
120: Silk Road with Deliveroo


Online drug dealers get busted due to poor OPSEC! People are still failing to wipe their USB sticks properly! A potential presidential candidate is outed as a former hacker! Flat Earthers! Pi! Empathy!

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Paul Ducklin.

Follow the show on Twitter at @SmashinSecurity, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Paul Ducklin.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



GRAHAM CLULEY. If they're really keen to convince Telegrass's admins that they're legitimate dealers, they actually will even upload video footage of themselves next to huge amounts of weed.


CAROLE THERIAULT. Can we just make pot legal? I mean, wouldn't that just be the easier way and basically save people's privacy?


UNKNOWN. Smashing Security, Episode 120.


PAUL DUCKLIN. Silk Road with Deliveroo with Carole Theriault and Graham Cluley.


GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security episode 120. My name is Graham Cluley.


CAROLE THERIAULT. You're 120?


GRAHAM CLULEY. No, I'm episode 120.


CAROLE THERIAULT. I'm Carole Theriault. Just kidding.


GRAHAM CLULEY. And we are joined this week by a returning guest. It's Paul Ducklin from Sophos. Hello, Duck.


CAROLE THERIAULT. How are you?


PAUL DUCKLIN. I am super duper. Thank you.


CAROLE THERIAULT. Yay for coming back on the show.


PAUL DUCKLIN. Yeah, I noticed that you've already deviated from the script that I added to your script.


GRAHAM CLULEY. I didn't really understand what you'd written here. What? We're joined by returning guest Paul Ducklin from Sophos, whom we have once again forced against his will to join the Smashing Security sheep run.


PAUL DUCKLIN. Meh, meh, meh.


GRAHAM CLULEY. By installing and using a browser created by the world's biggest peddler of online ads and tracker of keystrokes in the whole universe, the Googleplex. How do you feel about that, Duck?


PAUL DUCKLIN. Oh, I'm all right. I've got— I'll remove Chrome as soon as I've done.


GRAHAM CLULEY. So Carole, what have we got coming up on the show this week?


CAROLE THERIAULT. Well, we have a good one this week. Graham, you are going to talk to us about Telegrass. Ducky's going to talk to us about what we do when we sell our old devices and what we should be doing. And Carole is going to be talking about an old hacker group. All this and more coming up on Smashing Security. Right, guys.


GRAHAM CLULEY. I want you to imagine you're on your smartphone and a message like this appears. It says, hey, dear friends, in light of the heavy demand for Patrick Lemon Haze, deliveries to the Tel Aviv area, 5 grams, just 500 shekels.


CAROLE THERIAULT. Okay, delete.


GRAHAM CLULEY. Would you know what I'm talking about?


CAROLE THERIAULT. No.


PAUL DUCKLIN. I'd go, what accent were you trying to do? Was that like New York Jewish? Is that supposed to be Tel Aviv? Are you some kind of laid-back San Francisco 1960s hippie? I'd say you're kind of probably a bit wasted there, Graham.


GRAHAM CLULEY. I am a bit wasted because I want to talk to you about something called Telegrass. Telegrass is a community that operates through Telegram, the encrypted messaging app, and it was set up by a guy called Amos Dov Silver and is estimated to have more than 150,000 members from countries around the world. And what is it? Well, it describes itself as being like Uber, but for weed.


CAROLE THERIAULT. Oh, isn't Telegram like a kind of messaging service, like a secure messaging service?


GRAHAM CLULEY. Yeah, that's Telegram, but this is Telegrass, a community which operates on Telegram.


CAROLE THERIAULT. But not owned by Telegram.


GRAHAM CLULEY. Well, I imagine not, otherwise they're going to be in a little bit of trouble. Now, Telegrass is somewhat innovative, right? It allows users to do a search of dealers by name and find reviews of their operations, just like Yelp if you're checking out restaurant reviews. And this has resulted actually in people who are dealing in pot and other drugs, improving their service and product quality in order to compete with others, because everyone wants to get a 5-star review.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. On Telegram, they even have a help wanted channel. So if you need help in all different manners, maybe you need to hire a Python programmer, for instance, you go on to Telegram and you're pretty sure to be able to find one. You put up a little ad.


PAUL DUCKLIN. Is that to control the lights and the heating in your grow house?


GRAHAM CLULEY. In your hydroponics unit?


PAUL DUCKLIN. Yeah, maybe.


GRAHAM CLULEY. Now, Telegrass is run like a proper normal organization. So there are people with titles like chief financial officer, vice president for infrastructure, vice president of operations, and even a spokesperson. So it's running in a way like a dot-com startup.


CAROLE THERIAULT. Pot is legal in many states now, certainly in the US.


PAUL DUCKLIN. Yeah.


GRAHAM CLULEY. And in other countries, maybe not. And certainly dealing it in many countries is something which could get you a hefty prison sentence, as it can in Israel, where many of Telegrass's users are. But it's not all fun and games. There's bad stuff which happens on Telegrass as well. Sometimes people steal or they don't pay up. And some dealers have even sexually harassed their potential clients, telling them that they can pay in a different way if they don't have the shekels on them. And there's even a sexual harassment officer at Telegrass who's trying to impose standards upon the dealers so that they don't suggest that people have a bit of nookie rather than paying up.


CAROLE THERIAULT. Wouldn't you rather have a title like anti-sexual harassment officer?


PAUL DUCKLIN. Yes.


CAROLE THERIAULT. I mean, really, it's a bit of an odd title, really.


PAUL DUCKLIN. Yeah. If you have a complaint against this company, we'll set the sexual harassment officer on you. With a truncheon.


GRAHAM CLULEY. Yeah. Well, on Telegrass, the sexual harassment officer, her name on the app at least, is Iron Flower.


CAROLE THERIAULT. Ooh, strong lady.


GRAHAM CLULEY. She can throw people off. Sometimes it's just for a week for behaving inappropriately, or she can even request that victims are given 7 grams in compensation for any trouble that has been caused. So, you know, they've thought this through. You know, it's not just an amateur operation, this.


