
When the mysterious operator of an internet archiving-service decided to silence a curious Finnish blogger, they didn’t just send a stroppy email – they allegedly weaponised their own CAPTCHA page to launch a DDoS attack, threatened to invent an entirely new genre of AI porn, and tampered with parts of their own archive to smear the blogger’s name.
In this episode, we unravel how a website designed to preserve history may have trashed its own credibility – and how Wikipedia responded when trust went out the window.
Plus a ransomware gang shoots itself in the foot with a classic case of buffoonery, accidentally corrupting the very keys victims would need to decrypt their data. When even the criminals can’t unlock your files, what happens next?
All this, a surprisingly zen Pick of the Week, and a gloriously splenetic rant against web forms, on episode 456 of the award-winning “Smashing Security” podcast, with cybersecurity veteran and keynote speaker Graham Cluley and special guest Paul Ducklin.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
It's a good job this is not a video podcast because listeners would see my mind boggling. A new category of AI porn. Yeah, it's sort of hard to imagine that there is a new category of porn, whether AI or not.
Exactly. What's the internet been playing at for all these years? Surely it's covered just about every category possible.
Smashing Security, episode 456: How to Lose Friends and DDoS People, with Graham Cluley and special guest Paul Ducklin. Hello, hello, and welcome to Smashing Security, episode 456. My name's Graham Cluley.
And my name is Paul Ducklin. How are you, everybody?
Hello, Duck. Welcome back to the show. Lovely to have you on again. What's been keeping you busy lately, Duck?
Well, you know that feeling you probably had years and years ago when we both started in cybersecurity, that when this virus writing thing blows over, we'll go and find something else to do.
When the fad has passed.
Yeah, I'm just still waiting for that fad to blow over. Never a dull moment, for better or for worse.
I know what you mean. Well, before we kick off, let's thank this week's wonderful sponsors, ThreatLocker, CoreView, and Vanta. We'll be hearing more about them later on in the show. This week on Smashing Security, we won't be talking about a new app which promises to tell you if someone is wearing smart glasses in your vicinity. You'll hear no discussion of how a medical records data company has been taken offline after some patients' records were hacked to say that they were dead.
And we won't even mention how fake AI videos of urban decline in the UK are flooding social media. So, Duck, what are you going to be talking about this week?
I'm going to be talking about a topic that is near and dear to all of our hearts, namely ransomware. And the subtitle, without giving too much away, Graham, is "You had one job." And I'm going to be explaining why Wikipedia has blacklisted archive.today.
All this and much more coming up on this episode of Smashing Security. Before we go any further, I want to say a few words about one of our sponsors this week, ThreatLocker. Most cyberattacks don't start with some genius hacker writing custom malware. They start with something much simpler, like a misconfigured setting, an exposed service, or a security policy that quickly drifted out of line. And in large, complex IT environments, those misconfigurations are everywhere and almost impossible to track manually. And that's why ThreatLocker built Defense Against Configurations, or DAC. ThreatLocker DAC gives you a real-time view of configuration weaknesses across your entire environment. It runs deep checks across every endpoint, not just your ThreatLocker policies, but your operating systems and application settings too. All of it appears in one clean dashboard showing what's misconfigured, how risky it is, and exactly how to fix it. So no more discovering problems after the attackers do. With DAC, you see configuration drift as it happens. You can also check alignment with major security frameworks and see which endpoints don't make the grade. If you want to stop firefighting, harden your environment, and catch hidden risks before they turn into breaches, you need DAC. Try it for free for 30 days at threatlocker.com and find out what's misconfigured before it costs you. So, as I said at the beginning, I'm going to talk to you today about the website archive.today, also known as archive.is and archive.ph. Archive.today is an internet website archiving service. Duck, have you ever used archive.today?
I haven't, because I try very carefully to stick to archive.org because I consider that a known quantity. And you need to be careful of trying some other top-level domain because it might be an imposter or a lookalike or not quite what you expected.
Archive.org, I think, is the Internet Web Archive, isn't it? It's affiliated or connected with the Wayback Machine and things like that.
I think they're two names for the same coin, if you like. Yeah.
And it's been around for years. It's well established. But some people do use alternative services. And there's reasons for that. One is that the Internet Web Archive apparently is not quite as good at archiving some pages as archive.today is. Apparently archive.today, for instance, is pretty good at archiving articles behind paywalls. So if you didn't want to pay your £11 a month for the privilege, you could use archive.today for doing that. Now, of course, lots of people will have problems with that, not least the people who are running the paywall and are trying to earn a buck or two from all the work that they're creating. But that's why some people use it.
