300: Interplanetary file systems, iSpoof, and don't delete Twitter

Why deleting your Twitter account may be a very bad idea, how the police unravelled the iSpoof fraud gang, and a trip into outer space (or at least interplanetary file systems).

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by original show co-host Vanja Švajcer.

What an amazing 6 years of bickering it has been… thanks to all of you who have tuned in, appeared on the show, or supported us! 🙏

Warning: This podcast may contain nuts, adult themes, and rude language.

Sponsored by:

  • Drata – Put Security and Compliance on Autopilot. Build trust with your customers and scale securely with Drata, the smartest way to achieve continuous SOC 2, ISO 27001 & HIPAA compliance.
  • Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
  • Kolide – the SaaS app that sends employees important, timely, and relevant security recommendations concerning their Mac, Windows, and Linux devices, right inside Slack.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a Patreon supporter for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Twitter at @SmashinSecurity, or on Mastodon, or on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Transcript:

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


GRAHAM CLULEY. Give thanks, men, to Leonidas and the brave 300!


CAROLE THERIAULT. To victory!


UNKNOWN. Smashing Security. Episode 300: Interplanetary File Systems, iSpoof, and Don't Delete Twitter with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 300. My name is Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And Carole, what a long journey it's been. 300 episodes. This podcast, which we on our own.


CAROLE THERIAULT. With no one's help.


GRAHAM CLULEY. Launched without anyone's assistance.


CAROLE THERIAULT. It was just the two of us.


GRAHAM CLULEY. Just the two of us. Wait a second.


VANJA ŠVAJCER. Wait a second. What about me?


CAROLE THERIAULT. That is the sweet, sweet voice of Vanja Švajcer, our very first trio. Or what is it?


GRAHAM CLULEY. An original founder.


CAROLE THERIAULT. An original founder.


GRAHAM CLULEY. He was there at the beginning of the threesome, but he couldn't last. He had no stamina. There's probably a lot of listeners who aren't aware that it wasn't just Carole and me way back when. There was this other chap, this man, oh, with the voice, the voice of the count.


VANJA ŠVAJCER. The person number 3 in the corner.


GRAHAM CLULEY. The goatee beard. Oh, yes. Yeah, the gravitas.


CAROLE THERIAULT. Welcome to the show, Vanja. We're very happy to have you.


GRAHAM CLULEY. Vanja Švajcer.


VANJA ŠVAJCER. I'm so very happy to be here once again and for this special occasion, of course. I mean, 300 episodes. I can't believe you made it so far. It's been what, 6 years?


CAROLE THERIAULT. Oh my gosh.


GRAHAM CLULEY. That's right.


VANJA ŠVAJCER. Yeah. I know because I watched the first episode yesterday. Well, not completely. When we were doing it all completely live from Google Hangouts to YouTube, insane.


GRAHAM CLULEY. Smashing Security 001. One cup, two hotel guests, and here are your hosts, Carole Theriault, Vanja Švajcer, and Graham Cluley. And, well, exciting time.


CAROLE THERIAULT. You're doing great, you're doing great. Carry on, it's really— it's riveting, it's riveting.


VANJA ŠVAJCER. You were so young, Carole.


CAROLE THERIAULT. I have never done it. I have never been able to watch that or listen to it. I never, I'll never be able to do that ever.


VANJA ŠVAJCER. It's quite an experience.


GRAHAM CLULEY. Well, Vanja, good of you to show up because let's be honest.


CAROLE THERIAULT. It's been a while.


GRAHAM CLULEY. There's a lot you haven't shown up to. A lot of episodes where—


VANJA ŠVAJCER. Yeah, I've been closely following your work and you've done a really good job. You made me proud. If it wasn't for this disappearance of mine, that was serendipity, right? You know, because if I had stayed, we would never be as successful as you are now.


CAROLE THERIAULT. Well, we are thrilled that you are here. But before we kick off, we must thank this week's sponsors, Bitwarden, Drata, and Kolide. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. Well, I'm going to be telling everybody why they shouldn't give up on Twitter.


CAROLE THERIAULT. God. Vanja, thank God you're here. What about you?


VANJA ŠVAJCER. Well, mine's not gonna be on Twitter. Mine's gonna be on some Web3 technologies that's called Interplanetary File System and its abuse.


CAROLE THERIAULT. Ooh, I think we're gonna learn something there. And I'm gonna talk about how iSpoof went poof. All this and much more coming up on this episode, very special episode of Smashing Security.


GRAHAM CLULEY. Well, chums, chums, celebratory chums, everybody. Isn't this a lovely little party what we're having? Episode 300. I don't know if it's as big a deal as 250 or not. 250 in some ways feels a little, I don't know, doesn't 250 feel a bit more special?


VANJA ŠVAJCER. Like a golden anniversary or whatever?


GRAHAM CLULEY. I don't know, Carole, if we can make more of a fuss until maybe episode 500. 500 feels like the next big one.


VANJA ŠVAJCER. How does it feel? Do you feel you're going to make it until 500?


CAROLE THERIAULT. I'm not sure at all. I think we should celebrate the bejesus out of this little baby.


