
189: DNA cock-up, Garmin hack, and virtual kidnappings


Why are students faking their own kidnappings? What's the story behind Garmin's ransomware attack? And a genetic genealogy website suffers a hack or two.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Ray [REDACTED].

Warning: This podcast may contain nuts, adult themes, and rude language.

Sponsored by:

  • Immersive Labs - Giving security professionals practical and gamified content to keep pace with the latest threats. Listeners can get access to more than 24 hours of free labs AND a new lab to try out each week.
  • LastPass - The trusted enterprise password manager of over 33,000 businesses.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Twitter at @SmashinSecurity, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Privacy & Opt-Out: https://redcircle.com/privacy

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



CAROLE THERIAULT. Hi everyone, Carole Theriault here. We just wanted to reach out and give a huge thank you to some of our amazing Patreon supporters. This week we give a shout out to Fantastic Wolf, Divorced Pop, Andrew Minko, 636B, Dave Barker, Susie V, Heisenberg, Eric Hoople, Robert Martin, Dave B, Habmala, Thom Courtney, Matt Weir, and Alex. Thank you all. We couldn't do this without you. If you want to join our Patreon community, we would be thrilled to have you. Check out more information at smashingsecurity.com/patreon. Now let's get this show on the road. [Ray [REDACTED]]: Last Thursday, millions of people noticed that their Garmin watches were no longer tracking that activity or any GPS data.


CAROLE THERIAULT. Oh my God, they didn't know where they— where am I? [Ray [REDACTED]]: You certainly did not know where you were.


GRAHAM CLULEY. What is the point of living anymore if my steps are not being counted? Smashing Security, Episode 189: DNA Cockup, Garmin Hack, and Virtual Kidnappings with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 189. My name is Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And this week, Carole, we are joined by a special guest, someone who's never been on the show before. It is the mysteriously named Ray [REDACTED].


CAROLE THERIAULT. Newbie Ray. [Ray [REDACTED]]: Well, hello.


GRAHAM CLULEY. Hello, Ray.


CAROLE THERIAULT. Hi, Ray. [Ray [REDACTED]]: Hello, it's good to be here. I'm a super fan. So now I get to actually be on the podcast.


CAROLE THERIAULT. Oh, that's very exciting. Now, what 3 things should our listeners know about you? [Ray [REDACTED]]: First of all, my name is Ray [REDACTED]. Second of all, I was not born with that name. Okay. That was not the name that my parents gave me when I was born. And third of all is I have a brand new podcast called Tribe of Hackers Podcast. That's tohpodcast.com that I've just launched during the pandemic. Ooh.


GRAHAM CLULEY. And what, what happens on Tribe of Hackers? [Ray [REDACTED]]: Well, we actually talked to members of the tribe of hackers. There have been several books written by Marcus J. Carey and Jennifer Jin, including Security Leaders, including Red Team, and an upcoming Blue Team book. And we basically just chit-chat and talk about current events and everything security-related.


GRAHAM CLULEY. Hang on a minute. What made you think that there was space on the marketplace for another cybersecurity podcast? Did you not think actually—


CAROLE THERIAULT. Graham, Graham, Graham, didn't you hear him? He talks to the bad guys. We talk to the good guys. [Ray [REDACTED]]: Oh, no, no, no. We're not letting you use the hacker term as a negative connotation. No way.


GRAHAM CLULEY. Carole, what is coming up on the show this week?


CAROLE THERIAULT. Well, first, let's say thanks to this week's sponsors, LastPass and Immersive Labs. Their support helps us give you this show for free. Now, coming up on today's show, Graham delves into a DNA cock-up, Ray questions whether Garmin should pay the ransomware or not, and I'll be looking at an international phishing scam with pretty shitty stakes. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, I want to take you back in time once again.


CAROLE THERIAULT. It's always going back in time.


GRAHAM CLULEY. I love going back in time. The thing is, Carole, I am—


CAROLE THERIAULT. What, when you were young and hip?


GRAHAM CLULEY. Hey, look, Ray understands, right? There's a global pandemic going on, right? Our hair makes us look like we're living in 1974 right now, okay?


CAROLE THERIAULT. That's true. I'm more of a Farrah Fawcett now than I was 6 months ago.


GRAHAM CLULEY. Well, between 1974 and 1986, there was a serial killer and rapist known as the Golden State Killer operating in California. [Ray [REDACTED]]: Yes.


GRAHAM CLULEY. He was at large. Oh, have you heard of this?


CAROLE THERIAULT. Oh yeah, yeah, yeah. This was a big deal. This was a huge deal in my neck of the woods too.


GRAHAM CLULEY. Oh really?


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Well, he was also known as the Original Night Stalker and the Diamond Knot Killer. And he is thought to have killed at least 13 people, been responsible for 50 rapes and over 100 burglaries. Not a terribly nice chap.


CAROLE THERIAULT. I was just gonna say, thanks so much for bringing us joy. Me and our listeners.


GRAHAM CLULEY. Well, there might be a happy ending, or there might not. Let's find out. For decades, the cops investigated. Yeah, they were interviewing suspects left, right, and center, and then they'd clear them. They'd say, oh, well, your alibi turns out, yes, all right, you were with Granny that night, or the DNA doesn't match the evidence. And the evidence wasn't pointing in any particular direction. There was a good chance that they were never going to solve the crime and unmask the Golden State Killer, because, you know, coming on for almost 50 years. [Ray [REDACTED]]: Cold case getting really cold after 50 years.


GRAHAM CLULEY. Until April 2018, when they arrested a chap called Joseph James DeAngelo, 72 years old. And DeAngelo, well, he coughed up and he admitted it. He said, "Yep, it's me." He had a good reason to do that, which was he wanted to be spared the death sentence. So he did a plea deal and he said, "Yep, I admit killing these 13 people, the kidnappings, numerous other crimes, the rapes, everything else." Wasn't he like a former cop or something? Yes, he was. [Ray [REDACTED]]: Yes!


GRAHAM CLULEY. You do know about this. Yes, he was a former police officer. Yeah, yeah. Now, whether that gave him any advantages in covering his tracks, I don't know. So, interesting thing was, how after all of this time did the police manage to find him? And it's quite a fascinating story. I knew nothing about this particular case until I began reading about this in the last day or so. It turns out the vital clue was DNA, which was collected at the scene of a double murder in Ventura in 1980. And what the cops managed to do was they used an online genetic genealogy database, and they built a complex family tree dating all the way back to the 1800s with a partial match on the DNA. And they found someone who was DeAngelo's great-great-great-great-grandfather. [Ray [REDACTED]]: Oh, wow.