Yeah. And having a choice is always, in theory, good, isn't it? Because it means you haven't got all your eggs in one basket.
But all of these sites, they take a snapshot of a site, they store a copy of it at that precise moment, which is really handy, of course, because sometimes web pages will disappear or they're updated or they're altered. So it's handy if you're a researcher or a journalist, archive.today has been running for over a decade and it's been really successful. In fact, Wikipedia uses archive.today a lot. I think the only web archiving service it uses more is the one you've already mentioned, archive.org. Over 400,000 Wikipedia pages include links to archive.today. So it's pointing to archives of web pages that are being referenced in case they ever drop off the internet in the future.
So does Archive Today make any money off this? Is there anything in it for them?
Well, not that I've ever noticed, but that may be because I'm running ad blocking on my internet. So I couldn't actually tell you. It's not making any money as far as I know from my eyeballs.
I have the same problem as you, Graham. Maybe I'm living a sheltered life.
But you can understand why some people wouldn't love archive.today because of this. So if, for instance, you wanted to read a New York Times article and you've read your allocation for the month, archive.today could be able to blast past that paywall and show you the article, and you don't have to cough up any cash. So you can understand why some people don't like archive.today. Also, if archive.today has kept a copy of an old web page which you feel shows you in a bad light, even if that web page was later updated, you aren't necessarily going to like that archive.today has a version where maybe you weren't looking quite so cool.
Or even worse, if you've had to comply with some legal ruling that says, right, take this down, and you've gone, okay, fine, I'm happy to comply to the law, and you remove it, and then everyone keeps blaming you for not doing that because they can still find it. And although it isn't your site, it jolly well looks like it. I can understand why that would make you quite anxious.
I actually remember once I read an article about a company which had been breached and the company were really annoyed that I announced that they had been breached, right? And so they wrote me a legal letter saying, remove our name from your website. And I responded saying, well, it appears you were breached. You know, it's here's your data. It's out there on the internet. Anyway.
And here's the proof, the email you just sent me.
And they kicked off all this fuss about it. And I thought, what can I do about it? Because I don't want to spend any money with solicitors and things. I don't want to waste all the time. So what I decided to do was I went to that article, I redacted their name with actual black blocks in the HTML whenever their name was. And then I posted up on Twitter as it was back then when I used Twitter. I said, unfortunately, I've had to remove this article because blank, blank, blank, blank has sent me a letter. And that of course had so many people racing over to the web archive to find an old version of the article, causing them much more of a headache. As if I ever knew that was going to happen. As if I ever realised.
When you put the black blobs in, did you make the foreground and background colour the same? So if you copied and pasted, you got the original text out?
Well, no, I didn't do that. But of course, I knew that people could actually copy the text.
Did you leave the text the same length?
Oh, yes. Yes, I had it exactly. Anyway, the thing is, they probably wouldn't have liked a web archiving service either because it revealed who they were. So one of the things that archive.today does is it protects itself with a CAPTCHA, right? Yes. To make sure that anyone visiting it is a human rather than a bot. So you have to tick a box, say, yes, I'm a human. We've all seen those a million times before. And that obviously can prevent all kinds of shenanigans launched against archive.today, like DDoS attacks. Anyway, that's a bit of an aside.
I guess it also helps stop other people scraping them to make an archive of the archive.
Yes. So the important thing is that archive.today serves a purpose, whether you agree with all of its purposes or not. And it is popular. But despite being so popular and around for, what was it, 10 years or so, some things about it are still a bit of a mystery, like who is running archive.today? And it turns out nobody knows for sure. There's been some suggestion that it might be someone in Russia, but no one's quite certain. And I guess, you know, that's partly, maybe it's unclear and not made public because that's one of the ways the site protects itself from people who would rather see it gone. It's like, well, we're not going to reveal who we are. So what happens when the cops want to know who is really running archive.today?
And I guess that could be just because there's a formal legalistic complaint.
Yes, I think that's exactly it. The FBI last November sent a subpoena to a domain registrar demanding to know who was really running the site. And Archive.today, what they did was they posted a screenshot of that up on Twitter, and that understandably got journalists sniffing into the story a bit more. It's like, oh, hang on, this is interesting. The FBI trying to find out who runs it. They put up this screenshot and the journalists were wondering, well, I wonder who is behind the site.
It's a self-fulfilling prophecy, isn't it?
