177: Elon Musk, Roblox, and Love Bug author found

What can X Æ A-12 Musk teach us about passwords? How did our guest finally hunt down the man behind one of history's biggest virus outbreaks in Manila? And what on earth is a hacker doing breaching Roblox security?

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by technology journalist Geoff White.

Visit https://www.smashingsecurity.com/177 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Geoff White.

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.

GRAHAM CLULEY. News slash news slash Smashing Security has made it to the finals of the European Security Blogger Awards. If you can be asked, please go to smashingsecurity.com slash vote and vote for your favorite security podcast. Voting closes on the 11th of May, so don't delay or I'll electrocute your eardrums. That's smashingsecurity.com slash vote.

Now, on with the show. Smashing Security, episode 177. Elon Musk, Roblox, and Lovebug author found. With Carole Theriault and Graham Cluley.


GRAHAM. Hello, hello and welcome to Smashing Security episode 177. My name is Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM. And we're joined this week by returning guest, it's Geoff White. Hello Geoff.


GEOFF WHITE. Hi, how are you doing?


GRAHAM. Hello Geoff.


GEOFF. Hi Geoff. Good to have you back now.


GRAHAM. Yes, exactly. Something we need to raise, Geoff, is that as well as doing cybercrime investigations, that podcast of yours, you've also launched another podcast, haven't you? Earworm Island. Yes. Maybe you can tell our listeners who might not have heard Earworm Island, what's the premise of Earworm Island?


GEOFF. It's quite simple. So basically each week the guest gets to send their worst enemy to a desert island with the four most terrible records ever made and a completely useless object. That's pretty much it. Similar to other desert-based radio programmes you may have heard.


GRAHAM. Now, so I was fortunate enough to be the first guest on Earworm Island. And a great guest too. Thank you very much. You were a wonderful host. And I took along, of course, celebrity popper quadruplet Il Divo is who I sent. And then apparently you also spoke to Rik Ferguson, who we had on Smashing Security last week.


CAROLE. I know. That was so weird how we slalom through that. I didn't know that he was going on your show.


GRAHAM. I think Rik has basically become a podcast tart. And then your next guest was Carole.


GEOFF. Yes. Yeah, Carole. I should say, I don't dictate what the guests do on the show. They just come on. So that's what I wanted to raise.


CAROLE. What's your problem, Graham? Geoff, are you happy with the episode?


GEOFF. Oh, yeah, yeah, yeah. They've all been fantastic.


GRAHAM. I was happy too. So, Carole, the person you wanted to confine on this desert island and inflict pain on with some of the worst records ever, that was who exactly?


CAROLE. The person I wanted to help improve was you.


GRAHAM. Yes. And I didn't know you were going to do that, did I?


CAROLE. No. That was something of a surprise for me.


GEOFF. You could have got there first, Graham, I have to say.


GRAHAM. Well, I'm not evil. That's the difference, you see, Geoff. That's the difference between me and my co-host is I'm not as nasty as I am.


CAROLE. Look, I was doing it as a favor. You say no news is bad news, right? So you like to be in the press. So I just thought, hey, I'll give you another hit. You're welcome.


GEOFF. Carole. Thank you both for coming on. We're all friends now.


GRAHAM. Yes, totally. I'm everybody's friend always. Working on it. Carole, what's coming up on the show this week?


CAROLE. Well, first, thanks to this week's sponsors, Oracle, DomainTools, and LastPass. Their support helps us give you this show for free. Now, on today's show, Graham is going to give us a password update. Geoff tracks down a notorious hacker and gets the lowdown, and I'm exploring the world of Roblox and find out how a hacker upset the apple cart. All this and much more coming up on this episode of Smashing Security.


GRAHAM. Now, chums, chums, amidst all the misery, all the gloom, the pandemic, the dystopian nightmare that we are all living through, we have some happy news. Yes, a child has been born just a few days ago.


CAROLE. I think there's children born quite regularly, Graham.


GRAHAM. Not a child like this, because this is a child born of our savior, the SpaceX and Tesla billionaire, Elon Musk, who one day will be packing us off to Mars for the safety of humanity. Just a few days ago, he was making headlines by calling for the end of lockdown. Did you see him on Twitter?


CAROLE. Oh, no, I didn't see that. I didn't see that. I saw that he was trying to sell his house. He was like, I'm going to be homeless. I'm going to.


GRAHAM. Yes. Yeah. I'm not going to be home. No home ownership for me. That's right. He wants to sell all his possessions, his mansions. They've been listed online. He's got a $30 million seven-bedroom, 11-bathroom house in Bel Air.


GEOFF. I'm always freaked out by houses that have got more bathrooms than bedrooms. That's true. I don't know if that just implies bowel problems to me.


CAROLE. No, but you have a powder room downstairs. And then, of course, in the gym, you've got a bathroom. And in the cinema room.


GRAHAM. Oh, that's true. And also, you might want a his and hers bathroom, but you might not want a his and hers bedroom. You might want to say, oh, sorry, we haven't got a spare bed. You're going to have to share with me, right?


CAROLE. Because the other six bedrooms are full. It's 2020, Graham. I don't think that's how it works anymore.


GRAHAM. Anyway, he said various things. He also said that Tesla's stock was massively overvalued, in his opinion, which sent his share price tanking, which are not things for him to say. I remember he's gone a little bit postal before on Twitter and has had an impact on his share price, so much so that he's actually been told the lawyers have to – he has to run any controversial tweets past them. So he can't have done this on this occasion because he went the full McAfee, right? He should never go the full McAfee.


CAROLE. Did he ever go totally apeshit on Twitter? Who, Musk?


GRAHAM. Yeah.


GEOFF. Well, there was constantly. There was the whole thing around the submarine.


CAROLE. Yes, the submarine thing is the only one that comes to mind for me. I don't follow him.


GRAHAM. I don't follow him either. I think he quite likes to troll people and act quite bizarrely. Now, I was wondering, why has he done all this? And it's not a presidential bid, although I'm sure that will be coming. It's only a matter of time.


CAROLE. I don't know if he'd want all those headaches. All the bureaucracy, I don't think that's his style.


GEOFF. The power, though. I mean, the power you get as president. I think that, I don't know. I can see it. I can see it. Okay, interesting.


GRAHAM. He could declare himself Lord Mayor of Mars or something, couldn't he? I mean, if he gets there first. Well, the answer as to why he's acting so peculiarly may be that he's had a little bit of stress at home, where he lives with his girlfriend, Grimes. Are you familiar with Grimes? She's a singer or something.


CAROLE. She is? Yeah, I know that. That's right.