GRAHAM CLULEY. Now, obviously, it wasn't the great-great-great-great-grandfather with a time machine and a stick of bubble gum or something, who traveled through time and committed the murders. But what that meant was they were able to go down the family tree and say, okay, well, who's descended from them? Who may be related to them? And they came up with 1,000 people, a shortlist, as it were, of 1,000 people. And over a few months, the investigators eliminated them based upon their age or their sex.


CAROLE THERIAULT. It's just incredible.


GRAHAM CLULEY. I mean, it is incredible.


CAROLE THERIAULT. I mean, 1,000 people, I mean, still sounds like a lot of people. The number of cops that were on this during his reign of terror, you're looking at 10 million people.


GRAHAM CLULEY. So the cops had done this incredible thing, and they'd eliminated all the potential 1,000 suspects until only DeAngelo remained. But they have to prove that it really is DeAngelo. So they tailed him, right? You know, you tail someone, Ray, right? You're American, yeah? [Ray [REDACTED]]: Sure.


GRAHAM CLULEY. Yeah, you get your box of doughnuts, right? And you just hang out outside their house for a while, right? And you follow them around. Yeah, that's what you do. You have a buddy. Do you have a buddy?


CAROLE THERIAULT. Wouldn't it be smarter to offer him a doughnut? Didn't get the DNA that way, and it's to give it back.


GRAHAM CLULEY. I don't know if that's legal. I don't know. Once you've given someone a doughnut, to then take it back and use it as criminal evidence. You might need a warrant for that, I don't know. Anyway, they tailed him. Mm. And they picked up some of his DNA. Now, you have to be careful picking up people's DNA to make sure that it's evidence you can actually enter.


CAROLE THERIAULT. What, rather than, like, putting your DNA all over it?


GRAHAM CLULEY. Well, you can't, for instance, grab a piece of his hair, you know, or do a swab without his permission. Apparently, he helpfully discarded some of his DNA. In all the reports I've read, they've not gone into detail. Okay, well, there you go.


CAROLE THERIAULT. The way they always did it in Law & Order, right, was that they would have a chat with someone, offer someone a coffee, and then when they'd throw it out, grab the cup, right?


GRAHAM CLULEY. Oh, I see. I was thinking maybe he'd blown his nose or something and just chucked the tissue into a garbage can. [Ray [REDACTED]]: Well, now we're constantly discarding DNA all the time. The challenge for the police officers is to maintain the chain of custody. We all learned this during the O.J. Simpson trial. Way back in the day, remember?


CAROLE THERIAULT. Yeah, Graham must love that story too. That's old.


GRAHAM CLULEY. Well, bingo, they made a match to his DNA. And hurrah, huzzah, huzzah. Everybody was happy, right? That they caught this chap.


CAROLE THERIAULT. Well, except for him, I imagine.


GRAHAM CLULEY. Well, you know, maybe he's relieved. Wouldn't have to worry about it, right?


CAROLE THERIAULT. Yeah, he's not—


GRAHAM CLULEY. Finally, I've got meals for life. I've got a roof over my head.


CAROLE THERIAULT. Yeah, my retirement plan wasn't very smart. This is excellent.


GRAHAM CLULEY. Now, some people weren't happy. Because some people gave their DNA details to sites like GEDmatch, G-E-D-match, to work out their family trees, not for the cops to dig through. So when this really high-profile case was publicized and how the cops got them, GEDmatch did get it in the neck a bit from some of the users who said, hang on a minute, what do you do? This isn't why I did this. What I want to do was increase my family tree, not to help law enforcement searches. So GEDmatch gave its million-plus users the choice to opt in. Yeah, I was surprised too. Opt in if they wanted their data to be available for law enforcement.


CAROLE THERIAULT. I think that's excellent.


GRAHAM CLULEY. Isn't it?


CAROLE THERIAULT. It should be.


GRAHAM CLULEY. They did all the right things. Big privacy warning, opt in if you want.


CAROLE THERIAULT. Well done, GEDmatch.


GRAHAM CLULEY. And apparently a couple of hundred thousand people did opt in, right? They thought, yeah, I want to help, those sort of things. So, you know, good that they did it the right way around. Everything was fine and dandy, and there ends the story. A success. Not so good.


CAROLE THERIAULT. What a lead-up.


GRAHAM CLULEY. Because—


CAROLE THERIAULT. 10 minutes in.


GRAHAM CLULEY. When—


CAROLE THERIAULT. Dun dun dun!


GRAHAM CLULEY. When users logged into GEDmatch on July 19th, they got a nasty surprise. Because what happened was everybody's profile, the settings had been updated. So they were no longer hidden from the police. They were all now configured to be available for the cops.


CAROLE THERIAULT. So did the company GEDmatch, did they change their default setting? Is that what happened?


GRAHAM CLULEY. No, the company hadn't done it. What happened was a hacker had come in and changed everyone's setting, which meant that profiles were updated so the police could use them for their own investigations. Not very good at all.


CAROLE THERIAULT. Interesting that a hacker would make them available to authorities, isn't it? [Ray [REDACTED]]: And questionable. But, you know, that's actually called something. That's actually called involuntary opt-in. And Facebook has kind of pioneered the involuntary opt-in when it comes to your privacy rights changing.


GRAHAM CLULEY. Are you suggesting Mark Zuckerberg did this? [Ray [REDACTED]]: No, I'm suggesting that an interested party may have had a motive to change those settings across the board.


GRAHAM CLULEY. Who possibly would have a motive for searching many, many more people's DNA data?


CAROLE THERIAULT. I don't know. Let me think. This is going to get political really quickly, isn't it?


GRAHAM CLULEY. So that's a little bit odd. And that happened on July 19th. And then, so that was the first hack, and then two days later something else happened. Another genealogy website, one based in Israel called MyHeritage, said that its users have been targeted by a phishing attack trying to steal their passwords. And the common denominator between all those targeted users of MyHeritage was that their email addresses had been the ones they had also been using at GEDmatch. So a hacker had taken email addresses from GEDmatch and targeted MyHeritage users as well in order to gather more data. So this appears like a concerted effort to get hold of an awful lot of data about people. [Ray [REDACTED]]: Sure.


