
Your computer’s mouse might not be as innocent as it looks – and one ransomware crew has a crisis of conscience that nobody saw coming.
We talk about how something as ordinary as a web page could turn your mouse into a surprisingly nosey neighbour, and why ransomware gangs need to think carefully about their reputation.
Meanwhile, Graham reveals a baked potato hack that might just change your life, and we take an unexpected detour to South America for a bit of literary adventure involving inflatable pigs.
All this and more is discussed in episode 436 of the “Smashing Security” podcast with cybersecurity veteran and keynote speaker Graham Cluley, and his special guest Geoff White.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Do you know what, Geoff? I listened to two whole seasons of The Lazarus Heist, and there was nothing about the proper way to bake a potato.
No cooking advice.
Kim Jong-un didn't give any advice to how his loyal subjects, should they be lucky enough to actually own a potato. Smashing Security, episode 438, when your mouse turns snitch and hackers grow a conscience with Graham Cluley. Hello, hello, and welcome to Smashing Security episode 438. My name's Graham Cluley.
And I'm Geoff White.
Hey Geoff, welcome back to the show. Fabulous to have you here again.
Thanks for having me.
All of our listeners know about you, of course, from The Lazarus Heist, from Rinsed, from Crime.com. You're on our TV screens, you're in our ears. You're everywhere.
By the way, thanks for remembering my first book, Crime.com, which is interesting. As that's got older, it's just fallen off the radar. People are like, oh, you've written a couple of books. It's like, no, I did write a third. It's a bit old now, but it's still there. And gradually it just sort of has fallen off the edge of the cliff at the back. So well done for remembering that there was a third book.
I've got my copy and it's a great read too.
Thank you.
What's keeping you busy at the moment?
I am working on a new BBC podcast. Exciting news. There are going to be not one, but two new seasons in the Lazarus Heist feed.
Yes.
This is exciting breaking news, and I think you're probably the first to get it. Well, I think it's been announced on the BBC. I hope it's been announced on the BBC first, but—
No one listens or watches the BBC, for goodness' sake, Geoff. Everyone's listening to Smashing Security. Let's claim that we've got the exclusive here. Scoop! So, two new seasons of the Lazarus Heist.
Yes, yes. So, painfully aware that we did two seasons of Lazarus Heist, which was exciting, lots of people liked it, you know, with my co-host Jean, did really, really well, about North Korea and how North Korea became this computer hacking superpower. We then sort of just left it, and obviously you've got an audience of people who you've built up and who are expecting things, and we didn't give them anything. So we're painfully aware, I think, particularly the BBC, that, you know, we probably should do something else. So, exciting news, Joe Tidy, the BBC's august cybersecurity reporter, who's obviously done amazing stuff on ransomware, which we'll talk a bit about in this episode, I think as well, has teamed up with the BBC's former, I think it's former Russia editor, Sarah Rainsford, and they are gonna be doing a new podcast, which is gonna go in the Lazarus Heist feed. We are renaming that feed Cyber Hack, which I'm not a massive fan of that name, but there you go. I think it makes sense to people in the general public. And so it's gonna be Cyber Hack and then whatever the title of Joe and Sarah's series is, and that's gonna go out imminently. I mean, that's going to be very, very soon. And then the series I'm working on, which is going to be again all about cyberattacks and particularly around things like ransomware, is going to be going out next year, we think in February. So if you haven't subscribed already to the Lazarus Heist, do it now. It may be called Cyber Hack by the time you subscribe, but you'll be alerted to Joe and Sarah's series and then you'll be alerted to my series. And honestly, the stuff we've got for my series is absolutely knockout amazing. And I'm sure Joe and Sarah have got some fantastic stuff in their show as well. I can't wait to hear that. So yes, exciting news.
Terrific stuff. Before we kick off, let's thank this week's wonderful sponsors, Vanta, 1Password, and Drata. We'll be hearing more about them later on the podcast. This week on Smashing Security, we're not going to be talking about how Discord has warned users that their data has been stolen in a third-party breach, with some users even having their passport scans falling into hackers' hands. You'll hear no discussion of how hackers linked to North Korea are stealing record-breaking sums of cryptocurrency. And we won't even mention how the Scattered Lapsus$ Hunters gang is offering $10 in bitcoin for people to harass executives of hacked companies to pressure them into paying ransoms. So Geoff, what are you going to be talking about this week?
So I am going to be talking about ransomware and I'm going to be talking about the Kiddo Nursery ransomware attack.
