
230: Flash card f-up and energy pipe pilfering


The US military has been caught exposing its nuclear weapons secrets, and we explore the world of nerdy miners.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by "Lola."

Visit https://www.smashingsecurity.com/230 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.


This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



GRAHAM CLULEY. Imagine some, uh, some ninjas came in to sort of commandeer the nuclear base, or someone like Bruce Willis, or who would it be? It'd be Alan Rickman, wouldn't it?


CAROLE THERIAULT. So Alan Rickman, when he was alive.


GRAHAM CLULEY. I hope he was alive.


CAROLE THERIAULT. It's not a Weekend at Bernie's situation. Jesus.


UNKNOWN. So, Smashing Security, episode 230, Flashcard Ransomware, Bitdefender, and energy pipe pilfering with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 230. My name is Graham Cluley.


CAROLE THERIAULT. I'm Carole Theriault.


GRAHAM CLULEY. And this week, Carole, we are joined by somebody who doesn't actually exist.


CAROLE THERIAULT. No, we have nobody this week for a number of different reasons, including childcare, I think, Graham.


GRAHAM CLULEY. That's right.


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. And so there's just a vacant seat at our virtual table today?


CAROLE THERIAULT. Well, we'll give her a name. We'll call her Lola. We don't have enough women on this show.


GRAHAM CLULEY. All right.


CAROLE THERIAULT. I mean, I know I'm here all the time, but I mean in guests, you know?


GRAHAM CLULEY. Okay, so, well, thank you, Lola, for joining us, and maybe we'll hear some more from you later.


CAROLE THERIAULT. Um, oh, I'm so excited to be here! I love Carole so much. Thanks to this week's sponsors: 1Password, Deep Security, and JumpCloud. Their support helps us give you this show for free. Now, coming up on today's show, Graham, what do you got? Flash!


GRAHAM CLULEY. Aya! Is it really great?


CAROLE THERIAULT. In English? Sorry, sorry, I just didn't understand.


GRAHAM CLULEY. I'm going to be talking about, well, not Adobe Flash, but a different kind of flash.


CAROLE THERIAULT. Okay, and I'm talking about jazz cigarettes. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, A question for you. Do you want to play a game?


CAROLE THERIAULT. Do you? Oh my God.


GRAHAM CLULEY. Do you want to play a game?


CAROLE THERIAULT. Yes, I can't wait. Play us. I'd love to play a game.


GRAHAM CLULEY. Well, no, no, those are the words, Carole. That is a famous phrase from a movie from yesteryear. It's the famous line that a computer spits out at Matthew Broderick in the movie WarGames from 1983. Have you ever seen it?


CAROLE THERIAULT. I don't know if I have.


GRAHAM CLULEY. I've never seen it.


CAROLE THERIAULT. Yeah, but I'm kind of surprised I haven't.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. I bet my husband's seen it though. He's a bit of a film buff thingy.


GRAHAM CLULEY. He would have done it. Well, in that movie, a young hacker, a teenage hacker, unwittingly accesses a US military supercomputer programmed to predict and execute nuclear war against the Soviet Union.


CAROLE THERIAULT. It's a comedy?


GRAHAM CLULEY. I don't know. I haven't seen it, Carole.


CAROLE THERIAULT. It's gotta be a comedy.


GRAHAM CLULEY. Do you think?


CAROLE THERIAULT. With Matthew Broderick? Right? How can anyone take his little face seriously?


GRAHAM CLULEY. I think you're mixing it up with Ferris Bueller. That was fun.


CAROLE THERIAULT. Yes, no, I'm not mixing it up. I know that that line is not in that movie, 'cause I've watched that movie a lot.


GRAHAM CLULEY. Well, it would be pretty dangerous, wouldn't it, if a hacker, young or otherwise, Matthew Broderick or someone else, were able to access a US military computer which had that kind of power, which was working out game plans as to how to react during the Cold War. It'd be absolutely terrifying.


CAROLE THERIAULT. You can't even tell me how they were able to access this computer in 1983.


GRAHAM CLULEY. Via an acoustic coupler, I imagine. Oh, gosh.


CAROLE THERIAULT. With a wee wee wee wee wee wee wee.


GRAHAM CLULEY. It would have just— it would have been like dialling up a bulletin board.


CAROLE THERIAULT. Of course.


GRAHAM CLULEY. I mean, I haven't seen the movie, but I'm guessing that's what happened.


CAROLE THERIAULT. The land of disinformation is closer than you think.


GRAHAM CLULEY. Listeners, I'm sure 98% of our listeners have seen the movie and would be able to confirm that I'm completely correct.


CAROLE THERIAULT. Yes, let us know. Tweet us.


GRAHAM CLULEY. And tell us we're bad for not having ever seen WarGames. And have you ever seen the movie Hackers with Angelina Jolie?


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. Oh, I haven't.


CAROLE THERIAULT. But not for a long time.


GRAHAM CLULEY. Sneakers with Robert Redford?