CAROLE THERIAULT. Yeah. And it's problematic because, for example, you, Graham, might decide never to take part in one of these sites, right? However, your brother might say, yeah, yeah, I love this.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. And then if for whatever reason someone wanted to get at you.


GRAHAM CLULEY. Oh, yeah. My brother's always been very free and easy with his DNA. It's going here, left, right, and center.


CAROLE THERIAULT. Do you mean he has lots of girlfriends?


GRAHAM CLULEY. And maybe I'm— I wouldn't like that. [Ray [REDACTED]]: And that's actually the main key issue is that any one of your distant relatives can make that choice and you are therefore dragged in as well. Yes!


GRAHAM CLULEY. Mad Uncle Andy. [Ray [REDACTED]]: And I will tell you, one of the things that I always recommend to people, you know those knowledge-based authentication questions like what street did you grow up on or what was your first pet? I always tell people to lie on those, right? But with DNA, you can't. If you send in fake DNA to 23andMe or one of these other companies, they will reject it and send it back and say you violated our terms of service, and they'll even threaten to sue you.


GRAHAM CLULEY. Oh, so I can't send in my dog's DNA, for instance? [Ray [REDACTED]]: Well, certainly not the dog's, but I'm talking about if you wanted to, uh, to put, put an entire different human DNA in there, you're going to have to co-conspire with a lot of your relatives because they use genealogy databases to cross-correlate.


CAROLE THERIAULT. They could probably sue you as well, only on the basis of you stealing someone else's DNA, because you can't make up DNA. [Ray [REDACTED]]: Oh, actually, there is synthetic DNA, but it does not look very human at all.


CAROLE THERIAULT. Exactly. I don't know if it's gonna fool them. [Ray [REDACTED]]: But people have tried these things, right? When 23andMe first came out, that was like the first big commercial enterprise. You know, they sold it as, "Oh, we're gonna find all these diseases that you don't know you have, or these things that you can take for yourself." But what they didn't really tell you is that they were also looking at the diseases of your cousins and your grandparents and your uncles.


CAROLE THERIAULT. And if they share that with insurers, fun times.


GRAHAM CLULEY. So anyway, GEDmatch, they say they were victims of a sophisticated attack. [Ray [REDACTED]]: Sophisticated.


GRAHAM CLULEY. Yes, exactly. Oh, those are the worst kind, aren't they? No one ever says, "It was really dumb, actually. Yeah, our password was password1. That's how they got in." No, it's always a sophisticated attack. On one of its servers, via an existing user account. I'm not sure what that means. I wonder whether maybe the hacker came in through a staff account or something. But as a result of the breach, they say all users permissions were reset, making profiles visible to all users. They say it was only open for everybody for 3 hours. [Ray [REDACTED]]: It certainly cannot be exfiltrated in 3 hours. I mean, my goodness, right? That's mathematically impossible.


GRAHAM CLULEY. Absolutely impossible. Utterly impossible. You'd have to have something like a computer to help you.


CAROLE THERIAULT. But surely they'd have log systems to be able to see what's being siphoned out. [Ray [REDACTED]]: Oh, but the logging was disabled miraculously and weirdly, right? At the same time, Carole. I will tell you, I was actually shocked to find out how small our DNA files are. They're really not nearly as— like you would expect yours to be like, you know, hundreds of gigabytes or something, but it'll actually all fit on a single DVD or I think even maybe even a CD-ROM if you remember those.


GRAHAM CLULEY. A LaserDisc, a 360K floppy? [Ray [REDACTED]]: No, not the floppy. Even the one with the hole punch on the other side so that you can flip it over. That's not going to hold your entire DNA, but it's not a super amount of code. And, you know, it can be compressed as well. So.


GRAHAM CLULEY. Hmm. Well, one thing I found is that some of these genealogy sites actually publish transparency reports. So they're open and they say, look, we have disclosed our user details to law enforcement. So 23andMe and Ancestry, for instance, they do that. So they've been a little bit more open about things. GEDmatch doesn't offer that. Doesn't. [Ray [REDACTED]]: Yes. And on the transparency reports in the United States, they cannot publish if they have an NSL. That's a national security letter. By law, you're not allowed to divulge if you've even gotten one of those, much less if you've acted on it.


GRAHAM CLULEY. But you could have a canary, I suppose, couldn't you? [Ray [REDACTED]]: We haven't seen that work yet, Graham. In theory, people have said that that might work, but it has not been widely adopted to success.


GRAHAM CLULEY. Right, right. Well, certainly big questions as to who might have been behind this hack, and also questions, I suspect, as to whether GEDmatch is going to be trusted by users in future with their DNA data, whether people will begin to delete their accounts instead. But do not fear, because they have now emailed all of their users, telling them they take security very seriously. [Ray [REDACTED]]: Well, that's good. That's a relief.


GRAHAM CLULEY. Sleep well, kids. Don't have nightmares. Anyway, Ray, what is your story for us this week? [Ray [REDACTED]]: Well, my story is not nearly as thrilling as the tale of DNA and murder, but it does involve some criminals, and they're actually really sophisticated cybercriminals that historically were known as the Dridex gang until in December of 2019, the United States Department of Justice issued several indictments. And in the process, or right around that same time, the Dridex gang did what any major corporation does when it faces a lot of negative press. They rebranded. And so they have henceforth become known as Evil Corp, which is a pun on Mr. Robot, the Mr. Robot show. They did not choose F Society, which would have made the most sense. They actually chose Evil Corp. And in the process, one of the other things that they did was this organization has a very sophisticated, what's called a kill chain, a way of actually infecting companies and inserting ransomware. What they decided to do was to target highly specific companies in the Fortune 500 with individual malware that actually has the name of the company that they're targeting. And they went after manufacturing, and they went after oil companies, and they went after all of the major companies in that space.


CAROLE THERIAULT. No resources spared, right? [Ray [REDACTED]]: Yes, and so Evil Corp is going after these. Now fast forward to the COVID pandemic, and everybody is cooped up at home. And the one solace that many of us actually have, because we certainly cannot go to restaurants or movie theaters, is actually running or walking outside. And last Thursday, millions of people noticed that their Garmin watches were no longer tracking that activity or any GPS data.


CAROLE THERIAULT. Oh my God, they didn't know where they— where am I? [Ray [REDACTED]]: You certainly did not know where you were.


