The cybercrime lovebirds who hijacked Washington DC's CCTV cameras in the run-up to Donald Trump's inauguration, the truffle-snuffling bankers at the centre of an insider-trading scandal, and the hackers that Uber paid hush money to hide a security breach.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Lisa Forte.
Visit https://www.smashingsecurity.com/153 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: Lisa Forte.
Sponsored By:
- LastPass: LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps. But LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users. Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Links:
- Ransomware attack impacted 70% of Washington DC police surveillance cameras — Graham Cluley.
- The Hapless Shakedown Crew That Hacked Trump’s Inauguration — Wall Street Journal.
- Eveline Cismaru's Instagram account.
- London Investment Bankers Charged in Insider-Trading Ring — Bloomberg.
- Trade-Secrets Case Linked to Google Seen as Warning to Silicon Valley — Wall Street Journal.
- Uber concealed massive hack that exposed data of 57m users and drivers — The Guardian.
- Uber's statement about its 2016 "Data Security Incident"
- Hackers who extorted Uber and LinkedIn plead guilty — ZDNet.
- Maersk: Springing back from a catastrophic cyber-attack — I-CIO.
- The Master Game — Wikipedia.
- BBC's The Master Game — The Kenilworthian.
- Gogglebox — Channel 4.
- Ndemic Creations, makers of Plague Inc.
- Plague Inc. trailer — YouTube.
- Plague Inc. — iOS App Store.
- Plague Inc. — Google Play.
- The great contemporary art bubble. BBC documentary — YouTube.
- BBC art documentaries playlist — YouTube.
- Painters and artists documentaries — YouTube.
- Art documentaries playlist — YouTube.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Transcript:
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. It's not just the external threat, but the threat of people who are basically people you've opened your kimono to, people who you've sort of embraced or brought into your company or trusted.
CAROLE THERIAULT. You open your kimono to your investment bankers?
LISA FORTE. Who does that?
ROBOT. Smashing Security, Episode 153: Cybercrime Phishing, ransomware, and phishing. Time doesn't pay, but Uber does. With Carole Theriault and Graham Cluley.
GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security episode 153. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. Hello, Carole.
CAROLE THERIAULT. Hello, Graham.
GRAHAM CLULEY. We are—
CAROLE THERIAULT. How are you today?
GRAHAM CLULEY. Well, thank you very much for asking. I'm not too bad, actually. And I'm particularly excited because we have a brand new guest on the show.
CAROLE THERIAULT. Never been on the show before.
GRAHAM CLULEY. Never been on the show before. Can you believe it?
CAROLE THERIAULT. There's just a few people out there. Absolutely.
GRAHAM CLULEY. Someone who hasn't been on the show before. It's Lisa Forte. Hello, Lisa.
LISA FORTE. Hello.
GRAHAM CLULEY. Now, Lisa, you should tell us what you do and who you do it for and why are you here?
LISA FORTE. Wow, so many questions all at once. So I'm a partner at Red Goat Cybersecurity, and we specialize in security training and crisis simulations for sort of crisis management teams and organizations where we simulate a cyberattack and then see how they handle it and the sorts of decisions they do or do not make. And then I write a brutal report up on how well they did.
CAROLE THERIAULT. That sounds awesome. Now, did you have anything to do with the name of the company?
LISA FORTE. Yes.
CAROLE THERIAULT. Oh, tell me why. Why Red Goat?
LISA FORTE. So it was kind of funny actually, because it really wasn't planned. And just as I was setting up the company, I read this report in the New Scientist that was about some study done by UCL in London, and they'd recognized that goats can tell intruders to their herd just by hearing their voice. And I thought, this is kind of exactly my thing for my company and what we're doing. So I thought, you know what, I'll do it. And now when I go into some of my clients, they go, oh, the goat lady's here.
GRAHAM CLULEY. So charming.
LISA FORTE. You can't ask for anything better in life.
CAROLE THERIAULT. I wonder if you can use something like a deepfake lyrebird on goats and then present them in front of them and they might get duped. Okay, I digress. I digress.
GRAHAM CLULEY. Just slightly. Carole, what have we got coming up on the show this week?
CAROLE THERIAULT. Well, first, thanks to this week's sponsor, LastPass. Its support helps us give you this show for free. Now, on today's show, Graham tells us what happened to a Romanian couple who hijacked surveillance cameras in Washington, D.C. Lisa visits the world of insider traders who are trading our secrets. And I'm revisiting the Uber hack of 2016, now that we have all the juicy details. All this and loads more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, chums, can I take you back in time once again to the happy days of January 2017?
CAROLE THERIAULT. Are you planning to start every single story now that has happened before last week with—
GRAHAM CLULEY. I'm glad you've noticed this. Exactly. We're going back in time almost 3 years. January 2017, a time when we were full of hope, wasn't it? Do you remember what was going on? This beautiful romantic couple were walking the streets of Washington, D.C. Him, he was tall, he was tanned, his blonde hair blown in the wind like a young Robert Redford, a long red tie dangling down his torso. And next to him, a pouting former model from Slovenia, a picture of true love. I'm talking, of course, I think you can guess.
CAROLE THERIAULT. Trumpistan?
GRAHAM CLULEY. Exactly. About Donald and Melania. I almost called her Melanoma. Melania. There they were as he was given the nuclear attack codes and the keys to the White House. And we thought, oh, wonderful, a whole brand new era of civilization is about to begin. How fantastic, how optimistic. Yes, those were happy times, and we knew everything was in safe, albeit quite small, hands. Well, Graham, let's not bring my hands into things. But we knew we had nothing to fear. But Donald Trump's presidential inauguration could have gone horrifically wrong. There's some people who think it did go horrifically wrong, of course, but, you know, just days before the ceremony, just days beforehand, hackers managed to hijack 70%— 7-0%— of Washington, D.C.'s public surveillance cameras being used by the police. And they demanded a ransom for their safe return of over $60,000.
CAROLE THERIAULT. A worldwide investigation is underway into a cyberattack on Washington, D.C. surveillance cameras ahead of last month's inauguration. Hackers targeted traffic and security cameras in the nation's capital just 8 days before President Trump was sworn in, and the attack happened while federal law enforcement officials were trying to ramp up security.