Yes. So the site has now actually encouraged other people to try and find out who it is. And what journalists at Ars Technica and The Verge and Heise Online discovered was that a couple of years ago, someone else was curious, an independent Finnish blogger, a software engineer called Jani Patokallio had also spent time trying to figure out the true identity of whoever was behind archive.today. Such is research, right? You're supposed to do that. Right.
So there were now more people on the trail of the owner of archive.today, following the breadcrumbs that Jani had found. And, well, what do you know, but whoever runs archive.today noticed. And they made what can probably only be described as one of the most self-defeating series of decisions in the history of the internet.
Let me guess. Like that experience you described of your own, where if they just kept quiet about it or came out and said, yes, we did get breached, but here's what we've done about it. And everyone would have gone, what a lovely company. They decided, let's go bashing on the window and shouting at them.
Let's go and pick on people and try to get reporters to remove their name. Anyway, so first a complaint was filed against Jani's blog hosting company alleging that his post about the site was defamatory because it mentioned some possible aliases which the owner of the site had used. And well, Jani, he did the natural thing. He went to an AI and got it to draft his rebuttal to his blog host, and the complaint was rejected by his blog host. So, you know, well done AI. AI succeeded in helping Jani write his rebuttal. But then the anonymous archive.today webmaster sent Jani a fairly polite email asking him to remove the post.
Oh, have you seen the actual email they sent?
So a lot of this is posted up. I will link in the show notes to Jani's most recent blog post where you can see a lot of this. Unfortunately, his email, for some reason, ended up in Jani's spam folder. So he didn't see it for 5 days. And in those 5 days, well, the temperature was just turned up a notch because what happened was a DDoS attack started against Jani's blog. What had happened was archive.today modified its CAPTCHA page, the page seen by millions of people every day, to include a piece of JavaScript that every 300 milliseconds would send a request to Jani's website, basically a search request, a URL with a, you know, question mark, S equals, and then some random characters. So it couldn't be easily cached. Basic defenses wouldn't have been able to stop it.
And you can't tell it easily that it's not someone just doing a search.
Right.
And that a search engine has said, go and find this.
And it's happening millions of times a day from computers all across the planet using all manner of different browsers.
Aided and abetted by what, what did he say, 400,000 links on Wikipedia?
Yes.
Oh dear.
And so anyone visiting archive.today or archive.is and the other names was effectively participating in an attack on a Finnish engineer who'd written a mildly curious blog post and then forgotten about it years later. He was suddenly getting bombarded. And according to Jani, he says the stated goal was to increase his bill at his web host. Unfortunately, he was on a flat fee plan. I think it was a WordPress site, or maybe it's on wordpress.com even. So he was just paying so much and it's like, well, it doesn't affect me. My web host may be paying, but they're not charging me anything for this. So the DDoS attack cost him exactly zero. So you've now got this, what appeared to be a legitimate web archiving service, launching a DDoS attack against some poor little Finnish blogger.
And is there any suggestion that that DDoS was yet another part of the mystery by some fourth party? Or does it look like Archive.today did this as a kind of a fightback?
Yeah, it does, I'm afraid, look rather like it was Archive.today, because in later emails which Jani has published, which appear to have come from Archive.today's webmaster, he's accused of having a Nazi grandfather. He's told that a gay dating app would be created in his name.
A gay dating app? An app. Not just an account on a dating site? But a whole new app.
A whole new app.
That is a very weird kind of threat.
Oh, if you think that's weird, Duck, this threat also warned that a whole new category of AI porn associated with him would be created.
It's a good job this is not a video podcast because listeners would see my mind boggling. A new category of AI porn.
Yeah.
It's sort of hard to imagine that there is a new category of porn, whether AI or not.
Exactly. What's the internet been playing at for all these years? Surely it's covered just about every category possible. But also Wikipedia editors, they noticed that some of the archive pages that Wikipedia was linking to had now been altered to include Jani's name. His name was being inserted into snapshots in ways they said were intended to smear him. Again, the mind boggles what words were being said on these web pages.
But of course, what's important there is not so much whether it's smearing him, because I think everyone will be on his side now. It's the fact that if this is supposed to be a one true archive site like archive.org that prides itself on the archive and can explain why it thinks that the copies represent what the site was like at that time.
Yes.
Why would you trust anything if the site is changing history?
Yeah. It's ruined its reputation effectively.
As if the DDoS alone was not bad enough. And the porn thing.
A whole new category. So the folks on Wikipedia, they've been debating in the last couple of weeks what they're going to do about this. Apparently there are 695,000 links to archive.today across roughly 400,000 pages on Wikipedia, and they've been saying, well, we kind of like archive.today because it's a bit better in some ways than the Internet Web Archive, archive.org. But at the same time, we can't trust it anymore. So they've just reached a consensus to blacklist archive.today and remove all those hundreds of thousands of links, which does mean, unfortunately, some resources will be lost because who else has got a copy of some of these pages. It's going to be gone forever.
