Germany tells consumers to stop using Kaspersky anti-virus products, OSINT reveals a secret government department (with help from an Apple AirTag), and the UK says it's taking a hard line on cyberflashing.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Chris Kirsch.
Visit https://www.smashingsecurity.com/266 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: Chris Kirsch.
Sponsored By:
- Drata: Is your organization finding it difficult to achieve compliance and scale its security posture? As G2’s highest rated cloud compliance software, Drata streamlines your SOC 2, ISO 27001, PCI DSS, GDPR & HIPAA compliance and provides 24-hour continuous control monitoring so you focus on scaling securely. Drata is also the only compliance automation platform with a private tenant database. That’s like having your cake and securing it too.
- Countless security professionals from companies including Notion, FullStory, & BambooHR have shared how crucial it has been to have Drata as a trusted partner in the compliance process.
- Listeners of Smashing Security can get 10% off Drata and waived implementation fees at smashingsecurity.com/drata
- Kolide: Kolide is a SaaS app that sends employees important, timely, and relevant security recommendations concerning their Mac, Windows, and Linux devices, right inside Slack.
- Kolide is perfect for organizations that want to move beyond a traditional lock-down model and move to one where employees are educated about security and device management while fixing nuanced problems. We call this approach Honest Security.
- You can try Kolide on an unlimited number of devices with all its features for free and without a credit card for 14 days.
Links:
- Kaspersky Has Close Ties to Russian Spies — Bloomberg.
- Kaspersky hit by new below-the-belt sauna spy attack — Graham Cluley.
- A practical guide to making up a sensation — Eugene Kaspersky.
- US intelligence chiefs don’t trust Kaspersky. But why? — Graham Cluley.
- UK cyber agency targets Kaspersky in warning on Russian software — Reuters.
- Group-IB founder arrested in Moscow on state treason charges — The Record.
- BSI warning about using Kaspersky.
- Kaspersky statement regarding the BSI warning — Kaspersky.
- Collateral Damage — on Cybersecurity — Open letter from Eugene Kaspersky.
- Apple's AirTag uncovers a secret German intelligence agency — Apple Insider.
- Bundesservice Telekommunikation — wie ich versehentlich eine Tarnbehörde in der Bundesverwaltung fand — Lilith Wittmann.
- Bundesservice Telekommunikation — enttarnt: Dieser Geheimdienst steckt dahinter — Lilith Wittmann.
- Loophole in law means men will still get away with sending penis pictures — Cambridgeshire Live.
- Cyberflashing to be criminalised under new online safety bill — The Independent.
- ‘Cyberflashing’ to become a criminal offence — UK Government.
- Is there hidden sexual abuse going on in your school? — TES Magazine.
- 13 genius ways to respond to unsolicited dick pics — Cosmopolitan.
- Whatever Happened to Pizza at McDonald's?
- A Podcast Answers a Fast-Food Question That Nobody Is Asking — The New York Times.
- Forget Adnan and Richard Simmons, ‘Whatever Happened to Pizza at McDonald’s?’ Is the Mystery-Solving Podcast You Need — Vulture.
- Cook-Out on Oculus Quest — Oculus.
- Cook-Out: A Sandwich Tale trailer — YouTube.
- 100,000 Stars.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Privacy & Opt-Out: https://redcircle.com/privacy
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
CAROLE THERIAULT. Is this a German joke?
CHRIS KIRSCH. This is a very German joke, and you know Germans are really not funny. We found a German joke.
CAROLE. I just didn't get it, but I won. Oh, sorry.
GRAHAM CLULEY. They've been saving it up for years, and now it's been revealed on the Smashing Security podcast.
CHRIS. Jokes die when you explain them, right? Yeah, God.
GRAHAM. Hello, hello, and welcome to Smashing Security, episode 266. My name's Graham Cluley. And I'm Carole Theriault. Hi, Carole. And who have we got on the show this week?
CAROLE. We have Chris Kirsch. Hi, Chris.
CHRIS. Hi there. Thanks for having me.
CAROLE. Now, guys, Chris is CEO at Rumble.run, a solution for asset inventory and network discovery. That sounds so complicated, Chris. CEO of Rumble.run. You've been on the show before.
GRAHAM. Yes, I have. He still came back. Isn't that extraordinary?
CHRIS. Yeah. After Graham told me to F off on the podcast, I wasn't quite sure if I'd be invited back.
GRAHAM. I'm British. That's quite polite, really. Are you sure I did that? It must have been Carole. It wouldn't have been me. Maybe Carole.
CAROLE. Maybe we need to discuss this at the end of the show. How about we thank this week's sponsors, Kolide and Drata. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
GRAHAM. To AV or not AV? That is the question, particularly when it comes to Kaspersky.
CAROLE. Okay. And what about you, Chris?
CHRIS. So we'll have a story that I'll just call Tinker Tailor Soldier Air Tag. We'll leave it at that. We'll dive in later.
CAROLE. Okay. I'm going to call mine Ding Dong, the pick is dead. I'll listen much more coming up on this episode of Smashing Security.
GRAHAM. Now, chums. Around about a week ago, I received an email from a listener. Always love an email from a listener. Thank you to everyone who drops us a line.
CAROLE. We get a lot less than people think, you know, I think. Do you think? Yeah.
GRAHAM. Oh. Well, maybe that's just you, Carole. I seem to get plenty. You get inundated? Of course you do. I get a lot of fan mail. Of course you do. Anyway, John wrote to me and he had a question for me. He said, in view of the current situation, do you think it's wise to continue to use Kaspersky antivirus software? I thought that would be an interesting one to discuss. John is 83 years old, he tells me. He's retired. He's well into our demographic. Hi, John. And he doubts he has anything much on his PC that would be of interest to a Kremlin-backed hacker when they could be attacking a government department instead. But it is a valid question, one I think many other people might be asking themselves at the moment. Because Kaspersky, of course, as we all know here, is one of the most famous names in antivirus. And it is Russian. And Russia's been in the news lately, hasn't it?
CAROLE. Really? I haven't noticed. Can you tell us more about that? But this isn't the first time that Kaspersky's been called into question, right?
