This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault
In the interest of debate.
Graham Cluley
Yes.
Carole Theriault
So you buy a new house. You go in, you say, I don't like this wallpaper. I'm going to take it down. Don't you?
Graham Cluley
But when I take down wallpaper, Carole, I don't do it by smashing down the walls as well.
Carole Theriault
Aha. That's okay. Good point.
Graham Cluley
And the roof falling on my head.
Unknown Guest
Smashing Security, Episode 298: Housing Market Scams, Twitter Two-FA, and the Fesshole, with Carole Theriault and Graham Cluley.
Graham Cluley
Hello, hello, and welcome to Smashing Security episode 298. My name's Graham Cluley.
Carole Theriault
And I'm Carole Theriault.
Graham Cluley
And Carole, this week we're joined by a special guest. Who've we got?
Carole Theriault
We've got a co-host of sorts from the CyberWire, Dave Bittner. Mr. D-Dog, how are you?
Dave Bittner
I'm doing well. It's nice to be back.
Graham Cluley
Hello, Dave, or should I say, welcome Datacomp, perhaps. Does that ring a bell?
Dave Bittner
Yes, vaguely it does. Half a lifetime ago.
Carole Theriault
I don't know what you're talking about.
Graham Cluley
So, what happened was this, Carole. I was vanity searching myself on Reddit to see what scurrilous rumours I could find out about myself.
Carole Theriault
When was this?
Graham Cluley
Oh, just, yeah, a couple of weeks ago. And this thing comes up to me and someone goes, you should check out this post on Usenet by Graham Cluley, where he promotes his CompuServe channel. And I thought, okay, so this is from the archives from 1995, December 1995. And it took me to a thread on the Usenet group alt.comp.virus, where I was answering somebody's question because this person had had a problem with their Mac computer. It was acting bizarrely. And here's the funny thing. That person was Dave Bittner.
Carole Theriault
No way.
Dave Bittner
Yes, it was. And so Graham sent me the message and said, this couldn't possibly be you. And I said, yeah, actually, that was me. And what's funny is I was actually talking to someone in the past year about this.
Graham Cluley
Explain what was happening on your Apple Mac, which caused you to post this message, Dave.
Dave Bittner
So what was happening was every couple of minutes, if your computer was sitting idle, up on the screen would come a text string that said, welcome Datacomp, out of the blue. That was it. And so I had no idea what was causing it, where it was coming from. Thought maybe we had a virus on the system. So I put this up on Usenet, as it was, which is what you did back in the day. And a very helpful chap from across the pond named Graham Cluley wrote up a custom response.
Graham Cluley
Well, I took a cut and paste. I took something from the FAQ. It wasn't very personal, but what it was, was there was a particular third-party Mac keyboard where the people who developed it had programmed this practical joke into it. So if you left it unattended for a certain length of time, it would just output text. It would type "Welcome." What a bloody thing to do with a keyboard.
Dave Bittner
Right. You have to remember, these were the days where you bought things from a catalog. You had a mail order catalog, right?
Unknown Guest
You did.
Dave Bittner
This was really before you were buying things online. There was no Amazon yet. And so we ordered these keyboards, I suspect because they were cheaper than Apple's. But I do recall when, after I got this message from you, calling the catalog company and saying, "Hey, we need to return these keyboards." And they're like, "Yeah, just send them back, please. Just send them back right away. We will replace that for you, no problem. Please send them." So they knew something was up. But so I was 26 years old when this happened, Graham. So this is literally half a lifetime ago for both of us. We crossed paths. Little did we know.
Graham Cluley
Yeah, I was only 11 at the time.
Dave Bittner
Yeah, that's right. Yeah, Carole hadn't even been born yet. She wasn't even a gleam in our parents' eye.
Carole Theriault
Maybe we should get on with the show. Perhaps stop geeking out about our pasts. But before we kick off, why don't we thank this week's sponsors: Bitwarden, Pentera, and Kolide. It's their support that helps us give you this show for free. Now coming up on today's show, Graham, what do you got? So bored with Twitter. What about you, Dave?
Dave Bittner
I have Google agreeing to the largest settlement ever when it comes to privacy and location data.
Carole Theriault
Ooh, and I've got a scheme to get us rich, guys. Plus, we have a featured interview with Pentera. I speak with Shakel Ahmed from Pentera on how they automate continuous cyber defense validation for their users. Super interesting stuff. Anyway, all this and much more coming up on this episode of Smashing Security.
Graham Cluley
Well, chums, it's that time of the week, the part of the week where we return and find out what's going on. What's the very latest in the soap opera that is Twitter?
Carole Theriault
When you say "we," I think we talked earlier today and you said, "I think I'm going to do this." And I was like, "Please no."
Graham Cluley
Well, Carole, I think it's quite fascinating. It's clinically fascinating what is going on at Twitter. The story so far, for those people who haven't been— no, I can't possibly begin to tell you the story so far because just listen to the other episodes. Just listen to past episodes. And even that, we were just scraping the surface of the madness, the craziness which has been going on. And the craziness has continued. And it's got to the stage now where I've actually asked Elon Musk how I can have my verified tick from my account removed because I'm worried people will think that I've paid for it and that would be incredibly embarrassing. Maybe I would actually pay him now to have it removed. But there's certainly been some very odd things going on at Twitter. Now, just this last weekend on Saturday, Elon tweeted an apology to his 115 million followers.
Graham Cluley
Twitter two FA, Twitter two FO, Twitter two—
Carole Theriault
Yeah.
Graham Cluley
By the way, he said, "I'd like to apologise for Twitter being super slow in many countries." And he said that the reason why the app was slow was because it was doing, quote, "over 1,000 poorly batched RPCs, remote procedure calls, just to handle the timeline." That's what he said.
Carole Theriault
I don't know what that means.
Graham Cluley
Right. It meant that just to display on the screen the latest things in your timeline, it was making all of these calls. It was over 1,000, he said. And what they should have done is, according to him, they should have batched them up carefully. If you need to make a call, do them maybe in a clump rather than individually one by one, because he was suggesting it would take a long time, which is kind of ironic because of course he is the person who's in charge of the Boring Company, in charge of the Hyperloop, planning to deal with traffic problems by cramming lots and lots of people into a tube and spurting them off down a very small tube.
Dave Bittner
I was gonna ask, to what degree does this fall under Elon's areas of expertise?
Graham Cluley
Well, he is quite the expert, it turns out. At least in his own mind. Now, that's fair enough.
Carole Theriault
Don't you own a Starlink?
Graham Cluley
I do own a Starlink, yes. We're actually speaking right now—
Carole Theriault
I just wish you had a little bit more respect.
Graham Cluley
We're speaking right now via a low Earth orbiting satellite.
Carole Theriault
Yeah. All right, okay.
Graham Cluley
And it works all right.
Carole Theriault
Giveth with one hand, giveth with one hand, taketh with the other.
Graham Cluley
No, I want him to remove my check. I don't want him to remove my Starlink because then I'm gonna find it difficult to connect to the internet where I live.
Carole Theriault
Yeah, podcast will be a little difficult, yeah.
Graham Cluley
So the only problem with him saying that the app was slow and him blaming the poor programming is some people thought that perhaps this guy who'd just spent $44 billion buying Twitter didn't know what the fuck he was talking about. And some of the people who thought he may not actually have got this completely right were actually Twitter employees, including Twitter software engineers who worked on the app.