GRAHAM CLULEY. Oh, okay. All right. Well, I mean, we could just check with Vanja Švajcer if he's free for episode 500 now.


VANJA ŠVAJCER. So that's going to be in about 4 years' time. So far so good.


CAROLE THERIAULT. Excellent.


GRAHAM CLULEY. Anyway, sorry. Let's get back on topic. Chums, I haven't been talking about Twitter very much. I mean, last week I barely mentioned it at all.

Previous 3 weeks, yes, I did mention it a fair amount. There's been a lot of drama on Twitter. And Vanja, I saw that you've joined Mastodon.


VANJA ŠVAJCER. Yes, I joined Mastodon. And in fact, I'm not a super early adopter and I don't want to just discard the old stuff as well.


GRAHAM CLULEY. You're conservative, you're careful.


VANJA ŠVAJCER. Exactly, very.


GRAHAM CLULEY. You don't want to leap in. You want to be cautious.


VANJA ŠVAJCER. And there's still quite a lot of information on Twitter going on, but I certainly, I'm not super happy with the way it's going so far.


GRAHAM CLULEY. Really? There's a lot of people who aren't happy and some people are saying, you know, hashtag delete Twitter, a bit like hashtag delete Facebook. And my message to all the listeners today is don't do that.

Don't delete your Twitter account.


CAROLE THERIAULT. Dun dun dun.


GRAHAM CLULEY. And I can think of two good reasons why you want to keep your Twitter account rather than zap it.


CAROLE THERIAULT. For posterity, if someone good comes along?


GRAHAM CLULEY. I mean, it's always possible that things will turn around. Maybe someone else will become the CEO of Twitter and fix all the problems, which are—


CAROLE THERIAULT. Mark Zuckerberg will come in on a white stallion.


VANJA ŠVAJCER. Big return of Jack Dorsey.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Yeah, Jack Dorsey comes back.


GRAHAM CLULEY. I heard a story the other day that maybe Elon Musk is planning to emulate OnlyFans. Maybe he's going to think, well, what we really need on Twitter is more pornography and adult content. And that's how I'm going to make money.


VANJA ŠVAJCER. I have to say that I don't get this verified account thing, €8 a month or $8 or something. I would never pay for it.


GRAHAM CLULEY. No, no, no. But anyway, so why should you remain on Twitter? Well, one obvious reason is when else and where else do you get the opportunities to see the richest man in the world burn his way through $44 billion in front of your eyes?

There's a wonderful sense of schadenfreude and, oh, isn't this terrific? Because when he initially made the offer for Twitter, you think he was just doing it on a whim. He didn't really want Twitter.

Then he's committed to giving $44 billion for it. He tried to back out of it.


CAROLE THERIAULT. Okay, so I just looked up how much he's worth. And currently it says 191.4 billion.


VANJA ŠVAJCER. So 44 is quite significant.


CAROLE THERIAULT. Yeah. It's not that bad. He's not going to be destitute if it all goes to crap.


GRAHAM CLULEY. Oh, not destitute. But I think Elon Musk is a narcissist. Elon Musk loves to be adored.

He's someone who loves the adoration. Everyone thinks he's fantastic. And of course he's had successful companies.

He's revolutionised electric vehicles. He's putting space rockets up in the air. You know, he's going to be helping NASA land on the moon and maybe going to Mars.

You know, people think that he's incredible.


VANJA ŠVAJCER. Anyone would not know that.


VANJA ŠVAJCER. It's quite an interesting management style that he adopted on Twitter.


CAROLE THERIAULT. But do you think he's done more for mankind than you have?


VANJA ŠVAJCER. Are we going back to the space elevator theme?


GRAHAM CLULEY. I'm not.


CAROLE THERIAULT. I'm just checking. I just want to know. I just— because you—


GRAHAM CLULEY. Why does it always have to be about me, Carole?


CAROLE THERIAULT. Well, because you're the one who keeps bringing it up every—


GRAHAM CLULEY. Well, no, no, I'm not bringing up me. I'm not saying that I've done more or less than Elon Musk. I'm—


VANJA ŠVAJCER. But surely Graham starting Smashing Security is almost as big as, yeah, starting it with Carole and—


GRAHAM CLULEY. And don't say that I started it, please. Let's not get that argument going again. Anyway, so I couldn't resist.

There is something fantastic going on in terms of here is someone who seems to have bought something on a whim. And then once he's got it, thinks, well, what the hell am I going to do with this? And he's making mistakes left, right and center. People are leaving. People are quitting. He's made some really bad business decisions. And you begin to think, oh, this man is not invulnerable. This man is not necessarily a genius.


CAROLE THERIAULT. Or maybe he is and you just can't understand because you're not as clever as him.


GRAHAM CLULEY. Oh, because it's four-dimensional chess. That's what you're saying.


CAROLE THERIAULT. That's right. It could be.


GRAHAM CLULEY. Anyway, so that's one reason to stay on Twitter. It's a bit rubbernecking when you see a car accident.


VANJA ŠVAJCER. But one of the things is, if you consider yourself leaving Twitter, isn't it also a little bit of a narcissistic move, thinking, oh, I'm so important, screw you, Elon Musk?


