Smashing Security podcast #403: Coinbase crypto heists, QR codes, and ransomware in the classroom

Industry veterans, chatting about computer security and online privacy.

Graham Cluley


In episode 403 of “Smashing Security” we dive into the mystery of $65 million vanishing from Coinbase users faster than J-Lo slipped into Graham’s DMs, Geoff gives a poor grade for PowerSchool’s security, and Carole takes a curious look at QR codes.

All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Lazarus Heist’s Geoff White.

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Geoff White

Off the back of this, can I also have a quick rant about ransomware operators?

Graham Cluley

Because they're all tuned in. They all listen to Smashing Security, all the ransomware bad guys.

Geoff

Hey guys! Hey guys! Or should I say Privet or Strahlas Feetcher? Because we know where you all are based.

Graham

Smashing Security, Episode 403, Coinbase Crypto Heists, QR Codes, and Ransomware in the Classroom, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 403. My name's Graham Cluley. And I'm Carole Theriault. And this week, we are joined by a very special guest, someone who's been on the show many times before. It is, of course, the star of the Lazarus heist and various other activities. It's Geoff White. Hello, hello, hello.

Graham

Can you dive on some applause there? Geoff, what's been keeping you busy lately?

Geoff

Well, yes, powering into 2025. I'm lucky because America Invades Greenland was on my bingo card so I win. I've been keeping up with the rolling chaos that is the incoming Trump administration and I've got various projects in the works and things in the pipeline which I'm working on so I'm busy which is good.

Graham

Fantastic.

Carole

Let's thank this week's wonderful sponsors 1Password, TailScale and Cortex Symphony 2025. Coming up on today's show, Graham, what do you got?

Graham

I'm going to be talking about how some companies are still telling their users to turn off their security.

Carole

Okay, what about you, Geoff?

Geoff

I'm going to be talking about a school data breach and how annoyed I am with incommunicative ransomware gangs.

Carole

Okay, and I'm going to delve into the wondrous growth of the QR code. All this and much more coming up on this episode of Smashing Security.

Graham

Now, chums, chums, here we are, episode 403 of Smashing Security. Quite extraordinary. What have we actually learnt? What's been the purpose of this? What wisdom have we shared with the wider population, do you think, after all these podcasts?

Carole

Are we on the educational track?

Graham

And I didn't know. Well, it would be nice if there was a small sliver of that, wouldn't it?

Geoff

Constantly educational, I would argue. He's spreading the good word of cybersecurity and the important lessons to be learned.

Graham

Right. Exactly. I think to be safer online, we've often shared some pretty straightforward tips, even if you're only half listening while walking the dog. You've hopefully learnt to use a password manager and have unique hard to crack passwords.

Carole

Yeah.

Graham

Use multi-factor authentication.

Carole

Oh, good one.

Graham

Install an ad blocker in your browser to prevent malvertising. That's a good one as well.

Carole

Oh, I haven't done that.

Graham

Yep. Have a password keeper of sorts.

Carole

Use a VPN to ensure your connections can't be intercepted.

Graham

Don't use the phone in the bath. No, that was another podcast. Sorry. Brad Pitt almost certainly isn't in love with you. That's another thing we've learned. Don't click on suspicious attachments or dangerous links. We could go on forever, couldn't we? I don't know if we could go on for 400 episodes, but anyway, somehow we've managed to. So how would you feel if a company told you specifically to stop doing some of these things?

Carole

Concerned.

Graham

Any word? Or please pray tell, say more. What if they told you you really shouldn't run an ad blocker anymore? Or to believe it every time Jennifer Lopez drops into your DMs declaring her undying love for you? Not because following any of those behaviours is actually bad for your security, but because it might make you look suspicious. That's their argument. It's not that it's bad for your security. It's because it makes you look suspicious because you're securing yourself.

Carole

Suspicious to whom?

Graham

Well, to them, to the company. They're saying, don't do that because it makes you look suspicious to us. I mean, I would look suspicious if I was dating Jennifer Lopez, not just because I fancy Diana Rigg more than Jennifer Lopez. Although that would also be suspicious as she has been dead for some years.

Carole

Jennifer Lopez has died?