And I'm going to be taking a mosey at the mousy spy on your desk. Oh, all this and much more coming up on this episode of Smashing Security. Right. First of all, a quick word about one of our sponsors today, Vanta. Now, I know what you're thinking. Oh, good. Another bit of software promising to make my security easier. But honestly, Vanta's actually pretty handy. Here's the deal. If you are spending half your week chasing down evidence for audits or updating endless spreadsheets or trying to prove that yes, you do take security seriously, Vanta automates all of that. It pulls everything together, keeps an eye on your systems, and basically makes sure you are ready for an audit at any time. No panic, no last-minute scavenger hunts for screenshots or policies you forgot to upload 6 months ago. It also plugs into the tools you're already using and uses a bit of AI magic to flag up issues before they become a proper mess. So if that sounds like something that might save you from a few sleepless nights, check them out at vanta.com/smashing. That way they'll know that you heard about them on this show. And if you use that link, you'll get $1,000 off. Which is nice as well, isn't it? So thanks to Vanta for sponsoring this week's episode. And let's crack on with the show. Now, Geoff, I want to take you back in time.
Mm-hmm.
This is so far back in time. You were probably wearing short trousers. You were out there on your chopper bike with your packet of Spangles. Do you remember 1997?
Yeah, I was wearing very long trousers at that point. I wasn't—wasn't in shorts on a chopper bike. I think I just graduated from university. But anyway, carry on.
Okay, alright. Well, do you remember the horrifying thing that happened that year?
Other than the fact I graduated from university and had to find a job? No, no, I don't.
That must have been terrifying for you. But scientists, for Lord knows what reason, they decided to grow on the back of a laboratory mouse—
Oh!
A human ear.
1997, Boston, Massachusetts. At first glance, it seems impossible.
Yet it's something out of science fiction, this animal may actually become a trailblazing hero. American scientists have successfully grown and attached a human ear onto the back of a mouse.
The ethics are controversial. God, of all the creepy things.
I mean, I'm still not sure why they did this. That ghastly image was plastered all over the news. There was footage of this mouse walking around with a human ear grafted on the back of it. You think, why have scientists done this? Of all the things they could have done, what are they trying to do other than to give us nightmares right now?
I also felt quite sorry for the mouse, 'cause all I could think was the mouse was thinking, "Shut up, just be quiet, shut up." You know?
Well, we all thought that that was it. That was the peak territory when it came to what can scientists do with mice? We thought, well, that's it. That's as disturbing as the mouse situation is going to get. But almost 30 years have now passed, and oh boy, how naive we were. Because now— and I want you to really appreciate the beautiful symmetry here in my storytelling— we've gone from growing a human ear on a mouse to discovering that your computer mouse has essentially grown its own ears.
Oh, I see what you did there.
Yes, thank you. I'm glad you appreciated it. So do you have a mouse in front of you?
Oh, I don't, but I can— I have a Bluetooth one in my drawer. I'm getting it out now, just so we've got a prop here. Right, got it.
Okay, alright. Take a look at it.
Yes.
Can you tell that that mouse could be listening to you?
Ah... I'm just— there's no mic thing in it. There's no obvious sign. No, no.
No, there's no microphone in it or anything like that. No. Boffins from the University of California, Irvine have discovered that fancy high-performance gaming mice, which maybe you bought
Really?
yourself because you absolutely needed a 20,000 DPI sensor to get your competitive advantage in Fortnite or Call of Duty or whatever game it is that you, Geoff White, like to play, they can now be turned into a microphone without any physical access to the mouse itself. Yes, I'm not kidding. Researchers are calling this particular technique— and by the way, I have to congratulate them on this because this— I always love the names which security researchers come up for vulnerabilities or types of attack.
Oh, right. Yes.
Sometimes there's true inventiveness. Sometimes there's a logo. Sometimes there can even be a theme song. You know, but this one, they've just come up with a good name. And what they've called it is MIC, as in M-I-C, the MIC-E mouse. So by research paper standards, that's a pretty good pun, I'd say.
Yes. Yeah.
I expect Disney's lawyers aren't quite as impressed. They're going to find out how litigious that they can be as a result of this. But the basic idea is this: these absurdly sensitive optical sensors in modern gaming mice are so good at detecting the smallest little twitch, the smallest little movement, that they can also detect acoustic vibrations travelling through your desk.
So as you speak, you vibrate the desk, it vibrates the mouse, and the mouse can pick that up.
That is exactly it.
God.
Now, I don't know if you have a problem with acoustic vibrations in your home office, Geoff, if there are things emanating in your vicinity, but for many people, the most likely vibration would be your voice. When you're having a conversation about— well, literally, it's what we are right now, right?