GRAHAM CLULEY. Well, no, I don't imagine that Elon Musk is going to be personally hurt if one of us deletes our Twitter account. I don't think he'd care about that.


VANJA ŠVAJCER. It's your own feeling. It's basically like doing your recycling every day, even if maybe the garbage is not recycled, but at least you feel good.


GRAHAM CLULEY. So you might want to stay on Twitter in order to, you know, watch the last days of Rome. You know, you may just be amused by that and think, I want to be here because it's interesting.

But there's another reason why you shouldn't delete your Twitter account. And that is because someone could hijack your account, not because of some security flaw. We talked about the risks maybe of having a privacy or security breach on Twitter because of all the security people that they've let go. I'm not thinking so much of that, but what I'm thinking is that if you just rashly think, well, I'm just going to delete my account and go to Mastodon and that's where I'm going to do my tooting from now on, then there is an issue. Because what happens is if your account gets deleted on Twitter, one of the things that Twitter does is it releases your account username, which means Vanja Švajcer, if you were to delete your account, @VanjaŠvajcer, yeah.

There you go. You're still desperate for followers. It means that at that point, once you've deleted it, someone else could come along and create another account in your precise name using your user ID.


CAROLE THERIAULT. That is the problem with Twitter, isn't it? The problem with Twitter is that everyone named their accounts after their names. On Reddit, you just call yourself Bumhead268 or something.


VANJA ŠVAJCER. But I would say Twitter is that as well. There are plenty of people with usernames and accounts around, which doesn't tell anything about who they really are.


CAROLE THERIAULT. Yeah, totally. But there are also people like Graham and me, and many, many of us, who have our names.


VANJA ŠVAJCER. I think we kind of went for it and I always do it, you know, whatever, you know, what could possibly go wrong? Yeah.


GRAHAM CLULEY. Especially if you're trying to communicate something or you're trying to spread news, it gives it a little bit more veracity, maybe authenticity, if you put your name up there. I mean, what would you suggest then, Carole? You think everyone should be bumhead65 or just a number?


CAROLE THERIAULT. I'm just thinking, based on your story, saying, oh, better hold on to it, someone could grab your name. It's kind of a shame that that's even part of it, right? Because your name, your username, shouldn't be the verification of the person.


VANJA ŠVAJCER. On Twitter, it's very easy to impersonate anybody, right? Because, you know, Vanja Švajcer underscore B.


CAROLE THERIAULT. Exactly.


GRAHAM CLULEY. Yeah, but Carole, if you had a big following, if you had not created Carole Theriault on Twitter, instead if you'd been mechanic artist or something.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. And you'd created a following and people followed you and trusted you or whatever. And then someone in the future stole that username because you deleted your account. Then those people would still think it was you tweeting. It doesn't matter if it's your actual name, because they would associate your postings with your username. So it doesn't matter if you're bumhead565.


CAROLE THERIAULT. What happens to my followers when I delete my account?


GRAHAM CLULEY. Oh, they die.


CAROLE THERIAULT. Well, presumably they no longer follow a deactivated or a deleted account. So you'd have to start up from zero.


VANJA ŠVAJCER. That's a good question.


CAROLE THERIAULT. So you'd look like a fake Elon Musk account.


GRAHAM CLULEY. I don't know. What I do know is that anyone who's @ed you in a previous message, when your account is deleted, those are no longer clickable. Presumably when that account becomes active again, they do become clickable again. And so people might see a message where you're being mentioned or retweeted or whatever, and it could link back to your account.


VANJA ŠVAJCER. So it's an easy takeover of somebody's account.


GRAHAM CLULEY. It is.


CAROLE THERIAULT. Can you walk me through the takeover bit just so I understand?


GRAHAM CLULEY. So let me explain exactly what happens. When you delete your Twitter account, it actually puts it into limbo for a while. It deactivates it first. Facebook does something similar.


CAROLE THERIAULT. But I don't mean it. Obviously I don't mean it. And I'm going to wake up from my mild insanity and reactivate it the next day.


GRAHAM CLULEY. You must have been drunk. You must have been on drugs. So they say, look, we'll put it into limbo for 30 days. And if you log in during those 30 days thinking, oh, I wonder if anyone's tweeted me, I wonder if I got a message, it will reactivate your account. Facebook does the same kind of thing. But if you leave it longer than 30 days untouched, then your account is properly deleted and your username is up for grabs. So anyone could grab it. And under Elon Musk's new world order, they could give themselves a verified checkmark, which isn't, of course, these days properly verified at all.


CAROLE THERIAULT. But they're not grabbing the history of that account as well. They're just grabbing the username, correct?


GRAHAM CLULEY. They're just grabbing the username.


CAROLE THERIAULT. Exactly.


GRAHAM CLULEY. But it has a certain cachet and it has no followers.


VANJA ŠVAJCER. Well, yeah, it may not have followers, but of course, give them a little bit of credit. I think they're making a change now to verifying the accounts and they're saying they will do more to try to verify that the account is really owned by somebody.


