This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley
Well, holographic nano layer technology doesn't come cheap, Carole. I think a lot of people are just assuming—
Carole Theriault
They just think VPN. No one understands. It's too complicated. It's too complicated.
Unknown
People are assuming this is just a USB stick with a sticker on it, and it does so much more than that. Smashing Security, Episode 181: Anti-Cybercrime Ads, Tricky Tracing, and a 5G BioShield with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 181. My name's Graham Cluley.
Carole Theriault
And I'm Carole Theriault. And Carole, we are joined this week by Naked Security's own Mark Stockley. Hello, Mark. I think Mark Stockley has a character beyond Naked Security.
Mark Stockley
I thought you were going to say it's Mark Stockley who happens to be naked and talking about security.
Carole Theriault
Well, well, well. Welcome to the world of post-COVID.
Mark Stockley
It's very, very warm today in my defense.
Carole Theriault
And that's why we do a podcast and none of it—
Mark Stockley
The sun is shining.
Graham Cluley
And you're quite a hairy man, Mark. And I—
Carole Theriault
He's medium hairy.
Graham Cluley
I had to do a video call thing the other day, which will end up on YouTube somewhere.
Carole Theriault
Did you take your shirt off?
Graham Cluley
No, but my hair is getting quite long and uncomfortable now. And I'm just wondering how Mark, who normally is extremely offensively hirsute, Offensively hot. Well, no.
Carole Theriault
You're outrageous. Just because you're, you know, baby-skinned.
Graham Cluley
What?
Carole Theriault
Like a 10-year-old.
Graham Cluley
There's just a lot of it going on, and I just wonder how he's coping in all this heat.
Mark Stockley
Well, I'm not very good at keeping cool at the best of times.
Carole Theriault
You're sweating a lot then.
Mark Stockley
I think I'm definitely on the sort of Neanderthal side of the gene pool.
Graham Cluley
You said it. Carole, what's coming up on the show this week?
Carole Theriault
Thanks to this week's sponsors, Deep Instinct, Immersive Labs, and LastPass. Their support helps us give you this show for free. On today's show, Graham looks into how to stop kids from turning to a life of crime. Mark is looking into all the ways bad guys might hinder the UK's track and trace efforts. And I try to find out just what life-affirming frequencies and holographic nanolayer catalyzers are. All this and much more coming up on this episode of Smashing Security.
Graham Cluley
Now, chums, chums, before all that, I want to talk to you about kids. What a complete pain in the arse kids are, right?
Carole Theriault
No, they are.
Graham Cluley
They're one of the useless things.
Carole Theriault
I thought you were in a bad mood this morning.
Graham Cluley
You're feeding them, you're clothing them, you're bathing them, you're cleaning them, you're entertaining them, you're educating them, you're teaching them how to use Google Classroom.
Mark Stockley
Mostly picking up shoes. I've noticed that there's a tremendous amount of shoe picking up. I wasn't ready for that.
Graham Cluley
And then, after some years, an inordinate number of years, they become even less adorable. Suddenly they're playing Call of Duty, they're wearing baggy trousers, they've got baseball caps on sideways, they're smelling of Lord knows what, and who knows what they're up to in their bedroom.
Carole Theriault
Just because you wore MC Hammer pants back in the day doesn't mean that the kids of tomorrow are going to be doing that, okay?
Mark Stockley
Is it— Is this a good guess? You have to get with the times there, Clue.
Graham Cluley
Now, computer crime cops in the United Kingdom are targeting young men aged 13 to 22 years old because apparently that's the sweet spot. You don't go younger than that, you don't go older than that, definitely not any women. Teenage boys apparently are the problem. Specifically, the cops are hoping to make a dent in the number of teenage males who are launching DDoS attacks and installing remote access trojans and various shenanigans like that.
Carole Theriault
Okay, so let me just swap that sentence around. Basically, young men aged 13 and 22 are launching DDoS attacks and installing remote access Trojans.
Graham Cluley
Apparently so.
Carole Theriault
And the computer crime cops are going after them.
Graham Cluley
And according to the fuzz, they say it all starts by playing games. You remember playing games? Remember video games?
Carole Theriault
I play video games. I've been playing Animal Crossing.
Graham Cluley
Animal Crossing, of course. Yes.
Carole Theriault
Yeah, I should give you an update sometime.
Graham Cluley
You're doing very well at that. Has Graham the hamster come to join your—
Carole Theriault
No.
Mark Stockley
Oh. What is this? I don't know.
Graham Cluley
You don't know Animal Crossing?
Mark Stockley
No. I know the name. I have not yet had the pleasure of—
Graham Cluley
Do you have a Nintendo Switch?
Mark Stockley
Obviously not. I've got children. Why would I put them near a Nintendo Switch? Just start them on a life of DDoSing and RAT installing.
Graham Cluley
Well, it all does start by playing games. I mean, obviously we used to play games. I suspect most of us, maybe some of us still are, but we used to play games as kids. I remember playing Pac-Man and Super Mario, and in those days it wouldn't lead you into a life of crime as police say it does now. The worst that would happen is, you know, maybe if you played, I don't know, Mario, you might get into plumbing.
Carole Theriault
So what is the premise here? The premise here is you play games, you are a teenage boy, therefore you're getting on the wrong side of the cyber world.
Graham Cluley
Let me explain how it works, Carole, right?
Carole Theriault
Please.
Graham Cluley
Kids get really, really obsessed by games. And then they start wanting mods for the games and changing the games. Then they look for hacks, mods or modifications.
Carole Theriault
Okay, just try
Graham Cluley
Okay.
Carole Theriault
Okay.
Graham Cluley
And then they start falling into other things because you begin to suspect other people are sort of using aimbots against you.
Carole Theriault
and talk to— What bots?
Graham Cluley
This is all lingo I've learned from my 9-year-old child.
Carole Theriault
Okay, just stop showing off. Just try and communicate with the rest of us so that we understand what you're saying. Lose the jargon.