GRAHAM. Now, she's not very happy with some of his tweets. Maybe she has some Tesla stock. She's dating Elon Musk?


CAROLE. Oh, for a couple of years, I think. I didn't know that. See, I don't know. I'm Googling the photos.


GRAHAM. Hang on. So, basically, we've got Grimes and we've got Musk, which is quite a good point. Quite a combination.


CAROLE. They should make a perfume, a scent together. Oh, yes.


GEOFF. It sounds like a house full of cleaning products, doesn't it? Get Grimes. For the toughest stains, get Musk.


GRAHAM. Well, that's not the only source of tension is the share price because they've just had a baby together. They have had an offspring. A little Musk was welcomed to planet Earth. It was announced on Monday by Elon, and he posted a picture of his newly born with tiny face tattoos over it. So, which I think had been added via Photoshop or something like that.


CAROLE. That's his picture? He put those things on his kid?


GRAHAM. Well, that is the picture he posted. I can't imagine they've really...


CAROLE. And what does it say? I see Savage.


GRAHAM. Savage and there's some sort of weird symbols of a snake and I don't know.


GEOFF. Also, look, I mean, the picture, just looking at it, there's the tattoos, but it also looks like it's been sort of photoshopped to make the lips. The eyelashes are upside down. Yeah, the eyelashes and lips are more sumptuous. It looks like the baby's wearing makeup as well as tattoos. This is weird.


CAROLE. So it's not his kid. It's just a kind of...


GRAHAM. Who does that? It might be an Instagram filter, maybe. You know how sometimes, you know, the likes of the Kardashians sort of touch themselves up. Yes. Now, you might be wondering what Musk Minor is going to be named. That's an obvious question. You know, how much is the name? You know, how does it match the weight?


CAROLE. That's exactly what I'm thinking about.


GEOFF. I'd love it if it's something really boring like Kenneth. Yeah, Daryl.


GRAHAM. Well, this is Elon, this is Grimes, this is Kenneth. The name is X capital Æ A-12 Musk. So that's what Elon said. No one thought always having a joke, and then Grimes chipped in and she explained the name. Okay, go. So X, that represents the unknown variable. The capital Æ that is a, I think people call it ash or something, is that that particular character these days. It's the elven symbol of AI, which can mean love and or artificial. Yes, as in Lord of the Rings. Okay, so AI, okay.


CAROLE. Okay good, so Lord of the Rings with artificial intelligence. Brilliant. Okay, this is deep. Carry on.


GRAHAM. A-12 is the precursor to the SR-17, of course. That's their favourite aircraft. It doesn't have any weapons, no defenses, just speed. Great in battle, but non-violent, she says.


CAROLE. So if they have a second child, they're going to have the second favourite aircraft.


GRAHAM. And A equals Archangel, she says, which is her favourite song. So that's the name of the new Musk, which is going to be a challenge, I think, when they fill in the birth certificate as to whether the form's going to accept it. And now I was... X for short, so that's what's going to happen. You might be wondering, why am I bringing this up on Smashing Security?


CAROLE. Yeah. Did someone complain saying, look, could you just talk a bit more about some security stuff, please?


GRAHAM. Well, I think the explanation of this might be that this is actually Elon Musk's tribute to World Password Day, which is today, Thursday the 7th of May, as is every first Thursday in May, is officially World Password Day, when we're all reminded how important passwords are and that password security.


CAROLE. Every month? No, the first Thursday in May. The first Thursday in May. So every year we have a World Password Day. Okay, great.


GRAHAM. That has been the case since 2013. This initiative was all started by Intel. They created a website called PasswordDay.org and launched it on Thursday, the 7th of May in 2013. And they continued to promote the event, you know, every year for a few years. And then they got a bit bored of it.


GEOFF. Well, I still firmly celebrate this every year. So every year I faithfully write my password on a billboard and I go out down the street with a klaxon. Tell everyone. Isn't that how everybody's supposed to celebrate World Password Day?


CAROLE. Make sure you do it with a mask if you're going to do it this year. Of course, yes.


GRAHAM. Well, I was thinking maybe Elon had actually chosen his child's name with a password manager because he's got a funny character in there. He's got a mixture of capitals and lowercase. And I thought it's probably fairly unique, I think. I can't imagine there's many more of them out there. And then I thought, well, maybe, you know, people keep on saying that passwords are dead, right? And that passwords are going to be replaced by something. Oh, sorry.


CAROLE. Can I interject? How is X going to be able to open any accounts with his name?

I didn't know you're so familiar with them that you could just call them X, girl.


CAROLE. How do you write Ash on a phone? It's not easy. It's annoying. He's going to hate his dad. He's going to hate him.


GEOFF. Isn't there some rule as well about what you can call a child? I don't think in the UK you can call a child Jesus. Obviously, Jesus in Latin American countries you can. So I think if you try to register a child as X, I don't know whether you can register that birth with that name. Is that... I don't know. I don't know what the rules are in the US.


GRAHAM. I'm sure there are rules in some... I'm surprised you can't call a baby Jesus in this country. Of course you can. I don't know. So I said baby Jesus. I didn't say baby cheeses.

You probably could name your kid baby cheeses.


GRAHAM. Now, a company called ID Agent for World Password Day, they have been looking through their database of past breached passwords. They went through over 2 billion breached passwords, and they came up with some of the most common ones, right? So lots of people are still using sports teams. This is 2020, and people are still doing this. Apparently the number one sports team or sports slogan is Roll Tide. I don't even know what that means. Yankees, the Steelers, Eagles, and Red Sox. And then people are choosing sports like baseball, football, and soccer. Superheroes. The top superhero or cartoon character is Tigger. It's probably kids. Well, maybe, yeah. I mean, I suppose better that they're – is it better that they're using Tigger and Snoopy than Password? No, no. So how about this, Carole? You're a bit of a muso, right? The top songs and bands. The number one, apparently, is Blink-182.


CAROLE. Oh, yeah. I was a big Blink-182 fan.


GRAHAM. Rush-2112, then the Beatles, Blondie. Blondie? Blondie. In this day and age. Yeah, I know, but in this day and age, would that really be the fourth most common band? And the other one, which confused me, and I've Googled it, is 867-5309, which apparently is some pop song, something. I don't even know. I think it's meant to be a girl's number in a song. It doesn't ring any bells with me. No idea.

You're over 50, though, Graham, so that's good.


GRAHAM. That's true. That's true.

That's the number five most popular. That's odd, isn't it?


GRAHAM. So say ID agent, and I'm always, I don't know, really. I mean,


GEOFF. Yeah. Oh, by the way, I just Googled the thing with Jesus. I think you can call a kid Jesus in the UK. Apparently there aren't that many restrictions. So I may have been misinformed. I don't want to put the fake news out there. Okay. Okay.