GRAHAM CLULEY. Yeah, I wonder how much effort they'll put into that and how many resources. I know he's now saying that they're going to have different coloured checkmarks for organisations and for government accounts and, you know, I mean, it's all been all over the place, hasn't it?


VANJA ŠVAJCER. Yep.


CAROLE THERIAULT. 4D chess.


GRAHAM CLULEY. But some celebrities have been deleting their accounts, of course. Whoopi Goldberg.


VANJA ŠVAJCER. Whoopi?


GRAHAM CLULEY. Yeah, Whoopi. Nuns on the Run. You know, Ghost, all those, or Guh-Host if you prefer. So, Wahoopee, she deleted—


CAROLE THERIAULT. Why are you doing that to her name?


GRAHAM CLULEY. Why am I doing what?


CAROLE THERIAULT. You don't know that her name is Whoopi Goldberg.


GRAHAM CLULEY. That's what I said, didn't I? Wahoopee Goldberg. What?


VANJA ŠVAJCER. And of course, Whoopi is Guinan on Star Trek: The Next Generation.


CAROLE THERIAULT. Yes.


VANJA ŠVAJCER. Great show.


GRAHAM CLULEY. Good, good, cool. She left Twitter on November 7th. She deleted her account. Two days later, Stephen Fry. Right? Stephen Fry, famous actor, national treasure in the UK, author, comedian, etc., etc., etc. Everyone knows who Stephen Fry is. He deleted his account on November 9th. If you try and go to their accounts— he switched over to Mastodon. If you go to his account now, you'll just see "this profile does not exist", which means it seems to me that after 30 days, someone could probably create accounts in the names of these people using their actual account name.


CAROLE THERIAULT. And all this is going to make Twitter more of a cesspit that people want to leave.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. So isn't that good?


GRAHAM CLULEY. Well, it's good as long as those people don't then use those accounts to cast aspersions or spread phishing attacks or something malicious or cryptocurrency scams or say something about how they love the Nazis.


CAROLE THERIAULT. I'm sure they will. I'm sure they will. And you know what?


VANJA ŠVAJCER. That's pretty common on Twitter.


CAROLE THERIAULT. Yes.


VANJA ŠVAJCER. At least it used to be.


CAROLE THERIAULT. Plus, that means we'll get loads and loads of content for stories in the future.


GRAHAM CLULEY. Well, Carole, you're just very selfish, aren't you?


CAROLE THERIAULT. Yes, I've been called that by you a lot, actually.


GRAHAM CLULEY. So if you want to leave Twitter, if you want to shut down your account, but don't want someone else taking it over and using your name, I have a suggestion. I read an article on Forbes by Davey Winder. All about what you should do rather than deleting your account. And what he says is you should— well, there's a few stages to this. What you should do is you should lock down your account instead. That way you keep the username so no one else can grab it. But you can also protect your tweets. You can delete your tweets, you can delete your direct messages, you can do all the rest manually. And well, there are some third-party tools as well if you want to help you do some of those things.


VANJA ŠVAJCER. So when you lock it down, you can't post or anything. You can just do some management of your account.


GRAHAM CLULEY. Well, you can choose not to post any longer, but also if you lock it down. So let me explain how to do it and what that actually means. So you go to your Twitter account settings, you look for the settings and privacy option, you select privacy and safety, and then audience and tagging, and you will see a toggle which says protect your tweets.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. So switch that over to protect your tweets. That means your tweets are only now visible to people who follow you, and you will have to manually approve any new followers. So no one else new can go there.

And once you've done that, you could, if you wanted, block all existing followers and delete all your tweets and your direct messages if you so chose.


CAROLE THERIAULT. Sounds like a lot more work than just deleting it.


GRAHAM CLULEY. Well, it's a lot better than someone taking over your account. Or imagine if you're a company brand and you think, oh, we'll just delete our account on Twitter because we don't want to be associated with all this unpleasantness that's going on.

And someone else comes along and damages your brand by grabbing your username. You don't want them to grab your username.

I mean, I think in some ways it makes sense that Twitter frees up usernames when people delete accounts because otherwise you could create a bot which just, you know, registered millions of accounts.


CAROLE THERIAULT. I'm sure that exists all the time. Yeah.


GRAHAM CLULEY. And they'd exist forever and ever, wouldn't they? So, I mean, in some ways it makes sense that they do get deleted after a certain time period.

But, you know, I think for those people who are choosing to move on or don't like Twitter anymore, don't just delete your account, lock it down instead. Delete your messages if you want. Turn on protection.


CAROLE THERIAULT. If you're worried about your username. You know, some people don't use their name as their username.


VANJA ŠVAJCER. Or you may just want to communicate with your friends or a smaller group of people.


GRAHAM CLULEY. I mean, you could create another account or something if you wanted to. But Carole, you represent Smashing Security.

Vanja doesn't. Vanja used to, but you've deserted us.


CAROLE THERIAULT. Well, you should be nicer to me then.


GRAHAM CLULEY. Well, I'm just saying maybe you need to think a little bit about your brand online.


CAROLE THERIAULT. I'm not worried about my brand online.


GRAHAM CLULEY. Oh, okay.