Graham Cluley
Basically, there are people who are cheating in games, right? And they get bots and little bits of software and things like that to augment their powers inside the game or give them a better ability to shoot you or whatever. Eventually, this culminates in gamers trying to take down other gamers by other means, such as denial of service attacks, such as swats, where they call up the cops and— You know, they say—
Carole Theriault
So the idea is get them offline, so to disrupt their progress in the game?
Graham Cluley
Yes, all kinds of naughtiness. And you get rivalry and you're, oh, I can't believe you did that to me on Call of Duty or whatever, Elite Sniper.
Carole Theriault
You're such an asshole.
Graham Cluley
Yeah, right.
Carole Theriault
Eat your ass.
Graham Cluley
And so, and this is often apparently, according to the police, this is really commonly a way in which young people ultimately get into cybercrime. Who would have known? Now, according to research, most of these kids don't really consider what they are doing to be wrong because all the other kids and their mates are doing it as well. And they certainly don't believe that they're going to get into any trouble. So how do police convince teenagers that they shouldn't launch these kind of attacks, which might eventually lead them down this path of, you know, more serious cybercrime?
Mark Stockley
Is it send them to their rooms?
Graham Cluley
Well, no, that's the worst thing you can do, Mark. Don't send them to their rooms.
Mark Stockley
Oh, okay, because that's where the bitcoin mining rig is.
Carole Theriault
Graham, you say that they don't know they're doing anything illegal. I can't imagine there's any kid alive that doesn't think a DDoS is illegal.
Mark Stockley
Really?
Carole Theriault
Yeah, but maybe I'm— hey, I'm in an echo chamber. I learned that last week with my cousin on the show.
Mark Stockley
I admire your faith in 13-year-old boys. Having been a 13-year-old boy, albeit a very long time ago, I can confirm that, you know, not the most together and, you know, intelligent group. Certainly not when I was one.
Graham Cluley
And if everyone else is doing it, then you kind of think it isn't that bad. I remember being at school and all the boys in school, we were on a very rickety table, right, with rickety legs. And so the custom was that you would come in each day and you'd give the leg of the table a bit of a kick, right? Because it was quite entertaining to see how far it would go. And you'd think, wonder when—
Mark Stockley
This is when tables were the height of technology. You have to understand these newfangled tables that they got in this posh school that Graham went to.
Graham Cluley
And so I was kicking the table, and No, no, it was—
Carole Theriault
Oh gosh.
Graham Cluley
then along comes Mr. Selleck, Pinhead himself, and It wasn't him, I'm afraid, but—
Mark Stockley
So you had a teacher whose nickname was Pinhead?
Graham Cluley
Yes. Did you not have one of those?
Mark Stockley
I also had a teacher whose nickname was Pinhead.
Graham Cluley
He probably went on to your place after ours.
Mark Stockley
How peculiar.
Graham Cluley
I get hauled out for— Maybe. Anyway, the point is, kids do bad things, Carole. And even if they think they're naughty, they think they're never going to get caught, and so it's kind of all right to do it.
Carole Theriault
Yeah, no, sorry, I was thinking more in the 20 age group rather than 13. So fair point.
Mark Stockley
But also, I do think that there's a sort of game-like aspect to a bunch of this stuff anyway. You know, there's something sort of game-like about, okay, you're doing something on a computer, you're trying to overpower someone else on a computer in a game, and then you find a way that you can actually take over their computer for real, or you can stop them being able to use their computer for real. I don't think it's a very big jump. I think there's a lot of similarities there, so I can kind of see how that happens.
Graham Cluley
Well, in the past, the police, what they've done is they've gone around and knocked on your door. If they think that you've been up to no good or downloaded something you shouldn't have, like a piece of malware, or if you've been to a DDoS stressor site or a booter site, they may well come around, hopefully with your parents present as well, to really put the fear of whatever into you. And they'll have a little word in your ear and say, look, we know what you've been doing.
Carole Theriault
Knock it off, kiddo.
Graham Cluley
Exactly. Exactly.
Carole Theriault
Right.
Graham Cluley
And hopefully stop them taking those first steps of a life in cybercrime. But now police are doing something different. Brian Krebs, security blogger, noted that the NCA, the National Crime Agency, has been busy buying Google ads, Google ads targeting teenage males in the UK who are looking for certain search terms to do with DDoS attacks. So things like booters and stressors. And what they're doing in these adverts is they're pointing people to articles that they have placed in online gaming magazines explaining that such things are illegal. So up pops one of them instead and sort of says to you, oh, you know, you'd be a very naughty boy.
Carole Theriault
So they're basically advertising. So the potential DDoSer is sitting there just scrolling around on the web and keep seeing these ads.
Graham Cluley
Well, they're putting the words into the search engine specifically to try and find DDoS attack services, because many of these kids, at first at least, they're not going to create a botnet themselves. They're not going to—
Carole Theriault
Of course not.
Graham Cluley
Actually, they're not gonna manage it, but they're gonna find someone else who will do that for them for just a couple of dollars.
Carole Theriault
And then what, pull out their, yeah, I was gonna say pull out their credit card. Like how do you pay that if you're 13?
Graham Cluley
Or cryptocurrency or such.
Carole Theriault
Oh yeah, they all have Bitcoin accounts, right?
Mark Stockley
Of course.
Carole Theriault
Jeez.
Graham Cluley
Get with the beat, Carole.
Carole Theriault
You're right, you're right. Kids don't know that DDoSing is illegal, but they all have crypto accounts. Yeah, okay, good. No, this is good.
Graham Cluley
My son's got a crypto wallet.
Mark Stockley
I'm sure he does.
Carole Theriault
I'm sure he does.
Graham Cluley
His children.
Mark Stockley
If my kids had a crypto wallet, I wouldn't tell them about it. It's just there on the darkweb waiting for them.
