Smashing Security podcast #352: For research purposes only

Industry veterans, chatting about cybersecurity and online privacy.

Graham Cluley (@grahamcluley.com)


A hacker bursts the bubble of inflatable fetish fans, Hollywood celebrities unwittingly record videos in a Kremlin plot, and there’s a particularly devious WordPress-related malware campaign.

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Paul Ducklin.

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault

You looked around the house of this guy who mouthed off because the hacker posted that?

Graham Cluley

Well I was curious as to what the hacker was linking to and I went and checked it out. Oh, I've got big air quotes for research purposes only. Yeah, I didn't break in through his front door and have a poke around or anything like that.

Carole

Right, that's what all the hackers say too.

Paul Ducklin

Smashing Security, episode 352, for research purposes only, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 352. My name's Graham Cluley.

Paul

Hello Graham and Carole.

Graham

Thank you for coming on the show Duck.

Paul

Thank you for having me.

Graham

Now, Carole, we're running a tight ship today, aren't we, because you've got a very important phone call to make to your mum.

Carole

I do have a very important phone call to make to my mom which should have been made yesterday. So let's kick this show off, but first let's thank this week's wonderful sponsors Kolide, Push Security and Vanta. It's their support to help us give you this show for free. Now, coming up on today's show, Graham, what do you got?

Graham

I'm going to be talking about inflation.

Carole

Ooh, okay. What about you, Duck?

Paul

I am going to be talking about something that the cyber crooks did that when I saw it, I grudgingly had to think to myself, ah, 10 out of 10 for style.

Carole

And I'll be talking about winning hearts and minds. All this and much more coming up on this episode of Smashing Security. Now, chums, chums, it's the most wonderful time of the year, isn't it? Is it? I don't know. That's what they sing. Maybe it is. Maybe you've got other preferred times of the year. I'm not sure. But you know what it means, this time of the year. Ugly jumpers, just festive jumpers. Graham, have you never stopped to think that in the Southern Hemisphere, as the days are getting to their longest, that it might even more be party season?

Paul

And maybe party season on a beach?

Graham

In the swimming pool, perhaps?

Paul

Yeah, something that, yeah.

Graham

What kind of games do you like to play, Duck, when you are having a little party? What's your preference?

Paul

I'm not really a party animal, Graham. You could afford me. I do put Christmas lights on my bicycle at this time of year, and I have them on. And that's one thing nice when the nights draw in, because when you go for a ride, all the kids look at the bike and you can hear what they're saying. Daddy, daddy, I want those for my bicycle. It sounds dangerous. You must have one hell of an extension lead. Yes, with you, I think. It's a drinking game. I don't drink, Graham, you. So, no, I haven't played it, but I know that something bad is coming. I can just feel it in my liver.

Graham

I can enjoy Fuzzy Duck, even if I haven't been drinking. I think, anyway, maybe some of our listeners would like to play Fuzzy Duck. I'll put a link in the show notes.

Paul

Is that because you like the discomfort of others?

Graham

Well, what is a party? Of course I do. What is a party without balloons? Not baboons, balloons.

Paul

What, those big plastic things that are polluting the earth?

Graham

Latex rubber is what they're made out of. And that is, you know, you get balloons in different shapes. You get your tedious old round balloon. You know, that's the sort of bog standard sort of balloon. Or the ones that look like a sausage. They're quite fun. Some people like to have a lot of fun with balloons. Friend of the show Geoff White, author of The Lazarus Heist, used to be a professional body... no, not a professional bodybuilder, used to be a professional balloon modeller back in the day.

Paul

Is that where they twist them into dogs and fairies and go-karts and worse? Duck, you weren't at the Smashing Security podcast Christmas party a few years ago where Geoff was videoed doing his not-safe-for-work balloon trick, but I have found it on the internet, so again I will put a link in the show notes for anyone who wants to see someone having a lot of fun with balloons. And there's lots of people who like to have fun with balloons. And what they do is they like to seek out other people who enjoy good, clean fun with balloons.

Carole

Oh, not loons, the bird.

Graham

Right. No, no, no, no, no. So it's the website for looners and inflatable lovers to upload their videos. And they say if you go there, you can every day watch new inflatable and balloon fetish videos.

Paul

Oh, fetish. There we go. That's what you were waiting for. That was a long and very cautious introduction to bring us to that dread word.