CAROLE THERIAULT. Yeah, thanks though.


VANJA ŠVAJCER. Your brand is very strong, Carole.


CAROLE THERIAULT. Thanks.


GRAHAM CLULEY. Vanja, what have you got for us?


VANJA ŠVAJCER. So what I've got is a part of the Web 3.0. I'm sure you're aware this is the third iteration of the web technology.


GRAHAM CLULEY. Yes.


VANJA ŠVAJCER. Super exciting, right?


GRAHAM CLULEY. Very exciting.


VANJA ŠVAJCER. Very exciting.


GRAHAM CLULEY. NFTs, blockchain, all that great stuff.


VANJA ŠVAJCER. All that. It's, you know, the second iteration was like, put yourself onto the web, make your own—


CAROLE THERIAULT. Create a blog.


VANJA ŠVAJCER. Yeah, you have your own content.


GRAHAM CLULEY. Create a Tumblr account. Yes.


VANJA ŠVAJCER. Yes. But it seems like the old idea of the web is that now all the content is concentrated and controlled by a small number of very powerful companies.

So the whole move is towards making everything more distributed.


GRAHAM CLULEY. Mm-hmm.


VANJA ŠVAJCER. Which includes distributing the content, distributing money through blockchain. So the blockchain is a technology and one of the fundamental technologies of Web 3.0 is the IPFS, which stands for Interplanetary File System.


GRAHAM CLULEY. Right now, now, Vanja, why is it called the Interplanetary File System? Is it really interplanetary?


VANJA ŠVAJCER. That's an interesting question, of course. And I actually tried to find out why it was called Interplanetary File System. And the only explanation I could find is that if you had, let's say, your colonies on Mars or Saturn, for example, and you had some content on Earth, sometimes in the future, then it would actually take quite a long time, you know, the kind of trip for the radio waves to come from Earth to Mars takes about 8 minutes or so. So, you know, if you requested a webpage. It would take at least at best time, like up to 16 minutes until the webpage responds in Web 2.0 technology.


CAROLE THERIAULT. Should we demonstrate it for our listeners?


GRAHAM CLULEY. Let's do that.


CAROLE THERIAULT. Hello.


VANJA ŠVAJCER. And wait. So if you had other colonists on Mars, of course, then they may already have requested that popular page to be loaded and they may store it on their own machines. And as a part of the Interplanetary File System, the way you access content is not by entering a URL, for example, to go to smashingsecurity.com, but you go, I'm searching for the first episode of smashingsecurity.com and it magically appears. You don't really know where it's coming from. You just have a unique ID of that episode and you're gonna say, I want that, right?


GRAHAM CLULEY. There is nothing magical about the first episode of Smashing Security.


CAROLE THERIAULT. Other than we started the show there.


VANJA ŠVAJCER. I'm sure many people will have it. I'm sure many people will have it in the interplanetary file system in 300 million years from now.


CAROLE THERIAULT. Hi guys, the future.


VANJA ŠVAJCER. So there is an obvious advantage of having this sort of ability to have decentralized content where you can have your file or your content, in fact, because you don't look at the file, you look at the content, your unique content, content ID. Stored in many different systems. It's kind of like a peer-to-peer network when you have a torrent and you try to download some movie, for example. And then pieces of torrent will come from different peers within the network. So that's kind of a, yeah, the ideal interplanetary file system, but it's commonly used to store NFTs. And I have noticed that you guys also have an NFT.


GRAHAM CLULEY. We have. Yeah. Mark Stockley created it.


VANJA ŠVAJCER. Yeah. Yes. And now it's, the price is pretty high. It's something like about 1 million Ethereum or something?


GRAHAM CLULEY. Yeah, it's about a trillion dollars or something now.


VANJA ŠVAJCER. Not too bad. Well, now it's about $100 million from the beginning of the year.


GRAHAM CLULEY. Oh yeah.


VANJA ŠVAJCER. Yeah. So the price went down a bit. It's not too bad. So of course it's one of the fundamental technologies of Web 3.0, and sooner or later you will have some bad people using it. And why do they use it? Well, they use it because it's actually very difficult to remove content from the Interplanetary File System.


GRAHAM CLULEY. Ah.


VANJA ŠVAJCER. So once it's there, it's there. If you want to upload a new version of the file, the content ID changes, but the old one still stays. And the version control, or the version object, knows that this is like an old version or a new version of the same thing. So you can imagine that you can put phishing toolkits, you can put malware on the Interplanetary File System, and it would actually be quite difficult to remove it. So it's kind of like a bulletproof hosting idea where, you know, you had hosts, hosted in various countries, where you could store your malicious content and it would be very difficult to remove it.


GRAHAM CLULEY. This sounds like a problem because if I were a cybercriminal or if I was a pedophile ring or something like that, I could put up some very nasty stuff on the internet, or at least on the interplanetary file system. And how are the authorities gonna ensure that it's all removed?


VANJA ŠVAJCER. Yeah, you have to basically, you can issue some command to remove the file, but that means that it has to be removed from every server that contains it. And that means that every owner of a server or the peer in the network needs to be able to allow that to happen. So you also have this concept of so-called pinning where you can pin content and you tell your IPFS system or the network not to delete that content.