But if we now strongly suspect that we can't trust these pages anyway because they're used for smear campaigns, maybe that's actually a good thing.
Yeah. They clearly don't think it's cool for a website like archive.today to use visiting computers to generate DDoS traffic.
Who would have thought?
Or threaten them with AI pornography and tamper with its own archives. Who'd have thought that?
How to win friends and influence people. Oh dear.
And of course, now everyone's reading that 2023 blog post and everyone's really keen now to find out who is behind archive.today.
Yes. Ah, the Streisand effect at a whole new level.
This episode of Smashing Security is sponsored by CoreView. Now, most security teams like to think they've got Microsoft 365 covered. They can spot suspicious logins, they can see dodgy activity, they get the alerts. But here's the problem. Detection isn't enough. Because when an attacker gets into your Microsoft 365 tenant and starts quietly changing the settings, like disabling conditional access, weakening Defender policies, elevating admin roles, the noise often stops. And that's when the real damage begins. This is how Microsoft 365 tenant takeovers actually happen. According to CoreView, 63% of tenants are still handing out broad admin rights. One compromised account and suddenly the attacker has the keys to the kingdom. And if those configurations get tampered with, your backups won't save you. You could spend weeks trying to rebuild tenant settings by hand because Microsoft doesn't give you a native way to roll back tenant-level changes. Attackers know this. They count on it. And that's why CoreView has published a new white paper called Total Tenant Takeover: The Microsoft 365 Disaster No One Is Ready For. It looks at how these attacks unfold in the real world, where least privilege breaks down, and what it actually takes to recover a Microsoft 365 tenant. Not just files, but the whole environment. You can download it right now at smashingsecurity.com/coreview. That's smashingsecurity.com/coreview. Duck, what's your story for us this week?
It's kind of amusing in one way, this story. The crooks are relying on scrambling your files. This is ESXi ransomware, so it's not just trying to scramble laptops or even conventional servers.
Right.
It's trying to mess with a company's VMware servers, you know, the core bare metal ones that are typically used for big things like CRM systems or payment systems or websites or blogs or whatever. So the idea here is that it's not so much to steal the data, but to disrupt a business right at its deepest core part so that it has little choice but to pay up. And I shouldn't laugh, but what this malware known as Nitrogen had, right, was not one but two memory mismanagement bugs. It turns out that they both trashed the same part of memory. Though I think that was more by accident than by design, since presumably this wasn't supposed to happen at all.
Yeah.
So for listeners who know the fundamental premise of ransomware, which we've had since the very first ransomware back in 1989: it is that your computer still works. It will still boot up. It's still there so it can show you messages like flaming skulls and you have to pay and even send those messages to your printers. And all your files are kind of there and visible. So it's a very dark psychological trick that you're nearly but not quite ready to go. It's just that you don't have any data to run your business.
Yes, a ransomware which completely borked your computers so they no longer booted up would be kind of useless, wouldn't it? Because you wouldn't know that you had ransomware. And more importantly, maybe you wouldn't know where to send the ransom to get your data back.
Yes. As an aside, I've heard a lot of people say, oh, it's much worse if you get ransomware that works at the very low level below the operating system and locks up your computer entirely. But the fact that that didn't take off among ransomware crooks suggests that it doesn't have, as you say, that same psychological pressure.
They're tantalizingly within reach. It's like, I can almost get at them, but not quite.
Yes, I'll open the document. Oh dear, shredded cabbage. And as you say, the other reason that generally, if it's a laptop ransomware attack, they want to leave at least your operating system there and your browser so that you can go online and download the Tor browser, the anonymous browser. And so you can read the new wallpaper with the flaming skull that says, here's how you save your business.
Yes, you can Google how to buy bitcoin and all those other important things you're going to have to learn about pretty soon.
And very sadly, as we know now, particularly in a widespread ransomware attack, part of that psychological goal is that if almost everybody in the company, one way or another, whether it's laptops or servers, experiences the ransom note, then that creates much more anxiety and fear and uncertainty and doubt inside the company. So there's this huge psychological thing about leave the server mostly working, make it obvious that the data's still there. The files have nearly the right name and they have about the right size, but they just won't work. And what you keep secret is the unscrambling key that the victim needs.
Right.