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. I haven't seen that one either. I think we might have to have a movie night. Anyway, listen. That was all a movie, wasn't it? WarGames. And real nuclear weapons based in countries around the world are obviously carefully secured, with their locations often kept officially secret. Now, my understanding is some people say that the reason why the locations of where nuclear weapons are held is kept secret is not so much because they really think it will be kept secret and that Johnny Foreigner won't be able to work it out, but rather that they're worried about public reaction in those countries as to how they would feel knowing that they have nuclear weapons down the end of their street. Yes. So— Obviously that potentially makes you a target.


CAROLE THERIAULT. So rather, we don't want people to know that they actually have deadly missiles in their country, 'cause that's not good public awareness.


GRAHAM CLULEY. Well, I mean, it's— Some people view it rather dimly, you know? And they think, well, we don't really want those. Yeah, weird about that.


CAROLE THERIAULT. Weird. Weird that people don't like nuclear weapons though, isn't it? It is strange.


GRAHAM CLULEY. It is strange. Very strange. Very strange. So that's the kind of information you wouldn't expect to be in the public domain. Now, there are, as we've mentioned sometimes before, some amazing wizards at Bellingcat. They're like experts at OSINT. They're experts at finding out information which you would imagine people would want to keep secret. And they were interested as to what information might be just lying around in the public domain about nuclear weapon bases across Europe.


CAROLE THERIAULT. So what, you just slap in that search term in Google?


GRAHAM CLULEY. Well, no, don't just go to Quora and ask the question, where are the nuclear weapons bases? But you're right, they did use a highly advanced tool known as Google to search the internet for certain phrases associated with nuclear weapons technology and bases.


CAROLE THERIAULT. I wouldn't know what that is. What is that?


GRAHAM CLULEY. Can you tell me? Well, they can. They came up with a number of them. Phrases like— hang on, there was PAS, which stands for Protective Aircraft Shelter, and WS3, which stands for Weapons Storage and Security Systems. Words like that and vault apparently are the kind of thing which will then reveal all kinds of information. So you're wondering, well, where is this information held? Is it on the web pages? Is it on the public official web pages of these military bases?


CAROLE THERIAULT. Yes, here's the photo gallery.


GRAHAM CLULEY. Here we are. No, it's not on those at all.


CAROLE THERIAULT. It's on Google Maps.


GRAHAM CLULEY. No.


CAROLE THERIAULT. It's on Google Maps.


GRAHAM CLULEY. It's— well, it might be by now, but no, it's on flashcards.


CAROLE THERIAULT. Flashcards?


GRAHAM CLULEY. Do you know what flashcards are?


CAROLE THERIAULT. No.


GRAHAM CLULEY. So flashcards is a way of learning dull, boring information.


CAROLE THERIAULT. Oh no, I know that. I know that.


GRAHAM CLULEY. Oh, okay.


CAROLE THERIAULT. Yeah, yeah. I know, like flashcards to learn stuff. Yes. Sorry. I thought there was some digital term.


GRAHAM CLULEY. See, I didn't know this.


CAROLE THERIAULT. Well, yeah. You only speak one language though, right?


GRAHAM CLULEY. You tell me. I can speak dolphin as well. You tell me if I've got this wrong about how flashcards work. A flashcard is like a postcard, and on one side you ask the question, and on the other side you write the answer, and then you kind of shuffle them up and you look at them and you have this repetition of— is that basically it?


CAROLE THERIAULT. Or you could have like, so if you're learning a language, you'll create some flashcards for yourself with the English word, for example, for me on one side, and then maybe the Japanese word on the other side, right? And then you can show the Japanese word to someone who speaks Japanese and you see the word that you understand and you then, and they go, "Ah-ah," or "ka-ting." Oh, I like the noises.


GRAHAM CLULEY. That's interesting 'cause I heard that Duolingo have a flashcard app. And of course—


CAROLE THERIAULT. Oh, I don't know about apps. I've never done it with apps.


GRAHAM CLULEY. Well, there are flashcard apps as well.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. For people who don't wanna carry around lots of postcards, I guess.


CAROLE THERIAULT. My husband made one out of a cornflake box actually. He still has it to this day. He made it when he was about 12.


GRAHAM CLULEY. What, to learn what?


CAROLE THERIAULT. Some language. I don't know, one of the 15 languages he speaks.


GRAHAM CLULEY. Probably Elvish.


CAROLE THERIAULT. No, no, no. He's cool. Come on.


GRAHAM CLULEY. Wookiee. Okay. So, so there are flashcard apps out there and it turns out that soldiers and contractors, people who are working in military bases, need to know a lot of information and they need it at their, well, their sort of mental fingertips, if you can imagine mental fingertips. So they need to have it top of their brain. And the way in which they learn these things is by using flashcard apps. There's one called Cram and one called Chegg.


CAROLE THERIAULT. Right, so if you were a student, you would totally know about these, right? Well, yeah, right, right, right.


GRAHAM CLULEY. And so they, they just plugged in this information which they needed to know into these flashcard apps, and then along comes the Bellingcat group with a copy of Google, and they're searching, and they find themselves on public flashcards related to nuclear weapon facilities.