Yes, that's true, yeah.
People could actually hear what we're saying right now. What a disaster that would be, principally for them, if they could hear our conversation, or if we were secretly being recorded right now.
Yes, yeah, yeah.
Rather than this being a private one-to-one conversation that we're having. So to recap, the mouse that you use to click on things can now listen to you. Whoa.
Yes.
And I kind of think, well, of course it can. Why should your smartphone, your smart speaker, your smart TV, your smart fridge, your smart toilet? Why should they all have the fun? Your mouse is going to want in too, isn't it? It's going to say, well, hang on, don't forget about me. Now, the researchers are really quick to point out that these vulnerable mice, they can now be bought for under $50. So these aren't expensive, exotic pieces of spy equipment that we're talking about.
Okay.
This is the sort of thing that your nephew asked for for Christmas. And here is the scary part, because I think it wasn't really that scary before. I mean, it's not as though those scientists from 1997 have actually grafted an ear onto your computer mouse. The scary thing is that the bad guys don't need to install any malware onto your computer to pull off the surveillance. And you're thinking, well, hang on, they don't fiddle with the mouse. They don't fiddle with your computer. How can they do this?
Yes. Yeah.
It sounds a bit of a stretch, Graham, quite frankly.
Yes. Yeah.
But according to the researchers, yes, of course you could be running compromised software on your computer, but you could also be doing something which seems entirely benign.
What?
You could just be visiting a website and the website apparently can collect the mouse packet data and extract the audio waveform. So if you're tricked into visiting a website— Well, because websites can collect so much information as to what you're doing.
Yes.
And of course, you could have a little applet running inside a website, which is tracking the movement of your mouse. And if your mouse just happens to be residing on the window and you don't think you're moving the cursor, but tiny little movements are happening. So basically you visit the wrong website. Congratulations. Your mouse is now listening to every embarrassing thing or sensitive secret that you're sharing during calls.
Unbelievable.
Isn't it sneaky? I mean, there've been so many sneaky ways in the past to extract data. I think we've spoken before on the podcast about spies who've been able to look at the vibrations off windows to find the conversations going on inside, or there've been radio frequencies emanating from a monitor, which can then be picked up, even if there's no physical wired connection to the device. They can actually pick that up remotely, or listening to the sound of hard drives.
So mad.
But now, it looks like it's mice potentially, which could be leaking your information as well.
Unbelievable. Well, I know spies have always been able to read window vibrations. So if you're in a room, and you're speaking, the window vibrates, and if they have a sensor trained carefully on the window, they can pick up the vibration of the window. So I guess it's a sort of modern twist on that, but the idea that you can do it sort of remotely through websites, that's absolutely mad.
And of course, the window vibration thing, that's quite a lot of effort for the person spying, and they have to target you specifically. Whereas if they wanted to do this at scale for any reason, just get a lot of people to visit a website or plant a piece of code on a website. Now, I know what you're thinking, which is, surely the audio quality must be absolutely rubbish, right? Because we've got nice microphones in front of us right now. And you'd be right. It is shit. They've shared a video.
I was gonna say, they've actually showed, and it's not just a theory, they've actually done a proof of concept and actually got some audio.
Oh no, they've done this. They've done this. They've published the technical paper, they've published videos showing it, they've even shared code showing how this works. They produced this video and it's such awful audio that I can't actually include it in the podcast because the way we make our episodes of Smashing Security, it will automatically be removed as background noise.
You wouldn't be able to make it out.
But the researchers say that through successive signal processing and machine learning techniques, in other words, they just threw a whole load of AI at it, they can achieve 80% speaker recognition accuracy as to who is speaking.
Right.
And they also found that they had a word error rate of just 16.79%. That means they make a mistake in about 1 in every 6 words. Which I think is okay, considering it's a flipping mouse. Yes.
I mean, I've done far worse than that in articles that I've written as a journalist. So, you know, good on them.
So your mouse, which you use to click on cat videos, can now listen to your conversations and correctly transcribe about 83% of what you are saying. And these gaming mice are getting cheaper all the time.
Yes.
You know, they're about $50. Over time, everyone's mice are going to be that accurate. And potentially, I guess you could have a touchpad, couldn't you, or something like that?
Well, do you know what I'm thinking?
What's that?
I'm thinking right now, is the best time to start investing in the resurgent technology known as the mouse mat. Do you remember when we had mouse mats? We had mouse mats.
Ah, yes, yes.
Because if you're talking about vibrations passing the surface upon which the mouse is resting, surely a mouse mat would insulate and buffer against that potentially.