Graham Cluley
Now, the first thing which struck me was, what kids are using search engines with the ads enabled? Why aren't they blocking the ads? Because surely that's really irritating seeing ads in a search engine. I don't use search engines and see ads because I run a little ad blocker. So I was first of all surprised that certainly if these people are slightly technical anyway, if they're into computers, you would expect that. So I'm surprised from that point of view that these ads are actually being seen. But apparently and amazingly, this approach may actually work. The University of Cambridge Cybercrime Centre, they say that a similar campaign which ran in 2017 over 6 months from the NCA caused a reduction in the growth in demand for DDoS attack services. I think they're a bit shady about it, but I think what the Cambridge Cybercrime Centre do is they have some dodgy sites which look like DDoS booting websites and they are measuring traffic to those sites and how many people try and sign up for them in an attempt to measure how big the problem's becoming.
Carole Theriault
Tom Selleck?
Graham Cluley
And they have released reports over the years of this growth in interest in these kind of sites.
Carole Theriault
Well, a lot of people are sitting at home right now, sitting in front of a computer, playing probably inordinate amount of online gaming, and are isolated and bored. And have YouTube as their best friend. So—
Graham Cluley
Oh yes, these kids would normally be down the park with a hula hoop, wouldn't they?
Carole Theriault
No, they'd be at school.
Graham Cluley
Or in go-karts. That's what they'd be doing.
Mark Stockley
Kicking a table leg.
Carole Theriault
Yeah, exactly. Doing really fun things.
Mark Stockley
So let me see if I have this correct. So, yes, you go around using the web, and as you go around using the web and looking for search terms, Google builds this enormous profile of you so that it can do demographic marketing, including the ability to classify you as a 13-year-old child. And then as that 13-year-old child uses Google, they do a Google search and Google goes, ah, we know all about you. You're 13, and those people over there have bought some adverts which they only want to target 13-year-old males, and here's one that's going to stop you from doing DDoS attacks on people because you're going to read this article. But if they don't click on that one, they might click on another one which takes them to a fake stressor site, which is essentially a phishing site to count how many 13-year-old boys are doing DDoS. Yes, these are the tactics we're using in 2020.
Graham Cluley
There is, of course, another category of ad which may appear because Google isn't just accepting ads from the police or the Cambridge Cybercrime Centre. They're also displaying ads which have been bought by criminals who are running booter and stressing sites.
Mark Stockley
So they are completely— Because they also want to target the 13 to 18 demographic.
Graham Cluley
Yes, of course.
Mark Stockley
Yeah.
Graham Cluley
Well, Google's ad policies, they say they prohibit ads that enable dishonest behaviour or anything which might cause harm to users. But history has shown that they're not very good about vetting these things, especially when it comes to booter sites and DDoS attack sites and stressor sites.
Mark Stockley
Well, as long as they're not lying about what they are.
Graham Cluley
Well, obviously there are some things which hopefully they wouldn't accept ads for, but they will accept ads for these things. And it tends to rely upon the public to report these before they get taken down or for the press to make a great big stink about it. So Google's doing great out of all this, right? They're displaying ads from these guys, ads from those guys, ads from the researchers as well.
Carole Theriault
Getting paid from both ends.
Graham Cluley
Getting paid from everywhere. It reminds me a little bit about what goes on in Cloudflare as well. And lots of people love Cloudflare and think Cloudflare does a great job. But of course, a lot of the cybercrime websites and some of the things which are deeply, deeply disturbing are also protecting themselves using Cloudflare as well. And Cloudflare tends to turn a bit of a blind eye to these things, doesn't it?
Carole Theriault
That's very interesting. Cloudflare is going to come up again in this podcast.
Graham Cluley
Oh, really?
Carole Theriault
Yeah.
Graham Cluley
Anyway, the ads apparently are working. They found that in less than 30 days, they had over 5 million impressions, more than 57,000 clicks.
Carole Theriault
5 million impressions. What the hell does that mean?
Graham Cluley
Well, that's—
Carole Theriault
People scrolled past it.
Graham Cluley
Perhaps, but—
Mark Stockley
Well, that's what they paid for. So that just shows you how much money they spent. That's not an indicator of anything.
Graham Cluley
You know what? You old fuddy-duddies may have a problem with this, but I think if it does—
Mark Stockley
No, I understand online advertising. I want to know the numbers. Impressions don't interest me at all. The clicks don't really interest me. I want to know how many people read it and changed their lives. That's what interests me.
Graham Cluley
Well, according to the boffins in Cambridge, they have seen a reduction in the number of people interested in launching DDoS attacks.
Carole Theriault
Oh, maybe the ads are so boring, they just stopped Googling those words.
Mark Stockley
I reckon I know what's going on here. I reckon people are so used to only clicking the first link in Google, that what's happened here is they've just essentially bought the first link. So, I mean, it's an ad, it's not the first link, but it's the first thing you see. And because they've just got the number, they've spent a load of money, so they've crowded out that number 1 slot. And loads of people are just hitting that and nothing else. So they never go further. You're just very cynical, all of you, aren't you? I'm just trying to be a bit positive. I do actually think this is great. I think this is the kind of—
Graham Cluley
Oh, right. 20 minutes into the podcast. Now. Thank you very much. Mark, what's your topic for us this week?
Mark Stockley
Right, well, getting away from the pandemic, I thought we could talk a bit about the pandemic.
Carole Theriault
Sorry, folks.
Mark Stockley
I've got a question for you.
Graham Cluley
Yes.
Mark Stockley
I want to know, what is the English Test and Trace website address, please?
Graham Cluley
Oh, for God's sake. Okay.
Mark Stockley
Hands off keyboards.
Graham Cluley
I'm not looking. It's something like nhs-tracing.ph.gov.uk.
Carole Theriault
Okay, but can I counter-question? Can you get to it from gov.uk/coronavirus?
Mark Stockley
Oh, that's a very good question.
Carole Theriault
Which is the whole thing.
Mark Stockley
Although your question is interesting, my question was, what is the English Test and Trace website address?
Carole Theriault
We don't know. We don't know.
