This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley
Hey, it's Graham here. Just before we begin the show, just wanted to say that we had a bit of a problem recording this one. In the first few minutes of the podcast, Maria, who's our special guest, her audio is slightly defective. Please bear with it. We had some technical problems. We even had a power cut during the course of the recording. Her bad audio only lasts maybe 3 or 4 minutes, and after that, everything should be good. And we still think it's worth putting out. So bear with it and enjoy the show.
Carole Theriault
Smashing Security is supported by Recorded Future, the real-time threat intelligence company whose patented machine learning technology continuously analyzes technical, open, and dark web sources to give organizations unmatched insight into emerging threats. Sign up for the free daily threat intelligence update at recordedfuture.com/intel. That's recordedfuture.com/intel.
Unknown
Smashing Security. Episode 36: Flash, Clunk, Flush and Hacking Security Researchers with Carole Theriault and Graham Cluley.
Graham Cluley
Hello, hello, and welcome to another episode of Smashing Security, number 36. Indeed, my name is Graham Cluley, and I'm joined by my good buddy and co-host, Carole Theriault. Hello, Carole, how are you?
Carole Theriault
I'm good. I just wish I was 36 again, actually.
Graham Cluley
That was some time ago, wasn't it? Back in the '90s.
Carole Theriault
It's going to be one of those.
Maria Varmazis
It's one of those.
Graham Cluley
It's going to be one of those. And as you've just heard, we are joined by a special guest today, and it is Maria Varmazis, information security and technology blogger. Hello, Maria. Welcome to the show.
Maria Varmazis
Hi, great. Thank you so much.
Carole Theriault
Maria, I am so glad. We never have enough women on this show, and I am thrilled to bits that you're here. Thank you for joining, because I know you have recently had a baby, so you're not getting a lot of sleep these days, are you?
Maria Varmazis
I'm about as sleep deprived as most people in our industry.
Graham Cluley
When you say recently, do you mean this morning or what?
Maria Varmazis
No, no, heavens no. No, no, 3 months ago. So I just came off maternity leave about a week ago, so I'm dusting off everything going, what the heck happened? I just want to cry. Happened the day I was in the hospital. It was amazing.
Carole Theriault
Yeah, you're represented most every week.
Maria Varmazis
So, oh wow, the nurses were going, I think something happened and I'm gonna have to change all my passwords again. And they're wheeling in my baby in the bassinet and I'm going, oh my God, I can't get away from this anywhere.
Graham Cluley
Well, thank heavens you weren't having it in the British NHS because that could really have been a problem, couldn't it? Anyway, thank you for coming on the show. And I agree with Carole, we need more women on this show. In fact, we've had shamefully few.
Maria Varmazis
But you don't count at all is what we're saying.
Graham Cluley
Well, obviously there's been you, Carole. She doesn't count? No.
Maria Varmazis
You two cancel each other out and you become a gender-neutral thing. I don't know.
Graham Cluley
Now, listen, guys. Each of us is going to choose something which has tickled our security nostrils over the last week and got our attention. My story this week is, well, let me start off by saying this. What do you think is a security researcher's biggest nightmare? What do you think would really terrify them?
Maria Varmazis
Running out of booze.
Graham Cluley
Booze, yeah.
Carole Theriault
Being hacked.
Graham Cluley
Being hacked, meeting a member of the opposite sex. All of those sort of things definitely are a concern for those of us in the infosecurity world. But Carole, you have put your finger on it. Because a senior threat analyst at Mandiant, which is of course a division of security firm FireEye, was hacked in what appears to have been a revenge attack. Now, I'm not gonna name him because he's probably embarrassed enough as it is and is worried that his future career prospects are scorched. But he was targeted by hackers as part of a campaign which they're calling #leaktheanalyst. And a bunch of hackers who call themselves, hey Maria, you're a bit geeky, you'll be able to handle this, 31337.
Maria Varmazis
OMG!
Graham Cluley
Which I think is meant to mean elite. It's a bunch of elite hackers.
Maria Varmazis
It's like 1996 all over. I know.
Carole Theriault
I think this dates the hackers. This dates the hacker operation.
Maria Varmazis
A little bit. Yeah, mid-30s.
Graham Cluley
They've given away some information about themselves there. Anyway, they took information from this Israeli researcher, and they made it available for anyone to download from the net. It's still available to download, including his email archive, megabytes and megabytes of that, passwords, contacts database, details of private communications with potential recruiters. Slightly awkward, isn't it? Cloud drives, his calendar.
Carole Theriault
It's got to be kind of dull though, right?
Maria Varmazis
Dull?
Carole Theriault
Yeah. I mean, the guy's just emailing, saying, I'll be home for dinner. And yes, boss, I'll get that for you right away.
Maria Varmazis
Yes. Who's getting donuts for tomorrow's meeting?
Carole Theriault
Oh, can I have a job with recruiters? I mean, it's not, you know.
Graham Cluley
Well, no, it could be fairly juicy if you were talking about a particular hacking campaign or a piece of malware. And if you were the hacker who was being analyzed by this analyst, that may be useful. Furthermore, you may be able to find communications as they claim to have done about some of their clients and the situations that they found themselves in. They even managed to track the poor guy's location because his, I said poor guy, he really was, because he had a Microsoft Surface and it was being geotracked. And so they were able to pinpoint where in Israel he was from day to day. And to add insult to injury, the hackers even defaced their victim's LinkedIn page, replacing his picture with a photograph of a hairy bottom.
Carole Theriault
Sorry, what?
Graham Cluley
A hairy— bottom.