That's the blackmail. Now, we know that these days they tend to steal a whole load of data as well, because they can use that second sort of blackmail leverage saying you're actually paying for a positive. You get your business running again and a negative that you have to trust us to delete the data. So there's an awful lot of honor that you have to ascribe to thieves. And historically, as you and I know all too well, the early days of successful ransomware, CryptoLocker, all that stuff about 10 or 12 years ago, for better or for worse, those criminals got a reputation that if you paid up, you probably almost certainly would get your data back. And that created this mystique that although you were dealing with sleazebags, if you paid, your business probably would get going again if you had no other way forward. But not in this case.
I think they were worried about their Trustpilot reviews, weren't they? I think ransomware gangs didn't want people saying, well, I bought this product or I paid for my data to come back and it never did, because that would give them a bad reputation. That would damage further business in quotes for them, wouldn't it?
Absolutely. And if you go back to those CryptoLocker days, as I remember, that's exactly how it panned out. But people who hated the fact that as an individual they'd had to pay $300 or maybe $600 if it was a couple, both of whose laptops had got trashed. And now you've lost your tax returns, you've lost your wedding videos, you've lost the photos of your kids, you've lost all the stuff. And you think, you know what, if we just scrape together $600 and pay, maybe it'll work out. Well, it wasn't Trustpilot, but did become received wisdom, didn't it? As much as it might hurt you, as much as it was doing a deal with the devil, if you paid up, you would be okay. And then you could go—
Yes.
To the shop and buy a USB drive and back all your data up properly next time.
So what's the story this time with the nitrogen ransomware? What's gone wrong with that?
Well, one of the ways that you can deal with having a decryption key that the crooks know and that the victim does not is that you generate a random key either for the whole computer or typically it's done for each file because that means you can do a deal. You say, okay, I'll give you a little discount, but I'm only giving you 10 files.
Ah, yeah.
So generally there's a key for each file. And what the crooks could do, assuming you're online, is they could just then upload that key in some obfuscated way and then delete it from memory on your computer and you'd be none the wiser. So that's one way that crooks have done it in the past. But then they have a problem that if the network connection breaks or they can't upload each key or each key for each file or for each computer, then even if you send them the money, they're not going to have a key to send back to you.
Hmm.
So the trick is to use public-private cryptography, which is where you have a private key that the crooks know and a public key that the victim knows. And without going into the details of public key cryptography, which sounds like a contradiction in terms, doesn't it? The idea is that, very loosely speaking, what the public key locks, only the private key can unlock. And you can go from the private key to the public key, but not the other way around. Yeah. After the encryption's done, the public key is no good for unlocking. It's only good for locking. And then the crooks say, well, we happen to have the private key that will meld with the public key that obviously you've got, which essentially serves as a victim identifier. Except that— and I shouldn't laugh— in this case, the buffer overflow bug in the ransomware overwrote the first 4 bytes of the public key. So what we have is the crooks have the private key, but you no longer have the public keys that you need to meld with it. To get the files back, game over.
They're gonna get very bad reviews for this. So they've partially erased, effectively, part of that public key.
Yes. So they basically shot themselves in the foot.
Yes. It's bad news for the victims, of course, but it's also bad news for the ransomware guys. I mean, really, no one wins here at all.
No, absolutely not. Now, the good news is that if you look at recent ransomware history, it looks as though fewer and fewer companies, even when they might be willing, fewer and fewer companies are actually prepared to pay.
Yes, it's interesting, isn't it?
I don't know whether that's because people have finally learned the lesson that the only backup you will ever regret is the one you did not make, whether they finally learned that when you have backups, you don't leave them on the same computer so the crooks can ruin the backups at the same time, or in a cloud service, which is what these ransomware crooks do. They particularly favor affiliates, their name, who have not programming skills, but IT management skills, notably including backup software. So they trash your backups just in case. So I think for many companies, they've kind of learned, let's do backup properly, then at least we can get the business going again, whether it's ransomware, fire, flood, whatever it might be.
It strikes me that if they're overwriting some of that key accidentally, there is a chance they could overwrite it with the correct numbers.
Yes, it's a very small chance.
Right.
The public key in this algorithm is 256 bits long. So, by the way, is the private key, and so is the magic shared combo device they have. That's one of the strengths of this algorithm. Everything's neatly 32 bytes big: private key, public key, shared secret. So they're only overwriting 32 bits of it.
Right.
They overwrite it twice. The first time they overwrite it with 32 bits that are zero.
Yep.