CAROLE. So what I think this is actually saying is of all the passwords we looked at, some of them had sports teams, here they are, right? Yes.


GRAHAM. And they tried to categorize them and come up with a list of them.


CAROLE. Yeah. I think the list is, because they didn't want to put out the same news that everyone else puts out is the number one word is password. And then it's password 123, you know, and then it's 1, 2, 3, 4, 5, 6.


GRAHAM. So I think Elon has maybe given other people a great idea. So if you haven't already started using some sort of random character generator or a password generator to generate stronger, more unique passwords, just like he's named his child.

Are you suggesting people start naming their kids following his lead?


GRAHAM. Well, it's an approach, isn't it? You know, as we haven't had much success getting people to choose stronger passwords, maybe if everyone had a crazy user ID, hey, maybe rather than creating unique passwords for every site, maybe we should all create unique usernames instead. So you have a different username for every single site.


CAROLE. Yeah, that'd be so easy to manage.


GEOFF. Also, can I just point out, if Graham's onto something here. I'm not. It would be a first. But if Graham's onto something here, hasn't Elon Musk just given everybody his password? Oh, good point. By naming and tweeting.


GRAHAM. Yeah. Well, I think, I mean, Elon Musk clearly is barking mad. But very rich. And therefore very powerful. And therefore very powerful and potentially very prone to legal action. So let's swiftly move on. Geoff, what have you got for us?


GEOFF. Well, I've been quite busy this week.

You have, haven't you? I'm settling in with a cup of tea for this story because I can't wait to hear it. Tell us why you're in the news, Geoff.


GEOFF. It's more the story that's in the news rather than me, but this is the 20th anniversary this week of the Lovebug virus, the I Love You letter. And it was 4th of May 2000 that it was launched. You guys must remember. Yes.

Oh, yeah. We were working together. We were first responders because we were PR because we had to talk about what we'd done with the labs, how we did help defend against it. It was a big deal.


GRAHAM. I was in Stockholm that day, actually. I was giving a talk. And during a break, lots of people turned on their phones and their phones started bleeping. And they came up to me and said, hey, have you heard of a virus which sends love messages? And I


GEOFF. Hadn't you been talking about some love-related virus?


GRAHAM. I had, yes. The funny thing was that morning I'd been telling people about funny viruses and I said, oh, there was this virus called no smoking. And what it could sometimes do is send a message, a NetWare broadcast message saying, I love you or something, or I'm in love with you. And I was joking about the problems that could cause in the office.

So I'd made this joke. And then we broke for coffee and things. Everyone's pages started going off. And they said, is that thing, is that in the world? And I said, oh, no, no, no, no. You're not likely to encounter it. And they said, well, we've just been bombarded with love messages. And it was the love bug that day.


GEOFF. I worked for an internet company at the time. And I just remember being in the office and people just kept falling for it. Every time you looked up from your desk, there was a new person sort of staring at their computer and kind of phoning IT support. It just went around like wildfires. 45 million machines, it's estimated. Yeah,


CAROLE. it was huge. It was huge.


GEOFF. What was interesting was a lot of the damage it caused was it flooded email servers. So basically, it just got inundated with messages because it was a self-replicating worm. So for every person who got hit, it would attempt to send a copy of itself to everybody in their Microsoft Outlook contact book.


CAROLE. We call them mass mailers.


GEOFF. Mass mailers. So interestingly, it was the disconnection of stuff that caused a lot of the disruption, because it wasn't that you got hit by a lovebug necessarily, but you'd had to unplug all of your email servers. So I find that interesting in that, if you look at coronavirus, a period we're in now, a lot of the economic damage is being caused not by the virus itself, but by the measures we're having to take to prevent the virus propagating. So I find that interesting sort of echo down the line from


GRAHAM. that. We've disconnected rather like the love bug virus made us disconnect.


GEOFF. Exactly. Yeah. So anyway, so they traced the password stealing virus as well. It was stealing passwords and it was sending them to an email address. Investigators tracked the email address to Manila. They had a couple of suspects at the time, but there was no law at the time in the Philippines against computer hacking.


GRAHAM. That's right. I forgot that. Yeah.


GEOFF. So they tracked back to an apartment. A couple of people connected with the apartment were computer science students at a local college, notably a guy called Onel de Guzman and a friend of his called Michael Buen. So, you know, these guys, you know, they did a press conference, people asked them and stuff, but there was no law against hacking. And Onel de Guzman, when asked about this, said, oh, it's possible maybe I released it by accident. Don't know. And then that was it. You know, everybody packed up and there was nothing more could be done. And the world


CAROLE. was screaming blue murder and they were going, we can't do anything.


GRAHAM. And for anyone who's listening, who wasn't working in IT at the time, because this was 20 years ago, this was the biggest virus outbreak we had ever seen. There'd been nothing like it. And to be honest, there wasn't much quite like it in the years since either. It was one of the biggest outbreaks in history.


GEOFF. It really set the benchmark. And one of the things I've talked about in the book I'm publishing in August is that prior to Lovebug, it's not quite this binary, but prior to Lovebug, it was quite difficult to, A, infect lots of people and get a good base of infections, but also it's quite difficult to make money out of that stuff. And I really feel in 2000, that changed. Suddenly it's like, yes, you can infect millions of people. And obviously, one of the effects of that is, well, then millions of people can potentially be robbed, defrauded, and so on. So yeah, I think it really was a sea change. I mean, I've talked about the world's first global computer virus. There was obviously Melissa before in 99?


CAROLE. That was pretty big at the time. I mean, that was the biggest to date at the time.


GEOFF. They reckon about a million machines with Melissa and it certainly didn't generate the kind of headlines.


GRAHAM. The Melissa guy, David L. Smith wrote the Melissa word macro virus. He was in America, ended up getting caught, given a prison sentence eventually. But with de Guzman,


GEOFF. nothing seemed to happen. Exactly. So for the book, I wanted to start the book somewhere. I was thinking, where do you start the history of cybercrime? You're going to write about it. And the reason I chose the love bug was, A, as you say, it's a massive thing. B, it was my first sort of failed attempt at journalism. I sent a badly written article to the Guardian newspaper and they wrote back and said, well, we're not going to print your article. And by the way, sending us an email titled love bug during the middle of an outbreak called love bug isn't exactly the smartest move.