CAROLE THERIAULT. So basically, people are going on there trying to buy pot, and then there's a bunch of dealers out there going, hey, buy my pot. This is how much it costs. This is the strain, whatever, whatever.


GRAHAM CLULEY. And they're looking up the reviews and then they turn up on your doorstep and they give you whatever it is that you want.


CAROLE THERIAULT. Right. Okay.


PAUL DUCKLIN. So this is sort of like Silk Road, but in person, not using— but with Deliveroo or—


GRAHAM CLULEY. Yeah, exactly. Yes.


CAROLE THERIAULT. Silk Road with Deliveroo. There's our title.


GRAHAM CLULEY. Now, obviously, they don't want undercover cops coming onto the system, right? So any would-be dealers are required to go through a verification process to be authorised on Telegram.


CAROLE THERIAULT. Oh, so Telegram don't want to have undercover cops there.


GRAHAM CLULEY. No, no, they don't, because that's going to upset the customers, right?


CAROLE THERIAULT. That doesn't seem very legal, but yeah, it's true.


GRAHAM CLULEY. So one of the checks that they do is if you want to be a dealer, you have to upload your photo ID to the administrators, who will do a background check. They look on your Facebook account, they see if you have likes from like 5 years ago. They want to make sure that you've got a history rather than being a new account and make sure that everything's kosher.


CAROLE THERIAULT. Oh, damn, Graham. There's no way we're getting on.


GRAHAM CLULEY. No, we wouldn't be able to join, would we? Suspicious by our lack of Facebook presence.


CAROLE THERIAULT. Exactly.


GRAHAM CLULEY. But if they're really keen to convince Telegrass's admins that they're legitimate dealers, they actually will even upload video footage of themselves next to huge amounts of weed.


PAUL DUCKLIN. So you're like, here's me strolling through my plantation, kind of thing.


CAROLE THERIAULT. Yeah, yeah. That's what cult leaders often demand of their followers. Give me something that holds you for ransom should you ever step out of line. Okay, so people are obviously uploading this thinking it's a great idea.


PAUL DUCKLIN. On the other hand, maybe it's just know your customer.


GRAHAM CLULEY. Yeah. And meanwhile, of course, the dealers themselves, they're paranoid. They don't want to sell to an undercover cop. So when a potential client contacts them via private message on Telegram, the dealer verifies the client usually by saying, "Can you send us a selfie?", "Can you send us a photo of your identity card?" or "Can you send us a photo of your salary slip?" And that's another way in which they verify, okay, this is a—


CAROLE THERIAULT. My God!


GRAHAM CLULEY. Yeah, this is what's going on, Carole. They don't want to be caught.


CAROLE THERIAULT. Can we just make pot legal? I mean, wouldn't that just be the easier way and basically save people's privacy? Honestly. Okay, carry on.


GRAHAM CLULEY. All of this, of course, means that the administrators of Telegrass and the dealers have collected an awful lot of personal information (Yeah, no shit.) of the users. Pretty good shit, actually.


CAROLE THERIAULT. And dealers.


GRAHAM CLULEY. Some of whom. Yeah, and the dealers as well. That's right. So what could possibly go wrong with this?


CAROLE THERIAULT. Nothing. I think everything went perfectly. There's no story here.


GRAHAM CLULEY. Well, what could go wrong is that the group's entire database of dealers could be leaked onto the internet.


CAROLE THERIAULT. No, really? That can happen?


GRAHAM CLULEY. And what could go wrong is an undercover agent could have infiltrated the group for 9 months collecting information. I guess he was feeling fed laid back 9 months. It's just like, oh yeah, I've got to do a bit more investigating here.


CAROLE THERIAULT. How many more fish can I nab?


GRAHAM CLULEY. Last week, police arrested 42 people in Israel, the United States, Ukraine and Germany on suspicions that they were running this online drug distribution network. Amongst those arrested was Amos Dov Silver, Telegrass's founder. He was in Ukraine, allegedly having business discussions with local criminal gangs. And Telegrass, meanwhile, is suspected of selling tons and tons of drugs over the years, worth hundreds of millions of shekels.


CAROLE THERIAULT. It sounds to me like they're pulling that whole Facebook thing, like, hey, look, we're not dealing drugs, we're just inventing a kind of highway that people are using in the way they want to use. It's not our fault that they're doing it from countries where pot's not legal.


GRAHAM CLULEY. Well, they have very much a philosophy that everyone in the world should have access to pot. They should be able to get it, and it should be as easy as possible regardless of local laws. That's their view. That's very much the philosophy of the guy who set this up. And so he's tried to make it as simple as possible to do that. Now, what kind of defense they're going to around this, I don't know. Certainly in Israel and in some other countries, it's likely that they're going to have the book thrown at them. Amos Dov Silver, the founder, he is apparently now cooperating with the police. I think he's realized that may be in his best interest.


CAROLE THERIAULT. And where was he when he got arrested?


GRAHAM CLULEY. He was arrested in Ukraine. Now, he hasn't been back to Israel for years. He's dual citizenship. He's both American and Israeli, but he's been sort of nomadically travelling around the United States for a few years, doing interviews, talking about his basically Uber-for-weed operation. But he wanted to do it from the States because he found it a bit more free and easy over there.


CAROLE THERIAULT. And as soon as he goes to Ukraine, and that's where they nab him.


PAUL DUCKLIN. I imagine even in places where it's lawful, like some states in the US, not federally, and Canada, Uruguay, places like that, you can't just set up a website and sell it. Because there are taxes to be paid and there's registration to be done and there's all sorts of— it's quite complicated to comply.


CAROLE THERIAULT. He has a CFO, he must know how to do all that. I'm sure it's not just a title.