Carole

That's why you got all precious when I said plastic. You're, no, no, no, latex rubber. Oh, no. Latex rubber. These people are purists. They want the proper material. So they run a website. What have they done, Graham? Tell us. Well, they haven't done their security properly. Who would have thought? We talked about this just a few weeks ago that the law has changed where people are going to have to provide things maybe a passport. Remember what the Ofcom—oh yes. Yeah oh but that's with pornography sites Carole, this is good clean inflatable fun. You say fetish though. Well, if they're asking for people to be over 18, it seems to me it might be a little dangereux.

Graham

Well, yeah, certainly they're saying if you want to upload some nudity, so if you're, you know, engaged in some activity with an inflatable or with a balloon and there's some, you know, nippleage or something on show, then yeah you have to prove that you're over—

Paul

I just want to say I've got my eyes closed talking into the microphone now and it is not helping because you're painting quite a vivid picture.

Graham

So according to InflateVids that doesn't matter anyway. They say because they always delete that ID verification data which is smart.

Paul

It's just a special kind of deletion where you can go in with a utility afterwards and undelete it.

Graham

Who knows? So Rik at InflateVids, he said, the other problem is that sadly, my website was using an outdated hashing technique, SHA-1. So that is not the best way of hiding your passwords. It's not the best way to obfuscate them from someone else coming along and de-scrambling them. So they say they're going to fix that and they're going to add some salt in the password because that's what you should do. You should hash and salt or salt and hash actually is the correct order to do these things in the future. But the problem is that people who were using a particular password for InflateVids may also be using the same password on other websites that they're members of. Oh, no. And I'm guessing, I haven't done much searching, but I imagine there are other websites of a similar vein. Or maybe just their banking password, or maybe their eBay password, or their email password could be the same.

Paul

I think you're right, Graham, because what I've heard a lot of people say is, well, I've gone out of my way to think up one really extra, super complicated password. I'm not taking shortcuts, no cats' names. And now I've got that memorized because it's so secure. Why don't I just use it for everything? And I think you just explained why not. Hate to burst your bubble.

Carole

Yeah. If there's any websites that you really want to keep private, you know, I think of banking. Yeah, all of them. But you may care less if someone broke into your New York Times subscription or something because you're not putting any information in there.

Graham

But it's just a good habit, isn't it? If you just have the habit of always using a unique password, one that's been randomly generated maybe by your password manager or something rather than by your brain, then you're never going to accidentally use a dumb password. What may happen is you may create an account on an online site at some point, which seems fairly harmless, and then later use it for some more serious purpose, but you're still lumbered with that daft password you initially chose.

Carole

Absolutely. And actually, my example was stupid because, of course, if you have a subscription, they've got information on you and you have to pay for that some way. And so if that information got taken, you would be screwed a bit.

Paul

There's also the issue that even if it's just some local news site where you don't have to pay, if someone's got your password, they can jump in and put inflammatory, racist, derogatory, abusive remarks in and just sit back and go, ha, ha, ha, ha, ha, I've got you. Because the finger's pointing towards you when that happens.

Carole

Yeah, attack the reputation. Yeah. So did he publish these usernames, IP addresses, email addresses? He's trying to sell them. What's he want?

Graham

It looks like he's made them available to download for free.

Carole

Oh, that's a bit douchey, right? So he's posted this up on this website. And from what I've seen, some of the members of InflateVids aren't terribly happy. So I was looking at this thread where the breach has been announced. You looked around the house of this guy who mouthed off because the hacker posted that. Well, I was curious as to what the hacker was linking to and I went and checked it out. Oh, I've got big air quotes for research purposes only, is this? Oh, right. That's what all the hackers say, too.

Graham

So, Rik, Rik at InflateVids, Rik has said this all happened because he was running off-the-shelf software that used SHA-1 for hashing. He didn't check. He didn't change it. He assumed that everything was going to be fine because he just got something off the shelf. Obviously, he says that's going to have to change in the future. It doesn't explain how the hack has gotten in the first place, but it's how maybe people are now able to find out what their passwords are. So I don't know if either of you are members of InflateVids or any of our listeners. Bad news is there's no ETA for the website to come back. Rik says it may take months. I don't know what you're going to do for your inflatable content in the meantime. I do. Change your bloody passwords. Well, yes, maybe you're going to have to find another source. I found the Instagram account of a Spanish chap who appears to be a member of the site, but his account is private. His avatar, though, Duck, this is just for you, shows him splayed on top of an enormous inflatable football. So it seems legit, either that or he's got some sort of other issue. So there's a lot of this going on. Thrax, by the way, this isn't his first breach. He attacked Fast Company. He hacked into Fast Company's content management system last year. And he pushed out some obscene and racist notifications via Apple News to tens of thousands of subscribers. So not very nice of him to do that either. Another douche move, yeah. Yeah, absolutely. So what we're saying to regular users, use unique passwords, obviously. But also, if you're running a website, even if it seems to be harmless fun like InflateVids. I haven't seen any of their videos, honestly. I haven't. So I don't really know what goes on, but I assume it's all fairly harmless. Maybe we should

Carole

have a campaign called Hug a Hacker or something. Maybe they just need some love and we're denying them and then they go and do evil stuff. Hug a Hacker. Start with hugging IT people, IT security staff. Yeah, I hug my CIO. Oh, your husband. The Yeti.