CAROLE THERIAULT. So can I make sure I understand just by giving an analogy? So say I packed fruit for a living and I used to pack these fruit salads for people, right? I get apples from everywhere around the world. I cut up those apples and then I just take those cut apples and throw them into these dishes and distribute those. And say one of them was poisonous. And people started getting sick and I need to find where that apple bunch came from, bushel, whatever it's called.


GRAHAM CLULEY. A tree. A tree. I think apples come from a tree, Carole. Yes. Well done. Keep going. In fact, you're doing the cooking. Yeah.


CAROLE THERIAULT. Yeah. So how would I find that? It'd be very difficult to find the source because I've got so much distribution on both sides. Is it kind of like that?


VANJA ŠVAJCER. Yeah, I think it's very similar to that, because it's difficult to find the source, but you probably know who actually checked in the file, so perhaps they will be able to track that you checked in the file.


GRAHAM CLULEY. Yeah.


VANJA ŠVAJCER. But of course your ID can be a fake. You can, because when you install Interplanetary File System, you need to install specific software on your system. So you can use any username really.


CAROLE THERIAULT. Oh, you can't, you don't have to use your Twitter handle with your actual name?


VANJA ŠVAJCER. For example, no.


CAROLE THERIAULT. Oh, right. Interesting. Interesting.


VANJA ŠVAJCER. No, but it's kind of like, you need to know the content, right? The content ID is the most important thing, not the address of somebody or, you know, there's also another concept here, which is if you have a standard browser or you have a standard machine, that standard machine usually accesses content using HTTP, you know, the standard web protocol. And so, but your machine needs to be able to talk Interplanetary File System.


GRAHAM CLULEY. Mm-hmm.


VANJA ŠVAJCER. And so most of the machines don't do that. And in a similar way that you have gateways to the Tor network, you also have standard web gateways to the Interplanetary File System, right? Which is in a way a kind of a vulnerability for the bad guys, because the owners of those gateways can actually remove the listing for a particular file very easily. So even if that malicious file is on the Interplanetary File System, the way some other components access it is through the gateways. So it's very easy to break that chain. But, you know, our team, I, can I say I work for Cisco Talos?


CAROLE THERIAULT. Of course you can.


VANJA ŠVAJCER. It's a pretty nice group of people. And my colleague Edmund Brumaghin, he did this research on IPFS and he realized that actually there is quite a big increase in submissions of samples that are using IPFS for malicious purposes.


CAROLE THERIAULT. Huh.


VANJA ŠVAJCER. 300% over a period of last 6 months or so.


GRAHAM CLULEY. Oh, really? So this is cybercriminals doing phishing and malware campaigns? Yeah.


VANJA ŠVAJCER. Yeah. You've seen phishing campaigns using standard email social engineering techniques, and instead of having a link pointing to some standard content, they point towards the IPFS gateways.


CAROLE THERIAULT. Just a huge extra layer of complication for catch me if you can.


VANJA ŠVAJCER. Exactly. And it's like I said, it's quite difficult to remove something from IPFS. So the malicious content phishing toolkits usually remain on it.

So it's one of the things that we will learn and we need to start addressing, because now even some browsers like Brave are able to access Interplanetary File System using its own protocol. So not through gateways, using it directly.


CAROLE THERIAULT. Hmm.


VANJA ŠVAJCER. So we may even see an increase in bad guys trying to abuse IPFS.


GRAHAM CLULEY. And is there any challenge for web filtering security solutions when it comes to IPFS addresses? Will they just treat it as anything else?


VANJA ŠVAJCER. They can treat it as URL shorteners, for example. So you have a unique content ID, unique URL.

Actually, you can also have multiple gateways and every gateway has a slightly different addressing scheme for the IPFS. So perhaps for bad guys, if they can start using many of those gateways, it'll be more difficult to block just simply using a standard URL blocking technique.


GRAHAM CLULEY. But I'd imagine these URLs, if you do see one in your browser bar, it's going to look weird, isn't it? It's going to be like, where the hell is this going, it's not gonna look like you're going to Barclays Bank.


VANJA ŠVAJCER. Not at all. It's gonna look like IPF, for example, ipfs.io, and then a really long, long, long content identifier.


CAROLE THERIAULT. Mm-hmm.


VANJA ŠVAJCER. Which is like a cryptographic checksum of the content that you want to download.


GRAHAM CLULEY. Yeah.


VANJA ŠVAJCER. So yeah, it's immediately suspicious, but again, you can have a URL shortener which will redirect to your ipfs.io. You know, there are ways around it so it appears more legitimate.


CAROLE THERIAULT. So you have to get back to that hover over the link and look and see if you have a link shortener like we did 10 years ago.


GRAHAM CLULEY. Jeez.


VANJA ŠVAJCER. Yes, exactly. All good fun.

Anyway, it's quite possible we'll see more of this coming on. So people should be aware of the Interplanetary File System. It's very useful on the one hand, but like anything, it can also be misused.