GRAHAM CLULEY. But just consider, it's a shame they didn't have a Chief Privacy Officer really, isn't it? Just consider that they went to the effort of thinking, we're going to base this on Telegram, we're thinking encrypted messaging, we're going to keep our communications secure. But at the same time, they were collecting video footage, photo IDs.


PAUL DUCKLIN. I wonder how they were doing that. Were they saying, oh, just email it to us?


CAROLE THERIAULT. Yeah, yeah.


PAUL DUCKLIN. And copying it to a USB drive that they kept in a cupboard somewhere.


GRAHAM CLULEY. I think that the transmission was via telegram, but then of course it may well have been saved in places or on cloud servers. Yeah, exactly. They may have copied it to their local drives as well.


PAUL DUCKLIN. Well, there's no point in not keeping it, is there? If you're going to collect it, you're doing it so you can identify the person. Right. And therefore anyone else can. If you're going to, get the message and then throw it away, what's the point of collecting it?


GRAHAM CLULEY. Oh, it'd be such a nuisance if I had to keep on videoing myself past my marijuana plantation, wouldn't it?


CAROLE THERIAULT. You gotta drive out there, walk around with your, you know, running through your fields of pot.


PAUL DUCKLIN. I think you just set up a webcam and open it up and then say, look, just find me on Shodan. So all sorts of trouble for those people, I guess, because everyone's going to be quaking in their boots now.


GRAHAM CLULEY. Yeah. Yeah. Well, whether you are a good guy or a bad guy, remember, encryption does not necessarily mean that you're going to have complete operational security. You're not necessarily going to keep all your information private. You don't know what else will happen with it. And it's just extraordinary that these people who are obviously involved in criminal activity were sharing so much data, and now it's come to bite them on the bum, hasn't it?


PAUL DUCKLIN. Well, it's the whole Snapchat thing all over again, isn't it?


CAROLE THERIAULT. Yeah.


PAUL DUCKLIN. Hey, we encrypt end-to-end, and people think, oh, end-to-end, that means from the very, very, very beginning to the very last moment, forgetting that actually they mean the other end of the network link, and then the picture appears on your phone. And if someone takes a picture of the picture with another telephone, how are you going to control that? That. So you're sending this to somebody so they can verify you. Obviously they have to have that unencrypted saved somewhere so they can look at it. And that's, you know, so I think maybe people, when they hear about these messaging systems that use the term end-to-end, it kind of sounds like it's universal, complete, eternal, everything encrypted, forgetting about the fact that you had to see it at your end and the other guy sees it at the other end. What do you not understand about that bit about seeing it?


GRAHAM CLULEY. Yeah. And from Telegrass's point of view, of course, maybe a lot of people now will lose confidence in Telegrass and be nervous that their information may soon fall into the hands of the authorities, which means that if you are after 5 grams of Patrick Lemon Haze or whatever the hot substance is in Tel Aviv right now, you're going to have to look elsewhere, aren't you? I wonder if there'll be other criminals operating similar networks and taking advantage of the internet and technology to make this as smooth an operation as apparently Telegrass was until it came undone?


CAROLE THERIAULT. I'm just thinking, I mean, the guy was there for 9 months stalking this group, right? So I'm sure things, you know, came to light during that time. But I imagine many people would have loaded up, loaded up, like, maybe not their passport numbers, you know what I mean? You'd want to obfuscate your character and you'd have an online character that may be different from your real physical character. I'm going to be amazed if people actually went forward with all their you know, proprietary information.


PAUL DUCKLIN. Well, I feel sorry for the people whose IDs have already been ripped off in a previous data breach that was now uploaded here. Exactly. So that, you know, who knows what people are in the database? Because you imagine it's not going to be people who are buying weed online. Although if it's delivered to your house, it's all LinkedIn.


GRAHAM CLULEY. This is all LinkedIn data that's been uploaded to Telegram. So all the photographs of people in their suits with their ties done up really tightly.


CAROLE THERIAULT. What sparked your interest in this story?


GRAHAM CLULEY. So are you deliberately putting these terms in that sparked?


PAUL DUCKLIN. Yes.


CAROLE THERIAULT. You're welcome.


GRAHAM CLULEY. Duck, what's your story for us this week?


PAUL DUCKLIN. Well, my story is based on something we wrote on Naked Security with the imaginative title, You Left What on That USB Drive? Now, this comes about, it was a survey done by the University of Hertfordshire that bought up a whole load of USB keys from kind of what you might call public sources. So they went to eBay, people are selling off old stuff. And they just bought up devices, which is very much like a project I was involved in when I was working at Sophos in Australia. This is now about 8 years ago. We went to the New South Wales Railway Company's lost property auction and bought up a bunch of USB keys, and we were interested to see what was on there. And as you can imagine, the answer is quite a lot that you shouldn't have let out.


CAROLE THERIAULT. Oh, it's not funny, man. I think everyone has a bunch of these USBs lying around with personal stuff.


PAUL DUCKLIN. Well, you know what, Carole? There was someone who commented on our site saying, you know, it kind of seems a pity that what everyone's saying is when you're done with a USB key, just, you know, put it in a vice and do it up and crush it to bits and just let the dust drop to the floor and be done with it. And that's obviously a great way to deal with it. No one's going to get the data off, you don't have to worry about it. Who wants a 256-megabyte USB stick anyway? And this lady Samantha said, you know, it kind of seems very wasteful and very un-green, which was the angle that I took all those years ago when people were saying, we can't believe that New South Wales State Rail, as it was then that they, that they're selling the stuff off. This is a violation of people's privacy, you're saying. So they should waste this stuff, like, because people can't be bothered to look after their own data properly. And eventually, you know, with the, the Privacy Commissioner in New South Wales decided it is actually too hard, it's too expensive, it takes too long to wipe a USB key, and who knows if it even worked correctly because of the way writing to USB devices, SSD devices, storage works, that they're not valuable enough, that it would cost us too much to sell them. I'm really Sorry, we're going to— they're basically going to get shredded and turned into dust and distributed back to the universe. And it does seem kind of wasteful. I love old USB keys because when I want to wipe them out after every time I've used them, the smaller they are, the faster they wipe. And I don't normally need to fill them up. But we're in this sad thing that it's almost like making these devices kind of disposable and wasteful and un-green and un-environmentally friendly. Sadly, that's the right thing to do from a privacy point of view, because it's the one way you don't have to worry about what you might have left on them, whether you thought it was encrypted or not.