GRAHAM CLULEY. What is the point of living anymore if my steps are not being counted? [Ray [REDACTED]]: And to make matters worse, Garmin also supplies data to folks like the Weather Service. Lots and lots of airline pilots use it for both flight plan, fighting. It's using satellite technology, Garmin Explore, GPS navigation, etc. Okay. And all of this is being held up for reportedly $10 million in ransomware. But here's where the story gets a little bit tricky.


CAROLE THERIAULT. Okay. [Ray [REDACTED]]: Most people would say you make $4 billion a year. Okay, $10 million is almost pocket change that you would find on the floor. However, because of the indictments against the Evil Corp last December, it would actually be a violation of the federal sanctions placed on Russia for them to do so. And so they have an entire nother legal quandary about they could be breaking federal law by violating international sanctions to simply send that money in.


CAROLE THERIAULT. Right, right. So, so, okay. So right now we have a situation where Garmin have to decide to pay or they've already decided and it's all back to normal. [Ray [REDACTED]]: No, they've not paid and everybody is still locked out.


CAROLE THERIAULT. Right. [Ray [REDACTED]]: As of right now, they still are not functioning.


GRAHAM CLULEY. I read on the BBC this morning that they are beginning to come back online. Some people are now uploading their data. [Ray [REDACTED]]: So, well, so get this, Graham, you made the joke about if you exercise and it doesn't count on your watch, then does it really count? Restoring from backups for them might very well mean that you lose a couple of weeks worth of exercise activity on this, on the tracker, so to speak. Right.


CAROLE THERIAULT. I know people that would go apeshit crazy if that happened to them. [Ray [REDACTED]]: For sure. For sure. But the other thing that it really shows off that I wasn't that aware of is how many other services use Garmin underneath. Right. So just like, yeah, just like so much of the internet relies on Cloudflare or AWS, right? So much of navigation services including like cars and everything else, actually relies on Garmin data without you actually knowing it. But the biggest lesson here is the fact that to my knowledge, this is the first time when a company has actually been prohibited from paying ransom because of federal sanctions.


GRAHAM CLULEY. So I— that's extraordinary. But I don't get this because surely Evil Corp, right? If presumably they've been in negotiations with Garmin and Garmin have said, well, look, we'd love to pay you. Unfortunately, we can't. Because of this. Can't Evil Corp rebrand themselves again? Say, "Oh no, we're not Evil Corp.


CAROLE THERIAULT. We're not those guys." Take 10% of the fee.


GRAHAM CLULEY. We're Apple Corp or something. We're another one entirely. You know, don't worry about— No, no, no, no, no. We're different criminals. Don't mix us up with those bad guys over there. [Ray [REDACTED]]: Well, now, Graham, as a fan of Smashing Security, I do know that you once had a story about where the negotiations had been made public and people could see the gangs negotiating with the ransomware authors the victims. But in the Garmin case, we really don't have visibility to that particular aspect.


GRAHAM CLULEY. Hello, hello. Sorry for the interruption, but since we recorded the podcast, there have been some developments in this story. Here is the human known as Ray [REDACTED] to give you an update. [Ray [REDACTED]]: Hey guys, just a real quick update. Since we recorded this podcast, apparently Garmin has, quote, acquired the decryption key and begun decrypting files and restoring services. Now, that's an interesting choice of words. It's not clear whether they paid or somebody else paid, or perhaps the government got a hold of it, or the law enforcement, or maybe there was a GoFundMe and I just wasn't invited to it. But regardless, Garmin has apparently acquired the decryption key and services are being restored.


GRAHAM CLULEY. Crazy, crazy goings-on. Well, hopefully things will begin to get back to normal. Do you think it would be right if the bad guys did get paid for this or not? [Ray [REDACTED]]: Again, I mean, this is a mathematical exercise to me. $4 billion in revenue. This has got to be costing them hundreds of millions of dollars in lost business, right?


CAROLE THERIAULT. Why not call the Kremlin directly and say, look, can I just pay you directly? And then you could just talk to these dudes and get them to back off for a bit. And then, you know, they don't need a cut. [Ray [REDACTED]]: For sure.


GRAHAM CLULEY. You know, I think Carole's onto something, right? She's basically saying go to Vladimir Putin.


CAROLE THERIAULT. Or one of his cronies.


GRAHAM CLULEY. Well, no, no.


CAROLE THERIAULT. I wouldn't wait to get him on the phone.


GRAHAM CLULEY. Vladimir, from what I've seen from some of the photos, he's quite an outdoorsy kind of guy, right? He likes taking his shirt off and getting out there. I bet he's probably a Garmin user. He's probably just as frustrated.


CAROLE THERIAULT. Let's go re-examine the photographs and see if we can see the watch strap. [Ray [REDACTED]]: I can guarantee you he's not a Garmin user. They would have never attacked something that Vladimir Putin was actually using himself.


GRAHAM CLULEY. Carole, what have you got for us this week?


CAROLE THERIAULT. Okay, so Graham, you have a son.


GRAHAM CLULEY. I do.


CAROLE THERIAULT. Okay, and one day, a decade or so from now, imagine he says to you, you know, he says, "Papa," he says, "I want to be an international peace negotiator." Right. And you're like, what are you like? You're like, "Atta boy." Good lad. "Go take on the world." And he says, "Well, okay, great, great. The best school for me to study at is actually in Russia." Oh, and you're like, uh, sorry, we live in Oxford. And he's like, yeah, [MASKED] that, Dad. I need to learn Russian cultural norms. I need to learn directly from the Russians. Don't you get it? Geez, Dad.


GRAHAM CLULEY. Okay, just remember, he's my son, right? He's not gonna be using language like geez.


CAROLE THERIAULT. So you acquiesce, right? You acquiesce. He goes, all is fine, until you get a crazy call from your son and he is freaking out. And he tells you— I'm going to ask you what you're going to do at the end of this, okay? So pay attention.


GRAHAM CLULEY. Don't doze off like normal. Yeah, okay.


CAROLE THERIAULT. Okay, he's freaking out. He tells you the British Embassy in Russia, okay, or some other authority has just contacted him and said he's been implicated in a crime in Russia and that he needs to pay like thousands of pounds to avoid getting arrested. And they told him not to contact you, but he, you know, trusts you or something. And he's like, what do I do, Dad? So what would you say to him?


GRAHAM CLULEY. So I'd, I'd ask him for more details and then say, no, of course you're not going to pay them, just come home.


CAROLE THERIAULT. So what if you were Chinese and your son was studying in Australia? Do you think that might change things?