GRAHAM CLULEY. So they came in via the internet and basically just jammed them all up so they couldn't be used.
CAROLE THERIAULT. Oh, so they jammed them. It wasn't like they were taking what was being recorded, they were just flooding them.
GRAHAM CLULEY. No, no, I mean, they could have just tuned into CNN or MSNBC. That wouldn't have been that tricky. I mean, I know it can be hard getting those stations overseas, but you wouldn't necessarily go to this effort. But what they did was they installed ransomware onto the computers controlling the cameras.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. And they then used those computers not only to sort of block them up, but also they used them to spam out an additional 180,000 email addresses with a ransomware-laden payload. Nasty stuff. And the Secret Service, as you imagine, you know, they sprung into action because this was—
CAROLE THERIAULT. So did they figure it out? So they hijacked this 70% of— this must be thousands of cameras, and what people noticed right away— or they sent out the ransom right away. Oh yeah, they demanded a ransom.
GRAHAM CLULEY. I think, yeah, and I think the smart chaps at the Secret Service and the Washington police noticed when the ransom message— yeah, exactly.
CAROLE THERIAULT. Yeah, when they got the ransom message, yeah, put on their hats, stood up, did a little backstretch, went and handled the problem.
LISA FORTE. Was it their ransomware or was it purchased?
GRAHAM CLULEY. Yes, they'd bought it from hackers based in another country. But the Secret Service, you know, they sprung into action. They said this was a really high priority due to the impact on their mission, which was obviously to protect the First Lady and POTUS as he was given all the power.
CAROLE THERIAULT. And presumably every single person in Washington, D.C.
GRAHAM CLULEY. Right.
LISA FORTE. And I'm sorry, but to play the cynic, also kind of embarrassing.
CAROLE THERIAULT. Ever so slightly.
LISA FORTE. In some ways, that's kind of the worst part of it. You're like, oh my God, it wasn't even sophisticated.
CAROLE THERIAULT. And God.
GRAHAM CLULEY. And obviously, based upon what we subsequently found out, no one would have wanted cameras out of action at the inauguration. I mean, that was a truly historic moment, needed to be recorded. We needed photographs of the crowds for posterity so that we could later count how many.
CAROLE THERIAULT. So, did they use the public surveillance cameras, Graham, to do a crowd count? But to your point, if they were worried about any dissidents at the event, that is presumably how you would capture them.
GRAHAM CLULEY. Now, fortunately, before the big day, things actually got sorted out, but nobody likes loose ends when it comes to a cybercrime attack. It's fun to unravel the mystery and find out who did what and why. And that is what a recent article in the Wall Street Journal does rather spectacularly. And I was reading this and I thought, oh, I would love to share this with listeners of Smashing Security. So I'm gonna tell you what was happening because while Donald and Menalia, Menalia? Melania. Let's not start a rumor that the First Lady's a man. No, so Melania, while they were, you know, doing all those lovely things, there was another couple 5,000 miles away in Bucharest.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. And this young couple, now I'm probably going to butcher their name. So, you know, I'm sorry, I'm not Romanian. So apologies. Alexandru Isvanca and Evelyn Cismaru, a guy and a girl, and they were set up in Bucharest and they were rather like Bonnie and Clyde. They were a bit like cyber criminals of the 21st century. They actually liked to call themselves, their nicknames, their pet names for each other were Bobo and Eve. So I think I might call them Bobo and Eve as well.
CAROLE THERIAULT. I wouldn't want to tell you my husband's nickname for me, just saying.
GRAHAM CLULEY. Eek.
LISA FORTE. Eek, eek, eek.
GRAHAM CLULEY. Waiting for that data breach. Um, so, uh, now, uh, they'd been together for a while. In fact, ever since around about a year after they first met, they had supported themselves in their relationship through computer crime and credit card fraud. Fairly unsophisticated stuff. Yeah, romantic. Well, you know, who knows what they're buying. Committing small-scale online fraud with stolen credit card numbers, spamming out people. And they largely got away with it, I think, because for the police, the cost to investigate the crime was just too high.
LISA FORTE. Yeah.
GRAHAM CLULEY. Actually, Lisa, didn't you used to be with the police?
LISA FORTE. I did indeed.
GRAHAM CLULEY. And was this your experience that some computer crime doesn't get investigated for that reason?
LISA FORTE. Yeah, and to be honest, you've gotta balance out the chance of being able to catch someone and the harm that's been caused by whatever they've done and cost to the police resources. And sometimes that doesn't always mean everything gets investigated.
CAROLE THERIAULT. I imagine the amount of time and resources required just to make contact with the correct officials in Eastern Europe would be in itself completely off-putting.
LISA FORTE. Totally. Yeah.
GRAHAM CLULEY. Right. So there's different legislation in different countries, there's different languages, there's different time zones. It all adds up to money, money, money, and lots of effort, which maybe could be being spent elsewhere. And I think some financial institutions, if it's not tens of millions, are happy to take it on the chin. You know, and they think, well, consumers are gonna pay for this ultimately.
LISA FORTE. Yeah.
GRAHAM CLULEY. You know, through bank fees or whatever. So Evelyn, also known as Eve, she was actually found guilty of some credit card fraud back in 2012, but she only got a suspended sentence and told to behave herself in future. But surprise, surprise, that didn't stop her. And it didn't stop Bobo either. And from their apartment in Bucharest, they had spammed out this ransomware attack to an email list they'd picked up. And it just so happened that it infected all of these computers running Washington DC.
CAROLE THERIAULT. Oh, so it wasn't a targeted attack by any stretch. It was just a lucky find.
LISA FORTE. But that's even more embarrassing.
CAROLE THERIAULT. Yes, I agree. I agree.
GRAHAM CLULEY. Exactly. It wasn't like they'd put loads of effort into infecting those particular computers. It's just that they were unprotected or the users on those computers had clicked on an email attachment, and bam, they got infected, and then it spread inside the organization.
CAROLE THERIAULT. So it's like casting a net with your eyes closed and you just happen to catch this huge poisson.
GRAHAM CLULEY. Yeah.
LISA FORTE. But to be honest, it is nice to do something with your partner and have something in common.