Carole Theriault
But had been fired?
Graham Cluley
Not at this stage.
Carole Theriault
Oh, okay.
Graham Cluley
So among those who didn't agree with Elon's assessment was a Twitter software engineer called Eric Frohnhoefer, and he said, hey, I've been working on the Twitter for Android app for around about 6 years, and I can tell you that you're wrong. And now this is all happening publicly on the platform that your boss actually owns, right? That Elon Musk actually owns. So he is arguing with his boss in public on the boss's brand new platform. And of course we know it's crazy Elon. So Elon says, well, please correct me if I'm wrong. What's the right number? Elon sends over 1,000. Frohnhoefer, the programmer, says it's zero. Our apps don't make any RPC calls. So it's a little bit awkward. Now, in front of 115 million people, people are grabbing their popcorn thinking, oh, this is fascinating. And then Musk says, "Well," he says, "Well, well, the Twitter Android app is super slow," he says. "What have you done to fix that?" And Frohnhoefer says, "Well, you know, the company's done lots of work to try and improve the performance, but there is admittedly plenty of room for improvements." But, you know, he fundamentally disputed Musk's diagnosis of what the issue was.
Carole Theriault
Oh, okay.
Dave Bittner
Yeah, yeah. Well, he's, so I can understand. I know loads of engineers that would do that.
Graham Cluley
Yeah, exactly.
Carole Theriault
And it's not a diss, it's just—
Graham Cluley
Right. It's a bit like when politicians get together. So when diplomats get together and they describe themselves as having a full and frank discussion of the issue, which means there's a bit of argy-bargy going on. And—
Dave Bittner
But I would make the case that for engineers, diplomacy is often not their strongest suit.
Graham Cluley
Right. And maybe it's not Elon Musk's either. Yeah.
Carole Theriault
But feel sorry for Elon.
Graham Cluley
Oh, do you?
Carole Theriault
I mean, how many people sit around—
Graham Cluley
Sorry, what?
Carole Theriault
How many people are hanging out with Elon going, oh yeah, you're totally right, boss. Yeah, you're so right. And he's just filled with this injection of, you know, authority bias basically. And he's just right.
Graham Cluley
So you feel sorry for him because the people he hasn't fired are telling him he's great in order to keep their jobs.
Carole Theriault
Yes. And he doesn't have a view on reality. He doesn't have a handle on it. He thinks he does.
Dave Bittner
So it sounds like you have more pity for him than, say, empathy.
Carole Theriault
Yes.
Unknown Guest
Right. Okay.
Carole Theriault
Pity. Yeah, no, definitely not feeling him at all.
Dave Bittner
Okay.
Graham Cluley
What's the solution then, Carole?
Carole Theriault
The solution is to get off Twitter.
Graham Cluley
I think I've said that before. No, for Elon, I mean.
Carole Theriault
'Elon, get some therapy.' You know?
Graham Cluley
Oh, okay, okay.
Carole Theriault
Yeah.
Graham Cluley
So anyway, obviously there was a bit of argy-bargy, and you will be surprised to hear that the next thing that Elon Musk tweeted was that he had fired Eric Frohnhoefer after they'd had—
Carole Theriault
No!
Graham Cluley
Yes. So after they'd had this little spat, he said, 'Well, he's gone now. He's fired.' And of course, that meant that Frohnhoefer wouldn't have a chance to make any of those improvements which he thought could be made. The very next day, which is last Sunday, Elon Musk tweeted again. And he said, "We're gonna make a number of improvements." He said, "It's things that we need to fix in the apps. Part of today will be turning off the microservices bloatware. Less than 20% are actually needed for Twitter to work." So in other words, what he was actually doing was he was kind of following up on the advice of the guy he'd just fired and making some fixes.
Carole Theriault
And fixing it himself and saying, "I fixed everything, guys. Don't you worry." Who knows?
Graham Cluley
Maybe he'd rolled his sleeves up.
Dave Bittner
I mean, you don't actually need all 4 chambers of your heart.
Graham Cluley
I suppose not, no, to keep on working. So it's all right to turn off some things.
Dave Bittner
Right.
Carole Theriault
You know that he has expressed a lot of admiration for Kanye West?
Graham Cluley
Has he?
Carole Theriault
Just saying.
Graham Cluley
Really?
Carole Theriault
Yes. Yes. Because they're both moguls. Right?
Graham Cluley
Well, a number of changes were being made, he announced. They were turning off things at Twitter. They'd already turned off the HR department because they didn't have any more staff to look after, and they'd turned off a lot of the programmers and the customer support and all kinds of departments who were dealing with trust and safety. Well, it turns out that in turning off things, Twitter also busted two-factor authentication. So anyone who relied upon SMS-based two-factor authentication to protect their account could no longer log into Twitter. So let me explain what—
Carole Theriault
Oh my God.
Graham Cluley
Well, Carole, you are not an avid Twitter user, so that wouldn't be a problem to you. But it would be a problem to any brands who were using Twitter who might be protecting their account that way, or any regular user. Because if you try to log back in and the site says, I'm just going to send you an SMS message so you can enter your magic code rather than getting phished, you didn't get the two-factor code. Now, of course, SMS-based two-factor is not as good as other forms of two-factor, but someone at Twitter had disabled that bit of code. Maybe someone who hadn't realized the complexity of a system like Twitter. Maybe someone who'd made arrogant assumptions as to how easy it was to understand.
Carole Theriault
Did he give it himself?
Dave Bittner
Maybe somebody on their way out the door who just got their walking papers.
Carole Theriault
Yeah, I don't know how you fire someone without an HR department either. I'm sure that guy has now, you know?
Graham Cluley
Well, Frohnhoefer says he's not been officially told he's fired, but what's happened is he can no longer log into his email. So he's assuming he's gone. And of course, Elon has tweeted that he's gone as well. So maybe he's just shutting people off their email left, right, and center. But what's happening is a system like Twitter, very complex, gazillions of dependencies. If someone just rips out a piece of code on the orders of the big boss, there may be unforeseen consequences, and the only people likely to know what those consequences are are probably some of those thousands and thousands of software engineers who you've kicked out of the company.
Carole Theriault
Yeah, but that's fine. That's, you know what, I see a win-win because you're gonna bring them back as consultants and they should say, well, actually my salary has now changed times 3 and I can help you out.
Graham Cluley
Yeah. Well, it does send a bit of a chill down the spine because this random, chaotic, erratic behaviour. Now, there've been a number of advertisers who've been concerned about Twitter in the last few weeks because, well, their brands are being ridiculed by people creating fake accounts and posting all kinds of unpleasant stuff under other people's names.
Dave Bittner
Yeah. Brands have lost billions of dollars in market value because of alleged parody accounts pretending to be them.
Graham Cluley
Yeah. Yeah. And really horrible offensive things and some very funny things, let's be honest, have been posted as well.
Carole Theriault
And do you blame Elon for that because of his numptiness, or do you blame the twits that are trying to take advantage?
Graham Cluley
Well, the twits couldn't have taken advantage if he hadn't messed around quite so much in this sort of move fast, break as many things as you possibly can kind of fashion.
Carole Theriault
In the interest of debate.
Graham Cluley
Yes.
Carole Theriault
So you buy a new house, you go in, you say, I don't like this wallpaper, I'm going to take it down. Don't you? You do that.