And they just accidentally wrote it over the beginning of the public key. As if that wasn't bad enough to prove their incompetence and fecklessness, at some other point they saved the value, apparently, 32. Who knows why? It just happens to be the length of the key in bytes. Maybe that's what they were doing. So they overwrote the key with zeros, then they overwrote the same part of the key again with zeros, just in case one bug wasn't bad enough. Just in case you're thinking it was a minor oversight, it was a double minor oversight. This is fundamental to their blackmail model, that there is a way to recover because they actually did the cryptography correctly and they didn't have these memory mismanagement buffoonery bugs in their software. So if they do sell you the private key, how are you ever going to know that they haven't managed to overwrite the first 8 bytes, 16 bytes, 24 bytes of that?
Yeah.
Or that they've sent you the wrong one? How on earth are you going to know whether it works at all? Because of course they can't reconstruct the public key. No, that's on your computer because that's the whole idea. So two things to learn from this. The first is that if you are inclined to think that you could not trust ransomware criminals because they were criminals, here's another reason: they are often incompetent and careless as well. And of course, the fact the cops bust them in the first place suggests that their own security may not be perfect. But the other lesson is that when you have things that have happened that make it sound as though something is cryptographically impossible, it might not be. So don't take the first story you read about something at face value. Always ask an expert.
Well, do you think the ransomware gangs are going to test their software in future for these critical buffoon overflow vulnerabilities?
A buffoon overflow. I might dine out on that. Well, it's hard to say, isn't it? I think that good news, if you see it that way, is that intrusions by law enforcement and fallings out among ransomware gangs in recent times do seem to have fragmented, if you like, the ransomware— I hate to use the word industry, but the ransomware ecosystem. That reputation that the first big-time ransomware money-making criminals created 10 or nearly 15 years ago certainly does seem to have been undermined.
Hmm.
So I wouldn't rely on them continuing to make mistakes that either mean that the ransomware will fail or that they make a mistake that means actually you can recover the key without paying. I mean, that does happen, and you do sometimes get free tools that let you recover. But unfortunately, I wouldn't rely on that because when these free decryption tools come out, it often takes days or weeks or maybe even months of work before someone stumbles upon the way of doing it. And although that means that version of the ransomware is essentially cracked, for a company that's struggling to get back on the road, it's probably too little too late.
Okay, before we go any further, we've got time to chat quickly about one of our sponsors today, Vanta. So a question for you: what do you worry about at 2 o'clock in the morning when it comes to your company? Company's cybersecurity? Is it, do we actually have the right controls in place? Is it, are our vendors quietly on fire? Or the truly terrifying one, why are we still trying to do all this with spreadsheets? Well, if that sounds like you, enter Vanta. Vanta takes all that painful manual security busywork, chasing audit evidence, filling out questionnaires, updating the same spreadsheet for the thousandth time, and it automates it. Their trust management platform continuously monitors your systems, pulls everything into one place, and helps keep your security program audit-ready all of the time. And yes, it uses AI, but in the useful way—flagging risks, streamlining evidence collection, and fitting neatly into the tools you already use. So you can move faster, scale with confidence, and maybe even sleep through the night. Get started today at vanta.com/smashing. That's V-A-N-T-A.com/smashing. Smashingsecurity.com/smashing. And thanks to Vanta for supporting the show. And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security-related necessarily. Well, my pick of the week this week is not security related. I've got a question for you, Duck. Have you ever done yoga?
I think my mum, my late mother, was, believe it or not, and she used to describe herself as 4 foot 11 and 3/4. She was very, very tiny. She was a physical training instructor during the Second World War and a PE teacher afterwards. So she did try and show me how to do yoga once when I was very small. But I kind of got banished because I just couldn't quite take it very seriously.
Oh, well, I've done yoga and I know that may surprise some people. That's big of you to say, Graham. Yeah, well, I am all over my warrior pose 1 and warrior pose 2, my cobra, my downward dog, my yoga nidra. Do you know what a yoga nidra is? That's the one I'm best at.
I thought you said a yoga ninja.
No, no, no. It's the one where you basically lie down and fall asleep. I really, really enjoy that. I actually do enjoy yoga. I find it very relaxing, very peaceful. You know, I like all that. But I can't claim to be the most flexible person in the world. But I enjoy doing it, despite not being very good at it. And I've gone to classes in dusty church halls before.
Oh, can you be good? Is it a thing where you're encouraged to be good, or is that a little bit contradictory to the whole spiritual ethos?