GRAHAM. That's quite funny, Geoff. I sent out a newsletter this week to my subscribers, and I mentioned the 20th anniversary of the Love Bug, and I called the subject line of my newsletter because I'm just childish. I said, kindly read the attached newsletter coming from me, which is a kind of spoof of the message that the Love Bug had sent. And I did get some people coming back to me and said, I'm not sure I trust this anymore.


GEOFF. I'm not going to open this. But the other thing I find fascinating about Love Bug is it's always people opening emails, clicking links. Very often, that's the source of the infection. It's still the hackers' number one way in. And if you think of what you need to do to trick people to open the message, the lure that you're going to need, the Love Bug was the best lure ever created because it's got universal appeal. The one thing everybody in the world wants is love. You could not come up with a better lure for an email. It was inspired, absolutely inspired.

So I thought, I'm going to settle this dilemma, you know, who created Love Bug. There were two people, there was Onel de Guzman and Michael Buen. Michael Buen, as far as I can work out, still in the Philippines, still a coder. He's a very smart guy. He's very witty. And there's some stuff in the Love Bug, some little in-jokes. And I looked at it and I looked at Michael Buen. I thought, you know, he does look like the kind of guy who might have written it. So I started getting in touch with him, sent him many messages, and he just didn't reply. Onel de Guzman just went to ground, never heard of again.


CAROLE. And we don't know why he went underground? We don't know what led to that? He just disappeared?


GEOFF. He just disappeared. Yeah, yeah. There was also gossip that he'd been hired by Microsoft and that he worked in the US and all this stuff. Then there was a little comment, one comment on a forum, on an internet forum from somebody who said, oh, I think I saw him in a market in Manila. I think he was working in a mobile phone shop. And they named where the market was. I thought, well, I'm going to the Philippines anyway to research another story. I thought, I'll just go to the market. I'll pop by. So I looked at this market. I don't know, I've—


GRAHAM. Got a broken phone. Could you fix it for me? I love you.


GEOFF. But this market is chaos. You can imagine a market in back streets of Manila. And there's dozens of mobile phone shops. And I thought, well, I'm here now. I've done some desperate things. I'm going to do a desperate thing. So I wrote his name on a piece of paper. And I literally went around the market showing it to people in these phone shops. And of course, I'm taller and lighter skinned than most of the people there. I just look like a tourist dad who'd lost his kids. I was, hello, have you seen this man?


GRAHAM. Oh, so there wasn't a risk that other cybercrime investigators might be at the market, see you holding Onel de Guzman's name out and think you were de Guzman.


GEOFF. I am Onel. But then somebody said, oh, yes, I know him. I remember him. I said, really? He said, yeah, yeah, he works at this mall or the shopping mall across town. So I went over there and I go around the mall with my little sign with his name on. And I get to the very back of the mall, the real cheap bit of the mall, the cheap booths. And somebody says, oh yeah, he works at that booth down there. So I went down. Oh my goodness. And I thought, surely not. And I go to this booth and there's a guy there and he doesn't look much like Onel de Guzman. And it wasn't him, it was his colleague. And he said, oh yeah, Onel works here, but he'll be back tomorrow. It's his day off. And I was flying out the next day at 7 p.m.

Hey, so you have time. You've got time. I said, what time do you turn up to work? He generally turns up about three or four. I was, oh, no. And I just thought, well, he's not going to talk. Obviously, he's not going to talk to me. I'm a journalist. Why on earth would he do that? And he's going to turn up late. He's got every opportunity to dodge this interview. But I'm here now. So I spent two days in the shopping mall. I didn't leave. I stayed there. And sure enough, the next day, he turns up. And I sat down with him. And I was expecting him to, I was expecting to have to put my evidence to him and finally force him to... But he just started talking about it and just admitted it pretty much straight off. To the point where I was so paranoid, I thought, well, this must be a wind-up. This can't be the real guy. So I was making notes in my notepad and I just thought, well, how can I prove this is actually Onel de Guzman? And I noticed he had moles on his face. So I started drawing in my notebook a map of where the moles were. So that later on...

That's so smart. Well, I thought it's got to be something. But to be honest, as soon as he started talking about it, there was so much stuff that he knew. He also knew some other people I'd been speaking to. So during the course of the, it was an hour's conversation. It became clear. This was Onel de Guzman. He did create it.


CAROLE. So why would you be surprised that he wouldn't talk, given that I'm presuming he's still safe from imprisonment or from any legal ramifications?


GEOFF. He feels, yes. He feels that there's no risk of being prosecuted. He said there was a case that I think the ISP that he was using to gather the email addresses, I think they tried to bring a case against him, but that got dropped. It would be stunning after 20 years, I think, if there wasn't an attempt to prosecute.

Is he proud? It's interesting. Like a lot of techies who've been caught, he's proud of the code. He's proud from a technical point of view, I think, of what he did, because it was a decent pull together of the virus potential at the time.

He's not proud, though. He deeply regrets the damage that was caused, and he had no idea it was gonna go international. He released it at about one in the morning and he sent it to somebody in Singapore. There was a Filipino person in Singapore he says he was chatting to online. So he sent the virus to him. And then Onel de Guzman went out drinking with a mate and just forgot about it.


CAROLE. It is kind of incredible how much disruption two guys caused.


GEOFF. So just quickly on that front, though, I did ask him about Michael Buen, the other chap. He said he did know Michael. They did write code together. But Michael Buen, according to Onel de Guzman, had nothing to do with the love bug virus. So I can finally settle that.


GRAHAM. Michael Buen, though, he has always won my award for the dumbest virus writer in history because he wrote the WM97 slash Michael B virus, as we called it at Sophos at the time, which at the end of the month would print out his entire CV and say, if you didn't give me a job, he was going to release another virus. So you had his name, address and contact details. If only de Guzman had done that, you'd have been able to reach him even.

So you're quite right that the love bug caused a huge problem of clogging up email systems. But what's always occurred to me is that virus stole your dial up internet password. So people used to connect things like FreeServe and CompuServe and things like that. It would steal those passwords and it emailed them to an address that de Guzman was in control of, presumably. As millions and millions of people got infected, didn't that mean that his own email system would have run out of quota?


GEOFF. Yes, it crashed. There was millions of passwords coming in. So he not only DDoSed the world, he DDoSed himself.


CAROLE. In the process of DDoSing the world.


GEOFF. But this was the whole point. He basically, his whole point was, look, access to the internet is a human right, which is an interesting, ahead of its time as a viewpoint. I'm poor, I can't get access to the internet. Other people do and can pay for it. So if I can just take their passwords, I can get access to the internet for free.


GRAHAM. Geoff, right now, I believe toilet paper's a human right. It doesn't mean I'm going around stealing it from everyone.


CAROLE. You don't need to steal it, do you, Graham?