CAROLE THERIAULT. Wow. I was just going to ask, okay, give me a name of one of these apps and I will check it up on the App Store just to see what they're—


GRAHAM CLULEY. There's one called Cram, C-R-A-M.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. And there's Chegg with a double G, C-H-E-G-G. Yeah.


CAROLE THERIAULT. Flashcards with Cram. Okay. I'm going down to their security stuff.


GRAHAM CLULEY. All right.


CAROLE THERIAULT. Okay. No details provided. The developer will be required to provide privacy details when they submit their next app update. So there you go. Interesting. And the other one was Chegg.


GRAHAM CLULEY. Chegg with two Gs, as in Cheggers.


CAROLE THERIAULT. I've heard of that, actually. Okay. Yeah. It's called, it's called Homework Help. Oh, wow. Data linked to you: purchases, user content identifiers, diagnosis, contact info, search history, usage data, and other data. So, well done, guys.


GRAHAM CLULEY. So there's a fair amount of information which you reckon at least Chegg is collecting from its users. But this, these flashcards are of course information which people have entered into the app.


CAROLE THERIAULT. Yep.


GRAHAM CLULEY. To use as flashcards and—


CAROLE THERIAULT. And they haven't turned off the make private only to me.


GRAHAM CLULEY. Hahaha. Well, this is the thing.


CAROLE THERIAULT. I'm guessing. I'm guessing.


GRAHAM CLULEY. It turns out that many of these flashcard apps appear to be public by default. Yeah. So when you put the information in them. So let me give you some examples of the kind of information which people were putting into their flashcards.


CAROLE THERIAULT. It won't mean much to me, but let's just try.


GRAHAM CLULEY. So it wasn't just the names of bases, but also details of the exact shelters which had so-called hot vaults. And hot vaults are those which are likely to actually contain the nuclear weapons. So you may have a site with a number of shelters, but the hot vaults are the ones where the nukes are kept, right? They also put on the flashcards the position of security cameras.


CAROLE THERIAULT. What do you mean they put the position? They took photos?


GRAHAM CLULEY. So, no, no, no.


CAROLE THERIAULT. And someone was able to work out the position?


GRAHAM CLULEY. No, they would put on one side of the digital postcard, they would put, where are the security cameras? And on the other side, they would put, well, we've got one on the north perimeter wall, 38 metres along.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. And we have another one here. So anything which they felt they needed to know.


CAROLE THERIAULT. So these are people working there, and they need— they're going to have an exam, or they're going to be tested, and they need to know all this information.


GRAHAM CLULEY. They feel they need to know the information in order to do their job properly. Can I tell you some more things they put on these flashcards?


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. The frequency of security patrols around the vaults. The secret words that guards could use if they were being threatened or under duress. Imagine some ninjas came in to sort of commandeer the nuclear base, or someone like Bruce Willis, or who would it be? It'd be Alan Rickman, wouldn't it? So Alan Rickman coming in.


CAROLE THERIAULT. When he was alive, I hope.


GRAHAM CLULEY. When he was alive.


CAROLE THERIAULT. It's not a Weekend at Bernie's situation. Jesus.


GRAHAM CLULEY. So if they've got a gun against a guard's head, right? The guard, if he has to radio into HQ, if he uses a word like pom-pomoose or something like that, that would indicate that he was being threatened, right? And Saint was going down.


CAROLE THERIAULT. Yeah, yeah, yeah.


GRAHAM CLULEY. But this way, the baddies know what those words are.


CAROLE THERIAULT. Don't they do this in adult playtime as well?


GRAHAM CLULEY. I'm not sure it's the same as safe words, Carole. Okay. You mean like when people are nailing parts of their partner's anatomy to a plank of wood?


CAROLE THERIAULT. I wouldn't know. Carry on.


GRAHAM CLULEY. If you just say an ouch, that's not good enough. You have to say pom-pomoose. And also what to yell at intruders in their local language to make them stop. Because it may be a US service.


CAROLE THERIAULT. I understand though. I get it.


GRAHAM CLULEY. I get it.


CAROLE THERIAULT. They are trying to learn all this stuff and they're like, I can't cram this in my head. I need help. Why use pen and paper, right?


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. I've got this computer, this supercomputer in my hand.


GRAHAM CLULEY. Yeah. And I've got it all the time with me. If someone asks me a difficult question, I can nip off to the loo, quickly look at my phone, and then I know the answer again.


CAROLE THERIAULT. Yep.


GRAHAM CLULEY. So Bellingcat were able to discover cards used by military personnel serving at all 6 European military bases reported to store nuclear devices.


CAROLE THERIAULT. Oh, fuck. You know what? I really feel for the kids though that are being absolutely bombed out right now.


GRAHAM CLULEY. It's not kids, bro. They're not being protected by kids. They haven't got—


CAROLE THERIAULT. What? I don't mean children. There aren't that many toddlers. I just mean younger than me, probably.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Younger than you. Okay. That's a much bigger— Age range, yes. So some of these personnel were storing huge amounts of information. One guy noted down over 100 things he had to know regarding his job, including the location of modems that connected vaults to the monitoring facility. Not only where the security cameras were, but their line of sight. Yeah. You know, which way they were pointing and how passwords should be chosen and usernames and some of the rules regarding that as well. Some of these had been available and publicly visible online, going back as far as 2013.


