138: Logic bombs, brain data exploitation, and Digga D tweets

July 24, 2019
Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley

It's a perfectly normal English expression. BJ could come here with all his American expressions like burglarize and gotten and things like that if he wants to. Or how do you say aluminium in America?

Bj Mendelson

Aluminum.

Graham Cluley

Aluminum. Exactly. Which is, you know, I'm not going to make fun of those. And so similarly, I don't think you should make fun of me saying come a cropper.

Carole Theriault

Get off your old fucking high horse.

Unknown

Smashing Security, episode 138, Logic Bombs, Brain Data Exploitation, and Digga D Tweets with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 138. My name is Graham Cluley.

Carole Theriault

I'm Carole Theriault.

Graham Cluley

Hello, Carole. How's it going for you today?

Carole Theriault

I am sitting on your floor in your back room with my laptop on your piano bench, and it's very warm back here.

Graham Cluley

Yeah.

Bj Mendelson

Yeah.

Graham Cluley

We should explain, normally we don't record in the same location. We use the wonder of the internet.

Carole Theriault

As far as we can from each other normally.

Graham Cluley

Yes, exactly. And on this particular occasion, your internet has been dug up in your road or something just before.

Carole Theriault

We don't know. All we know is that the current internet to our road is not working. We didn't see anyone digging anything up. They're denying everything. It is happening to neighbours as well. So there was a little bit of an oddy bodgy to get over here quickly.

Graham Cluley

Well, we are very lucky that we were still able to connect with our special guest today, which is BJ Mendelson. Hello, BJ.

Carole Theriault

Hello.

Bj Mendelson

Thank you guys for having me back.

Carole Theriault

Wonderful to have you back. How have you been? How hot is it in New York?

Bj Mendelson

Oh, God.

Carole Theriault

Yeah, exactly.

Bj Mendelson

It was bad enough for me to sit with the blinds closed and the air conditioning on all day on Saturday.

Carole Theriault

Nude?

Bj Mendelson

Well, I'll let the podcast viewers use their imagination on that one.

Graham Cluley

That would surely make it hotter, Carole, if he was nude. That's very true. Boom, boom. Carole, what have we got coming up on the show this week?

Carole Theriault

Big shout out to this week's sponsors, LastPass. Their support helps us give you this show for free. Now on today's show, Graham's dropping a logic bomb. That's the first time. BJ will be looking to commoditize brain data. Weird. And I will be looking at how the London Met deals with infiltrators. All this and heaps more coming up on this episode of Smashing Security.

Graham Cluley

Now, chaps, we're only human, aren't we? Well, we're all making mistakes.

Carole Theriault

I know I'm human. I know BJ's human.

Bj Mendelson

Yeah, try not to be.

Graham Cluley

And programmers, they're human too, aren't they? Well, mostly, you know, and that's why it's practically impossible for any moderately sophisticated piece of software over about 20 lines of code to be completely and utterly bug-free. And I say, thank heavens for that. Thank heavens for bugs.

Carole Theriault

20 lines of code?

Graham Cluley

Well, you know, any sort of long piece of code normally has some kind of bug in it.

Carole Theriault

Is that long for you?

Graham Cluley

Okay. 20 is quite long for me. And I say, thank goodness. Thank goodness for that. Because otherwise there'd be a lot less work for us programmers to do. And we would spend all our time watching reruns of Buffy the Vampire Slayer, or I don't know, documenting our code or whatever it is, growing neckbeards, whatever it is.

Carole Theriault

Are you geeking out?

Graham Cluley

That, you know, it's actually been a long time since I've written any code.

Carole Theriault

I know, I was surprised when you said us developers.

Graham Cluley

Well, you know.

Carole Theriault

That was a bit like I'm part of the club. I'm not sure they still have you.

Graham Cluley

I think it's a bit like being a chess grandmaster or a serial killer.

Carole Theriault

Are you any of those?

Graham Cluley

Even if you stopped, you still get classified as one.

Bj Mendelson

It's true.

Graham Cluley

For the rest of your life. It's not something you can just shake off. And similarly, you can't shake off the stench of being a programmer. And I have introduced bugs into my code in my time. I've written games which have had logical bugs in them. For instance, there was a game I wrote once where there was meant to be a time machine and you had to go through all this palaver in order to unlock it from a crate. And if you sat in the time machine, you got taken back in time, obviously. But the bug in the code meant that if you sat in any other chair anywhere else in the game, that also sent you back in time. So I fixed that.

Carole Theriault

But you digress.

Graham Cluley

Yes, we digress. Now, most programmers, they try to stamp out the bugs in their code, don't they? But occasionally there's a programmer who not only fails to remove the bugs in the code, but actually deliberately introduces them.

Carole Theriault

Bit weird.

Graham Cluley

And I'm gonna tell you the story of a chap called David Tinley. He's an IT guy, 62 years old, who lives in a city near Pittsburgh, Pennsylvania. In fact, you might want to go to his website. His website is called tinleyconsulting.com. It doesn't use HTTPS, and it looks like it was created in about 1998, but it has some nice testimonials on it from satisfied customers. In fact, the first testimonial you see when you visit the webpage is from no less than that multinational Siemens.

Carole Theriault

Right.

Graham Cluley

And they say, Tinley Consultants always provided highest quality computer consultancy, great computer programming services. We depend, they say, on Tinley Consulting and therefore David Tinley for many of our mission-critical applications. And you think, well, that's wonderful.

Carole Theriault

You do?

Graham Cluley

Yes. How wonderful is that for Mr. Tinley? And quite a prestigious customer to have to boot. And you'd probably like to keep hold of it, wouldn't you, if you had a customer like that, if you're running a little IT consultancy? Well, you can contact David if you want him to work for you. He lists his email address. It's a Hotmail address. Don't—

Carole Theriault

You're kidding me. This isn't the real Siemens.