GRAHAM. Have you been stockpiling? Well, I can't go into details.


CAROLE. That's disgusting. That's all I'm going to say. I didn't bring that up on Earworm Island.


GEOFF. Fess up. How many rolls have we all got? I'll start. We currently have 20.


CAROLE. Oh, okay. I don't know. Four.


GRAHAM. Oh, I see. What? Really? I'm living on the edge. Well, that just lasts you till seven o'clock tonight, won't it?


CAROLE. If I may, I don't think it's very becoming to walk around with huge bags of toilet paper. I have a real issue with it.


GRAHAM. All right look we couldn't get any at the supermarket and so we thought we'd order online. The problem was that where we were ordering online they weren't going to sell us an individual box. We had to get like a crate.


CAROLE. How many is in a crate?


GRAHAM. Look, I don't want to talk about this. Can we please move on? Please, let's move on.


GEOFF. Wait, is it above 100? Can we just settle?


GRAHAM. No, I don't think it's above 100. Okay, I think it is. Carole, what's your story for us this week?


CAROLE. Well, boys, welcome to the world of Roblox. Now, do you, have you guys ever played with this? Your kids, cousins, anything like that?


GRAHAM. My son is desperate to play Roblox, but I say that he's too young to do it. But I do know lots of kids who adore it.


GEOFF. One thing I will say about Roblox is, I'm sort of dimly aware of this, but I've been trying to, I was trying to find Twitter accounts for police forces recently. And for some reason in Roblox, it's a virtual environment and there are police forces. And so they've set up Twitter accounts for Roblox police forces, but they're the same as the real police forces. So they have to say, look, this isn't really, you know, Manchester police. This is the Roblox virtual.


CAROLE. That is weird. Oh, digital world and the real world are just mashing together in weird ways. So for those that don't know, Roblox is kind of like Minecraft or Fortnite. In Roblox's case, it's like a massive online game development suite. And it tends to focus on your younger audience. So kids, teens seem to love it. And it allows users to program games. They have their own language and they can create characters, design really complex, impressive environments from what I saw on YouTube. And they're all programmed in this thing called the Roblox Studio.

And the main draw of Roblox is that it offers thousands of free user created games for users to play. And there's 100 million monthly active users. So no small potatoes. There is a lot of action and activity on here.

So basically, people can also make money on Roblox too, right? They're called Robux. And you can get Robux either by paying an online subscription or by creating objects that other people desire and then selling them on.

Much of the content seems to be developed with monetization in mind. So some developers have even become millionaires for flogging their creations. There's this YouTuber called Linkmon99, and he's well known in the Roblox community for being the richest Roblox player for selling items for inline games.


GEOFF. So if you're playing a game on Roblox, you can go to him and buy something for the game, is that right?


CAROLE. Yeah. So you buy Robux, and you go to his section on the Roblox website. There's big catalogs, and you go after certain people because they're better or they make certain cool stuff, and you then spend your Robux.


GRAHAM. So your Robux purchases get converted into real money for Linkmon99 or whatever his name is. That's


CAROLE. Right. So then Roblox, the company, and the creator both share the cash and the ideas that everyone gets catching. Yeah.

Now, and they seem to do, Roblox as a company, seem to do some good community stuff, helping with online fundraisers. For example, they've just launched a $2 million fundraiser to support COVID-19 charities. This is UNICEF USA, Code.org, and No Kid Hungry. And the idea is they've created some items, people buy them, and then they'll donate money from those purchases to those three charities.

So it all seems good. It's teaching people how to be creative, how to generate money, how to program. And I think it sounded quite cool. So I couldn't help but wonder what the head honchos at Roblox were feeling on May 4th after Motherboard's Joseph Cox published this article.

Apparently a hacker tried to bribe a Roblox employee to gain access to the back end customer support panel of Roblox. You think why would he want that? Why would he want access to that information? So the employee could have said how dare you sir but didn't. Apparently the was successful.

So the way it worked is the hacker is said to have first paid an insider to perform a user data lookup. And that info helped the hacker choose his target, a customer support representative. And the hacker provided Motherboard with a series of screenshots showing the alleged communication between them and the insider. And the insider, this employee on LinkedIn, the worker is listed as having worked as an in-game support contractor for Roblox. So again, LinkedIn is used as a treasure trove of information to help hackers pinpoint their targets in a company.


GRAHAM. But hang on a minute. So this hacker bribed someone inside the Roblox conglomerate into sharing some information. And that's obviously kind of an insider threat in a way, isn't it? Because you've got humans and they're bribable. It's


CAROLE. Who's working in customer support? Who would be interested? Who would do this? And here's a payoff. Thanks for that information.


GRAHAM. But then the hacker goes to Motherboard. He goes to a journalist and said, look what I've been able to do, rather than monetizing it. Well, let's just wait. All right. Wait, wait, wait. Patience.


CAROLE. The hacker gets access to Pandora's box. So I'll share a few highlights. And I want you guys to help me sniff out if he's a good hacker or a bad hacker.

So by Pandora's box, I mean the hacker could look up personal information on any of its 100 million active monthly users. The hacker could steal virtual in-game currency from people. Hacker could change passwords. A hacker could effectively lock people out of their accounts. They could turn off 2FA or multi-factor authentication, ban users and more. So he had access to the mother lode here, and he told Motherboard, "I did this only to prove a point to them," and Motherboard has granted the hacker anonymity to speak more candidly about the crime.

So you're reading this and you're thinking, okay, turns out the hacker first phished the Roblox worker to gain access to the backend customer support. So that was true, but he backtracked when he was talking to Motherboard and said, actually it was due to an issue in a piece of authentication software. And I was thinking, why would he first say he phished and then say there was an issue? And didn't it start out that


GEOFF. He bribed? I'm confused. Yes.


CAROLE. Well, I think it's because he tried to claim on the bug bounty from Roblox. So I think when he first started his story, he realized that actually that didn't mean there was any vulnerability in their system because he had done a social engineering attack. And


GRAHAM. They wouldn't pay out a bounty just because they bribed an employee. Exactly. Yes.


CAROLE. So just for everyone to know, a legitimate security researcher will identify vulnerabilities in sites or services like this. And then the deal is you report those to the company to say, hey, you must fix this problem.

Once the problem is fixed, both companies can go out and tell the world about what happened. And then companies sometimes pay the researchers in response, but this hacker's request was denied, and you remember that Linkmon99, the rich Roblox YouTuber guy? He was snagged because he's super high profile.

The hacker also stole passwords and stole items from Roblox users, and he said he did that "only because we had a feeling the bounty shit was going to go south." That's what I said right, to steal


GRAHAM. from other people because Roblox aren't prepared to pay you a bug bounty because you bribed.