CAROLE THERIAULT. Jesus. So this is down to bosses, isn't it? Down to the head honcho going, "You better know every single thing about this facility. I mean the camera light. I mean what you see. I mean how many people in the room every single time." Or whatever, whatever, whatever, on and on. So they're like, "Fuck, fuck, fuck, fuck." And then they, yeah. So who is really at fault here?


GRAHAM CLULEY. So your solution, Carole, is that the sergeant majors or whoever should just be much nicer and fluffier. And just say, "Oh, there, there, don't worry about it. Nuclear weapons. Give them a call. You don't have to learn too much."


CAROLE THERIAULT. And say, don't store any of this shit on your phone anywhere. I would kind of think that had been around for a while. That's what I think is most shocking about the story. No?


GRAHAM CLULEY. I'm sure they're making that point now. But the thing is, even when people are told not to do things for the sheer convenience, if they are cramming for a test or if they're worried that—


CAROLE THERIAULT. No, no, no. If you're working for nuclear weapons and say, do not put any fucking thing on your phone, you wouldn't. Unless you're a dweebo, I think.


GRAHAM CLULEY. Well, in the past, Bellingcat have, for instance, they've found out where sporty personnel were running around the base, the perimeter of bases, haven't they? They've looked at things like, was it Strava, which they were able to find people's public routes? There's all kinds of information. There was even that beer app as well. I think we've spoken about this before. Favorite beers which military personnel were drinking.


CAROLE THERIAULT. It's kind of scary though, right? All these people are walking around with all that information as well. Yes.


GRAHAM CLULEY. And then have posted it publicly on the internet. And some of them—


CAROLE THERIAULT. No, they didn't mean to. They didn't mean to. Come on. You don't think anyone did this on purpose?


GRAHAM CLULEY. Well, I suppose.


CAROLE THERIAULT. No, I don't think so.


GRAHAM CLULEY. Right?


CAROLE THERIAULT. And none of them are experts in cybersecurity. So get off, you know, let's be a little gentle here.


GRAHAM CLULEY. Okay. Yeah, yeah. I'll think much more kindly as the nuclear weapon begins to—


CAROLE THERIAULT. You won't have time to think if that happens. Don't worry, baby.


GRAHAM CLULEY. Now, some of these flashcards had usernames associated with them, some of which were the full names of the individuals who created them. Some even had avatars which were the same image these people were using on LinkedIn. So again, there's all kinds.


CAROLE THERIAULT. I wonder how many stupid things I have somewhere that are defaulted to public and I have no idea that I don't even play with anymore, right? Like from the olden days, I have no idea. I wouldn't, how would one go about checking that? You don't even know.


GRAHAM CLULEY. Carole, I wasn't planning to reveal this for another few months or so, but I've been working on a project for the last couple of years, spotlighting you and your online activity.


CAROLE THERIAULT. Stalking me? You mean?


GRAHAM CLULEY. Collecting information.


CAROLE THERIAULT. Right. Great. Everyone heard that. Good.


GRAHAM CLULEY. Anyway, Lola, what have you got for us this week?


CAROLE THERIAULT. Let's just go to Carole. She's so smart.


GRAHAM CLULEY. Okay. Carole, what have you got for us this week?


CAROLE THERIAULT. Okay, Graham, first I need your help. I need you to describe to me what an English nerd is.


GRAHAM CLULEY. An English nerd?


CAROLE THERIAULT. If I say the word nerd, what does that mean to you?


GRAHAM CLULEY. Someone who's maybe really keenly enthusiastic about a particular niche topic. Like, you could be a sort of like a sci-fi nerd.


CAROLE THERIAULT. Socks.


GRAHAM CLULEY. Socks?


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Well, I think what you're thinking about there is a fetish, not a— But yes, you know, it would be like you could be into science fiction and fantasy, or you could be into a Game of Thrones nerd, or you could be into, um, oh, I don't know, uh, Trainspotting or something like that. That would all kind of—


CAROLE THERIAULT. Right, into something is your definition?


GRAHAM CLULEY. Yes, I mean, fairly, fairly harmless, I would say, you know.


CAROLE THERIAULT. Okay, what about a geek? Oh well, nerd and geek, what's the difference?


GRAHAM CLULEY. I think there is a difference. I think geeks tend to be more into technology, so in a way, they could almost be a subset of nerd. I think there's some overlap. There's a bit of a Venn diagram going on.


CAROLE THERIAULT. Venn diagram. Love that. Okay, okay, cool. So that's interesting. And let's put that in our back pocket for this story because we are heading to a Tipton industrial estate. Now, this is about 30 minutes northwest of Birmingham in the UK. And this particular industrial estate is called Great Bridge. Actually, why don't we go to Great Bridge Industrial Estate, Graham? Why don't you come along with me?


GRAHAM CLULEY. Am I allowed to under lockdown? Is this allowed? Okay, here I am. Okay, I'm here. I'm at like a Street View thing.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. There's an articulated lorry.