CAROLE THERIAULT. Yeah, a story you can tell at dinner, right? Exactly. Or to your friends.
LISA FORTE. Yeah, how did you guys meet?
CAROLE THERIAULT. Yep, well, it's kind of funny.
GRAHAM CLULEY. Do you have a partner, Lisa? I mean, you're an ex-police person.
LISA FORTE. I wonder if—
GRAHAM CLULEY. Now, on the very same day that Bobo, the guy, managed to infect all these CCTV cameras in Washington, D.C. streets, he made a mistake. And his mistake was to order food from a pizza shop called Andy's Pizza in Bucharest.
CAROLE THERIAULT. What, on the same—
GRAHAM CLULEY. On the same day.
CAROLE THERIAULT. On the same day.
GRAHAM CLULEY. On the same day.
LISA FORTE. I know where this is going.
GRAHAM CLULEY. So now, his mistake wasn't ordering a Hawaiian pizza.
LISA FORTE. Okay, phew, that's fine. That's what I thought it was gonna be. Yeah. I'm Italian, so we— you get— people get hung in Italy for ordering Hawaiian pizzas. So please don't do it.
GRAHAM CLULEY. That wasn't his boo-boo. What his boo-boo was is that he used the same email address that he had used to spam out all these other people.
CAROLE THERIAULT. That's a pretty 101 mistake, isn't it?
GRAHAM CLULEY. Well, it turns out, Carole—
LISA FORTE. Oh, sec, 101. Yeah, yeah.
GRAHAM CLULEY. It turns out, Carole, that quite a few cybercriminals make 101 mistakes. The thing is, they may only make them once or twice, but that's enough, isn't it?
CAROLE THERIAULT. Yeah, well.
LISA FORTE. Wow.
GRAHAM CLULEY. Well, he wasn't the only one making a boo-boo, was Bobo. Eve, she had this other criminal scheme up her sleeve. You see, she was running a fraudulent seller account on Amazon. You know, you can buy things on Amazon which don't come directly from Amazon, but from other people who sort of set up online stores up there.
CAROLE THERIAULT. Yeah, of course.
GRAHAM CLULEY. She set up a fake one. And what happened was whenever people ordered something from her, she'd get the alert saying, oh, you know, Frank has ordered a book or a DVD box set or something. And then she would use a stolen credit card to go and buy it from a legitimate seller. So they would do all the shipments. So she'd get the money and then she'd use a fake credit card to actually buy it and get it delivered. Hmm. Good on her. Well, it's astonishing this sort of thing goes on, but it does go on. But she didn't use her own computer to do this because that would of course have left too many clues lying around, right? Did she use both?
CAROLE THERIAULT. Oh my God, that would be the best outcome.
GRAHAM CLULEY. Well, she used one of the computers belonging to the police in Washington, D.C., controlling the CCTV cameras. And so when the U.S. officials, when the Secret Service were running around fixing the hijacked cameras and panicking about that and resetting the computers, they went to one of these computers and they found on it, they found this message, this tracking number of an Amazon package being sent to the UK, right? And interestingly, when they looked at the order of what was being sent to the UK, do you know what it described the item as? No. A smoking gun.
LISA FORTE. Oh my God.
GRAHAM CLULEY. Now, when I heard of a smoking gun, I thought this might be something that people vape with, right? Because that's sort of, you know, all the smoke and stuff, which I thought maybe it's something like that.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Or a cigarette lighter or something. But no, apparently a smoking gun is an accessory used by people who like barbecues. And according to the Amazon description, adds a lovely smoky flavor to food and drinks.
CAROLE THERIAULT. Are you sure it's not a smoker gun?
LISA FORTE. Yeah, I would have said smoker gun.
GRAHAM CLULEY. Well, look, I— this is the Wall Street Journal, and far be it from me to suggest that they've got this wrong.
CAROLE THERIAULT. Okay, but did you Google it? I'm just going to do that right now.
GRAHAM CLULEY. Well, you can go ahead and use a search engine of your choice. If you wish.
CAROLE THERIAULT. Start page. Don't you worry.
GRAHAM CLULEY. While you're looking at that, I'll carry on. The UK cops were then told by the Americans, look, this is the house where this gun is being delivered, and we think it's associated with this hijack of the CCTV cameras. So cops went round to this house in Streatham.
CAROLE THERIAULT. Where the smoking gun was delivered.
GRAHAM CLULEY. Where the smoking gun was delivered.
CAROLE THERIAULT. Apparently Amazon call it that too, so there you go.
GRAHAM CLULEY. There you go. Okay. And they arrested the people. There was a 50-year-old British guy and a 50-year-old Swedish woman at the address, and they said, look, we know nothing about this. We're just into barbecues in quite a serious fashion.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. And so they were initially arrested in connection with the hack, but they weren't actually connected at all. But Eve had blundered some more. She had created a Gmail account as a backup to some of her other online accounts, and she'd attached to that Gmail account her real name. And you may not be surprised to discover that the police have it within their ability, if they have a name, to then possibly locate the person associated with that name. And so they were able to identify that this was the same Evelyn in Bucharest.
CAROLE THERIAULT. So what you're saying, it's like if I had AAA and BBB and CCC as fake accounts, but as a backup account, I put it under my legit email address. And so they just—
GRAHAM CLULEY. Carole Theriault at SmashingSecurity.com or something like that. Yeah.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. Well, again, again, not the smartest, uh. So Europol investigated, and Eve and Bobo went on the run. They're eventually caught, put under house arrest. Evelyn Cismaru, also known as Eve, was extradited to the States and has since pleaded guilty and agreed to testify against her former boyfriend. The full story of how she was caught is quite fascinating. You can go and read it on the Wall Street Journal. It is quite interesting to read. But anyway, she has since been released for time served. And she's now in London working as a fashion fitness entrepreneur.
LISA FORTE. Good for her.
CAROLE THERIAULT. What is that?
LISA FORTE. You go, Eve.
GRAHAM CLULEY. You go, Eve. Well, you can say go Eve to her yourself because she's on Instagram and she has got 80,000 followers to her account.
LISA FORTE. Wow.
GRAHAM CLULEY. Where she is posting glamorous selfies. Now, Alexandru Isvanca, meanwhile, also known as Bobo, he hasn't come up quite so good out of all this. He's facing trial in Romania on other credit card theft charges and is currently facing extradition to the States where he could face up to 20 years in prison.