Paul

I have a story about a WordPress phish that I investigated. I didn't have the original email. And fortunately, you, Graham, rode to my rescue because you, as a fellow WordPress user, I use the hosted WordPress. You, I think, run your own, which is why you got chosen. You received an email fascinating me to your privacy at account, which I presume was done to give it more credibility. that was, in my opinion, surprisingly believable for a phish and led to a web domain that was astonishingly close to the real WordPress one.

Graham

So, Duck, what was the content of this email? What was triggering people to click on the link and end up on this fake WordPress site? Well, the thing that drew me in and made me think, hey, maybe they've actually hacked something inside WordPress because it all looks so good, was the subject line: attention, remote code execution vulnerability detected in your WordPress site. Dear user, that's perhaps the only giveaway. And it's a professional-looking email, isn't it? I mean, it really does look visually like an email from WordPress. You know, there's no spelling mistakes. It's formatted nicely. It's got their logo. I mean, it looks convincing.

Paul

And it's quite charming and it sounds community orientated. And of course, it's spoofed. So the from address is wordpress.org. It claims to come from security at webmail-wordpress.org. It's come to your privacy email account. Yeah. So apart from the dear user with a lowercase u and one comma that I didn't like, but that may be a stylistic matter. It was way, way better than usual. And this is not just some ChatGPT thing that's produced text that meets English grammar rules. It's nicely written. All you need to do is download, install, and activate the plugin, ensuring a quick and trouble-free protection. That's not quite perfect English, but it's good enough.

Carole

I know people would just trust this, but I think my first thing, if I had one of those, was go to the WordPress website to see if there's any information, see if there's any press articles on it. Because surely if it's affecting tons of people, they're going to be talking about it rather than just sending private emails.

Paul

Indeed, you're right. If you know your domain and that's what you should do, know where to go yourself in advance, using information you've prepared earlier, you would probably just go to WordPress.org and start right there. However, I can see why people might go, well, let me click the button. I'm only going to the website. Presumably, my browser's patched. I'm not going to get pwned just by visiting the site. I mean, that can happen, but it's unlikely. You click download plugin, and you end up on a site that will seem targeted perhaps to your region of the world. Because what these crooks registered is they got the domains en-au.wordpress.org. That's English Australian flavor, en-ca, which was the link that was in the email that Graham got, en-gb, they got nz for New Zealand, us and za. It's a clever move. Except they didn't actually get en-ca.wordpress.org because that's the real site. What they got was en-ca-wordpress.org. It just looks right, and I have to admit, when I went through to look at that site, and I went through with the Tor browser, I took all my care just to see what was going on. When I looked at the page, when the page appeared to me, my immediate thought was, wow, this is WordPress's real site. The crooks have actually tricked WordPress into accepting a plugin that is bogus, that I'm amazed they didn't spot the malware in it. And I'm amazed it's still up. And then I looked back and thought, no, hang on, they're WordPress.org. And they won't have registered a separate domain for each region. They do them as subdomains. And there it was, just that dash.

Carole

So don't you think it's a bit shitty that that's even possible? Yes. So if you had duck.com as a URL or as a domain. I wish I could have sold it to DuckDuckGo. Somebody did and made

Paul

A small fortune. But it didn't seem important back in the day when four-letter domains were free and easy to get. I'd have bought Apple shares at the same time, by the way, and mined a few Bitcoins. So I don't regret it. Just one of those things I never got around to doing.

Carole

But if you did have DuckDuck.com, it's kind of shitty if you have to register Duck1, doc2, doc, you know, en, doc, you know, all the different types just to make sure no one pretends to be

Graham

You. Get all your ducks in order. Yeah. Yeah. Good one.

Paul

Yeah. You sometimes do wonder why after a domain this is registered, because of course it's not a subdomain of wordpress.org. It is a separate domain. I suppose the idea is it's meant to be, you know, a free market. It's meant to be a place where somebody who's big and rich can't just register duck.com and then say to me, oh, you want paulduck.com? Oh, no, no, no, no, you can't. So you can see why it's kind of liberal. And I guess the idea is that the powers that be would just rely on WordPress saying, hey, this is clearly domain squatting or clearly the intention of fraud. But that kind of takedown doesn't happen in minutes or hours or even days, perhaps not even in weeks. So, yeah, you kind of wish that it was easier to control, because when you look at it, you're like, what were they thinking? Why did the .org registrar allow that domain? It's so obviously bogus.