CAROLE THERIAULT. Right. You've got to imagine it's kind of like just lots of buildings, lots of trucks, a lot of cars, a lot of working people.


GRAHAM CLULEY. It's actually on— it's on a street with some fairly ordinary looking houses. Yeah, it's, it's, you know, it's not, it's not a wasteland, is it?


CAROLE THERIAULT. No, it's not a wasteland.


GRAHAM CLULEY. No, despite being near Birmingham.


CAROLE THERIAULT. Whoa, sorry, Brummie friends. Okay, so, so now you've got our scene, right? This is the scene. Now the cops get a tip-off or two that not all is right on this industrial estate. One of the empty units, it seems, was getting a heck of a lot of foot traffic.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. And one anonymous owner of a unit nearby said there were 3 men who looked a bit nerdy and dodgy, had been coming to this empty unit on and off for around 8 months.


GRAHAM CLULEY. Is it possible to look nerdy and dodgy?


CAROLE THERIAULT. So what could they be doing in there? Like, these aren't kids as far as we know, so they're going into a lock-off. And according to the police tip-off, it was being used as a jazz cigarette farm.


GRAHAM CLULEY. Oh, the old Mary Jane.


CAROLE THERIAULT. The old Mary Jane. Hmm. So the West Midlands cops, being pretty modern, sent over a drone.


GRAHAM CLULEY. Oh, that's so cool.


CAROLE THERIAULT. And guess what? The drone records a sizable heat source from the unit. And that ties totally with growing Laganja indoors because you need to use things like heat lamps, which produce light and— Heat.


GRAHAM CLULEY. It could just be bad air conditioning or something, couldn't it?


CAROLE THERIAULT. It could be. I'm imagining if it was like 22 degrees, they probably wouldn't have done anything with it. But maybe if it was like belting it out.


GRAHAM CLULEY. Right. Okay.


CAROLE THERIAULT. So, so based on the information they were able to collect, the police organized a forced entry event.


GRAHAM CLULEY. A forced entry event.


CAROLE THERIAULT. That's— yeah, that's what the Birmingham Mail called it. A forced entry event. So this was for the 18th of May.


GRAHAM CLULEY. Why don't they just call it a raid?


CAROLE THERIAULT. It's a raid, right?


GRAHAM CLULEY. They call it a forced entry.


CAROLE THERIAULT. It's a raid. It's basically where they show up unannounced and bust in like Arnie.


GRAHAM CLULEY. That's so typical of the police. We initiated a forced entry event. No, we didn't. We went round with a sledgehammer.


CAROLE THERIAULT. Yeah. Not a sledgehammer. One of those doorbuster things. Those incredible things.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Now, of course, they're going in and they're expecting to find a unit full of Mary Jane. Maybe 3 stoned-out nerds in the corner. In a heap. But instead they find this. Now let me see if I can share this with you.


GRAHAM CLULEY. Oh, look at this. So what we've got here is racks and racks of— oh, racks and racks of computing stuff.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. With some big heavy fans attached to them. Probably to try and keep them cool.


CAROLE THERIAULT. Look at those. Doesn't it look like a sci-fi program? The ginormous extractor, like the— what are they called, those extractor fan tubes? Huge, huge tubes going out.


GRAHAM CLULEY. Well, I think I know what this is, Carole.


CAROLE THERIAULT. Oh, have you figured it out?


GRAHAM CLULEY. I think I have. I think this is a cryptocurrency mining rig, isn't it?


CAROLE THERIAULT. Exactly. So it's currently in the press, suspected illegal crypto mining rig, right? And it's made up of about 100 computer units. Can you imagine the noise from that?


GRAHAM CLULEY. Hang on, how is this illegal? Why is it illegal to have a cryptocurrency mining rig?


CAROLE THERIAULT. Well, it's not illegal to have a crypto mining rig. It's illegal to steal someone else's electricity to do it. This is not their unit. They actually dug underground to connect themselves to the energy pipe.


GRAHAM CLULEY. The energy pipe.


CAROLE THERIAULT. The energy pipe.


GRAHAM CLULEY. They didn't just use an extension lead from next door and trail it out the window into their unit.


CAROLE THERIAULT. So they dug down. They dug down to get access to electricity. And now, according to MailOnline, they say that they probably stole around £16,000 worth of electricity to keep this running.


GRAHAM CLULEY. Because isn't this the problem with crypto mining? Is that you spend more money running your mining rig than you manage to make from actually mining the cryptocurrency because of the costs of the electricity.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Let's explain that actually. So the mining process requires computers to complete rapid calculations to solve the same puzzle. So all the computers are competing to solve the same puzzle, and it always takes 10 minutes. And the winner that managed to do the puzzle is rewarded a tiny amount of digital bitcoin, and then a new puzzle's generated and the whole process repeats itself every 10 minutes. Now, the more people mining, the harder the puzzle gets, which means it takes more electricity to run the calculations. So Graham, you're absolutely right. In countries like ours and the UK, you ain't gonna make a huge chunk of change if you're paying your leccy bill. But apparently most of the mining, according to Statista, is done out of China. 65% is done there, whereas apparently only about 7% is done in the US and Russia. Anyway, so they were illegally snarfling leccy without paying for it to the tune of $16K, if you believe the MailOnline.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. The Beeb did say that inquiries of the local electricity distribution network, Western Power Distribution, found an illegal connection to the electricity supply. But I'll tell you what I think is super weird by this picture. Now, I'm not a pot farmer. I've never been a pot farmer. I've never even visited a pot farm. But it seems to me from the pic that there's a heck of a lot of ventilation ducts.