CAROLE. For fooling, for duping their employees and bribing one. A murky tale.

The other one that I, just because Geoff is here and he might know the answer. So Motherboard gave him anonymity, this hacker, right? In exchange for his story.

But surely Roblox may want to get the authorities onto this person and do some investigation. And should an investigator knock on Motherboard's door, do you think as a journo, would the Motherboard journalist know the identity of this hacker or would he not know him at all? Would it be safer for him not to know the identity of this person?


GEOFF. So there's anonymity where you know the source and you meet them and you verify, you know, the classics of Whistleblower where you chat them in a pub. But then when you publish the piece, you don't reveal their identity.

But then now, particularly in the modern tech era, there's also the possibility that somebody gets in touch with you and you have no way of verifying their identity, which is what happened in the Paradise Papers story, where the identity was never known, or that they give you an identity that's just fake or that there's no way to verify. So a lot of outlets have started doing and saying, well, okay, if the data is good, if the source is giving me data that I know is verifiable and I can check, then I'll go with the story, even though I can't identify the actual source of it.


CAROLE. In a way, I guess it protects you as well from getting into, you know, if you just, you know, if the authorities come knocking, you're saying, here, I'll give you everything, but I don't know who the person is.


GEOFF. The issue with that is you can be played quite badly as a journalist. So, you know, the classic was the Sony Pictures Entertainment break-in where a lot of the fingers are now pointing at North Korea.

So a lot of the journalists who are taking information from sort of anonymous hacking groups and saying, well, we don't know who's behind it, but, you know, we're publishing anyway. Then later on, it turns out that actually it was somebody who was basically manipulating you as a journalist to work to their agenda.

So yeah, it gets you off the hook for prosecution, for the police coming to you and asking you for the identity of the source. But because you don't know the identity of the source, you're then at risk from a whole other angle because you could have just been basically manipulated and had your strings pulled.


GRAHAM. I love that we get guests on like Geoff because they just raise our bar a little bit. That's what we need, for goodness sake.

It's just a shame he does that podcast, which insulted me so much.


CAROLE. It didn't insult you. It celebrated you and your eccentricities.

We celebrated your eccentricities.


GRAHAM. It's a no-brainer that businesses have to safeguard their data as they move more workloads to the cloud. Zoom is obviously experiencing massive growth right now, and they turn to Oracle Cloud Infrastructure to support them as they innovate and provide an essential service while so many folks are working remotely.

If you want to check it out for yourself, Oracle is providing some great cloud services for free for an unlimited time. Sign up and you'll soon be building, testing and deploying cloud applications securely with Oracle.

Learn more at smashingsecurity.com slash Oracle.


CAROLE. Maybe you don't have a single sign-on password manager or maybe you do and you're not really happy with it. Well, why don't you start a free 14-day trial of LastPass Enterprise and you can manage every access point with integrated single sign-on and password management.

Let me tell you about some extra features. Central admin dashboard, easy user management, group management, directory integrations, advanced reporting, multi-factor authentication options, password sharing, and the list goes on.

Check it out at lastpass.com forward slash smashing.


GRAHAM. Since the outbreak of COVID-19, cybercriminals have found many ways to take advantage of anxious users. Join our friends at DomainTools for a webinar as they walk you through the process of identifying a nefarious domain, mapping connected infrastructure and reverse engineering a ransomware attack which used a coronavirus disguise. Learn more about how DomainTools helps security analysts turn threat data into threat intelligence and watch the webinar at domaintools.com slash smashing. On with the show.

And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week. Pick of the Week.

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily.


CAROLE. Better not be. Mine is so good this week, I can't believe.


GRAHAM. Well, I think I might have mentioned somewhere already that one of the games that my wife and I have been playing in the evenings under lockdown. No, not Animal Crossing. This is a game that we play while sat on the sofa. It's a game of looking at people's bookcases when they appear on TV programs. So everyone's dialing in to news reports or magazine shows, and they've carefully set up the bookcase behind them to appear erudite and smart.


CAROLE. Oh, I love that you're talking about this.


GRAHAM. Yes, and we check out what they're reading. And we don't listen to a word that all these talking heads are saying, but we're saying, oh, look at that, that he's got in the background. Why has he left that out? When I regularly broadcast from my study before I came to the podcast Pleasure Palace, my wife used to regularly panic about some of her books which were behind me, which she thought weren't entirely appropriate.

So there is a Twitter account called Bookcase Credibility. The Twitter name is Be Credibility. And it is an account which is celebrating the backdrops behind the people appearing on TV. And what they're doing is really rather creative. They are describing the backdrops rather like there used to be an art critic called Brian Sewell, who had the most wonderful voice.


CAROLE. That's very good, Graham. That's a pretty good impression, yeah.


GRAHAM. Yeah. I do a rather wonderful Brian Sewell impression. And so they will describe in Brian Sewell-like terms what they think of the backdrop.

So we've got one here. They've done a bookcase behind David Baddiel, who is a writer and comedian. And he goes, no chance is taken here. David surrounds himself with bookcases in the vaguely hexagonal shape, suggests they move around us, closing us in with him in a honeycomb of credibility. The sensation is of being welcomed into the hive of a particularly well-read bee. And these write-ups...


CAROLE. What accent was that?


GRAHAM. Sorry, that was Brian Sewell still. That wasn't David Baddiel. And it was... I'll do him another time.

But you get these wonderful write-ups, and they're done in this pretentious artistic way. And it's a joy. So that is my pick of the week and it's Bookcase Credibility on Twitter.


CAROLE. Okay, I've just subscribed.


GRAHAM. Geoff, what's your pick of the week?


GEOFF. I'm going to go for my pick of the week. One of the things I miss in this lockdown coronavirus period is going to see films in a cinema with my friends. That is one of the joys of life that I achingly miss.

So a friend of mine recommended some software to me recently. Now I should say at the beginning I have not done a full security audit of this software, so don't come back to me if you get hacked. But it's called SyncPlay and what it does is it syncs up - we've been using it with VLC player which is great. So what you do is you all download the same movie file, you use SyncPlay and effectively SyncPlay sets up a server that then connects to you all. And so you can all start, because you know you have this thing of, we're going to start the movie at eight and then somebody hits the play button a bit too late and then they end up laughing at the joke before you've all laughed at the joke. You know, that thing.


GRAHAM. We've just had this experience actually, Geoff, because Carole, I and Maria Varmazis just recorded for our Patreon supporters a commentary of the movie Zardoz. Have you ever seen Zardoz with Sean Connery walking around in a red nappy?