LISA FORTE. Can I just say that the point at which they went on the run, I mean, we've all been there with our partner where we've had an argument and it just gets way out of hand. Can you imagine the arguments that they were going on in that car? No, it was you because you ordered that pizza. No, it was you because— I mean, it would have been beautiful.
CAROLE THERIAULT. It would be a lover's tiff, to be sure.
LISA FORTE. For sure.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. We've all gone on witness protection from time to time with our partners. We've done it.
LISA FORTE. We've all been there.
GRAHAM CLULEY. So I thought this is a salutary warning to other cybercriminals out there not to make such elementary mistakes. Maybe not even commit the crime in the first place, but also as a backup for your future career, maybe set up an Instagram account because maybe you'll become an Instagram influencer.
CAROLE THERIAULT. So basically their mistake was almost inevitable. The mistake was they got too big a fish that they didn't know how to handle. They caught the attention of the FBI, who otherwise would never have looked their way because they were doing petty crime in Bucharest.
GRAHAM CLULEY. I think you're absolutely right, Carole. I think if you spam out a lot of email addresses, there's a danger that you might infect someone who you didn't want to infect, like the FBI, like Scotland Yard, like the NSA. You know, you just want to stay well away from those kind of targets.
LISA FORTE. Mossad would be another one that I would guess.
GRAHAM CLULEY. Oh, you don't want to— You don't want to mess with the Israelis.
CAROLE THERIAULT. Back away.
LISA FORTE. There's a few of them on the list that you just probably want to search for.
GRAHAM CLULEY. Says the Italian. As though they never cause any trouble.
LISA FORTE. Yes.
GRAHAM CLULEY. Lisa, what story have you got for us this week?
LISA FORTE. So I also have a romantic tale.
GRAHAM CLULEY. Ah, lovely.
LISA FORTE. Love and treachery, and you know, it's just— it's a beautiful story. Um, basically what has happened is two London investment bankers, madly in love, have just been charged in the US. Um, and they've been charged for insider trading, basically.
CAROLE THERIAULT. Whoa, whoa, investment bankers with a heart?
LISA FORTE. Sounds— oh yeah, they love each other. They loved each other and they loved money.
CAROLE THERIAULT. So, right, oh, the best thing.
LISA FORTE. Exactly. Um, yeah, so they've basically been taking loads of information from the companies they work for and selling it on to other traders through middlemen so that they can basically make— they reckon about tens of millions of dollars in profits have been made from this, and it's been going on for over 5 years. So their OPSEC was a little bit better than— so they had pseudonyms for each other as well. They called each other Pops and Popsie in their emails. I know, it's beautiful, isn't it? So they were sort of going through middlemen, sending these things, and one of the messages that has been sort of revealed in this court case is that he wrote, once upon a time, there was a pop searching for truffles in the forest. And attached to said email was a highly confidential file relating to a pharmaceutical company that got sent to another trader. And they use these like cryptic messages. They were encrypting everything. They were using burner phones to pass information. And yeah, they cost a lot of people a lot of money and they're in a bit of trouble for it. So it was a beautiful story of love and money.
GRAHAM CLULEY. Truffle snuffling.
LISA FORTE. Yeah, exactly. But it's kind of interesting because one of the commentary pieces on it was that in some of the cases they released information like, okay, there's going to be a merger. So the share price was going to go up.
CAROLE THERIAULT. Right.
LISA FORTE. So in some ways, although they released that information, it benefited the company because their share price just went up early.
CAROLE THERIAULT. Yeah.
LISA FORTE. But there was also situations where they passed really damaging information to short sellers. And essentially short sellers are like kind of hated.
CAROLE THERIAULT. The enemy of the company.
LISA FORTE. Yeah, they're basically people who bet that your share price is going to plummet. Exactly. And they make money when it does. So they get some sort of dirt on the company from these people and then they publish it and then the share price drops. So interestingly, they were just at this for years and it seems to be that this is just the tip of the iceberg and they reckon that there could be 10, 15 other people around the world who've been involved in this ring of insider traders. So it's really fascinating because obviously they were at a company that you'd have thought would have had a reasonable amount of security, but yet they were still managing to exfiltrate all this information and then use it to make millions.
CAROLE THERIAULT. So do you know if bankers or investment traders have to sign an oath that they're not going to pass on these secrets? Like, I don't know how it works. It must just be, how was your day? Fine. Good. It's like, it's like being married to a spy or something.
LISA FORTE. Yeah, totally. Well, it's definitely highly, highly illegal.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. For sure. It reminds me a little about a hacking gang who a few years ago hacked into PR Newswire and some of the other press newswires, because of course that was somewhere where hundreds of companies were posting financial news or news about mergers and acquisitions. And the hackers managed to get hold of these press releases before they were published. And then sell them to dodgy people who were doing the trading. And they made a fortune. This really is a more effective way, if you don't get caught, of making a large amount of money through cybercrime than just sending out ransomware, I reckon.
LISA FORTE. Totally. And I think the other thing, people always think that, 'cause we talk so much about PII and like personal information and stuff like that, actually to an insider threat, that's pretty useless information because the stuff that's gonna make you big, big bucks is going to be trade secrets, it's going to be market information, it's going to be IP. You know, that's the sort of stuff that you can steal and sell for a lot more money than any personal information of any employee or anything.
CAROLE THERIAULT. Yeah, that's true, isn't it? It's like stealing a company's secrets as well is very useful, you know, if you can target the competitor to sell it on to.
GRAHAM CLULEY. The intellectual property or something like that.
CAROLE THERIAULT. Yeah, the IP.
LISA FORTE. Yeah, because the Google exec has just been indicted, hasn't he? Because he stole trade secrets about the self-driving cars that Google were developing and he sort of took them with him when he left.
CAROLE THERIAULT. Yeah.
LISA FORTE. Rolled into Uber and was like, "Hey, Uber, guess what?" This is such a big problem, isn't it?
GRAHAM CLULEY. It's not just the external threat, but the threat of people who are basically people you've opened your kimono to, people who you've sort of embraced or brought into your company or trusted.