Mark Stockley
So to be clear, this is the place that you're going to go if you've got a positive test for COVID-19, so the government can find out who you've been in contact with. And the address is— so Graham, drum roll please.
Graham Cluley
I was close, wasn't I?
Mark Stockley
No. https://contact-tracing.ph.gov.uk. And the reason I'm asking is because I am actually a little bit worried about scammers targeting the UK's freshly minted track and trace systems. And I think I have good reason to be worried. So since the start of the coronavirus, there has been an enormous surge in scams and malware piggybacking off the back of all the disruption and the uncertainty and the fear that has come with this. Unsurprisingly, I might argue, from my being a veteran of the industry. I mean, it's a worldwide global event. It's disruption and change, isn't it? Whole businesses are moving from office buildings to working from home. And there's all this new infrastructure to set up. And there's a load of— You know, some people are doing it in a hurry and there are vulnerabilities that come with that. I did a quick review of the stats from Sophos Labs before I came on just to give you a flavor of what's happening. So since the start of the outbreak, we have seen coronavirus-themed sextortion scams. So those scams that say, we've got video of you enjoying yourself at adult websites.
Carole Theriault
Zooming.
Mark Stockley
Yeah. We've seen World Health Organization fundraising scams. There's been a surge in spam, including at the beginning there was a coronavirus-themed email spreading TrickBot. And if you know anything about malware, TrickBot is probably in your top 3 things you don't want to get on your computer. There have been scams offering to sell you PPE, and thousands and thousands and thousands of domains and SSL certificates with the words COVID, corona, or coronavirus in them.
Carole Theriault
Is there anything with track and tracing in it yet?
Mark Stockley
Oh, it's a good question. I don't know.
Carole Theriault
I would love to know the answer to that.
Graham Cluley
I certainly know Richard de Vere, who is also known as the Anti-Social Engineer. He registered the domain name ph-gov.uk when he saw the official test and trace website, and he was amazed that someone in a position of power hadn't already registered that domain. So he's demonstrated just how easy it would be to create a phishing website.
Mark Stockley
But the thing is, and obviously the reason I asked you what the address was at the beginning, is that neither of you got really any idea. So registering a misspelling allows you to be very clever, but you probably don't even need to get close. And I think the evidence of phishing scams even now is that you can host a phishing scam on somebody else's website with a totally incongruous domain. People will still click on it.
Carole Theriault
We should probably explain exactly how it works because we have an international audience, Mark.
Mark Stockley
So what's happened in England in the last week is that the manual track and trace system has started, and the manual track and trace system does not rely on an app. There are 25,000 contact tracers now, and anyone in England with coronavirus symptoms can now get a test, basically. And if your test is positive, then you'll get contacted by text, email, or phone and asked to log into the NHS Test and Trace website that you don't know the URL for. So you should expect an email if you have a test, you should expect an email with a link to a website that you don't know, telling you there is a matter of utmost importance that you need to deal with. And if that script sounds familiar to you, then that just means, me, you've seen lots of phishing scams. When you go to that website, you can expect to be asked for the following PII. You'll be asked for your name, date of birth, and postcode, who you live with, the places you visited recently, and the names and contact details of people you've been in close contact with in the 48 hours before your symptoms started. Now I did a little back-of-the-envelope calculation. So this is the first part of the system.
Graham Cluley
Yeah.
Mark Stockley
This is what happens if you have a test.
Graham Cluley
Yeah.
Mark Stockley
Okay. So the UK is currently conducting around, I think it's upwards of 120,000 tests a day, and there's about 50 million adults in the UK. So let's say there's 700,000 tests a week. If you sent an email to any random UK adult, that gives you roughly 1 in 70 chance of hitting someone who's had a coronavirus test in the last week.
Graham Cluley
But it's not just those people who've taken a test who are at risk here, is it? Because of course the other thing which these tracers will be doing is they'll be contacting other people saying, we think you may have come into contact with someone who had the symptoms or who has tested positive. So let's walk through that, okay, because you're right. So part one is if you have a test, there's an opportunity where you're going to be contacted, but part two could target anyone.
Carole Theriault
Okay.
Mark Stockley
Which sadly turns out to be positive.
Graham Cluley
Oh.
Mark Stockley
And you go to the correct website and you enter your details and one of the person's details that you enter is Carole. Now, so—
Graham Cluley
Because we had contact via the podcast.
Carole Theriault
Yeah. Yeah.
Graham Cluley
I'm afraid you're infected as well, Mark.
Mark Stockley
Well, you know, let's— Is it because I'm naked? So Carole, you're going to be contacted now by the contact tracing team. Yes. And unless you've spoken to Graham, you don't know that that's going to happen.
Carole Theriault
Right.
Mark Stockley
So instead of there being 700,000 potential scam victims, there are 50 million potential scam victims in the UK, because anybody can be expected to be contacted out of the blue at any time.
Carole Theriault
This was annoying me already, because I would want Graham to call me, right? Graham gets the disease, we've seen each other, I want him to call me up and go, "Hey dude, sorry," right? I don't want him to give my personal information to a third party.
Graham Cluley
Yeah, but I'm very forgetful, Carole.
Carole Theriault
Yeah.
Graham Cluley
It's just a lot of hassle, you know, calling everybody up and telling them.
Carole Theriault
Send a group email.
Mark Stockley
So, Carole, do you think it's out of the question that if Graham had a serious communicable disease, that he might not phone you?
Carole Theriault
No, I don't. I think it is very unlikely that he would not phone me, even just to show off. Or to get sympathy, right? Yeah, no, he'd definitely, definitely call. There is no way he wouldn't call. But hey, maybe he didn't see me. Maybe he saw some lady down at the supermarket, right? He happened to bump into who has no idea what her name?
Graham Cluley
Brenda.
Carole Theriault
Well, is it?
Mark Stockley
Tell us about Brenda, Graham.
Graham Cluley
I'm really confused now.