GRAHAM CLULEY. Well, Vanja, it's been 6 years, but you've come back with an interesting story. So well done on that.


CAROLE THERIAULT. And cheered us up tremendously. Thank you very much.


VANJA ŠVAJCER. A really joyful story.


GRAHAM CLULEY. Yeah, yeah, jolly, very jolly.


VANJA ŠVAJCER. Always positive.


GRAHAM CLULEY. Carole, what have you got for us this week?


CAROLE THERIAULT. Okay, so this is interesting after following Vanja's story, but how hard would you say it is for the average computer user to completely hide their tracks online?


VANJA ŠVAJCER. It's very difficult.


GRAHAM CLULEY. It's quite difficult. There are tools which can certainly make it more difficult to track you, but yeah.


CAROLE THERIAULT. But the average user, right? Like a hardened cyber expert like the two of you might have an easier chance at doing it than your average user.


GRAHAM CLULEY. Mm-hmm.


VANJA ŠVAJCER. I do have to admit that I'm not very good in my operational security.


CAROLE THERIAULT. Oh, great. Yes.

Tell all our listeners that. Because I remember this story of, I think it was the whole Silk Road thing, but he was caught because on one occasion he forgot to turn on his VPN. And they were able then to tie it on Tor and one on in real life web.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Something like that.


GRAHAM CLULEY. Yeah. That, yeah. And they can associate the different accounts and maybe, yeah, that does seem to happen sometimes with cybercrims is they just simply forget to turn on their protection. And even if you're using a VPN, obviously there's a possibility you're using a VPN, which is logging some information about you.


VANJA ŠVAJCER. Exactly. I think most of those VPNs need to adhere to local laws and therefore a VPN is not really that private.


GRAHAM CLULEY. That's why I'm now using a VPN via the Interplanetary File System, myVPN.


VANJA ŠVAJCER. There you are, very easy.


GRAHAM CLULEY. It's based on Mars. Legislation doesn't reach there.


CAROLE THERIAULT. Thanks, Elon. So if you were a would-be criminal, you would want an approach that guarantees your anonymity, right? Ensuring that if the authorities got wind of the heist, they would not be able to finger you. You know what I mean? No?


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. And basically this comes back to what Vanja was talking about. And this is how sites like iSpoof.cc have come to be. Now with a name like that, iSpoof, what do you think they could be up to?


GRAHAM CLULEY. Oh, I, well—


CAROLE THERIAULT. It's an Apple product, of course.


GRAHAM CLULEY. Yeah, an Apple product. It has an I at the beginning. Yes.


CAROLE THERIAULT. So legit, legit. Yeah.


GRAHAM CLULEY. Maybe it's a special cover for an iPhone, which makes it look like an Android device or a Microsoft Zune. That's your spoof in another device. That'd be kind of cool. Yeah, that's a good one. So if you want to look cool, if you don't want people to think that, oh, you're just simply following Apple all the time. It's oh, well, actually, I've got the Galaxy S9 or something like that.


CAROLE THERIAULT. I've got a Microsoft phone.


GRAHAM CLULEY. Yeah, exactly.


VANJA ŠVAJCER. I get a Huawei.


CAROLE THERIAULT. Huawei. So getting miscreants interested in masking their phone number in order to hide their identity and protect their anonymity is iSpoof's game.


GRAHAM CLULEY. Ah, this is when you get a phone call from someone claiming to be an organisation, but they're not. So they— it's the caller ID that you're talking about that they're spoofing.


CAROLE THERIAULT. Right. And you, as a would-be criminal, would have perhaps learned about this type of service if you had taken to Telegram, the encrypted messaging service. And if you'd been flirting around ne'er-do-well channels, you might have seen adverts for iSpoof.


GRAHAM CLULEY. Ah.


VANJA ŠVAJCER. Mm-hmm.


CAROLE THERIAULT. iSpoof, until recently, was an underground website that sold these so-called spoofing services. So fraudsters would use these services to contact targets pretending to be trusted organizations like banks or tax offices or other official organizations. And the game is to trick the unsuspecting target victim into handing over sensitive information, including account credentials and ultimately moolah.


VANJA ŠVAJCER. You'll be surprised, this approach is very successful.


CAROLE THERIAULT. Yes, I've got some numbers which are staggering. So, you know, they would ring up an innocent punter and pretend to be a bank and say something like, "Hello, hello, hello, this is your friendly bank manager. I think we've got a problem here, gov."


GRAHAM CLULEY. I'd be suspicious at the friendly bank manager bit. That's the thing which would have my alarm bell ringing.


VANJA ŠVAJCER. I'm sure we all receive calls that are coming from our own country, and it seems like, you know, the caller is who knows where, actually.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Yeah, I'm always like, describe what's outside your window right now. That's my line. If you're in Manchester, tell me what you see.


GRAHAM CLULEY. What's the weather like?


CAROLE THERIAULT. Yeah, what's the weather like? Exactly. But the scam is not just a UK scam. Didn't just target UK victims. This was global. Check out these numbers. iSpoof was created in December 2020 and at its peak had 59,000 users.

Okay, these are the would-be criminals who paid up to $5,000 per month in Bitcoin to access iSpoof software.