GRAHAM. Well, no. And that's what we're going to look at. We're going to look back at some of the past claims which have been made against Kaspersky and what the situation is right now. So Kaspersky, multinational company, hundreds of millions of users around the world, headquartered in Moscow, founded and run by Eugene Kaspersky. He's been writing antivirus programs since 1989. That's incredible. You'd think he'd have got it right by now. But yeah, he's been writing them all that time. He's still having a go. Now, Eugene's very well known in the industry. I probably first met him back in the 1990s. It all seemed like a friendly chap.
CAROLE. Yeah, in the industry, he certainly has a kind of character, right? He's kind of bigger than he is. He's not the tallest man, is he? Well, sort of normal sort of height. There's nothing wrong with... He's not Napoleon. I was just surprised. It's a bit like meeting Bono, you know, in the industry. And you meet him, you're like, oh, you're...
GRAHAM. Oh, well, I don't know. Anyway, but he's always keen to have a giggle. Anyway, the thing is, he's always seemed like a very friendly guy to me. He likes nothing more than a drink, trip to the sauna with his mates. And it's who Eugene's mates might be that has often got him into a bit of a pickle. A few years ago, for instance, Bloomberg and the Wall Street Journal, they claimed that Kaspersky had close ties to Russian spies. And they even said that Eugene was regularly visiting the sauna with intelligence officers from the FSB.
CHRIS. That's oddly specific. Yeah, was that the cover story?
CAROLE. Did you deny it at the time?
GRAHAM. Well, what Eugene said is I often go for a sauna with my mates and it's not impossible there might have been Russian intelligence officials visiting the same sauna at the same time but I don't know them, he said. But some people tried to construe that this was part of some conspiracy and they said, well, isn't it weird that Kaspersky is always reporting on American and Western state-sponsored malware attacks rather than those ones which originate in Russia? Maybe he's hushing those up. And I remember at the time I thought, well, actually, if you look back over the Kaspersky blog, there have been plenty of occasions when they have talked about Russian hackers. And they have talked about Russian campaigns which appear to have originated from there. So it felt a little bit unfair to me.
CHRIS. Was the reporting that the campaigns that he highlighted, was it cybercrime or was it state-sponsored?
GRAHAM. There were some which were, the suggestion was that it was state-sponsored and highly organized against other governments. And so what Kaspersky, the company, used to say was, we don't care where the malware was written, we are going to detect it, we're going to write about it.
And sometimes feathers were ruffled. I mean, sometimes I suspect the NSA, for instance, would think, well, fine that you detect our malware, but do you then have to do a press release saying that we did it and pointing the finger at us as well?
I don't know. Anyway, this began to cause big problems. And there were warnings which came out from America a few years ago saying government departments shouldn't be using Kaspersky software because maybe it could be meddled with, maybe it could be tampered with.
Kaspersky set up a transparency centre in Switzerland and other places around the world, trying to quell any concerns that the software could be subject to supply chain exploitation. They even said, look, you can look at all of our code if you want to, come to Switzerland.
They took their biggest customers there. And there's no doubt it affected their sales in the West, at least, although they were doing still quite well in the East.
CAROLE. I'm such a conspiracy theorist. This is what's happened to me over the last 10 years. Right now I'm thinking, oh, he did write about Russian state-sponsored hacks, that did not impress the current administration, who then contacted the Trump administration and said, put the kibosh on the Kaspersky stuff, just to hurt them financially.
There you go. Well, yeah, you...
GRAHAM. You do love a conspiracy theory. Who knows? Don't we all? We love it until people begin to believe them.
CAROLE. Yeah, don't believe it. I have no proof at all.
GRAHAM. Until people turn up at pizza parlours in Washington with a gun and all that sort of nonsense. Anyway, Eugene, he likes a sauna, he's high profile, he's also very successful.
Forbes estimate he's worth about $1.8 billion.
CAROLE. Shut up.
GRAHAM. I know. Shut up! That's almost double what we have in our bank accounts, Carole.
Chris, how do you compare to that?
CHRIS. Not quite there yet.
GRAHAM. You're not quite there yet, but maybe we'll pull together.
CAROLE. That's a ridiculous amount of money.
GRAHAM. There's a lot of money, it turns out, in cybersecurity. Who would have known?
Now, Eugene, or at least his company, is in hot water again, but not of the sauna variety. It all comes down to Russia's invasion of Ukraine.
So obviously, when something like that happens, people are going to look to high profile Russians working in tech. I mean, Eugene, in a way, he's a bit like Richard Branson or Lord Sugar or Donald Trump.
CAROLE. He did have the hair.
GRAHAM. Yeah. He's a high profile entrepreneur, got bags of cash. Where does he stand on this?
And he put out a tweet where he said he welcomed the start of negotiations to resolve the, quote, current situation in Ukraine and hoped it would lead to a cessation... How do I say cessation?
CHRIS. That's right. I think that's right. Pronunciation tips from a German.
GRAHAM. Hoped it would lead to a cessation of hostilities and a compromise.
CHRIS. Well you can't say war right because then he goes to prison. I think he's in a really crappy situation right because I do think that Kaspersky produces genuinely good technology.
But then the question is who has oversight, who has oversight? If you live in Russia and you are in a role where you can have geopolitical impact on Russia, right, undermining Kaspersky is a big asset for the Russian state, so there is a motive there.
And it's really hard to prove a negative. So I used to sell crypto software in Germany to German companies, right, and all we needed to say is, hey, do you really trust the Americans? We didn't need to prove anything, and we didn't have to be specific and it's just so hard for them to disprove that.
Then we got acquired by an American crypto company and our messaging changed, and our marketing changed right, so funny how that works. But if I had to choose between different antivirus companies, quite honestly for a corporation especially and for anything to do with government, I probably wouldn't pick Kaspersky now, even though I think they do a very good job.
But it's just impossible for them to prove a negative or for me or anybody who's buying that to prove a negative. And that's really tough.
GRAHAM. Even if there's the tiniest sliver of a possibility that in the future, Vladimir Putin might get Eugene Kaspersky's testicles in a vice, you don't want that to be a possibility, do you?