Yes, it's like suspension for your mouse.
Exactly. So I think mouse mats are going to make a bit of a revival. And maybe those mouse mats, you know, the ones with the wrist support on them as well, had a little wrist support and everything.
Yes, yes.
Some of them, you know.
Yes.
Yeah, what happened to mouse mats? Why don't we have them anymore? And can we have them back? Thank you.
Maybe we could get a little muffler for our mice to sort of wrap around it. Something furry.
A mouse muffler.
A mouse muffler.
Do not Google that, Graham. You're gonna— I don't know what would come up on Google, but I'm pretty sure it wouldn't be good if you Google mouse muffler.
Now, the good news is the researchers have been very responsible, of course. They've made their code and their data available to reviewers through anonymous repositories. You can go and grab it. I'm sure that's gonna stay nice and contained. It's not like people ever abuse security research for nefarious purposes. That never happens. That never happens. But here's my advice. If you are having a sensitive conversation, maybe don't do it at your desk or near your desk or in the same room as your desk, or it's gonna be difficult. I mean, tell you what, I'll try it right now. I'm going to get under my desk, Geoff.
Okay. Okay.
You can hear me right now, right?
I can hear you right now.
Yeah. Okay. I'm going to tell you what my password is. Okay?
Okay.
I'm going to— and see if you can pick it up. You just entertain the audience while I'm just getting down, Geoff. I'm just getting down.
Okay. I can still hear you, Graham.
You can still hear me? Am I still clear?
Yes.
Password 123. Let me in. Add me. Did it work? I'm coming back, I'm coming back. I don't know if my mouse moved at all, or whether you picked that up.
I've received 83% of your password through the website that I tricked you into looking at while we were doing this. So, I know that it features the words A, W, O, D, and S. The rest of it, I've no idea about.
Alright then, quick shout out to one of our sponsors this week, 1Password, and more specifically, something that they've got called Trellica. Now, be honest, do you actually know how many SaaS apps your company's using right now? Probably dozens, maybe hundreds, half of them signed up for by some guy in marketing with the company credit card. That's what Trellica's for. It finds all of those apps, even the sneaky ones nobody admits to using, and gives you a proper overview of who's got access to what. So no more abandoned accounts sitting around waiting to be hacked. No more paying for licenses that no one's touched for years. It also makes it dead simple to bring new people on board, remove folks when they leave, keep track of who's got access to what, and stop your IT from turning into a tangled mess of old forgotten accounts. I've used 1Password for years. They've always been great at taking the hassle out of security. And now with Trellica, they're going after the whole SaaS sprawl problem. If you want to tidy up your company's app chaos, take a look at 1password.com/smashing. That's 1password.com/smashing. And thanks to 1Password for supporting the show. What's your story for us this week?
I'm gonna probably get a bit more serious than the MIC-E Mouse story. By the way, for folks affected by this, you have not just my sympathy, but the sympathy I think of lots of people in the country and indeed in the cybersecurity industry. So this was the hacking by ransomware operatives of a nursery chain called Kiddo Nursery.
Oh yeah.
And they were targeted by cybercriminals as lots of businesses are these days. And the criminals they were targeted by were obviously ransomware operatives, scrambled the nursery's files and demanded a ransom to get the information back. Ransom was reported about £600,000, which I believe Kiddo Nurseries refused to pay.
Well, would they even have had £600,000 to pay? That's the thing, if you're a nursery.
Exactly, yeah. You know, the sort of setting of the ransoms with these gangs is really interesting. I mean, obviously I've been looking a lot into this as part of the podcast series I've been doing for the BBC, which is gonna be out next year.
Yes.
And the calculation, the ransom calculation is a whole part of this. I'll be honest, in the podcast, I just don't know how much of this we are gonna be able to get over. We're scripting it at the moment, but there's entire conversations, which thanks to leaks from internal chats within these ransomware gangs, we've got a huge amount of insight into. There's conversations around how to set the ransom and, you know, what the market capitalisation of this company is. You know, and therefore how we should set the ransom and how the ransom should be negotiated and where the limits are. They know absolutely what a target's gonna be worth and what to hit them for.
At least people like Conti do, who are experienced in this. Other gangs who are less experienced, and other affiliates working for these gangs, may be less experienced.
Yeah.
So they would have come up with a figure for Kiddo Nurseries for this. The hackers then obviously went to the next stage of their sort of extortion demands, which is, we have stolen data from you. We haven't just scrambled your files, we've stolen some of these files, and we will start leaking them until you pay us the ransom. And this is obviously where the story gets really serious, because they have information on children looked after by the nursery, including photographs of these kids, names, and other very personal details. Which is obviously the thing as a nursery that you do not want out there, and addresses as well of these.