Graham Cluley
But when I take down wallpaper, Carole, I don't do it by smashing down the walls as well.
Carole Theriault
Aha. That's okay. Good point.
Graham Cluley
And the roof falling on my head. Right.
Carole Theriault
Right.
Graham Cluley
So I think there's a concern here for regular Twitter users as well as brands because although most of what we do on Twitter is public in terms of tweeting, you do have direct messages. I've got direct messages going back to about 2017 or something. I don't know how many years, and I'm having to go through one by one deleting them because quite frankly, I'm not sure how much longer Twitter is going to be secure. And I don't want things like that.
Carole Theriault
You still think it's secure now? You haven't got the message yet?
Graham Cluley
Who knows? Well, who knows?
Carole Theriault
You've covered it 3 weeks in a row. I'm just surprised that you haven't yet figured it out.
Graham Cluley
Well, it's taken me a while to delete them all.
Dave Bittner
But when you delete them, they're not actually deleted. They're just hidden from your view. The person that you were conversing with still has a copy of it.
Graham Cluley
They have a copy. And there was a story a couple of years ago saying that even when you do delete the messages, right, set visibility to zero, Twitter still has an archive of them unless you actually completely eradicate your account. And let's hope then, but who knows if all that stuff's still working as well?
Dave Bittner
I've seen some fraying around the edges and I've seen some engineers talking about this. For example, right now, the indicator that tells you how many alerts you have, if someone's mentioned you or something like that, it will alert you when that happens. But it no longer tells you how many. Evidently, that little microservice is not working as well. So people were talking about this, how it probably won't be that we're gonna suddenly start seeing fail whales again, but that we're going to start seeing things fray around the edges.
Graham Cluley
Yeah.
Dave Bittner
It seems like that's exactly what's happening.
Graham Cluley
Maybe that's it. Yeah, I think you're right. Maybe it just sort of gradually begins to crumble away, which is a shame 'cause I quite liked Twitter.
Dave Bittner
But—
Carole Theriault
Mm-hmm. God, yeah, we didn't know that.
Graham Cluley
Anyway, Smashing Security is now on Mastodon.
Dave Bittner
Yeah.
Graham Cluley
Go and follow us there. Dave, what have you got for us this week?
Dave Bittner
Well, as we are recording here today, the hot news is that Google has agreed to pay nearly $400 million over deceptive location tracking practices. I'm referring to a story — this is from The Record, from our friends at Recorded Future. Jonathan Greig wrote this. And so Google has agreed to pay $391.5 million in a settlement with 40 states over revelations that it continued to track users' locations even when told explicitly not to do so. So Google basically was, as we know, tracking people's location using their apps, their various apps, their Maps app. Basically, when you were logged into Google, Google would keep tabs on where you were, and then they would use that to send you ads, which is of course the business that Google is in. Well, they had evidently agreed with some of these states to no longer do that, or to adjust how they would do that, and they kept on doing it. And they made it hard for people to know how they were doing it.
Dave Bittner
They made it hard to find the ways to turn it off. And so the states went after them. And what's remarkable here is that you've got 40 states and these 40 states are not politically aligned on many things.
Graham Cluley
Well, who else is gonna be doing the programming in there now?
Carole Theriault
Yeah.
Dave Bittner
Right.
Unknown
Interesting.
Dave Bittner
You've got, yeah. But they found a common cause in going after Google for $400 million.
Graham Cluley
Well, there's the incentive, isn't it? That's the prize. Who cares about the politics?
Dave Bittner
Yeah.
Graham Cluley
It's like, oh, we can get $400 million. I mean, I imagine those states aren't gonna then deal out the $400 million to the people who live in those states, are they? What are they planning on? Carole? I think, well, I think—
Carole Theriault
Here's your 20p.
Graham Cluley
No.
Carole Theriault
Here's your 20p.
Dave Bittner
And it's not really a lot of money to any individual state. For example, $15 million goes to Oregon, like $12 goes to Nebraska. So it's not going to make a big difference to any of these states' bottom lines. But as part of the agreement, Google is going to change their wicked ways. Hang on, have we been here before?
Graham Cluley
Weren't they told last time to do that? And now they've been fined $400 million, but now they're really, now they're really promising to do it, are they?
Dave Bittner
Well, right. Trust us this time. What's funny is in Google's response here, they say, the investigation is based on outdated product policies that we changed years ago. So nothing to see here. We dealt with that a long time ago and we're just going to give you this money because it's a nuisance and we want this to go away and that sort of thing. So to your point, to what degree do we believe that Google has really changed their ways here? I certainly am going to remain skeptical. This is not the only lawsuit that Google has faced here. They settled with Arizona back in October for $85 million.
Carole Theriault
This is chump change for them. I'm looking here. A search on Google says that Google's net worth as of May 2022 was $1,135 billion.
Dave Bittner
Yeah. This article points out that they made just under $55 billion just in the third quarter of this year.
Carole Theriault
Right. So its toilet paper costs are probably higher, right?
Dave Bittner
It's not going to affect Google's day-to-day operations, but I think as the largest privacy settlement ever, it does draw attention to it. And I think it puts other companies on notice that the states are willing to band together and go after them. The other thing that this points out is that here in the US, we have no federal privacy regulation yet. So because of that, the states have to join together if they want to see anything happen. And that's what we're seeing. So as part of this, there's a call from the states themselves saying, hey, you know, feds, do something here. We could use a little help. We shouldn't have to do this on our own.
Carole Theriault
Oh my God, maybe Google could save everyone by being a common enemy. I almost said enema there, which is really interesting.
Graham Cluley
I think Facebook have got the common enema role at the moment. Carole, what have you got for us this week? All right. Yeah. Okay.
Carole Theriault
You know, we're all suffering from heated inflation, right? It affects food costs, petrol costs, house prices.
Graham Cluley
Yes.
Carole Theriault
And we're fast approaching our 300th episode. So what happens after that? Where do we go from there?
Graham Cluley
Like 301? Yeah.
Carole Theriault
Okay.
Graham Cluley
Exactly. Not rocket science.
Carole Theriault
The thing is, with our skill set, the three of us, I think we could walk away in sexy Louboutin knee-high boots with a few million to spare each. And before you ask, of course, we'll split it super fairly, right? 30-30-40.
Graham Cluley
Okay. Yeah, sounds fair. Yeah, sure.
Dave Bittner
Sure.
Carole Theriault
So it's all about real estate. Real estate is where we're going. Okay. And people, it seems, are desperate to either move from their current house or just to get their foot on the housing ladder. And this has been going on for more than a decade. Problem is there aren't enough houses out there to go around, right? We saw this ourselves, 2021-2022, where house prices went through the roof and even the rental market was insane. I heard renters having to prove that they could front 12 months' rent before they could sign the lease, or, you know, houses being sold only to cash buyers, right?
Graham Cluley
Yeah, yeah, yeah.
Carole Theriault
But what if we could locate houses in this hot, hot housing market— nice, beautiful, expensive houses— and then show them to prospective buyers and maybe even hold a few open houses, right? Yes, I could maybe be the greeting person, right, showing them in.
Dave Bittner
Yeah.
Carole Theriault
And I'd hand over to you or Dave, right? Graham or Dave, one of you would do the house tour. Maybe I should test you out in this role a little bit.
Graham Cluley
All right. Okay. Yeah. All right.