CAROLE. Well, it's not like he's walking around with your private secrets all the time. What are you worrying about, Kaspersky's own gonads or your information?
GRAHAM. I don't really care about the state of Eugene's balls too much. Well, I mean, no, no, I mean, it's not something I've pondered very often.
Well, not that close. Obviously, I wouldn't want that to happen to him.
CAROLE. What, you wouldn't go in the sauna with him?
CHRIS. It would be awkward with a vice in the sauna, right?
GRAHAM. The thing is, the thing is the supply chain. If a piece of software is running at a low level on hundreds of millions of computers around the world, and it's regularly updated by other people in a way which you frankly don't actually choose when it updates or not because it's updating continuously to deal with new malware, the potential is there for someone either maliciously, without the knowledge of Kaspersky, the company, to do it, or to apply pressure and say, this is what you're going to do.
That's the risk, the supply chain.
CAROLE. Yeah, but that's the risk with any piece of software at all.
GRAHAM. Absolutely. And American software. NSA could do this to American security companies, and the GCHQ could do this to British security companies. You're absolutely right.
CHRIS. Yeah, with antivirus, there's another thing. If you're scanning desktops, right? You have a file scanner and you're looking at the contents of each file and looking for signatures. So I think one of the allegations, and I'm not sure if it was an allegation or if somebody tested it or whatever, the idea was, hey, if Kaspersky just added a signature for certain keywords, right? Certain projects, certain people's names, email addresses, any identifier that they're interested in and just say, hey, every time you see that on a desk, just upload that for analysis.
CAROLE. Put it in the log. Yeah. You know?
GRAHAM. So this is something which appears to have happened. Not quite exactly what you're describing. But what appears to have happened is that some of the white hat hackers who work for the NSA, part of the Equation Group, which is basically the state-sponsored U.S. hacking group, were writing malware. One of them took his work home with him and put it on his home computer, which was running Kaspersky. Kaspersky, with its heuristics or whatever, thought, hmm, this looks a little bit malicious. I will upload these files to Kaspersky's servers for further analysis. And then there was this big freak out that Kaspersky was stealing NSA secrets.
CAROLE. And it was probably already in the terms and conditions that they would do that if they saw something suspicious on a home user license.
CHRIS. I would question the qualifications of this person. Because if you're writing malware for the US government, you know, number one, don't take it home. Number one, right? Number two, don't put Russian software on your computer. Number three, don't put antivirus on your computer if you're developing malware. Right?
GRAHAM. Yeah, it's true. So if we make the assumption that Eugene Kaspersky is a decent chap, which I think, let's hope that he is, you can understand why he's trying to tread very carefully and not get himself embroiled in this situation. Oh, absolutely. And also possibly bad for him. Six months ago, the founder of another security company, Group-IB, he was arrested in Moscow on treason charges after he criticized the Russian government for not taking action against Russian ransomware gangs. And after he allegedly provided the US government with information about Russian interference with the presidential election of 2016. So Eugene wants to be careful.
CAROLE. Yeah, I think there's a lot of people in the world right now who are trying to be very careful, particularly those based in specific geographies.
GRAHAM. And the very latest development on this is that German authorities have just issued an advisory telling consumers that they should look for alternatives to Kaspersky antivirus. They're telling them to uninstall it and switch to another antivirus because of the risk that pressure could be applied or that it could be hacked. And this really comes back to John's question. Remember John sent me an email about whether you should use Kaspersky or not? I think who can put their hand on their heart and say that isn't possible in the current political climate? That pressure wouldn't be put on them to take advantage of the fact that so many hundreds of millions of computers are running it. Chris, earlier on, people are going to question you if you buy Kaspersky, I think, for a corporation. Rather like they wouldn't have questioned you for buying IBM in the old days. Because, you know, it's like, well, that's a decision which no one's going to criticize. People might criticize you for taking a risk on Kaspersky.
CHRIS. Oh, I think they probably will. Absolutely. Tricky times. One reason why you might want to buy a Kaspersky, though, is because I think Russia won't be able to process payments. Maybe you get it for free because they can't charge you a credit card.
CAROLE. Yeah. Oh, that model. We've not seen that before.
GRAHAM. If you're worried about that, Chris, I can point you some cracks on the Internet. You can download them from Torrents if you'd like some free software. Much better alternative. Chris, what have you got for us this week?
CHRIS. So, fascinating story about how an ordinary citizen, quote unquote ordinary, she's not all that ordinary, investigated a secretive government agency and basically uncovered how secretive government agencies are connected in Germany. And it reminded me a lot of Bellingcat. Bellingcat's a news outlet that is run by ordinary citizens who use what's called OSINT, Open Source Intelligence. It's a method where you just take what's out in the public, basically fancy Googling, and then put the puzzle pieces together to find out something that's actually highly confidential or secretive.
GRAHAM. There's a remarkable work they've done in the past, isn't there, by analyzing photographs.
CHRIS. It's quite extraordinary. Super interesting. And I myself got into OSINT when I participated in the social engineering CTF at DEF CON a few years ago. And so there's a lot of OSINT involved there.
CAROLE. You won. You won. Yeah, you're being modest here.
CHRIS. That's how I really got into it. And I developed an appreciation for OSINT and how hard it is, but also about the power of what it can yield. And so this story was mostly published in German. All the English coverage was extremely short, and it missed a lot of the interesting stuff. And to me, it really read basically like a German spy novel.
CAROLE. Okay, go, go, go. I'm ready. Got the popcorn. I'm ready.
CHRIS. So our protagonist is a lady by the name of Lilith Wittmann. She is a white hat hacker. She's exposed some vulnerabilities in the past. And she's also a specialist for digital transformation in government.
And so she was doing research and looking at all the different government agencies on a website, a website that just really lists line by line all the agencies with a very short description. And she stumbled across an agency that she hadn't heard of before. And it's called Bundesservice Telekommunikation.
So, Graham, we're going to have a lot of long German words in here.
GRAHAM. Oh, lovely. Frankfurt der Augermeiner.