Carole Theriault
Did you see this picture?
Graham Cluley
I have seen it, yes.
Carole Theriault
Do you think it is her student?
Maria Varmazis
Can I see it?
Carole Theriault
Maria?
Maria Varmazis
I haven't seen it. I'm curious.
Graham Cluley
Link's in the show notes.
Maria Varmazis
Link's in the show notes. Noted.
Graham Cluley
And they described him— You know, normally where you have your job title is, you know, information security expert or something like that. What they wrote was, asshole fucked up analyst at fucked up Mandiant.
Carole Theriault
I have no idea.
Graham Cluley
Now, the profile has since been deleted, perhaps understandably. He's decided to remove his LinkedIn presence, but not very good, really, is it? And so the bad guys, they posted up on Pastebin and they provided a link where you could download all of this data, which they'd grabbed in the screenshots and the evidence that the accounts had been compromised. And they posted their little manifesto. And they said, for a long time, we, the— get ready, Maria— 31337 hackers—
Maria Varmazis
OMG!
Graham Cluley
Tried to avoid these fancy ass analysts whom trying to track— it's not great grammar, to be honest— whom trying to trace our attack footprints back to us and prove they are better than us. In the #leaktheanalyst operation, we say, fuck the consequence. Let's track them on Facebook, LinkedIn, Twitter, etc.
Carole Theriault
That's very famous.
Graham Cluley
Let's go after everything they've got. Let's go after their countries. That's a bit bold.
Maria Varmazis
Their tiny speakers.
Graham Cluley
Let's turn into tweeters. Yes, very good. Let's trash their reputation in the field. If during your stealth operation you pwned an analyst, target him and leak his personal and professional data.
Carole Theriault
Oh, hey.
Graham Cluley
So basically they're declaring war on the good guys.
Carole Theriault
Yeah, but the girls are safe. It's personal. It's his personal and professional data. So we're cool.
Maria Varmazis
There are no female analysts. Yeah, well, or we're all safe because they don't know we're there.
Carole Theriault
We might be the next doxing.
Graham Cluley
Hackers are sexist?
Maria Varmazis
No!
Carole Theriault
I would never dare.
Graham Cluley
Well, now, if you were to peruse the documents which they've now leaked from this guy's computer, it appears—
Carole Theriault
It's like reading someone's diary.
Graham Cluley
Why would you do that?
Maria Varmazis
Really?
Graham Cluley
Well, in preparation for this podcast, perhaps. But I didn't— Am I the only one with a moral fibre? Listen, I didn't look through his emails, right? I didn't do that. But there were certain—
Carole Theriault
Oh, well, good for you.
Graham Cluley
There were certain documents and presentations related to some Mandiant/FireEye customers, such as the Israeli Defense Force.
Maria Varmazis
Oh!
Graham Cluley
And those have been leaked out as a consequence of the hack. Right? No?
Carole Theriault
Okay, so I take back what I said earlier. I, yes, I was assuming perhaps it was his personal email archive, but of course it wasn't. So yes.
Maria Varmazis
Customer data, yikes.
Carole Theriault
Ooh.
Graham Cluley
Yeah. Now, the hackers say that they have hacked Mandiant's internal network and they've compromised client data and that they might, 'Leak that in the future.' Yeah.
Carole Theriault
That seems weird that you'd say that beforehand if you did actually have it.
Graham Cluley
I know. I'm a bit suspicious. Because you think, well, why haven't they leaked it already? If they want to cause embarrassment, if they want to give this guy some pain and get him in trouble, you probably would have done that as well, wouldn't you?
Carole Theriault
Unless they're wanting ransom.
Graham Cluley
Well, they don't seem to have asked for anything like that. It appears to be more a sort of personal attack in a way. They just don't like their stuff being researched.
Maria Varmazis
I would think someone who has the capability to target somebody and was in an internal network would actually lie low and see how much they can get away with.
Graham Cluley
Yeah.
Maria Varmazis
I mean, just see how long it takes for them to be discovered on the network, you know.
Graham Cluley
And we don't know how long they were— they did compromise this guy's account. Certainly from the geo data where they were tracking his lovely old Microsoft Surface, it does appear that that may go back some time. I don't know if that's an archive which is available to anyone, you know, whenever they log in, but it does appear that there was some old information in there. The obvious danger is, has client data been compromised? FireEye have issued a statement. They've told Gizmodo, "We're aware of the report." So they basically confirmed that the hack has happened. "We're investigating, we've taken steps to limit exposure, but there's currently no evidence that any corporate systems at the company have been compromised." They say, "Customer data, keeping that secure is a top priority. And to date, they've only confirmed the exposure of business documents related to two separate customers in Israel." One imagines one of those is the IDF. And they've addressed the situation with those customers directly. That's an awkward phone call to make, isn't it? Oh yeah, we might have doxxed—
Carole Theriault
How do you start? Hi.
Maria Varmazis
On my short list of people to not piss off, the IDF is definitely one of them.
Graham Cluley
You're right.
Maria Varmazis
Oh my goodness.
Graham Cluley
So what are the morals from this, folks?
Maria Varmazis
Get off the internet. Just delete everything and go home.
Carole Theriault
Bury your head in the sand, right?
Maria Varmazis
And also, schadenfreude is a dangerous thing.