GRAHAM CLULEY. There are. It's huge. Yes.


CAROLE THERIAULT. Right? Like they're massive.


GRAHAM CLULEY. Yes. They do.


CAROLE THERIAULT. And the idea is, I thought if you're farming something indoors like pot, you want the heat. You don't extract the heat. Right. Right. It's kind of like whacking up the heat in your house and keeping the windows and doors open all the time.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. You want it to be a greenhouse, I imagine. Yeah.


CAROLE THERIAULT. And you have heat lamps to provide light and heat. So I'm not sure how they thought it would be a pot thing. I mean, what was the stink of pot around? Like, I don't—


GRAHAM CLULEY. Yeah, I imagine there's still— what I mean, even though they have all the ventilation there, I imagine it was still quite warm in there with that many computers whirring away.


CAROLE THERIAULT. Graham, I just had a serious, serious brain fart. If you lived in a place, right, where farming pot was legal, couldn't— and electricity was cheap— couldn't you combine your efforts have the crypto mining process going on generating tons of fucking heat and then smoosh that heat over to your pot plants so they can get all— Do you see what I'm saying here? Wouldn't it be great?


GRAHAM CLULEY. Yes, I've just trademarked it. Thank you for that suggestion. That's genius.


CAROLE THERIAULT. There you go. Everyone can have that for free because I'm a citizen of the world.


GRAHAM CLULEY. That's incredible. Chums, chums, if you remember one thing from today's episode, it should be to check out the leading cloud directory platform, JumpCloud. JumpCloud's directory platform makes it easier to solve today's IT challenges by unifying device and user management through a single pane of glass. With JumpCloud securely managing your users and their devices, doing common things like onboarding and offboarding remote workers is easy. Try JumpCloud for free today at smashingsecurity.com/jumpcloud and help your organization move to a modern, secure, hybrid work model.


CAROLE THERIAULT. Deep Secure Threat Removal is a very cool product which takes incoming poisoned Word documents, booby-trapped PowerPoint slides, and the like, and creates brand new files with just the good stuff and none of the bad. It is a neat way of handling brand new threats coming into organizations via web, email, or file sharing, and it can run along your existing antivirus. Threat Removal gives you the good stuff by delivering files that are 100% threat-free, fully functional, and fully revisable. Adding Threat Removal to your defense can help you reduce administrative costs as it doesn't require signature updates or security patches and reduces the time your security team spends on false positives and remediation. Visit deep-secure.com/smashingsecurity. That's deepsecure with a hyphen dot com smashing security for more information and to set up your free trial today. And deep thanks to Deep Secure for sponsoring the show.


GRAHAM CLULEY. Around 80% of business data breaches result from weak or reused passwords. Using 1Password can close the gaps in your company's security, combat shadow IT, and help your employees stay both productive and secure wherever they are. 1Password makes the secure thing to do the easiest thing to do. Quickly deploy 1Password to a single team, multiple teams, or your entire enterprise. Provision employees using trusted systems, respond rapidly to domain breach reports, and offer every business user a free 1Password Families account for work-from-home security. Find out more and try 1Password for free for 14 days at 1Password.com. And thanks to 1Password for supporting the show. And welcome back, and you join us for our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week. Pick of the Week.


GRAHAM CLULEY. Thanks, Lola. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Now, my pick of the week this week is not security related. My pick of the week this week is to do with magic.


CAROLE THERIAULT. You didn't even choose a pick of the week for me that I would like.


GRAHAM CLULEY. I'm sorry.


CAROLE THERIAULT. I'm just, I'm here on my own.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. Magic.


GRAHAM CLULEY. Oh no, you'll like this.


CAROLE THERIAULT. Oh, I will?


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Okay, okay, okay.


GRAHAM CLULEY. This is about— well, I would hope you would. This is about an extraordinary magician called David Berglas. He's still alive. He's 94 years old. Good for him. And he invented—


CAROLE THERIAULT. He's made it.


GRAHAM CLULEY. He has made it. And he invented an incredible card trick, which has become known as the Amazing Berglas Effect. Now, this particular trick which he does is that there's a type of magic trick called any card, any number, right? But he does it in an incredible way. It works like this. He has a pack of cards which he doesn't touch. He gets someone in the audience to say a card. Say a card, any card you like. Are you sure you want that card? You choose whatever card.


CAROLE THERIAULT. Okay, Queen of Hearts. Queen of Hearts.


GRAHAM CLULEY. Then he goes to someone else, like Lola. Hey Lola, say a number between 1 and 52.


CAROLE THERIAULT. 12.


