is the idea that when anything can be faked, people who are lying, so claiming that something true is actually false, have the power because they benefit from the undermining of our trust in all images in this case.
Exactly. It wasn't a video of me groping that woman. It must have been a deepfake.
Right. Fake news. Fake news. It's like Trump saying that he never met alone and hung out with Jeffrey Epstein ever in his life, right? The message is ultimately you can't trust what you see, but you can trust me because I'm calling out the liars who deepfaked the pictures. Who are you going to trust? Me or your lying eyes? Exactly. But what about deepfakes for good? So as synthetic media and deepfakes take off, there's potential in various fields coming to roost. So one of them, for example, would be healthcare. So an example is a Ukrainian company called Respeecher is developing deepfake voice technology for patients who are unable to speak. So they're creating more expressive, realistic voices to replace the robotic sounding prototypes we had during the 90s. And there's also cultural implications. Graham, I think you went to an art show where there was some AI stuff. I don't know if it was deepfake, but at the Dali Museum in Florida, they have a deepfake Salvador Dali welcoming visitors, telling them about himself and his art. And the idea is that it gives visitors a sense of immediacy and closeness and personalization. You know, deepfake Dali even offers you a chance to take a selfie with him.
Oh, my goodness. You see, I find those things a little bit irritating. It's a little bit like there are adverts on the...
No, you don't find something irritating.
I do, I do. I have to admit it. There's adverts on British TV where Albert Einstein is in the bath recommending we all get a smart meter installed for our electricity. And I think, well, that isn't Albert Einstein. How can they pretend that this is Albert Einstein in the bath telling me this? This is outrageous, I think. And it's all been done with deepfake technology.
Yeah, they've done that as well with Marilyn Monroe with a chocolate bar. I think it was Galaxy that gives looks. Audrey Hepburn. Oh, yes, Audrey Hepburn. Yeah. And this, in terms of deepfakes for good, this one's close to my heart. So research engineers Kate Glasgow and Weiwei Zhang are using deepfakes to help people with aphantasia, the inability to create mental images in your mind. And I'm super keen on that because I recently learned of my own aphantasia. Like I have zero visual mental ability, like zero. And apparently it's two to 3% of the population.
So how does that exhibit itself, Carole? What does that actually mean?
Well, I will put a little test in the show notes if anyone wants to have a play. But effectively things like I'd say close your eyes and imagine either a colour or a shape or a face that you know very well. And then you build a mental image of that, I guess. And then you would then say, oh, it's super clear, super vivid. I can see all the lines, the colours. I can see movement. Some people can see actual, you know, have movies play, you know, like play a scene. I just never understood that when they said picture this in your head that people actually...
That's really weird because you're an artist. I mean, you have your paintings exhibited. How are you managing to do this? It's fascinating. Well, don't worry. I'm going to get in touch with Kate and Weiwei and say, guys, guys, guys, guys, help me out.
Why even use that word? I guess for SEO, I don't know. Yeah, I guess people don't know synthetic avatars as well. You know, it's more commonplace. So Axios recently published a story about a company which is granting access to its deepfake tech to the public. So the idea is to provide a quicker, cheaper, easier alternative to recording everything from customized marketing to instructional videos.
Isn't this going to put actors and voice artists out of work? Sure it is. Absolutely. It's going to have a huge impact.
Well, this is an issue with the writer's strike right now, the actor's strike, where the studios were saying that they wanted to do 3D scans of all of the extras in movie production and then be able to use those scans forevermore. So pay you for one day of work and then we'll use your body, your image in the background of all of our movies at our discretion.
Yeah, I can understand why people are upset by that. I was going to say, I swear. There, so I'm conflicted over this because on one hand, on one hand I want to fight my curmudgeonly natural— That's an excellent analogy, Graham. I think we're all with you on that one.
And similarly, it's inevitable that this is coming along. So I can understand why people are striking and really upset about this. And I'm very sympathetic with that. But yeah, it gives me a queasy feeling too, Carole. The thing I was thinking about is so the rules say, you know, no explicit, nothing violent, but that doesn't rule out misinformation, does it? So what if your deepfake account gets hacked by an unauthorized third party? I mean, of course, I know this will never happen to any of them. No, definitely not.
It all sounds very plausible to me that Graham would say those things about me. So, oh, that's our Graham. There he goes. He's been...
You see, Graham, everyone wants to forgive you all the time, even if you call them a boob. In a world where technology and human life are intertwined, cybersecurity is just security. Keeping your memories and conversations safe shouldn't require cyber expertise. Technologies for everyone. Cybersecurity should be too. If you work in security or IT and your company has Okta, this message is for you. For the past few years, the majority of data breaches and hacks you read about have something in common. It's employees. Hackers absolutely love exploiting vulnerable employee devices and credentials.