Graham Cluley
It is. And anyone can be vulnerable, right? I think none of us can imagine that just because of our jobs or our roles or the fact that we're working in security 24/7, that somehow we couldn't be targeted. The truth is that everyone makes mistakes. I remember years and years ago, I was working at a security company and they were holding an antivirus conference and experts from all around the world were bringing in their presentation from rival firms. And one of these guys gave me a floppy disk there, that's dated me. And he said, "Here's my presentation." I said, "Thank you very much." I shoved it in my computer 'cause it was my job to collate everyone's presentation. And the antivirus on my computer went zoop, zoop, zoop because it contained a virus on the floppy disk.
Maria Varmazis
Was it the Morris worm? How far back are we going with this?
Graham Cluley
How dare you? How dare you? But I had to go back sheepishly to this antivirus expert and say, "Um, your peer has given me a virus." A fairly well-known name in the industry. And the truth is that he'd been using exactly the same computer to analyze viruses as he'd been using to write his presentation. And, you know, so people make mistakes.
Carole Theriault
I don't think that's the stake here though. I don't think that's what's going on here.
Graham Cluley
No, no. I think what may have happened here, from the examination, 'cause one of the things which fell out of this were passwords. And it does appear that this particular guy may have been reusing passwords. It's possible that his password leaked out from the old LinkedIn data breach, but also that he had a formula for passwords. You know how sometimes people think, well, you know, I will have different passwords, but what I'll have is I'll have a sort of base word, a base password, and then I'll add on the first two letters of the domain or something like that.
Carole Theriault
Graham, you and I years ago wrote a video about how to— recommending people do that. I don't know if you remember.
Maria Varmazis
I remember.
Carole Theriault
Yeah, we did. Yes, yes, we did. And you're the star of the show and I'm behind the camera.
Graham Cluley
Links in the show notes. That video doesn't say that. The video we have is one where we say, make up a random sentence and take the first letter of every word. That's what the video is.
Maria Varmazis
Okay. Okay.
Carole Theriault
It was a while ago. We'll go watch it, but I have a feeling you may be wrong. Anyway, I don't remember.
Maria Varmazis
We digress.
Graham Cluley
We digress.
Carole Theriault
We digress.
Graham Cluley
Yes.
Carole Theriault
Settle the fight.
Graham Cluley
Anyway, even the advice we gave in that old video doesn't really scale for the number of passwords which you need today. You know, my advice is use a—
Carole Theriault
Exactly. No, I agree.
Graham Cluley
Use a password manager to remember your passwords, to keep them secure, and to generate passwords as well.
Maria Varmazis
So many people use their own personal mental cipher thinking nobody can ever crack this. But I mean, come on. As you were saying, with all the passwords we need nowadays, there's no way you can make that even sane. So yes, please.
Carole Theriault
But on the other hand, though, a lot of people don't trust password managers. There's a lot of doubt in putting, storing stuff in the cloud and trusting a third party to do it. You don't have to use a cloud-based password manager though. You can use a local one.
Maria Varmazis
Yeah. I mean, I like cloud-based ones. I personally use one, but I completely get that there are problems with them for sure. And people understandably are skeptical.
Graham Cluley
But there are also problems with storing your passwords locally on your computer. You know, it's—
Maria Varmazis
There's no perfect solution.
Graham Cluley
Right. That's the thing, isn't it? So anyway, this guy, looking at some of his passwords, he works at Mandiant, which is a FireEye company. Some of the passwords have the word fire in them. You think, seriously, guy, you know, are you doing this? But hey, all security researchers out there, make sure that you're practicing what you preach.
Carole Theriault
Yeah, and I think actually it's an idea that many people just assume that they will not be targeted. And I think that's, you know, that's a fairly likely probability you won't be targeted if you're just— but, you know, in this industry and with this LeakTheAnalyst operation, I wonder what your advice would be, Graham, for other analysts out there? Are you saying literally just make sure your passwords are good and strong and unique?
Graham Cluley
Well, and have layered security and enable two-factor authentication and all the— I mean, we have, for instance, talked in the past about different ways in which you can protect your email account. All the variety— we'll link to a past podcast in the show notes. Oh my word, we've got a lot of show links today, haven't we? But we'll put some of those things in where you can learn some of the techniques which you can use to harden the security, to better protect yourself from these kind of attacks. Ultimately, I'm afraid it's your brain, isn't it? It's your mouse finger which might be clicking or making a mistake, or it's your decision as to whether you are going to choose a strong password or a weak one. And I think some people think, oh, because I'm a bit nerdy, somehow I don't have to worry so much as my auntie Jean.
Carole Theriault
I know someone exactly who's very savvy in security, and they insist on using the word password as their password.
Graham Cluley
Really?
Maria Varmazis
How did you know?
Carole Theriault
Advertises it.
Maria Varmazis
When did I tell you that? Just kidding.
Carole Theriault
But yeah, and I think it's an arrogance of, I'll never be targeted. Give me a break.
Graham Cluley
Wow.
Maria Varmazis
So everyone's a target, even if you're not a security analyst. I mean, not to be completely tinfoil hatty, but you know, it's having worked at security companies before, you know, even the marketing intern can be a target. And you know, definitely people who are high visibility targets like an analyst know that they really need to practice what they preach. But that goes all the way down, doesn't it?
Graham Cluley
Maria, what have you got for us this week?
Graham Cluley
Okay.
Maria Varmazis
So the petition from web developer Juha Lindstedt, I hope I didn't mispronounce his name, says open sourcing Flash and the Shockwave spec would be a good solution to keep Flash and Shockwave projects alive safely for archive reasons. Don't know how, but that's the beauty of open source. You never know what will come up after you go open source.