Mark Stockley
So to go back to my thought experiment, let's imagine for a second that Graham doesn't tell you because he's a gregarious guy. He's met loads of people in the last few weeks.
Graham Cluley
Oh yeah, I'm out about having so much fun right now.
Mark Stockley
Too many for him to remember and to call. So you get a call from the contact tracing team.
Carole Theriault
Mm-hmm.
Mark Stockley
And you'll know that it's from the contact tracing team and not a scammer because it will come from England's official contact tracing number. So for the benefit of your listeners, could you just tell us all what that number is?
Carole Theriault
Well, I know that the number would be 0300. But I also know that that number can be spoofed.
Graham Cluley
Is it just 0300 or is there more?
Carole Theriault
No, it's 0300 blah blah blah blah blah blah blah.
Graham Cluley
Oh yeah, details, details.
Carole Theriault
Maybe it spells coronavirus. That would be very clever, but you know.
Mark Stockley
So, just to point out, it's a zero at the beginning as well. It's one of my pet peeves.
Carole Theriault
0300?
Graham Cluley
0300. Yeah.
Carole Theriault
Well, sorry, it's not your podcast.
Graham Cluley
Wow, Mark. Let's talk about that.
Mark Stockley
So the number is 0300 0135 000. Now, tracers will only be calling you from that number, and they won't use any other numbers, which is better than using lots of different ones. Obviously, unfortunately, they may not be the only people calling you from that number, because as you correctly said, Carole, spoofing of phone numbers is actually a matter of routine for scammers. And even if it weren't, you aren't going to remember that number. None of us are going to remember that number, so it probably doesn't matter anyway.
Carole Theriault
Yeah, because we know that phone calls can be spoofed, emails can be spoofed, SMSs can be spoofed.
Mark Stockley
So luckily there is another line of defence.
Carole Theriault
Okay.
Graham Cluley
Okay. So she's saying the legitimate people calling you up, the people who are genuine testers and tracers, they will sound very professional, and because of that, you will be able to tell that they are not a scammer.
Carole Theriault
Yeah.
Graham Cluley
Wow.
Mark Stockley
I know, that's great.
Carole Theriault
Okay, but it obviously shows that she was not briefed for that question. She had no idea how to handle it, and I kind of feel bad for her because she is being ripped to shreds about it. And she's a medical officer.
Graham Cluley
She's the deputy medical officer of God knows what, though, Carole. She's quite high up. 'If you don't know the answer to that, you should say, you know what, I don't know the answer, but there's some real boffins—' I do agree. —at NCSE who can maybe answer that question. So I mean, she's not wrong.
Mark Stockley
Great that they're going to sound professional. It'd be quite bad if they weren't going to sound professional. But I think what we're all getting at is that there are two fairly sizable assumptions at work there. And the first one is that people will know what the contact tracers are supposed to sound like. It only matters if they sound professional if you know what they're supposed to sound like. If you get called out of the blue by someone who isn't a contact tracer, you aren't going to know what they're supposed to sound like.
Carole Theriault
Don't worry, the Daily Mail actually published the entire form that the contact tracer people are going to use when they call you. Oh, that script. So that's now in the public domain. So thank you so much, Daily Mail. So that'll make it even more likely to fool people. Now, I have a scenario for you, Mark. It's quick, but I was thinking about this this morning. Right? So let's use the Graham Cluley scenario here, right? I don't have the virus. Graham and I are going for the same job, say at a company X. Don't want Graham to get the job. So I report on the form that I've been tested, it's positive, and these are the people I've been around. So he gets a legitimate call. Oh, right. From a trace worker who's doing her job or his job, and you're told, I'm sorry, you can't go out 'cause you saw ask someone and they go, and you go, who? Well, who? I can't tell you that. Where?
Mark Stockley
I can't tell you that.
Graham Cluley
Certainly there are opportunities for abuse here, aren't there? Yeah, I'm just making— it's not just scammers and phishers, but also if you wanted to get your own back against someone, if you had a rival on the podcast, something like that. Yeah, this would be an opportunity, an avenue for doing it.
Carole Theriault
Do you know what I think though? So what are people to do, right? So what are people to do under the current situation? The only thing I came up with when I was thinking about this is recording the call. So, and telling them that you want to record it. So saying, you know, thank you for calling me. Before you say anything, I'd just like to make sure I've got this all on record so I can share it with my close ones. So I'm going to be recording this call. And it's going to do that. I trace— well, me.
Graham Cluley
But I think you're a very special—
Carole Theriault
Maybe everyone who's listened to the podcast with, you know, a like mind like me.
Graham Cluley
There are many. I think what they need is a jingle. A jingle for the number. So I think, let's all join in. 0300 013 5000.
Mark Stockley
Sorry, I did O's, didn't I?
Graham Cluley
You probably didn't like that at all.
Mark Stockley
I'm not joining in in your jingle unless that's a zero at the beginning and not an O.
Carole Theriault
Okay, 6 months ago, the UK's Glastonbury Town Council set up a 5G advisory committee to explore the safety of this 5G technology. Surprised me. Really? Glastonbury set that up?
Mark Stockley
It's not an O, it's a zero.
Carole Theriault
You wouldn't trust a national one? But whatever, they do. And last month, the local paper reported their findings. The gist is they've agreed to oppose the rollout of 5G until further information is made available on the safety or otherwise of the technology.
Mark Stockley
It's a number.
Carole Theriault
And many respected media houses have said that the following statement is in this recommended measures report of which there's a link, but I can't access it. But if anyone wants to, it's on page 31. And apparently it's listed that 5G BioShield. We use this device and find it helpful. 5G BioShield. Sorry? Yeah, 5G BioShield. Use this device and find it helpful as a recommended measures report.
Graham Cluley
From the committee in Glastonbury.
Carole Theriault
One at a time, boys. Mark.
Mark Stockley
When they're talking about the safety of 5G, presumably they mean the danger of you being burned by a flaming 5G mast.