Gigamon's deep observability pipeline amplifies the power of traditional security and observability tools with actionable, network-derived intelligence and insight to eliminate blind spots in hybrid cloud environments, including the threats that may be hiding in encrypted traffic. Gigamon's latest survey of over 1,000 global leaders reveals the state of hybrid cloud security and the dangers that free-flowing encrypted traffic poses to organizations. Find out more. Download the report today at gigamon.com slash smashing. That's G-I-G-A-M-O-N dot com slash smashing. And thanks to Gigamon for supporting the show. And welcome back. And you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. That could be a funny story, a book, that they've read, a TV show, a movie, a record, a podcast, a website or an app. Whatever they wish. It doesn't have to be security related necessarily. Better not be. Last week I had a nitpick of the week, which was all about induction hobs with knobs. It was fascinating. It was fascinating. I got feedback. Thank you to the listeners who sent me photographs of their induction hobs, claiming that they loved the touch controls on them and that they didn't need knobs. Because they're human and normal and know how to use them.
You are just Mr. Major Appliance lately, aren't you?
As I am. As promised, I'm going to give you feedback, because I've now got myself an induction hob with a knob on it, rather than touch interface, and it's great. Oh it's a stove top. All right, okay. We can make this a regular annual feature.
want to hear about your hob until then, though.
Okay, all right. Well, once a year, Graham checks in, tells us about his hob. So is this where the phrase hobnobbing comes from? Ooh, ooh.
You could be onto something, Dave. Dave, what's your pick of the week? Well, you know, I love British humor. I have a great appreciation for the comedy that comes from your side of the world, be it Monty Python, Fawlty Towers. I thought you were going to say something like Blackadder or the thick of it. Sure, yeah. Oh, Mr. Bean.
Sure, sure. Fabulous, fabulous, fabulous. Good stuff. Somehow, I don't know why, and I can only guess it's because of my appreciation for British humor, YouTube decided that it was time for me to learn all about this thing that I did not know existed, and I wonder how my life was satisfactory without knowing it, and that is Mr. Blobby. Oh my goodness. Oh God. So how are we going to explain Mr. Blobby to people who don't live in the United Kingdom? I'm not sure. Well, I would say he's a ripoff of Barbapapa. It doesn't look like Barbapapa.
That doesn't help as an explanation. It's a man in a sort of polyurethane costume who's bumbling around. He's pink.
Well, it's like a kind of flesh-toned pink with yellow polka dots. Yes. And it's one of those sort of inflatable outfits. It looks like you could punch him and he would just rock back and forward like one of those. You don't see his face, so you don't know who's inside the Mr. Blobby costume. But you know it's Mr. Blobby because he's crashing into everything and causing mayhem and destruction. Oh, is that right? Well, it takes a while for things to come over here. That has happened. He used to be a fixture on a show called Noel's House Party. All right. So for my American friends who have no idea what Mr. Blobby is, I'll include a link here for the top 10 WTF Mr. Blobby moments. It is very odd humor. It almost feels very 60s in terms of its kind of psychedelic... everything. Yeah.
Yes. The pinnacle of British achievement, I think, right here. So that is why Mr. Blobby is my pick of the week.
Do you have anything to whinge about with Mr. Blobby, Graham?
I think I'm all blobby'd out, to be honest. Finally. I mean, one thing for maybe Dave to explore is that Mr. Blobby came from a place called Crinkly Bottom, and there was a theme park, maybe a couple of theme parks, which involved blobby-type antics in the UK. Oh, yeah, they're now derelict and overgrown. It was all a sort of financial disaster, but there's plenty for Dave to explore if he's interested in Blobby Land. Was there ever a Blobby-Doctor Who crossover? I'm sure there's been a comedy skit involving Doctor Who and Blobby. Yeah, almost. And he had a number one as well. He had a Christmas number one record, Mr. Blobby.
Of course he did.
Yeah, there's so much more for you to discover. There's a lot for you to dig into, Dave, if you're really keen.
I have so much in front of me. What a world. What a life. I just, please restore some sanity. What's your pick of the week?
I will be restoring sanity with my pick of the week because it's a book, a book of fiction. Regular listeners know that I'm a fan of audio books. I've been plowing through them. Apparently I use the word experience when it's an audio book. I feel weird about saying read, but I've experienced 57 in the last 12 months. So it's not bad going.
Yeah. Wow.
Yeah, I don't sleep a lot. So this one, this last one was a real gem. It's called Lessons in Chemistry by a former copywriter, Bonnie Garmus. Have either of you heard of it, read it?
No.