Carole Theriault
So well, yeah, and this is a good wake-up call for everybody who may have been a bit lax as of late on their own personal security whilst they're sitting there telling everyone else how to behave, right?
Maria Varmazis
Hooray. All right. So the reaction of much of the security community is paraphrased beautifully by Carole's reaction. Please just let Flash die already. It is due to die in 2020. That's not nearly soon enough, but let's make this happen. Well, to paraphrase from Monty Python, Flash, it's not dead yet. I'm not gonna even try and make a dead parrot joke, but there we go. So as many of us have heard, and no doubt many of our listeners would know, Flash is finally going to kick the bucket. Adobe announced 2020 is supposedly its expiration date for the much maligned plugin and video player and interactive thingamajigger. However, I mean, what else do you want to call Flash? Attack vector.
Graham Cluley
Put us out of our misery by putting it out of its misery.
Maria Varmazis
Amen to that. There is an ongoing effort from at least one web developer on GitHub to keep Flash alive. Why? And that is the reaction of many people around the internet. And just in case people want some stats from a lovely Gizmodo article quoting, I believe, our sponsor Recorded Future, they ranked Adobe Flash Player as the most frequently exploited product in 2015, comprising 8 of the top 10 vulns leveraged by exploit kits and noted the existence of over 100 exploit kits and known vulns. So yeah, it's a problem.
Carole Theriault
8 out of 10.
Maria Varmazis
Yeah. It's a, did better on tests than I am. So there we go. So boom, boom. So I mean, I've gone back and forth in my head on this whole thing because I love open source projects. I worked with a lot of the guys on Metasploit, which is a very wonderful open source project. And I've seen firsthand how wonderful the open source community is and what amazing things they can do. But open source is of course a double-edged sword. You open up that source code to the world and there's a real possibility that a lot of people are not going to be working out of the goodness of their heart to fix Flash. And they're just going to go to town and find all sorts of problems that they couldn't find before. So we're going to have an even more vulnerable Flash, if that is even a thing that you can imagine. It is quite a target.
Carole Theriault
Yeah, I know. I'm just, I don't know. I kind of, I kind of like the archival reason. I like that. I think that does make some sense that people should be able to research this information and see how it was working. Specifically Zombocom and Homestar Runner and Egon's World. Yeah. And Newgrounds.
Graham Cluley
I'm quite nostalgic about a lot of those retro kind of computer things. It would be a shame. Hey, I've got an idea. Could we, hey, look, huddle up, right?
Carole Theriault
Good guys.
Graham Cluley
Get together, right? Because how about we open source Flash? And so all the hackers and the bad guys, the malicious hackers, can spend lots of time and continue spending lots of time exploiting Flash, but the rest of us agree not to ever use it. Because the danger of closing down Flash is that the bad guys will then put all of their attentions on exploiting something we are using. But if we just keep it there and they don't hear that we're not actually using it, yeah, because they're all idiots.
Carole Theriault
Brilliant.
Maria Varmazis
Yeah, I'm sure this will work with no problems at all, right?
Graham Cluley
Good.
Maria Varmazis
Yeah, it's perfect.
Carole Theriault
So basically, how many people use Flash now though?
Graham Cluley
Maybe everybody. Yeah, still, because it's everywhere, because too many websites still have a tiny, yeah, teeny weeny little bit of them.
Maria Varmazis
Literally everyone who watches hentai stuff on the internet. Yeah, Flash. So those guys can be really pissed when it goes away. I'm just saying.
Carole Theriault
Well, it's like, how much warning do you need? I mean, we've known it's going to, you know, it's the longest death in history.
Maria Varmazis
Quite the death rattle for Flash.
Carole Theriault
You know, it's taking longer to die than XP.
Maria Varmazis
Yeah, it's taking way too long in my opinion and many other people's opinions. However, as the petition says, you never know what could come up after you go open source, exclamation point. And I mean, okay, fair enough. It could become more secure with more eyeballs on it. In theory, that is possible, but you know, open source projects are not always necessarily known for continuing after a certain point, you know, having a lot of support. People tend to drop them. And I don't know how interesting this is as a problem for a lot of people. I mean, Flash has been around for forever, but that said, what do we do when Flash goes away? What do you do with all those Homestar Runner videos? And it's not just videos, I should say. It's really the interactive content, the stuff you click on, because videos are not really the problem. It's the interactive stuff. And there are a lot of people who've attempted to solve this problem, basically making interactive videos from early 2000s workable. But since the Flash backend is closed, you can't really do much with it. So there really hasn't been a good solution and there's really no viable alternative right now. So that is actually a legitimate issue if there's stuff that you want to still use once Flash goes away.
Graham Cluley
So one thing that I've seen suggested is that the browser plugin of Flash is killed off. That's completely zapped because that's obviously the most common attack vector, but maybe there could be an open source desktop player instead. And so if you had something which you really wanted to run to check it out, you still could, but the exposure is greatly reduced.
Maria Varmazis
That does sound like a good solution to me.
Graham Cluley
It would be a program which you have running on your desktop and you load a file into it. You say, this is the Flash file which I want to run.
Maria Varmazis
Right. Yeah.
Graham Cluley
Something like that.
Maria Varmazis
Yeah, if you're an internet archivist and those people do exist and you really want to access that eBaum's World thing from, you know, the stick figure fighting game from 2002, you can. And you know, and that way we don't lose all that ephemera from the early 2000s, really.