CAROLE THERIAULT. So let's just imagine there's someone listening right now who's got a handful of USBs in his hand going, oh God, I don't even know how to wipe these. What steps would you— where would you tell them to go?


PAUL DUCKLIN. Well, Graham and I have had discussions about this in the past. What I'm about to say now is not relevant to USB keys. So he is allowed to laugh. But the first thing you should do is— you see how times change, Graham? First thing to do is go out and buy yourself a Mac.


CAROLE THERIAULT. Mac.


PAUL DUCKLIN. Hallelujah. It's been years, Carole. It's been years. I ran Linux on my work computer for very many years until I got a Mac. And then after 5 minutes, I thought, what have I been doing all this time? Now, the reason I'm saying this—


GRAHAM CLULEY. Sounds like a rather expensive way of wiping a USB drive.


PAUL DUCKLIN. What I mean is, if you have a Mac, it's kind of easy. Easy, right?


GRAHAM CLULEY. Okay, it's easy with a Mac.


PAUL DUCKLIN. All right, well, if you have a Mac, the command you want is diskutil secureErase 0 disk, and that's a way that you can basically write zeros over an entire device. It's quite slow, but you can leave it running in the background and then it will offer you the chance to reinitialize it and whatnot if you want to. Or if you're just going to put it back in your own drawer in case you need it later— I, once I've finished using one for a temporary purpose, I'll wipe it, I'll wait for that to happen, then I figure if I do lose it or someone steals it or I need to hand it to somebody else, yeah, I'm handing them something that I'm pretty certain is blank and I don't have to worry about it. And the other thing, the other reason I'm suggesting a Mac— you can do this, it's easy enough on Linux or the BSDs, you can do it on Windows although you might have to upgrade to Windows 10 Pro— but at least on a Mac when you put in a blank USB device it will come up and say do you want to format it and prepare it for use, and when you do it'll say do you want to encrypt it. And you can actually format it using the Apple filing system, the new Apple filing system. You can format it so that it's encrypted from the start. Put in a passphrase, you get a recovery key which you can print out and lock away if you really want to. And that means that then if you do lose it, somebody who hasn't got the key, to them it's just— the data is just so much shredded cabbage.


GRAHAM CLULEY. But hang on, a lot of people use USB sticks in order to give a file like a presentation or a Word document to someone else, right?


PAUL DUCKLIN. Yes.


GRAHAM CLULEY. It's like when I go and give a talk, people say, oh, can we load your presentation onto our computer?


PAUL DUCKLIN. It's like, okay, here's the USB stick.


CAROLE THERIAULT. They all have that voice, those people paying you money. They do.


GRAHAM CLULEY. Nothing wrong with that voice. Anyway, and so you give that to them. If it's encrypted, Duck, how are they going to access it?


PAUL DUCKLIN. I'm talking about that's for storage, storing your stuff. What I do is, and I actually keep some old USB sticks that have a low capacity. As I said, they wipe fast. And I keep a blank one lying around in the little bag I carry around with my stuff. And if I get somewhere I need to share data with somebody and I can't do it via some electronic means like AirDrop or something from Mac to a phone or whatever, then I basically will take out one of the USB keys that I know I've got blank. I'll plug it in, my Mac will say this key is unusable on this computer, do you want to prepare it for use? And then I will format it, and I'll format it unencrypted. I'll put that one file on it, I'll hand it to them, let them use it, and when they give it back, I'll go through the wiping process again. Because 8 years ago when we did this experiment with the New South Wales State Rail, all doxing USB keys, two-thirds of them had malware on them, and not one of them had any encrypted files. So nobody had bothered to encrypt them. So when I get the key back from somebody else, if they've had malware on their computer— I know that happened to you once, didn't it, Graham, at an RSA conference? Yes, you handed them the key, they plugged it in, or you— they gave you the key, you plugged it into your computer, your Mac, and bloop, Windows virus. Thanks very much, um, for you. Yeah, so what— you wonder how many other presenters— I was speaking at an event last week and I got an email saying, thank you, you're one of 700 speakers. So if they were passing a USB key around, there was a lot that could have gone wrong. I use my own computer, so that didn't come about. But generally, when I get the key back from somebody, I'll then put it in and immediately wipe it, won't use any of the files off it, and then just put it back in my bag blank. That way, if someone does run off with it, or someone says, hey, can I borrow a USB stick, I'll just give them that one. 
It's— if it's old, relatively low capacity, to be honest, I gave it to them if they never give it back to me, I'm not going to burst into tears. So I just— that's what I do with my old USB keys. I keep them around as kind of semi-expendables.


GRAHAM CLULEY. You must be pretty flush, Duck. You must be making a lot of cash over there at Sophos.


PAUL DUCKLIN. I've got several dollars a month. I'll tell you the way I make money, Graham, is that when I do presentations, I don't, you know, use a funny voice when I'm talking about the people who've very kindly invited me to present. I found that pays for several USB keys a decade. Just saying.


CAROLE THERIAULT. Just FYI, Graham.


GRAHAM CLULEY. Carole, what have you got for us this week?


CAROLE THERIAULT. You guys have been around in the cyber biz for a long time, right? Like way, way longer than me.


PAUL DUCKLIN. Did you just use cyber as a noun?


CAROLE THERIAULT. Yeah. Yeah, actually no, it was an adjective. I appreciate the cyber biz.


PAUL DUCKLIN. Yeah, okay, just check. That's okay.


CAROLE THERIAULT. So welcome to the old school quiz game. Are you guys ready?