Excellent point. Excellent point. Yes, I think many people would have told me I was doing just fine. But what I've noticed is if I were doing the tree pose, for instance, it would be a case of timber rather than, you know, standing tall and proud and sturdy. Wobbly twig. Yes, I'd be a bit wobbly. So, I've gone to classes before, but what I've started doing is online yoga. And I know that sounds horrible. There's no apps involved. There are YouTube channels, right, with yoga on. My favourite is something called Yoga with Adriene. Adriene Mishler. She's got over 13 million subscribers and she's not that annoying. You know, she's kind of, she's all right. She's got a dog as well who occasionally comes in and says things, well, doesn't say things, but you know, is there in a peaceful kind of yogury way.
Is this a downward or an upward dog?
Well, what we're doing — 'cause this isn't just me, Duck. This is my wife, my stepson, and others, friends who are remote. We're putting the video on our TV screen, and with our laptop or smartphone, we are FaceTiming with friends and other family members around the country. So last Friday night, we were doing just that. We were doing our sun salutations. On our FaceTime, we had our friend Jenna, and we're all watching the same YouTube yoga video at the same time, and we're doing it in different places. This isn't rocket science. You can sync up the videos using online services. So everyone's watching the video at exactly the same time. But we can see each other.
Oh, is that important? Like if you're out by a couple of seconds, does it ruin it?
No, it doesn't really ruin it at all, to be honest. So we're not bothering with that. But, you know, we could be more sophisticated about it. But it's a fun way to do yoga with people you love and catch up with them afterwards for a chat. And it's something we've introduced into our little routine and I'm enjoying it. I thought, you know what, maybe some other people like that as well because a bit of yoga, a bit of sort of mindfulness, a little bit of your toes feeling the ground and just being aware of yourself, I think it's good for you as well as your flexibility. So that is my pick of the week. Duck, what's your pick of the week?
Well, you might be annoyed now because you've been all uplifting and well, I'm saluting the sun and I'm being cheery with family. So mine's not going to be quite as uplifting as yours because I would like to have a nitpick of the week, if I may. Oh, yes, you can. That's allowed, is it? Yes. Of course, because it's me, it does have a cybersecurity kind of implication because it's what I would call crappiness in web programming. But it's really just the fact that this is 2026. This is supposedly the dawn of AI code that will be perfect and websites that are really a delight to use. So my annoyance is just a few things. Each one of these happened to me within the last 7 days and it drives me barmy. And I would love to encourage people to shout back at web services, whether they're government web services, commercial web services, even free ones, about some of the programming stupidity that we have. For example, you have to put in an email address to use this website. Fair enough. Maybe they want to email you a confirmation code, or maybe they're saying we'll let you download this document or we'll let you download the software for free, but we want one chance to spam you. I'm happy with that. So I go to the form and I type in, and as you can imagine, my email address, it starts with P for Paul. So I press P into the field and immediately 1.7, which is not a legal top-level domain anyway. And it goes, that's fine. And you just think, well, you want me to trust you with my data. Maybe if it's a site where you're creating an account to buy something, in a moment, you're going to ask me for my credit card number. Seriously, as soon as I type in the first letter of my email address, you start bellowing at me that I've entered an invalid email address. You buffoons. Then many sites these days either invite you or even insist that you give them a phone number. Oh no, here we go. Right. Well, Graham, there's a document called RFC 3966.
Oh, is that the one which defines a legitimate phone number? That must be quite a complicated thing to define.
Telephone numbers for the internet. Right, okay. And it's not every possible phone number, and it's not every possible thing you could dial, because what a lot of people don't realise is the modern phone keypad — you know, think of how it looks even on a modern phone that doesn't have keys, or look at your old phone, there are what, four rows of three columns?
Yeah.
It's actually a 4x4 grid, and there's a tone for each row and a tone for each column, and when you press the button, you know, it makes two tones that join together. DTMF. So you can have some letters in phone numbers, but they say don't bother with that. What we would like is phone numbers. You should be allowed to put either dashes in them, like the Americans do routinely, or you should be able to put dots in them to space them out — exactly how people say them when they give them to you. Oh, the other thing they say is that you should encourage people and you should try to get them to enter globally valid phone numbers. And how many websites have you been to? If you leave a space, it goes, "Nah, you can't do that." Well, remove the spaces then — how hard is it? And they go, "You can't have a dot." How can you have a dot in a phone number? There's no dot on the keypad. And then they say, "No, you can't have a plus." Oh no, no, no, no, no, no, no. Oh dear.
So I've got a question for you about this. How's the blood pressure going? Are you all right? Great!
That's it? This is great. No, I'm feeling more relaxed.
Oh, is it? Is it? Yes! This is your yoga.