Carole Theriault
And I also like the idea, I think I'm a little less cynical about open source and I think, yeah, sure. There's a few bad apples out there, but I think, you know, you don't know what'll come up and it could be amazing. They could actually make it much, much more secure and usable. Absolutely possible. That's the thing. It is a complete unknown. I mean, it really could happen and that would actually be kind of exciting. However, I mean, as I said, I kind of go back and forth on this one because I can see their point of view. I can save $30 grand by not updating my system and carry on using Flash and just change it to this new open source version.
Maria Varmazis
Correct. And that's not an outcome we want to see, at least those of us in the security world.
Graham Cluley
Okay guys, I'm gonna put you in the hot seat, right? Should we kill Flash or not? Thumbs up or thumbs down? Come on, are we gonna save it?
Maria Varmazis
I'm giving a thumbs up or thumbs down, but you can't see 'cause I'm over the microphone. No.
Carole Theriault
I think you're not giving us the option of kill it for everyday users, but throw it into the open source community to see what they can do with it.
Maria Varmazis
But is that actually— That's not killing it. It's not dead yet. Maybe getting better.
Graham Cluley
I like this open source desktop player thing, which will mean that people will still have to update their websites and fix their websites and stop being reliant on Flash. But the exposure is reduced in the browser, which is the primary attack vector.
Carole Theriault
Why wouldn't they just say to download it? They would just say, go download this tool.
Maria Varmazis
Are people going to do that? I mean, we're talking about reducing the attack surface, right? If we get rid of the Flash browser plugin that definitely needs to go.
Carole Theriault
Yes, that's ridiculously
Maria Varmazis
I don't think anyone's really fighting for that. I mean, maybe they are, but I certainly am not. That certainly won't mitigate the issue.
Carole Theriault
And does interactive ads— actually, this is a question I don't even know the answer to. Interactive ads in videos, right? So are they all Flash reliant as we know, right now? Because that was probably what's causing the big delay in them being wiped out.
Maria Varmazis
I imagine a lot of them are not. I mean, to me, the thing that has killed off Flash in a lot of websites right now is mobile. There's a lot of mobile devices no longer support Flash. So that has done a lot for killing Flash more than anything else. I doubt that those are Flash-based. I'm sure there are in some corners of the world, but I imagine many of them have moved to HTML5 or other options. I mean, do we still see the mortgage ads with the dancing person where you punch the number? I mean, that sounds like 10 years ago. But I mean, there are other problems with ads that we could probably do 50 shows on that alone.
Graham Cluley
All night long.
Carole Theriault
Yeah, yeah, yeah, yeah.
Graham Cluley
Right, enough chat. I've decided we're gonna kill it. Flash is gonna die. There you go. Someone had to make a decision.
Maria Varmazis
Okay, it rests in peace.
Carole Theriault
It's in room 101.
Graham Cluley
There's the answer. Pull the lever. Clunk, flash. Clunk, flash, actually.
Maria Varmazis
Bye, Flash.
Graham Cluley
Boom, boom. Oh dear. Carole, take us away from this madness. Give us a totally sane topic to chat about today.
Carole Theriault
Well, I'm going to talk about hacked billboards. So today, Wednesday, the day of recording, we've seen reports of a giant billboard in Wales' capital, Cardiff, on its main shopping street. It's been hacked. So the billboard seems to have been accessed by a hacker via remote control, and then they took control of the screen to display rather shocking images to the shoppers of Cardiff.
Graham Cluley
Right, yeah.
Carole Theriault
Okay, now this has only just happened. There's not a lot of info right now that's just come out at the time of recording, but a message posted by an anonymous user on the community site 4chan— okay, I'm putting little marks around community site 4chan.
Maria Varmazis
Paragon of internet citizenry.
Carole Theriault
Anyway, now this was posted late Monday evening, and it read, I live in Cardiff, Wales, UK. Earlier today I was walking to work and looked up at a giant 300-foot TV screen on the side of the building. That's what he says. 300 feet. I think—
Graham Cluley
I'm surprised they've got 30-inch TVs in Wales.
Maria Varmazis
Wait, that's where they filmed Doctor Who, right?
Graham Cluley
So it is. Yeah. 300 feet must be a mistake. I don't think we can rely upon this person, but anyway, carry on.
Carole Theriault
Yes, yes, yes, yes, yes.
Maria Varmazis
Okay, so a big—
Carole Theriault
Let's— we're going to replace that with big TV screen on the side of the building. I noticed that TeamViewer was running in the background and I took a photo of the username and password. I just tried remote controlling it and it worked! What should I use this for considering that it's probably unattended all night long?
Graham Cluley
All night long, Lionel Richie.
Carole Theriault
Yeah, that's his—
Maria Varmazis
That's what, yeah.
Carole Theriault
So there were many suggestions, some were as mildly funny as yours was and some were truly distasteful.
Graham Cluley
What a surprise.
Carole Theriault
They included swastikas and the sign saying, "Big Brother is watching you," and a warning, "This is a Sharia-controlled zone, no alcohol, no gambling, no porn," and a kind of peppy Donald Trump mashup thing.
Maria Varmazis
Any Rickroll suggestions?
Carole Theriault
Not that I saw.
Maria Varmazis
That's disappointing.
Carole Theriault
So, you know, we've seen this before. This is not the first time a billboard has been hacked. I think last May, Liverpool One shopping center has a screen, it got hacked, and it was hacked with a rather helpful message saying, "We suggest you improve your Smashing Security. Sincerely, your friendly neighborhood hackers."
Maria Varmazis
That's nice.
Carole Theriault
Yeah. In April, a giant LED screen in a busy Delhi metro station started streaming Pornhub clips. And in March, a Mexico City digital board located near one of the busy roads showed porn for a few minutes. And probably the worst one was the 2015 Atlanta billboard. Remember, it was in a really swanky neighborhood in Atlanta, and it displayed goatse.