GRAHAM CLULEY. Oh, okay.


CAROLE THERIAULT. Question number 1: What does 31337 stand for?


PAUL DUCKLIN. It's the Back Orifice port. 31337.


CAROLE THERIAULT. It has an acronym that it stands for, doesn't it?


PAUL DUCKLIN. Eleet, man.


CAROLE THERIAULT. Eleet. And, uh, when was it invented? Do you have any idea on timing?


GRAHAM CLULEY. 2000 and— no, earlier than that. 2001, I'm going to say. '98.


PAUL DUCKLIN. It'd be around the time that we started getting "teh" and "pr0n" for porn.


CAROLE THERIAULT. It's actually earlier than that. It's in the '80s, apparently. And who invented it? Any ideas?


PAUL DUCKLIN. Was it that guy who hacked Prince Philip? Tell me it was.


GRAHAM CLULEY. Oh, Chiffrim.


CAROLE THERIAULT. Yeah, Cult of the Dead Cow. I thought you guys would get that one.


PAUL DUCKLIN. In the '80s? I didn't know they were that— they've been going that long. I thought they were more of a late '90s, early '00s.


CAROLE THERIAULT. Very interesting you say that, because I think that's when they, you know, we started paying attention to them, as in our industry, right? So Cult of the Dead Cow formed in 1984. This is the year Frankie went to Hollywood and told the world to relax. Cyndi Lauper told them that girls just wanted to have fun, and Wham!'s George Michael just wanted to be woken up before he go-go'd.


PAUL DUCKLIN. Wasn't there a book about that, about 1983? Yeah, there was.


CAROLE THERIAULT. I don't know if many people have heard of it. Uh, now in the late '80s, this Cult of the Dead Cow, also known as CDC, basically organized and maintained a loose collective of affiliated bulletin board systems, or BBSs, across the US and Canada. And these bulletin boards are kind of like a geeky Reddit or Facebook of its day, an online discussion forum that allowed people to connect electronically Exactly. Did you guys use BBSs?


GRAHAM CLULEY. Absolutely. Of course you did.


CAROLE THERIAULT. Of course you guys did.


PAUL DUCKLIN. I want to hear Graham make a modem noise.


CAROLE THERIAULT. Did you do anything naughty on it ever?


GRAHAM CLULEY. Of course not. I once got acoustically coupled with Gwyneth Paltrow. Acoustically coupled? But other than that, no, she got consciously uncoupled, didn't she, from Chris Martin. anyway, no, I didn't do anything naughty. I did used to log into bulletin boards and things like that back in.


PAUL DUCKLIN. Acoustic couplers are a thing. So instead of connecting directly to the modem, you actually. Yes, the modem actually played the noises and your phone listened to the noise and played it down the line.


GRAHAM CLULEY. And this was the thing, of course, because if you were living in a house which only had one phone line, if you were on the Internet, other people would pick up the phone to ring Auntie Marge and they'd just be hearing. They say, get off the phone, you know.


CAROLE THERIAULT. The CDC, or the Cult of the Dead Cow, also published an underground ezine in the late '80s. They also claim to have invented the term hacktivism, which is, you know, describing human rights-driven security work, or security quote unquote. So this is all in the '80s now, and this is all going to become very relevant in a second. Now, from the '90s onwards, the CDC started releasing tools, right, both for hackers and system administrators and for the general public.


GRAHAM CLULEY. Now, were these— were the CDC bad guys, or were they just people just playing around with computers.


CAROLE THERIAULT. Well, I think we would have seen them as bad guys. So these guys are the guys behind Back Orifice, which we certainly saw as malware.


GRAHAM CLULEY. Yes, that was a tool for remotely accessing computers, wasn't it? Which could be used for naughty purposes.


CAROLE THERIAULT. And it was probably being adopted by malware authors, yeah.


PAUL DUCKLIN. The features in it were clearly there because it was like, ha ha ha, look at how smarty pants we are. Like it had a button where you could remotely eject the CD drive or you could swap the mouse buttons around. Like, why would you need to do that? But it was this attempt to create tools that were, you know, I suppose like, like a firearm or something. It's kind of— it's just technology and it's kind of morally neutral on its own, and it's what you use it for. To be honest, I always found the Cult of the Dead Cow— always, one of the guys is called Sir Dystic, wasn't he? Yes, he's the guy who did Back Orifice. I always found it rather childish rather than criminal. It was just like guys who had maybe needed to grow up a bit.


CAROLE THERIAULT. Well, it's very interesting you say that because one of them has, hasn't he? Just last week on Friday, Reuters issued a rather explosive article saying that popular Texas Democrat and 2020 presidential candidate Beto O'Rourke was once a member of the CDC.


PAUL DUCKLIN. Cool name. Yeah, I love it. I'd vote for him on that name alone.


CAROLE THERIAULT. Well, let's see after I tell you a few things, if you would, because it'd be really, really interesting. Now, this is not someone, um, dobbing him in. He's kind of coming clean about his membership of the CDC way back then. Now, a few things he reportedly admitted to doing whilst in the CDC, or Cult of the Dead Cow— CDC sounds like some, uh, Center of Disease Control.


GRAHAM CLULEY. Yes, Center of Disease Control.


CAROLE THERIAULT. Yeah. So he avoided big phone bills because of course he was doing mobile dial-up, right? So he admits to stealing internet at the— And savvy teens, like you guys were talking about, like savvy teens learn techniques to get around the modem, you know, charges, right? Such as phone company credit card numbers, getting those and having the 5-digit calling codes to place free calls. Because it cost a bomb, didn't it? Like, you know, these calls would get to hundreds of dollars at the end. Did you guys, you're old fogies, did you guys get any horrendous modem bills?


GRAHAM CLULEY. Oh yeah, it used to get huge. It used to cost a huge amount here in the UK to get on the internet. But I remember, I think in the United States, there were reports that people could get local dial-up access very, very cheap, or even maybe free on some plans. That certainly didn't happen here in the UK. You paid through the nose to get on the internet.