GRAHAM CLULEY. Oh, so, so, okay, so now I'm Chinese and my son has gone to Australia to study.


CAROLE THERIAULT. I want to go to Australia.


GRAHAM CLULEY. Yeah, good for you, Bruce, go for it.


CAROLE THERIAULT. Exactly, right? Yeah, except it turns out things get really bad when you get scammed. Okay, I'll flesh it out.


GRAHAM CLULEY. Okay, tell me more.


CAROLE THERIAULT. Okay, so in this Chinese Oz permutation, things get heavy very quickly. This is basically a new type of scam. There's only been 25 cases reported in Oz so far, 8 in 2020. My guess is this has all been underreported, but you guys let me know at the end what you think. [Ray [REDACTED]]: Sure.


CAROLE THERIAULT. So this is how it works. A fake authority like a Chinese embassy rings international students based down under. If someone picks up the phone, the fraudster informs them all in Mandarin that they've been implicated in a crime in China or facing some other threat, that their loved ones back home are at risk as well. This appears to be involving like a blitz of automated phone calls sent to anyone with a Chinese surname in the public phone records. That's how they're kind of contacting them now. They threaten the victims with risk of legal action and possible arrest in China and persuade them to transfer money in order to avoid arrest or deportation. So they really kind of scramble up a huge sense of urgency. This is where things get absolutely insane. In some cases, the students are even convinced to cease contact with their family and friends, rent a hotel room, and fake a hostage situation to obtain funds from their relatives overseas.


GRAHAM CLULEY. What?


CAROLE THERIAULT. What?


GRAHAM CLULEY. Wow.


CAROLE THERIAULT. All with messages you know, saying, "Help me, help me.


GRAHAM CLULEY. I, you know, I need this ransom money for my safe release." I remember when I was at college, you know, I sometimes ran out of cheese sandwiches and I'd send an urgent note home. And my Auntie Hilda came around once with a hamper. But I mean, this seems a little bit extreme. [Ray [REDACTED]]: I've gotten calls like this before. If you are in the United States and you get robocaller calls in Mandarin, it's probably this exact scam. And I've gotten tons of those on some phone lines I have.


CAROLE THERIAULT. That's really interesting because they say it's happening more in the States and New Zealand. There are cases there as well. Let me show you some of these pictures. [Ray [REDACTED]]: Oh, these pictures are crazy. These pictures are crazy.


GRAHAM CLULEY. So these are pictures of people who are sort of like bound by their arms and legs.


CAROLE THERIAULT. They have bound themselves. [Ray [REDACTED]]: Oh, they stage it themselves.


CAROLE THERIAULT. Oh, they're staging this. [Ray [REDACTED]]: Wow, it looks very real. She ripped her shirt and everything.


CAROLE THERIAULT. Yes, because the ransomware are saying if you don't convince them, you're in deep, deep trouble. [Ray [REDACTED]]: Oh, she added bruises to her ankles so it looks like she'd been bound.


GRAHAM CLULEY. People did all this based upon a phone call.


CAROLE THERIAULT. Well, no, not just a phone call. I imagine it went on and on. How they got them to this psychological state of you are a controlled— [Ray [REDACTED]]: Well, they start with those automatic phone calls, right? The automatic phone calls. And then the people that fall for it call back that number, which is, you know, the spoof caller ID is showing a Chinese voice-over-IP number or something that they answer as if it was the embassy or whatever. And then they basically set the hook at that point. Right. So it all starts with robocalling. But eventually people really do start to fall for it. And I'm assuming these are people with parents that have money.


GRAHAM CLULEY. Hang on, hang on, hang on, Carole, please explain to me. So they're being scammed and the scammer who's pretending to be from Chinese law enforcement or something, right? Or Chinese authorities.


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. They suggest to the victim that they pretend to be a kidnap victim and the person being targeted thinks, yes, that sounds legitimate.


CAROLE THERIAULT. Well, I don't think they're always using the embassy line. I think that is in some cases using embassy, but other times they're saying you're at risk, you're in danger.


GRAHAM CLULEY. And then they suggest you pretend to be a kidnap victim rather than saying just convince your parents to sort out the money. It just seems—


CAROLE THERIAULT. Well, maybe, maybe, for example, the phone calls are like, I can't, they won't give me any money. Or, you know, I mean, you have to imagine like this is serious cash, okay? So there were 8 known virtual kidnappings this year and it has netted $3.2 million Australian dollars.


GRAHAM CLULEY. What?


CAROLE THERIAULT. Yes. So payments normally range between $20,000 and $300,000, but in one case, a father paid more than $2 million Australian— that's based more than a million pounds or $1.5 million USD— in ransom payments before receiving a video of his daughter gagged and bound in an unknown location. So already having had a million quid— wow— he then got a video of his daughter gagged and bound, and that is when he contacted the Sydney police, who after an hour's search found her safe and well in a hotel room in the city. [Ray [REDACTED]]: But she was hiding though, right? She was hiding under instruction. She was told to go hide, make sure you hide and turn off your phone and everything else, right?


CAROLE THERIAULT. Exactly.


GRAHAM CLULEY. What are parents to do? Are parents supposed to wait for a severed ear or something? Mind you, some of these guys probably would have done that, right? They think, oh, little pink ear. [Ray [REDACTED]]: Well, you could check the DNA. You could just run it against the GEDmatch database. And see if it matches.


GRAHAM CLULEY. Or send your dog's ear, maybe. No, don't do that to dogs.


CAROLE THERIAULT. I mean, I think the reason this might— so apparently they're saying this type of scam is on the rise. It's rearing up its head now. And why is Oz a hotbed for this? And some of the explanations seem quite interesting to me. So one was Australia relies a lot on international students. So something like there's 750,000 international students and they make a huge hotbed of money for the universities and for, you know, renters and landlords and restaurants and everything. But international students were not approved for government welfare during the pandemic. Okay, so number one, they don't have any cash from the government, from the, from the Australian government. [Ray [REDACTED]]: Interesting.