Graham Cluley
Oh, God.
Carole Theriault
Well, any listener who doesn't know what I'm talking about, you are a very lucky human being. Do not go and research this.
Maria Varmazis
Don't Google.
Carole Theriault
Do not think this is a double bluff.
Graham Cluley
There won't be links in the show notes.
Carole Theriault
There will not be any links in the show notes.
Maria Varmazis
Very quick way to get blacklisted.
Carole Theriault
Actually, I don't think that is my favorite. My favorite, remember, it was like late 2000s and there was like zombies ahead. It was in Austin. It was construction signs in Austin.
Graham Cluley
Zombies ahead.
Carole Theriault
Movies ahead. And yeah, there was something. Yeah, I love that.
Maria Varmazis
Signs are very easy to hack. Yeah.
Graham Cluley
Yeah. There was another one saying Dalek invasion. I liked that one because obviously fantastic.
Carole Theriault
The reason I wanted to talk about this was to kind of crowbar in some security chatter about TeamViewer. Now TeamViewer, for those who don't know, is a tool that allows people to remotely access computers and desktops and allows for file sharing and all these things. And they're used to, in some cases, to display messages on, you know, people use them when they're doing presentations to share screens. But people also use them for these big digital screens. So TeamViewer, many of us in the industry would say, it's been designed to be easy to use, not necessarily very strongly secure. And there is a great article that I found from, and it was published last year, but it was published from How to Geek. And it has loads and loads of little tips on how you can make your TeamViewer instance much more secure. Now, a few big ones that we can share is make sure you exit TeamViewer when it's not in use. Don't just leave it hanging around, you know, turned on but silent. Use obviously strong passwords, and there is gonna be a link in the show notes for how to do that, right, Graham?
Graham Cluley
Sure thing.
Maria Varmazis
Dusting that one off.
Carole Theriault
Yeah, yeah, there'll be 800. Good luck finding any of the links. Turn on two-factor authentication for TeamViewer, and I was just talking to my other half, and he didn't even know that two-factor authentication existed for TeamViewer. That may be something that's less known.
Graham Cluley
Divorce him.
Maria Varmazis
Yes, that would be a good reason.
Carole Theriault
Strong measures.
Maria Varmazis
Why are you leaving him? Because—
Carole Theriault
And of course, make sure it's updated. You know, obviously, I think that's less— You know, I think most people would make sure of that now. But just as a little reminder, let's do that because we're going to be relying on digital screens much more. I mean, I think the end of the poster is near, right?
Maria Varmazis
Right. But so sort of devil's advocate on this one. Yeah. The folks setting up these giant screens, they don't give an F about any of this stuff generally, is my guess.
Carole Theriault
Well, until they get— until they have their big boss coming down them going, what the hell?
Maria Varmazis
Yeah, but aren't these the guys that usually are up there on the billboards, the old pasteboard guy? I don't know, I'm just thinking, you were mentioning the Austin sign hack. Yeah, I mean, do you know how to hack those? You literally just walk up to them and open the panel in the back with a flathead screwdriver, and there you go. That's how you get out.
Carole Theriault
That's the construction sign ones.
Graham Cluley
Yeah, yeah, that's for the road signs, but I think the advertising billboards are a little bit more complicated than that, aren't they? Or are they not?
Carole Theriault
Well, I don't think you can go up to them as much. Well, maybe you can.
Maria Varmazis
Maybe you can. Yeah, usually there's a ladder. I mean, is it really that hard? I don't know. I mean, so I'm just thinking, so exit TeamViewer fully when you're not using it. Maybe there should be a way for TeamViewer to self-time out on some sort of application like this.
Carole Theriault
Absolutely.
Maria Varmazis
Yeah, like assuming that the person's gonna know to do that. I don't know, that seems like a giant leap to me.
Carole Theriault
There's another one about making sure it doesn't start up when you basically boot up Windows either, right? So don't just have it auto-start along with Windows. So yeah, I mean, I'm not saying TeamViewer is responsible for all these things, but these remote access tools need to be properly configured in order to try and stem the flow of attacks like this because they seem to be growing. You know, it's quite fun for a young hacker to be able to hack something that's so, you know.
Graham Cluley
Yeah, and don't display your TeamViewer username and password on the billboard, right? Don't have that popping up on the screen.
Carole Theriault
That must happen because you're sharing your screen, right? And I was thinking about that, like, how do you—
Maria Varmazis
How does that happen?
Carole Theriault
Yeah, how do you turn that off and how do you manage that? They may not even be aware that that's happening.
Maria Varmazis
Well, it's like when you have a press conference and you have the Wi-Fi username and password behind the reporter kind of thing, like, come on.
Carole Theriault
Yeah, I don't know.
Maria Varmazis
That's just bad password hygiene, bad overall hygiene.
Graham Cluley
I suppose it is. Well, guys, I think it's time to find out who's sponsoring the show this week. Let's find out who the sponsor is.
Carole Theriault
Graham, who's our sponsor this week?
Graham Cluley
Our sponsor is Recorded Future. You know them, they're cool, they do all kinds of cool things.
Carole Theriault
Like?
Graham Cluley
They look on the web, they look on the dark web, they peruse the internet in its darkest corners, and they work out what are the new emerging threats and vulnerabilities from the world of hacking and cybersecurity. And then they bundle it all up, they wrap it up in a beautiful ribbon and send it to you in a free email.