Graham

It feels to me that there's an irony here with this particular attack, which is that they are actually targeting people who are security conscious. Indeed. People who actually respond to a notification about what appears to be a critical patch in their WordPress, which they want to apply because otherwise...

Carole

You didn't worry about me, did you, Graham?

Graham

No, I knew you wouldn't read the email, but you wouldn't take notice of it. But if I was running an inflatable fetish website, for instance, on WordPress, and I got a notification that, I'd think, oh, crumbs, I need to apply this patch because otherwise my users' data might be exposed. So there's this strange thing going on, isn't there, where actually, if you're security conscious, you may be at a little bit more risk than if you're not. And I think if you do click the button just to see, and you go to the site, and you don't notice the dash for dot, because it just looks almost right. It really does. Yeah, it really does look legit. I've just spotted a mistake they've made, actually, looking at this. Do you want to tell them? Because it's still going, this scam.

Paul

Or do you want to leave it there just in case? Well.

Graham

I'm reading your article on your blog and I'm looking at these images you've got up, and they have made a mistake which is a really obvious one, which is in the word WordPress. Oh yes, yeah, you're right. The official WordPress is a camel case word, it's a capital P halfway through, and they've put it in most places, not absolutely everywhere, but in most places they've put it with a lowercase P. So the nerd in me might have spotted that because I write WordPress so often. The nerd did spot it. But I didn't know. I'm looking at it now and I can't not see it. Yeah. But I just glossed over that. You know, the other cheeky thing that they do with this is that if you install the patch, they then display a little dialogue saying, thank you for patching your system, lovely, lovely, you're all up to date, you can help the WordPress community by sharing the word. We encourage you to share this patch with people you think might be affected by this vulnerability. So you could actually be doing the bad guys' dirty work for them by getting your friends to install it as well.

Paul

Yes, this is a Trojan horse, not an old school computer virus capable of self-spreading, but they've added the computer virus part into it by getting you to help spread it to your buddies. And that pop-up, it just looks fine, doesn't it? The patch has been installed successfully. Your WordPress is up to date, blah, blah, blah. And in the ratings, they didn't just do what you'd expect and everyone gave it five stars. They put in a few people who didn't like it. They got a couple of people who only gave it four and two and even had one person, no, one star rubbish. It just—

Carole

You know what the worst irony of all this is, though, Duck, is they're going to listen to this show and take notes. And you've just improved them marginally. Yeah, nice work, Duck.

Paul

Well, you pointed out the typo.

Carole

Yeah, Graham. I did nothing. I was hardly listening.

Graham

Carole, what's your story for us this week?

Carole

Do you guys know the expression winning hearts and minds? Yes. Do you know where it comes from? Shakespeare. Second World War. Yes, war. According to military history wiki that I found, it's a concept occasionally expressed during war, insurgency and other conflicts. And it's where one side seeks to prevail not by using superior force, but by making emotional or intellectual appeals to sway supporters of the other side. Kind of like rhetoric, basically type of rhetoric.

Paul

Have you ever used that word on the podcast before? Because I like it. I like hearing the word rhetoric. I don't think it's used enough these days. That's what I studied when I was studying a long time ago. Exactly. Yeah. Yeah. Great.

Paul

Yeah, wasn't he a comic actor or something?

Carole

Yeah, comedian and actor. Reagan was too, right? Reagan was an actor.

Graham

He was in a TV show about a comedian who somehow becomes president and then he became president for real life. It's so crazy. As if any country would hire someone just on the basis of appearing on a TV show. Imagine that. Yeah, crazy.

Carole

Like last January, The Guardian published this article on how Zelensky became Hollywood's man of the hour. And the strapline is from Ben Stiller to Jessica Chastain, celebrities have embraced Ukraine's president and offer support to the country's war effort. So that's kind of proof that he's the winner of hearts and minds of the moment, do you not think? Yes, yes, okay, just making sure everyone's still with me.

Graham

I was nodding feverishly but very quietly.

Paul

Yeah, I was just thinking, is this a trick question? Think carefully, because after not spotting that WordPress mistake I'm feeling I need to be more cautious in my digital life. But yes, yes, Carole.

Carole

Okay, so no surprise this must frustrate and anger those on the pro-Russian side of things. Perhaps they wonder why isn't our esteemed leader Putin, Mr. Putin, the smallish man who wrestles big cats and hunts bare-chested. Why is he not loved and admired in the same way? Yeah, funny that. So one way is to discredit the opposite side, right? Start chipping away at the reputation and you could use the digital world as your vehicle. So a group has been working on this, revealed Microsoft just last week, in a rather novel way. And I'm so interested to hear what you guys think of this approach. So here are the ins and outs of a new cyber campaign. They have this unknown pro-Russian influence group and they say they recruited legit bona fide Hollywood actors and other celebs. So we have names Priscilla Presley, Elijah Wood, Dean Norris, Kate Flannery, just to name a few. And you're thinking, well, how did they get them to take part in a smear campaign? Well, Microsoft thinks that these celebs were directly contacted via video messaging platform, such as Cameo. And Cameo is a website where you pay all manner of people, bona fide people, including a gaggle of celebs and comedians and whatnot, to get personalised mini videos from your favourite stars.

Graham

The likes of Elijah Wood have got a Cameo account.

Carole

Yes, it seems they do. Times must be tough. I went looking to see who I could find on it, and I found Don Johnson, right? Star of 80s cop show Miami Vice.

Graham

Well, that's the whole point, Carole, because he was a star of a 1980s TV show. He hasn't done anything since, and so the only way he can make money... No, but

Carole

He's charging 400 bucks a pop for a one minute or so video.

Graham

And how many is he making of those?

Carole

I have no idea, but he had a few examples, which I watched. I'll put a link in the show notes for everybody. Okay, and what you do is you kind of would say to him, hey, hey, hey, okay, here's your 400 bucks, can you address it to this person and make this message? Maybe I'd say to Graham and say happy birthday for next birthday party or something like that, right? You'd be like, wow, that's so cool.

Paul

Carole can I just say at this point I'm feeling slightly poorly because I'm remembering that there was a chap in the United Kingdom who got on Cameo and I seem to remember he was charging 70 quid a go. Oh, really? Who was that person? Well, I don't want to say it.

Carole

Does it rhyme with fine?

Paul

No, but his first name rhymes with Nigel. Nigel Farage?

Carole

70 quid, really? Wow. Apparently, yeah. So, I don't know. I think, guys, you could probably do this as a sideline if you wanted. You're pretty, you know, you're celebs in the area of cyber. You could send people little, you know, jokes or something.

Graham

No, no, no, no, no, no. No, absolutely not. I have thought about it, obviously. Oh, right. But no, because there is nothing sadder than seeing somebody up on Cameo whose career has fallen to such depths that they now will read out messages to people saying happy birthday.

Carole

Why is it sad? It makes people happy.

Graham

Who? Who are these people?

Carole

Oh, if I got one of my mom's favourite people to say, hey,

Graham

Mom. No, no. I've looked up Cameos before of people, like actors from Doctor Who and things. And I think, oh, my God, this is so embarrassing that they're having to do this. And so if your mom, who currently thinks the world of, I don't know, Tom Selleck or something like that, she saw Tom Selleck wishing her a happy birthday, they should think, oh, this is what he's doing now. This is as good as it's got.

Paul

I don't think everyone's quite that cynical about it. I think some people just think it's good, clean fun. And if somebody wants to make, let's face it, $400 for a minute's work, that's a good rate by any account.

Graham

I'd love to do that. But I don't think many people are probably buying greetings at $400 from Don Johnson from Miami Vice.

Carole

I'm going to crack on with my story.

Paul

Okay. I think you're going to be a winner, Carole, because obviously this story wouldn't exist if Cameo wasn't popular. I suppose. And they don't know if it is Cameo. It's a site like Cameo. They've mentioned that. They're not sure exactly how they managed to do this.

Graham

So they edit it so they just have the bit where—

Carole

Well, they have the name, they have the whole video. It's a one-minute-long, maybe, whatever they grab, but then they put an overlay over it so it looks like it comes directly from the actor's Instagram page. So they've overlaid things like emojis and links and the sort of stuff that give it a real feel, says The Register.

Paul

Oh, so the theory is that instead of thinking, oh, somebody paid 70 quid for that, they think, hey, that person feels strongly enough that they actually put it on their own social media page by themselves.

Carole

Exactly. Yeah, like everyone, you see it, you're thinking, wow, Priscilla Presley really cares about Vladimir.

Graham

Couldn't they just get Steven Seagal to do that? Isn't he a friend of Vladimir Putin's? Couldn't they just get Steven Seagal to do all of these videos and put them on his real Instagram?

Paul

Yeah, but that wouldn't work as well, would it? Because if you're known to have that particular viewpoint, it's when someone that you wouldn't expect suddenly seems to be like Frodo Baggins.

Carole

And these videos were then shared on Russian social media networks, all in the name of promoting Russia's long running claim that Ukraine's leader suffers from addiction, which is reportedly widely, this is completely false. But how weird is it? Why wouldn't you use a deepfake? Is it because the celebrity can't deny that he said it? Is that why?

Paul

Maybe. Or maybe it's just cheaper and easier. And the thing with deepfakes is no matter that everyone goes, oh, look how good they are, they are fake. It's like that WordPress page that I was just talking about. And Graham said, oh, look, they spelled WordPress wrong, which none of us have noticed until halfway through the podcast. You know, the thing is that nothing is quite as real as something that is actually real.

Carole

Yeah, I should underline the celebs who took part in this had no idea that Vladimir, the name, was referring to Vladimir Zelensky or President Zelensky. And there's nothing new with warring sides trying to bash in the reputation of the opposition. But why use Priscilla Presley, for Christ's sake? It's so weird. For anything. Come on. What would be the point? Well, Microsoft Threat Analysis Centre has observed seven star videos since July 2023. And it says that they're expecting to see much more in the coming year. So it's going to intensify as the war rages on.

Paul

I suppose the deal is that it's not so much the name of the person as that that name is known to be someone who is American.

Graham

What, Vladimir?

Paul

Priscilla.

Graham

No, the celebrity crew. Try and keep up with your own story.

Carole

I told you I was out very late last night. I'm suffering.

Graham

Now, you've probably noticed the uptick in identity-based attacks recently hitting the headlines. If you're working like crazy to get everything behind SSO and make sure everyone's using strong passwords and MFA, then Push Security is for you. Push Security helps you to monitor and secure your entire identity attack surface, including non-SSO identities. Get notified in real-time to vulnerabilities across all your internet-facing identities. What's more, Push Security then guides your employees to fix simple issues so your team can carry on fixing everything else. Want to check it out? Well, head over to pushsecurity.com/smashing. That's pushsecurity.com/smashing. And thanks to them for supporting the show.

Carole

Thank you to Smashing Security sponsors Vanta, where you can shortcut compliance without shortchanging security. Expand the scope of your security program with Vanta's market-leading compliance automation. Vanta's 5,000 plus global customers report saving over 300 hours in manual work and up to 85% of cost for SOC 2, ISO 27001, HIPAA, GDPR, custom frameworks, and more. And with Vanta's 200 plus integrations, you can easily monitor and secure the tools your business relies on. From the most in-demand frameworks to third-party risk management and security questionnaires, Vanta gives SaaS businesses of all sizes one place to manage risk and prove security in real time. As a special bonus, Smashing Security listeners get a whopping 20% off Vanta. Just go to vanta.com slash smashing. That's V-A-N-T-A dot com slash smashing. If you work in security or IT and your company has Okta, this message is for you. For the past few years, the majority of data breaches and hacks you read about have something in common. It's employees. Hackers absolutely love exploiting vulnerable employee devices and credentials. But imagine a world where only secure devices can access your cloud apps. Here, credentials are useless to hackers, and you can manage every OS, even Linux, from a single dashboard. Best of all, you can get employees to fix their own device security issues without creating more work for IT. The good news is, you don't have to imagine this world. You can just start using Kolide. Kolide is a device trust solution for companies with Okta, and it makes sure that if a device is not trusted or secure, it can't log into your cloud apps. Visit kolide.com slash smashing to watch a demo and see how it works. That's K-O-L-I-D-E dot com slash smashing.

Graham

And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week. Pick of the Week, Pick of the Week, Pick of the Week is the part of the show where everyone chooses something that could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they like. It doesn't have to be security related necessarily. Better not be. Well, my pick of the week this week is security related.

Carole

Oh, this close to Christmas and you seriously are pulling this? Well, one out. Okay.

Paul

It's usually when I'm on the show, it's usually me going, "Oh, I don't really do anything except cybersecurity," and I'm the one who lets you down. This time I have something that is not security related. Thank you, Duck. It does involve coding, though.

Graham

Carole, I've got a question for you. Duck, you're not allowed to answer this. Carole, have you got a Pi-hole? Do you know what a Pi-hole is?

Carole

No. Is it like a Raspberry Pi? It's not your mouth either.

Graham

No, it's not. A Pi-hole is a bit of software which you might run on a Raspberry Pi.

Carole

Yeah, I said Raspberry Pi.

Graham

Oh, well, no, not a raspberry pie you eat.

Carole

No, I know, you dingbat.

Graham

Oh, okay, okay. I'm with you, Carole.

Paul

I think he's winding you up.

Graham

Okay, Carole. You explain then, Carole. You explain then if you've got one of these.

Carole

No, I haven't used it. It's still in its box. Someone gave one to me. Oh, okay. All right. Okay, all right. Well, a Pi-hole is a bit of software you can run on a Raspberry Pi that's quite well known, and you can send anything which looks like an ad coming over your internet connection to a black hole inside the Raspberry Pi so it doesn't get displayed on your computer, on your phone, or any of your other devices which are on your Wi-Fi. Yeah, you alluded to this last week, did you not, in your story? Or one story, one of our stories.

Graham

I did mention it because I had reason to put some internet filtering at home. Let's not go into the details. To maybe have a bit more parental control. Blocking ads.

Carole

Because the inflatables were getting too much. There's too much inflatables in the house.

Graham

Oh, I wonder if I'm blocked from reaching the inflatable site. Anyway, so what you do with AdGuard Home, as I say, it's free. You can download it from GitHub. It's not just put up there for research purposes only. It is put up there for legitimate purposes. You can run it on your Raspberry Pi. You connect your Raspberry Pi to your router and it means that you can block ads and tracking and porn and all kinds of other things. You can customize it for different devices. You can have customizable block lists. You can use some of the many other block lists which are already out there. And it works a treat. And it works really well. I have a question.

Carole

Ask me a question. What would stop said person in household from just disconnecting the chain and putting the chain back together in the old way? Would you get notified of that?

Graham

Well, it depends how well he would cover his tracks, because obviously my router is now using the AdGuard Home. It's sending all the traffic through it in order that it gets filtered. So if they were able to also reconfigure my router, then potentially they could do that. But that's protected with a password. AdGuard Home is protected with a password as well. And I haven't used an easy-to-guess password. It's one that's just sort of long and randomly generated. What he can do, of course, is simply turn off Wi-Fi on his device and use his cell phone connection instead to access stuff. And that's a whole other story of how you lock down your smartphone from being able to do things like that.

Carole

Ah, okay. A little bit complicated.

Graham

Yeah, well, I've already actually taken steps about that as well. But anyway, my pick of the week right now is AdGuard Home. It's free. It's open source. Go and check it out. I'm quite impressed with it. I've been running it for a couple of months now.

Carole

Well, future pick of the week. Yeah.

Paul

Duck, what's your pick of the week? My pick of the week, it's something that I've used before and I've come back to recently because I dropped my beloved Garmin down the stairs outside my flat, which it did not survive. And I had to go and get a new one. And I decided I'd buy the tiny little entry-level one because it's really tiny and it fits in your pocket. I think it's called the Garmin Edge, and it wouldn't be popular with people who like to track everything and have real-time online maps and do all the turn-by-turn navigation that many cyclists do. I don't really like that because I like to just enjoy the ride and I usually know where I'm going. I just sometimes get lost along the way. So I used a thing called Connect IQ. If you're a programmer and you're a cyclist and you've got a Garmin, it is actually user programmable and you can go and download their development kit, their Connect IQ development kit. And you have to learn a language called Monkey C, which is, wow, if you already know C, it's pretty easy to pick up. It's sort of like a scripting language and you can write your own apps that display what you want while you're along. And I used it to build, even if I turn it'll go in the screen, just fills up with a compass, like an orienteering compass. So it doesn't just give the bearing in like 203 degrees or whatever. It's good looking to just glance at it and see which direction you're going. And I found that this, what you might call approximate navigation, where I know where I'm going. Let's say I need to get from Oxford to Bicester, or I need to get from Oxford to the big Tesco and I want to take a different route and I know that I roughly need to keep going in a southeasterly direction. Then when I get off track, I can just glance down at my compass and figure, yeah, I'm going a little bit off course. I need to take a right somewhere here and work my way across.

Carole

Like a compass.

Paul

Like, yeah, just like a compass. So the problem with having a normal compass on a bicycle is even if you have an aluminium bicycle there's lots of steel everywhere, and so when you put the compass near it, it's like having a compass inside a car. It's a very complicated thing to have one that's tiny, inexpensive, that isn't set up specially, and that you can remove so it doesn't get stolen.

Carole

I didn't know that.

Paul

So this is with the Garmin. Obviously you have to be moving for it to work because it uses GPS, but it's great just having this big thing that just says, you know, well, north's behind you, north's ahead of you, or, you know, you need to turn left. And I got to write the code myself and do a little bit of graphics.

Graham

But you should put your code up and share it with other people, put it on GitHub. For research purposes only there is a Connect IQ community site where you can download stuff so I might just do that. And the other thing I did with it is I have a particular predilection for the typeface for terminal windows. I like the typeface that was originally used on the IBM 3270 terminals from the 1970s.

Carole

I love... I played. What was it called? That game. Tetris. No, no, no, no. It was like a word game. Zork. Zork. Oh, God. The Infocom games. The old text. Yes. And I played that on a green screen, an IBM green screen. Yeah. I didn't. Yeah. Very cool.

Paul

You can get the emulators for all of those games. Hitchhiker's Guide, the lot.

Carole

Super. I didn't know that. That's really cool.

Graham

If you like green text on a black background, I can recommend Paul Ducklin's blog as well, which is all monospaced and very old school.

Carole

I didn't know you were writing a blog. I want to go check it out, Duck. I didn't even know.

Paul

pducklin.com

Carole

Oh, perfect. Easy peasy.

Graham

Carole, what's your pick of the week? Well, we haven't mentioned it, but the holidays are upon us. So my pick of the week is top five things to get for the cook in your life. Now, I've not chosen dumb things. I've not chosen obvious things. And I haven't chosen expensive things. So I've got five things under 50 bucks for you guys to consider.

Paul

Fish, but when you get it out it's full of holes that looks as though someone's been stabbing it. Is that we

Carole

Only do it once or twice. You don't have to destroy it.

Graham

I seem to remember the Thermapen has been a pick of the week in the past.

Carole

It has, but that's why I've got four more. Thank you very much, let's see how you do with those ones.

Graham

Okay.

Carole

A second one is a small flat whisk. This is also known as a French whisk or a stainless steel egg beater. It's flat and has a coiled ring all around a spoon-like shape. It is so quick to do egg sauces, dressing, and even whipping up cream for a hot chocolate. It's a tiny, great tool. Single mold, mini and large silicone spatula. So you can get them with wooden handles. You can get them with different stuff. Say that again. Again, single mold silicone spatulas in a variety of sizes.

Graham

I think there's a fetish website. No.

Carole

Why do you have to make everything dirty? Everything. See, now I'm going to say it will clean out any bowl of goop. Now it feels rude to say that. And they wash up in seconds. Oh,

Paul

Is that because it works itself into any corner, any shape, any roundness? Because that's what I hate about stuff. You want to get something out of the box. The last bit of mustard. It's there. There's quite a lot left. I need one bit, one spoon more, but you put your stainless steel spoon in and you come out with nothing. Yep. Duck, I'm going to keep my eyes peeled. I always want to hunt for them. If I see them, I will buy you one. Oh. Also, if they land on your foot, I mean, it's granite, right? This is going to take your toe off.

Carole

They are heavy. And the last one is for people with wrist sensitivities. I have that and a lot of older people have it too. And so instead of, you know, they have things to open jars and these big clunky things. Hate those things. There's an answer. There's these things called rubber gripper pads. It's basically a tiny, thin, we're back to latex and rubber. It's a little pad of rubber and you put it on top of the lid and bish, bash, bosh, you open. Oh, that's so clever. These are all quite economical and they're all good and used and recommended. So all the links are in the show notes. These are not necessarily the exact ones I have because some I've had for a long time. I had no idea where I got them, but you'll see what I'm talking about. So check out the show notes. These are my pick of the week. Thank you very much.

Graham

Fantastic stuff. And that just about wraps up the show for this week. Duck, I'm sure lots of our listeners would love to follow you online and find out what you are up to. What is the best way for folks to do that?

Paul

The best way is to go to pducklin.com or, if it's easier for you, paulducklin.com out in full, or you can follow me on X. I can't believe I didn't say Twitter, but I'll say Twitter as well. I am @duckblog, and you can find me as P Ducklin on Facebook and LinkedIn as well, and that's Ducklin without a G.

Graham

Of course I was just saying we did you register that one because I'm just looking for it. It is indeed and you can follow us on Twitter at Smashing Security, no G Twitter and the last have a G. And we also have a Mastodon account. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favourite podcast app, such as Spotify, Overcast and Apple Podcasts.

Carole

And a massive thank you to our episode sponsors, Push Security, Vanta and Kolide. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest lists and the entire back catalogue of more than 351 episodes, check out smashingsecurity.com.

Graham

Until next time, cheerio, bye-bye. Adieu. Farewell. That's not funny. Toodle-oo. Pip-pip. Thank you.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Paul Ducklin – @duckblog

Sponsored by:

  • Push Security – Monitor and secure your entire identity attack surface, including non-SSO identities. Get notified in real-time to vulnerabilities across all your internet-facing identities, and have your staff guided to fix simple issues.
  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