Oh, well, I'm surprised because there was a huge hoo-ha when the book came out. Everyone's saying, oh, my God. And it got a big-name TV deal really early on. Everyone seemed to love it. And I, in fact, put off reading it because of the hype. You know, sometimes there's so much hype. You're just like, come on, come on. So it was stupid of me because I've just now finally read it and it's fabulous. Polished, funny, thought-provoking, beautifully knitted together. So you've got a lead, who is a pioneering chemist named Elizabeth Zott. And her obvious talents mean that she should be at the top of her chem game, you know, getting huge research grants for all her cool explorations and discoveries. She's this no-nonsense, dedicated researcher, but she's a she. And this is the 1950s, set in California. And as we access her inner life and outer experiences for about a decade, the reader gains an amazing understanding of what was normal just a few generations ago for men and women, and how far we've come since then. And this isn't a men-are-shit-and-women-are-fab narrative. There are many characters with flaws, some unforgivably awful, on both sides of the sex divide. But it's just so well done. And it's a real testament to copywriters becoming writers, because as a copywriter, you learn how to be tight, you learn how to get rid of the riffraff, you learn how to tell a story. And it really shows.
Dave, that's quite a cultural pick of the week from Carole there, isn't it?
It surely is, yes. My father-in-law was a research chemist, so perhaps we'll check this out.
I was thinking, Dave, I would love for you to read it. Graham, I'd love for you to read it as well. But if nothing else, recommend it to readers in your life.
I think Dave should read it rather than watch Mr. Blobby. That's what I'm thinking the whole time.
I think it's much, much better than Mr. Blobby, though not maybe as a phenomenon. Oh, I don't know.
It's a lateral move at best.
Yeah. Anyway, it's a beautiful, non-confrontational, non-preachy, non-aggressive way of understanding the journey of how we've managed to get to where we are. Lessons in Chemistry by Bonnie Garmus. It's my pick of the week.
Fantastic.
You came here for the hobs and you end up with the chemistry and other magic. This is the wonder of the Smashing Security podcast.
And that just about wraps it up for this week. Dave, I'm sure lots of our listeners would love to follow you online and find out what you're up to. What's the best way for folks to do that?
You can go to thecyberwire.com, and I am also on Mastodon.
Terrific. And you can follow us on Twitter, or whatever it's called these days, Elon Musk's Fun Palace if you prefer. We are @smashinsecurity, no G, Twitter allows to have a G. And you can also make sure that you never miss another episode by following Smashing Security in your favourite podcast apps such as Overcast, Spotify and Apple Podcasts.
And a massive thank you to this episode's sponsors, Moonlock by MacPaw, Kolide and Gigamon, and of course to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list and the entire back catalogue of more than 338 episodes, check out smashingsecurity.com.
Until next time, cheerio. Bye bye bye.
It doesn't make great audio. You really need to see him for it to work. Oh my goodness. You have opened up a can of worms here, Dave. I know. The Pandora's box you're about to uncover.
Yeah. I just like the contrast between the stereotypical stiff upper lip of the Brits with Mr. Blobby coming in and just running through walls. I don't know why it tickles me so, but it does.
Hosts: Graham Cluley, Carole Theriault
Guest: Dave Bittner
Episode links:
- Tweet by Jameson Lopp.
- Bitcoin user’s costly error leads to record transaction fee of $510,000 – Cryptoslate.
- Root Admin User: When Do Common Usernames Pose a Threat? – GovInfoSecurity.
- Dave’s conversation with Crosstalk’s Chris Sherwood – Hacking Humans podcast.
- Passkey authentication – Wikipedia.
- Passkeys: Accelerating the Availability of Simpler, Stronger Passwordless Sign-Ins – FIDO Alliance.
- Test your mental image ability – Aphantasia.
- How to create your own personal deepfake – Axios.
- Deepfakes are being used for good – here’s how – Connecting Research – University of Reading.
- Six things you need to know about deepfakes – BBC Radio 4.
- Mitigating Aphantasia with Generative Reality – Medium.
- Ethical Deepfake Maker – Synthesia.
- HeyGen deepfakes – HeyGen.
- Deepfakes are being used for good – here’s how – The Conversation.
- Search engines required to stamp out AI-generated images of child abuse under Australia’s new code – The Guardian.
- Induction Hob with Rotary Controls – Cookology.
- Top 10 WTF Mr Blobby Moments – YouTube.
- Lessons in Chemistry by Bonnie Garmus review – the right comic formula – The Guardian.
- “Lessons in Chemistry” – Book by Bonnie Garmus.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
- Moonlock — cybersecurity wing of MacPaw. Developers of the antimalware tech in CleanMyMac X — Moonlock Engine.
- Gigamon – Download the Gigamon Hybrid Cloud Security Survey to learn about the hidden dangers of encrypted traffic.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.