CAROLE THERIAULT. Who opens your kimono to your investment bankers?
LISA FORTE. Who does that? Graham, seriously, I'm worrying about you, man. We'll get him some help. We'll find him.
CAROLE THERIAULT. Yeah, listen to him. He's wheezing away like practically dead. Are you lying on the ground as you do this podcast?
GRAHAM CLULEY. Carole, what's your story for us? We know it's about Uber. Go on, tell all, tell all.
CAROLE THERIAULT. Well, Uber, right? The bane of every old school cabbie out there, but so loved by city dwellers the world over for its convenience. And I might argue its adventure as well. I mean, with an Uber, you never really know what you're gonna get. You must have a crazy Uber story. I think everybody does.
LISA FORTE. I definitely do.
CAROLE THERIAULT. Okay, tell.
LISA FORTE. I, okay, this is, I would, I got an Uber in London once and I had this Irish driver and he spent the entire duration of the journey telling me what kneecapping was.
GRAHAM CLULEY. Oh, how nice.
CAROLE THERIAULT. Oh my God.
LISA FORTE. So yeah, that was my, that's my experience. Yeah.
CAROLE THERIAULT. I got into the cab and he was furious the entire time because this previous person had vomited in the car but didn't tell me until we had taken off. So that's when the smell hit me. And with the cleaning Febreze stuff. Oh no. Oh my God. Oh.
GRAHAM CLULEY. I had a bad experience as well. I once vomited in the back of Uber and all I had was a Febreze spray with me and I just quickly sprayed it around. Got out quick. Yeah.
CAROLE THERIAULT. Now you both will of course remember that Uber got hacked 3 years ago, back in October 2016, with the hackers stealing the personal data of almost 60 million customers and drivers. Well, the two guys behind the hack have recently pled guilty, and some pretty juicy details have come out since. The upshot is Uber did not react the way you would want a respected company to behave, in my opinion. So question one was, how did these two hackers get into Uber and steal that ginormous treasure trove of user information? ZDNet pulled together a rather insightful article on this based on court documents. Here's the gist. So in 2016, the two hackers, a Floridian named Brandon and a Torontonian named Vasily, used their custom—
LISA FORTE. Sorry, can I just ask, were these guys romantically involved?
CAROLE THERIAULT. Not at all. I have no love in my story. I know.
LISA FORTE. Okay, that's a shame.
CAROLE THERIAULT. Though you can imagine them holding hands. Okay.
LISA FORTE. I will, I'm doing that now.
CAROLE THERIAULT. Okay, so you've got your Floridian guy, he's gonna be wearing shorts, you know, maybe Magnum P.I. style-y.
GRAHAM CLULEY. Oh, sexy.
CAROLE THERIAULT. Yep, and Torontonian just wearing a big hoodie and a big, big, big toque for your head.
GRAHAM CLULEY. A moose.
CAROLE THERIAULT. Yeah, wearing a moose, yes. These two guys used their custom-built GitHub account checker tool to test user credentials leaked from other sites against GitHub's own service, and they were particularly interested in targeting credentials of corporate employees because they wanted to get high-value GitHub accounts. They weren't interested in little, you know, people like me with a few things there. They wanna look for the motherlode.
GRAHAM CLULEY. So what they were doing was they were searching GitHub to see if developers had left passwords and keys?
CAROLE THERIAULT. Right. They're looking for credentials. They're looking for usernames. They're looking for passwords, looking for keys, looking for anything that's gonna allow them to breach any associated Amazon Web Services.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. And then once they were able to get those credentials, they had this huge backup of information of sensitive data like user details and backups and all that sort of stuff. So boom, they had the goods. This is the personal information of nearly 60 million users and drivers. Now, question 2, how do they extort the money but stay under the radar? Because of course, no one knew about this. If the attack happened in October 2016, it didn't make it out into the public arena till a year later. So with this data in possession, the two hackers created and used a ProtonMail email service.
GRAHAM CLULEY. Oh yeah, I've got a ProtonMail account. Yeah.
CAROLE THERIAULT. They used this ProtonMail address to contact Uber. And this was in November 2016. This was a full month after the attack. Now they contacted the then chief security officer, Joe, the CSO, and they said they found a major vulnerability and provided a sample of the stolen data. And they demanded $100,000 payment in bitcoin to delete the info.
GRAHAM CLULEY. Yeah. The major vulnerability is we've managed to nab some of your passwords.
CAROLE THERIAULT. We've got—
GRAHAM CLULEY. Getting access to your data.
CAROLE THERIAULT. And here is all the data we have of yours that you should be keeping under lock and key.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. Now, Joe, the CSO, you may remember, ended up paying off these hackers but told no one about it. Not the authorities, as the rules stipulate, not the affected users whose data had been stolen. Everything was kept deep, deep undercover.
GRAHAM CLULEY. That's scandalous, isn't it?
LISA FORTE. I mean, it's a strategy. I mean, it's not a good strategy, but I guess, you know.
CAROLE THERIAULT. Yeah. It's gotta be a stressful time for Joe the CSO at this stage, right? Because he's taken a road of— He's taken the left fork in the road. What is it? He's— I can't even speak.
GRAHAM CLULEY. I like the analogy, Carole. I mean— The wheels are possibly going off it, but it's— Well, I mean, this is Uber all over though, isn't it? I mean, certainly a few years ago, I know they've changed CEOs since then, but they were up to a lot of very dodgy things, which will make them very controversial. And they did seem to, yeah, ride a bit roughshod over the rules.
CAROLE THERIAULT. So here's some cute things about this that I found interesting. So first one was Joe, the CSO, responded to their ransomware threat as though it were a bug report, right? So he carried on the charade. You know, Joe the CSO paid via the company's HackerOne bug bounty program, which from a corporate standpoint is probably a very, very good way to hide if you're gonna pay off a ransom.
LISA FORTE. Yeah, definitely.
CAROLE THERIAULT. Right? 'Cause that money's already earmarked. It's not like you're trying to steal it from sales or marketing and you have to come up with some made-up reason. It's okay. So this gets interesting here, right, for me. So we have responsible ethical hackers out there, right? And they find flaws and they contacted the affected company. They provide proof that they were able to do something. And then often they kind of look for payment for their hard work. And in exchange for that, they will not go public until the problem is sorted. That's effectively what we'd call responsible disclosure. Now these guys, they're kind of doing a similar thing, except they're holding data for ransom. They threaten to go public with that information unless Uber pays up.