Carole Theriault
If you want to be ahead of the game, I guess you get their free daily email.
Graham Cluley
Of course you do. But first of all, you've got to sign up for it, otherwise they won't know to send it to you. They're not that clever. Go to recordedfuture.com/intel. And thanks to Recorded Future for supporting the show. Smashing, and welcome back to the show. And in this segment, we are going to choose our picks of the week. Yes, our pick of the week could be a funny story, a book we've read, a TV show, movie, record, an app.
Carole Theriault
I think we should have a choice of pick of the week and tip of the week. I do think we should maybe pick tip.
Maria Varmazis
Pick the tip. Tip to pick.
Carole Theriault
Yeah, sometimes people can give good tips. Sometimes there's a good pick.
Graham Cluley
That's what she said. I have to say, Maria, I thought having a woman on the show would actually raise the tone a little bit. And I'm not sure that's happened.
Carole Theriault
Why would that happen?
Maria Varmazis
Who gave you that idea? Graham, you know me.
Graham Cluley
I thought we would get out of the locker room and it would just be a little bit classy.
Maria Varmazis
Listen, Trump's president, anything is possible now. You know, kidding. Anyway.
Carole Theriault
Pick of the week.
Graham Cluley
Pick of the week. Maria, could you say, "Pick of the week"? Ah, excellent.
Maria Varmazis
There you go.
Graham Cluley
Very keen.
Maria Varmazis
Yes.
Graham Cluley
So I've just got a quick one for you all. There is a podcast, it's ridiculously popular. I mean, it's—
Carole Theriault
Yeah, if you listen to podcasts, you've heard of this podcast, but you— Yeah, it's a good one.
Graham Cluley
It's Reply All from the guys at Gimlet Media, which is a great weekly podcast. I think they do it most weeks, and it's all about the weirdness of the internet and things like that. And their latest episode, which we'll link to in the show notes, is all about tech support scammers. Now, when I saw it was about tech support scammers, I thought, okay, they're going to do the usual thing where a scammer calls them up and they keep them on the phone for ages and it gets more and more ridiculous. But no, they've been rather more inventive than that. It's almost brilliant. It's a great episode.
Maria Varmazis
And so what do they do?
Graham Cluley
Well, I don't want to give too much away because it's rather beautiful, but basically they almost form a relationship with the scammer. You know, it's like they're calling up regularly for chats and—
Carole Theriault
But they also do a bit of journo-ness, right? So they go and do a bit of digging and they find out lots of information, which is quite interesting.
Graham Cluley
They find out more about this particular company which is doing the scams and the people who are working there. And it ends on something of a cliffhanger, which will make you want to tune in, I think, to the next episode, which hasn't been released at the time of recording, but I'm looking forward to it to find out what happens next. But I would recommend it.
Carole Theriault
Yeah, I agree. Total hat tip for that. I loved it as well.
Graham Cluley
Go and check out Reply All, and the episode is called Long Distance. And as I said, we will have a link in the show notes. Carole has an endless appetite for dark and sad, is what we're saying. Got a lot of those this week.
Carole Theriault
Yeah, it's the mot du jour.
Graham Cluley
So Maria, what's your pick of the week?
Carole Theriault
Pick of the week.
Maria Varmazis
My pick of the week is speaking of cliffhangers. It's a fascinating documentary I saw a few weeks ago while in the throes of newborn haze. It's the documentary called Tickled. Because I heard you guys talking about the Red Pill documentary a few weeks ago, and I'm just, Graham loved that one.
Graham Cluley
Loved it.
Maria Varmazis
Hard pass on that one for me. Just, just frankly, no thanks. I'm on Reddit too much. I know what that's about. No thanks, pass. But the documentary called Tickled, which is all about, quote, competitive endurance tickling, is, as the tagline says, not what you think. And Carole and Graham, you both have seen it, I believe, so you can back me up on this.
Graham Cluley
It's a great documentary. You recommended it to me, Carole.
Carole Theriault
Yeah, I watched it maybe a few months ago off Netflix, and I called Graham the next day in the morning saying, you must watch this, you must watch this, you must watch this. And I forced them to watch it that night just because I thought it was that good.
Maria Varmazis
Did you get Graham to watch it? No, just kidding. But that's the thing. You think it's a sex thing, and it is, but it's not. And that's not what this is. No, I just gave it away, but it's not crazy people. Some super crazy people. And it's kind of dark and sad, and there's really no conclusion to the main documentary, which is a little frustrating because you're, you're dark and sad maybe, but also I sort of, you know, curl up on a Friday night with a bowl of popcorn.
Carole Theriault
I think it's delicious, delicious TV.
Maria Varmazis
And popcorn.
Graham Cluley
And popcorn. Stuff in her face. Bit of darkness, bit of sadness, bit of popcorn.
Maria Varmazis
Delicious. Have you seen the follow-up documentary called The Tickle King?
Carole Theriault
No.
Maria Varmazis
Okay, so this is— you have to— I'm giving you walking orders. Go watch The Tickle King because that's the follow-up.
Carole Theriault
I love documentaries like that.
Maria Varmazis
Basically, when they started airing the Tickle documentary at film festivals, a lot of the guys in the documentary started showing up and real-life trolling these events. Yes. And it's all this drama and it's kind of— so yeah, if the Tickle documentary is not enough for you, which it's, you know, it might not be, you know, if as fascinating as it is, go watch The Tickle King afterwards. Back to back, it's awesome. Really fascinating. And yeah, great, great watch.
Graham Cluley
Sounds good, I'll check it out. Thank you very much.