Graham

No, Diana Rigg. Diana Rigg. Goodness. Frantically Googles Diana Rigg now. Oh, come on. That's my domain. In fact, probably the only way I might end up dating JLo for real would be if I made a cryptocurrency fortune. I think she's just split up with that. No chance. No chance. She's just split up with Ben Affleck. She's vulnerable. You could be the gazillionaire.

Carole

Bigzillionaire, like 15 Elon Musk with a few Bezos on each shoulder and you still wouldn't get J-Lo, dude. Hey, she's still Jenny from the block. Yeah, exactly. You're not from her block. Trust me. Trust me.

Geoff

Fascinating as this is, and much as I'm enjoying the pictures now of Diana Wigg, back to the plot. Who is this company telling people, Graham, why are they saying that implementing security makes you look suspicious? Can you name names?

Graham

I can. Yay. Coinbase.

Carole

Oh. They're crypto, right? They crypto, guys.

Graham

Yeah, yeah. So that's how I'm going to lure J-Lo in. So I'm there in my mink coat with my silver cane, pouring my crypto fortunes into an online exchange like Coinbase. But some people have been having trouble with Coinbase lately. It turns out many Coinbase users have reported sudden restrictions on their accounts. So there is a chap we've spoken about him before in his work called ZachXBT. Sounds like a rapper. Legend, yeah. Yes, you know him, right? He's a renowned cryptocurrency investigator and he's unraveled ransomware gangs and investigated all kinds of heists which happened in the past. He's recently mentioned in a thread on Twitter that folks are fuming that they have been locked out of their Coinbase accounts. And he posted a screenshot of dozens and dozens of Coinbase users reporting that they cannot access their accounts any longer. And they've been given no reason.

Carole

So that's when you're going in you normally would. You put in your username and your password and it just goes, eh, eh. You can't come in. And it doesn't say why. You're just locked out. So let me tell you what users are saying. There's a guy called Zubik.

Carole

Coinbase, I'm assuming, is not regulated by whatever regulates all the banks and financial institutions. I think there are more and more regulations. I mean, maybe you know about this more than me, Geoff, governing some of these cryptocurrency exchanges these days, increasingly coming under regulations. But the main sort of activity around that's been around money laundering. So why is Coinbase doing this? Well, according to ZachXBT, it's to prevent its users from losing something in the region of $300 million per year. Well, where do you go? I mean, what's a cop going to say if you said, oh, I lost my crypto?

Graham

I suspect those sort of questions are coming into police. There may be enormous challenges sometimes in chasing this kind of thing and getting a resolution. But, you know, this is a very common type of theft today. It certainly is. I think I read the other day that is it in the UK some 12% of people now own crypto in some form or another? So ZachXBT says he started looking into this because someone contacted him saying that they had lost $850,000. See, that hurts. I don't understand why you keep so much money in there. Why do you keep that much money in a pension? Because it's regulated.

Geoff

Yes. A lot harder to get money out of a pension, I think, than to enter a username and password and transfer it.

Carole

I mean, under your mattress is safer than many crypto joints, in my view. But, you know, it doesn't make as much money, I suppose.

Graham

Anyway, this particular guy who lost $850,000, ZachXBT found that something like 25 other users had fallen for the identical scam. Where a scammer called the victim, they sort of spoofed their phone number, they pretended to be Coinbase. They used personal information obtained from private databases to gain their trust, so they knew information about their victim. Now, that isn't revolutionary. We've seen those kind of scams in the past, obviously, many times before. And what people don't realize is Coinbase will never, ever call you. But when they did call, when the scammer called, they told the victim their account had multiple unauthorized login attempts. So people kept on trying to log in. They then sent a spoofed email to the user, which appeared to come from Coinbase support, with a fake case ID, further gaining the trust of the victim.

Carole

Coinbase would never do that either. Send a support email.

Graham

Well, maybe their support people wouldn't get around to it. Who knows? But that then instructed the victim to transfer funds to a Coinbase wallet and whitelist that address while support, in quotes, verified the account security. So obviously that's where the scam takes place is that the money is then moved.