CAROLE THERIAULT. Yeah, because we did have local calls that were free. But so you'd have to guess if you were in a big city, it would probably work well for you. But if you're in the country, it wouldn't. Yeah. Right.


PAUL DUCKLIN. Or if you wanted to connect to somebody's bulletin board interstate. Ah. So, you know, the bulletin board operators would try and exchange stuff. And in many cases, they just mail copy disks to one another with like collections of software on, and then the other guy would upload it to avoid the toll charges. But if you decided, if you were sitting in the UK and you decided, I want to dial up this US bulletin board because that's where all the cool stuff is and it hasn't got over the pond yet, then you had little choice but to dial up at, what would you get, 300 bits per second at international rates. Yeah, it could add up pretty quickly.


CAROLE THERIAULT. Yeah. Beto, you know, admitted to stealing modem connections, you know, basically, you know, ripping off the phone companies. Um, and he also admits to scouring the BBSs for pirated games so he could play them for free, he and his friends in the group. Now, he quit the Cult of the Dead Cow at age 18. This was the year he enrolled into Columbia University, 1991. And as you alluded to, Duck, the '80s seemed really to be more about e-zines. And yeah, yeah, Beto was quoted in the Reuters article as saying, "There's just this profound value in being able to be a part of the system and look at it critically and have fun while you're doing it. I think the Cult of the Dead Cow is a great example of that," unquote. Now, it's an interesting thing to say, don't you think, for someone who's, you know, who's a presidential candidate? It's like he's trying to appeal to, like, Mr. Robot lovers out there. Or does he just want all of his skeletons out of the closet?


GRAHAM CLULEY. He wouldn't be the first presidential candidate linked potentially to hacking, however. Maybe this is something— Yeah, actually, maybe he's got better credentials than maybe someone else who's been accused of it.


PAUL DUCKLIN. What I was surprised to hear is that he seems to think that this is a great education into understanding modern computer systems and cybersecurity. That's what worries me, is that I think he's— it sounds like he's got this idea that it's all like it was in the 1980s with modems going— Graham did a— so I think he'd say, yeah, we've moved on and I've moved on and I think I've got bigger things to worry about now. That's what I'd want to hear him say.


CAROLE THERIAULT. Very— you're absolutely right, because his attitude seemed to have changed slightly following the Twitter storm that ensued upon Reuters, you know, publishing this article. He said, it was something I was part of as a teenager, referring to the Cult of the Dead Cow, not anything I am proud of today. So that's exactly what you want to hear. He was just a bit late at saying that.


GRAHAM CLULEY. And I heard there's also been some fallout against the newspaper because they're saying, well, why did the journalists keep this quiet until after the election, back in November?


CAROLE THERIAULT. Well, yes, because this is all an excerpt from an upcoming book called Cult of the Dead Cow. So I was thinking exactly the same thing. This journalist has been working on this for some time and hasn't brought it up until now. Now, the book is scheduled to be published in June. He's made a lot of cash. And you're right, it's a bit interesting that he's waited and whether that was the ethical thing to do.


GRAHAM CLULEY. Well, my understanding is that Joseph Menn, who's the journalist, he wasn't able to get anyone to confirm on the record as to whether Beto was the guy who used to be in the Cult of the Dead Cow until the election had already passed. Well, good for them, I think. You know, so no one was prepared to talk. And so he kind of did a deal and said, look, after the election, will you let me interview you about it?


PAUL DUCKLIN. It's a little bit like when someone finds a bug and then they kind of hold on to it for the highest bidder and you think, I wish you hadn't done that, but I kind of can't, given that bugs now have a value and you're allowed to sell them on the open or the private market, I can't really blame you for it. You know, if the journo went too early, then he'd burn his book. But now maybe he figured, oh golly, like if someone scoops me to this news before my book comes out in June, I'll undermine myself. So I have to pick the right time. I guess he's allowed to do that, isn't he?


CAROLE THERIAULT. What's like Roger Stone, right? He's putting out a book now, and he's gonna, you know, he's facing prison time, which is really, you know, it's crazy the whole way people are using books.


GRAHAM CLULEY. Is this really the worst thing in the world though, that he used to be in the Cult of the Dead Cow? Is this something really for people to get upset about? Because it seems to me the typical politician would have done much worse things during their teenage years, like get dressed up in a KKK outfit or blackface themselves up, or who knows what.


CAROLE THERIAULT. He's not running for president.


GRAHAM CLULEY. Well, whatever it is, you know, those are sort of things which people often will get outraged about. It sounds like this is a group which didn't really do that much. And yes, so he may know more about computing than the typical politician, which may be no bad thing.


CAROLE THERIAULT. Yeah, exactly. Understanding technology is one of those things that you do want policymakers and politicians to understand better. I certainly do. So I don't think Beto O'Rourke is like the new Julian Assange either, right? Can you imagine him running for president?


PAUL DUCKLIN. I mean, he— Oh well, he's welcome, uh, he's welcome to travel to the United States to register his interest.


CAROLE THERIAULT. Um, yeah, but we were, we eagerly await—


PAUL DUCKLIN. My understanding is that he was born in the Commonwealth of Australia and therefore he is ineligible to be President of the United States of America. Yes, by constitutional affirmation or something. Just like Schwarzenegger. Yeah, exactly the same. Australia. They're easily mixed up.


GRAHAM CLULEY. If you're baffled by threat intelligence and how it might be able to help secure your company, the Threat Intelligence Handbook from Recorded Future is the book for you. It'll tell you what threat intelligence is and what it isn't, and you'll learn how other firms are applying threat intelligence inside their organizations. Grab it now for free at smashingsecurity.com/intelligence. And welcome back. Come join us at our favorite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week.


PAUL DUCKLIN. Do I have to do that as well? Say it in that funny voice. How many times?