GRAHAM CLULEY. Thank you, Lola. So we've got the Queen of Hearts, and we've got the 12. And then somebody picks up the pack of cards, not him, he hasn't touched the cards. And they take each card from the top of the pack one by one, and they turn it over face up, going 1, 2, 3, 4, blah blah blah. They get to number 12. They turn over number 12. And what card is it?


CAROLE THERIAULT. I don't know.


GRAHAM CLULEY. It's the Queen of Flippin' Hearts.


CAROLE THERIAULT. Of course it is. And is that because people are in on it?


GRAHAM CLULEY. No, that's the thing, Carole. There are no stooges.


CAROLE THERIAULT. Okay, but it's a trick. It's a trick.


GRAHAM CLULEY. It's more than a trick. It's an incredible card trick.


CAROLE THERIAULT. Okay, it's an incredible card trick. But the key word here is trick.


GRAHAM CLULEY. Well, of course.


CAROLE THERIAULT. Does he tell us what it is?


GRAHAM CLULEY. No, he does not. And he never has. He's never explained it. And other magicians have been spending the last 50-odd years scratching their heads, trying to work out how this is done. There are variations on the trick, but no one else seems to quite do it without rigging the cards or touching the cards.


CAROLE THERIAULT. It's called a trick for a reason.


GRAHAM CLULEY. It is called a trick. Now, that trick— Okay, so there are ways of doing it without rigging the cards, right?


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. If you had Derren Brown-style mental skills to influence people—


CAROLE THERIAULT. What, like a psychological abuser?


GRAHAM CLULEY. If you were able to influence the people in the audience to saying a particular number or choosing a particular card, then that would go some way towards doing the trick, right?


CAROLE THERIAULT. Well, the whole way if you were really good at it.


GRAHAM CLULEY. You'd have to be really good at it.


CAROLE THERIAULT. You're like, "Oh, a dozen eggs. Oh, look, a dozen doughnuts. Give me a number." 12.


GRAHAM CLULEY. Carole, what if the pack of cards is also shuffled by somebody else?


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Right. Now I think you're really impressed. Now, there's a great article about this in The New York Times, all about the Berglas effect, where they went and interviewed David Berglas, who is living in London these days. And an interesting chap he seems to be as well.


CAROLE THERIAULT. He's 94 now though, right?


GRAHAM CLULEY. He's 94 now, yeah. But there are videos of him online, and I'm going to also link in the show notes to a video where you see him doing the trick. I think it's actually a school. He's— I think it's like a fundraiser for a school event where he's doing it. He's come out of retirement. He's been retired for 20-odd years. He comes out of retirement and he does this trick and other tricks as well. And this particular video is commentated by other magicians who are just sitting there in awe on an hour of watching David Berglas going, "This is incredible." That's because they want—


CAROLE THERIAULT. They want the secret. Maybe he's saying, you know, they have to stand in awe because maybe they want to inherit all his tricks.


GRAHAM CLULEY. And so, they're sitting there 'cause it's nightfall, and they're like, "Wow, he's amazing!" Well, the thing is, normally in the magic community, magicians do quite often share with others details of how they do their tricks. And there's plenty of YouTube videos showing other ways to do this particular trick. But no one does it quite like David Berglas, because no one can work out quite how he does it. So that is my pick of the week.


CAROLE THERIAULT. Down and out.


GRAHAM CLULEY. Lola, have you got a pick of the week?


CAROLE THERIAULT. I'll just pass on to Carole, 'cause she's so great.


GRAHAM CLULEY. Okay, Carole. Maybe you can pick up the tab here.


CAROLE THERIAULT. So my pick of the week is, surprise, surprise, surprise, a podcast.


GRAHAM CLULEY. Oh, lovely.


CAROLE THERIAULT. You know it, Graham, 'cause I got you hooked, I hope, called West Cork.


GRAHAM CLULEY. Oh, yes.


CAROLE THERIAULT. By Yarn FM. Now, I'll give everyone the premise first, right? And then we can discuss it. Okay, so 1996. 1996, French film producer Sophie Toscan du Plantier is found dead near her holiday home in Ireland, near Cork. There are no witnesses and no known motive, but police suspect one man in the community, but they can't make the charge stick. And you'd think that people in that situation would just leave town. Because everyone thinks you're a murderer. Yeah, yeah, suspect. But he refuses to leave. So the documentary has been made by Sam Bungey. He's a Guardian, Daily Beast journalist, and his wife, TV documentary maker Jennifer Forde. Um, and it was published in 2018 but only on Audible, but earlier this year it was made freely available to everybody on iTunes and Spotify. So Graham, where are you? I finished it this morning.


GRAHAM CLULEY. Have you?


CAROLE THERIAULT. 14 episodes.


GRAHAM CLULEY. Yeah, I have just finished episode 7.


CAROLE THERIAULT. Right. Okay. And what are you thinking so far? What makes this interesting, if at all?


GRAHAM CLULEY. Well, it was a bit of a slow burner for me, to be honest. I think I had to listen to probably 2 or maybe 3 episodes before I was hooked.


CAROLE THERIAULT. Yep.


GRAHAM CLULEY. But once that had happened—


CAROLE THERIAULT. As soon as you meet the suspect.