Carole

I can totally see people falling for this. What would you do? What would you do to verify it? I guess many people would just click on the link and say, does this look like the Coinbase site? And the scammers, of course, have cloned the Coinbase site pretty much identically. I don't think they're alone, though, in companies that say don't use VPNs if you want this to work. You know, lots of people use VPNs, for example, or used to, I don't know if it still works, but used to use VPNs to watch streaming channels they weren't allowed to watch in certain regions and that sort of thing. Yeah, there are non-security reasons to use VPNs as well. There's perhaps less requirement for a VPN amongst the general population than there used to be because so many sites now do have set up an encrypted tunnel with your browser via HTTPS.

Carole

So you're saying that basically the people that use VPNs are the ones that weren't able to log into their accounts, but their money is fine and safe. It's just don't use VPNs. Otherwise, we won't be able to identify you properly.

Graham

Certainly, it seems like some of these people have been locked out because of their ad blocking usage, maybe extensions, maybe their use of VPNs. Who knows what other signals Coinbase is looking for for suspicious activity. What's really fascinating about all of this is there's actually a really massive issue lurking in the heart of all of this, which is that when cryptocurrency was created, when Bitcoin was created, as one of the first major cryptocurrencies, one of the big attractions of it was anonymity was the idea that unlike your credit card and your bank account, you can't be tracked. Services at this point? Well, I—

Geoff

Just... Does this turn into an advert? For an $85,000 down payment, you can hire the services of Geoff White.

Graham

Geoff, what's your story for us this week?

Geoff

I'm going to be looking at a hack on a US company called PowerSchool. I just can't help pronouncing it like that. It just sounds like PowerSchool. This is a sort of software provider for schools. So basically it provides the kind of software that logs grades and attendance and all that kind of thing. According to TechCrunch, 18,000 schools. It's in and supports 60 million students in North America. Software was hacked. This went back to, I think it was December last year, they first announced it. And we're still finding out the details about this. The reason this story sort of caught my eye was, and it's a really facile reason, but do you remember that scene in War Games, that classic computer hacking movie, where Matthew Broderick's character hacks into a school database and changes his grades? What are you doing? Dialing into the school's—

Carole

Computer. Are those your grades? Yeah.

Geoff

I don't think that I deserved an F. Do you? You can't do that. It took me straight back to that as soon as I saw this because it records your school grades this software and the idea that you can hack in and change your grades to A, I just, it took me right back to War Games. But should I admit that having—

Graham

Worked in this industry for 35 years, oh no, I've never seen War Games.

Carole

Oh, no. He's not seen a lot of very good films, in my opinion. Really? Were you raised by wolves? He was probably raised by wolves. Never seen War Games. No, no, nor E.T. We could list a lot of movies. Oh, no. Sneakers, that's a hacking movie. Not seen that. Independence Day? I have seen Independence Day, yes.

Geoff

Anyway, so yes, War Games, by the way, War Games I still think is worth a watch. It's a thrilling little tale. And there's this classic scene in it where Matthew Broderick's character is logging into the school software to change his grades. I mean, there's a number of things about the film that are quite unrealistic. One is that there's a really attractive girl in school who's attracted to him, even though he's a computer geek. And he tries to change her grades as well. And then she refuses and says, no, no, you shouldn't change my grades. And then when she leaves, he changes her grade anyway to an A. That's love, baby. In preparation for this podcast, I watched the scene. That's the amount of preparation I do for this programme. Watch some YouTube. Thank you. Anyway, back to the plot. PowerSchool gets hacked and the hackers break into some portal which allows them access to a lot of the data that PowerSchool holds, which obviously is kids' data, so that's bad. As we said, one of the major problems with this is exactly what the thing gave access to and what information got stolen. So we know that they said, well, this was potentially sensitive information. So this was students' grades, their attendance and demographics, also social security numbers and medical data. I was thinking about that. That could be, you know, my little Johnny has asthma. Exactly. Yeah. But even so, I mean, these days, mental health, does that include mental health data? Because that could be—

Graham

And this is a lot of schools who are using this software as—

Geoff

Well, isn't it? That's the other thing. A lot of schools using it, how many schools are affected? We don't know. PowerSchool are doing this interesting thing of saying, yes, we've got a handle on this. We know what's been affected. And then when journalists are asking, well, how many schools are affected, PowerSchool say, well, we don't know. It's like, well, it's either column A or column B there. Again, you get little tidbits of information come out. Toronto School District Board, which is a school board in Canada, reckons the hackers may have accessed 40 years worth of student data. Oh, wow.