GRAHAM CLULEY. Well, I think the difference probably is that if you were a genuine security researcher who is behaving ethically, you would not download all the gazillions and oodles of data from that Amazon bucket. You'd simply see that you had access to it.
CAROLE THERIAULT. But what's more important for me, I think, is that that person doesn't then share it with everyone in the entire universe and put it up on a database.
GRAHAM CLULEY. Yeah. Yeah.
CAROLE THERIAULT. So let's keep that in mind because I want to come back to that in a second. So the other big question, how did Uber know that the hackers would not release the data after they made their payment? Right? That's the big question we always have. How, you know, okay, I've paid off the ransom, but how do I know? Now, in order to ensure that the hackers stayed stum about their activities and their big treasure trove of data, Uber made the hackers sign NDAs. This is a non-disclosure agreement, right, that holds parties accountable to keeping their trap shut. But how did they do that, right? They didn't know the hackers' true identities, did they? Yes, they did.
LISA FORTE. Oh, Uber.
CAROLE THERIAULT. Yes, they did. Yes, they did. And then according to media reports, in January 2017— okay, this is still 7 months before any of us found out.
GRAHAM CLULEY. This is after Uber have paid them.
LISA FORTE. They paid them first.
GRAHAM CLULEY. I think they paid them and then they investigated and found their identities.
CAROLE THERIAULT. So, okay, so then in January 2017, an Uber rep went down to Florida to meet with our U.S. Floridian hacker and got him to sign an NDA with his real name. And then two days later, another Uber rep meets up with the Canadian hacker in a Toronto restaurant and gets his John Hancock on the NDA form.
GRAHAM CLULEY. So John Hancock, what's that?
CAROLE THERIAULT. Signature. Oh, don't know that.
GRAHAM CLULEY. Is that what people call signatures? John Hancocks? Why would a signature be John Hancock?
CAROLE THERIAULT. I'll let you Google it.
GRAHAM CLULEY. Am I terribly ignorant?
CAROLE THERIAULT. I'll let you Google it.
GRAHAM CLULEY. Am I exhibiting my ignorance? Okay.
CAROLE THERIAULT. Yeah. It's not Hancock though. Okay.
GRAHAM CLULEY. Hancock. No, I don't think that. Hang on. John Hancock.
CAROLE THERIAULT. So to sum up, Uber required the two hackers to sign a confidentiality agreement prohibiting the use of data and public disclosure of the security breach. So they knew who hacked them, but never gave the identities to the cops. So to be fair though—
GRAHAM CLULEY. John Hancock has the largest signature on the Declaration of Independence. And his is the only one still legible on the highly faded document, it says.
CAROLE THERIAULT. There you go.
GRAHAM CLULEY. He wanted to be sure that King George III could read it. There you are. Because he's like, let's get me in there, do a really big signature.
CAROLE THERIAULT. We could maybe do this at the end of my segment.
GRAHAM CLULEY. Yeah, I'm sorry, I've just found it interesting.
CAROLE THERIAULT. I'd just like to have a bit of rhythm, if I could.
GRAHAM CLULEY. Yeah, okay.
CAROLE THERIAULT. If that's all right. Yes, Lisa.
GRAHAM CLULEY. Yes, that's fine.
LISA FORTE. Can I just say though, Uber did not tell the police who these people were, but— if you've just gone out of your way to hunt these people down, get them to sign NDAs to keep everything completely quiet, and then you go to the police and go, guess what, I've got them, let's just make this public. It's kind of a waste of time, really. I just think that, like, in fairness, it does make logical sense. It's not a very good strategy decision, and it clearly does not make you look very transparent, but you're not exactly going to go and publicize it after you've got them to sign NDAs.
CAROLE THERIAULT. Well, I had two thoughts on this, right? One of them was, remember we were talking earlier about the NDAs and them signing it. The fact that they did this kind of ensures that they weren't going to go live with the data. So in a way, it may have been a very responsible thing to do in terms of Uber customers whose data had been stolen.
GRAHAM CLULEY. But still not tell the customers.
CAROLE THERIAULT. Maybe Joe the CSO did something really good here.
LISA FORTE. No.
GRAHAM CLULEY. Because of course, even if they've signed an NDA, they could still have told, you know, Mario in Bucharest or something. They could have just whispered to him or left him a copy of it, or they may have been lazy with their own security, so someone else could have hacked the data. And who knows, because those passwords were left on GitHub, someone else could have pinched it as well. So they should have told all those Uber customers and drivers about the problem.
CAROLE THERIAULT. Mm-hmm.
LISA FORTE. And let's be honest, what was going on here was Uber are thinking, our share price has taken a battering. We really can't afford to have this huge, massive data breach that shows how incompetent we've handled our data to come out and then our share price will be zero and we won't, you know, that'll be that. That was really the motivation.
CAROLE THERIAULT. Yeah. And ironically, ironically, what leg did Joe the CSO, what could he stand on afterwards after he paid off the money? What was he going to do, hold them to their NDA if they did go live? What was he going to do, go live on the record and say, yeah, okay, so I paid them, I knew who they were, I made them sign NDAs to keep it all under quiet, and that would have been better for the company anyone.
LISA FORTE. Now, haven't Uber said in response to this that Joe and somebody else were kind of off on a frolic of their own and no one knew that they were?
CAROLE THERIAULT. Yes, well, excuse number 48 from any organization. Potentially true, potentially true, but, um, right? He certainly paid the price. He no longer works at Uber. And, you know, it was only 10 months after this NDA signing, right, that Uber, uh, told riders and drivers— and that was under new management, you mentioned that earlier— so that's a long time now. The current CEO, he said in a statement last week, "None of this should have happened and I will not make excuses for it." And he said, "While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes." Now, I was all cool with this apology till the word mistake. Okay, mistake. I think that's a little bit rich, don't you think? I mean, I'm not talking about the breach, the fact that they got, you know, their security wasn't on par and someone stole their data. But how they responded to the breach is really abysmal.