CAROLE THERIAULT. Um, second, they also tend to rely more on casual work to help make ends meet, and a lot of those hotels, restaurants, etc. had to close during the pandemic. Australian universities apparently have long been accused by researchers of not providing better support for international students. So they're saying there's like some, there's some struggles to develop social bonds with Australian-born peers. There's some prejudices. So there's a number of pieces of research suggesting that. There's also the political skirmish that's heating up. So you might remember that Australia kind of sided with the US when the US said, hey China, we would really like to have a bit of a dig into this whole virus thing and how it started. Since then, China's been poo-pooing students who chose to stay in or return to Australia. Beijing said in a statement in June that students should be cautious— is the word they used— when choosing to go or return to Australia. That said, quote, "The spread of the new global COVID-19 outbreak has not been effectively controlled, and there are risks in international travel and open campuses." And during the epidemic, there were multiple discriminatory incidents against Asians in Australia. So Oz retorted, and they're kind of saying, no, no, no, we provide world-class education. We're one of the safest countries in the world. So there's a bit of a spitting fight there between the two nations.


GRAHAM CLULEY. These photos, Carole, are unbelievable. And I choose my words carefully because the cynic in me wonders whether this is all a load of old nonsense. I wonder whether word has got round the Chinese student population in Australia. Here's a scam to get a whole load of money out of your parents. Pretend that you've been kidnapped. And then when people investigate, say, oh, I got this phone call and it told me this and it told me that. And so I had to do it. [Ray [REDACTED]]: Oh, I disagree. I disagree, Graham. I understand your skepticism and it certainly does kind of set off some alarm bells about skepticism, but that would easily be uncovered by now. I mean, it's very difficult to keep a secret like that, right? I mean, some of these pictures have knives in them and cash in them, etc. You don't think that that's being investigated extremely heavily after the fact?


GRAHAM CLULEY. It's Australian money, right? Doesn't really count.


CAROLE THERIAULT. Graham, the other thing is that thought glanced past my mind, but I immediately said, well, what? Because I was thinking the pictures look so staged. [Ray [REDACTED]]: Sure.


CAROLE THERIAULT. Right. But what's to say that some guy who was actually doing this would actually be a good photographer? [Ray [REDACTED]]: Like, just because the TV show would have showed it, made it look more real.


CAROLE THERIAULT. The guy was just taking a snap of me, was actually holding me at ransom. Would it be a great pic? You know? [Ray [REDACTED]]: Yeah. So you had— you do have to wonder if any students would engage in copycatting it though. That, to Graham's point, you might actually see people doing this now themselves just to get that laundry money or those cheese sandwiches.


GRAHAM CLULEY. Buddy, I'm right now, I'm at the bottom of my garden. My family haven't seen me for a while. I might tie myself up now and send them a text message, see if I can get some cash out of them.


CAROLE THERIAULT. They're just going to empty your own account, Graham.


GRAHAM CLULEY. That's—


CAROLE THERIAULT. well, could you just give my bank details? First off, the thing, a little bit of advice. If you know of any international students that are outside of their country and they happen to be living in the States, in the UK, anywhere in the world, 'Can you please just make sure they're okay?' is really hard, potentially, during— because a lot of people couldn't travel due to money, like they didn't have enough cash to go home and they're stuck where they are.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Um, and if you do get threatening calls, uh, tell someone. Do not sit quiet and try and deal with it yourself by deciding to do these hammed up— it's awful.


GRAHAM CLULEY. I'm still a bit scared. [Ray [REDACTED]]: And Carole, in the United States, by the way, anytime somebody contacts you and says they're from the IRS or the FBI— the FBI actually has a number that you call to verify and check whether they are actually who they say they are. So you should always do that rather than calling back the number that's sent on the caller ID.


CAROLE THERIAULT. I know my advice would be, yeah, it'd be like, thank you very much. Then call the embassy directly and say, hi, this is Carole Theriault. I hear that you're looking for me. I'm just returning your call. And if enough people do that, they'll realize something's going on. [Ray [REDACTED]]: And I bet you the embassy immediately says, no, that's a scam. We've been dealing with it all week long.


GRAHAM CLULEY. And yeah, these are students, these are smart people studying overseas, you know, they're not dumbos.


CAROLE THERIAULT. Well, hey, you know, Trump's president of the United States, I don't know what to tell you. [Ray [REDACTED]]: You know, I think as a parent though, when your child goes away to college, if you do happen to have, you know, $200,000 in bitcoins or something and you get these photos, I would absolutely want to pay that ransom immediately. Like, this is not Garmin, this is actually my child.


CAROLE THERIAULT. Yeah, well, Graham's not going to do it. Graham's gonna be like, no, no, no, this is a scam, you figure it out, my son, you're a smart boy. [Ray [REDACTED]]: Get a better camera. Get a better camera next time.


GRAHAM CLULEY. Come on, Carole. Your dad would be the same. Would your dad pay up for it?


CAROLE THERIAULT. No, of course he wouldn't have. [Ray [REDACTED]]: Ever.


GRAHAM CLULEY. He would probably pay them to get them to keep you.


CAROLE THERIAULT. He'd be like, "How much you talking?" "I'll double it," he says.


GRAHAM CLULEY. "I'll give you twice that." Negotiated away.


CAROLE THERIAULT. Keep her!


GRAHAM CLULEY. If you listen to our show regularly, you'll know that hackers never stop innovating. Immersive Labs gives security professionals practical and gamified content to keep pace with the latest threats. Sign up to get instant access to more than 24 hours of free labs and a new lab to try out each week. Latest being their red and blue team labs on the SaltStack vulnerabilities, which were in the news last week. Go check it out at immersivelabs.com/smashingsecurity.


CAROLE THERIAULT. Hey, you IT security guys out there, I know that you have a tough job. If you want increased security without impacting productivity, if you want to secure every entry point to your business, if you want to unify access and authentication, then check out LastPass. They have the tools to make your life easier. Learn more at smashingsecurity.com/lastpass. Oh, and the rest of you out there, don't freak out. There's a free password manager for home use. Check it out at smashingsecurity.com/lastpass.


GRAHAM CLULEY. And welcome back, and you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week. [Ray [REDACTED]]: Pick of the Week.


CAROLE THERIAULT. Hey!


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, my pick of the week this week is inspired. Inspired by you, Carole.


CAROLE THERIAULT. Inspired by me, huh?


GRAHAM CLULEY. Yes, because last week your pick of the week was an article which detailed 60 different covers of Hallelujah by Leonard Cohen. And I went through that list and I have to say, I'm not sure about the Hallelujah song. You know, I do feel it's been really overplayed, and going through some of those, I thought some of them—


CAROLE THERIAULT. I found it doesn't make it a shit song.


