This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault
Apparently in the UK, we really trust the Geordie accent. So when we call call centers—
Dave Bittner
What's the Geordie accent?
Graham Cluley
Why, I'm on— It's so lovely.
Carole Theriault
No, it's not that. No.
Dave Bittner
What's the Geordie accent?
Carole Theriault
The Geordie accent is an accent from Newcastle primarily and its environs. And it has just a— I mean, you could—
Graham Cluley
Well, let's hear it, Carole. Let's hear it. No, no, no. I've done my Geordie accent. I think we should hear yours.
Carole Theriault
Okay. Anyway, crack-a-gone.
Unknown
Smashing Security, episode 271. Crypto break-in, Google blurring, and mics not muting with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 271. My name's Graham Cluley.
Carole Theriault
And I'm Carole Theriault.
Graham Cluley
And we're joined today by someone who's got his cheeks stuffed full of chocolate. Cheeks and his mouth, Carole, don't be filthy. Dave Bittner.
Dave Bittner
Hello. Yes, just call me Mr. Chocolate Cheeks. I'm enjoying chocolate bunnies and hard-boiled colored eggs and all of those delicious things.
Carole Theriault
Thank you.
Dave Bittner
Good to be here.
Carole Theriault
First, let's thank this week's sponsors, Collide and NetFoundry. It's their support that helps us give you this show for free. Now coming up on today's show, Graham, what do you got?
Graham Cluley
Well, I'm gonna be going ape over iCloud backups.
Carole Theriault
Okay, what about you, Dave?
Dave Bittner
I have the story of Twitter being all abuzz over claims that Google had removed blurring from Russian strategic locations.
Carole Theriault
Sounds fun. And I'm talking all about the mute button. All this and much more coming up on this episode of Smashing Security.
Graham Cluley
Now, chums, chums, where do you keep your valuables? Is there somewhere where you store them to keep them out of harm's way?
Carole Theriault
What do you mean, like—
Dave Bittner
Physical valuables?
Carole Theriault
Yeah. Well, the most valuable thing I have is my house, and it's pretty much out there.
Graham Cluley
Oh, okay. So it's out there for the public to see. You haven't hidden that. Anything else that's valuable to you?
Dave Bittner
I have a safe deposit box.
Carole Theriault
Do you?
Dave Bittner
Sure.
Carole Theriault
Where do you keep it?
Dave Bittner
Well, the bank keeps it. So is this— I don't know if this is— do you guys have this? This is a thing where you are? Do banks have safe deposit boxes?
Graham Cluley
I've only seen them in the movies.
Dave Bittner
Okay, so here in the U.S., most banks have a room full of safe deposit boxes, and it is the big safe in the bank, and you rent this little drawer that has two keys on it. You get to keep a key, and the bank has a key, and you come and you talk to the bank person, and they let you in the room, and you pull out your little drawer, and you go in a private room, and that's where you keep— you can keep valuables, you could keep money, you could keep jewels, you could keep important papers.
Carole Theriault
Oh yeah, wills and stuff, I guess.
Dave Bittner
Yeah, all that stuff. So if there's a fire at the house, your valuables are at the bank, and presumably the bank vault is fairly safe. So I have one of those.
Graham Cluley
And you feel comfortable with the bank having a copy of the key? Do you?
Dave Bittner
Well, the bank only has one of the two keys necessary. So there are two keys to open it. They can't open it without me. Although, I mean, you know what? I suppose they could hire a locksmith.
Graham Cluley
Fascinating. Certainly in my circles, that doesn't happen very much. Maybe if I was super rich, it'd be different. But obviously podcasts get paid better in America than here.
Dave Bittner
Yeah, just rolling around with those wheelbarrows full of podcasting cash.
Graham Cluley
I want to introduce to you Dominic Iacovone. He appears to have a bit of cash. He's into NFTs, which of course we're big fans of on this show. We love talking about NFTs. If you follow him on Twitter, I checked him out on Twitter and I'll put in a link in the show notes as well. You'll see that he's tweeting all the time, nothing else other than NFTs. He's scooped up Mutant Apes, Alien Boys, Gutter Cats, Fancy Bears. The list goes on. It's all that kind of funky, weird NFT stuff.
Carole Theriault
So he must have lots of cash if he's buying these, right?
Dave Bittner
He's that guy.
Graham Cluley
Well, or a lot of cryptocurrency. That's right. But on April 15th, just a few days ago, he received a phone call on his mobile.
Carole Theriault
In case we didn't know what a mobile sounded like.
Graham Cluley
Yeah. And it said— he had a look at it and it said Apple, Apple Inc. are calling. On his caller ID. Now, he was a bit suspicious because he'd been receiving a number of messages asking him to reset his Apple ID password, and he thought it might be a scam.
Carole Theriault
Okay.
Graham Cluley
But because it said Apple Inc. on the phone, he thought, well, maybe I'll give them a call back. So he gave them a call back, and the person he spoke to, he said he was reassured because they had an American accent. I guess he was under the misapprehension that a scammer would have some sort of, I don't know, some sort of different sort of evil accent of some description.
Carole Theriault
The Count, like from Sesame Street.
Graham Cluley
Yeah, you're right. But of course, a good old trustworthy American accent like Casey Kasem or Dave Bittner on the Cyberwire, that sort of thing, you just inherently trust.