LISA FORTE. Yeah, the company-wide manhunt wasn't like an oops moment. It was like dedicated team of resources going after these people.
CAROLE THERIAULT. Flying to Toronto to get an NDA signed, you know, showing a lot of forethought.
LISA FORTE. Classic mistakes.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. It is terrible, isn't it? I mean, we talk all the time about companies getting hacked and the mistakes they make, but this sort of deliberate cover-up, an attempt to avoid telling your breached customers about what's happened is scandalous.
LISA FORTE. And I always say this to my clients, you know, when I'm doing these things, that the best thing you can possibly do is like a Maersk situation, because Maersk is like held as the gold standard of instant response now, right? And then comms messaging was like on point, really transparent. And I truly think that honesty is your best policy if it's— if you know you've been breached.
CAROLE THERIAULT. 100%. And the way you handle these breaches can do a lot for your share price thereafter, for sure, right? When you— how you handle yourself in a crisis is a very good measure of something, someone you want to invest in.
GRAHAM CLULEY. Now, what's the damage to Uber now? Are they being punished?
CAROLE THERIAULT. It's all very interesting. So the FTC placed Uber under a strict security audit. Okay. The UK fined Uber just shy of £400,000. So what, $600,000? And the Netherlands charged €600,000. And there was a $148 million fine for a class action lawsuit, right? So this was a settlement for that. So all that together, still for a company reaching $3 billion in revenue is a tiny, tiny tap on the nose rather than a smart slap on the choppers.
GRAHAM CLULEY. It's about the same amount it would cost me to get an Uber to Edinburgh. Or something like that, I expect. It is a return trip.
CAROLE THERIAULT. It's funny because, right, all these fines, this money goes to government agencies. And wouldn't it be great if somehow affected users got that as a tax break? If they— so if they get the money and you're like, oh, well, you were a Uber user, you can get, you know, £140 off your— this year's taxes. That might encourage—
GRAHAM CLULEY. Good luck with that. That might—
CAROLE THERIAULT. yeah. Okay, good point.
GRAHAM CLULEY. That might be a vote winner if anyone's got an election coming up. I like to think smashing crow?
CAROLE THERIAULT. Okay, hand on heart time, how many of you can say that your password hygiene is squeaky clean? If you're feeling it could use a tune-up, maybe check out LastPass Enterprise. With central admin oversight, controlled shared access, automated user management, you help every employee become part of your security solution. Find out more at lastpass.com/smashing. Plus, I would like to extend a personal invitation to an upcoming LastPass event on Wednesday, November 27th, in the wonderful city of Manchester. Occasional Smashing Security guest host Jessica Barker and yours truly are going to be talking about all things security related. We would love to see you there. Check out the registration page on lastpass.com/smashing. On with the show.
GRAHAM CLULEY. And welcome back. Can you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week?
CAROLE THERIAULT. Pick of the Week.
LISA FORTE. Pick of the Week. Yeah!
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
CAROLE THERIAULT. Should not be.
GRAHAM CLULEY. And mine is not security-related necessarily. There I was the other night in the bath thinking, how can I entertain myself because it's so dull here with my loofah? And oh, I see my wife has left the iPad within reach. I thought, I wonder what I could prop— I could prop that up somewhere and see if I can watch something.
CAROLE THERIAULT. Are you in the bath with electronics again?
GRAHAM CLULEY. Don't worry about it. It's absolutely safe, I'm sure. Anyway, so I propped it up at the end of the bath and I went onto Amazon Prime and I went back in time once again, because I'm quite nostalgic. I remembered being a 12-year-old boy watching a BBC TV show from the late 1970s, early 1980s, called The Master Game.
CAROLE THERIAULT. The Master Game.
GRAHAM CLULEY. The Master Game. And this was a BBC Two show, I think it was. And there is one series, the sixth series, which is available to view for free on Amazon Prime. You don't have to pay. On some of them you have to pay, but on this one you can watch the entire series for free. And it stars 15-year-old Deep Purple fan Nigel Short. And if that isn't enough of a clue, Carole, as to what this TV show is about, it's about chess.
CAROLE THERIAULT. Ah, no, I had no idea.
GRAHAM CLULEY. I'm sorry about that.
CAROLE THERIAULT. I had no idea.
GRAHAM CLULEY. Yes, it is an innovative TV show. I absolutely loved it at the time because what they would do is they would pit two International Masters or two Grandmasters against each other. And as they were playing, you would actually get their internal commentary from the player themselves as though they were playing it. So they'd go, oh, what to do? Interesting. That's a very sensible move he has made.
CAROLE THERIAULT. Is this like a voiceover? Or is—
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. They do it after they watch their moves afterwards.
GRAHAM CLULEY. Exactly. They watch it afterwards and they act it as though they're playing it.
CAROLE THERIAULT. I think of how much an asshole he is and I will kill him with the next move.
GRAHAM CLULEY. And it's fantastic. I absolutely love it because it's so rare to get that kind of insight from the people who are actually playing. It was very innovative at this time because of course they didn't have computer graphics.
CAROLE THERIAULT. I was just gonna say, have you been on YouTube? Because everyone is willing to give commentary at every single thing they do.
GRAHAM CLULEY. Yes, but this is both parties on a game and it was presented wonderfully. And one of the presenters, the commentator, is a chap called Bill Hartston. I have to say, when I was 12, Bill Hartston was a bit of a hero for me. Reminds me a bit of my dad. Head, sort of softly spoken, sort of nice chap. And—
CAROLE THERIAULT. He looks like Bill Cosby.
GRAHAM CLULEY. Right. Well, yep.
CAROLE THERIAULT. Oh no. Oh boy.
LISA FORTE. Yep.
GRAHAM CLULEY. Bill Hartston is one of the people who occasionally appears on the sofa in Gogglebox. Gogglebox is a TV show where they basically film people sat on a sofa watching TV and responding to TV.
CAROLE THERIAULT. For real. That is what it is.
GRAHAM CLULEY. That is—
CAROLE THERIAULT. It's quite entertaining.