GRAHAM CLULEY. No, I know, but it kind of grates with me. I have to say, I really liked Regina Spektor's version. That I thought was fantastic and a different take on things. But anyway, um, you did also give us an exclusive recording at the end of last show of a brand new version of Hallelujah. [Ray [REDACTED]]: Great, great. It was great.


GRAHAM CLULEY. But you only came up with 60 different covers. I have been to a website which gave me 366 different versions. It is a website called Secondhand Songs. And Secondhand Songs, you can go to, and you can find cover versions of just about any song you would like, including links to it on Spotify and YouTube, if they are available as well. And I quite enjoy going to Secondhand Songs and checking it out.


CAROLE THERIAULT. I was just trying to see if there's a song with the name Graham in it. And it looks like, no, there's not.


GRAHAM CLULEY. There are no Graham songs.


CAROLE THERIAULT. There doesn't seem to be any Graham song, unless I'm not searching for it right.


GRAHAM CLULEY. Oh, Graham. He likes girls and to lay 'em. [Ray [REDACTED]]: I'm gonna write one right now.


GRAHAM CLULEY. He'll cause lots of mayhem. So I had a look at some songs which I love. For instance, there are 3 different versions of 'My Boomerang Won't Come Back' by Charlie Drake. Slightly racist song, to be honest, now. You can listen to it at 60 years old. 25 versions— What about 'Louie Louie'?


CAROLE THERIAULT. That's a great song.


GRAHAM CLULEY. Look it up, look it up.


CAROLE THERIAULT. I'm doing it right now. 25 different versions of one song. [Ray [REDACTED]]: 'One Night in Bangkok.' That's kind of related to Carole's story, isn't it?


GRAHAM CLULEY. I mean— I thought, ooh, I thought, they've got this great big database. What is the most covered song of all? What would you guess would be the most covered song in history? [Ray [REDACTED]]: Oh, it's gotta be a Beatles song. It's gotta be the Beatles, right? Something from the Beatles?


CAROLE THERIAULT. You're right. It's gonna have to be old. It's gonna have to be old.


GRAHAM CLULEY. Well, I thought it might be 'Yesterday' by the Beatles, 'cause you always hear that's been covered so many times, don't you? [Ray [REDACTED]]: 'It's a Wonderful World.' That'd be a good one too.


GRAHAM CLULEY. Oh, what, Louis Armstrong?


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Well, according to the database, and we disagree with what the internet says, the most covered song in their database with 2,900 different versions is 'Stille Nacht, heilige Nacht'. [Ray [REDACTED]]: What?


GRAHAM CLULEY. Which I think, I think is Silent Night, Holy Night.


CAROLE THERIAULT. Happy Birthday should be first, really.


GRAHAM CLULEY. Oh yeah, maybe. Well, anyway, so you can check out Secondhand Songs and it's quite enjoyable.


CAROLE THERIAULT. It's pretty good. It's not as good as my pick of the week, just saying.


GRAHAM CLULEY. Oh, we'll see, we'll see. Ray, I know you're dying to tell us your pick of the week. What have you got for us? [Ray [REDACTED]]: My pick of the week. Well, first and foremost, I am not gonna use pick of the week to plug my podcast, The Tribe of Hackers Podcast, because that would just be tacky. Instead, what my pick of the week is, is actually a mathematical formula or algorithm, if you will. Now, this is a programmer's parlor trick that will allow you to know what day of the week any date is in history. So it's actually called the Doomsday Algorithm. And it allows you, if you know the date, the month, the day, and the year, to know what day of the week it is. So the name Doomsday was sort of a pun and kind of a joke. But because this is the year 2020, I thought Doomsday was very, very relevant.


CAROLE THERIAULT. Doomsyear, let's change it. [Ray [REDACTED]]: The way it works is our doomsday for the year 2020 is Saturday. Now we are in a leap year. So what that means is that Saturdays occur on January 4th, February 29th, March 14th, April 4th, May 9th, June 6th, July 4th, August 8th, September 5th, Halloween, November 7th, and December 12th.


CAROLE THERIAULT. Easy peasy to remember. [Ray [REDACTED]]: That sounds like it's difficult to remember.


GRAHAM CLULEY. Yeah. [Ray [REDACTED]]: But it's actually really, really easy. And there's a mnemonic trick to how you remember them.


GRAHAM CLULEY. Confused. [Ray [REDACTED]]: Okay, if you know, if you know that Saturday is the doomsday for the year 2020, you can calculate what day of, of, of any, uh, month or date. Now, once you actually know this trick and you know the anchor date for each and every year— and I've got them memorized from 1898 to 2100, but other people can go all the way back to the very beginning, right? But once you actually know that, you can say— you can figure out what day of the week anything was. So here's an example. On November 24th, 2014, the employees that worked at Sony Pictures Entertainment came in and saw that their laptops had been wiped and basically destroyed by North Korean hackers. Do you guys remember? Oh, yes. Yeah, of course.


CAROLE THERIAULT. Okay. [Ray [REDACTED]]: Now we know that that year is 2014.


GRAHAM CLULEY. Yeah. [Ray [REDACTED]]: And 2014, of course, the doomsday is Friday. Which means that that Friday occurred on January 3rd, February 14th, March 14th, April 4th, May 9th, June 6th, July 4th, August 8th, September 5th, and November 7th. Now, that— because it happened on 11/7, or November 7th, okay? Because that was a Friday. We now know that 11/24 was a Monday.


GRAHAM CLULEY. So listen to you, Carole, going, yeah. Like, you're— are you— I want you to explain this to me later because I am baffled.


CAROLE THERIAULT. No, no, and I get it now. I get it. No, I'm gonna explain it to you right now. I'm gonna explain it to you right now.


GRAHAM CLULEY. All right.


CAROLE THERIAULT. You need to know what the last day in February is. So it's either the 28th or the 29th. You need to know what day of the week that is. Like it's gonna be Monday or Saturday or Friday. This year, the last day of February is the 29th and it's a Saturday. And once you know that, you can use this mnemonic to work out every day of the week. [Ray [REDACTED]]: So give me a name, name a year for me real quick. Just name any year.


CAROLE THERIAULT. 2023. [Ray [REDACTED]]: Okay, 2023. The doomsday is a Tuesday and it's a non-leap year. Okay. So Tuesdays occur on January 3rd, May 9th, September 5th, 4/4, 6/6, 8/8, 10/10, and 12/12. So, you know, all of those days are Tuesdays. So to figure out any other day of the week, you can actually just go forward and backwards.