GEOFF. Oh, is that the thing where there's a sex scene, isn't there, in Zardoz?


GRAHAM. Just one or two.


CAROLE. Anyway, it's quite an interesting commentary. Yes, we were... I think we added to the movie.


GRAHAM. But we were getting out of sync occasionally, weren't we? You had to catch up, Carole, and things like that. So there was... Anyway, tell us more about SyncPlay. So you've downloaded this and you're all running VLC.


GEOFF. Download it, get VLC. You all have to have the same film, same movie file on your... Legally obtained, obviously.


GRAHAM. Legally obtained, exactly.


GEOFF. Legally obtained. And then SyncPlay will allow you to play it and pause it. So anybody can play it, anybody can pause it. But the other thing I love is you can give yourself a username when you log in to SyncPlay, which obviously, endless fun with movie names.

But also you can comment and your comment appears on VLC over the top of the movie. So we watched Flash Gordon through this and I had the joy of logging on as Klytus from Flash Gordon and typing out, "Hawkmen, dive!" onto the screen. Great endless fun.


CAROLE. This might be something to add if you enjoy this sort of thing. Watching movies with friends is Netflix Party. So I haven't done this yet, but I've had a few people recommend it to me, so it's like a way of watching Netflix together. I've put the link in the show notes, but yeah, so same idea and you can have a screen so your notes appear on the screen. Same similar idea to yours, but might be a little bit simpler if the movie is already available on Netflix.


GRAHAM. From all your friends who are already having accounts, rather than trying to get a legal copy of it. So this is something which plugs into your Chrome browser as an extension rather than you having to install traditional software. We could have done with that, Carole, couldn't we?


CAROLE. We could have done with that, but I don't think that Zardoz was on Netflix.


GRAHAM. Oh yes, Zardoz was quite exclusive, wasn't it? It was hard to get a hold of. Exclusive is one word for it. Yep. So, Carole, excellent. And what's your pick of the week?


CAROLE. Mine is excellent. All right, I need to send you guys a link. Food comes in many different packages, doesn't it? You can get fresh produce to things like crisps and other ready-made meals.


GRAHAM. I like your definition of food: fresh produce to crisps. I like that, the full gamut.


CAROLE. I think I'm just trying to make it quick. I'm moving along the list to get to this. Okay, right. And this is a YouTube channel from a producer called Ashens, who likes to, amongst other different playlists that he seems to provide, likes to do some food reviews. So let me allow you guys to click on this link. This is his video of chicken in a can. You can turn off the sound. I found it's almost more enjoyable.


GRAHAM. Okay, I'll turn off the sound. He's opening some chicken broth, he's opening. Is this... Oh, my goodness.


CAROLE. No, it's a whole chicken in a can.


GRAHAM. No, you can't put a whole chicken in a can. How would you put a chicken in a can? Wouldn't the chicken complain? Oh, that looks bad. He's pouring it out. So this is a pure... Why are you making me watch this? This looks horrible. Oh. Oh, my goodness. Oh, this is disgusting. Okay, I'm going to close this.


CAROLE. Now, what I love about this is the brown sofa that I think has been bought. It's like the stage, so it shows up in every single video that they do. I do recommend watching it without sound almost, just so you can be absolutely revolted and you have your own commentary.


GEOFF. The skeleton is in there as well. It's horrible. Oh, my God.


CAROLE. Now, it's not all, they're not all the skeleton. There was a burger in a can, which was just... People were like, the whole time we were like, is there a bun in there? Is there a bun in there?


GRAHAM. I remember seeing a YouTube channel a few years ago about a guy who would get out old military rations from like the Korean War. And he'd try and guess beforehand whether it was going to taste nice or not. So he would open these things up and then would try them out. And he had quite a lot of subscribers.


CAROLE. Yeah, this guy eats everything he opens.

No, he doesn't. Oh, yeah. Oh, yeah. He eats this. Does he also drink bleach?


GRAHAM. No. No. You should try it. It might work.


CAROLE. But he does worldwide food specials. So people send in crazy food from all four corners of the earth, and he follows the instructions.


GEOFF. Well, there is, I remember all day breakfast in a can. Have you come across this?


CAROLE. Have I come across all day? Yes, I can use it. Yes. A Poundland food special, all day breakfast. They have little egg. Yes. Yes. Let me send you the link now.


GEOFF. Yeah, so there's a can of beans and you get a sausage and a bit of bacon and an egg. And I think you get a hash brown. I think there's a hash brown floating about somewhere. I watched that one.


GRAHAM. Oh, this is the same chat.


CAROLE. Yes, so his full channel. So this is the channel's called Ashens. It's on YouTube. And amongst his various playlists, he does a number of revolting food reviews, which will put your potentially not wonderful dinner, if you don't have great cooking skills at home and you're stuck there and you can't wait to go to restaurants again, this will make you feel better about the food that you may be producing.


GRAHAM. Well, on that charming culinary note, I think we've just about wrapped it up for this week. Geoff, I'm sure lots of our listeners would love to follow you online or check out one of your podcasts. What's the best way for folks to do that?


GEOFF. Probably find me on Twitter. I am GeoffWhite, G-E-O-F-F, white like the colour, 247, the numbers 247, at Twitter.


GRAHAM. And you can follow us on Twitter at Smashing Security. No G, no diphthong. Twitter wouldn't allow us to have them. And on Reddit in the Smashing Security subreddit. Go and find us there.


CAROLE. And as always, wonderful listeners, thank you. You keep Smashing Security alive by listening to us each week, virtually, literally. Also, a huge thank you to this week's Smashing Security sponsors: Oracle, DomainTools and LastPass. Their support help us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details and information on how to get in touch with us.


GRAHAM. Until next time, cheerio. Bye bye. Stay safe. Tap. Cheerio. You matter, Geoff. Sorry, sorry. I thought my bit was done. Just a little bit anti-section of St. Turian. It's just, you know, we're all meant to be friendly, you know, kind of keeping distance kind of way right now. Hello, hello, hello, and welcome to Smashing Security After Dark. It's not even dark out. Well, we'll be in a minute. After dusk. Well, during dusk. Smashing Security during dusk. Today we are going to be doing a commentary on a movie which Maria brought up on a recent episode of Smashing Security. And that movie is Zardoz. I thought it might be useful if each of us described our relationship with Zardoz before we began. How are we coming to this movie? Maria, as you're the person who first mentioned it, you start us off.