Carole

What are they keeping 40 years of student data online for?

Geoff

Well, this is the thing. You've got to read these things carefully. May have accessed 40 years' worth of student data. What that probably means is that PowerSchool systems have access to something like 40 years' worth of data going back. But did the hacker access that or not? It sounds to me like Matthew Broderick's in trouble.

Graham

It certainly is. They may have records of him logging in and changing his grades after all these years.

Geoff

Indeed, indeed. Maybe that was the thing that was used in WarGames. So there is a huge amount of sort of fog of war around this type of stuff. But what's really been interesting is apparently the teachers who use this stuff, the school, I should say school administrators, it would be teachers, but also people who work in schools, run the IT systems, have been trying to get together and work out what the hell's happened. The problem with this, and I do sympathise with PowerSchool, is each school has its own implementation of this. They log their own types of data. So when people say, well, what data's gone, PowerSchool sort of said, well, it kind of depends what the school was storing on our systems, which is sort of up to them. So I do have a certain amount of sympathy. What's interesting is the school administrators themselves have started to weigh into this and actually take matters into their own hands and have started sharing on one of their forums, one of these bulletin boards, information saying, well, I looked up this and I found that and the hacker's IP address is this. If you search for that, you might be able to find it. So they're actually doing a sort of crowdsourced instant response to this thing, which just shows you in the kind of fog of war with a lack of information from PowerSchool, it seems. The actual users themselves are coming together and trying to sort out what's happened. And it's been a really interesting sort of thing to watch in terms of the incident response.

Carole

That's weird, though, as well, because often we would say, oh, you know, be careful doing that in a way because you want to involve the person who's running the software. But if they're not coming back, like, what do you do?

Geoff

Exactly. Somebody said that their information has been suspicious and not very useful. It has to be said, given what they were saying to the press. So has there been any kind of ransom demand over this? Well, we think so. We think it's a ransomware attack. Now, obviously, the way these modern ransomware attacks work, they've broken in. They've probably stolen a bunch of data. What's interesting about this again, though, is in the past when the hackers have attacked systems like this, sometimes they've gone to the provider, in this case, PowerSchool. But the other option is to go, of course, to the 18,000 schools and try and get 18,000 ransoms out of them. Interestingly, this is again from this TechCrunch article. PowerSchool told TechCrunch they'd taken appropriate steps and said that it worked with cyber extortion incident response teams to negotiate with the threat actors responsible for the breach. The TechCrunch article then goes on to say, this all but confirms that PowerSchool paid a ransom to the attackers that breached its systems. The company refused to say how much it paid, how much the hacker demanded. Now, I think that's a bit of a leap. Just because you've got somebody doing negotiation doesn't mean you've paid or certainly paid yet. But interestingly, what piqued my attention about this story was that I'm working at the moment on a ransomware story for an outlet. And so I'm doing a lot on ransomware. So I'm looking at a lot of ransomware groups, websites, where if they want to threaten the victim, they post details of the victim and say, we've hacked this company or this organisation, you know, here's what we've got and we'll leak it unless they pay. I haven't seen this PowerSchool leak on any of the sites I've been checking. I've accessed them all, but I've not seen it on there. And the suspicion always is, well, if your information's not on the site, you're probably negotiating and probably paying up. So I don't know whether that roundup of ransomware websites I'm looking at indicates that maybe PowerSchool have paid and therefore aren't being identified on the sites. It's interesting. It's proper fog of war, this one.

Graham

And there's no sort of regulations about them reporting that they've fallen victim to this ransomware attack? Do they have to inform the FBI who maybe want to gather information on different cybercriminal groups?

Geoff

I understand it in the US, if you're a public institution like a government department, then yes, you have to declare it. But PowerSchool is a private company, and I'm pretty sure in the US, as in the UK, it's still not the case that you have to report. The UK is looking at this. UK government, obviously, big consultation. What do we do about ransomware? It's being reported that they're trying to talk about introducing a duty to report. You have to report if you get hit by ransomware. People I've spoken to say, no, it's a bit different to that, that it'll be a duty to inform government if you want to pay, which obviously means you have to go and tell a teacher if you're going to do this. So the effect might be the same, that people don't want to pay because they don't want to tell the government that they're going to pay. However, off the back of this, can I also have a quick rant about ransomware operators? Because they're all tuned in. They all listen to Smashing Security, all the ransomware bad guys.