Carole Theriault
I've included a picture in our shared document of an interior, and I want you to try and sell it to our listeners as though they were prospective buyers.
Dave Bittner
Graham, you choose which one you want to do, and I'll do the other one.
Graham Cluley
Yeah, I think I'll do the one in the picture beneath. So maybe if you go first, Dave.
Dave Bittner
All right. Well, this is a lovely, cosy home.
Carole Theriault
All right. That's pretty good.
Dave Bittner
It certainly reflects the previous owner's eclectic taste in art and furniture. This is an opportunity for any buyer to make this place their own by putting their own mark on it. This is priced to sell. A bit of a fixer-upper, but I think anyone who's quite handy will find themselves with a real opportunity here to polish this gem of a home and make it their own.
Carole Theriault
Yeah. All right, so back to my little scheme here. So we get, you know, we're gonna get lots of interest because we're the dream real estate team, right? And we're offering houses at rock bottom prices, right? And we get some bids in. So we're doing these little shows, these open houses. And this is the clever bit. This is where we get to make some manga. We accept more than one bid even though we tell each of them that they're the only ones who are the lucky ones to own this beautiful, beautiful house. Yeah.
Dave Bittner
So we're taking down payments or deposits?
Graham Cluley
Yeah.
Dave Bittner
Wow.
Graham Cluley
What, 750?
Carole Theriault
Yes. So the money would be apparently rolling in. Okay, guys, guys, guys, you have to huddle, huddle, huddle, huddle, because I have learned of a way for us to make some serious money. And they got their employees to open up bank accounts to shove the money in and then told their employees, take the money out and put it somewhere else. The money trail was horrific because it was just scattered everywhere, like a spray gun.
Dave Bittner
Not the most clever money launderers in the world.
Carole Theriault
A few weeks ago, Adolfo was sentenced to 9 years in the clink in the Central District of California. But I'm sure he's not as clever as we three. Not this chump change that you're talking about, some serious money. So can you see a way not to get caught in this scam?
Dave Bittner
The version I've seen of this scam that I think is probably a little more common has to do with rental properties, right? So because in that case you've got people who are coming in from out of town, so they're looking at a place like Craigslist, for example, right? So I take someone's rental listing, I clone it, stick it up on Craigslist, say, look at this beautiful place here, it can be yours for the low, low price of whatever. Someone contacts me from out of town, they say, this is perfect for me. I say, terrific, send me the first and last month's rent, and the keys will be waiting for you when you get here. Boom, scam done.
Carole Theriault
And people are willing to put the money forward before they sign anything?
Dave Bittner
Doesn't matter if they sign anything. Yeah, I mean, I can send you all the fraudulent paperwork in the world. I'm already— I'm all in on the crime part, so that doesn't bother me at all.
Carole Theriault
Yeah, yeah.
Dave Bittner
But what happens is the people come to town with their moving truck. Yeah, they knock on the front door to get the keys and there's someone else living there. So here they are, all of their possessions in a van, expecting to walk into this place they're going to live in. Someone else is living there and they have nowhere to stay, and someone has taken off with their several thousand dollars of first and last month's rent.
Carole Theriault
So that's— yeah, so what's different in this one is because it's a purchase, they would get the deposit and then they would say, oh, there's trouble with the processing because it's a short sale, we'll get there, there's trouble, trouble, meanwhile just shoving that money into different personal accounts all over the place.
Dave Bittner
Yeah, it seems like the one with the sales is more elaborate and potentially more money per hit. Yeah, but also more complex because I suspect, as we've seen, it's probably easier to get caught.
Graham Cluley
So I'm wondering, as a homeowner, what I can do to avoid having my house sold when I pop out to the shops, or if these scammers come around, you know, while I'm on holiday.
Carole Theriault
Your house isn't sold in this case, right?
Graham Cluley
Well, well, no, but what I don't want, what I don't want is some poor innocent person paying money for my house, right? So I'm trying to think of ways in which I can make the house tour less successful.
Carole Theriault
Just shit in every corner.
Graham Cluley
Well, you know, Carole, that's, that's what I was thinking. I was, I was—
Dave Bittner
Wow.
Carole Theriault
I was—
Graham Cluley
No, but I'm not sure that'd be nice to permanently arrange in the house, but I was thinking if you just had one bathroom, which you never entered because you had prepared it. But on the tour, that would be the one which they'd go into and be like, oh gee.
Carole Theriault
Would you not buy a house because there was a log in the loo?
Dave Bittner
We did. You know what? We sold a house once and the—
Graham Cluley
We sold the log.
Dave Bittner
No. When I was 13 years old, we sold a house, and the people who bought the house, one of the requirements was that we had to replace every toilet in the house because they did not want to do their business in toilets that other people had done their business in. True story.
Graham Cluley
Yeah. Fair enough. Fair enough. You spent all that money.
Dave Bittner
I mean, yeah.
Carole Theriault
So did you really, or did you just change the seats or give them a wipe?
Dave Bittner
No, no, they changed. They swapped them out. They swapped them out. I remember my father and my grandfather did, you know, they were handymen and they did it.
Graham Cluley
So did you put the used ones on eBay?
Dave Bittner
We left them on the front lawn as planters.
Graham Cluley
Yeah. Show sponsor Pentera is taking a whole new approach to penetration testing, allowing every organization to continuously test the integrity of all cybersecurity layers, including against ransomware and leveraging leaked credentials, by emulating real-world attacks at scale all day, every day. This approach helps security teams across the globe to cope with one of today's top security challenges: the growing digital footprint of the enterprise. To help out, Pentera security experts are sharing with us a few tips on how to identify your exploitable attack surface. So here is tip number 1: Pentera recommends always taking the adversarial perspective. The best way to find exploitable vulnerabilities is to, well, exploit them. From here, security teams can hand over remediation requests to IT that are based on true business impact. Find out more by going to smashingsecurity.com/penterra, that's smashingsecurity.com/penterra. And thanks to Pentera for sponsoring the show.
Dave Bittner
Pretty good.
Graham Cluley
Looks nice.
Carole Theriault
You didn't do the Einar Garten thing of oh, can you imagine sitting on this sofa? Wouldn't it be amazing?
Dave Bittner
Picture yourself. Yes.
Carole Theriault
Smashing Security listeners, did you know that Bitwarden is the only open-source cross-platform password manager that can be used at home, on the go, or at work? Bitwarden's password manager securely stores credentials spanning across personal and business worlds. And every Bitwarden account begins with the creation of a personal vault, which allows you to store all your personal credentials. These are unique and secure passwords for every single account you access, and it's easy to set up. It's easy to use. I honestly love Bitwarden. Okay, Graham, you go. I use it at home, use it at work, use it on the go. Get started with a free trial of a Teams or Enterprise plan at bitwarden.com/smashing. Or you can even try it for free across devices as an individual user. Check it out at bitwarden.com/smashing. And thanks to Bitwarden for sponsoring the show.
Graham Cluley
I was going to say picture yourself on some hellish moonstone sofa. Escape somewhere on a moon around Saturn. Here you are looking, gazing beautifully at this cubist monstrosity. It looks like a robot dog vomiting into a bowl. It's angles, it's glass, it's concrete, it's—
Carole Theriault
Do you see the bathroom there? There's a bathroom.
Graham Cluley
Is there a pool? Oh, that's a pool, is it? That's a pool. No, right? Does it? The challenge with endpoint security has always been that it's difficult to scale. And when remote work took over, that challenge got exponentially harder. You need visibility into your fleet of devices in order to meet security goals and reduce service desk tickets. But how do you get that visibility when different parts of your company run on Mac, Windows, and Linux?
Dave Bittner
Yeah, that is a pool.
Graham Cluley
Well, you get Kolide. Kolide is an endpoint security solution that gives IT teams a single dashboard for all devices, regardless of operating system. Kolide gives you real-time access to your fleet's data and can do things that traditional MDMs can't. And instead of installing intrusive agents or locking down devices, Kolide takes a user-focused approach that communicates security recommendations to your workers directly on Slack. You can answer every question you have about your fleet without intruding on your workforce. Visit kolide.com/smashingsecurity to find out how. If you follow that link, they'll hook you up with a goodie bag just for activating a free trial. That's kolide.com/smashing, and thanks to Kolide for supporting the show. Oh my goodness me. So how can I describe this? I've never seen anything like this outside of a science fiction movie. And welcome back, and join us for our favorite part of the show, the part of the show that we like to call Pick of the Week. It looks like the least comfortable house imaginable. You will think that you are on a boat which is slowly sinking into the sea.
Dave Bittner
Remember the fairy tale about the crooked man who lived in the crooked house? That's what this reminds me of.
Graham Cluley
Yes. Yeah. Anyway, it is extraordinary. Would you want to buy it? No, I don't think so. But if you found a crypto millionaire, you had someone who's made a lot of money in a very silly fashion, I think they are the sort of people who'd have a lot of money to burn and might be interested in a house like this.
Carole Theriault
Graham, I'm sorry, you fail on this because that would not make me want to buy any of these houses. Dave, you're doing that. Yeah, Graham, you can run around with the canapés and serviettes or whatever.
Dave Bittner
It's a bit
Carole Theriault
Pick of the Week.
Dave Bittner
Pick of the Week.
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
Dave Bittner
of a Bond Better not be.
Graham Cluley
It is. It is. Yeah.
Dave Bittner
villain house, I think.
Graham Cluley
Well, my Pick of the Week this week, not really security-related. It is a bit geeky though. It is a bit programmer-y. And I don't know, Carole, if you've ever encountered, or indeed you, Dave, whether you've ever encountered regular extortion. Regular expressions.
Carole Theriault
I looked up to get this.
Dave Bittner
Hmm.
Graham Cluley
In programming.
Carole Theriault
I searched for stupidest looking house.
Dave Bittner
That's when it came up.
Graham Cluley
I'm sure some of the nerds and the system administrators listening out there will have heard of these. It is a way of specifying a text search pattern, which can be handy if you're looking for text or want to check that text entered onto a form is valid. So for instance, if you wanted to check on a form that a phone number had been entered correctly, you might look for a certain number of characters.
Unknown Guest
Okay.
Graham Cluley
Maybe a certain number of characters. And you may say, well, we want zeros and ones and all the way up to 9. Oh, but hang on. Oh, hang on. Are we going Sometimes people put brackets around sometimes the area code or sometimes people put dashes in, but you definitely don't want a Z in there and you don't want all this. Now to do that, to do that syntax checking to make sure it's correct is actually quite a complicated process. And this is why regular expressions were devised. to get more than one person And they can do all manner of things. It's an incredibly powerful way of using a computer. So if you had a file and you wanted to find every line in the file that contains the word Elon when it is close to the word cockwomble, but not when it includes the phrase is not a, then—owner of Starlink. to buy our house?
Carole Theriault
Deposits. But maybe we can actually convince people to give us all their money because, you know, this is a very, very competitive market and you want to make sure you've got this. Maybe don't just leave the deposit. Why not pay the whole thing since you've got some cash? Right.
Graham Cluley
Yeah, and they are lovely canapés after all, so why wouldn't You would write a regular expression to do this. Now, that kind of thing, I think you'll agree, isn't very easy to do inside Microsoft Word. You'd struggle with that. you do that?
Carole Theriault
The paperclip can help. That's right. All right, and the way we would do this, of course, we would just simply list them on real estate websites and market them as short sale opportunities, right?
Graham Cluley
Maybe, maybe not.
Dave Bittner
What if I was looking for the phrase "Welcome DataComp"? Yeah, right, right.
Graham Cluley
Now, the only problem is that regex, as it's known, or regular expressions, they have completely unintelligible syntax. And when I say completely unintelligible, it will be easier for you to learn Klingon than for you to learn regex.
Carole Theriault
Because the thing is, maybe these houses aren't even actually for sale. Maybe the owners have no fucking idea that you're doing this.
Graham Cluley
So to validate a US phone number, for instance, it would be like chevron forward slash bracket star forward slash D curly bracket 3 close bracket 3 forward slash. I'm not going to carry on. Are these on Airbnb or something? This is riveting. Right.
Dave Bittner
No, no, no.
Graham Cluley
So, I know.
Dave Bittner
I can't wait to see where this is going.
Carole Theriault
They're on real estate, you know, Yeah, I'm editing this bit as well. Is that going to land?
Dave Bittner
You're going to land it, Graham. You're going to land it.
Graham Cluley
So I've spent months of my life running a website, sometimes needing a bit of regex, a bit of regular expression. And it's just a nightmare. It's a nightmare. And that is why I am pleased to announce that my pick of the week is a website called thetypingoftheregex.com.
Carole Theriault
whatever. I don't know, WebPro or
Graham Cluley
The typingoftheregex.com, which is an online game. Where it will give you regex challenges. It will give you some words, a clump of text and some words. All you have to do is write the regex to find the word.
Carole Theriault
whatever the real estate—
Graham Cluley
That's all you have to do. Just get the syntax right. And if you're a nerd or if you're a sysadmin or if you're a programmer or if you're a guy with a neckbeard, this probably is something you're going to be able to do in your sleep. I can't get past about level 3.
Dave Bittner
Redfin or— Yeah.
Graham Cluley
It's utterly impossible. And it's done against the clock as well. And I would love for our nerdier listeners to go to thetypingoftheregex.com and tell me what level they managed to get to. And that is my pick of the week. No, but in order to do a house tour, is it the case that the scammers have rented the house for a weekend and are pretending it's theirs?
Carole Theriault
Oh, very clever, Graham. So we're not exactly clear. So that was a bit scuffy in the news reports I saw. So I didn't see, but I was thinking they might go up and go, hi, we're from Architectural Digest. We love your house. Can we do it? You know, could we do a show here and do some— we'll have the house for a few days. Or maybe we're filming a movie here, right? Filming a movie. So a movie scene, or yeah, Airbnb. Why not? So they've totally done social engineering to get the houses from the owners so they can do these tours. They're collecting money. We're collecting money from— you can tell that this has actually happened, right? We're following someone else to do this, but they got caught. So this is what I want to know from you. How do we get out of this? So the hiccup is the people that tried this before, Adolfo Chonicky, he's a middle-aged guy and his sister Bianca. They tried this in South Bay, USA earlier this year. Adolfo pleaded guilty to federal criminal charge for participating in this with his sister. And it involved listing homes without the owner's consent and collecting the money from multiple would-be buyers for each of the not-for-sale homes. So how much money did he manage to make? Apparently collected $12 million from 750 victims.
Dave Bittner
Wow. That is specialized. Yeah.
Carole Theriault
I feel like I've just moved to Mars.
Graham Cluley
Have you tried the website? Have you tried playing the game?
Carole Theriault
No, I don't even know how to type it.
Dave Bittner
No, because she has a life. Yes! Because she has dignity and self-respect.
Carole Theriault
I can't! I don't even know what you're talking about. I'm sure it was very interesting.
Graham Cluley
It's a beautifully presented website. It's just a shame that the game is impossible.
Carole Theriault
Oh, it's a game? I didn't even get that. What?
Graham Cluley
Oh, God. There are gonna be people who will go crazy for this, trust me.
Carole Theriault
Okay, well, let's crack on. Yeah, let's crack on. We'll trust you.
Graham Cluley
Okay, Dave, what's your pick of the week?
Dave Bittner
Well, my pick of the week is a Twitter account, in the waning days of Twitter. It's something that I enjoy. It is called Fesshole, F-E-S-S-H-O-L-E. And it is a place for people to confess their sins anonymously, to see if the internet will absolve you. It is very British, evidently comes from your side. And you can tell by the way that the confessions, they talk about things like loos and, you know, cars having bonnets and things like that. So you can tell it's British, but quite funny. And it's exactly as described. It's people who are anonymously confessing horrible things that they've done, or they've been thinking about doing, or things they're thinking about their loved ones. And some of them are heartbreaking, some of them are hilarious. There's a whole gamut of things. So, I thought it would be fun, as a demonstration of this, how entertaining it could be, I emailed both of you ahead of time, and I asked you to go on Fesshole and choose two confessions for the other one to read. So, Graham, you have chosen two for Carole. Carole, you have chosen two for Graham. Neither of you know ahead of time what the other one is going to read. So we'll all be experiencing this live on the show as it happens. And so why don't we start off with Graham? You have your picks for Carole. She just pasted them into our show document here. Start off with the first one here, Graham. The floor is yours.
Graham Cluley
Well, I was going to confess that I had a very poor pick of the week, which the rest of the team were very impressed with, to do a regular expression. But instead, okay, so this is a confession that Carole has shared with me. All right, so Fesshole, it says, 3 years ago, I pre-programmed 15 different love messages that an automated script sends to my wife every week, telling her I love her or that she is the light of my world, etc. I always forget that they're sent, but she answers back every time, grateful that I'm thinking of her. That's actually really quite clever, isn't it? I think that's quite—
Carole Theriault
I thought you would enjoy that one.
Graham Cluley
Yes. That's quite tempting.
Carole Theriault
Put that in your back pocket. Yeah, yeah. I just think 15 is not enough. I think I would notice. I used to have one of those dolls when you're a kid, you know, that you pull the string on the back of the doll and it would go, "I love cookies!" or whatever it would do. And it would be about 10 or 20 different things it said, and within 4 hours you're dead bored. You're pulling that string non-stop just to get to the one funny one, you know?
Dave Bittner
Yeah, yeah, yeah. Let's kill your sister.
Carole Theriault
Holy crap, Dave.
Dave Bittner
All right, so you chose another one. What's another one here, Graham? Go ahead.
Graham Cluley
Oh, okay, so another one from Carole. As a hormone-ravaged 12-year-old, I would scratch away at the pictures of women in lingerie in my mom's catalogues thinking it would reveal the lovely 1980s bushy front bottoms underneath.
Carole Theriault
I love that. That's an English expression, front bottom. I love it.
Dave Bittner
Front bottoms. That's a new one to me.
Graham Cluley
Yes. As opposed to a fanny pack.
Dave Bittner
Yes. Yeah, I was going to say, I only recently learned that the two sides of the pond have very different impressions of what the word fanny means.
Graham Cluley
Yep. So I, by the way, I never perused the lingerie catalogs. I was rather more sophisticated. I remember I used to look up in the encyclopedias pictures of ancient Greek and Roman statues. That's where I got all my kicks from.
Dave Bittner
Yeah. Yeah, I think I was more of a National Geographic guy myself, you know. All right, and the second one. Always— oh my God. All right, Carole, so Graham has selected two for you here, so why don't you start off with that first one there?
Carole Theriault
"As a guy in my early 20s, when I'm at a public urinal next to an older gentleman, I try to go as fast as I can to make him question how well his bladder is working nowadays, even if it means finishing a tad too early sometimes." What does that mean, finishing a tad too early?
Graham Cluley
Oh, you're very lucky not to know, Carole. Does that mean you put it away and it's—
Dave Bittner
You're not done? Exactly. Yeah, yeah, yeah.
Carole Theriault
Dribbling and all that stuff. Oh, nice, nice.
Dave Bittner
Yeah, I'm telling you, the aging process is a series of accumulated indignities.
Carole Theriault
Yeah. So I've used this Twitter site before for sticky pickles, of course, because there's some lovely— yeah, it was Ollie, a friend of ours, actually a previous guest on the show. He pointed it out to me a few months ago. So it's a secret weapon for sticky pickles. Very good.
Dave Bittner
Very good. Yeah, I categorize it as a guilty pleasure and it's one of the reasons I hope Twitter stays around, but who knows, maybe they have a Mastodon account, but anyway, check it out. Fesshole over on Twitter is my pick of the week.
Graham Cluley
Fabulous. Yeah, good one. Carole, what's your pick of the week? Keep it clean. My pick of the week is brand new podcast, a brand new podcast, and it's called If Books Could Kill. And the strapline is "airport bestsellers that captured our hearts and ruined our minds."
Carole Theriault
And they show, through an about hour-long episode, how they fall way short of the mark they're purporting to be taking. So these are kind of like sciencey books, right? Books that are saying we've done some research and this is the factor. Malcolm Gladwell's Outliers was basically— the big thing was 10,000 hours it takes to make someone an expert in something. And they kind of say this is all bollocks, and I'll show you why. And it's quite a fun show. Now it's co-hosted by Peter Shamshiri. He's a lawyer and a co-host of Five Four Podcast. So he's outside my echo chamber. He's new to me. But it's also co-hosted by Michael Hobbes. He's of BuzzFeed fame, and he does two other podcasts called Maintenance Phase and You're Wrong About, two that I'm very familiar with.
Graham Cluley
Oh, these people who are on lots of different podcasts, it's terrible, isn't it, Dave and Carole?
Dave Bittner
Oh, shameful. Yeah, who has time for that? It strikes me, Carole, that perhaps the name of this podcast should be Well Actually.
Graham Cluley
I Think You'll Find. I Think You'll Find. I think, I think, I think you'll find. Yeah, totally.
Carole Theriault
And it's really interesting because all the podcasts that Michael's been involved with all seem to have a kind of vibe through them where they revisit events or movements or books of the past, and then look at it with, you know, 10 years on, highlighting flaws, bad behavior, whatever. Because there's more research on them, I guess. I do have a total frush on Michael Hobbes. Thrush? No.
Graham Cluley
You have a total thrush on him?
Carole Theriault
A frush, a friend crush.
Graham Cluley
Oh, right. Okay.
Carole Theriault
I really want to be his friend. I want to walk in a park with him. As we flesh out recent findings about whatever we're researching, and then we can suck back, you know, some flat whites. But he doesn't know I exist, so, you know.
Graham Cluley
Oh, so this is why you're talking about his podcast. You're gonna probably tweet him or something, say, hey, we talked about your book.
Carole Theriault
Oh yeah, I'm totally gonna do that. I'm totally jumping on Twitter right away. That will get me through my Twitter hoop. I know, I was just thinking his loss, actually. The thing is, is I was a total sucker for these Right? Pre-streaming era. What else is there to do if you're stuck at an airport, right? Or in a plane but read something? And I love these airport books with the little science penchant, right? And I would drive my husband and friends mad. I'd be reading a chapter and going, "You won't believe what I just learned because did you know?" And I would just wax lyrical drinking this stuff like Kool-Aid because I'm not sciency and I just assumed they had done their homework. Turns out not so much. So if you're interested, me, you can go check out the podcast. It is called If Books Could Kill. It's a great title, I think. I like it. And you can find it wherever you get your podcasts. All right.
Graham Cluley
I don't know.
Carole Theriault
I couldn't care less if you listen to it, actually, Clue.
Graham Cluley
Well, no, no, no, no. What I'm thinking is they're sort of standing on the sidelines saying, oh, oh, this book's rubbish. This is what I'm trying— it's, oh, who's to say someone's not going to write a book saying, well, actually, actually, I think you'll find that your podcast is incorrect. It's very easy to urinate on Malcolm Gladwell, isn't it, from a great height?
Carole Theriault
Yeah, and it's really easy to urinate on Elon Musk too, isn't it?
Graham Cluley
Well, yeah, he does make it easy.
Dave Bittner
Well, and it's not the Freakonomics folks were acting in bad faith trying to deceive people. I think they were using the best information they had at the time to put together the things they had.
Carole Theriault
I would listen to the podcast and see what you think. I'm not saying nothing. Everything's provisional.
Dave Bittner
I'm not saying nothing. Everything's provisional.
Graham Cluley
Anyway, Carole, you've been chatting with the chaps from Penterra this week, haven't you?
Carole Theriault
Yes, Shakel at Penterra, and he describes their whole service and why it works. Take a listen. So listeners, today we have Shakel Ahmed, or Shaq, as I know him, because, Shaq, we used to work together a while ago.
Unknown Guest
Yes, we did indeed. Nice to meet you again virtually. I know, it's so fun.
Carole Theriault
So, Shaq is a senior sales engineer team leader at Penterra, and I thought we should start with you first. So, maybe you could give our listeners a bit about your background and how you ended up at Penterra. Yeah, sure.
Unknown Guest
So, I started in cybersecurity back in 2006, and I believe that's when we sort of crossed paths working for the same company. And from there, I worked in that space, mainly looking at EDR endpoint. So looking at interesting scenarios around malware and from a defensive control perspective. What does EDR mean? EDR, endpoint detection response, or what we used to traditionally call antivirus, and it evolved into something a bit more than just protecting against malware or viruses. So just looking at malware in many different aspects from a behavioral point and then integration into other areas of your control stack. And then, yeah, about 12 years, I think I was there at Sophos and then was looking for another opportunity. And then Penterra came by a couple of years ago and sounded really interesting, very different to what I'd done before because it's looking at it from offensive security perspective. So for us, it's about challenging your cyber defenses and being able to look for the gaps. And those gaps could be anything, right? It could be a failure to detect something. It could be a misconfiguration. It could be a policy that perhaps, you know, allows an attacker in. So we'll talk about misconfiguration on the network, things like lateral movement. But overall, you know, it's looking at security holistically, being able to challenge your defenses, find the gap, and then exploit it in some way.
Carole Theriault
That's a really interesting approach, right? So it's we all have, say, physical protections. We lock our doors. Some of us have alarm systems, we have lights, all these kinds of things. But what you guys are doing is actually saying, let's just see if those things actually work to keep people out because maybe you've made a mistake somewhere, maybe you've not thought of a route in that lots of cybercriminals use. Is that what you're saying?
Unknown Guest
Yeah, exactly right. So for us, it's also about automation with the ability to automate these tests or what we call scenarios. It allows us to be able to scale across the entire organization. So imagine, you know, a typical organization, you may have 500 employees, you may have multiple devices, endpoints, or end-user devices, your laptop, your desktop. You may also have servers in a data center, and some of those might sit in a data center somewhere, some of those might sit in public cloud, in AWS, in Azure. Yeah, exactly. And I call it the perfect storm. So for me, if we sort of visualize that we've now got some sort of credentials in order to then propagate an attack, I perhaps need to drop a file of some sort or a payload. I might need to find some privileged account so I can start using William as a user to try and hunt for other credentials on the network. I've got some sort of privilege or permission on the network now. I'm behaving like this user, but I was saying, is there a way for me now to run additional attacks? Because Windows stores credentials in a lot of different places. And what we are doing is looking at all of that infrastructure at a network level and at an operating system level, and it allows us to be able to run these kind of tests very quickly and at a large scale and find the outlier. And for us, sometimes the outlier might be that one system that somebody forgot about that isn't being configured or hardened according to best practice, according to all of the things that you should be doing. You may have a tick box to say, yes, it must have this configuration, it must have this software installed from a security point. And so for us, when we're stress testing those kind of networks, we're able to throw multiple attacks at the network. And the important thing is that we do this in a safe way. So we use all of these common attacks to say, can I get a higher level of privilege, potentially domain admin? It could be a local admin. 
It could be some sort of privilege escalation and then move further into the network. So, you know, a bit like a spider web, can I expand that? Can I get further and find something more interesting as a prey? Yeah, but we have dependencies for any kind of attack. And when people think about a vulnerability, they think, okay, I have an operating system or I have a network, it has a vulnerability. So safety is a key part of this, and a lot of our customers run Penterra in production. The code that we run is designed not to disrupt systems, not to disrupt end users, but at the same time, it allows us to prove a point that we were able to drop some sort of payloads onto a device, find something interesting. And for us, something interesting would be some sort of credentials. Those credentials could be stored in a process. So when we get into sort of the technical aspects of an attack and it's any kind of attack, let's say post-exploit, so once somebody has a foothold on a machine is, can I find some credentials that allow me to reach the crown jewels? Now, from an attacker's perspective, that vulnerability doesn't really mean a lot. It means that it may get me some sort of foothold on the network, right? But ultimately I want to get to something interesting, some important data, right? And especially when we talk about the world of ransomware, it means now that can I find some data that I can start encrypting as part of a ransomware attack? So we have a particular scenario that allows us to, for example, emulate a ransomware attack. But what we can show is lateral movement from point A to point B to point C, and we don't stop, right? We continue as far as we can as an attacker and see what's the maximum damage that we can create. And the crown jewels means that I might be looking at things like lateral movement. 
So can I now imagine, and in a typical scenario that I run in the demo environment is where we have a user called William, and we've seen his credentials floating around across the network. So we are looking at that traffic and we find a user hash. Now as an attacker, there's a number of things that we can do, which is one is pass the hash or impersonate that user, and the other is to take those credentials and then see if we can impersonate that user, see if we can open other doors across the network. And again, all because it's run safely, it's just proving a point that we can move around the network, we can obtain user accounts, we can access data. And then it becomes quite scary suddenly, very quickly, especially when we run this with a lot of our customers. For them, it becomes an eye-opener because traditionally, I guess, from a security hygiene perspective, people think about the obvious things, which are, let's make sure there's a firewall, let's make sure we've got good antivirus or EDR. Let's make sure that everything's updated and patched. But from an attacker perspective, even if you have all of those things in place, great, it makes it a bit harder, but there are other interesting avenues to explore from an attacker perspective that occurs at the network level, in terms of how you're detecting an attack, first of all.
Carole Theriault
Okay. "Embittered by having to work night shifts, I roam through the offices turning all the toasters up to 10. So far, two fire alarm activations and mass evacuations. Give the day shift a reason to get off their fat arses and take the shine right off the whole grain bagels." I like that one.
Carole Theriault
That's almost like a spider. You want the biggest web you possibly can have to munch up on all the goodies that you can come across. I love that though. I really love that you are effectively thinking like an attacker, it kind of gives you a different breadth of how to approach this type of scenario. And it's eye-opening, I'm sure, because there's a lot of people out there that create very good software but don't necessarily have that approach or that expertise of how is someone going to actually worm their way in.
Unknown Guest
Yeah, well, I guess what the really interesting thing here is that when we run these scenarios, how can you prove that that update, that patch, or that software has been deployed to every system on your network? So for us, going back to this example of finding the outlier as an attacker, that's what we're doing. We're finding that lapse in security. And we've done this with customers that are running the best-in-breed EDR endpoint antivirus, right? You name it. Smashing Security, but we managed to propagate a ransomware attack on one of their servers. And so when we looked at it further and we went in to understand why, and it was a really simple case that somebody had forgotten to deploy the software to that particular server. So it can be as simple as that, right? And that's what the attacker's looking for is they're looking for that one mistake. Somebody forgot to deploy or for whatever reason it got left out. And in some instances, it can be things like the software is broken. How do you guarantee that the software is working across your entire estate? So this is where the ability to continuously test and test at scale means that you get to find these kinds of misconfiguration and policy that may not have been applied. Somebody assumed it had and it hadn't. So it's about being able to mark your homework in some sense from a cybersecurity perspective. We call it purple teaming. Purple teaming really is enabling the defenders to test their own security and make sure that they've done everything that they should have, 'cause it's humanly impossible to go and audit everything. So when we have a platform like Penterra that allows us to scale across the network and check all of these things, it becomes really powerful in validating that you've done all the right things. Totally. What I'm hearing you say is you're really literally only as strong as your weakest link because that weak link is so valuable to an attacker. Yeah, absolutely. 
And yeah, I mean, it goes back to this idea that you need some sort of mechanism to be able to stress test those things and find the anomalies, the problem systems.
Carole Theriault
So, Shaq, before we close, why don't you tell us about your one-day challenge? Yeah, absolutely.
Unknown Guest
So, we have this interesting concept in the UK, we call it a one-day challenge, traditionally, you know, as a proof of concept. And we help a lot of organizations in spending a day with them, running through these scenarios. So, you know, we start in the morning with doing a sort of a scenario where we'll do a baseline of scanning the network and really showcasing the capabilities of the platform in, rather than taking my word for it, to show you in your environment what it looks like, right? How we go about as an attacker finding these things and then proving also the safety aspect of how we do it. As we said, right, that our researchers spend a lot of time in making sure that that code is safe to run, it doesn't cause harm. So we have a central sort of tenet that is do no harm. And we really help bring it to life, right? You know, what an attack looks like. And sometimes it's really interesting in that we've, you know, we've done this kind of one-day challenge with customers and we've propagated or run a ransomware attack, for example, and then their alert mechanisms, and it might be a SOC team or whoever's monitoring these things, picks up on it, you know, a few hours later and they say, oh, you know, one of the security teams got a call and said, it looks like you've had an attack of some sort. It looks like ransomware. And for them, for the customer, you know, where we're running these kind of scenarios, it's interesting in that, you know, we're spending all of this time and effort in trying to monitor and detect attacks, but it sounds like the attack has happened and then, you know, we get notified. So this becomes a tuning aspect of your security as well because the response is just as important, right? You want to know when something bad is happening, but how good is that response and how quick is that response? 
And do we now need to tune our controls and whatever we're using to measure an attack, does it need some sort of tuning to be able to pick the right things up during an attack? And we can obviously show each stage of that attack, and from a transparency perspective, so you can then measure that against your controls and say, okay, you know, at this stage we found some files, at the next stage we encrypted them, then we created some sort of remote connection to a bad known server. So all of that telemetry, you know, gets fed in and you can use that as a way of being able to measure where the failure or the lapse in your control and response mechanisms isn't working.
Carole Theriault
Yeah, so I think it would sound fascinating to try and see that and just test the systems and set up a scenario. So listeners, if you think so too, you can go to go.pentera.io/smashing, and there they'll have free demos. You can read about Pentera's approach, what some people call the most perfect continuous vulnerability scanner. So, you can find out for yourself at go.pentera.io/smashing. And Shakel Ahmed, Senior Sales Engineer, Pentera, thank you so much for chatting with us.
Unknown Guest
Thank you.
Graham Cluley
Thanks for having me. A pleasure. Fabulous. And that just about wraps up the show for this week. Dave, I'm sure lots of our listeners would love to follow you online and find out what you're up to. What's the best way for folks to do that?
Dave Bittner
Well, for the moment, I'm still over on Twitter. It's @Bittner, B-I-T-T-N-E-R, but who knows how long that's going to last. Everything else I do is over at thecyberwire.com.
Graham Cluley
And you can follow us on Twitter at the moment, @SmashingSecurity, no G, Twitter allows to have a G. And that's one of the reasons why we've now created a Mastodon account where Smashing Security does actually have a G. But being Mastodon, it has a really complex, long name. So you best go, I think, to our website or to our show notes to get the link for that. And we also have a Smashing Security subreddit. And don't forget, if you want to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Google Podcasts.
Carole Theriault
And massive shout out to our episode sponsors, Kolide, Bitwarden, and Pentera, and of course to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list, and the entire catalog of more than 297 episodes, check out smashingsecurity.com.
Graham Cluley
Until next time, cheerio, bye-bye, bye!
Carole Theriault
Bye-bye. And we have a treat for you for episode 300. Not telling, not telling.
Graham Cluley
Yeah, it's just been arranged, hasn't it?
Carole Theriault
Yes. By me? By me?
Graham Cluley
Okay, Carole. Yes, by you.
Carole Theriault
What? What? I don't even get it?
Graham Cluley
No, no, you can have the credit.
Carole Theriault
So let me get this straight. I come up with the idea, I sort out the idea, I schedule the idea, and I can get the credit? Okay.
Dave Bittner
I haven't seen my invite yet, so I'll wait for that.
Carole Theriault
Come on, $298 is pretty good.
Dave Bittner
Oh yeah, oh yeah.
EPISODE DESCRIPTION:
Elon Musk is still causing chaos at Twitter (and it's beginning to impact users), are scammers selling your house without your permission, and Google gets stung with a record-breaking fine.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire's Dave Bittner.
Plus don't miss our featured interview with Pentera's Shakel Ahmed talking about automating continuous cyber defence validation.
Warning: This podcast may contain nuts, adult themes, and rude language.
Pentera – Pentera’s Automated Security Validation Platform is designed to help teams increase their security posture against modern day threats across the entire attack surface. Evaluate your security readiness with continuous and consistent autonomous testing with granular visibility into every execution along the way.
Kolide – the SaaS app that sends employees important, timely, and relevant security recommendations concerning their Mac, Windows, and Linux devices, right inside Slack.
Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!