CAROLE THERIAULT. Any voice you like. Pick of the Week.


GRAHAM CLULEY. Beautiful. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.


PAUL DUCKLIN. It should not be.


GRAHAM CLULEY. Now, my Pick of the Week this week is a documentary, which you can watch in a number of places. I watched it on Netflix and it is a documentary called Behind the Curve. And this documentary is about people who believe that the Earth, which we're all living on, is flat. Not all of us.


PAUL DUCKLIN. Some of us—


GRAHAM CLULEY. What, not all of us on the show?


PAUL DUCKLIN. How do you know you don't have listeners on the International Space Station? Be nice. Hmm.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Anyway, get in touch if you are.


GRAHAM CLULEY. So this is a documentary which takes us behind the scenes of the apparently growing flat Earth community. The internet has put these people in touch with each other, and they are preparing during the course of the documentary for their first ever Flat Earth International Conference.


CAROLE THERIAULT. Okay, can you explain to me how someone can be a flat earther? Do they literally believe this, or is this some kind of metaphysical concept? No, they really believe it.


GRAHAM CLULEY. They believe—


CAROLE THERIAULT. they think there's an edge.


GRAHAM CLULEY. They believe that there is an edge and that basically there's a great big dome surrounding the edge, so that the circumference is basically Antarctica. So there's a great big wall of ice where you can't get past any further, and then there's this sort of hemispherical dome above us, and so things like the sun and the moon are— and the stars are sort of projected onto the dome. For what reason, we know not.


PAUL DUCKLIN. Do they have a single, uh, what do they call it, cosmological view? I mean, does the Earth have to be flat like a disc and round with Antarctica at their edge, or could it just be maybe like a kind of flattish, bulgy pancake that's a bit thicker in the middle and you kind of— like, there is an underside which is, say, where Australia is, and, you know, you— so there isn't— it doesn't have to be an edge, does there? But it could be quite flat.


GRAHAM CLULEY. In the documentary, there's no sort of underneath, as it were. There's no sort of— I mean, Australia is there, but obviously the map of the world is slightly different than what we may be familiar with.


PAUL DUCKLIN. So you could fall off thermally?


GRAHAM CLULEY. Well, no, because you're inside the dome. Think of The Truman Show. That's, that's basically the principle.


PAUL DUCKLIN. I'm pretty sure in The Truman Show, in the end, he opens a little hatch and goes outside.


GRAHAM CLULEY. He does, and they would love to do that as well.


PAUL DUCKLIN. And then what happens? You go up or down?


GRAHAM CLULEY. Well, some people believe that the world is then repeated, and so rather like parallel universe, you know, all these different universes, you enter another ice zone which ultimately becomes another flat world. But it will surprise you to hear that there are counter theories and there are schisms inside the flat Earth community, and some of them do not like the other flat earthers. Now, one of the stars of this documentary is a woman who runs a YouTube channel. Her name is Patricia Steere, and she has been accused by some of the other flat earthers of being a CIA operative who is giving what they believe not to be the true flat earth message.


PAUL DUCKLIN. Now, she's put a slight bend in the message.


GRAHAM CLULEY. One of the accusations against her by these people is that they can tell she's a CIA operative who is steering people in a particular way because her surname is Steer and the last 3 letters of her name, Patricia, are CIA. So these are— Oh, so clever. So clever. It's genius, isn't it? It was there all along. That's a complete genius. Now, it's easy when you watch the trailer to think this is just a documentary taking the mickey out of these people and their beliefs. And the trailer doesn't really give an accurate view. There is some comedy in it, in the documentary, and you do chuckle at some of these things.


CAROLE THERIAULT. You've bought in, haven't you?


GRAHAM CLULEY. No, no, no, I haven't. But you sound very sympathetic. What I liked about the documentary is it does make something of a compelling case for empathy and dialogue with people who hold vastly different views from yourself. And rather than ridiculing these people, it does discuss the importance of actually communicating with them.


PAUL DUCKLIN. I just suppose you could be— you could— I mean, maybe you don't think it's completely flat. Maybe it sort of bends off at the edges. Maybe it's more like a very, very, very long rugby ball or something. I don't know. But I suppose that you could think that the Earth is flat and still travel around it and, you know, contribute decently. And you could still think that it's a bad idea to pollute the Earth and waste its resources, be cruel to people and shoot animals for no reason, all that stuff. So, you know, maybe it's not all bad.


CAROLE THERIAULT. They think all the images from space are faked?


PAUL DUCKLIN. Well, it always shows a circle.


GRAHAM CLULEY. That's all faked. That's all faked. You can't trust that. They didn't go up there. And apparently the claim is that in the '50s, the Americans were putting up lots of sort of nuclear weapons into the atmosphere trying to burst through the dome, and they didn't succeed. And yeah, all of that apparently— It's faked. They do some scientific tests to try and prove that it is flat during the course of the documentary, and they fail. But the justification which they give for it, because they won't accept that their scientific tests are failing, and they say, well, we have to do more tests because something must have gone wrong, because they're so, so tied.


PAUL DUCKLIN. Who's funding all this? I suppose they are.


CAROLE THERIAULT. That would be an interesting question.


GRAHAM CLULEY. Well, but anyway, the reason why Behind the Curve is my pick of the week is because I think it sends us an important message about how we can communicate with people who have different points of view. After all, the world is becoming more polarised, isn't it?


CAROLE THERIAULT. What has happened to you? This is the first— this is the first week you've ever talked about empathy in your life. You are probably the person who has the least amount of empathy of anyone in my circle of friends. Do you not agree with that? So you've had a revelation. This is an epiphany moment for you.


GRAHAM CLULEY. Okay, good. Charming, charming. Duck, what's your pick of the week?


PAUL DUCKLIN. Well, I want to keep it a little bit scientific last and have a bit of a laugh. Last Friday— Oh yes. It was, was. I've been looking forward to that. Did I hear you mention the word empathy earlier? Does empathy mean when you take, when you take the piss out of somebody, as long as you giggle a little bit, that makes it okay?