GRAHAM CLULEY. Anyway, Bill Hartston is one of those people. And so he's also— and I remember watching Gogglebox once and I said, that's Bill Hartston. Chess master. Fantastic, very exciting for me. So I would recommend, if you have any interest in chess— I know I've probably lost you if you aren't interested at all— then go and check out The Master Game on Amazon Prime, and you can also see some clips on YouTube as well. And that is why it is my pick of the week. Lisa?
LISA FORTE. It's pretty cool.
GRAHAM CLULEY. It is, it is pretty cool. Lisa, what is your pick of the week?
LISA FORTE. So anyone who knows me or has met me will know that this is obviously going to be a little bit dark, because that's kind of how I feel. So mine is an app, it's a game that I've recently become addicted to and it's called Plague. Yeah, it's gonna— it's just gonna get worse from this point. And basically it's a bit weird, but it's a game where you have to design a bioweapon, a virus, a bacteria that's gonna infect and kill off every single member of the human race. And it's really, really difficult because the damn humans keep working on cures or isolating. They close airports, they close shipping ports, and you have to get around it, and it's really difficult.
CAROLE THERIAULT. So you're teaching the machines how to kill us? Yeah, in future. You're just giving them all the data. Great, thanks, Lisa.
LISA FORTE. And your virus will mutate, and it's just, you know, you've just got to like sneak in, infect everyone. If you kill them off too soon, they can't infect other people. I waste so many hours traveling, playing, killing humans, basically, is what I do.
CAROLE THERIAULT. So do you— are you playing the same game, or you have to start again? Do they suddenly win and you have to go back to the beginning?
LISA FORTE. Yeah, so like, if they win, then it's over. Um, if they don't, and then you've got to see how fast you can kill everybody off, basically.
CAROLE THERIAULT. Have you beaten the people?
LISA FORTE. Oh yeah, several times. Yeah, pretty proud of my achievements.
CAROLE THERIAULT. I can— I love the premise of it. I love how they flipped it on its head, but you're not protecting humanity but going after them.
LISA FORTE. Yeah, it's really annoying when they start using hand sanitizer. Okay, I'm actually gonna— I'm gonna check this out.
CAROLE THERIAULT. I'm gonna check this out.
GRAHAM CLULEY. It's called Plague and it's available for iOS and Android and maybe some other platforms as well. Actually, I'm just website right now. Looks like it's— oh, there's even a board game version of it.
LISA FORTE. For those Christmas memories.
CAROLE THERIAULT. I think I might do that. Good. Bam, boom. That's what I'll do. I'll buy it from my dad.
GRAHAM CLULEY. Carole, what's your pick of the week?
CAROLE THERIAULT. So as some of you know, I've been trying to get better at art, right? Yeah. And it turns out that more often than not, something comes out particularly badly. Not at all what I had in mind. It's really frustrating and I don't want to do it anymore. And in those times, I have taken to watching old art documentaries on the YouTube. And there are a few wonderful compilations, which I will share in the show notes on the Smashing Security webpage. We're talking hundreds of hours of intelligent, thought-provoking, insightful, interesting things into artists or art movements or techniques or scandals. I was recently watching one called The Great Contemporary Art Bubble. The Bubble. It's a BBC documentary from 2017, um, and this is on Damien Hirst and how he was at the center of the art bubble because there was this gallery called The White Cube in London and they would occasionally come, we've got a brand new Damien Hirst and it's valued at 500 million, you know, and have an auction around that. But it turned out that someone had leaked their inventory and price list and they had hundreds or even thousands of Hirsts in the back room and they had all the prices written down. So in other words, they were controlling the supply and demand of the artworks to keep by keeping them scarce. And what does Damien Hirst end up doing? He decides to hold his own auction of the works he still owns, right? So this could undercut the gallery, but what are the galleries supposed to do? If they don't support him, then his work might get undervalued because he might sell them for a few thousand. But if they do support him, they don't get to see any of the money returned because he owns the whole auction. Fascinating. Check it out. I will have a bunch of show notes of different YouTube compilations and a few shows that I found fantastic. And if you're into art or artists or Francis Bacon— crazy, crazy.
GRAHAM CLULEY. Oh yeah.
CAROLE THERIAULT. Anyway, go check it out. That's my pick of the week.
GRAHAM CLULEY. Sounds excellent, Carole. Yeah, fantastic. Well, that just about wraps it up for this show. Lisa, I'm sure lots of our listeners would love to follow you online and find out more. What's the best way for folks to do that?
LISA FORTE. Yeah, Twitter. I'm @LisaForteUK. Go check me out. And obviously on LinkedIn as well. And then I'm just around.
CAROLE THERIAULT. Catch you on the flip side.
GRAHAM CLULEY. Yeah.
LISA FORTE. And tell me what and how, tell me how quickly you annihilate humanity and then I can judge.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. I will. And you can follow us on Twitter @SmashingSecurity, no G, Twitter wouldn't allow us to have a G. And you can join the discussion with us about the episode on Reddit. Just look for the Smashing Security subreddit.
CAROLE THERIAULT. And once again, thanks to this week's Smashing Security sponsor, LastPass. Its support helps us give you this show for free. And thank you, lovely listeners and supporters. Special Patreon supporters, you have mail, or you'll be getting some soon. I stuffed the envelopes myself along with a little "You rock" note. So check out smashingsecurity.com for past episodes, sponsors, details, and info on how to get in touch with us.
GRAHAM CLULEY. Until next time, cheerio, bye-bye, bye-bye.
CAROLE THERIAULT. Lisa, you're great!
LISA FORTE. Oh cool, I had fun. I just laughed a lot.
CAROLE THERIAULT. You were awesome.
GRAHAM CLULEY. Crow, you say that you stuffed the envelopes yourself. I'm just, I'm just, it's just this Patreon message. I'm just, I'm just thinking about—
CAROLE THERIAULT. Graham, did you stuff, did you put anything into an envelope?
GRAHAM CLULEY. I technically did not stuff the envelopes.
CAROLE THERIAULT. So then what's your problem?
GRAHAM CLULEY. Well, I did stick the names and addresses onto the front of them that I then had to put tape around.
CAROLE THERIAULT. Well, okay, because your Pritt Stick skills were not that great. Let's be honest here, Graham. It was like doing a job with a 4-year-old. Everyone with a 4-year-old knows exactly what I'm saying.
-- TRANSCRIPT ENDS --