Graham

Hey, guys.

Geoff

Or should I say Privet or Strahlas Feetcher? Because we know where you all are based. But anyway, as part of this story I'm doing about ransomware, I am contacting a whole bunch of these ransomware operators, these dudes. And I've got to say it is pulling teeth, it is the hardest interviewing job I've ever done because they're computer geeks and obviously computer geeks don't tend to be very verbose and chatty. And I think a lot of them are Russian who from my dealings with Russians are some of the most taciturn people on the planet, trying to get more than two words out of these people is agonizing. You ask them, "Oh you know what do you think of the..." Oh, it's just money.

Carole

You will not social engineer me, Mr. Journalist.

Geoff

Just tell me. So I got one guy, I got one guy on the chat and he was coming out with answers. And I thought, this guy's actually capable of stringing a sentence together. It's great. And I was this is good, I can use some of these quotes. This is, you know, he is actually a ransomware operator. He's an affiliate, you know. And then I looked back at the interview and there was something really strange about his answers. Oh, no. There were shorter answers that were quite revealing about who he was and what he was doing. And in those answers his grammar was pretty bad, he didn't spell "I" with a capital "I" when he's saying "I am" and that kind of thing, no full stops. And then the longer answers, the ones that I thought oh that's quite juicy, they were the kind of answers that you get from ChatGPT and I was oh no, the one interview way I got I could string a sentence together is actually just using ChatGPT. Bloody hell, it's impossible, I just want someone who talks sense, oh my god.

Graham

Carole, what have you got for us this week? Well, before I get into my topic, have you guys been seeing articles about how children's reading levels are plummeting? Something a third of eighth graders in the US have below basic reading levels. And if this can't be solved, my topic for today might be the answer, which is QR codes, because you don't need to read a thing.

Graham

No, I don't know it's an acronym. Quick something?

Carole

Yes! Quick Response. Quick Response Code. Okay so it's a two-dimensional matrix bar code invented when, any guesses?

Graham

1991.

Carole

1994, very close, oh I'm so close. And it was originally used by a Japanese company called Denso Wave, and it was used to label car parts. And so these QR codes basically are, you know, we all know they're black squares and a white background, and they have reference markers inside that are readable by most smartphones, computers, wearables, that sort of thing. And then the data is extracted magically from these patterns, and then brings you to whatever, a service, a product.

Geoff

Sorry to interrupt, but for the eagle-eared there among us, magically interpreted. What I'm intrigued by is some QR codes are really blocky and they've got I don't know, 16 square bits on them. And others, they're really, really tiny little blocks and loads and loads of them. And yet they all scan. That's what I wonder is how does the phone turn the QR code into a sort of effectively a URL? Yes, I've wondered that too, Carole. Could you tell me? You know what? I'm not going to tell you on the show, but you can go read it in my show notes because I do have it in there and it uses some kind of technology, which I can't remember the name of right now. But yes, you can go read about it. So, you know, go do your homework. I won't do it for you.

Graham

I thought it was COVID. Yeah, COVID kicked it off. Yeah, COVID, if you were ordering things, wasn't it? Restaurants, yeah, you wouldn't have a waitress going from table to table spreading nasty germs. Or waiter.

Carole

Yeah, it's the germies. It's the germies, the fingerprints, the greasy stuff on the parking meters or fingerprints on menus.

Graham

Yeah, it was during the whole, was it eat out to help out or also show up to throw up was the other way we phrased it, yeah.