CAROLE THERIAULT. I have to say, this is hard to do on radio, Ray. I got to say, you are a brave man. [Ray [REDACTED]]: But here's— well, we're going to link to some ways that you can actually memorize this and stuff. But here's another example. Do you guys remember Y2K?


GRAHAM CLULEY. Yes. Yes, of course. [Ray [REDACTED]]: Do you remember what day of the week Y2K occurred?


GRAHAM CLULEY. [REDACTED] No. [Ray [REDACTED]]: Well, of course you should remember that because we know in the year 2000 that doomsday was a Tuesday. So January 1st must have been a Saturday. It's very easy to do it in your head once you actually get this down. It's a great parlor trick. It's a good way to impress people because you know what date their birthday is of any given year or anniversaries. You can even use it to calculate bank holidays and other things like that as well. That's the Doomsday Algorithm.


GRAHAM CLULEY. Are you married? [Ray [REDACTED]]: I am.


GRAHAM CLULEY. Have you had sex? [Ray [REDACTED]]: Yes, I have. I have children.


GRAHAM CLULEY. Oh my goodness. Congratulations.


CAROLE THERIAULT. Graham, Graham, I think we should wipe our schedules tomorrow and just learn this. [Ray [REDACTED]]: I don't like to talk about wiping schedule, wiping and DNA and sex all in one paragraph. It's a little bit uncomfortable.


GRAHAM CLULEY. Carole, what's your pick of the week?


CAROLE THERIAULT. I'm putting this down as one of the best picks of the week we've ever had.


GRAHAM CLULEY. Brave.


CAROLE THERIAULT. Okay. Number 1, this is not just for you guys or for all us listeners. It's also for your gran and your kids. Everyone can do this.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. Okay, I want you to go to this website, incredibox.com. This gives you a demo of their app, which is available both for iPhone and Android.


GRAHAM CLULEY. There are some funny cartoon characters and it says Little Miss.


CAROLE THERIAULT. Just press the play button.


GRAHAM CLULEY. And there's a play button. All right. Okay, okay, uh, so there are these weird icons at the bottom. Oh, oh, hang on. Oh, oh, oh, I like this crow.


CAROLE THERIAULT. Yes, keep going. I'll explain what it is while you keep playing. Incredibox is a musical beatbox game and website developed and published by French company So Far So Good (SFSG). And the concept is extremely simple, which is why I didn't want to explain everything, so you could see even Graham picked it up in about 20 seconds. You drag and drop sound icons onto different characters— there's about, what, 8 on the page— and you make them beatbox.


GRAHAM CLULEY. This is seriously cool.


CAROLE THERIAULT. I told you.


GRAHAM CLULEY. I mean, it's a great design. The user interface is wonderful anyway, but also such fun. I mean, the audio and everything is—


CAROLE THERIAULT. Plus the player can find combos to— this is where you can get your kid involved, right? Can find combos to unlock animated bonuses and record mixes to integrate a ranking. And there's an automatic mode, so you can actually go to the automated mode and you can just go, okay, jam with my beats. And you optimize my beats into a new jam.


GRAHAM CLULEY. And what are they doing here? What are they trying to sell me? Nothing.


CAROLE THERIAULT. Well, not the demo version anyway. [Ray [REDACTED]]: They're actually grabbing your DNA through the computer and then calculating what day of the week your birthday is. This is great.


CAROLE THERIAULT. It's awesome. So there you go. I'm putting that down as one of the best picks of the week in the world. Please check it out, everybody. It's worth it. The incredibox.com. From So Far So Good. Very good.


GRAHAM CLULEY. Well, that's pretty cool. And that just about wraps up the show for this week. Ray, I'm sure lots of our listeners would love to follow you online.


CAROLE THERIAULT. Yeah, they want to ask you about doomsday algorithm. [Ray [REDACTED]]: Yes. If you want to learn about the doomsday algorithm, you can find me at—


CAROLE THERIAULT. Contact Ray directly, please. [Ray [REDACTED]]: I am at Ray [REDACTED].com. The podcast is at tohpodcast.com, like Tribe of Hackers podcast. And I look forward to seeing you all on Twitter and online.


GRAHAM CLULEY. And you can follow us on Twitter as well at Smashing Security, no G. Twitter must have a G. And also join our subreddit, just look for Smashing Security up there. And don't forget, if you want to never miss another episode of Smashing Security, subscribe in your favorite podcast apps such as Apple Podcasts, Spotify, or Pocket Casts.


CAROLE THERIAULT. And a huge, huge thank you from us for listening, for supporting us, for sharing our work with friends, family, and even enemies. Also, hot kisses to this week's Smashing Security sponsors, LastPass and Immersive Labs. Their support helps us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.


GRAHAM CLULEY. Until next time, cheerio. Bye-bye.


CAROLE THERIAULT. Bye. [Ray [REDACTED]]: Bye-bye. Now, Graham, I really, really, really do want to teach you this JingZai rhythm.


GRAHAM CLULEY. Okay? [Ray [REDACTED]]: Really, really do. Okay. So this is—


GRAHAM CLULEY. Christ. [Ray [REDACTED]]: Listen, listen. Just— I just want you to repeat after me. Okay? I just want you to repeat after me.


CAROLE THERIAULT. Okay. [Ray [REDACTED]]: 4, 4, 6, 6, 8, 8, 10, 10, 12, 12.


GRAHAM CLULEY. 4, 4, 6, 6, 8, 8, 10, 10, 12/12. [Ray [REDACTED]]: Okay. And in the United States, we put the month first. So 4/4 is April 4th, 6/6 is June 6th, right? August 8th. 4/4, 6/6, 8/8, 10/10, and 12/12.


GRAHAM CLULEY. It doesn't matter because the numbers are the same. Yeah, it doesn't matter which order you have them in. Yeah. [Ray [REDACTED]]: And they're always— those are always the same day of the week, and they're always the Doomsday. Okay. But the Doomsday is either February 28th or in leap years, 29th. And then you, you will now know where that day is on February. And you will also know 4/4, 6/6, 8/8, 10/10, and 12/12. Okay, then the other ones, the ones that you've already lost— I don't know, those are always the same day.


GRAHAM CLULEY. I don't understand. [Ray [REDACTED]]: So if I tell you 19— and if I tell you 1972 to the doomsday— I get away from this man.


GRAHAM CLULEY. I'm gonna press stop.

-- TRANSCRIPT ENDS --