Maria Varmazis
No problem. And it's not the red pill.
Graham Cluley
Girl, what's your pick of the week?
Carole Theriault
So mine, mine's a bit weird because I did this pick because of its weird factor. I mean, this is just too weird. So this is a Tokyo-based artistic design studio called We+.
Graham Cluley
So this is a shock dummy face or something?
Carole Theriault
No, no, okay, look, look, let me look. I want you guys to watch the video, okay? There's a little promo video, it's on Mashable. Just watch this and you'll see what I mean.
Maria Varmazis
Okay, all right, let's watch it.
Graham Cluley
Let's go click it.
Carole Theriault
Now do you see how do they—
Maria Varmazis
No, nope, I'm noping out of this. No, no thank you. That's enough internet for me today.
Carole Theriault
So let me explain to listeners. So basically, say for example it was 10 to 2, you would have to have your left eye kind of facing upwards and left and your right eye facing upwards and right. Right? And how do you do that? So they took— they have 3 different face clocks which you can choose from that are available. And then they did movies of the faces moving their eyes in, you know, around the clock face. And then they of course mirrored two together to try and get the difference.
Maria Varmazis
It's—
Carole Theriault
The thing was, okay, okay, and there's some, you know, blah blah about how this is important, about how time controls our lives, that I just thought was just snooze fest. No, it's just, you know, sometimes just come on. However, I have to say, I would like people to go look at it just to see if they actually can tell the time quickly. So I think there's, there's a game in here, right? Just stop the video and say what time is it?
Graham Cluley
I haven't seen— I cannot recognise this. I mean, you've explained to me how it works with the eyes moving. I can't read the times on any of these.
Maria Varmazis
It's just a human whose brain has been replaced with a goldfish and they're going pop, pop, pop. And it's just really disconcerting. And I don't want to tell time with that.
Graham Cluley
Who would want one of these?
Maria Varmazis
And their eyes are all bug-eyed and stuff. I'm not okay with it.
Carole Theriault
See, I have a number of cool clocks in my house that, Graham, you have a problem with because you feel that they're—
Graham Cluley
You have one particularly bad clock, which is absurd in every fashion and not very easy to— But actually, is it easier to tell the time from than this?
Carole Theriault
Yes, and I think better looking as well. I think I'd find it creepy. It's a bit like, you know those paintings in haunted houses where they follow you, the eyes follow you, Scooby-Doo style.
Maria Varmazis
You take the mask off and it's Mr. Weekends.
Carole Theriault
So go be weird. If any one of you want a top pick for being weirded out, go check out this little product and video on Mashable.
Maria Varmazis
That's my top clock that you have. Then you can't just use that.
Carole Theriault
Okay, so my clock is where the hand doesn't move, the hand stays steady, and there's a cog that turns around the hand, and the cog has the face on it. So the 1, 2, 3, 4, 5, and it kind of chugs along on a cog and it turns. And as it goes, you can tell what time it is.
Maria Varmazis
Does it have a cog?
Graham Cluley
I hope you're following this at home, folks.
Maria Varmazis
I heard cog 4 times.
Graham Cluley
This mental picture that's being drawn up. Carole, is it possible you've got a link we could put in the show notes?
Carole Theriault
Yes, let's add them to the show notes.
Graham Cluley
Or just take a photograph and chuck it up on the internet somewhere and people can see that.
Maria Varmazis
Put it on the tweeter link.
Graham Cluley
I think that just about wraps it up. It's been quite a show. We've had a few interruptions. Hopefully they didn't crop up in the edit too much. We had a power cut at one point. That was very exciting. But we've made it to the end. Thank you so much, Maria, for joining us.
Maria Varmazis
Oh, my pleasure. Thanks for having me.
Graham Cluley
It's been wonderful.
Carole Theriault
You were great.
Graham Cluley
She's been super, hasn't she?
Carole Theriault
Yep.
Graham Cluley
Thank you at home for tuning in. And if you like the show, or if you've got some—
Carole Theriault
Carole, you were great too.
Graham Cluley
Yeah, yeah.
Carole Theriault
If you—
Graham Cluley
No, I was great.
Maria Varmazis
Do you want to say I was great?
Graham Cluley
Because you're not. Right. Well, on that note.
Maria Varmazis
Just kidding. We love you a little, maybe.
Graham Cluley
If you've got any comments to make on the show, go somewhere like iTunes, where you can leave us some feedback. Just remember to click the 5-star button while you're doing it. Whether it's good feedback or negative feedback, we don't care. Just 5 stars, 5 stars. Go to www.smashingsecurity.com and you can follow us on Twitter @smashingsecurity, no G on Twitter.
Carole Theriault
And thanks as always for listening.
Graham Cluley
Yeah. Until next time.
Maria Varmazis
Toodaloo.
Graham Cluley
Bye-bye.
Carole Theriault
Bye.
Maria Varmazis
Okay, bye.
Graham Cluley
Thanks for making us laugh, Maria.
Maria Varmazis
Oh, no problem.
Carole Theriault
Yeah, because I'm not funny.
Graham Cluley
Yeah.
Maria Varmazis
Oh, that was so much fun!
Graham Cluley
Oh wow, fun!
Maria Varmazis
Oh gosh, I just dropped something on the floor.
Carole Theriault
Graham's not very funny.
EPISODE DESCRIPTION:
A security threat researcher is badly hacked in a revenge attack. Some people want to save Adobe Flash, but is that wise? And a poorly-secured electronic billboard starts displaying offensive images...
All this and more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.