Carole

It's hard to remember just how careful a lot of us felt we had to be during the peaks of COVID, and so it was a perfect storm that QR codes were there and it just proliferated during that time. And the other thing is that they're easy peasy lemon squeezy, like even the youngest users would typically be able to figure out what to do with a QR code in a minute or two, right? It doesn't take a lot of technical nous because you kind of think it's really good for the user, right? Like it makes it easy for me to go to a parking place and then just scan this code and then off I go to where I need to go. But it's used in all manner of things, like from sharing simple business card details to touchless payments, Wi-Fi logins, event check-ins, ordering online. And the reason people use them is they're cheap. Like incorporating QR codes is straightforward, budget-friendly, and there's even free tools to help you create them. They're forgiving. So people can scan them from a bad angle. You don't have to be dead on, the size can be different. They're also little research spies, these QR codes, because they help companies monitor who scans the material, how often, which type of device is used, what time did they scan, what location did they scan. And this tracking provides valuable insights, right? So they're pretty neat. And consumers like them, businesses like them. So technological marvel. There shouldn't be any problems. But there are a lot of news right now happening both in the UK and the US about being careful of scams. The media is rife with reports about motorists being scammed at car parks across the UK with councils battling fraudulent QR codes stuck on machines.

Graham

Yeah, this is where they stick over a false QR code, isn't it, on the machine? Yes, I've seen this, yes.

Carole

That's right, right? And it can look really legitimate. And basically, the user just, you know, I need to pay for my parking, scan the code. However, the link takes you to a fake website. So you're actually paying the fraudster, not the council, meaning that they'll probably fine you.

Geoff

Who knows what the real parking website is supposed to look like? If it looks shonky, I'd be like, that's just the parking website, that's normal. And what about in the States? It seems to be US package scams.

Graham

It's not a dog poop in a sandwich box or something like that. It is a proper thing that people might want.

Carole

So let's, I don't know, just say it's a shoe horn, for example. Right? You get this shoe horn.

Geoff

Just to pick one of those incredibly popular items out of the air. You might... Our survey said. A pair of grape scissors. Do you know what? Both of those items I currently have in my house. You are so upper class. So you get a shoehorn through the post in a package.

Carole

Well, you'd have to log in to your Amazon page, for example.

Graham

Oh, I see. So it takes you to a fake Amazon. Oh, I see. I understand. Maybe it's Amazon. Depends on what the scam is, right. It's a hacking gang. It's one of those hacking gang names. All right.

Carole

Yeah, according to Microsoft, the threat actor initiates email contact with their target to engage them. In this campaign, the threat actor personates a government official. So that's what they use in this particular campaign. Email sent to the target contains a QR code purporting to direct users to join a WhatsApp group on, quote, the latest non-governmental initiatives aimed at supporting Ukraine NGOs.

Graham

Hang on. You get an email on your phone, which contains a QR code. How do you scan an email on your phone with your phone's camera? You'd have to have mirrors. Have they thought this through properly?

Carole

People, I don't know. I don't know how that works.

Geoff

You could get the email on your laptop, couldn't you? If your email account's on your laptop, and then you scan it with your phone from your laptop.

Graham

Oh, I suppose so. Fair enough. A lot of people have two phones. Maybe they're sitting there with both phones. Okay, so this code, this QR code in this email is intentionally broken and will not direct the user to any valid domain. And this is an effort by Star Blizzard, apparently, to target the recipient into responding. Oh, that's sneaky. The criminal is linking their device to your WhatsApp account. Getting access to all your content in there. Oh, that's really nasty.

Geoff

Also, if you're buying a phone, you can't scan the QR code with your phone because you're buying the phone. As Graham pointed out, what are you doing?

Graham

It's just a scam to sell more phones. Are you ready to experience the ultimate cybersecurity transformation? Sign up for the Symphony 2025 Virtual Summit, the event that will keep you ahead of adversaries and empower you to stay one step ahead.

Carole

See, Symphony 2025 is your VIP pass to the future of security innovation. It's packed with exclusive insights, live demos, and stories from pros who are already conquering the toughest threats with Cortex, the comprehensive cybersecurity platform by Palo Alto Networks.

Graham

Whether you're a security leader, part of a security operations team, or simply interested in the latest cybersecurity innovations, this one-hour event has something for you.

Carole

So register now at smashingsecurity.com slash symphony. That's smashingsecurity.com slash symphony. And join Symphony 2025 and be part of the Cybersecurity Transformation Event of the Year. And thanks to Symphony 2025 for sponsoring the show. Everyone these days has a VPN as a sponsor. But Tailscale isn't those. This isn't about hiding your browsing habits from coffee shop owners. And it's not about watching Netflix in any other country.

Graham

That's right. Tailscale is a modern networking solution for connecting your applications, your services and devices securely. It's great for companies and it's great for self-hosters too. And it's fast, really fast. It's private. It's easy to deploy. Zero config, no fuss VPN. Plus it means zero trust. Every organization can use this. Thousands of companies already use Tailscale, like Instacart, Hugging Face, Duolingo, and more. So why not try Tailscale for free today? You'll get 100 devices and three users for free with no credit card required.

Graham

And thanks to Tailscale for supporting the show. Now, regular listeners will know that 1Password is a long-term supporter of the Smashing Security Podcast. And this week, we want to tell you about how 1Password's extended access management can help your business.

Carole

This is the first security solution that brings all the unmanaged devices, apps, and identities used in your company under your control. And it ensures that every user credential is strong and protected, every device is known and healthy, and every app is visible. Because 1Password Extended Access Management solves the problems traditional IAM and MDMs can't. It's security for the way we work today. And it's now generally available to companies with Okta, Microsoft Entra, and in beta for Google Workspace customers.

Graham

1Password's award-winning password manager as well is trusted by millions of users and over 150,000 businesses from IBM to Slack. And now they're securing more than just passwords with 1Password Extended Access Management. Find out more right now. Go to 1Password.com slash smashing. And thanks to 1Password for supporting the show.

And welcome back. Can you join us at our favourite part of the show? The part of the show that we like to call Pick of the Week. Pick of the Week. Pick of the Week. Pick of the Week is the part of the show where everyone chooses to sound their light. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app. Whatever they wish. It doesn't have to be security related necessarily. Better not be.

Well, my Pick of the Week this week is not security related. My Pick of the Week this week. Graham, you're into the whole art thing. Well, I bought a piece of art for my lovely wife. Did she choose it? No, she didn't. Well, no, she had hinted. She had hinted some months before. She said, oh, I quite like that. So I made a little mental note and thought, oh, I will get that for her one day. So this particular piece of art is by an artist called Niall Conlon, who was brought up in Belfast and is in response to a sign which used to appear in some London boarding houses back in the 1950s, which used to say, no Irish, no blacks and no dogs, which they'd put up in the window because they didn't want people like that. Now, I don't know if you've noticed lately, but there's been some people who've been a bit anti-diversity lately and maybe have been picking on minorities or maybe just dogs. Who knows? But as a result, I thought maybe I should choose this particular piece of art because Niall Conlon has done this piece of art, which is all about more Irish, more blacks, more dogs. And so I bought it for my lovely wife. It's a vibrant piece of art. It's a bit graffiti-esque, I suppose, promoting inclusivity, empathy and diversity. You can go and check out other art by Niall Conlon if you wish to. He's even doing t-shirts and mugs and all sorts these days as well. But that is my pick of the week.

Graham

Fantastic. Geoff, what's your pick of the week?

Geoff

My pick of the week I'm gonna go for is a book that I just finished which is called Money Men by a guy called Dan McCrum. There is also a documentary version of the book, which I think is called Scandal with a K, which is on Netflix. Yes. I have mixed feelings about this book. And it confused me. It confused me, this one. Because on the one hand, it's very compellingly written. It's about a company called Wirecard, which was a German company. Yes. Wirecard, very famous case of a company that managed to achieve, I think it was an $18 billion valuation. At one point, they were going to buy Deutsche Bank. They thought they could buy out Deutsche Bank. And it turned out the company was basically worthless. It was a giant fraud. So you're kind of seeing, you want to see where it goes. You want to see what happens to the guys. And it is an interesting read and it is a compelling read. However, some of the stuff in it was just not well explained at all, I thought, some of the concepts. If you're a financial journalist and you understand things, fine. But I'm not, you know, I'm a journalist, mainly concentrating on technology. I'm not thick, but, you know, sometimes it left me behind a little bit. Because Dan McCrum is...

Graham

A financial journalist, isn't he? He is. He works for the FT. Yeah, that's right. So, yeah. Yeah. Yeah, he works for the Financial Times.

Carole

Oh, I think that's quite elegant. Yes.