CAROLE THERIAULT. Yes, we're on a funny show. That's what we do.


PAUL DUCKLIN. Oh, you're taking his side?


CAROLE THERIAULT. No, I'm taking your side. I'm on your side, Duck. Tell me about Google.


PAUL DUCKLIN. Okay. What's the— Oh, well, yeah, Google do come into this. Last Friday was 3/14 in American notation because they got this weird way of doing dates where they go month, day, year, so that it's completely illogical and it suits very badly. Yeah, 3— it's a bad way of doing it, but I can live with it.


GRAHAM CLULEY. In the UK, it should really be the 22nd of July, shouldn't it? 22/7.


PAUL DUCKLIN. Well, or the 355th of the 113th month. You can— so it's a bit of a joke that 3.14 is Pi Day, 3.14 being approximately pi. And so there's a chance for a lot of fun coming out in that. As Graham said, well, what if it was 22/7, because 22 over 7 is kind of approximately pi. Unfortunately, some people think it is pi, and of course that's a problem. You can never— it's one of those things where no matter how hard you can try, you can never get there. But a Googler apparently used Google's cloud to compute pi to the most decimal digits ever, and they delayed their announcement and their verification until Pi Day, and they computed 10 times pi times 1 trillion digits. Wow. So 31 trillion, 400 billion digits of pi, for no reason other than they could.


GRAHAM CLULEY. Could you read out those digits for us, Duck? These trillion numbers, just to—


PAUL DUCKLIN. 3.141715. Actually, I did, I did write a little, a little article on Naked Security which I entitled Serious Security. It's an occasional series I do where we try and get people to see some, you know, take something that's apparently quite lighthearted but see the serious side in it. The message that you can take out of this is that the thing with pi is no matter how hard you try, you'll never actually compute it, because it's what's called an irrational number. It never— you can't create a fraction that uniquely determines it, and you don't need to, because you can perform mathematical operations by just calling it pi and working with it. And so if you are a computer programmer, be very, very careful about taking things which are inherently approximations, like floating-point numbers that represent a value, and then presenting them to the world as though they were exact results, because therein lies inaccuracy and crazy answers. All right. It's a very good point. Very serious.


CAROLE THERIAULT. Nothing wrong with being serious. We learned something. A very empathetic response, Graham.


PAUL DUCKLIN. Yeah, I noticed that. You know what you guys can do with your empathy?


GRAHAM CLULEY. Carole, what's your pick of the week?


CAROLE THERIAULT. So I like to draw. Well, I like to doodle really, right? And I have no formal training at drawing or doodling. And someone recently asked me to draw a box, like a cube thing, and I did, and it was horrific. So I scoured the web and I found this— about 10 seconds— this website called drawabox.com. And Drawabox provides some great free tutorials on the basics of drawing. I found this guy's approach to videos and tutorials really refreshing. There's no real ad or sales pitch, you know, basically you never see him, you just see the paper and you see the lessons. And after following a few lessons, I can draw a pretty darn good box. One of the exercises now that I'm facing is trying to draw 250 boxes. That's a lot of boxes. I've done about 50. I'm not sure I'll ever finish, but it doesn't matter because now I can draw a pretty darn good box.


GRAHAM CLULEY. And these aren't all cubes?


CAROLE THERIAULT. No, no, they're not perfect cubes. So you can do them with 1, 2, or 3 perspectives. See, these are things I now understand how to do, and it's kind of cool. It's just a good way, you know, there's people that go out there and they buy these little coloring books, meditative coloring books. Don't do that. Just go to Drawabox and learn an actual skill. You can draw in already, she says empathetically.


PAUL DUCKLIN. Can you— can I ask you, can you draw a sphere? Yes, I—


CAROLE THERIAULT. well, I've been— I've been working on hatching recently. Oh, I love a bit of hatching.


PAUL DUCKLIN. So, can— let me ask you a question. So you draw a sphere, and there it is, nice sphere. It's— it's round, it's a globe, right?


CAROLE THERIAULT. I know where you're going because I know you so well.


PAUL DUCKLIN. Answer me this. Is it flat or is it not?


CAROLE THERIAULT. It is not flat if I do bright shading. If I do bad shading, it looks like a scribble.


PAUL DUCKLIN. But when you cut it out with a pair of scissors, is it actually— right, turn into a ball?


CAROLE THERIAULT. You're right, I've changed sides.


PAUL DUCKLIN. And does it have ice all around it? You might have to leave it in the freezer for a while for that.


GRAHAM CLULEY. Well, that— thank you. Also, that's drawabox.com.


CAROLE THERIAULT. It's a good way to learn a new skill.


GRAHAM CLULEY. A great pick of the week there. Well, that just about wraps it up for this week, Duck. I'm sure lots of listeners would love to hear more, more of pi to various digits. So how should people follow you online? What's the best way to do that? The best way is Twitter @duckblog. Fantastic. And you can follow us on Twitter @SmashinSecurity, no G. Twitter won't allow us to have a G. And you can continue the discussion with us about the show on Reddit. Quickest way to find us up there is to go to smashingsecurity.com/reddit.


CAROLE THERIAULT. And high fives to this week's Smashing Security sponsor, Recorded Future. Its support helps us give you this show for free. And fist bumps to all of you, our wonderful listeners. If you like what you hear and you want to help us grow, leave us a review. It really, really helps.


GRAHAM CLULEY. Until next week. Cheerio. Bye-bye. Toodaloo.


PAUL DUCKLIN. You guys swapped roles. Aha.


CAROLE THERIAULT. Sometimes we do. Crazy. Okay. What do you know pi to?


PAUL DUCKLIN. Me? I don't know that many. Come on. I could do 3.1415926535. 5, 8. It's pretty good. Isn't it?


GRAHAM CLULEY. 3.1415972, or have I read that off my calculator?