Carole Theriault
Mark, I'm worried that you're getting a bit grizzled and grumpy in your—
Mark Stockley
Sorry, sorry, I'll just let you— you may—
Graham Cluley
You need to chill out. I bet the committee in Glastonbury, it's going to be made up of druids and people who never quite got out of the '70s, isn't it? Wearing wellies.
Carole Theriault
Okay, so reading that, I'm thinking, what is 5G BioShield, right? So you go to the main website. I would invite you guys to go to this website, actually, if you would, 5G BioShield. 5GBioShield.com. And look at who clears you through to the website as you go through, Graham.
Graham Cluley
It's not HTTPS, first of all. It's okay, so it's our friends at Cloudflare. And we are here, and there's a big picture of a lion and a USB stick and a young woman in some sort of, whoa, she's in a version of the Eden Project. She's got some sort of a magical bubble around her protecting her.
Carole Theriault
Oh, here it is, right? So let's read this. The 5G BioShield USB key with the nano layer is a quantum holographic catalyzer technology for the balance and harmonization of the harmful effects of imbalanced electric radiation.
Graham Cluley
I can't stand it when electric radiation is imbalanced.
Mark Stockley
Oh, I'm sold. I can get 3 of them for £800.
Carole Theriault
You can get 3 of them for £800.
Graham Cluley
It's a USB key. It's a USB key.
Carole Theriault
So what it says, its advertising model here is 5G BioShield, which is the name, USB key. But then there's all this gobbledygook. What's this text say? What does this mean? The active key operating diameter shields and harmonizes a complete family home. So there's an FAQ. And you go to the FAQ hoping for a bit more information. What is it? Why am I paying 300 quid for a USB? How big is the USB?
Graham Cluley
Well, it's so much more. I think this inducts life forces, doesn't it? It creates a cardiac coherence. Sorry, Carole, do you not understand about plasmic support and interaction?
Carole Theriault
No, I don't understand. Help me understand.
Mark Stockley
What it is, right, is it's not a regular nano layer catalyzer. No, no, no. It's a holographic nano layer catalyzer. And it can be worn or placed near to a smartphone.
Carole Theriault
Do you know, there are probably a number of people that listen to this show that actually think we are not talking any differently from the way we normally do because we all use industry jargon.
Mark Stockley
At a recent government press conference, Dr. Jenny Harries OBE, who is the Deputy Chief Medical Officer for England, reassured us that it will be very evident when somebody rings you that these are professional individuals.
Graham Cluley
The point is this is going to protect you from 5G, right? You wear it or place it near a smartphone or other electrical radiation or EMF emitting device. Oh, well, it says provides protection for your home and family.
Carole Theriault
Against what?
Mark Stockley
Is it scammers?
Carole Theriault
So then I check out the testimonials page, right? And Dr. D, finally some medical credibility. Dr. D claims to be a medical doctor and says they put one USB device under my pillow expecting nothing to happen. But later Dr. D reported feeling a strange tingling feeling. I suspect the USB device has in some way normalized my energy to be as it should and not negative or harmful. So all this is going on, and then who do we see swagger in but Pen Test Partners? This is a company that performs security assessment. They saw this 5G BioShield recommendation from the Glastonbury City Council, how God knows, and decided to take a look at it. So they ordered one, and it comes in a little velvet bag. Nice. And inside you have— it's very special— a USB stick. But the USB stick has this kind of shiny circly bit about the size of a dime or a 5p coin. And it has this intricate design on it. The pentest people said it looked a bit like George and the Dragon from the reverse of a medal.
Graham Cluley
This is the emblem you're describing, which is on it?
Carole Theriault
Yeah, the emblem on the actual USB. Anyway, they rip through the USB. They found it to be basically a generic USB without any additional anything that should cost an estimated few quid. But it has a pretty sticker. And they write, whether or not the sticker provides £300 worth of quantum holographic catalyzer technology we'll leave you to decide.
Mark Stockley
I can't believe they didn't test that.
Carole Theriault
They probably don't have the tech. It's so advanced. So then I'm wondering, who is behind all this? Where is this registered? What company is this? What country? So in Companies House, there are two directors of BioShield Distribution. Both of them appear to have been involved previously in a business called Immortalis, which sold dietary supplements called Clotho Formula. So already a bit dodgy. And one of them told the BBC that her company was the sole global distributor of the 5G BioShield, but did not manufacture or own the product. So the UK operation hasn't gotten their hands on it, they're just a distributor, they're saying. But when Rory Cellan-Jones from the BBC asked her if selling a £5 product for much more than £300 was unreasonable, she said, quote, in regard to the cost analysis your research has produced, I believe that the lack of in-depth information will not drive you to the exact computation of our expenses and product costs, including the cost of the IP, intellectual property rights, and so on.
Graham Cluley
Carole, what's your story for us this week?
Graham Cluley
Well, holographic nanolayer technology doesn't come cheap, Carole. I think a lot of people are just assuming—
Carole Theriault
They just think no one understands, it's too complicated, it's too complicated.
Graham Cluley
People are assuming this is just a USB stick with a sticker on it, and it does so much more than that.
Graham Cluley
Well, we've just got one.
Carole Theriault
Are they sponsoring the show? I've ordered 3 on the company, on Smashing Security, because we want to check this stuff. And you know what? And you know what? If anyone out there wants to spend premium dollar for a, you know, $5 USB with a shiny sticker, this is the place to go.
Graham Cluley
If you listen to our show regularly, you'll know that hackers never stop innovating. Immersive Labs gives security professionals practical and gamified content to keep pace with the latest threats. Sign up to get instant access to more than 24 hours of free labs and a new lab to try out each week. Latest being their red and blue team labs on the SaltStack vulnerabilities, which were in the news last week. Go check it out at immersivelabs.com/smashingsecurity.
Carole Theriault
Are you having trouble remembering your plethora of passwords? Maybe it's time you look to get a password manager. LastPass by LogMeIn is a password manager both for consumers and the enterprise. In a company, you get extras like central admin oversight, controlled shared access, automated user management, and everything is protected with multifactor authentication. Learn more at lastpass.com/smashing. Oh, and if you're a home user, LastPass is available for free, so check it out, lastpass.com/smashing.