Graham

It's one of those things where sometimes you want to sort of cut and paste the text and ask an AI to explain this bit as though I was 12 years old. Yes. And I do wonder, I do wonder in future whether, and this is a kind of slightly out there thing in terms of publishing, increasingly, obviously, I think people are going to read on e-readers and, you know, digital books and audio books.

Carole

Yeah, it was like Coles Notes, what we used in high school, way back in the day. Yeah, that's not reading, though. That's like information.

Geoff

Whereas this would be you'd have different versions of the same book for different knowledge levels. I think that might become down my mind. I know anyway, as long as they pay me three times as much to write the book, I don't mind. Carole, what's your pick of the week?

Carole

So January, we've just finished January. In January, the UK is a pretty bleak time of year to my mind. It's cold, it's drizzly, it's dark. There's only a few hours of sunlight.

Geoff

It seems to go on for about six weeks as well, January. It goes on forever.

Graham

Oh, you guys are incredible. Think of how much worse December is. December, it's getting darker all the time. January, it's getting brighter. In December, you're crammed into houses with relatives you only see once a year, and the tension is absolutely overwhelming. January is fantastic. You don't have very much to do. It's relaxing. You know, you're just a slow start to the year.

Carole

Well, no, it's not just that. It's also, you know, you have to suffer after Christmas. You might not spend loads at Christmas, but a lot of people do. And you're sitting there after Christmas going, wow, my savings account is empty, the bank balance. Okay. All right. So I'm there a little bit nonplussed and I want to cheer myself up. And I thought, you know what? I really love marmalade. Do you guys like marmalade?

Graham

I like shredless marmalade, but I don't like the one with the bits in it.

Carole

Okay, okay. Well, I like the very bitty Seville orange marmalade. It's nectar of the gods to me.

Graham

Oh, really?

Carole

Bitter, dark, not too sweet. And it's difficult to find in the stores. So I thought, why don't I make my own?

Graham

Oh, right.

Carole

But you can only make your own in January or February, because that's when Seville oranges from Spain are ready to be harvested. So I can't say it's not labor intensive. It took a whole Sunday afternoon. I washed them, I boiled them, I took out the mushy inside, I chopped up the peel. Then you have to scoop this super hot sugary marmalade into hot clean jars without burning yourself. That's super fun.

Graham

Okay, yeah, laugh a minute.

Carole

Yeah, exactly. So I've done three pounds of Seville oranges. That gave me 10 jars of the stuff. Jeez Louise. And now I wake up, you know, it's cold, damp February, and you're sick of marmalade. The sun's not even out. I'm up, right? Buttery toast and a tablespoon or two of marmalade on there and a big cup of builder's tea. And I butt wiggle with joy. It's yum, yum, yum, yum, yum. So I don't regret the time or effort. And if you want a crack at this, I've included the recipe that I use in the show notes.

Graham

Well, there you go. And that just about wraps up the show for this week. Thank you so much, Geoff, for joining us today. I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way for folks to do that? As the police car rolls off into the distance. He's right here, guys.

Geoff

They've got me. Best way to follow me is probably on LinkedIn. Just look for Geoff White. Geoff with a G, G-E-O, and then White, like the colour.

Graham

And you can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify and Pocket Casts.

Carole

And huge, huge thank you to our episode sponsors, Tailscale, 1Password and Cortex Symphony 2025. And of course, to our wonderful Patreon community. Thanks. It's their support that helps us give you this show for free. For episode show notes, sponsorship info, guest list and the entire back catalogue for more than 402 episodes, check out smashingsecurity.com. Until next time, cheerio. Bye bye. Bye. Bye then.

Geoff

400 though, wow. Bloody hell. 500 soon. That's okay.

Graham

You didn't get your maths GCSE, did you? Not that soon.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Geoff White

Episode links:

Sponsored by:

  • Tailscale – Tailscale is perfect for work or personal projects, making networking simple. Its free plan covers up to 100 devices and 3 users. Get started at tailscale.com and be up and running in less than 10 minutes!
  • 1Password – Secure every app, device, and identity – even the unmanaged ones at 1password.com/smashing.
  • Cortex Symphony 2025 – Ready to transform your cybersecurity? Register now to see the future of security innovation with exclusive insights, demos, and stories from pros.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a Patreon supporter for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