Graham Cluley

No, no, no. No, no, I understand that. But his client is the real Siemens. He really is Siemens with an S that he is working for.

Bj Mendelson

And how is that spelled again?

Graham Cluley

This isn't the Siemens website. So, S-I-E-M-E-N-S, not to be confused with anything else.

Bj Mendelson

Okay. I was very confused.

Graham Cluley

So now he's been helping companies, including Siemens, for well over 10 years. He's been working as a contractor for them at their offices in Monroeville. And one of his duties was to create Excel spreadsheets that could help staff manage orders. And so the users of his little programs, his code written into the spreadsheets, would input figures based on the customer specifications or whatever it is they're ordering. And the spreadsheet would, you know, do some calculations and spit out and automate some of the work and produce cost estimates for the project, right? And it was a very valuable tool for Siemens to use.

Carole Theriault

Okay. I don't know where you're going with this.

Graham Cluley

So in 2011, new management popped up at Siemens and they began to supervise David Tinley's work. And they wanted him to cut his hours. And they said, look, not only do we want you to cut your hours, but do you think you could provide the passwords for these spreadsheets which you've done? Because we can't currently access the code. And he said, no, no, no. He said, I can't give you the passwords because there is proprietary code which I've developed with other people, which does not belong to Siemens, which is running in the background of these spreadsheets.

Carole Theriault

Okay.

Graham Cluley

The managers said, well, you know, we don't really like the idea of that.

Carole Theriault

Yeah. What kind of programs, pray tell?

Graham Cluley

But they said, well, can you remove that code? Because we like to own all of our own code. And it was around about this time when he was beginning to headbutt up with the— It was around about this.

Carole Theriault

To butt heads.

Graham Cluley

Exactly. He was butting his heads with the chaps from Siemens and things stopped running quite so smoothly. And once again, a spreadsheet crashed. But David Tinley had gone off, right? He'd gone off on holiday to Florida. Imagine that, how gorgeous that must be. Although it was Florida, I don't know.

Carole Theriault

Speak for yourself.

Bj Mendelson

He went there.

Carole Theriault

It's hot right now.

Graham Cluley

Sorry for any listeners. Yeah, exactly. So he couldn't rush back to the office, right, to fix it. So Siemens said, well, we really need the spreadsheet to work. We've got this important, huge order. And they managed to convince Tinley and he reluctantly agreed to give them the password to access the spreadsheet code over the telephone.

Carole Theriault

Right. Okay. So now they can actually finally access the code that he's been writing for them.

Graham Cluley

And actually, that's quite a good thing, right? Because you don't really want the only person to know the password to be, well, one person. Because if they get run over by a bus or eaten by an alligator in Florida or choke on a hot dog while trying to enter the world record or whatever it is, you don't want to be reliant on one person. Something like that, you need the password stored securely and should a disaster happen, you'd be able to recover it, right?

Carole Theriault

Well, yes, but there are many consultants out there in the developer world that want to keep proprietary ownership of their code, right? So they're happy to provide services to their clients, but the code is their code so that they can reuse it and have access to it. And they don't want to just hand it out to everybody.

Graham Cluley

Maybe, but then you do need some sort of mechanism as to how you're going to handle it. If you either come a cropper or you are on holiday far away, or you can't log in to take—

Carole Theriault

What's a cropper?

Graham Cluley

Come a cropper. Come a cropper means if you have an accident and you die. You never heard of come a cropper?

Carole Theriault

No.

Graham Cluley

It's like kicking the bucket.

Carole Theriault

BJ? I've heard of kicking the bucket.

Bj Mendelson

My brain kind of locked up. I had never heard that before. And I did that thing where you just start running through everything anyone has ever said to you.

Carole Theriault

So you mean like a dead crop?

Graham Cluley

No, it's just—

Carole Theriault

It's like being razed to the ground.

Graham Cluley

It's a perfectly normal expression. It's a perfectly normal English expression. BJ could come here with all his American expressions like burglarize and gotten and things like that if he wants to. Or how do you say aluminium in America?

Carole Theriault

Aluminum.

Graham Cluley

Aluminum. Exactly. Which is, you know, I'm not going to make fun of those. And so similarly, I don't think you should make fun of me saying come a cropper.

Carole Theriault

Get off your old fucking high horse.

Graham Cluley

Anyway, so good. They've now got the password. No worries, right? Because now Siemens got the password, they're able to make the fix themselves. But what they found— and this is the interesting bit— what they found inside the spreadsheet was a logic bomb. Planted by Tinley to deliberately crash the spreadsheet software.

Carole Theriault

If someone had accessed it.

Graham Cluley

What happened was, if you were running the spreadsheet, which of course Siemens were commonly in the habit of doing, then it would look at the current date, and if the current date was later than a particular date, it would cause bizarre crashes and make you think there was a problem with the spreadsheet. And so you would have to ring up the contractor, and in fact there's only one contractor who can fix the spreadsheet, which was indeed the very chap who planted that code in the first place. And every time he was brought in to fix the problem, he simply changed the date in the code and then it worked again.

Carole Theriault

So did he do this as a failsafe, do you think?

Graham Cluley

I think he did it so that he would keep on getting work from Siemens. And he also knew that, you know, maybe his prospects there weren't quite as positive as they had been in the past. And he thought, well, they might get rid of me at some point.

Carole Theriault

And if they get rid of me, I'm gonna blow everything up so they can't actually see the spreadsheet.

Graham Cluley

It certainly made him more indispensable, didn't it? It's bizarre that a company like Siemens was running so much of its operations from an Excel spreadsheet in the first place. But—

Bj Mendelson

I have to say, this is the world's worst supervillain origin story.

Graham Cluley

Tinley is scheduled to be sentenced in November for the harm which he caused and the damage. He's facing up to 10 years in a federal prison and a fine of up to a quarter of a million dollars.

Bj Mendelson

Can we talk about his website for a second?

Graham Cluley

Yes, please do. His website's extraordinary, isn't it?

Bj Mendelson

My favorite part, as you've pointed out, it looks like something that came out in the '90s. But my favorite part is he must have been self-aware of that at some point, because at the very bottom it says copyright 2004.

Carole Theriault

I just saw that too. And all rights reserved. So he's 15 years out of date.

Graham Cluley

In case you're planning to rip off this website design?

Carole Theriault

Do you know what though? That could happen to me easily because you tinker with your website a lot. I just have one because I need to have one and I rarely go there and update it. Sure. Go ahead, do that for my site. Done, done.

Graham Cluley

You want me to log into your site? Give me the password.

Carole Theriault

It's true, it's awful, right?

Bj Mendelson

Boom, boom.

Graham Cluley

So logic bombs can be planted inside people's code, and they're typically planted by folks who have legitimate access to your company's code. So it could be someone in your IT team, could be a contractor, and they're hard to detect because antivirus software won't detect code like this. And what you need in place to detect logic bombs are things like change control procedures and code review by other people to make sure there's not malicious code there.

Carole Theriault

Things that, to be fair, Siemens should have already had in place.

Graham Cluley

They should have had it, but they're very dull, Carole. Change control procedures. If you're a programmer, it's just anathema to you to have other people looking at your code or slowing you down when you just want to get it working. Just want to write the thing and push it out there.

Carole Theriault

Sorry, you want to be a big maverick, but if you're in a hive, you got to play your worker bee role, right?

Graham Cluley

This might be why I'm not a programmer anymore.

Carole Theriault

Yeah, or working for a big company.

Bj Mendelson

Yeah.

Graham Cluley

BJ, what story have you got for us this week?

Bj Mendelson

Okay, so I want to say real quick, originally I spent all weekend getting ready to talk about the fines that have been levied against Facebook and Equifax and how they've basically been paltry sums in terms of the grand scheme of things. But then Rosalind Wyatt, PhD, over on LinkedIn sent me this great post over from Oxford University and they were talking about how the data that's being gathered from neural networks and different devices that are connected to your brain, there's absolutely no protection on what happens to that data.

There's nothing in GDPR that specifically says, you know, if from a Neuralink device or from an fMRI or some other brain-computer interface, there is nothing that protects you. And so if you read the blog post, and I think you guys will link to it in show notes, there is some tremendous amount of shade being thrown by the University of Oxford. And I just wanted to share a couple of excerpts from it because I couldn't stop laughing.

Carole Theriault

Okay, okay, okay.

Bj Mendelson

So let me first read the important piece, right, from the article. This is the last funny part, but I think this is important for people who don't know what I'm talking about. And it says, currently marketed companies such as Emotiv and Neurosky are not yet widespread, which might be owing to a lack of apps or issues with each use, or perhaps just the lack of perceived need. However, various tech companies have announced their entrance to the field and have invested significant sums. Kernel, a 3-year-old multimillion-dollar company based in LA, wants to, quote, hack the human brain, which sounds super creepy in its own right.

Graham Cluley

So you just write a little bit of code which just displays the current year for your copyright message. That's what every geek does. Oh, it sounds absolutely fine. I don't have a problem with an LA-based company.

Carole Theriault

Okay, I'll volunteer you, no problem.

Graham Cluley

Hacking human brains, that sounds comfortable with me. Yes, fine.

Bj Mendelson

Yeah, especially in LA where they're hacking the brain with other substances. So I don't know if this is necessary. But they continue, more recently they are joined by Facebook who wants to develop a means of controlling devices directly with data derived from the brain to be developed— and this is their wording— by their not at all sinister sounding Building 8 group.

Carole Theriault

Okay, so they want to develop a means of controlling devices directly using your brain waves.

Bj Mendelson

So there was a story, it's at least a decade old now, of a monkey that had a brain implant, and the monkey was able to control a robotic arm.

Carole Theriault

I remember. See, yeah, that's deep in the recesses of my memory.

Bj Mendelson

So this is our robot arm. This is our training that we go through with our monkeys as they go through and try to learn how to use this robot. So they're using brain signals, so signals from their motor cortex, that we pull out of wires into our system, and our computers then decode what it is that the monkey's intending to do. The monkeys have brain control over this robotic arm to move it forward and grab a piece of fruit as it's presented and then bring it back to their mouth to feed themselves. And so that's basically the same tech, but it's now being applied to people.

Carole Theriault

So, okay, that sounds really creepy. But I'm also thinking there must be some amazing advances that might be able to be done with this kind of technology for people that have brain conditions or diseases, right?

Graham Cluley

People who are disabled or something like that.

Bj Mendelson

I mean, that's the way it is, sort of similar to the conundrum with big data, right? In terms of there are sensors everywhere now, and the downside to that is facial recognition is ubiquitous, but we have all of this data on the ocean. In terms of the temperature and we're able to project when exactly we think it's gonna rise and cause a problem. So there's that counterpoint of big data actually being really useful.

Carole Theriault

Yeah.

Bj Mendelson

In terms of battling climate change. And so I sort of, I agree that, you know, it's one of those things where if you can't walk, this could be amazing if we can figure out, especially robotics. 'Cause the big problem with robotics is there's that last mile issue of we could design it, we think we can make it work, but it doesn't quite work in reality. With self-driving cars, we still need millions more hours of the cars on the road before they've got it perfected. That's sort of the same thing with robots where I know I forgot what book it was, but they were talking about there are robots that can fold your towels, but it takes an entire day to fold one towel. As opposed to if you have someone working remotely, in the Philippines, piloting the robot, they could fold the towels twice as fast. And so this is sort of that same deal of we had technology, but we're not quite there yet. So we think this data can get us to the point where if you can't walk, then perhaps these devices can help.

Graham Cluley

Can I just make sure that I understand exactly what kind of data you're talking about here? So this isn't the collection via technology of people's thoughts or their memories or anything like that, or even maybe specifically instructions, but recording and somehow analyzing brain activity. Is that what's going on?

Bj Mendelson

Yeah.

Graham Cluley

And by looking at that brain activity through the wonder of AI and so forth, we might begin to be able to look at other activity coming from people's brains and determine what people might be trying to instruct something to do. Is that what's at stake here?

Bj Mendelson

Yeah. And this is where the shade comes in from the University of Oxford. This is their wording: We can easily imagine some dystopian idea where a company, let's call them Schmoogle, creates a game and measures how its players react to stimuli. This could supply direct measurement of brain activity relative to known stimuli as the players react navigating their virtual worlds. In so doing, the players furnish a brain signal database. A social media company too, let's call them Schmacebook, using the same kind of approach might want to see how we react to every post much more directly than via thumbs up and thumbs down.

Carole Theriault

Yeah, they want to get rid of our conscious filters, right? They want to just have a direct link to the deep brain activity. Will they ever stop? God!

Graham Cluley

Because I guess the advantage to Shmashbook and Shmoogle is if they were able to tell what you wanted to click on without you having to click on it, or whether you liked a post or didn't like a post without actually having to make that physical interaction. So they were able to just tell from your brain chemicals and go, oh yes, he likes this, or she likes that. They begin to learn an awful lot more about you, and it becomes much more difficult to prevent them from grabbing it.

Bj Mendelson

So the one thing I wanted to add was, and they closed by saying, you know, brain data recorded by the wizard hat or other means could give neuropsychological insights to the posts we see from Granny, CNN, or some political party. So I mean, this has applications to a lot of different things beyond, you know, we talked about the positive example of walking, but this could also play into the hands of something like Cambridge Analytica or our friends in Russia who might want to influence elections using this data.

Graham Cluley

The good thing is there are no evil technological companies who would try and somehow misuse this kind of data. They would all act responsibly.

Carole Theriault

Yeah, they wouldn't have faced loads of fines just in this past week for their very perfect behavior.

Bj Mendelson

Right.

Graham Cluley

And I think we can trust the government as well to put barriers in place and set limits. And so this kind of thing will be very tightly policed going forward into the future. So good news all round, I think, for the human brain.

Carole Theriault

I don't know what you're smoking.

Graham Cluley

Carole, what's your story for us this week?

Carole Theriault

Well, you're very lucky to have a story considering my dramas of today.

Graham Cluley

Am I?

Carole Theriault

I've had internet failure and all that, but no, I've pulled it together because I'm incredible.

Graham Cluley

What do you want, a round of applause?

Carole Theriault

Sure.

Graham Cluley

Nice one.

Carole Theriault

Okay, so cast your minds back to last Friday night, okay? July 19th, it's around 11 PM. An old Doctor Who featuring David Tennant glows in the background, and you are slumped on the couch stifling a big yawn as you scan your Twitter feed for anything interesting. And suddenly you see written in caps across your screen, "Fuck the police, free the gang." Go, interesting, interesting. What is going on?

Graham Cluley

Who's being rude about the police?

Carole Theriault

Exactly. So you look at the Twitter handle and it clearly states UK Met Police, the official Twitter handle for the UK's Metropolitan Police of London.

Bj Mendelson

Yes.

Carole Theriault

There are more weird tweets coming off this account. Things like, who you gonna call, the police? We are the police.

Graham Cluley

I think the answer is Ghostbusters normally. Yes, but they've got that wrong. But anyway, yes.

Carole Theriault

These things are a bit odd, and everyone's kind of taking screenshots of it, as you would be if you'd happen to notice this on Friday night, right? And you would probably say something pompous like, now, now, chaps, what's going on here, right?

Graham Cluley

I beg your pardon, what? Why would— pompous?

Carole Theriault

That's how you talk, right?

Graham Cluley

Charming.

Carole Theriault

Do you think it's weird that people keep track of the Met Police on Twitter? There's like 1.2 million accounts that follow this Twitter feed.

Bj Mendelson

Uh-huh.

Graham Cluley

Okay.

Carole Theriault

I mean, it's an active feed, right? They have probably a dozen tweets a day. And if I look on it, right, I can see that they tweeted about a murder arrest. They tweeted about a missing persons announcement. They tweeted a few convictions and the sentences that criminals received for violent crimes.

Graham Cluley

Right.

Carole Theriault

And they even have this campaign for gun crime appeals with hashtag #giveupyourguns. So there's lots of, I suppose, useful information there, particularly for Londoners interested in the happenings of their city.

Graham Cluley

Yeah, I would think so. Yeah, why not?

Carole Theriault

But on this past Friday the 19th, messages like 'fuck the police' and 'free Digga D' were being posted for all the followers of the Met Police to see. And just before I get into that, there was a press release also sent from the official Met Police account entitled 'Free Digga D,' and it was erased from the official feed along with all the Twitter messages. But it was indexed on Google search.

Graham Cluley

Oh, so this actually appeared on their website as well?

Carole Theriault

Yes, it appeared on the website as well. Now, I think that probably helped them figure out what the problem was, because it turned out that a third-party service provider was to blame. The Met Police, like many organizations and firms out there, work with an array of online services to provide better experiences for the user, right? Make it slicker, make it cooler. So it wasn't a Met Police Twitter heist case, but a MyNewsDesk attack. So MyNewsDesk is basically this platform that allows you to publish press releases, and it also helps you manage social and web listening, they call it. I'm rolling my eyes as I say that, but basically it's are people complaining about the product or the services or the brand, or people loving it? And then you have all these fancy analytics that make your bosses feel like they got a handle on things.

Graham Cluley

Yeah, okay.

Carole Theriault

So I'm reading all this and I'm preparing this story and I'm "I cannot resist. Who is Digga D? What is this?"

Graham Cluley

Please tell us. Is it Digger with an ER?

Carole Theriault

It's D-I-G-G-A.

Graham Cluley

Oh, excellent. It's very cool. Digga.

Bj Mendelson

Digga D. Does Digga D have a website designed by Tinley Consulting?

Carole Theriault

I doubt it, man. I doubt it.

Graham Cluley

So, I'm going to look.

Carole Theriault

Somehow MyNewsDesk was compromised, or the password for the Met Police UK Twitter handle was stolen, or something, because for enough time there was all these messages about hating the police and freeing Digga D. Digga D is a British rapper. I didn't— this is a new term for me. So apologies if you guys know what I'm talking about. Have you heard of drill rap or drill music? It's a kind of rap filled with violent lyrics.

Graham Cluley

For freeing Digga D. There is other rap. I've heard of grime. I just hadn't heard of drill.

Carole Theriault

Yeah, that's very good, very modern, Graham. Have you heard of pop? Digga D is a rapper, part of a drill genre that have violent lyrics, and The Guardian reported that in June last year, a judge issued a court order banning Digga D and four other drill rappers from recording new tracks without notifying the police. What?

Graham Cluley

Yeah, what? Wait, he's not allowed to record records unless the police— so hold on, otherwise you'll get a police record, I suppose, right?

Carole Theriault

So now I'm totally interested, right? I read that, I'm "holy moly." So apparently Digga D and his cohorts were up on charges of conspiracy to commit violent disorder after being arrested last November for carrying machetes— get this— knives and baseball bats, okay, on the streets of the UK. They initially claimed to have the weapons for use as props in their rap video, but later pleaded guilty to the charges.

Graham Cluley

If it's drill rap, wouldn't you have, I don't know, a hammer, a plane, a screwdriver, a few nails? Yeah, exactly.

Bj Mendelson

I feel like they would live at a Home Depot.

Carole Theriault

These, the Drill Guys, got sentences ranging between 10 months and 3 and a half years.

Graham Cluley

Oh, crumbs.

Carole Theriault

And the group received 8-year criminal behavior orders banning them from mentioning death, injury, or rival postcodes in their song.

Graham Cluley

So what, you can't mention a postcode? Don't mention E17.

Carole Theriault

And I don't have it written down here, but the name of their drill rapper group is something like W1011 or something like that, or 1011, and it has to do with the W10, W11 postcodes in London. In their lyrics, they have rivals of gangs.

Graham Cluley

Carole, just remind me, because it's been a while. So Digga D got mentioned in some of these tweets which were posted on the Met Police's Twitter account and indeed posted on their website as well by these hackers. So these hackers are, they're fans of Digga D?

Carole Theriault

Yeah.

Graham Cluley

And want him out of jail.

Carole Theriault

These guys got into the Twitter feed via MyNewsDesk, whatever, this nefarious group, and they started tweeting on the Met Police Twitter feed about, you know, I Hate the Police and Release Digga D. So they got sentences between 10 months and 3 and a half years. They weren't allowed to mention death, injury, or rival postcodes in their songs, right? And they were required to inform police of any new music videos within 24 hours and give 48-hour notice of any live performances. So this has raised this huge issue of censorship, right? So if you read an article in The Guardian, for example, about this, they're very much like, how is this not censorship?

Graham Cluley

And actually banning it or driving it underground might make it in many people's eyes cooler, if the kids still say cool. Mightn't it as well?

Carole Theriault

That's interesting.

Graham Cluley

So whereas if it was embraced by the police and said, oh yeah, we love the drill music.

Carole Theriault

Yeah.

Graham Cluley

Then all the—

Bj Mendelson

Well, that's what they should do.

Graham Cluley

Yeah. Then all the dudes would say, oh yeah, man, I don't really like that anymore.

Carole Theriault

Basically, the police became aware that their Twitter feed and press releases were under content attack. And this is 11 o'clock, 11 PM, right? But the police never sleep. So they regained control quite quickly, but they did take their Twitter feeds offline for a number of days. Earlier this week, on July 22nd, the Twitter feed burst back into life with this message, quote, "Due to an incident on 19th of July, as a precaution, we decide to suspend using this account. The issue has now been rectified. We'd like to reassure you that there's no evidence of a hack at the Met's IT network. We continue work with NCSC." They're the National Cybercrime Unit, right? Oddly, you would think that this guy would be pretty busy dealing with all of the dramas in his homeland, but POTUS Trump decided to weigh in, retweeting an image of the hacked accounts and blaming London Mayor Sadiq Khan, quote, "With the incompetent mayor of London, you will never have safe streets." I'm going to guess Pres Orange is tickled pink that ex-London mayor and Brexit campaigner Boris Johnson has just today, on the day of recording, announced that he is Prime Minister of the UK.

Graham Cluley

Let's just have a moment of silence for that one.

Carole Theriault

Wait, I don't have my black armband.

Graham Cluley

The tweet which I saw about this, the tweet which Donald Trump retweeted, was actually written by no lesser figure than Katie Hopkins, who British people will know, a star of The British Apprentice and well known for her controversial views on all manner of subjects, who actually has had her Twitter account hacked in the past as well, a few years ago, with people writing amusing things on her Twitter feed. But not a very nice person. But yes, so okay, so Trump and Katie Hopkins, they decided to try and score some political points with this as well. But it wasn't really the police who got hacked in a way.

Carole Theriault

They did not get hacked, but they are taking the heat for all this. So I think the big takeaway is, you know, if you're using a service to make your website slicker, if something goes wrong with one of those third-party services and it happens on your website, everybody and their dog is going to blame you, even if it was Joe Schmo from ABC Company that's providing you with it. So make sure that your third-party businesses that work with you have the proper security in place. So when I was thinking about the story, I was thinking, I bet there was no two-factor authentication available at MyNewsDesk. I did a little digging, I couldn't find that. But maybe also they do have it, but in the Met Police case, that Twitter account is probably managed by more than one person. So you have that problem with the two-factor authentication, that it goes to a device or to a single account, and how do you manage that properly? Anyway, so it's not the Met Police in this case though. It wasn't their defenses that fell.

Graham Cluley

Very good advice there at the end, Carole. Do you remember a year or two ago, we mentioned this on the show, when my Twitter account started spurting out Nazi spam and all kinds of bizarre things. And it turned out it was a third-party application, which I'd linked to my Twitter account. I think it was something to tell me how many people were following me on Twitter or gather statistics, something completely egotistical and vain. Mind you, I've got nothing like the number of followers that BJ has. He's got over a million or something last time I looked. Jolly good, BJ. Well done. I'm sure it's all very worthwhile for you. But while we're, while we're comparing willy sizes on Twitter—

Carole Theriault

Oh, I tuned out for a second. Let's go to our sponsor break, please. Hey, Graham. Yes, there are people out there with companies a little bit bigger than ours, and one of the issues that they face is visibility and oversight. And when it comes to cybersecurity, that is super important. So listeners, listen up. If you do not have a password manager in your organization, please check out LastPass Enterprise. They offer centralized admin oversight and control, shared access, and automated user management. All this stuff makes your life easier. Plus, you can even use LastPass single sign-on to protect all your cloud apps and give seamless access to employees keys. Check it out at Smashing Security— no, check it out at lastpass.com/smashing. Let me try that again, folks. Check it out at lastpass.com/smashing. Perfect.

Graham Cluley

Do you want to make it more conversational? I don't know.

Carole Theriault

I think that sounded great.

Graham Cluley

It's very hot today, isn't it, Carole?

Carole Theriault

Yes, let's get going. You have no idea. I'm sweating.

Graham Cluley

I'm sweating like a pig.

Carole Theriault

Quick, quick.

Graham Cluley

Okay. And welcome back. And you join us on our favourite part of the show, the part of the show that we like to call Pick of the Week.

Carole Theriault

Pick of the Week.

Bj Mendelson

Pick of the Week.

Graham Cluley

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.

Carole Theriault

Should definitely not be.

Graham Cluley

And my pick of the week, well, it is about securing yourself or maybe securing other people, but not in an IT securing kind of way. Are you curious now what it might be? Well, following the success, and can I say the huge success of my pick of the week the other week where—

Carole Theriault

Sorry, huge success.

Graham Cluley

My huge success of my pick of the week, which was 507 Movements, the mechanical animations, which I saw some people on Twitter enjoying, I have found a similar website. And this website is called Animated Knots, Knots with a K. And if you never were a Cub or a Boy Scout, then you might— Were you not? No, I was not. I know it surprises you because I'm so handy around the place and such an outdoorsy kind. But I've never really learned how to tie knots other than, you know, a tie or shoelace or something like that. But with animatedknots.com, oh, you will be tying people or things up left, right, and centre.

Carole Theriault

I'm looking at it.

Graham Cluley

All you have to do is choose a knot and it will explain it. And I even found a different way of tying up your shoelaces on this website.

Carole Theriault

And that's a big problem for you because you like them really tight, don't you?

Graham Cluley

I do like my shoelaces tight because I don't like to lose my shoes, which I'm always worried I'm going to leave my shoes around the place. So I like to make sure that they remain on my feet. But anyway, this is a handy little animation thingy. So whether you are a sailor or a sadist or whatever it is, that you may have a requirement for knots, go to animatedknots.com and check it out. I thought it was quite cool.

Carole Theriault

Yeah, me too.

Graham Cluley

And that is my pick of the week.

Carole Theriault

Yeah. Nothing to do with security. You're fine.

Graham Cluley

Nothing to do. Nothing to do with it at all. BJ, what's your pick of the week?

Bj Mendelson

Well, I have a quick one and then my actual pick. I couldn't make this. I couldn't find a way to describe this. All I can really say on the first quick one is if you use Reddit, and you do if you're listening to this show, go to r/Imsorryjohn.

Carole Theriault

Oh, I know this, I know this, I love this. This should be your pick of the week.

Graham Cluley

I'm sorry, John.

Bj Mendelson

I'm so— it's r/Imsorryjohn, and I'm going to read this subreddit description real quick. It says, "Garfield has abandoned his limited form and he is beautiful. Surrender yourself to him and be saved. Here we celebrate our favorite cosmic entity with catitude." And it's just, if you imagine Garfield merged with Cthulhu that doesn't even begin to describe what you're gonna find on the subreddit. And it's just, it's horrifying and wonderful.

Graham Cluley

I don't know what you're talking about.

Carole Theriault

I have to explain to Graham, I think, 'cause I don't even think he knows.

Graham Cluley

You translate, Carole.

Carole Theriault

Okay. In the '80s, Garfield, in North America at least, was a big deal. We all had the cartoons, we had the books, we had the comic strips, loads of people.

Graham Cluley

He's the cat who likes lasagna.

Bj Mendelson

Yes.

Carole Theriault

He's a cat who likes lasagna and he has an owner named John and he was very sarcastic a bit, right?

Graham Cluley

Yeah, he's kind of lugubrious like that. And he has a little pet dog called Odie. Is that right?

Carole Theriault

Are you reading this online?

Graham Cluley

No, no, no, I'm remembering. This is my memory. I'm not wearing a wizard's hat. This is genuine from my brain.

Carole Theriault

So, okay, so fast forward.

Graham Cluley

Yes, I know Garfield. Okay, check.

Carole Theriault

Okay, now, so onto BJ's story. This is a whole subreddit. It's designed to kind of pastiche that relationship and has turned it into something much more sinister. So if you just take a look at it, I'm clicking through, you will be able to see some of the— I don't know if this is Graham's kind of humor, BJ.

Graham Cluley

Okay.

Carole Theriault

It certainly is mine.

Graham Cluley

This just seems rather bizarre and a bit dark, slightly disturbing.

Bj Mendelson

It's a bit strange. The internet has historically enough to believe that Garfield is not funny. And so now this is the second attempt in 10 years for someone on the internet to kind of revise it. So first, in the late 2000s, we had Garfield Minus Garfield, which was a really popular Tumblr that became a book, and it was essentially all of Jim Davis's Garfield strips from the comic strip without Garfield. And so this is sort of the second attempt at Garfield is not funny, therefore we're going to just make it this strange and wonderful outlandish thing, you know, merging of H.P. Lovecraft's Cthulhu. And that's sort of a larger statement that it's not funny. And therefore, this is our way of poking fun at it as an internet culture.

Carole Theriault

I think that's beautifully said. This is a perfect example, Graham, of this. And this is a little bit— this is a bit lighter. It's more to your taste. It's a coffee mug.

Bj Mendelson

I like you.

Graham Cluley

Okay, so we've got a picture of Garfield. Oh, and Garfield's eyes are turning into the eyes of Sauron from Lord of the Rings occasionally.

Carole Theriault

So it's a cute little picture of Garfield. Then when he opens his eyes, they're all bright red and heated with the hot drink, I guess.

Graham Cluley

Okay.

Carole Theriault

Okay, I think you don't have to rain on it. I think you just say it's not for me, right?

Graham Cluley

I seriously, guys, I think this is a generational thing.

Carole Theriault

It's not to your taste or lack of.

Graham Cluley

So I'm going to step out at this point because I don't want to rain on your pick of the week. It's not to my lack of taste. No, there's plenty of tasteless stuff on the internet I do enjoy. But this, yeah, okay. Great, okay. I don't get this.

Carole Theriault

What are you worried about?

Graham Cluley

Don't you think there are people who did Garfield and this is actually ruining all their memories of Garfield?

Carole Theriault

Then they don't have to go look at this. This is a bit more, you know, edgy.

Bj Mendelson

I mean, I can certainly say I grew up on Garfield. That's right, because I'm a kid of the '80s, was born in '83. So, my childhood is heavily defined by Garfield and Friends, the cartoon.

Carole Theriault

And you know what, it wasn't funny. I agree. I don't know why I read it all the time.

Graham Cluley

Were you a friend of ALF, the alien life form? That sitcom? Do you remember ALF?

Carole Theriault

No.

Bj Mendelson

Yeah, no, no, that was ahead of me. That was my sister and brother, who are slightly older.

Graham Cluley

All right, I thought that was quite okay. Carole, what's your pick of the week?

Carole Theriault

Well, I didn't really have time to prepare one.

Graham Cluley

You've only had a week.

Carole Theriault

I'm going to tell you something that's happening on the day of publication, which is that a former jet ski champion and French military reservist, no less, who'd become known as the Flying Soldier, has invented a jet-powered hoverboard. And you know what he's going to do with that jet-powered hoverboard on Thursday? Cross the channel. Oh, the English-French Channel.

Graham Cluley

French.

Bj Mendelson

Oh, just to clarify, this is the thing that looks like the Green Goblin's vehicle.

Graham Cluley

Oh, I think I saw this chap on Bastille Day because they were doing— and he was— it was a bit like that Spider-Man bad— wasn't it? Or whatever he is. Green Goblin. Yes, that's the thing. So he is going to travel. Well, how's that going to work? When it says he's going to attempt it, he only has to go 10 yards and says, well, I attempted it, doesn't he? Is he really going to do this? Whoa. Carole, you've missed the biggest news here, which is his name. His name.

Carole Theriault

Yeah, no, I really think he's going to do it. He thinks it's going to take him 20 minutes to cross. No, I hadn't got there yet because I lost my link. I've lost myself in my link. I can't even find it now because I closed it.

Graham Cluley

It's got a cool name.

Carole Theriault

Yeah, don't steal the name.

Graham Cluley

You're gonna have to edit all this.

Carole Theriault

Yeah. Oh, normally I don't do any editing. Normally I just— yeah, I don't do any of that. Okay, so a hoverboard, right? Now, Franky Zapata, so he's gonna be crossing on Thursday to mark the 110th anniversary. It's a bit 10 years late, right, of Louis Bleriot's first cross-channel airplane flight. So it's the realization of a dream, he told Le Parisien.

Graham Cluley

Please don't make fun of the French accent, please.

Carole Theriault

He is also very stressed, he says. So now if you look on this link, there's a video here. Yes, you guys haven't seen this. I'll put this in the show notes as well, but you can see—

Graham Cluley

Okay, I'm gonna play it right now.

Carole Theriault

So he's flying through the air. It's incredible.

Bj Mendelson

I'm convinced that this guy is going to kill Spider-Man. So they've given— he's got a gun or something. Is he?

Carole Theriault

He's in character, Graham. So on Thursday, keep your eyes peeled because we just might watch him succeed or fail at this crazy attempt. Well, let's be honest, he probably will fail. How will it have enough fuel in it to get across the English Channel? Farting, Graham. Does he have tanks? How is it powered?

Bj Mendelson

There are 50 years of Marvel Comics that say he will be successful. Yeah, I'm all in. I'm with you.

Graham Cluley

Oh, it's kerosene. It's powered by kerosene. Oh yeah. That's safe as well, isn't it? Geez. Oh, hang on. I'm reading a bit more here, right? It says takeoff time depends on weather conditions. It has not yet decided whether to refuel by landing on a ship or hovering over it. The latter apparently is more risky. Well, duh, of course it's more risky. So it might be that he's just sort of hopping up for 5 seconds at a time, then coming back on the ferry, reloading. Hey!

Carole Theriault

Zapata, can you just not kill this until Thursday? On Thursday, if he fails, you can call me up and go, well, that was fun. But until then, can we just pray that he can get this? Because we need some good news. I don't know if you know who today was announced our prime minister, but maybe we could just stop, you know, poo-pooing this because Zapata is on his way to do it. He's gonna—

Graham Cluley

French government hoverboard across the Department of Defense in France have given him €1.3 million to develop this thing and it can fly for 10 minutes. Okay, carry on.

Bj Mendelson

My solution is we put Boris Johnson on one of these things and see how far he can go.

Graham Cluley

We have put him before on a zip wire and we saw how that ended up.

Carole Theriault

He certainly managed the PR-ness of that impeccably.

Graham Cluley

Oh, I read a story about it. I mean, it's probably off topic for this podcast. Apparently that was all a fix. Apparently he asked them to stop it. No one else, and the people who run the zip wire say, oh yeah, he made us do that.

Carole Theriault

Well, there you go.

Graham Cluley

There you go.

Carole Theriault

There we have got wonderful news that Boris Johnson is our Prime Minister. There we go.

Graham Cluley

I don't think that's the highlight of our podcast necessarily, but it does just about wrap up the show for this week. BJ, I'm sure lots of our listeners would love to follow you online. What is the best way for folks to do that?

Bj Mendelson

Yes, so like you guys, I now have a Patreon.

Graham Cluley

Do you? Excellent!

Bj Mendelson

Patreon.com/BJMendelson. I will be doing funny summaries of business and marketing books, one a month for a dollar.

Graham Cluley

Excellent. And you can follow us online on Twitter @SmashingSecurity, no G. Twitter wouldn't allow us to have a G. And we have a discussion Reddit as well, go to smashingsecurity.com/reddit. That's the quickest way to get there.

Carole Theriault

Plus, huge thank you to this week's Smashing Security sponsor, LastPass. Its support helps us give you this show for free, so be sure to check out its offers. And as always, huge hugs to you all, you listeners out there, and welcome to our new Patreon subscribers. Stay tuned after the show for a bit more information about our Patreon.

Graham Cluley

Until next week, cheerio, bye-bye, bye-bye.

Carole Theriault

Graham!

Graham Cluley

Yes, hello, hello again.

Carole Theriault

How is our Patreon experiment going?

Graham Cluley

The Patreon experiment is going superbly well, I have to say. Since we announced it on last week's show, according to Patreon right at this second, it says we now have 37 patrons, people who are subscribed supporting the show. They've joined one of the two tiers for goodies and special access.

Carole Theriault

Okay, so we must do a little shout out for our brand new patrons: Alexander, Angela, Chayenne, Dan, Daniel, David, David, David, guys, Dimitri, Eric, Giselle, Rodrigo— sorry— Jonathan, Lisa, Macaulay, Mark, Marcus, Michael, MTS, Nate, Nathan, Neil, Nicola, Pete, Picto Pirate, Richard, Richard, Robert, Roy, Reuben, Sanketh, Scotia Stewart, Thomas, Thomas, Yuri, and Zach. Don't forget Zach, guys. Thank you so much. High fives to you all, especially for being early supporters to our Patreon page. It means so much.

Graham Cluley

For $2 per month, you get access to special little messages from us. And eventually, when we're earning as much as $500 per month, we will pull the lever and turn on the ad-free RSS feed so you'll be able to get the show without any ads. Now, if you want to give us $5 a month, and many of you have been very generous enough to do that, then you get all of that which I've just mentioned, but you also get early access to episodes before they are officially released when possible.

Carole Theriault

People are going crazy for that, right?

Graham Cluley

They are loving it. And also, Carole, people can get bonus behind-the-scenes podcast content, which may contain more bickering. As if. Well, anyway, if you're interested in all that, go to patreon.com/smashingsecurity. But if you can't afford to support us in that fashion, and we totally don't mind about that, there are other ways in which folks can do their little bit for us, isn't there?

Carole Theriault

Totally. You can always drop us a review. We love reviews. In fact, we just got a recent one, which I really loved because it's from Metal Geek Steve. And he says, by far the best Security Weekly News podcast. He says, entertaining, informative. But he says even his wife, who doesn't know the difference between OS X, Windows, and Linux, loves listening to this. And those are the people that we can help make actually be a little safer out there. So that's so cool. I really like that.

Graham Cluley

It would be good if we're not just helping the geeks with cybersecurity. In fact, on that—

Carole Theriault

I don't think we're helping any real— I think we're entertaining the geeks.

Graham Cluley

On that note, we'd also like to thank Nate. Nate has dropped us a line on Twitter, and he says his 18-month-old boy laughs along with the show whenever he listens.

Carole Theriault

Excuse me, I swear quite a lot on this show, Nate. I don't know if you know that. Eek, get some headphones. Yeah, just make sure you yell really loudly whenever you hear a swear word coming along.

Graham Cluley

Or whenever Carole comes along, that's possible, yes.

EPISODE DESCRIPTION:

Logic bombs in Excel spreadsheets, how should we protect our brain data from big companies, and how did bizarre messages about Drill rap end up on the Metropolitan Police's Twitter account and website?

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by BJ Mendelson.

Visit https://www.smashingsecurity.com/138 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: B J Mendelson.