Carole Theriault
Well, where does it say that anywhere?
Graham Cluley
Most people agree that the most effective way to reduce the cost of an attack is to prevent it from happening in the first place. Deep Instinct strives to prevent all known and unknown threats using deep learning, making detection and response automated, fast, and effective for any threat that cannot be prevented. Check out a report by the Ponemon Institute which studied the cost savings of adopting an efficient prevention model. Go grab it at smashingsecurity.com/prevention, deepinstinct.com. And thanks to Deep Instinct for sponsoring the podcast.
Carole Theriault
Back to the show. And welcome back. And you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week.
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily. Better not be. Well, my pick of the week is not security-related. I wonder if either of you, Mark and Carole, have noticed anything different about me today.
Carole Theriault
Don't sound as bubbly as normal. I don't sound as bubbly. Not quite. Do you hear me?
Mark Stockley
Is your holographic nano layer slightly more bioharmonized than normal?
Graham Cluley
Well, possibly, but via a different means. I am on a different chair. I am on a chair called the Swopper chair or the Swopper stool, which comes from Germany. And it means I am bouncing around like Zebedee from the Magic Roundabout. I'm going over here. Let me go over here. Here I am. I'm going back over here now.
Carole Theriault
Left and right. So you're loving it.
Graham Cluley
I hurt my back the other day doing something or other. Doesn't matter. And it was kind of, oh, oh dear. And I thought, I'm going to have to change my chair and I need to have a little bit more motion rather than being sat at my desk. I do have a standing desk, but sometimes I want to sit, but I still need to be moving a bit more. This thing, it's a bit like sitting on an exercise ball, but of course, if I was sat on an exercise ball, the exercise ball would go to the other end of the room and I'd fall down on my butt and I'd hurt myself. Not so with the Swopper chair, which looks a bit like a toadstool and it moves in all kinds of directions and is on a great big spring. And that's it. That is my pick of the week.
Carole Theriault
So London Trading Standards told the BBC that we consider this to be a scam. This is Stephen Knight of the London Trading Standards, and his team is working with the City of London Police Action Fraud Squad to crack down on this, you know, this scammy, scammy scam. But I decided to go check out Trustpilot, right? And on Trustpilot, it's quite fun at the moment because people are kind of ripping through it, you know, basically being very snide about the whole thing being a complete pile of garbage. But I went back to the first Trustpilot review of it to find out when that would have been, when it all went to market. And the first one there is 29th of March. And the guy says, total scam, reported to Action Fraud, contains a USB solid disk component worth a dollar from China. They have even created many fake review websites. So he's, you know, the only thing which protects you from high frequency radiation is a Faraday cage. Don't be scammed. So that's the first message in the Trustpilots, right? And yet, are people buying this? Graham on his toadstool.
Mark Stockley
Have you got a fishing rod?
Graham Cluley
Mark, what's your pick of the week?
Mark Stockley
Well, my pick of the week is a book called The Knowledge: How to Rebuild Our World from Scratch by Lewis Dartnell. Oh, a comedy? This will tell you exactly where I'm at at the moment. So obviously we're just coming out of lockdown at the moment, but it turns out that I've been in lockdown for years, and this is where my head has been. So it's a fantastic book. I've been listening to this as an audiobook.
Carole Theriault
Experiencing. That's what my brother and I call it. Experiencing the book.
Graham Cluley
It sounds so much more impressive if you claim to have read the book. And now I'm a little bit disappointed in you now.
Carole Theriault
I know, but experiencing is the right word.
Mark Stockley
Well, because I'm letting someone else read it.
Carole Theriault
He knows how to read.
Graham Cluley
My son lets me read books to him as well, and I don't actually consider that the same as him reading the books.
Mark Stockley
All I can say, Graham, is that not only have you not read this book, but you haven't had the pleasure of having this book read to you. Because I don't know who the guy doing the audiobook is, but he is amazing. He's got the most fantastic dramatic voice. The guy who wrote the book decided to try and answer the question: what knowledge would you need in order to reboot society? Because lots and lots of us walking around now, you don't know what it takes to do the things that you use. Nobody could build an iPhone from scratch. Nobody knows enough to build an iPhone. Nobody knows enough to build a laptop. And interestingly, he references a paper that was written in the '50s where somebody tried to trace all of the elements that go into making a pencil. Just a pencil, bit of wood with a bit of graphite down the middle. And that no one person on the planet knows enough of the process to simply make a pencil, never mind all the things that we have invented since. And so it's this kind of unraveling of, from basic principles, these are the things you need to know, this is the science you need to know. If you know this, then you can learn this.
Carole Theriault
Or know Mark, right? Just know Mark. Sorry, what? Which I do. Well, you're reading it or experiencing it. I know you. And as long as I can get to your house by foot, which I probably could, wouldn't be that, you know, I'd be there in a few hours.
Graham Cluley
I've got a very quick question for you. Is it an interesting book?
Mark Stockley
Oh, it's fascinating. I'll tell you why it's interesting, because it's not just the knowledge you need to know. It's also a bit of a history book on how did we acquire that knowledge in the first place, right? Because some of what you need to do is to trace the steps of the past. But it turns out that some of the things that we learned in the past we didn't need to learn in the order that we did. And there are big gaps, for example. So we had all the technology we needed to invent photography several hundred years before we invented it. Knowing how technology could unravel and comparing it to how it did unravel is fascinating in itself. So it's full of useful stuff. It makes you want to go and do things, makes you want to go and build fires and learn metallurgy and do some amateur— it's got me doing— we're homeschooling at the moment, and I've been— we're doing batteries with the kids. We've been turning limes and potatoes into batteries.
Carole Theriault
I did that when I was a kid. Yeah.
Mark Stockley
So yes, it's a fantastic read, and also it does equip you with all the knowledge you need for building society from scratch, which seems like a useful thing to know.