CAROLE. Oh my goodness. So I first saw it maybe a decade ago at a local movie theater here in the Boston area called The Brattle. They had a 24-hour bad sci-fi movie marathon called Schlock Around the Clock, and Zardoz was sort of the prime feature, and a bunch of my friends and I went to see it. Some of them had seen it, some of them hadn't, and I, you know, you can't forget your first time. And every year when they would do this festival, I would always make a point to bring someone with me who hadn't seen it before, and at that point I would just watch their face and not the movie.

It's just in my group of friends, we all love how bad this movie is. And yeah, it's, I love it in a bad way. I've never seen it, Maria. And I wish you could see my face. I wish we had a video cam on so you could watch it. Me too. I'll take selfies as appropriate. When you say, take a selfie now. Okay, you can line me up and I will do that for you and send them to you. Basically the whole first half of the movie, just record your face, because it's just the beginning is especially, the beginning is extraordinary. Yeah, it loses steam, just a fair warning. It just kind of... Yeah, well, you know, we can always hurry through. If it gets boring, we just call it off, right? Well, that


GRAHAM. So Carole, you haven't seen it, this completely new to, but you've got someone in the background there to help you out during the recording.


CAROLE. Well I have our designated fact checker during this filming. So if there's any questions that any of you have during it, I'll have it checked by Mr. Hubs. I will make it very formal. I'll say question for something like that. Like I'm raising my hand.


GRAHAM. Oh, Hubs as in husband. I thought you meant in Pornhub or USB hub. Well, don't get specific.


CAROLE. Don't get specific. It's fine. Jeez. All purpose hub. Yeah. All of those things. The hub. Okay. That's all you need to know.


GRAHAM. Now, in Zardoz, there's a movie that I knew about. So I was bemused when Maria mentioned it but I'd never actually seen it but I did watch it last night. You spoiled yourself. I couldn't resist so I watched it last night with my wife and she fell asleep during it and I mostly stayed awake during it.


CAROLE. Yeah, I tried to show my husband this movie a few years ago but he apparently had the flu at the time so about half an hour into the movie he started hallucinating and passing out. So Mr. Maria is not a fan? He's never, no, he would love to see it. He was actually asking to watch this with me while we're doing this, but someone has to watch our kids, so.


GRAHAM. You definitely don't want the kid watching this. Well,


CAROLE. Why not? No, this is not a movie for a three-year-old. Okay, okay. You see, you can tell I've not seen it. You see, I'm not faking. I mean, it would just be very boring for her. All right. For the most part. Okay. Okay. That's all I'm going to say. Can we just kick this off? Yeah. Come on. So


GRAHAM. We need everyone who wants to watch along with us. They need to get their DVDs. Their legally purchased DVD, VHS tape, their Blu-ray. Laser disc. Their Amazon account or whatever. They need to go and grab a Zardoz. What year is this? 1974? Something like that. There's only one Zardoz.


CAROLE. A year of many good movies and also this one.


GRAHAM. All right. So we are going to count down from, well, count up one to four and say go. Yeah?


CAROLE. So do we go on four or do we go after four? Can I just do this, Graham? Can you just not be weird? Okay. Three, two, one. Go. Go. All right. Okay, I'm seeing 20th Century Fox. 20th Century Fox. I'm seeing 20th Century Fox. Yeah, okay. This is going well. Oh, I have X-ray on. This is fascinating. Me too. All right. Do we want to say about the X-ray stuff? Yeah, why not? I mean, it's our... Okay. I am


GRAHAM. Arthur Frayn. And I am Zardoz.


CAROLE. He's bodiless. This is Arthur Frayn. Is that a nun? He


GRAHAM. Appears to have a pair of trousers on his head.


CAROLE. Just take a closer look at what's on his chin. Just as he gets closer. Notice his chin. Rich. That line could not be said by an American. We don't know how to roll our R's. Rich.


GRAHAM. So now these events have yet occurred.


CAROLE. That 'stash, though. No, no, no. His chin.


GRAHAM. That chin. I think this actually is my favourite part of the movie. His


CAROLE. Beard, I think you mean. His beard. What's on his chin? Oh, it's getting closer. I need to make this bigger. Is it? It is. Is it? What is it? I am the puppet master.


GRAHAM. What do you think it is, Graham? I manipulate many of the characters and events you will see. Is it some sort of cave?


CAROLE. One could say yes, a wizard sleeve maybe, a hairy back end. Yeah, so my understanding is they had to tack this introductory scene on because nobody understood the movie. Yes, they hope this would clarify.

I'm so into this already. Okay, I'm sitting back.


GRAHAM. That was the highlight of the movie honestly.


CAROLE. It doesn't get much better than that.


GRAHAM. So that guy we just saw, he's also in Alien 3 I read. Arthur Frayn.


CAROLE. Oh, you see he did some research. I did some research.

Oh yeah, I'm sure everyone really loves you did that. That's why they listen to this, to hear your really erudite commentary.


GRAHAM. He was also in Mamma Mia.


CAROLE. Oh, well I didn't realise they filmed this in Ireland. Are those real horses or CGI?

Do you think they could afford fake horses? Oh, I love the logo. I love the logo. Zardoz.

No, I love it. I love it.

Oh, here it is. Here it is!

You're going to be so disappointed when you learn what Zardoz means. It's such a letdown.

Yeah, okay, I'm going to paint. I'm painting this tomorrow.

This is inspiring me. Oh, yep, okay, I'm seriously going to do it.

So more than one Sean Connery in this movie. That's important.


GRAHAM. This was a Rick and Morty episode.


CAROLE. Yes, yes. I would love to go where they shot this in Ireland and recreate this.


GRAHAM. With the giant heads in the sky. It's a Rick and Morty.


CAROLE. Show me what you got. Let me see what you got.

I love the outfits. Do you curl?

I'm having a Zardoz party when this is all over Graham. I don't know how many—


GRAHAM. —people are coming to it.


CAROLE. You haven't seen the whole movie yet. Guarantee you won't feel the same way by the end.

It's just mud. STFU everyone.

Zardoz. Are you his chosen one?

No, none of us are. We're cursed.

Lursed. Brutality.

Brutals. I love saying that shit.


GRAHAM. I just always think that the costume designer is like, okay, I'll put up some. I know, but what did they reject? What did they think this was the—


CAROLE. —edited version. You could never come up with this, Cluley. Never.

The gun is good. Okay, hubs is freaking out.

I left the part. I love to watch everybody's face.

I can hear it. Oh, man.


GRAHAM. Want to hear more? Seriously?

Well, you'll have to become a bonus content supporter of Smashing Security on Patreon. Sorry about that.

Just visit patreon.com slash smashing security for more details. Until next time, cheerio. Bye bye.

-- TRANSCRIPT ENDS --