Carole Theriault
Apparently in the UK, we really trust— or this was maybe 10 years ago— but we really trust the Geordie accent. So when we call call centers—
Graham Cluley
Yeah, yeah.
Dave Bittner
What's the Geordie accent?
Graham Cluley
Why, I'm on— it's so loud.
Carole Theriault
No, it's not that. No.
Dave Bittner
What's the Geordie accent?
Carole Theriault
The Geordie accent is an accent from Newcastle primarily and its environs, and it has just a— I mean, you could—
Graham Cluley
Let's hear it, Carole. Let's hear it. I've done my Geordie accent. I think we should hear yours.
Carole Theriault
Okay. Anyway, crackin'.
Graham Cluley
Oh, I see. Interesting.
Dave Bittner
I was thinking of Geordi from Star Trek, but—
Graham Cluley
Oh no, not Geordi La Forge. No.
Dave Bittner
No. Maria is nodding enthusiastically as she listens to this.
Graham Cluley
So anyway, he rang up this number. He rang up who he thought was Apple. And they said, well, hey, they said, listen, your Apple ID account has been compromised. But don't worry, you have a chance to get it back. And what we will do is we will send your phone a one-time code. So a 6-digit number, which you can tell us back over the phone, and that will confirm your identity and we'll grant you access to your Apple iCloud account. And he's thinking, well, isn't this wonderful that they're doing this? And so he receives the code. And of course, he tells the person on the line instantly. The line goes dead. And within seconds, according to Dominic, $650,000 worth of cryptocurrency and NFTs had been stolen from him. Kaboom!
Dave Bittner
Isn't that the current value of the Graham and Carole NFT?
Graham Cluley
I think it currently stands at about $1 trillion, the Graham. Oh, that's— at least that's what they're asking for. That's what the person who bought is.
Dave Bittner
Well, I underestimated.
Graham Cluley
Sure.
Dave Bittner
This is chump change then.
Graham Cluley
So Dominic was storing all of his cryptocurrency and assets and goodies, including a Mutant Ape Yacht Club NFT worth approximately $80,000. He was using a wallet called MetaMask.
Carole Theriault
Okay. Never heard of it.
Graham Cluley
You don't revolve, Carole, in the circles of cryptocurrency.
Carole Theriault
No, I don't.
Graham Cluley
Crypto bros out there. Apparently it's trusted by 21 million monthly users around the world.
Dave Bittner
Not anymore.
Graham Cluley
I've read some reviews of it. According to the reviews, it is a highly regarded and extremely secure digital wallet, praised for its encryption technology and has suffered no digital hacks so far.
Carole Theriault
I'm wondering if our guy here is praising it as we speak.
Graham Cluley
Well, his latest tweets suggest he's not that keen.
Carole Theriault
Right.
Carole Theriault
Would it be smart to tattoo these phrases on your body, for example?
Graham Cluley
No, that's a bloody awful idea, Carole. Well, maybe— Think about it.
Dave Bittner
Depends on where.
Carole Theriault
Well, yeah, exactly. Maybe if you put it somewhere that you don't tend to show anyone, right?
Graham Cluley
Where on your body do you not show anyone?
Dave Bittner
Oh, it would make the social engineering a lot more interesting.
Graham Cluley
Dave, where on your body do you think no one would ever see? Where does the sun not shine?
Dave Bittner
I think we all know the answer to that question, Graham.
Carole Theriault
Because it's covered in chocolate, remember?
Graham Cluley
I think that's right.
Dave Bittner
I think it is self-evident.
Graham Cluley
Where—
Dave Bittner
What we say, where the sun does not shine. We are— there is one body part. It is your most private part.
Graham Cluley
Let's stop you there. Let's stop you there. The thing is— that when you're dead, for instance, right, there's going to be someone glamming you up, Carole, or you, Dave, you know, foofing your hair and putting a little bit of mascara on or whatever it is that, you know, to make you look a little bit better in the open casket. And they've basically got access to everywhere on you. So don't tattoo it on your body. Also, some thief might knock you off in order to check out your—
Carole Theriault
I wouldn't— I wasn't suggesting advertising that, you know, fact to anybody.
Graham Cluley
Well, other than going on a podcast and saying it. Thousands and thousands of listeners.
Dave Bittner
Well, and also you could have the 12-word phrase tattooed, but you shouldn't have also tattooed, "This is my MetaMask 12-word recovery phrase." Right.
Graham Cluley
It could just be in Latin or Sanskrit or whatever the funky thing is to have your tats in these days.
Dave Bittner
Pig Latin would probably do it.
Graham Cluley
Pig Latin. ROT13.
Carole Theriault
Yeah. What if you had 12 words of people you dated in your life and that was your— that would be the worst password on the planet, actually.
Dave Bittner
Well, that would have to mean that you would have actually dated 12 people and I hear it's sad.
Graham Cluley
So MetaMask, they've got this secret recovery phrase, but they reassuringly say in their FAQ that they store the secret recovery phrase passwords and all their private keys in an encrypted format locally on your device where it's installed. So on your iPhone or on your Android phone. So it's stored there encrypted, out of the hands of hackers. They can't get at it. Or so you would like to think. Well, the unfortunate business here is that your MetaMask vault, this encrypted vault, including your secret recovery phrase, is by default backed up by Apple to the Apple iCloud, meaning if someone manages to gain access to your iCloud, as these bad guys obviously did by getting this guy to send them their verification code. They can also force their way into your MetaMask vault. Maybe you've reused a password or chosen an obvious one, or they brute force it, and then they have access to everything in your crypto wallet.