CHRIS. Yeah, exactly. It could be nine Schaff. I can do it. 99 Red Balloons. Oh, my God. I'm not going to comment or coach on German pronunciation in this podcast. I'll just refrain from that.
So, the Bundesservice Telekommunikation, it translates as Federal Service of Telecommunications. Couldn't be more bland, right? We're going to abbreviate this as BST.
And actually, back in the day, we sometimes used to joke that there is an agency called the Federal Agency for Telecommunication Statistics. And so this is actually eerily close to that joke because it turns out that it is actually an intelligence agency that nobody's heard of before.
CAROLE. Is this a German joke?
CHRIS. This is a very German joke. And, you know, Germans are really not funny. We found a German joke.
CAROLE. I just didn't get it, but I won. Oh, sorry.
GRAHAM. They've been saving it up for years. Now it's been revealed on the Smashing Security podcast.
CHRIS. Jokes die when you explain them, right? Oh, God. So, all right, back to the story.
So, Wittmann, she looked at the description of this agency and it said, hey, this agency is tasked with digital transformation and government. And this was weird because she's a specialist in that area and she's never heard of this agency before. Right? So that kind of raised some questions.
And so she phoned the phone number, which was a fax. Then she phoned the fax number, which was no answer. And so she couldn't get anywhere with that.
And so she started a FOIA request, a Freedom of Information Act request. The first response she got fairly quickly from somebody with a title Geheimschutzbeauftragte, which basically translates as secrets protection officer. So it's a role in counterespionage. So that was a little bit weird for a digital transformation agency.
And then she got a second email and said, oh, the first email, ignore that one. We were wrong on that one. We have no record of this agency existing. And at the same time, the BST disappeared from the official listing.
CAROLE. This is fantastic. Okay. So, okay. Cover up. Cover up. Backtrack!
GRAHAM. We've accidentally published the existence of our top secret agency. Yes, exactly. Exactly.
CHRIS. So the story gets better. So then she looks around and says, hey, you know, let me see if I can find any other entries in other directories that might be out there. And she found an, I think it was some X500 directory or something. And she finds a physical address in another directory for this agency, and has a physical address somewhere in Berlin, but it's not an official building that is occupied by any government agency.
So she's got a following and she tweets out. And one of her followers says, hey, I checked out the website of the landlord of this building. And the tenants lists a generic government agency.
So she actually gets in the car, she drives up to Berlin, and she goes to the building. And it's a very boring average office building, right? Quite big. But the government agency is occupying, I think it was 2,500 square meters, which is quite a big floor. So that's enough space for about 100 people.
And so she looks at the mailboxes and the BST is on there. And there is a mailbox next to it for Bundesministerium des Innern. So this is the BMI. This is the Interior Ministry. And the BMI heads up a lot of the civilian intelligence agencies in Germany.
So the BND, Bundesnachrichtendienst, which is the equivalent of the CIA. The BSI, which is the Bundesamt für Sicherheit in der Informationstechnik. Please repeat that. Which is the equivalent of the NSA. And the BFV, which is Bundesamt für Verfassungsschutz, which is the Federal Agency for the Protection of the Constitution. See, it's even long in English, right? Wow. Okay.
GRAHAM. So let's just recap here. So she's interested in digital transformation. She goes to a webpage where it lists all the departments which do with the government. And she finds one and it says, we deal with digital transformation. She rings them up and they say, oh, we don't really exist. Don't contact us again.
She then goes to their office, finds a name plaque or something. And alongside it, it says, basically, this is associated with the part of the government which looks after all the intelligence agencies. Yeah, the hush-hush bit. So they put nameplate up and they're in their presence as well.
CAROLE. They must be shitting themselves if they did any recon on her from the beginning because she's not an unknown ethical hacker. Right? So when they went, oh, sorry, they must have been cacking.
CHRIS. Yeah. She found vulnerabilities and some apps for political parties and some other things. And she's associated with a Chaos Computer Club and so on. So she's not an unknown entity yet.
So then she does some more digging and she looks up if she can find anything in the RIPE database. So the RIPE database is where companies register their public IP spaces. And so she finds a few other IP addresses associated with physical addresses that are associated with the Ministry of the Interior.
And she finds one that's a little bit odd because it's in Cologne. There's no office for the BMI in Cologne. And the email address is a generic email address.
It's not a person, but it's a department and group number. And so you can look that up. In German government, it's very organized, right? As you might expect.
Really? It's not a hotmail address. They're a bit more organized than that.
So each department has their own email address that follows a certain nomenclature, right? So she reads this is the email address for Department 7, subgroup Z2. The problem is that neither Department 7 nor subgroup Z2 exist in any official org charts.
CAROLE. Yeah, so it's either fake or super duper secret.
CHRIS. Exactly. So then she looks up for some other things. She finds information about the BFV, the Verfassungsschutz, in RIPE as well.
CAROLE. And her goal right now is she's just curiosity has bitten off her left hand and she just needs to follow the red crumbs.
GRAHAM. Exactly. She's kind of got that loose piece of string on her jumper and she's pulling it. It's unraveling. What's going to be at the end of this?
CAROLE. It's not going to end up topless, Graham.
CHRIS. Okay. I was hoping. It's German.
So she finds some more entries. I think there's also a football club, a soccer club involved in Cologne for the Ministry of the Interior. But the Ministry of Interior doesn't have an office in Cologne. It's only the Verfassungsschutz, which is an intelligence agency.
And so she finds all of these things. And she finds a few phone numbers and decides at 3 a.m. in the morning to phone these cell phones. And so the person on the other end picks up is wide awake.
And basically, it doesn't say it exactly. He doesn't deny that it's the BFV, but he doesn't acknowledge it either. And the phone number is disconnected the next morning.
CAROLE. What's she doing calling at 3 a.m. to try and catch people off guard?
CHRIS. Well, she wanted to catch them off guard, right? She wanted to catch them off guard.
CAROLE. I don't know. I would be really irate if that happened. I'd be, that is not playing fair.
CHRIS. It wasn't a booty call. I don't think she was aiming to please.
So all of this so far is a very cool but pretty standard OSINT investigation, right? If you read Bellingcat or follow any of the OSINT-related stories, it's typically pulling on the string and finding little breadcrumbs and putting them together. But this next part is what I thought made this story worth sharing.
So she says, okay, so I've got a few PO boxes in Cologne that are associated with the BMI, which doesn't have an office in Cologne. And there is also one associated with the Verfassungsschutz, the BFV. And they're close to each other in the post office. They're right next to each other.
And she's I wonder where the mail goes for these PO boxes. Does she put herself into a parcel? Almost.
So Apple just came out with the Apple AirTags, right? Apple comes to the rescue. The AirTags, for those listeners that are not familiar, they look like a pound coin or a quarter, you know, about that size. And they contain a little battery and a Bluetooth transmitter, low energy Bluetooth. So they can run for about a year.
They don't have GPS. They don't have a GSM chip or anything to actually communicate out over long distance, but they can communicate over short distances.
CAROLE. You have to be nearby. Yep. Yeah.
CHRIS. What Apple did that I thought was really clever is any iPhone, not just your iPhone, but any iPhone in the world can now detect these AirTags and deliver the current location of that AirTag to the cloud. And then it ends up with the owner of the AirTag. So the owner of the device nearby doesn't know that it's happening or can't see what the AirTag is, but the owner can.
CAROLE. So she sends a letter. She sends a letter.
CHRIS. She takes a Norwegian cruise line catalog or something, cuts out a little bit in the middle, puts in this AirTag and sends it off to the address of the BMI in Cologne, which doesn't officially have offices there. And sure enough, you know, German Postal Service is very efficient. 10 o'clock the next morning, she sees a ping and it shows up at the offices of the Verfassungsschutz, which is the domestic intelligence agency.
And so that proves to her that the BMI is a cover organization for some of its intelligence branches, that the BMI in Cologne is actually Verfassungsschutz, etc. So I thought that was a really clever use of AirTags. Very cunning. Yeah.
CAROLE. And that made it scary for the rest of us, though, because, you know, if someone dropped an AirTag in my house, well, I guess would that matter? Because they would just go, she's still at her house, still at her house. But if someone drops it in your bag, for
CHRIS. Yeah. There's been a lot of stalking cases reported. And it's actually, I think, pretty hard to protect against. If I remember correctly, Apple actually created, there is some kind of anti-stalking functionality, isn't there, but it only works if you have an iPhone yourself. It basically tells you if you're moving around and you're close to an AirTag but the owner of the AirTag is not also with you, because, like, if your husband has an AirTag on the key ring, you don't want it alerting. So I think that's an interesting countermeasure, I guess, against stalking, but it's not foolproof.
CAROLE. She basically proved that there was a secret government organization that was even more secret than the secret government agencies that already operated to probably do the real dirty work. Was that fair? Something like that, yeah.
CHRIS. And she did this mostly sitting from home and Googling. The only thing she did is she went up to the mailbox of the address and she sent an AirTag through the mail. But otherwise, she just consulted open databases on the internet, which is really cool.
CAROLE. It's kind of scary, though, too. If they're sitting there lying open, it means most of us are.
Yeah, and that's why the show exists, listeners.
CHRIS. Yeah. Lock down your personal details online, right? Reduce your online footprint. Don't answer emails. And don't post to your secret government agency on a public website. And so this is not a call for hacking other nations. So don't be a cowboy. You know, if you have an inclination and an interest and a passion for OSINT, I encourage you, you know, go digging because you might find something really cool like Lilith Wittmann did.
And I don't know, I probably wouldn't publish it under my own name. Like she did, she's got a profile in that space. And I think that somewhat protects her, but I probably wouldn't, you know, poke the bear, so to speak, if we're thinking about the current conflict. You can pass it on to your local authorities if you like and trust them. And if you know somebody there, you can pass it on to Bellingcat. If you find something meaningful and they can then verify it. Follow your chain of custody. And if they believe that it's accurate, then they can publish it under their brand. Those are probably some good options.
GRAHAM. Very interesting. Yeah. And well done, Chris, in all those difficult German words. I'm very impressed with you.
CHRIS. I know. I practiced for hours. For years.
CAROLE. Your pronunciation was okay. It was pretty good.
GRAHAM. Carole, what have you got for us this week?
CAROLE. Well, we are in the UK for this story. So this week, the UK government confirmed that it will be updating the Online Safety Bill. So this has been happening and going on for years. But they have confirmed they're going to include a new cyberflashing law as a specific criminal offence. So this is where a person sends another person, it's like someone they know or someone they don't know, an unsolicited sexual image, right? And this could be via social media, it could be by dating apps, it could even be by Bluetooth or AirDrop.
GRAHAM. What do you mean by sexual image? Do you mean an image of people having sex?
CAROLE. Your junk. Your bits, your private parts. Yeah. Cyber flashing.
GRAHAM. All right. So I get that. And obviously, we're going to talk about that. But what about some people have a fetish for different parts of the body, don't they? Like some people have a foot fetish. So would you get in trouble if you had particularly sexy feet or you thought you did and you sent someone a picture of your feet?
CAROLE. That's an excellent question. I'm writing it down right now. And we'll come back to that, I'm sure.
GRAHAM. All right. Elbows as well.
CAROLE. Yeah. You're loads. There's loads. Yeah. So, in some instances, a preview of said unsolicited sexual image can appear on a device even if the person hasn't accepted it. So, even if the transfer is rejected, they're forced into seeing maybe a thumbnail of the image, or it says, do you want to accept this image before it fully loads onto your...
CHRIS. Or just a text, right? Yeah, what kind of systems are those, though? Because if you send somebody a text or a chat app or whatever, usually images, especially images, just get displayed. If it's something that's larger and potentially malicious, like a, I don't know, spreadsheet or something like that.
GRAHAM. Oh, you mean a larger file size? Sorry, I was trying to understand what you meant. I should learn to be very specific on this podcast. Yes, Mr. German. If someone sends you a particularly large file, sometimes you'll get the option to download it, won't you, before you...
CAROLE. Yeah, so if, for example, we were travelling nearby and you wanted to send me something via AirDrop and it was an image, I would see that image before I accept that image.
GRAHAM. Now AirDrop's interesting, isn't it, because to text you I need to know your mobile phone number. Exactly. If I was on public transport or something and wanted to send you an image of my, then I could just maybe send it via AirDrop, perhaps, depending on their settings.
Right. Gotcha.
CAROLE. So, this is now a criminal offence. So, the idea is that this change means that anyone who sends a photo or film of a person's genitals for the purpose of their own sexual gratification or to cause the victim humiliation, alarm, or distress may face up to two years in the clink.
GRAHAM. Oh, crumbs. Picture or video? Is it photo or video? Yep. What about a doodle?
CAROLE. You see, I'm ahead of you, way ahead of you. What about an emoji? Well, yeah, an eggplant emoji.
GRAHAM. Or, you know, you used to do smiley faces with the letters, you know, before emojis existed. They were fun.
CAROLE. You can imagine that a number of Redditors had a field day with this announcement. So I'll paraphrase a few, but things like, would authorities need to match the junk with the face that sent it, for example? Or an attentive, I'm paraphrasing here, but an attentive member may look very different from a sleeping one, right? So would one need to show it in full glory to the authorities? Would the police get their very own cock squad? Will it go in the penal code?
GRAHAM. That one's actually quite good. I like that one. Now, I've had this happen to me. Oh, I'm intrigued now. A talk for a Microsoft conference. There were thousands of people in the auditorium. Huge auditorium. And I was doing my bit and I was talking about IoT or whatever it was. And my phone bleeped while I was up there because I obviously, being professional, hadn't turned it off. And someone in the audience had sent me a picture of what I can only describe as a small button mushroom. It was, and it was, I mean, that's not really to my taste. I don't love mushrooms, but it was quite off-putting. And I mean, I can only. Did you lose your stride? No, I mean, you know, we're giggling about it a little bit. But actually, it wouldn't be very nice to receive an unsolicited one of those, particularly if you thought it was someone in the vicinity of you. And particularly if you thought it might, you know.
CAROLE. If you didn't feel safe.
GRAHAM. Yeah, if you didn't feel safe.
CAROLE. Yeah, 100%. So, some of the comments, though, on Reddit were a little bit more thoughtful. Because how do you fully define solicited versus unsolicited?
CHRIS. I think that's really where the rub is, right? Oh, no pun intended here.
GRAHAM. So juvenile. Can't believe we allowed Chris on this show. It's really lowered the tone.
CAROLE. That was actually not intended. So would there need to be proof of the request for the image?
GRAHAM. Yeah, it would have to stand up in court, that's for sure.
CAROLE. Come on, that was quite good. Please, come on, give me something. It's not as good as Chris's. Just work harder. Another concern is that cyberflashing cases might be too difficult to prosecute because of the lack of evidence, right? So we risk seeing women's confidence in the criminal justice system reduce even further, because they bring it forward and they go, well, look, we don't have enough evidence, sorry, it was on Snapchat, oh God, everything's erased, don't know, sorry.
CHRIS. Yeah, it reminds me of revenge porn problems, right? So let's say somebody posts pictures of you online and you want to get those pictures taken down. You actually need to prove, I think this is in the U.S., I think you need to prove to the police that it's you, so you need to either, you know, send the images plus a picture of your driver's license or some proof of identity. If your head isn't in there, then you need to include a full body shot plus your driver's license and so on. And it just, yeah, and it just makes it really hard for somebody who's already in a bad place and probably traumatized to get this stuff off the internet, right?
CAROLE. Yes, 100%. I was listening, this one woman was saying that someone was basically doing this kind of revenge porn, but they'd taken her head and put it on a different body and then shared it around a bunch of forums. So apparently that's not illegal, right? It's not illegal to do that at the moment because it's not your body, right? So anyway, so it becomes... It is illegal, just to stress
GRAHAM. to the audience, so it is illegal to actually detach someone's head and sew it onto someone else's body, isn't it? Yes,
CAROLE. Maybe we should be clear. We're talking digitally. We're talking digitally, yeah.
So jokes aside, though, it's a big problem because one place, like you mentioned earlier, Graham, is public transport. So this is from Stylist Magazine. So this was someone writing a kind of, you know, this happened to me type of story.
So she says, I was on the train to London for work. I had a series of five images sent to me via AirDrop. Weirdly, they were like telling a story.
The first was a picture of someone getting on the train, like a CGI mock-up. It was followed by a topless photo of a guy with his face covered, then by a picture of his crotch.
I received messages saying, want more? But I had declined all of them. Oh, my God.
This is absolutely awful. I was trying to figure out how to turn off my AirDrop, right? I didn't even realize it was on, and I wasn't aware I could manage it.
And in the meantime, I got another picture, a full-on nude of his privates. And the thing was, there were only a few people in the carriage at this point.
It was really intimidating, as I was the only female, and my phone would have shown up with my name. It isn't nice.
Nima Elmi, she's head of public policy for Europe at Bumble. So they did some big research into this, and they said the research showed that almost half of women between the ages of 18 and 24 have received a sexual photo that they did not ask for in the last year.
Oh, in the last year? Yes.
Public transport is a place that's happening, but also it happens in schools. Someone reported that just after a maths lesson, this woman's 14-year-old daughter received not one but five unsolicited pictures of different classmates' penises.
Okay. And they ganged, because they'd ganged up and thought it would be funny to send them all at once, said the mum.
And they watched her reaction as she opened them and she got really upset, which they found hilarious. So Tess, okay, so they work with 25,000 schools across 100 countries, right?
So they've done a bunch of research into this. And they said that 76% of girls between the ages of 12 and 18 have been sent an unsolicited nude image of boys or men, which is like, that's three quarters of teens.
And the thing is, it's basically, apparently, what they say in Tess is basically, if you use Snapchat, you will be sent a dick pic. And the biggest problem, the reason why this law is, in my view, a good idea, is because the problem is school politics, right?
Girls who get these are encouraged to laugh it off. Yeah.
Or called a snitch if they report the sender. And there's, of course, the shame factor that you're being targeted.
Claire McGlynn, she's a QC of Durham University, and she specializes in cyberflashing. And she says this law is interesting, but the government must go further if it's going to live up to the rhetoric.
The current proposal only covers cyberflashing where you can prove that the person sent the image for sexual gratification or to cause distress. This leaves a significant gap where men send the penis image for a laugh or a joke amongst their friends, like in this case in the school. You can imagine that would be the retort.
We were just having a laugh. It wasn't to make her feel harassed.
CHRIS. Yeah, it's so rampant. I don't think you can have really a truly technical solution to this, right?
I mean, there are some things that you can do. You can turn off AirDrop or you can limit AirDrop to only known contacts, which would have helped for the public transportation, but not in school with her friends, right?
CAROLE. Exactly, exactly, so it is on, that's a really good point. So AirDrop on iPhones is turned on for contacts by default.
Now, if you're anything like me, I've got hundreds of contacts, hundreds and hundreds of contacts on my phone, and not all of them do I want to be able to AirDrop me willy-nilly. You know, some people are just work contacts, podcast...
GRAHAM. Yes, what if we took these photos, right? When a photo is sent, and what we did was rather than, you know, very funny or something, or delete it or something, maybe there should be a way of actually blowing it up to a huge size and putting it on the side of the school, or putting it up in assembly on the big screen and say, oh, here.
Oh, shame them. Absolutely.
And saying here's little Tommy Coggins or whatever from year five and this is his penis, everybody, which he wanted you all to see. Let's all discuss it.
CAROLE. You're so four years ago. You're so four years ago because Cosmo, I went back and Cosmo had put out an article called 13 Genius Ways to Respond to Unsolicited Dick Pics.
Okay. I'll share a few with them, with you.
One of them is I critique them on a scale of one to 10, which is basically what you're saying to do. Right.
The other one is, why is your pinky so ugly? That's what she would reply.
GRAHAM. Oh, like the little finger. Yeah, I get it.
Yeah.
CAROLE. And the other one was, I'd send pics of my poop, which, you know. What?
Cosmopolitan suggested that. That would maybe put off a dick picker for life, actually, if that's what they got in return.
GRAHAM. This is a horrible, horrible problem. And I'm really annoyed about it. If I found out any son of mine were doing something like this, you'd just take their bloody phone away and say, "Don't be so bloody," you know, "apologize to the girl and you're not having your phone until you're 18 years old." And yeah, right, yeah. Oh, I'm quite tough, aren't I? Manly, I'd even say. Very masculine.
Kolide sends employees important, timely, and relevant security recommendations for their Linux, Mac and Windows devices right inside Slack. Kolide is perfect for organizations that care deeply about compliance and security, but don't want to get there by locking down devices to the point where they become unusable.
So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems. Sign up today by visiting smashingsecurity.com slash kolide, that's smashingsecurity.com slash k-o-l-i-d-e.
Enter your email when prompted and you will receive a free Kolide goodie bag after your trial activates. You can try Kolide with all of its features on an unlimited number of devices for free for 14 days, no credit card required.
Try it out at smashingsecurity.com slash kolide, that's smashingsecurity.com slash k-o-l-i-d-e, and thanks to Kolide for supporting the show.
CAROLE. Is your organization finding it difficult to achieve compliance and scale its security posture? As G2's highest rated cloud compliance software, Drata streamlines your SOC 2, your ISO 27001, your PCI DSS, your GDPR and your HIPAA compliance.
Plus, it provides 24-hour continuous control monitoring so you can focus on scaling securely. Drata is the only compliance automation platform with a private tenant database.
They say it's like having your cake and securing it too. Countless security professionals from companies including Notion, FullStory, and BambooHR have shared how crucial it is to have Drata as a trusted partner in their compliance process.
Listeners, you can get 10% off Drata and waived implementation fees by visiting smashingsecurity.com forward slash drata, that's d-r-a-t-a, and thanks to Drata for sponsoring the show.
GRAHAM. Welcome back, and you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever they wish.
It doesn't have to be security related necessarily. Please, God, don't be.
Well, my pick of the week this week is not security related. I'm sure we are all familiar with the popular podcast format of a true crime investigation - the likes of Serial and all of the others.
I mean, oh, you're just watching them or listening to them and you're thinking, "Oh, this is fantastic, isn't it? This is extraordinary."
Well, I have got an investigative mystery podcast for you headed by a journalist called Brian Thompson. And the name of his podcast, which has been running for the last five years, over 240 episodes, is "Whatever Happened to Pizza at McDonald's?"
It's a niche audience. It's been going for five years.
And he goes in depth. He started off quite simply ringing up his local McDonald's and asking them if they had pizza and them saying no.
And him saying, "Well, do you know why you don't have pizza any longer? Because I believe you used to have pizza," because apparently McDonald's used to do pizza in order to try and win the pizza business from all those pizza companies.
And he's trying to get to the bottom of it. Over time, the podcast has broadened out a little.
One of the latest episodes of the podcast, he looks into, as well as the pizza issue, which is central to the podcast, he also looks into Rod Stewart's model train set. How the hell—
CHRIS. Is that related? I mean, I get ice cream at Starbucks or something like that.
GRAHAM. The thing is, you've got to go deep into the conspiracy, Chris, right, to find out how all of these things are connected.
CAROLE. Have you listened to any of it?
GRAHAM. Yes, I have.
CAROLE. All 240 episodes?
GRAHAM. Not all 240, I must admit. There are a few, probably about 230 in the middle I missed.
But Brian Thompson, he's quite deadpan. I think you'd quite like this.
CHRIS. I might check it out.
GRAHAM. He's got a voice a little bit like the robot voice who introduces our podcast each week. So he says, "And so I called McDonald's to find out." I love that.
And I think it's amusing. And it's done very well, and it is my pick of the week.
CHRIS. I will check that out, and I will judge you incessantly.
GRAHAM. "Whatever Happened to Pizza at McDonald's," it's called. Chris, what's your pick of the week?
CHRIS. All right, my pick of the week is a virtual reality game. So I think in the last one, I also presented a virtual reality game.
This is a different one because it's not one that you play by yourself, but then you play with others. And I was looking for something, My niece and nephew live over in Europe and I'm in the States.