Yeah.
They claimed about 8,000 of these, including a few, I think it's 10 or so, that they actually leaked onto their dark website, this ransomware gang called Radiant. I hadn't heard of Radiant before, but frankly, these ransomware gangs come and go very frequently now.
Yeah, some sometimes seem to sort of disappear a little, maybe when the heat's on them, and then you see a very similar ransomware group popping up and you think, oh, I wonder if you've just rebranded yourself.
Yes, yes. Particularly around the Ukraine war, a lot of these ransomware gangs started getting sanctioned.
Yes.
So the US government was like, you are now a sanctioned entity, which means the victim, well, if they pay, they are breaching sanctions and you could go to prison for that. So that was a significant impact. The way the ransomware gangs got around that sometimes was setting up under a new name and saying, well, yes, you know, Conti or whoever may be sanctioned, you know, BlackBasta, but we are not them, you know, we're different, you can pay us. The issue with that is reputation. If you've been around in ransomware for a while under a particular name and you do decrypt people's files and delete their data or claim to when they pay up, if you sort of do what you say you're gonna do when someone pays you, you have a reputation online and in the community that you are going to do the do when the ransom is paid. And you gradually work up that reputation over time, sometimes over years. If you then suddenly hop into a new name and say, oh, now this new ransomware gang X, the victims are going to try and Google you and ask around and say, well, if we pay the ransom, are these guys going to perform? And no one will know because it's all, we don't know these guys, they're a new gang. So operating under a name gets you an enduring reputation, which is important for your victims to pay up. But these guys, Radiant, as I say, I had not come across them before. Obviously, the leaking of kids' incredibly sensitive personal data, photos of them, attracted universal condemnation from almost everybody. Understandably. This was seen as being, even among sort of animals of cybercrime, a particularly sort of heinous attack. Then the gang started contacting families of these kids and saying—
Oh boy.
This nursery's refusing to pay, you know, you should put some pressure on them. Which again, harks back to, in fact, I'm going to mention Joe Tidy again, the BBC cyber reporter, put out a book recently called Ctrl+Alt+Chaos, which was mainly about a young lad called Julius Kivimäki, who's a Finnish guy.
That's right. He's the guy who targeted the Vastaamo Psychotherapy Clinic, wasn't it?
Precisely. So he managed to extricate swathes of incredibly sensitive therapy notes from therapists working for this Vastaamo operation. He obviously tried to blackmail Vastaamo, but he also contacted patients and said, "Look, I've got your top secret notes. You need to get in touch with these people and urge them to pay." That's worse. Then we start to see this shift in the gang and what they do. They then blurred the kids' photographs. So they said, well, we understand this is bad, we're going to blur them. And now they claim to have deleted the kids' data and deleted all of the data on the other 8,000 or so children they claimed they had data on. So effectively, the ransomware attack has sort of failed. They've had to backtrack in the face of this. And it's really interesting. I find this fascinating in terms of, I think we tend to assume these gangs, these ransomware gangs, are sort of homogenous and tightly controlled enterprises that have uniform policies on things. And certainly in some cases, yes, that is the case. I mean, Conti had this whole thing about the fact they don't hit healthcare, and that became a big issue within the gang of do we or don't we? What is healthcare?
What isn't?
But they at least had a sort of fairly solid policy on that. Around the fringes of this gang though, there's this really interesting debate over whether they are crooks or not. I mean, they clearly are, right? But are we the kind of crooks who just don't respond to any laws and guidelines? Or do we actually have our own internal sort of ethics that we obey? So the healthcare thing was absolutely a part of that. Some of the ransomware gang were like, "look, we don't attack healthcare. You know, my aunt died of COVID, I'm not going to attack a hospital." Others were like, I don't care. I will go after what I will go after, thank you very much. And you start to see this in the sort of targeting again. How much control does a ransomware gang have over how its ransomware is used? Because they work through affiliates, they work through effectively a franchise system. Somebody will take the ransomware and then hit whichever target they want with it.
Yeah, because there's certain technical constraints that a ransomware group can incorporate to enforce their rules. For instance, there's a lot of ransomware which won't run if you've got a Russian keyboard, for instance.
Yes, for instance.
So Russian keyboard. The ransomware can determine it's running on that kind of computer and thinks, oh, we don't want to affect any Russian organizations, we might have our collars felt. But much more difficult to prevent your ransomware group affiliates from attacking a hospital, for instance, or a nursery school.
I think what's fascinating about the ransomware scene is it is really a proper franchise model. Obviously McDonald's and Starbucks are legitimate organizations, but there is a comparison to be made. You know, the reason Starbucks and McDonald's are really successful is because you set up the brand, the logos, the icons, you know, the Ronald McDonalds, you provide the burgers, and then that's it. You know, the rest is down to the franchisee. You know, you set up the restaurant, you pay the rent, you employ the staff, you know, you order all the burgers from us. It's a great scalable business model. It's why it works for people like McDonald's and Starbucks. The same is true of the ransomware industry. You know, I've written the ransomware once. Now I can just get passive income from it time and time again as my franchisees use it. The problem is, and again, McDonald's and Starbucks are places that have had issues with this, where a manager of a restaurant or a coffee shop that's a franchise will be an absolute nightmare. And it appears in the press, oh, this, you know, McDonald's was awful. And McDonald's have to respond and say, well, no, it's the franchisee who was awful. We're in the background giving them the wherewithal to run their franchise. It's a similar thing in the ransomware industry: how much control do you have over your franchisees?
It must be difficult to police their behavior. And of course, if even if you boot someone out, they could well come back, couldn't they, under a new guise?
Precisely so. And the other thing is this sort of interplay of power between the ransomware providers, the virus writers, and the franchisees, the affiliates and so on. Because without the virus writers, the affiliates can't do anything. It's like being a—I know I'm mentioning McDonald's a lot, and I wanna make clear McDonald's are not a criminal organization, but it's a bit—
And they're not in the business of producing ransomware.
They are not, they are not, no.
That's quite clear.
But you know, fundamentally without McDonald's providing the burgers and the packaging and stuff, you can't run a McDonald's restaurant. It's a bit the same in ransomware. Without the ransomware gang providing the encryption code, you kind of can't run.
Yes.
However, it's a symbiotic relationship. The ransomware gang, if nobody's spreading their ransomware and getting it on systems, they're not making any money. So they both need each other. And the pendulum of power shifting between those two different communities, I think, is really interesting. There are times definitely when one ransomware gang is surging. We had this with LockBit—LockBit's gang were really doing well, making lots of effort because their systems were really good. But then LockBit starts to disintegrate. And now you see, I think, the power balance shifting back maybe to the affiliates because they're the ones who say, look, you know, I can take my pick of ransomware guys, of ransomware virus writers. You need me, who's got the expert knowledge in how to get your ransomware onto a system. The power balance starts to shift back. I find that ebb and flow really fascinating, to be honest.
The Qilin ransomware episode seems to have at the moment ended to a certain extent. The problem, of course, and again, I think Joe's pointed this out in his articles on the BBC, is have they deleted the data? Is this just going to be used for some kind of awful blackmail in the future?
So this episode of the show is sponsored by Drata, and I'm going to tell you why you should check them out. Look, if you're in security or compliance, you know the drill. You're constantly wearing 10 different hats. Risk management, compliance, budgets. It's quite the handful. Here's the thing, though. Drata actually helps with all of that. Basically, they've made a platform that handles all the tedious compliance stuff that normally eats up your entire week. What Drata does is automate the evidence collection, the compliance tracking, the security questionnaires. It just handles it. They've got real-time monitoring, so you're always audit ready, which is nice because no one enjoys scrambling before an audit. And they've even got AI assistance for questionnaires now, which honestly, thank the Lord. The point is, instead of spending all your time proving that you are secure and compliant, you can actually focus on being more secure and compliant. Crazy, I know. Anyway, if that sounds useful to you, check them out at drata.com/smashing. That's drata.com/smashing. And if you use that link, they will know that you heard about them on the show. And thanks to Drata for supporting Smashing Security. And welcome back. And you join us at our favorite part of the show, the part of the show that we to call Pick of the Week.
Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security related necessarily.
Well, now I will say a resounding yes, but— and I think this will be relevant to the ongoing conversation— I just never make them because they're just a faff to make, the baked potatoes. So I'm all ears, some of them on my mouth. Right. Okay. Well, I think it's pretty simple. And it goes like this. Okay, I'm writing this down. Potato, get potato.
A good-sized potato for baking.
Do you have a favourite one that you use?
Not particularly, just not a new potato. You know, not a salad potato. It's got to be a proper potato with a bit of earth, a bit of grit on it.
A chunky, yes, okay.
I'm a big fan of the potato skin. Are you a fan of the potato skin?
Oh yes, it's probably in ways the best bit.
That's the whole point, isn't it? It's the whole point of a baked potato. Baked potato, for goodness' sake.
Oh, I'm quite hungry now.
So you get your potato, you turn your oven on to about— I feel Delia Smith— to about 200 degrees. Turn the oven on.
Oh.
Do not put the baked potato in the oven. That is the mistake that people make. Don't do that because you'll be hanging around for about an hour and a half and it's too much of a faff. What you do is you take your potato over to your microwave. Right? You get your little fork out and you prick the potato a few times, chuck it into the microwave. Now, depending on the precise size of the potato, you may have to adjust this time, but I would say round about 6 minutes. Full blast. Bing! Open up the microwave. Take the potato out.
Glad you explained all these intermediary steps, because otherwise I would have put the microwave in the oven. Right, okay, got it.
Pour a little bit of olive oil on it. And maybe a little bit of salt. Already your mouth is watering.
Cheese?
Chuck it in the oven, put it on a baking tray, chuck it in the oven. Set a timer for 20 minutes. 20 minutes are gone. Turn off the oven, take the baked potato out, and thank me for the best meal you're going to have all day long. That is going to be perfect, Geoff White. Right now, if you want, you can get elaborate. You can add some tuna. You could cut up some cucumber. A bit of pepper. Well, cheese if you want. Yeah, I don't tend to have cheese on mine, but that's fine.
No, you want to grate it. Yes. Yeah.
Yeah, you want to grate it. Yeah, I tend to be a bit of a tuna guy.
Right.
But frankly, the potato is going to be the best bit of it. Every time I have a baked potato, this is how I'm doing it. And they are all magnificent. That is my Pick of the Week.
Congratulations to you, Graham, for—
Thank you very much.
Admittedly discovering quite some considerable time after the rest of the population that microwaving a potato and then baking it is a bit of a shortcut to getting a baked potato. I'm just so glad you're there now. I feel sorry for the decades you spent in the potato wilderness, but it's great that you finally cracked what everybody else knows.
Well, you know, I think if I didn't know this, Geoff, there are probably other listeners who didn't as well. Just like how I invented how to boil an egg perfectly.
Fair enough, fair enough, okay. Okay.
So, do you consider that too much of a faff? Were you hoping for a shorter version of that?
It's no more or less short than the technique that I myself have been using for quite some considerable period of time.
Oh, for goodness' sake.
So it's not— You know, if you'd have come out with something that took longer than my method, I would've been disappointed. But at least now I can confirm you haven't cracked a shorter method. That's just great.
Do you know what, Geoff? I listened to two whole seasons of The Lazarus Heist, and there was nothing about the proper way to bake a potato, as far as I remember.
No cooking advice.
Kim Jong-un didn't give any advice as to how his loyal subjects, should they be lucky enough to actually own a potato and a microwave, of course.
Yes. Oh God. Okay. Well, yes, you're right. You have absolutely ticked a box in this podcast that—
Thank you.
Despite our considerable efforts and funding from the BBC, we didn't even get near to doing Lazarus Heist. You're right. I can only apologise.
Geoff, what's your pick of the week?
I'm going to pick a book that I read. It's not the last book I read, but it's quite a recent book I read, which was recommended to me by a good friend of mine who's got great taste in books. Always cultivate people who have good taste in books, particularly nonfiction books. Which I really like. It's called, the title alone sells it, At the Tomb of the Inflatable Pig. This is by a guy called John Gimlette, and it is about Paraguay. It's travels through Paraguay in South America.
Yes.
Which is a country I was dimly aware of, but had absolutely no idea. Paraguay is the most batshit insane place. For a start, it's impenetrable. It's surrounded by other countries, but it's sealed off from them by vast deserts, mountain ranges, incredible forests.
Yeah.
It's almost like God has sort of put a little ring around Paraguay and said, no, nobody shall come here. So you can fly in, there's an airport there, or you can go up the river, which is how a lot of the sort of colonial and pre-colonial explorers kind of got there. But it just sort of lends itself to this complete, absolute crazy country that's been a settling place for— obviously Nazis are accused of ending up in Paraguay, but also it became a sort of battleground state in terms of its support for World War II, the Germans and so on. There was a whole Mennonite community who turned up, religious Christian Mennonite community turned up in Paraguay. It's just completely, completely crazy, coupled with a political scene that makes the sort of ructions in British political life seem very, very quaint and dainty. They've had so many different kind of dictators of different types. It really is a remarkable book. It's just a really fun and interesting book. It's the best of those travel books. It really takes you to a place and gets under the skin of it. So you almost feel like you've been there even though you haven't. Highly recommend, At the Tomb of the Inflatable Pig, John Gimlette.
Can you explain the title at all?
I can, and that's a bit of a disappointment. There's a reference in the book to a craze that takes over in Paraguay of these kind of inflatable pig balloons that are on the streets when the author is there.
Right.
And there's the tomb of the old dictator and they kind of sell these. I think they sell them outside. The title is barely connected to what's in the book. It's a victory of title writers over content of book. But it's just an eye-catching title. And as I say—
It certainly is.
Or ear-catching, depending which way you're consuming it. Fantastic. Well, I think we've covered it all today, haven't we? Yes, yes, I think so. With my baked potato. I think a little bit more highbrow than you were. Mine was a book. Yours was a potato. If we reduce it to the basics, I don't think you could argue that a potato is more highbrow than a book. I would push back on that, Graham, but I also want to be invited back, so I'll just, I'll park it for the moment. I'll put a pin in it.
Well, that just about wraps up the show for this week. Thank you so much, Geoff. I'm sure lots of listeners would love to find out what you're up to and follow you online. What is the best way for them to do that right now?
Look me up on LinkedIn. I am all across LinkedIn as my main platform of choice. I have, for obvious reasons, I think now deserted Twitter. I don't do Twitter anymore. So yeah, Geoff White, Geoff with a G and White like the color. I'm on LinkedIn. Connect with me there.
Awesome. And of course we're on social media too. You can find me, Graham Cluley, on LinkedIn or follow Smashing Security on Bluesky. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts for episode show notes, sponsorship details, guest lists, and the entire back catalog of about 438 episodes, some of which include recipes for boiling an egg. Check out smashingsecurity.com. Until next time, cheerio. Bye-bye.
Bye.
You have been listening to Smashing Security with me, Graham Cluley. Thanks very much to Geoff for joining me this week. And of course, big thanks to this episode's sponsors, Vanta, 1Password, and Drata, and to all the chums who've signed up for Smashing Security Plus over on Patreon. They include Sabahattin Guceluglu, 636B, Daniel Chromek, Dr. Herbalist, Ask Leo, Sonky Van Repel, Ragnar Carlson, Dave and Pam, John Ware, Adina Bogart O'Brien, Matt H., Maya, Dave Barker, Darren Kenny, and Matt Cotton. Now, wouldn't you love to have your name read out at the end of the show every now and then? Well, if so, you should sign up for Smashing Security Plus for as little as $5 a month. You can become a member of our happy little camping tribe, and you will gain early access to episodes with none of the pesky adverts. How lovely would that be? So just go to smashingsecurity.com/plus for more details. Now, of course, you may not be able to afford such a luxury as signing up for Smashing Security Plus, so don't feel any pressure to become a patron. There's all kinds of other ways in which you can support the show beyond a monthly financial commitment. You could go and check out the Smashing Security merchandise store, which has got some new t-shirt designs and fancy mugs and the like. Truth is, you can support the podcast in other ways which don't involve splashing the cash. For instance, you can give it a 5-star review on somewhere like Apple Podcasts, and you can tell your friends to give it a listen. There's nothing quite like the endorsement of someone saying to you, "Hey, I've heard this podcast. Maybe you should listen to it as well." Why not spread the word that way? Really, really would appreciate that. And I do appreciate each and every one of you who tunes in every week to hear this little podcast. Up to 438 episodes. Wow. You're still tuned in. So thanks very much. And I hope to speak again this time next week. Toodaloo. Bye-bye.
Host: Graham Cluley
Guest: Geoff White
Episode links:
- Discord users’ data stolen by hackers in third-party data breach – Bitdefender.
- North Korean hackers increasingly targeting wealthy crypto holders – BBC News.
- Scattered Lapsus$ Hunters offering $10 in Bitcoin to ‘endlessly harass’ execs – The Register.
- Vacanti mouse – Wikipedia.
- Mic-E-Mouse.
- Invisible Ears at Your Fingertips: Acoustic Eavesdropping via Mouse Sensors – arXiv.
- Mic-E-Mouse Pipeline Demonstration – YouTube.
- Hackers say they have deleted children’s pictures and data after nursery attack backlash – BBC News.
- Baked Potato – Wikipedia.
- “At the Tomb of the Inflatable Pig: Travels through Paraguay” – Penguin.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff).
Sponsored by:
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off.
- Trelica by 1Password – Access Governance for every SaaS app. Discover, manage, and optimize access for any of your SaaS apps – whether managed or unmanaged.
- Drata – The world’s most advanced Trust Management platform – making risk and compliance management accessible, continuous, and 10x more automated than ever before.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Join Smashing Security PLUS for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.