Dave Bittner
Wow.
Graham Cluley
So MetaMask users are probably not aware, and this may be true of other software wallets as well, not aware that these private pieces of information may be being backed up automatically by Apple.
Carole Theriault
Yeah, we're helpful.
Graham Cluley
Mm-hmm.
Carole Theriault
Yeah, it's like the paperclip.
Graham Cluley
Yeah.
Carole Theriault
You remember the days, though, when we were just worried about... it was all celeb photographs. So people were getting their private pictures slurped up from the cloud. And now, of course, Apple's storing everything, right? Like the paperclip from Windows: "Well, we're here to help."
Graham Cluley
Well, there's a lot, which is why you need obviously to secure your Apple iCloud account and equivalent cloud-based accounts. You need two-factor authentication. You need to make sure that you're not handing over access keys because someone else may be saying, oh, can you send me your recovery number? And they're socially engineering it out of you. So the lessons from this: always use a cold hardware-based wallet. That way it's not going to get backed up to anything.
Carole Theriault
Don't lose it.
Graham Cluley
Don't lose it. Of course, don't give verification codes to anyone. By the way, this happened to me the other day. I was on Instagram and I got a message from my niece, but she wasn't talking like my niece normally talks. She was saying, oh, I've lost my shit. She's such a lovely, lovely young girl. You know, it's slightly out of character. And she was saying, send me your phone number and I'll get a verification code sent to you. You just give it back to me and I'll be able to get my shit together again. And this probably isn't her. But she'd been fooled by one of her friends who, because she's a lovely person, she'd said, yes, I can help you. And when I get the code, I'll send it to you. And so it happens on a lot of accounts, this kind of thing. So watch out for this verification code trick, which people are doing. And also remember that caller ID is really easy to spoof as well. And Apple, just like every other big tech company, they're not going to call you out of the blue. Now, other cryptocurrency wallets... MetaMask has a secret recovery phrase facility. This is 12 words which you're encouraged to write down and keep in a safe place. You know, you sort of hide it under your great aunt or you put it inside a dictionary or you sort of put it somewhere. So if you forget everything else, if you lose your private keys and everything else, you can still regain access with these 12 magic words, which you must never ever tell anybody else. Right. But if you have that, you can recover your funds. Even MetaMask themselves, they can't give you access to the account. The only thing you can do is use these 12 words, which you've chosen, your recovery phrase.
Dave Bittner
Right.
Carole Theriault
Yeah, because I was thinking when you're telling the story, the first thing is, you know, don't call the number that they dialed, call their main hotline number and go, yo, just got a call.
Graham Cluley
Yeah. And also you may want to look inside your settings on your phone and look to see what is being backed up to iCloud. MetaMask themselves now, because there's been a bit of a furor over this, they've tweeted saying we would advise our clients, if you don't want to back up to the iCloud, turn that off. Too late for Dominic, who's lost $650,000 and is now offering a $100,000 reward to try and get his crypto back. No one's found a way to get his cryptocurrency back, but I saw they'd received a message from someone calling themselves Lauren G81948454. Seems like a plausible username. And they said, oh, I was also hacked of $100,000 last month, but I got my funds back when I contacted a hacker on Instagram called Cyberjack002. Go and reach out to him. And so whenever you talk on Twitter about being hacked for cryptocurrency or losing your Instagram account, all these bots will pop up advising you to go and contact someone on Instagram, who of course is after your Instagram account as well. And so you're going to be scammed over and over again.
Carole Theriault
Yeah, you make it sound so cool to be all involved with all this stuff. Too long. Too long.
Graham Cluley
I agree.
Dave Bittner
Alright, you two.
Graham Cluley
You've just got to remember these codes. Never share them with anyone.
Carole Theriault
Sounds so fun. It's just, it's fucking traps everywhere.
Dave Bittner
Yeah, my general advice is if it's something important, it needs to have multifactor. Anything valuable.
Carole Theriault
Not tattoos.
Dave Bittner
Not tattoos. Maybe there's a side hustle here for you, Carole. You could open a special tattoo parlor that is just for passwords and those sorts of things on your tattoos. As people come out of the parlor, they'd be coshed over the head, chucked into the back of a van. Right. Call it Crypto Inc. Carole's Crypto Inc.
Graham Cluley
Oh, that's very clever.
Carole Theriault
Yeah.
Graham Cluley
Dave, what have you got for us this week?
Dave Bittner
Well, I wanted to talk today about Google Maps, and specifically, Google Maps has their satellite view, which I think we're all familiar with. You can go on Google Maps and you can get a nice bird's eye view of— although I think Bing calls theirs bird's eye view, but you can get a satellite view of anywhere in the world, pretty much. And over the years, this has gotten to be higher and higher resolution. My understanding these days is that they are at half a meter resolution these days, which means that a single pixel in an image is half a meter in size. So quite sharp over the past, I don't know, 20 years or so that they've been doing this. But there are, of course, privacy issues with this, and Google recognizes that. And so you can request to have a location be blurred.
Carole Theriault
Yeah.
Dave Bittner
For example, Dick Cheney famously had the US Naval Observatory blurred while he was vice president. The vice president of the United States lives at the Naval Observatory. And so that was his location. So he had it blurred.
Graham Cluley
Was he worried he'd get pictured sunbathing or something that, do you think?
Dave Bittner
Well, you know, that's another sort of funny side issue is how many people think that these satellite views are real time. I've actually convinced people to go outside and wave. Oh, wow. Yeah, they're not. So, but, and you know, there are websites full of funny images that have been captured with the satellites and particularly with Street View. There are people who find, you know, they see the Street View camera driving around, and so they take it upon themselves to punk the Street View and things like that.
Carole Theriault
But yeah, I've got two friends that have done it. They're still online at the moment. Those pictures with them in there, their faces are blurred, but they're right, right?
Dave Bittner
Yeah.
Carole Theriault
Yeah.
Dave Bittner
So they automatically blur faces. But if you, for example, want your home blurred, like Carole, if you wanted your palatial estate there in Oxford blurred, you could contact Google and request that they would do it. And they would do it. And I have a link here in the show notes for a bunch of places that they have blurred. And things like military bases all make sense, right? Some private places people have requested to be blurred. For some reason, I guess because of facial recognition, the picture of Colonel Sanders that's on the sign of all the Kentucky Fried Chickens automatically gets blurred.
Carole Theriault
I wonder about Popeye Burgers as well. Yeah.
Graham Cluley
Right. I wonder how many people actually request these things. Do you have any idea? I requested it once for Street View, but they didn't do it for some reason.
Carole Theriault
Why were you out in the front lawn when the van went by?
Graham Cluley
No, I just thought, how dare they take a photo.
Carole Theriault
Nude sunbathing.
Graham Cluley
I just thought, how dare they take a photograph of my house? I just thought, but nothing ever happened.
Dave Bittner
He was afraid someone would see his tattoos.
Carole Theriault
That's right.
Dave Bittner
His crypto ink. So Twitter was all abuzz this past weekend that evidently Google had removed blurring from many Russian strategic locations. And of course, we are in the midst of the invasion of Ukraine by Russia. And so there's lots of sort of armchair quarterbacking over what's going on with this war. And one of the open source tools that lots of people are using is Google Maps to determine who's where and who's doing what and what's the status of various militaries and so on and so forth. So there was a lot of buzz over this over the weekend, and people were having fun looking at airports and military bases. I've included a link here. Evidently someone found the Russian version of the space shuttle, or the Soviets had their own space shuttle. It looks exactly like the US space shuttle.
Graham Cluley
Yeah, Carole, I don't know how long you've been working in cybersecurity, but this is what it's like.
Dave Bittner
It's as if you took the plans for the US space shuttle, put it into a CAD program, and said, make it 1.5 times bigger. That's what the Soviet space shuttle looks like.
Graham Cluley
It's cool. I'm looking at it now, it's very cool.
Dave Bittner
And there it is, parked next to a runway. They have a couple of them, and that's one of them. Someone found — I guess the Soviets had their own version of the Concorde supersonic jet. They found one of those. But people were looking at a lot of Russian planes that were on runways that had their wings removed. People were speculating, are these actual planes? Are they made out of Styrofoam? Are they inflatable? Is this, how bad? Because we've seen the Russian military has not lived up to their legendary status throughout this campaign. And so people are wondering what's the state of their air force? Well, just today, as we record this morning, Google came out and said, no, we didn't remove any blurring. None of this was ever blurred. This has all been out there the whole time.
Graham Cluley
No.
Carole Theriault
What?
Dave Bittner
Yeah.
Carole Theriault
So people just assumed that it had been blurred?
Dave Bittner
I think so. And I've seen several people on Twitter say, no, I do this stuff, either for my work or as a hobby. And it's always been there. None of this stuff is blurred. Why did you all think this was blurred?
Graham Cluley
So someone somewhere said they've unblurred it and everyone else just took that as fact.
Dave Bittner
Right.
Graham Cluley
It's as though the internet were unreliable in some fashion.
Carole Theriault
Yeah, or like that things on Twitter aren't always true.
Dave Bittner
But that's the part of this story that I think is interesting, is how this misinformation took hold, right? That Google had de-blurred all of this imagery. Suddenly we had all this information available that we had not previously had. And people were out speculating, oh, what is this going to— this is going to change the course of history. How will this affect the war? There's so many, you know, secrets revealed. And then Google says, no, this is— what are you talking about? We haven't changed a thing. Isn't that fascinating?
Carole Theriault
How long did it take Google to respond?
Dave Bittner
Within 48 hours, I would say. I think what happened was some of the news organizations took notice, started publishing stories. I have a link to a story from The Verge. And at the top of the story now, there's a correction where they say, oh, well, we heard from Google and funny thing.
Carole Theriault
It turns out that having two tweeters is not two independent validated pieces of information.
Graham Cluley
Has anyone, or maybe it's too early for this, but I hope someone's going to sort of try and track it back and work out who was the first person to make this claim.
Dave Bittner
Wouldn't that be fascinating? Yeah, someone should do that.
Carole Theriault
It's going to be awful. It's going to be someone's dad told him, so then he puts it out saying, my dad said, and then it will have grown from there. It'd be something so innocuous, and then we're all gonna hate this person.
Dave Bittner
Yeah, but I think it's an interesting cautionary tale that these things can take hold. And this did. There were, I mean, lots and lots of accounts, people who should know better who latched on to this, legitimate news organizations who took this as fact and reported on it. And there was nothing to it at all.
Carole Theriault
But this is, this is, I think, the problem with fast food news, right? You want to be first out there. You want to do your proper due diligence and you have no time because you're trying to get out first. And you get it wrong because you're tripping over yourself to be the one to press publish first.
Dave Bittner
We have these perverse incentives. Absolutely.
Graham Cluley
Yep. Well, these news organizations which pump out, you know, every day with some new update on what's going on in the world of cybersecurity. I mean, they're never going to be as reliable as those of us who wait a week before coming onto a story, are they, Dave?
Dave Bittner
No, no, they will not. Absolutely not. In fact, I don't even know why anybody would bother tuning into a daily cybersecurity publication. That is the definition of a fool's errand.
Graham Cluley
Carole, what have you got for us?
Carole Theriault
We're talking about the mute button because the mute button gets us out of all sorts of trouble. And we're probably more aware of that now than we ever have been, thanks to all of us having to do work from home for the last few years. I think each of us has found ourselves in a moment where the mute button saved us from, you know, I don't know, shame or embarrassment or ridicule.
Graham Cluley
By mute, you mean like if you're on a conference call or something like that, or if you're on a Zoom call? Right.
Carole Theriault
Say you're on a video app, right, on your computer, and maybe you're in a meeting, and say someone DMs you a joke during that meeting, and you slam it on mute because you're gonna laugh hysterically, especially if I'd sent it, right? Or see your kids start fighting, yelling names in the background like poo-poo head and fart brains.
Graham Cluley
Yeah.
Carole Theriault
You'd want to press the mute button because you don't want your boss to. And maybe you don't even have any video, so this means you have a bit more freedom. So you're doing the laundry, the dishes. I bet you people probably do loo breaks during meetings. I bet you that's a thing.
Dave Bittner
Oh yeah, there's been video.
Graham Cluley
I think they probably do worse than that.
Carole Theriault
So you get me, right? And if you have to use these video conferencing apps, you know that the mute button is one of the great, great features of it, right?
Graham Cluley
Yeah.
Carole Theriault
So we got these 4 graduates based at the University of Wisconsin-Madison and Loyola University Chicago, and they were wondering what happens to the microphone data when a user clicks on the mute button in a video conferencing app, or a VCA. Because, you know, we all have assumptions, right? And they thought, well, let's first ask people, see what they think the mute button does. And not very surprising, 77.5% said they, you know, it would be unacceptable for apps to continue to be able to access the microphone and possibly gather data if the mute mode was active, which, you know, makes sense. So they thought, okay, so people assume this works this way, but let's check what actually happens. So they looked at all the big boys. We have Zoom, Slack, MS Teams, Google Meet, Cisco Webex, GoToMeeting, and then Discord. And then there's two I don't know: Jitsi Meet, Whereby, and, third, BlueJeans. So those three I don't know. I don't know if you guys are aware of them.
Graham Cluley
Oh yeah, I've heard of a couple of those. I've heard of Jitsi and BlueJeans, yeah.
Carole Theriault
Yeah, they wanted to kind of go in there and see how they all worked. And a lot of us assume that they kind of work more or less similarly because they're all kind of providing more or less the same functionality. And you might also assume that Zoom is Zoom is Zoom, no matter what your OS is. Or whether you're using a browser or a native app. But you'd be wrong on both counts because native apps can collect data from the microphone with few restrictions. So web apps are implemented in JavaScript and they have to request access to the microphone through the web browser, which generally has much more restrictive policies, you know, for data collection and stuff like that. And they looked at it across 4 operating systems. So Linux, Windows, Chromium, and macOS. And each one of them processes and munges audio data in a slightly different way. So the researchers used runtime binary analysis tools to trace raw audio from the aforementioned popular video conferencing apps as the audio traveled from the app to the computer audio driver and then to the network while the app was muted.
Graham Cluley
Okay.
Carole Theriault
And they did that for all the various OSs along the board. I think they had 4 that they were looking at. And their findings are rather interesting.
Graham Cluley
You're going to tell us that no audio data whatsoever was transferred from the computers and it all stayed local.
Dave Bittner
Oh, that's all on the up and up.
Graham Cluley
And that is the big shock. That's the big surprise. Is that right?
Carole Theriault
Yes, that's exactly right. Now just flip that on its head. So it turns out that all of the apps tested occasionally gather raw audio data while mute is activated, with one of the popular apps gathering information and delivering data to its server at the same rate regardless if the microphone was muted or not.
Graham Cluley
So it's not sharing your audio with the other participants on the call.
Dave Bittner
No.
Graham Cluley
But it is sharing it with the company?
Carole Theriault
Well, with the VCAs.
Graham Cluley
Right.
Carole Theriault
And so Zoom, one of the most popular video conferencing apps worldwide, we all know Zoom, was found to actively track if the user is talking even when they were in mute mode.
Dave Bittner
Right, 'cause sometimes you'll see it'll pop up, it'll say, "Hey, you're muted," if you try to talk.
Graham Cluley
Oh, I see. Oh, okay, so it's a—
Dave Bittner
That's a useful feature.
Carole Theriault
That's a useful feature.
Graham Cluley
It's kind of a usability thing. Oh, I see, yeah.
Carole Theriault
I suspect most of these things are for usability really. So they say, "We discovered that all the apps in our study could actively query, i.e., retrieve raw data from the microphone when the user is muted," says the paper. And they continue, "Interestingly, in both Windows and macOS, we found that Cisco Webex queries the microphone regardless of the status of the mute button." So in other words, according to the study, Cisco Webex was the worst as it continued to receive raw audio data from the user's microphone and transmit it. Transmitting it to the vendor's servers in precisely the same way it did when unmuted.
Graham Cluley
Hmm.
Carole Theriault
An assistant professor of electrical and computer engineering at the University of Wisconsin-Madison told the Register in an email that "we informed Cisco about our findings back in January and they promised to investigate." So the Register reached out to Cisco, and they told the Register that it altered Webex after the researchers got in touch so it no longer transmits microphone telemetry data. So very good example of responsible disclosure and a quick fix. And Cisco went on to say Webex uses microphone telemetry data to tell a user they are muted, to your point, Dave, referred to as the mute notification feature. They say this is not a vulnerability in Webex.
Graham Cluley
Right.
Carole Theriault
And I think what the researchers are trying to highlight is the way in which a VCA operates a mute button is different from what a user's understanding of what a mute button is, if you get my drift. Okay. And then finally, the other last thing they decided to do is they, using machine learning algorithms, they trained an activity classifier using audio from YouTube videos, and they were looking for common background noises. So they used activities like cooking, eating, playing music, typing, cleaning. And then they applied a classifier to the type of telemetry packets the app was sending, and they could identify the background activity with an average of 82% accuracy. So these types of activities can be distinguished just based on these acoustic fingerprints that were actually being sent.
Graham Cluley
As a general rule, you just can't trust software, can you? That's, you know, it's like, but if you're worried about something like this, then maybe you need a hardware button or a switch or something on your microphone.
Carole Theriault
Well, not everybody has an external microphone.
Graham Cluley
No, but you might have a headset or something. You know, there might be, I don't know, or a kill button.
Dave Bittner
Right, right.
Carole Theriault
That's one of the suggestions is double muting, right? So you can mute in Zoom, for example, or whatever VCA you're using, but you could also mute at your operating system level. Now this is a bit of a pain, right? Because you have to go into settings, you have to find your microphone, you've got to turn off the input, and then you have to remember to turn it back on next time you do something and not panic that it's broken. So the team suggests the solution might be in developing easily accessible software switches or even hardware switches, which makes total sense, right? I would like that. I want a little big button that says, you are now being recorded, and off/on, right?
Dave Bittner
That's what I want. Yeah, I have a button right here. It's my cough button. And it's just a big button that says mic mute, and you press the button and the mic mutes. But, you know, there's a saying in broadcasting, every mic is an open mic, which is a cautionary tale that if you're in a room with a microphone, assume that that microphone is open and someone's listening and/or recording. Now, this phrase came into popularity in the days before all of us carrying microphones in our pockets all the time and our webcams, and it's hard to go into a room these days that doesn't have a microphone capable of recording. So—
Graham Cluley
Didn't Ronald Reagan once get himself in a spot of bother by— he was doing a test in a radio studio or something and he said, "Hey, Nancy, let's bomb Russia." He did. Yeah, he did.
Dave Bittner
That's pretty— boy, dead on there. It's as if I'm in the room with the old Gipper himself. Wow. But you know, Graham, if this podcasting thing doesn't work out for you, there's definitely a future for you as a mimic.
Carole Theriault
Yeah, yeah, the kids— for kids' school, you'd be great.
Dave Bittner
Yeah, yeah, because there's a high demand for Ronald Reagan these days in the grade school level.
Carole Theriault
The network is dead. Long live the network. This is the tagline from our sponsor this week, NetFoundry. Protecting applications is getting more complicated. We all care about security, but man, it's hard. You see, all networks, according to NetFoundry, are insecure, period. And the Zero Trust security model is the way to go. It was created with the idea of never trust, always verify. But historically, this has been seriously hard to implement. NetFoundry have created OpenZT to provide an open-source, free, and easy way for you to embed Zero Trust networking into anything. Embed SDKs inside your app, tunnelers to run on all major operating systems, or deploy an edge router for any cloud. And the best bit? No networking engineering skills required. This is something you guys definitely want to check out. Visit smashingsecurity.com/zero-trust. NetFoundry.com/netfoundry. That's N-E-T-F-O-U-N-D-R-Y. And thanks to NetFoundry for sponsoring the show.
Graham Cluley
And welcome back. Can you join us for our favorite part of the show? The part of the show that we like to call Pick of the Week.
Carole Theriault
Pick of the Week.
Dave Bittner
Pick of the Week.
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. Doesn't have to be security related necessarily.
Carole Theriault
Better not be.
Graham Cluley
Well, my pick of the week this week is not security related, but I'm actually going to start it with a joke. Dave, just to be sure, are you familiar with Lady Penelope and Parker?
Dave Bittner
No.
Graham Cluley
From the TV show Thunderbirds, very popular show in the 1960s.
Dave Bittner
Oh, I'm sure I'm familiar with Thunderbirds. Yes. And I'm with you now.
Graham Cluley
Kolide sends employees important, timely, and relevant security recommendations for their Linux, Mac, and Windows devices right inside Slack. Kolide is perfect for organizations that care deeply about compliance and security but don't want to get there by locking down devices to the point where they become unusable. So instead of frustrating your employees, Kolide educates them about security and device management while directing them to fix important problems. Thunderbirds with the puppets.
Dave Bittner
I'm with you now. Yes.
Graham Cluley
Yes. Yep.

Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. Enter your email when prompted, and you will receive a free Kolide goodie bag after your trial activates. You can try Kolide with all of its features on an unlimited number of devices for free for 14 days. No credit card required. Try it out at smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. And thanks to Kolide for supporting the show.

Okay, so here's a joke. You may not like this. Okay, so Lady Penelope is a sort of aristocratic English woman, and Parker is her sort of Cockney East End driver. And so she goes, "Parker, take off my jacket." "Yes, milady." "Parker, take off my dress." "Yes, milady." "Parker, take off my shoes and stockings." "Yes, milady." "And Parker." "Yes, m'lady." "Don't ever let me catch you wearing my clothes again." How we love it. That is the Thunderbirds joke. Now, I'm a big fan of the TV show Thunderbirds and other series which came from the mind of Gerry Anderson with his Supermarionation. Things like Stingray, Captain Scarlet, UFO, Space: 1999. Wonderful.
Carole Theriault
I don't know any of these except for, yeah.
Graham Cluley
Oh, Carole! This is really good stuff. You haven't lived. Well, there is a documentary that's just come out made by Gerry Anderson's son, Jamie Anderson, about his dad. It's called Gerry Anderson: A Life Uncharted. I saw it on BritBox, but it may also be available in other places. Now, Gerry Anderson sadly died about 10 years ago, I think. And he left some audio recordings where he was telling the story of his life. And to be honest, he did not have the best of lives. He was married a few times, including a marriage to one woman which was spectacularly— how can you put it? A bit of a roller coaster.
Carole Theriault
Yeah. Yes.
Graham Cluley
And this is actually the woman who did the voice of Lady Penelope. And they absolutely hated each other by the end of it. And it made him kind of destitute afterwards as well. So it tells the story of that. It's not really the story of his TV shows, but it's the story of his life. And it's fascinating because it gives you some indication of where— what the impetus for some of the things which happen in stories came from. And it came from a very sad childhood. And it's quite interesting. What's unusual is they took audio recordings of Gerry Anderson, this great star of British children's TV. And they've used deepfake technology to turn it into video of him sat on a sofa telling the story of his life. And this is intercut into—
Carole Theriault
Whoa, here we go.
Graham Cluley
Wow. And I watched this documentary and it keeps on cutting to Gerry Anderson talking about his life. And you imagine at first it's sort of archive footage. And there's actually also a supplemental sort of behind-the-scenes thing where they describe how they did it and show you the iterations, how they did it. It's completely convincing. And it does make the documentary easier to digest and to enjoy because it's not just audio. You can see him sat there as well, talking through his life and explaining it. You even see him at some points walking around various locations like Pinewood Studios. And it's not him. It's been—
Carole Theriault
This is fairly uncontroversial, right? That they portray someone on the couch reading out the words that they've written. But what if they had him doing anything else? Right? Flying a plane or water skiing while he tells you about this stuff. No, but they could with the magic of technology.
Graham Cluley
I think it must have been a particularly unusual experience for Jamie Anderson, who is his son, who appears in the documentary and was a guiding force behind it, you know, his dad has only been dead about 10 years to have all this happen as well. Anyway, I found it quite a good documentary. It's not going to give you much of a flavor of Thunderbirds and Stingray and Captain Scarlet, but it will tell you about Gerry Anderson himself, who is a bit of a hero of mine. And that is why Gerry Anderson: A Life Uncharted is my pick of the week.
Carole Theriault
Interesting.
Graham Cluley
Dave, what's your pick of the week?
Dave Bittner
Well, my pick of the week was inspired by something you talked about a couple of weeks ago here on Smashing Security. And I'll admit, I don't remember specifically what it was. And I actually went back, I went back and tried to look it up and I was unsuccessful. But what I remembered I heard from this episode was you were talking about some show, I believe, and you said you should only watch the first season of it. That the first season was great.
Carole Theriault
Oh, that was Graham, and it was Afterlife.
Graham Cluley
Afterlife, yes. I think I was talking about Afterlife, yeah.
Dave Bittner
All right. Well, when I heard you say that, it made me think of this show that is my pick of the week this week. And it is a show called Bloodline. It is a thriller drama TV series on Netflix, and it is about a family who is in the Florida Keys here in the US, and the family owns a resort. And it's about the siblings in this family. One of them is the black sheep of the family, their relationship with their parents who run the resort. They all — each of the kids have their own personalities. There's a murder.
Carole Theriault
Dun dun dun!
Dave Bittner
Yeah, so it is — one of the things I really like about this show is that the location is one of the characters of the show in a way. That the fact that it's in the Florida Keys really plays into the way that this series feels, the way that it's shot. You really feel like you're there, but it's a super compelling first season. Kyle Chandler is the star of this. He's the guy from Friday Night Lights who, according to my wife, is just quite dreamy. Ben Mendelsohn is in it. He was in the Star Wars movie Rogue One. He's the bad guy in that. He was also in Ready Player One. So a good cast, very good season. But I will tell you, when the first season comes to an end, and there is a cliffhanger, there's a tease. They're going to try to get you to watch the second and third seasons. Do not take the bait. Because — just be satisfied that you watched a season of excellent television. Let it go. Drop it and just leave it there. And think, "Gosh, I wonder what would have happened if they'd made a second and third season of this show." Don't.
Carole Theriault
Yeah, don't wonder.
Dave Bittner
Because if you go and you watch them, you will be disappointed and you will waste a bunch of time. But season 1, excellent. Season 1 is really worth watching. Well done, compelling, a real good thriller drama kind of show. So check out season 1 of Bloodline and just leave it there and get on with your life. That is my pick of the week.
Carole Theriault
You know, I've watched season 1 of Bloodline.
Dave Bittner
Oh, have you?
Carole Theriault
And I think I've only watched season 1 of Bloodline, but I can totally echo what you're saying about the location and the being a kind of a character. It is really— it feels hot, and it feels— you're always by the water, and they always see this blue tint on everything. Yeah, yeah, fascinating. Okay, well, good.
Dave Bittner
I—
Graham Cluley
It's not on my hit list anyway, so there's a bit of me which wants to watch it now only to carry on to season 2 to find out how awful it is.
Carole Theriault
Do it.
Graham Cluley
I mean, there's some perverse gene inside me.
Dave Bittner
Yeah, it's a slow drip. I mean, season 2 is bad, but season 3 is horrible. Horrible.
Carole Theriault
Funny.
Graham Cluley
Carole, what's your pick of the week?
Carole Theriault
Well, we've done a hat trick, because I also have— Do you have something to watch? Mine is Succession from HBO. Graham, have you heard of it?
Graham Cluley
I have heard of Succession, mostly from you. I mean, a lot of people have been raving about Succession for a couple of years.
Carole Theriault
I know, we're late to the party.
Graham Cluley
But I don't have a streaming service which offers it, and so I haven't watched it.
Carole Theriault
Yeah, I know. I got so bored of people telling me to watch it, I went out and forked the cash to buy it. And I have to say, it's a brilliant dissection of a family going into serious trouble. So, it's from the writer Jesse Armstrong of The Thick of It and Peep Show.
Graham Cluley
The Theriault dynasty. Well, he's great.
Carole Theriault
Great, right? Yep. Completely. And basically, the plot is you have this mega-rich family, a dynasty, Trump or Murdoch kind of thing. And they're media conglomerates, and you've got the aging controlling dad at the helm desperately clinging on to the power. And then you have a squabble of spoiled children navigating their roles and trying to figure out who's going to take over the family business. You've got a stepmom who's very strange, but wonderful, but strange. And basically, the whole thing is who's going to be the next king of the castle. But you've got a great cast, Bryan Cox, Jeremy Strong, Sarah Snook is in there, and dialogue's really good. It's tight, and it's so scathing, right? I come from a family of very straight-talking people that are pretty scathing at times. And this is probably the closest rival I've seen. So, yeah. And anyway, I—
Carole Theriault
But you know, maybe this is a Jesse Armstrong thing because when I think of Thick of It and Peep Show, I would say it's true, but every single character here is pretty unappealing and a bit of a monster in their own way. You know? No one's carrying the, "I'm the one to follow, just trust me," character.
Dave Bittner
Yeah, I have a hard time with shows like that because they— I find they're fascinating at the outset.
Carole Theriault
Yeah.
Dave Bittner
And I find I get drawn in by these horrible characters. But then over the course of a couple of seasons, I feel I don't want to be spending any more time with these people.
Graham Cluley
Dave, have you ever watched The Thick of It or Peep Show? Because they're comedies. But they're quite sort of dark.
Carole Theriault
Yeah, you might really like them, actually.
Graham Cluley
The Peep Show, I can imagine Dave enjoying it and think of it just because it takes swearing to a whole new level.
Dave Bittner
Yeah, well, I'm all about that.
Carole Theriault
Anyway, there you are. That's my pick of the week, Succession, season 1. That's as far as I've made it, but I'm gonna head to season 2. So you can't stop me, Dave. And that's from HBO.
Graham Cluley
Terrific. Well, that just about wraps up the show for this week, Dave. I'm sure lots of our listeners would love to follow you online. What is the best way for folks to do that?
Dave Bittner
You can follow me on Twitter. It's @DaveBittner, B-I-T-T-N-E-R, and everything else is over on thecyberwire.com.
Graham Cluley
Super duper. And you can follow us on Twitter @SmashInSecurity, no G, Twitter allows to have a G. And we also have a Smashing Security subreddit. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps such as Overcast, Apple Podcasts, LastPass and Spotify.
Carole Theriault
And massive shout out to this episode's sponsors, Kolide and NetFoundry, and to our wonderful Patreon community. It's thanks to them all this show is free. For episodes, show notes, sponsorship information, guest lists, and the entire back catalog of more than 270 episodes, check out smashingsecurity.com.
Graham Cluley
Until next time, cheerio, bye-bye.
Dave Bittner
Bye. Bye-bye.
Graham Cluley
Bye-bye, baboo.
Carole Theriault
I'm riding home.
Graham Cluley
Thank you so much, Dave.
Carole Theriault
Thanks, Dave.
Graham Cluley
I know you owe your busy chest.
EPISODE DESCRIPTION:
A man loses $650,000 from his cryptocurrency wallet after his Apple iCloud account is hacked, video conferencing apps may not be muting your mic quite the way you imagined, and Google has unblurred military bases in Russia... or has it?
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire's Dave Bittner.