And so we don't get a lot of real FaceTime. And even when we're having video chats or something, it's hard to keep a conversation going with little kids.
But if you can play together, then you can actually have a joint experience. And so I found this game called Cook-Out: A Sandwich Tale.
And so you need at least two VR headsets. I think it's available on other platforms as well. I have the Oculus, and essentially you are making sandwiches in a shop as line cooks and you're collaborating, right?
It's not working against each other, it's actually working with each other, and I think that makes it more fun. And so you take orders from customers that are mice or rabbits or werewolves who like the bigger sandwiches, and it's really good fun because you can talk over the VR headset.
Obviously you don't see the real person, you see an avatar. And you can talk and communicate. The kids started squirting ketchup and mustard bottles all over the place and throwing plates at the werewolf, which I both do not recommend in real life, and they had a really good time.
CAROLE. Can I ask how much a headset is about?
CHRIS. I think it's quite expensive. So in the U.S. I think it's 299 and in Europe it was extremely expensive. I think it was about double in euros.
Wow. And I don't quite know why. So yeah, so that's kind of like the entry level. I think they have some with more storage and stuff and that go higher up.
GRAHAM. I'm watching a video of this, like the little trailer of it, and it does look quite impressive. I mean, it looks like a proper video game, doesn't it?
And it reminds me a little bit of Overcooked, which is a more conventional video game where you're sort of helping each other cooking and chopping and things. It does look like this would be a good way to keep in touch with youngsters and play a fun game with them.
I can see why you would do this.
CHRIS. Yeah, and I think there's some good fun, and it's also some good teaching opportunities because it's collaborative. You can learn, should we work on sandwiches together or split plates, and yes.
CAROLE. There's strategy involved, yeah.
CHRIS. You can teach them how to work in a corporate sweatshop. It's a good skill to have for later, and you don't have to clean up your kitchen afterwards, so it's a really good package, and I think it's about 20 bucks or so.
So the game itself isn't too expensive if you've already invested in the headset. Obviously, the headset's quite expensive.
GRAHAM. I think I'm too old, though, to do all this VR headset stuff. Because I think I just feel nauseous, I imagine.
CHRIS. You host a technology podcast, Graham.
GRAHAM. Yeah, I know, but my position is really to be the chief curmudgeon on the show.
CAROLE. You excel at it. You excel.
GRAHAM. Carole, what's your pick of the week?
CAROLE. Okay, mine is a website. So I'm going to get you guys to go there now while I introduce it.
So you'll see it in the show notes. So it's stars.chromeexperiments.com. Now, this is an amazing site all about the stars, not celebs, right? But the real stars in the sky.
GRAHAM. I'm zooming in. Oh, wow.
CAROLE. Right? And you tour the solar system as you would Google Earth.
GRAHAM. Oh, my goodness. Yes. Wow.
CAROLE. And they've mashed it with high-level deets from Wikipedia. So when you click on a specific star, it provides you with tidbits and information.
So, Graham, if you're there, you can see they give you a high-level tour and tell you how to use it. Anyway, I found it quite relaxing.
I imagine at night playing on this site would be quite beautiful if you couldn't sleep, right? Because it's quite beautiful the way you move around it.
GRAHAM. Couldn't you just go outside and look up?
CAROLE. Well, we live in the UK and we see stars maybe 4% of the time because it's normally cloudy. And I also live in a city.
So that kind of kills that as well. But yeah, totally, if you've got the real thing.
So I don't know. I think it was quite beautiful. I think it's quite fun.
If you want to learn a bit about the stars that burn hot way, way up in the sky, this might be for you. And might be a great way to spend your tea break.
So check it out at stars.chromeexperiments.com. And of course, link will be in the show notes.
And that's my pick of the week.
GRAHAM. I quite like this, Carole. I'm quite impressed.
In fact, it's my little boy's birthday coming up and I've bought him a telescope. We're going to be looking at the moon and maybe at some of the stars.
CAROLE. And then you can use this site to go, have you found this? Because some of them are, obviously the big ones that are there are the ones that you're probably going to see.
GRAHAM. Very interesting. Very cute site.
I like it. Cool. Wonderful.
Well, that just about wraps up the show for this week. Chris, I'm sure lots of our listeners would love to follow you online.
What's the best way for folks to do that?
CHRIS. So easiest is probably at chris underscore kirsch, that's K-I-R-S-C-H, on Twitter. You can also find me on LinkedIn with the same name.
And if you'd like to try out Rumble, you can do that at rumble.run, as in walk, and scan your networks in minutes. So check that out.
GRAHAM. Thank you. Fantastic. And you can follow us on Twitter at Smashing Security, no G on the end of Smashing. And we also have a Smashing Security subreddit. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.
CAROLE. And massive shout out to this episode's sponsors, Kolide and Drata, and to our wonderful Patreon community. It's thanks to them all this show is free. For episode show notes, sponsorship information, guest lists, and the entire back catalogue of more than 265 episodes, check out smashingsecurity.com.
GRAHAM. Until next time. Cheerio. Bye-bye. Bye. Auf Wiedersehen.
CAROLE. Wiedersehen. Do you know, I learned a German song once.
CHRIS. Oh, this could be dangerous. Now you're telling us.
CAROLE. I'm going to sing it now, okay? And you can tell them what it means because I'm not actually sure. Einer geht noch, einer geht noch rein. Those are the only words and you just change the tone. That's all I know.
CHRIS. And you don't know what it means?
CAROLE. Well, I think it has something to do with beer drinking. Yes. Right? Is that right?
GRAHAM. Obviously. All German songs have something to do with beer drinking. It was a lucky guess on your part.
CHRIS. Yeah, yeah. No, they're either beer drinking or fairy tales where something horrible happens and you tell it to kids. So yeah, those are the two types of German songs.
See, today I learned. Basically, loosely translated, because it's a really weird song and it's not very, the lyrics aren't very complicated. It means like, oh, one more, you can fit one more in, meaning one more beer, right? Hopefully we're not thinking of the segment that Carole presented earlier, right?
I'm going to stop this podcast. Yes, please. Please.
-- TRANSCRIPT ENDS --