You've got your downward dog. I've got my upward two fingers. But I'm not finished, Graham. There's a third one. There's more? And this galls me even more. You're in somewhere like the UK, or maybe you're in a European country — it doesn't matter. But you're not in the United States or Canada. And maybe you live in a country like the UK that is very clearly not a federation. We do not have states and we do not have provinces like they do in the US and Canada. So I put in all my stuff, I put in my address, and then it says, "What is your country?" And I put United Kingdom of Great Britain and Northern Ireland — the longest country name in English in the world. Oh, is it? Yes, apparently. I can't find a longer one anyway. And then you say, "What is your state/province?" Oh dear. And you have to put something in. I think, well, England is not a state or a province. I'm happy to put that. I'm not going to try and be smarty pants and put Northern Ireland or Scotland or something just to freak you out because it's not true. And so I put things like Gondwanaland because, oh, that's fine. And you know that the only reason that the company is asking for the information is for its own convenience in divvying up the sales leads amongst its sales territories. And I just think, oh my goodness. So I'll leave the fourth one out because it's more of the same. It's about reformatting addresses so that they are going from being valid to invalid and not in the correct POST format, and then everybody's happy.
Well, I think this is a valid nitpick of the week. I've often been frustrated when I enter my phone number. At least the phone number seems particularly problematical. I'm not as het up, I think, about the email thing, character by character, but I can understand why you may be alarmed if it pops up, especially if it comes up in red with a nasty, aggressive, angry little icon at that point. Well, that just about wraps up the show for this week. Thank you so much, Duck, for joining us for both your story and your nitpick of the week. I'm sure lots of our listeners would love to find out what you're up to, follow you online — what is the best way to do that?
You can find me on LinkedIn, just search for Paul Ducklin or P. Ducklin. You can find me on my website, just go to pducklin.com/about. And don't forget, I'm a good guy to hire to create content for you.
Absolutely right. And you can follow me on social media as well. I'm on LinkedIn, or you can follow Smashing Security on BlueSky or Reddit or Mastodon. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Pocket Casts. The episodes, show notes, sponsorship info, guest lists, and the entire back catalog of 456 episodes, check out smashingsecurity.com. Until next time, cheerio. Bye-bye. Bye. You've been listening to Smashing Security with me, Graham Cluley, thanks so much to Duck for joining us. Always wonderful value there. And to this episode's sponsors, CoreView, Vanta, and ThreatLocker. And of course, to all of you chums who've signed up for Smashing Security Plus over on Patreon. As members of Smashing Security Plus, they not only get episodes of the podcast earlier than the great unwashed public, and ad-free episodes at that, but they also get the chance to be pulled out of the hat and to be thanked here at the tail end of the show. So let's reach into the hat right now and give huge thanks to Jane, Henry Walshaw, Adina Bogart O'Brien, Stephen Castle— sounds like a man with wonderful parapets— Yuri Taraday, Bravo Whiskey— almost certainly not their real name, but I live in hope— Alan Liska, Rich— hence he can afford to be a patron— Actually, you don't have to be that rich. It's only $5 a month or so. Jan, Roy Tate, Alexander Huygois, Lars Bashora, and Jonathan Haddock, who has nothing fishy about him at all. You are all absolute legends. Thank you so much. If you'd like to join Smashing Security Plus, just head over to smashingsecurity.com/plus for all of the details. And even if you're not a member, please feel free to like, subscribe, leave a 5-star review, and tell your friends about Smashing Security. Spread the word. Every little bit helps, and it really does make all the effort worthwhile. 
Until our next episode, which I hope you're going to tune into, I will say toodaloo for now. Bye-bye.
Host: Graham Cluley
Guest: Paul Ducklin
Episode links:
- This App Will Detect People Wearing Smart Glasses Near You – Lifehacker.
- Patients listed as dead after major NZ health app MediMap hacked – 1News.
- Why fake AI videos of UK urban decline are taking over social media – BBC News.
- FBI orders domain registrar to reveal who runs mysterious Archive.is site – Ars Technica.
- Archive.today CAPTCHA page executes DDoS; Wikipedia considers banning site – Ars Technica.
- Archive.today is directing a DDOS attack against my blog – Gyrovague.
- Critical buffer overflow bug – in ESXi ransomware – SolCyber.
- Yoga with Adriene – YouTube.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Coreview – Download “Total Tenant Takeover”, a white paper about the Microsoft 365 Disaster No One Is Ready For.
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
- ThreatLocker – Start your free trial and book a demo of ThreatLocker today to see how you can implement Zero Trust in your environment.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Join Smashing Security PLUS for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