GRAHAM CLULEY. Well, this is the thing, because this chap, as you mentioned, who stayed in West Cork despite the murder 25-odd years ago, he participates in the podcast. Yes. And you're listening to him. Yes. And how can I put this? He's not very likeable.


CAROLE THERIAULT. Right?


GRAHAM CLULEY. You're listening and you're thinking, I'm trying to keep an open mind here, but I'm kind of thinking it's kind of plausible you might have done it, mate.


CAROLE THERIAULT. Yeah. It makes you realise though, if ever you're in a court of law and you've got jurors that are making the decision for you, be likeable.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Because it really does impact your side. Yes. So, I feel very similar to this as I did Wiener Gate and Staircase, where you had like the, you know, both utterly delicious documentaries, listeners, but where the key protagonist is also the person who is the commentator or they participate in the documentary. Yeah, but they're also the key.


GRAHAM CLULEY. Yeah, it's almost central to the whole, the whole documentary. Yes, both of those were great.


CAROLE THERIAULT. The main dick of the story, if you will.


GRAHAM CLULEY. Now, now.


CAROLE THERIAULT. Yeah, that was for wiener.


GRAHAM CLULEY. Because I thought that with this particular chap, it seems like he almost craves the— Although he complains constantly, you know, "Nobody likes me," and all the rest of it, he kind of can't resist it, can he? He likes the notoriety, I think. He likes the attention.


CAROLE THERIAULT. I think I can say this. I'll say this, and then you tell me if I have to take it out or not. But one thing I think I can give away, because it's given away quite early in the pod, is that he is also the main journalist in the area covering the murder story locally. Yeah, and he is basically meeting with the cops and having interviews, and then he's reporting on, on that, but he's never declaring that he is actually being interviewed by the cops. Freaky. That's what got me hooked with that, when I was like, oh, this is now super interesting.


GRAHAM CLULEY. Imagine if Elon Musk had been killed in some bizarre ritual sacrifice thing.


CAROLE THERIAULT. You'd cry for days.


GRAHAM CLULEY. And no, I would not. And then Rory Cellan-Jones was reporting on it for the BBC. And then it emerges that Rory had been hanging around with him or had some sort of interest in Elon Musk, maybe researching his new book. And it's kind of like, oh, interesting. But of course, Rory's really likable. I don't want to suggest that.


CAROLE THERIAULT. It's like, it's like Rory being, being the cop saying to Rory, hey, we think you did it. And then he's reporting on it going, you won't believe it.


GRAHAM CLULEY. They found a suspect.


CAROLE THERIAULT. It's crazy. Anyway, really fascinating. They're apparently making 3 movies of this. 3 different houses are making movies of this, and some might be already published, some are soon to be published.


GRAHAM CLULEY. Yeah, I heard there's a Netflix show about to come out.


CAROLE THERIAULT. Yeah, there's 2 more. Anyway, so I don't know. I quite like it, and I like the pacing of it a lot as well, and I think he's quite an interesting character. So it's called— West Cork by Yarn FM, and you can find it wherever you get your good podcasts, or maybe just on Apple and Spotify.


GRAHAM CLULEY. It's not a great name for a podcast, or is it?


CAROLE THERIAULT. I remember it. There's many I don't remember.


GRAHAM CLULEY. You don't? Yeah, but you don't see the name and, you know, you know.


CAROLE THERIAULT. Yeah, but there's so many like death, you know, blah blah, like, I don't know. I like it.


GRAHAM CLULEY. I like it. Okay. All right, excellent. Well, that just about wraps up this very special show. Um, Lola, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?


CAROLE THERIAULT. Just listen to Sticky Pickles.


GRAHAM CLULEY. And you can follow us on Twitter @SmashinSecurity, no G, Twitter won't allow us to have a G, and we're also up on Reddit as well. Don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.


CAROLE THERIAULT. And huge thank you to this week's episode sponsors, 1Password, JumpCloud, and Deep Secure, and to our wonderful Patreon community. It's thanks to all of them this show is free. For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 229 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio, bye-bye, bye! Oh, nicely done, Lola. Hey, that wasn't too painful for you, I hope.


CAROLE THERIAULT. She checked out. Oh, she's probably drunk already. She's probably on the jazz cigarettes. She got excited when I told my story. Hello, Carole Theriault here from Smashing Security. More enchanting news for you. So, wanna know how many reviews we've received worldwide to date? According to Chartable, we have received a whopping 586 ratings. About 99% of them, 5 stars. And no one can sneeze at that. So let's highlight Obi-Wan Kenobi. They write, so glad I found this podcast just before lockdown. Listened to one, instantly hooked, then caught up on the 150+ I had missed, often binge listening to 6+ a day whilst working from home. Who knew the world of cybersecurity could be so entertaining? Keep up the good work. We will, and we salute you, Obi-Wan Kenobi. In fact, we salute you all for listening, for supporting us, for just being alive, really. I mean, you know, sometimes it can be pretty cool. Anyway, buckets of love and keep them coming.


GRAHAM CLULEY. Oh!

-- TRANSCRIPT ENDS --