Graham Cluley
Well, you certainly make it sound interesting. Carole, what's your pick of the week?
Carole Theriault
Okay, it's a story. Two men have been hired to carry out a client's fantasy, sex fantasy. So if there's kids, tell them go away, of being tied up in his underwear and stroked with a broom. So, okay, let's— we're just going to stop there.
Graham Cluley
Stroked with a broom. Can I ask which end? Because that would be a different kind of—
Carole Theriault
Otherwise it'd be a pole. Of course it has to be the fluffy end.
Mark Stockley
I have a follow-up question?
Carole Theriault
The role play was arranged over Facebook, okay, by a man near Griffith, New South Wales, who provided his address to this duo, right, this hired pair. And he was willing to pay $5,000 Australian dollars if it was really good, quote unquote. How much is that in real money? That's about £2,500. Well, they had to make a dramatic entrance. They had to make it really good. So the guys, the two guys thought about it and figured out how to do it. But meanwhile, our man, our— what do we call him? Client. Yes. Moved house. And forgot to tell the hired people. He probably did it when he was drunk or something, forgot he even ordered it.
Graham Cluley
We've all been there, we've all done that. No, no, no, I haven't. That's why I'm— it's my pick of the week because I was just—
Carole Theriault
He comes in 6 o'clock in the morning to make coffee sometimes. And then he hears a weird noise. It sounds like someone's name. So he kind of gets up, you know, from his bed, puts his light on, starts taking off his mask, and there's two guys with machetes standing over his bed. And he freaks out. And after a bit of talking, it turns out that perhaps he isn't the client. He wouldn't know the safe word.
Graham Cluley
I imagine the safe word in Australia is, "Bloody it. Crikey, mate. What you doing here?" With a broom.
Mark Stockley
Never mind the broom.
Carole Theriault
I was reading about this story and I kept waiting for someone to talk about the broom. No one talks about the broom. Everyone's concerned about the machetes. I'm just like, where's the broom? How did they get from broom to machetes? No idea. But it is a staggeringly shocking entrance to make. I suppose machetes are like a broom.
Graham Cluley
They've just replaced the broom head with an axe. But the other range is—
Mark Stockley
Graham, would you rather be stroked by a broom or a machete? Yeah. In what way is a broom like a machete?
Carole Theriault
Well, think about it. There's lots of different types of brooms. You have your hard bristle outdoor cement broom.
Mark Stockley
Yeah, the ones with great big stainless steel blades on the end.
Carole Theriault
So when the pair realized their error, one of them said, "Sorry, mate," shook the resident's hand, and, sorry mate, you can't shake hands, there's a bloody pandemic going on. They then drove to the correct address where the client noticed that one of the men had a great big knife in his trousers, and he asked him to leave the weapons in the car. The client then cooks them breakfast, and that's how the police find them. Machetes in the car, sitting around the table eating breakfast with the initial client. The judge ruled that evidence did not suggest the men's actions were intentional and said no problem. The machetes were either a prop or something to be used in a fantasy. It was unscripted. There was no discretion as to how it should be carried out. So there you go.
Graham Cluley
So the first victim, he called the police. That's why the police came and got them.
Carole Theriault
Yeah, well, you would, you think, after they said, "Sorry, mate," would that be enough for you?
Graham Cluley
That could happen.
Mark Stockley
And they said, "What's going on here?" And then the first thing they could think of. What's the story you've just told?
Carole Theriault
So it was a commercial agreement to tie up and stroke a semi-naked man in his underpants with a broom. Okay, that was all it was.
Mark Stockley
That is amazing. That is it. I hope that's the whole podcast. I just cut my bit and Graham's bit.
Carole Theriault
It's a beautiful story. It's all over the press. BBC have done quite a cute little one of it, so I'll put a few links in the show notes.
Mark Stockley
That's fantastic. Fantastic pick of the week.
Carole Theriault
Thank you very much. I got it from an interesting human being. Someone who's into this kind of stuff.
Graham Cluley
Oh, really? Well, that just about wraps it up for this week. Mark, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
Mark Stockley
I am on Instagram these days under—
Carole Theriault
Poke 'em with a broom! Under Internet of Hints.
Mark Stockley
If you like bees and chickens and other things that might help you after the collapse of society, then follow it on Instagram @InternetOfHands.
Graham Cluley
And you can follow us on Twitter @SmashInSecurity, no G, Twitter won't allow us to have a G. And you can also join the Smashing Security subreddit up on Reddit. And don't forget, if you want to be sure never to miss another episode, subscribe in your favorite podcast app such as Apple Podcasts, Spotify, or Pocket Casts.
Carole Theriault
I'm really glad you don't sing subscribe like some people do, like, "Subscribe!" A massive thank you for listening and supporting us, people. It does mean everything. Also, big thank you to this week's Smashing Security sponsors: Deep Instinct, Immersive Labs, and LastPass. Their support helps us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
Graham Cluley
Until next time, cheerio, bye-bye, bye-bye. Bye. So he asked for a broom and they got machetes. They brought them. Ask for a broom, get machetes.
Carole Theriault
Maybe it's an accent thing.
Graham Cluley
How garbled does the Australian accent have to be? Hey, you can't do it. You can't do it.
Carole Theriault
Maybe there's a kind of Australian version of Cockney slang that has broom rhyme with machete.
Graham Cluley
You remember in Crocodile Dundee where Paul Hogan says, "Call that a knife?" Maybe they were doing that.
Carole Theriault
Maybe they were doing that. Maybe they were dressed like that.
Graham Cluley
Call that a broom? Let me stroke you with this baby here.
EPISODE DESCRIPTION:
Police are hoping to stop kids becoming cybercriminals by bombarding them with Google Ads, phishers rub their hands in glee at the NHS track and trace service, and just how does a nano-layer of quantum holographic catalyzer technology make a USB stick cost hundreds of pounds?
All this and much, much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley.