
247: Rickrolling submarine secrets


A married couple are accused of selling nuclear sub secrets, Facebook continues to make young lives a misery, and a school hacker lets loose one heck of a prank.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Visit https://www.smashingsecurity.com/247 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Maria Varmazis.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.

GRAHAM CLULEY. Peanut butter is fairly toxic isn't it? It is a bit like plutonium. It does have a half-life, peanut butter doesn't it?


CAROLE THERIAULT. I can't imagine that does any good for the actual device inside. It's wrapped in plastic. Oh, not the sandwich. Well maybe the sandwich. I mean also maybe the sandwich. Okay, I honestly, okay, you know what?


MARIA VARMAZIS. I feel like we need to do a Smashing Security investigate segment where we re-enact this.


GRAHAM. Hello, hello, and welcome to Smashing Security, episode 247. My name's Graham Cluley.


CAROLE. And I'm Carole Theriault.


GRAHAM. And this week on the show, Carole, it's a returning guest. It's the fun-time family favourite that is Maria Varmazis. Wow. Sorry, Maria. Wow.


MARIA. Thank you. Fun time favourite. Fun time family favourite. No, fun time family favourite.


GRAHAM. Fun time family favourite. Your children love me. Well, everyone loves Maria, don't they? No. I love Maria. I can't speak for anyone else, but I do.


CAROLE. I can't speak for anyone else, but I do.


MARIA. I can tell you definitively, there are people who definitely do not like me. If only my life was that everybody liked me.


GRAHAM. On that cheery note, should we get on with the show?


CAROLE. Yeah, let's thank this week's sponsor, 1Password. It's aboard to help us give you this show for free. Now, coming up on today's show, Graham, what do you got?


GRAHAM. I'm going to be going deep down underwater, investigating submarines and secrets. Everyone picture it, Graham and goggles. Maria, what about you?


MARIA. There's this thing called Facebook. I don't know if you've heard about it. Might be talking about it. Yeah. Okay.


CAROLE. And I'm going to be visiting a teen who tries to teach us all a big lesson, and all this and much more coming up on this episode of Smashing Security.


GRAHAM. Now, chums, how good are you at keeping secrets?


CAROLE. Garbage. Absolute garbage. Yeah. I don't know. I think that's a really hard question. I think most people think they're great at it, but people aren't. I like to think I'm great at it.


GRAHAM. Right. Okay. It depends on the secret, though. Yeah, it does, doesn't it?


CAROLE. I put my own judgment on it. And then that's not necessarily the judgment of the person who told me.


GRAHAM. No, that's a problem, isn't it? Because you might think it's less of a secret than someone else. Someone may be really particular about you not revealing their habit when it comes to toenail clippings or something like that. And you just think, well, that's harmless. I can tell my friend Bruce about that. And before you know it.


CAROLE. Yeah, it turns out they were dating and Bruce doesn't want to date him anymore. The toenail issue. And you screwed everything up.


MARIA. That sounds like a sticky pickle. I'm just putting it out there. Make a note. Make a note. You were wondering when it was going to happen. I know somebody was wondering.


GRAHAM. Well, talking of toenails. We weren't, but okay. Well, I want to talk to you about Jonathan and Diana Toebbe. I don't know how to pronounce this. Maria, you're an American. Here is how their surname is spelt. You just simply don't have surnames like this in England. Okay. T-O-E-B-B-E.


MARIA. Toebbe? Toebe? Toe? I have no idea. I'm going to guess it's Toebbe.


GRAHAM. Toebbe. It's a weird way of spelling Toebbe, though, isn't it? It's the best way for the show. Toebbe. Okay, let's say Toebbe. Jonathan and Diana Toebbe from Annapolis, Maryland. Or is it Maryland?


MARIA. Maryland. Maryland. Now I'm pronouncing it weird. Maryland.


GRAHAM. Maryland. Maryland. Why do you keep repeating it? Maryland. Maryland. They were arrested last Saturday and they stand accused of selling some secrets. They gave away some secrets, albeit for money. Highly restricted information about a highly sensitive subject. The sensitive subject was the design plans of a nuclear-powered submarine.


CAROLE. So who are these people? Would they just grab these off a web page?


GRAHAM. No, no, no, no, no, no, no, no.


MARIA. We found these on Pinterest. Yeah. Chair. Love it. They're on my inspo board.


GRAHAM. Jonathan Toebbe, he actually works for the U.S. Navy, specifically as a nuclear engineer inside their nuclear propulsion program.


CAROLE. So he actually knows a thing or two about these things.


GRAHAM. Yeah, I'm imagining he's someone a bit like Scotty on the Enterprise with the dilithium crystals. He's the guy. Yeah, he is the man. If you want the engines to work, he's the guy that you go to. And he's got to say.


CAROLE. Can't he push it harder, Captain?


GRAHAM. Engines cannot take it, Captain. It's actually quite a convincing accent.


MARIA. Yeah, you took me there.


GRAHAM. Now, he had all kinds of top-level national security clearance, which gave him access to restricted data, including information related to the Navy's nuclear propulsion systems, sensitive design information, et cetera. Now, if you had that kind of access to that kind of information, who would you sell it to? Who would you sell the top secret information to?


MARIA. Did I value my life or no? I mean, God, I'm a good American. Selling it to anybody would not.


GRAHAM. Yeah. Who'd be interested in a submarine? Who would you sell it to, Graham? Oh, back at me, eh? I think maybe, well, there's a few contenders. Really? Submarine designers. I'm thinking Elon Musk. He might want a personal nuclear submarine. Ringo Starr, of course. He's very keen on submarines as well. I'm not sure who else.


CAROLE. Basically you're telling everybody your ethic level is about zero out of ten.


GRAHAM. Oh, I see. Because they're secrets, you don't think I should sell these? Well, probably not, because I would get into a bit of bother, wouldn't I, if it was...


MARIA. Probably not. A bit of bother. Nuclear submarine.


GRAHAM. Well, according to the authorities who arrested the Toebbes, Jonathan Toebbe sent a package to an unnamed foreign government. So he parceled up some information. It contained some restricted Navy documents and also instructions on how to open a secure channel for further communication with him. And he wrote in this, he wrote a little note. He said, please forward this letter to your military intelligence agency. I believe this information will be of great value to your nation. This is not a hoax.


CAROLE. OK, so he didn't sell it. He handed it over.


GRAHAM. Oh, well, at this stage, he's just opening up the communications and I've got something. Oh, I see.


CAROLE. Saying, here's a little taster. If you want more, then get in touch. Get some wonga and call me up.


GRAHAM. Right. You know, contact me on my ProtonMail address or something. Oh, my God. And we'll speak that way. Now, he sent this to this foreign government, which hasn't been named on April the 1st, 2020, which I think if you're trying to convince someone something is not a hoax.


MARIA. This is definitely real perhaps wasn't the best timing.


CAROLE. Actually that's very smart from a liability standpoint if he does get caught right this could be one of his arguments going well I did send it on April 1st of course it was.


GRAHAM. A joke oh he's pulling an April fool on the FBI and the U.S. Department of Justice that's.


MARIA. No take-backsies. Don't know if you know, but that's admissible in the court of law. They say, oh, it's the April 1st offense. Well, we got nothing.


GRAHAM. I was robbing a bank, but it was April the 1st. So it's all just a bit of fun. Of course I was.


CAROLE. Going to give the money back. Ha ha, just kidding. Gotcha. I can't wait to hear how the wife gets involved in this.


GRAHAM. Well, the Toebbes thought everything was going really well. But unfortunately for them, the foreign government who they approached with these secrets, do you know what they did? You can't rely on any foreign governments these days. What they did was they got in touch with the FBI, with the US authorities, and showed them the letter and said, look, one of your guys.


CAROLE. So that, yeah, that narrows down the countries that they would have maybe sent it to, doesn't it?


GRAHAM. Because it has to be a country which likes America. Or


CAROLE. Wants to get in with America.


GRAHAM. Right, maybe, exactly. There's not going to be many. And so somebody thought, no, we don't want your flipping nuclear submarine secrets. We'd rather dob you into the FBI. So the FBI got to see this package.


CAROLE. Can you imagine if you were the country that took those and then you got caught? You


MARIA. Lift the corner of the paper a little bit, just peek, be like.


CAROLE. Maybe just a little bit. We'll just photocopy


MARIA. It first. Yeah, you call up the


CAROLE. FBI and you go, there's good news and bad news. Someone send us all the plans. We've seen them.


GRAHAM. I've seen everything. So the FBI have now received the package and they decide to string the Toebbes along. And so they begin to chat over ProtonMail. So Jonathan Toebbe, he adopts an alias. He calls himself Alice and the FBI call themselves Bob. So you've got Alice and Bob, which I think is quite, it's a bit nerdy in the cryptography.


CAROLE. That is extremely nerdy. I have no idea why that's nerdy. Yeah, Alice and Bob.


MARIA. Those are always the names they use in examples for stuff.


CAROLE. Oh, I see. Yeah. Okay. Jack and Jill, what kind of thing?


GRAHAM. Kind of, kind of, yeah. Yeah, maybe. After a bit of to and fro over this encrypted email, they sent Jonathan $10,000 worth of cryptocurrency.


CAROLE. Is that all? Well, no, this is just at this stage. This is just at this stage. Let's just say they're good for it. They're good for it. But he just


GRAHAM. Handed them nuclear sub plans. I don't think he handed them all.


CAROLE. Did he just send a 10 by 10 pixel? No, no.


GRAHAM. This is just the goodwill gesture of, okay, let's start


CAROLE. Talking. Oh, okay. Okay. Sorry. He ripped off the corner and said, I've got more where this came from.


GRAHAM. So Jonathan Toebbe and his wife, Diana, they put the sensitive, allegedly, allegedly, they put the sensitive information onto a memory card and they left it.


CAROLE. You want to say that again? I don't know what just happened to you.


GRAHAM. Jonathan and Diana Toebbe allegedly, allegedly then put the sensitive information onto a memory card and they left it at a dead drop. I love the idea of a dead drop for what they believed was the foreign government to pick it up.


CAROLE. Basically they duct tape it to the bottom of a mailbox somewhere.


GRAHAM. If only Carole if that's what they've done. What they actually did was they took an SD card, they wrapped it up in plastic, and they put it between two slices of half of a peanut butter sandwich. What? They put it inside a peanut butter sandwich.


CAROLE. And what, handed a peanut butter sandwich to the DOJ?


GRAHAM. No, they left the peanut butter sandwich at the agreed place.


CAROLE. Oh, it's because no one would touch a peanut butter sandwich?


GRAHAM. I wouldn't touch a peanut butter sandwich. I have


MARIA. A nut allergy. I am not touching that.


GRAHAM. Yeah, they obviously thought pigeons wouldn't attack it either.


CAROLE. They obviously have a lot of faith in the memory card construction so that that gunk... It was wrapped in plastic.


GRAHAM. Yeah, I know, but peanut butter is fairly toxic, isn't it? It is a bit like plutonium. It does have a half-life peanut butter, doesn't it?


CAROLE. But I'm just thinking, I can't imagine that does any good for the actual piece of the device inside. It's wrapped in plastic. Oh, not the sandwich. Sorry. Well, maybe the sandwich


MARIA. Was as well. I mean, also maybe the sandwich.


CAROLE. Honestly, you know what? I feel like


MARIA. We need to do a Smashing Security Investigates segment where we reenact this. Take an SD card, put it in a dime bag, put that in between two slathered slices of bread with peanut butter and jelly. Because peanut butter sandwich always has jelly, right? And then leave it to the elements and find out, will anybody actually steal national secrets?


GRAHAM. Well, the FBI picked up this half a sandwich and retrieved the SD card.


CAROLE. And did they eat the sandwich? They must have suggested the sandwich. They must have, because they were moving them on. No, no, no, no. This was the Navy guy.


GRAHAM. Allegedly, it was the Navy guy because the FBI actually praised Alice, as we will call him, for his suggestions on how to manage the whole dead drop situation and transfer the information.


MARIA. Was the sandwich inside a lunchbox, a kid's lunchbox? This is all excellent detail. Little Bobby drop tables. You forgot your lunch at school today. Here you go.


GRAHAM. I don't know. We're going to have to leave that for a more serious podcast to investigate that. What I can tell you is that later there was another SD card delivered to the dead drop, this time hidden in a packet of chewing gum. And Alice, aka Jonathan Toebbe, was paid seventy thousand dollars in cryptocurrency for that particular drop.

So each time, after each dead drop, Toebbe would allegedly send through a decryption key to Bob or Alice - I've lost track now, I think Bob is the FBI - and they would say, look, this will decrypt the data. And the FBI did confirm that the cards really did contain encrypted data, which was decrypted with that decryption key, related to nuclear reactors on submarines.


CAROLE. So it wasn't he screwed them around a bit and changed the drawings. They were the actual plans for the submarine.


GRAHAM. So it is alleged, yes. And in addition, while still using his pseudonym of Alice, this chap who has been arrested, he is reported to have told his FBI contact, who, remember, he believed to be a foreign government, he said that he had actually been collecting data over several years in the normal course of his job. And to avoid attracting attention, he was smuggling it out past security checkpoints a few pages at a time. So I don't know, he's chuffing it in his underpants. I wonder why. Well, maybe he was thinking that his pension wasn't going to be that good.


CAROLE. No, this is a big deal, right? This is not stealing a few burgers from your McDonald's job or something. This is serious big shit.


GRAHAM. You could try stealing burgers, Carole, and then go into the Chinese government or someone and say, look, I've got some burgers for you. I can hide them amid half a peanut butter sandwich. Are you interested? I'll wrap them in plastic, so don't worry. To be honest, they probably wouldn't approach the FBI with that information. So you're at least safe from that point of view.


MARIA. Yeah, but his quote reveals that he was - this was not - you know, he was about to get sacked or something. He was planning this over years. That is really serious. That's honestly really disconcerting.


CAROLE. And how is the wife, why is the wife involved in this? Why has she been arrested?


GRAHAM. Well, she was an accessory, is the allegation. She knew about this and was part of the operation. Maybe she was the one who made the sandwiches. There you go. Do I cut them into triangles? Do I cut off the crusts? Oh, my God. Maria, what have you got for us this week?


MARIA. Well, I heard last week there was some shit that went down on Facebook. I don't know if you guys heard about that or, I don't know, covered it in your last episode.


GRAHAM. I think Facebook went down was the story, wasn't it?


MARIA. Yes, Facebook did go down, and you guys covered it in your last week's episode with Chris. So I thought I would do a little follow-up this week, not on Facebook going down, but on the concurrent Facebook issue that you also covered a little bit, which was the whistleblower.

So in response to the big Facebook whistleblower story that went down last week, Facebook says that it's working on a response. So there was a whole litany of things that the Facebook whistleblower brought to bear, but a lot of them were essentially that Facebook knows how bad their content is, especially for young women and young girls and how it basically promotes eating disorders. It knows that it serves up a lot of very divisive, to put it mildly, and misinformed political content to people who are not looking for it and kind of almost actively serves it up. And that a lot of this information has been known at Facebook for a long time and they've sort of chosen to look the other way or have not used tools available to them to make these problems less bad.


CAROLE. So it would be like, for example, if I had an eating disorder like anorexia and I went on Facebook looking for that, the ad served up might be about dieting, for example.


MARIA. Yeah, that kind of thing. Or just if you are looking at photos of people living their best life who are very, very skinny, maybe surgically enhanced, and you're just going to see more and more and more and more and more content like that because there is a lot of it on Instagram especially.

So it's just going to give you, if you click on it once, they're going to serve it up to you ad nauseam and it'll be almost impossible for you to escape to the point that it's like you're being mentally waterboarded with this stuff.


GRAHAM. It's like their algorithms are too good. Kind of. Not good in a good way, obviously, but they're very good at giving you more of the kind of thing which you liked before.


MARIA. Like a golden retriever, super, super eager to please like just, oh my gosh, oh my gosh, this is what you want. I'm gonna give you more of it. Please stop. No, I'm good. Thank you.

So, yeah, the whistleblower allegations just came to light. And actually, I read this morning that I think a second whistleblower is going to be testifying soon.

But, yeah, it should be interesting. But in the meantime, the Facebook vice president of global affairs, Nick Clegg, went on a lot of the TV networks over the last couple of days and has been doing a lot of damage control or at least trying to.

Imagine Mark calls him up. Nick, sort this now. Fix it.

But yeah, so he assures everyone, please stay calm. We're working on new tools to make things better and address the whistleblower's complaints.

So I was really curious, what exactly does that mean? And Clegg's details are kind of scant, I imagine. It sounds like things are kind of scrambling right now.

But one of the things that Clegg said was, you know, if we see a Facebook or Instagram user who's been using our stuff for too long, we're going to encourage them to take a break.


CAROLE. Oh, so what? So, yeah, so if someone's, you know, swiping for over an hour or two, they'll go, hey, why don't you not?


GRAHAM. I think I heard they do that on some other social networks. I think I heard they do that on TikTok. I've never used TikTok, but.


MARIA. Maybe go outside and, you know, breathe some fresh air and take a walk or something. Yeah. But you know what?


GRAHAM. If I'm binging on a TV series and I've just watched eight episodes in a row, my TV is kind of embarrassing, isn't it? It's judgy. All of ours do it. All of ours do it. It pops up and says, are you really still watching?


MARIA. Or are you asleep in front of your TV? Yeah, but they added this new button that says, no, I'm seriously still watching and stop asking, which I do appreciate. Because it's like, no, I am marathoning Arrested Development for the fifth time. Stop asking.

Yeah, something like that. So, yeah, it's going to gently encourage users to take a break. You know, it sounds really, really helpful.


CAROLE. It doesn't really feel like an answer. Yeah.


MARIA. Yeah. It's like, okay, take a break. Okay, great. If you have a young child or teen that's looking at tons of pictures of people who are plastic surgery models living their best athletic skinny life, Facebook says they might give them a gentle nudge to maybe look at something else.


GRAHAM. Here are some happy fat people for you to look at. Right.


MARIA. Happy fats. Exactly. And the Instagram platform that Facebook said they were going to make for users that were 13 and under that they paused. Clegg says that's actually part of their solution to make Facebook and Instagram better.

So it doesn't sound like that whole thing's been shelved.


GRAHAM. I'm pretty sure that that isn't part of the solution, is it? Right. Producing on Instagram for kids under 13.


MARIA. No, no, no. They're going to actually make it for real. And that's going to be their grand solution for making it better. So, yeah, all right.

Oh, and on the more Facebook-y side of things, Clegg says that they're going to be sending data on the content that they publish every 12 weeks to an independent audit. Because they, quote, need to be held to account.

Yeah, that sounds like, I don't know. It's like that's all we know. That's a whole lot of nothing.


CAROLE. It's ironic for me still to think of Clegg as the daddy of this whole episode, right? Because if Zuckerberg was out there doing all these messages, no one would even listen to them. And Clegg somehow is the dad of the, you know. Yeah, we trust this guy.


GRAHAM. We have a very strange relationship with Nick Clegg being British because he used to be leader of a political party over here. And then he was deputy prime minister, wasn't he?


MARIA. Well, Facebook's basically a massive country, right? I mean, how many is bigger than India in terms of people, right? I mean, it's just a massive nation. So anyway, that's terrifying.


CAROLE. It was extremely terrifying. Yes.


GRAHAM. This doesn't feel like a really terribly good fix. It feels like a little bit of a band-aid just to say, oh, we've done something. We're telling people to take a break.


MARIA. It's like, how did Facebook not see any of this coming? I just don't understand why this is such an anemic response. It's like, I don't get it.


GRAHAM. It did know. It just didn't care, I think is the truth. It wasn't a priority for them. I think they've just cared about the balance sheet.


CAROLE. That's very true. That's very true. But they can't say that, you know, win favor. So, you know. They're taking this seriously. And you have to be held to account.


MARIA. Hold us to account, yes. So the goal, Facebook says, is to limit political content for some users and give parents more control over what their kids see on Facebook and Instagram. That's what they said. Make it their problem. Exactly.

So I like how they said to limit political content for some users. So that qualification is like, OK, that's very interesting that they felt the need to say that. So, you know, watch the space on that front. And I guess don't keep your expectations too high.

But what I did think was interesting is some people have been trying to take things into their own hands to make Facebook a better platform. And I don't know if you talked about this in the past about a developer who got a really nasty letter from Facebook about this. Louis Barclay or Louis Barclay. He is a UK based developer and he got a letter in July from Facebook for his unfollow everything extension. Oh, yes. Did you hear about this? Yeah.


CAROLE. Oh, and he got a cease and desist letter from Facebook?


MARIA. Yeah, because his extension not only mass unfollows friends' pages and groups, I mean, it basically completely removes the news feed from Facebook. So if you're one of those people like me who can't completely leave the platform because your entire family is on there and that's how, you know, friends organize events and schools organize how they talk to you about student issues. But you really just don't want to use it and you don't want to see people's political nonsense. That was his solution was sort of just get rid of the part of the site that sucks and just use it to talk to friends and that's it.

But when he did this, Facebook sent him a letter saying that this violated their terms of service. And he himself, not just his app, but he himself is actually now permabanned from all of their products as a result. Oh, my God, he must be crying. Yeah, I'm sure he's real sad, right? But he tried to actually make it workable for him. And as a result, he can no longer use it at all. So I thought that was very interesting.


GRAHAM. I don't see why Facebook couldn't introduce that technology themselves and say, OK, if you really aren't interested in the news feed, you can turn all of that off and just use it to chat to each other. Yeah, you don't


CAROLE. have to see any ads. In fact, let's just let's just stop making money and we'll just give it to you all for free. And we'll just walk away and let it happen. They'd


GRAHAM. still be able to put things in the sidebar. You remember Facebook 2006?


MARIA. We'll bring back pokes and, you know, pokes. Well, there's vampire bites as well. When


GRAHAM. you bite people as a vampire or something. Oh, yeah.


MARIA. Farmville. Bring all that back. Yeah. Bring mafia wars back. Yeah. 2010 Facebook. Yeah.

No, you know, it becomes very difficult to extricate yourself. And there's been a lot of discussion. We've talked about it so many times on the show. And there's been a lot of discussion again from people being like, I need to get off this damn platform. But it feels impossible. And I know you talked about it last week, too. So


CAROLE. if you can run away.


MARIA. But of course, I'd say that. Yeah, it's it's it's. if you can get off of it.


GRAHAM. Yeah, a lot of people have trouble getting off, don't they?


MARIA. A lot of people do have trouble getting off, Graham. Tell us more about that. Don't. Don't. No. No.


GRAHAM. Stop. Carole, what have you got for us this week?


CAROLE. So gather around, my lovely little co-hosts, and listen to this, which is a tale told to us by longtime Smashing Security listener Stijn. I think that's how I say his name, S-T-I-J-N. What do you think? Stein, I always thought. Stein? Yeah. Stein, Stein, Stijn.

All right, we are heading to Illinois. Okay, more specifically, the Township High School District 214 in Cook County, Illinois. I know it well. I know it well. In Illinois, yes.

So this township has almost 12,000 students in grades 9 to 12, okay? And 5,000 staff about to look after those 12,000 students. Now listen to this. According to their test scores, 52% of the students are at least proficient in math and 49% in reading. And this seems to be like a really, like, isn't this great, guys? I


GRAHAM. found that quite shocking. Less than half of them are capable of reading.


CAROLE. Yeah. Yeah. And like grade nine, how old are you? You're what, 14?


GRAHAM. I'm not, no. Oh, you mean grade nine? I don't know.


MARIA. Ninth grade. That sounds about right. 13, 14?


CAROLE. Right? Yeah. Anyway, so I was surprised by the numbers. So half can do math and less than half can read.

There are six schools, okay? And one of these schools in freshman year, so I guess five years ago because he's a senior now, this kid gets curious about tech and the tech landscape. And by curious, I mean he soon ends up port scanning the entire IP range of the internal district network.

All right. With a few of his buds. Okay. Okay, this is when he's a freshman.

And the scanning generated so much traffic that the school's tech supervisor caught wind of it and asked them to stop. Right. But by then, they had finished scanning the first half of the district's 10.0.0.0 address space, a total of 8 million IPs.

Okay? Okay. So, in doing this IP scanning, they found various devices that were exposed on the district network, like printers, IP phones, and even security cameras that didn't have any password authentication.

Okay. And apparently the district tech team was informed about this issue at the time. And then they responded by placing the cameras behind ACL restrictions or access control lists.

So basically they said, hey, this is open. And the technicians came along and said, okay, I'm going to block this. But many devices remained exposed in the student network.

More importantly, the IPTV system. So this is what they use to broadcast live videos, such as text carousels or morning announcements and all that stuff.

Oh, but this—


GRAHAM. Is a school district. It's not as though anyone is going to mess around with that in an unauthorized fashion, surely.


CAROLE. And it turns out that since this kid was a freshman, he has had admin access to the IPTV system. Right. Okay.

Now he's a senior and he wants to prank his school. Of course he does. And he wants to use his access to do something memorable.

And he thinks, well, why just prank my school when I could, you know, maybe do something across the entire district? Right. Right? Because they're all interconnected.

And could I spread my prank to across all six schools?


MARIA. Those kindergartners will not know what hit them.


CAROLE. And weirdly, luckily for him. Okay. So I want you to think, Maria, particularly because I think Graham might know what happens.

But you have to think, what did he do? Okay. So you're going to try and think of what his prank was.

I'm just going to give you a few more little hints, and you just shout it out if you figure it out.


MARIA. Okay. Is it? I feel like that's kind of too old a reference now for kids that age.

Okay.


CAROLE. He's 17. Yeah, that's ancient history now.

I don't even think you should say that word. I'm going to censor that out. It's my story. I'm censoring that out.


GRAHAM. Beep. Is it some sort of lolcat thing? Isn't that what the kids are into these days?

Maybe I can just give a few more examples before we just start guessing wildly.


CAROLE. And then maybe it might nail it down a little bit. I can't have cheeseburger. Yes.

Now, listen, this is really fascinating. Different schools have different start times, right? And they have different class schedules.

Yep. This was all true before the pandemic. All right.

But conveniently, due to COVID, all the high schools and the districts were now on the same block schedule. So his prank in trying to get access to the IPTV system, he knew that they would all be, you know, the morning bell starts at the same time. The end of a particular class is at the same time all the time.

Right. Across the entire network. Yep.

Okay. Do you want to hint as to what they may have done? Yes.

Yeah? Okay. Okay, let me just. I just want to tell you how to be.

Ah! I'm going to make—


MARIA. You understand. Oh, that's a lot more innocent than I would have guessed. That's really sweet.

Okay.


CAROLE. They Rickrolled the entire school district impacting what possible, you know, 12,000 students and their teachers, administrators, all that. And as part of their stunt, they sent what they call the pen test report automatically to the technical supervisors' anonymous email address.

All right. So it sounds at the moment like that's kind of cute, right? It's not that bad.

So in the actual payload, he says, quote, I repeatedly loop commands to keep the Rickroll running. For example, every 10 seconds, the display would power on and set to the maximum value. This way, if someone attempted to power off the projector or mute it, it would revert and continue playing.

The only way to shut it off would be to pull the plug or change the input source. Right. Sounds worried.

Think how loud and annoying that would be, though. Three days before they decide to launch this whole attack, right? They discover a brand new big range of IP addresses full of IoT devices, right?

So they do a scan, they find all these IoT devices, and it turns out it was a recently installed Bell system. So all the hallways, all the classrooms have it, and each speaker was connected to an Epic server for their respective schools. And these servers were accessed by a web interface.

No? Okay. Behind a login page.

Now they went looking and only one of them was left with default configs, right? So only one was vulnerable of all the other ones. So they're like, well, how do we get access to the passwords?

How do we get in? So they followed the backups and the backups went to an external file share and the credentials for the SMB server were the same default credentials as for the Epic system. So basically, they had the same password for both.

And each backup included an SQL dump of the account usernames and password hashes.


GRAHAM. This is students doing this, is it? Yeah.


MARIA. He's a senior. He's got a good career in InfoSec.

Has he—


GRAHAM. Not got enough homework or something? How can he? It feels like an awful lot of effort to go to.


CAROLE. Well, this is the payload. He was able to customize the bell to play Never Gonna Give You Up. No. Yes.


MARIA. That's great. That's so great. Oh, I love it. That's so much more of an innocent prank than I would have guessed at that age, though, man.


CAROLE. I don't know. A few days after sending the report through via this anonymous email account, they received an email response from D214's director of technology. Right. And the director stated that because of the guidelines and the documentation that were sent as part of the payload, the district would not be pursuing discipline. And in fact, he thanked them for their findings and wanted them to present a debrief to the tech team.


MARIA. Yeah, that's a great response.


GRAHAM. Hang on, hang on. Okay. Wouldn't you be a little bit wary that this is some kind of trap? Are they going to arrest him? Well, I don't know. Well, they could. Or somehow penalize him or punish him. I would be very nervous.


CAROLE. His peers agree with you, Graham. They said they did not trust the administration and were skeptical of the true nature of the meeting. So just in case, I scheduled the debrief to take place after I graduated. Yes, yes, yes. Yep.


GRAHAM. I might have asked for some nudes from the district administrator and said, I need you. Yeah, I need you to send me some nudes of yourself or in some grubby underpants or something. Oh. Then they will be released if anything bad happens to me.


MARIA. That sounds kind of weirdly kinky. I'm not sure.


CAROLE. I'm not. I didn't even listen to him. I just tuned him out. So I don't know. I guess my question is, if this was your kid, would you be proud? Or would you be dude, you're really pissing around with fire? Or is this a way to make his mark? So this kid has now put together a big blog article, which will be linked from the show notes. But I'm not using his name because I kind of think I just...


GRAHAM. Do you know his name, Carole? Do you know it? Yeah. Oh, his name is out there, is it?


CAROLE. Well, not his name. No, no, no. Sorry. His handle. His handle. Not Alice or Bob, is it?


MARIA. No. No. His name was Albert Einstein, and everyone clapped. No, it's – he sounds like he's got a great career in InfoSec. This sounds like an origin story for a lot of people who work in the field. So, I don't know.


CAROLE. Yeah. I mean, he's pointing out some important stuff, and he's getting a bit of – you know, he's working it for his own benefit as well. I don't know. The thing that struck me in all this, actually, the thing that struck me is it was easier for them to do this because everything was organized and streamlined across the network. So during COVID, they got everything in order. You can imagine going, this system's a mess. We need to get everything running perfectly. Yep. You know, if it's easy for you to run efficiently and effectively, it might be much easier for a would-be prankster or scammer to find what they're looking for. Right. Someone getting into my computer, they wouldn't find anything because nothing is filed anywhere.


MARIA. Ransomware, exactly. You know, but no, the pranksters... it's all centralized. No, wait, exactly. Anyway, so I don't know what I think about this.


GRAHAM. It's a bit like some people, they say ransomware is not that bad. You know, it's an online backup. You know, if they've got my data, then somebody has it. Someone's done a backup.


MARIA. Oh wow, that's such a nihilistic view and I love it.


CAROLE. This is a bit old school, but I want to do this on this one. Okay. So the big takeaways on this one, though, is do not rely on default config options. Okay. That's a big one. Yeah. Check all devices for them, right, and change those stupid passwords, and check the config options to make sure you're not saying, yeah, yeah, you know, to allow anything that you don't want to have access. And use a password manager, people. Use a password manager. And also check who has access; check your auth. This guy had access since he was a freshman.


MARIA. Honestly, I'd hire that kid over the summer before he goes off to college or wherever he's going. Guess what, you're now our summer intern. I don't think I'd hire him. Why? He probably knows the network better than anybody else. Yes.


CAROLE. But also, he didn't come up and say, hey, look what's going on. He did it with a splash and a tap dance.


GRAHAM. He should have done that first at least, shouldn't he? He should have. I think he should have disclosed the problem before he unleashed Rick Astley.


CAROLE. Oh, but he's 17. He claims that he did and that he wasn't, you know, he wasn't getting enough of a response.


MARIA. And well, welcome to being in security. That often happens. That's exactly how it happens in the real world.


CAROLE. So, well, if you're listening to the show, guy, Maria is willing to hire you, so you've got one person on your side.


MARIA. With my zero budget. Yeah, I'm yeah, you want to secure my house Wi-Fi? Great. Go for it. No.


CAROLE. Exactly. Would you trust him to do that?


MARIA. Yeah, actually. Probably. You would? Maybe. I don't know.


CAROLE. You don't think you would keep access? You'd keep a username and password in his own and keep that just in case a rainy day happened and he might be able to use it in the future?


MARIA. I wouldn't give him admin access to my house, no. But if I was asking for hey, what am I missing? I'd probably ask him to poke some holes and stuff.


CAROLE. No, no. But you understand those things. But, you know, would you want him to go to your grandma Janine's house and say, set up her Wi-Fi?


MARIA. I already do that for Grandma Janine. You're not even playing the game.

I don't want to play anymore. My grandparents are all dead, cruel.


CAROLE. Good. That's nice. Cheery. Nice. Nice end. Thanks so much. Lovely having you on.

Cruel. You kept—


GRAHAM. Pressing her. You kept pushing her. Really heartless. Unbelievable.

Thanks to this week's sponsor, 1Password. Did you know around 80% of business data breaches result from weak or reused passwords? Well, using 1Password can close the gaps in your company's security, combat shadow IT, and help your employees stay both productive and secure wherever they are. With the right tools, the right mindset, you can create a culture inside your company where your employees feel empowered to share responsibility for security risk management. 1Password makes the secure thing to do the easiest thing to do by letting your employees stay secure without slowing them down. For employees, 1Password makes it easy to play their part in personal security and by extension, company and customer security too. So what are you waiting for? Find out more. Try 1Password for free for 14 days. All you've got to do is go to 1password.com and thanks to the team at 1Password for supporting the show.

And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick Of The Week. Pick Of The Week. Pick Of The Week. Pick Of The Week is the part of the show where everyone chooses something they like. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily. Better not be.

Now, last week, I told everybody about Board Game Geek, a fantastic website, and I had some feedback from listeners. A listener, SDJC McHattie, contacted me via our Smashing Security subreddit, and they said, great, great. If you liked Board Game Geek, maybe you will love Board Game Arena. Oh. And I have to say, this is brilliant. boardgamearena.com is somewhere you can go online and play board games, to see if you like them before you buy them.


CAROLE. Do you play on your—


GRAHAM. No, no, no, no, no. You can either play strangers or your friends, and there's a myriad of different board games up there, which have been sort of emulated and everything. And you can pay a premium subscription. That gives you access to more board games. But if just one person has paid for premium, you can play against them. So you don't have to give any money whatsoever, if you like. And it's rather brilliant. And there are rules up there and videos explaining how games. Because I have this problem sometimes. If I'm reading the description of the board game, I think, would I like that? Wouldn't I like that? I don't know. Would my son like that?

Here's how you find out: boardgamearena.com. I'm really impressed by it and thanks to SDJC McHattie for telling me about it. It is my pick of the week.


CAROLE. I gotta say Graham, that's pretty cool. Great pick. Oh my gosh.


GRAHAM. Maria, what's your pick of the week?


MARIA. So my pick of the week is something that I just discovered last week. So I'm very into it now. And it's Apple TV's adaptation of Isaac Asimov's Foundation, which is a very well known in the sci-fi realm book series.

And I have to admit, I have never read it because I've tried many times in my life, and I could not get into it. My husband loves the Foundation series, though, and he's read them many times. And we're watching this together and we're both really enjoying it so I'm a person who has never read the books and my husband is and we're both enjoying it.

It is not 100% faithful to the books on purpose. If from what I have been told by my dear husband, if you have read the books you will understand that it is almost impossible to adapt to TV directly because of how Asimov writes. So they've made some interesting changes which I have found intriguing.

I will admit this series is not going to be for everybody. It is very high concept.

Explain the premise. This is based on the TV show, so this may not be 100% faithful to the books. But the idea is that there is a scientist who has come up with something called psychohistory, which can predict the long arc of how a civilization may rise and fall on the macro scale, over hundreds, tens of thousands of years.

And he predicts that this great empire that they all live in is going to collapse and there's going to be a 10,000 or 30,000 year long dark age unless they take some important precautions and do some work to try and save the important knowledge of their empire. This sounds like a message to Nick Clegg at Facebook more than anything else.

And that knowledge that's going to be saved is called the Foundation. So it's extremely relevant to now.

And you know, this was written... Asimov started writing this, I think, during World War II, right? This is one of his first works, but it's extremely relevant to now. And Apple threw so much money at this series. It's extremely expensive; every frame of the screen looks like the budget, which is massive. And Lee Pace and Jared Harris are in it, so you know it's good. As I said, it's not going to be for everybody, and it's not a 100% super duper faithful adaptation of the books.

Nothing's for everybody though. Yeah, but I have to admit, I'm really, really enjoying it.

And it is... They're doing the whole one episode a week drop thing. So every Friday, there's a new episode and four episodes are out right now.

How old school and fun. Yeah, I'm really enjoying it. And I think we started watching it just three days ago, and we've already watched all four episodes twice now.

Wow. Really, really enjoying it. And there's just a lot there.


CAROLE. See, I never read any of the Foundation books, but I did... Asimov taught me about DNA, the whole helixes. I don't remember. He wrote one book on it or something, and it was in our shelves. And I remember devouring that and going, oh. Like, understanding about genes and everything. That's, yeah. Interesting.


MARIA. Yeah. So if you're watching Apple TV for Ted Lasso and you want something very different, switch over to Foundation. Yeah. There you go. That's my pick.


GRAHAM. Cool. Very cool. Carole, what's your pick of the week?


CAROLE. So my pick of the week, actually, Maria, you've seen at least one of these. We talked about it a few weeks ago. This is a YouTube channel, yeah, called Film Courage. And it's more than a YouTube channel, which I found out only in looking this up. It turns out there's a website with all kinds of content, podcasts and, you know, articles and everything.

But the concept behind it is basically filmmakers, actors and screenwriters and authors share their thoughts or it can be anything really. It can just be how to create an evil character or how to tell a good story or writing supporting characters or grabbing attention or thrillers or anything. And there's thousands and thousands of interview snippets up there.

And every well-known or respected director, screenwriter, producer has been showcased, at least those from the States. It's a treasure trove for movie lovers, but also for creatives, people like me who like to write stories or get characters down quickly. There's been a lot of stuff in there that's helped me, you know, kind of hone that skill.


MARIA. The video that you sent me was fantastic. I'm still thinking about it. So you sent it to me two weeks ago and I'm just yeah, I've gone back to it a few times. Yeah, it's there's a lot in there and a lot of wisdom. And yeah, if you do any kind of narrative, I don't know, like a podcast, it really gives you a lot to think about.


CAROLE. There is a lot of ads because there seems to be a ton of followers, millions follow this channel. But the interviews have a kind of intimacy and authenticity I really like. The content seems super solid and they feel like they're really putting their heart in the line. Anyway, I think it's worth it. Check it out. It's called Film Courage on YouTube. Link in the show notes.


GRAHAM. Brilliant. Well, that just about wraps it up for this week. Maria, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?


MARIA. I won't mention the podcast that I'm on with Krull. So you can find me on Twitter. No, no, I'm not going to talk about it. Sticky Pickles. Oh, there it is. I didn't do it. You should. Okay, yeah, we're on Sticky Pickles. So StickyPickles.com.


GRAHAM. And you can follow us on Twitter at @SmashinSecurity. No G. Twitter allows to have a G. And we're also up on Reddit. Just look for the Smashing Security subreddit, and don't forget, to ensure you never miss another episode, follow Smashing Security in your favourite podcast app such as Apple Podcasts, Spotify and Google Podcasts.


CAROLE. And let's not forget to thank this week's episode sponsor, 1Password, and our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship information, guest list and the entire back catalogue of more than 246 episodes, check out smashingsecurity.com. Until next time, cheerio, bye bye.

Bye-bye. Bye.


CAROLE. Hi, everyone. Carole here. It's been a while since I shared a review, and normally we get glorious reviews.

However, this month we have received a one out of five stars that I want to share with you. Title, Not Funny, Not Informative.

And they write, I've given this podcast a try multiple times over the years, hoping I'd both enjoy it and get something out of it. Unfortunately, each time has been disappointing.

There are a plethora of other cybersecurity podcasts that are more worthwhile. Ouch. Right?

One thing we all know is that we can't make everybody happy. And I can accept that.

So, obviously, this listener felt strongly about this and shared it with us. And for that, I thank them.

But if you, dear listener, enjoy our podcast and haven't left us a rating or a review, it would be really helpful. Because we do put a lot of heart and soul into this.

And our egos are a little bit crushed. Stay safe out there. We love you even if you don't love us.

-- TRANSCRIPT ENDS --