GRAHAM CLULEY. $5,000 a month.


VANJA ŠVAJCER. Pretty decent revenue.


CAROLE THERIAULT. Yes, pretty decent revenue.


GRAHAM CLULEY. Wow.


CAROLE THERIAULT. According to the Met Police, between June '21 and '22, iSpoof was used to make 10 million fraudulent calls worldwide.


GRAHAM CLULEY. Wow.


CAROLE THERIAULT. Of these 10 million fraudulent calls made, 40 were in the US, 35 were in the UK, and the rest was spread across a number of countries.


GRAHAM CLULEY. Hang on, what? Only 45 calls were made in the US?


CAROLE THERIAULT. I'm sorry, I forgot a keyword of percent. Let me try that one more time.


GRAHAM CLULEY. Oh, right, okay.


CAROLE THERIAULT. So of the 10 million calls, 40% were in the United States, 35% were in the UK, and then the rest were spread across a number of countries.


GRAHAM CLULEY. Sorry to be pedantic.


CAROLE THERIAULT. No, no, that's an important— that's an important point. Thank you very much.


VANJA ŠVAJCER. I understood it immediately.


GRAHAM CLULEY. I thought maybe all the rest of them were happening in Belgium or something like that.


CAROLE THERIAULT. Europol reports that iSpoof caused approximately $120 million in losses, with the service operators raking in an estimated almost $4 million in just over a year. A lot of people say this number is very low.

At one point, as many as 20 people every minute were being targeted by callers using technology brought from the site. Okay? So this is not a small operation, right? And they were making some serious wonga here.


VANJA ŠVAJCER. So do they know what kind of scheme it was, or is just anybody was just using it and they had various types of, you know, do you want to buy some shares? Great investment, that kind of thing.


CAROLE THERIAULT. I don't know that, but I do know how the authorities uncovered it because how do we know all this? Well, according to Bleeping Computer, the Cybercrime Department of the Dutch police found the servers hosting iSpoof in a small town near Amsterdam during a bank help desk fraud investigation.

So they were going, oh, what is this? This led to a new investigation focusing on the service, which led to the discovery of the iSpoof operator location, or the main iSpoof operator's location in London. So they inform Scotland Yard, which start their own in-depth investigation into the suspect. Dutch cops place a tap on the servers to eavesdrop on the activities to get an idea of the scale of this whole scheme. And soon the UK police and Europol get involved with the Dutch police to map the whole criminal network, to basically make an obsession wall, which would be my dream.


GRAHAM CLULEY. How dare they?


VANJA ŠVAJCER. Have you noticed how Dutch police are— I really have a lot of ability to kind of spoof or kind of eavesdrop on some of those servers.


CAROLE THERIAULT. Yes, they do. It's incredible.


VANJA ŠVAJCER. It's often the case when you read some of the news stories.


CAROLE THERIAULT. Yeah. And this partnership, global partnership, allowed for the identification of many more criminals, some already known to one of the parties.

So you'd be going, hey, I know that's Bad Steve, right? That's Bad Steve. He's been operating in my neck of the woods.


GRAHAM CLULEY. Hey, that's Mickey Blue Eyes. Here's Johnny Fingers. We know him.


CAROLE THERIAULT. Yeah, Vanja Švajcer. Anyway, so earlier this month, the owner and mastermind of iSpoof was arrested on November 6th, and he was in East London. And the websites iSpoof.cc and iSpoof.me were seized.

So if you go there now, there's this big FBI notice on them. Two men, aged 19 and 22, believed to be the admins of the servers in the small town near Amsterdam, were also arrested. And the Dutch police underline they're now de-anonymizing more service users based on the evidence collected from the seized servers.

So it's a growing investigation. Last week, we hear this investigation has led to the arrest of 146 people. That's huge.

Wow. Over 100 of these were in the UK and arrested by the Met Police. So what's interesting here is they're not just going after the service provider iSpoof, the guys behind it, they're also going after users of iSpoof who are using it for criminal gain.


GRAHAM CLULEY. Yeah. So this is going to cause chaos for lots of cybercriminal gangs who've been spoofing their phone numbers and ringing up for fraud, isn't it?


CAROLE THERIAULT. Exactly.


VANJA ŠVAJCER. Yes.


GRAHAM CLULEY. I mean, this is marvelous.


CAROLE THERIAULT. And it comes at a very good time of year because if you just go type in scam now in any search engine and go to news, every single town in the entire Western world, it seems, is talking about watch out for scams on Black Friday. And this is going to carry on till Christmas now.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Two tiny last points. The Met Police, once they've done this arrest, reached out to the 70,000 people they believed to have been potential targets in this scam. And they did this via text late last week.


VANJA ŠVAJCER. Is it a special services text, not the standard SMS, but the one that can alert people? You know, how otherwise can you verify that this is the police, right?


GRAHAM CLULEY. Well, that's interesting. I think that that is the challenge, of course, because criminals could send message, couldn't they? Claiming, hello, we're the Met Police. Can you please log into this account and enter your bank details because we think you might have been defrauded? That's the fear.


CAROLE THERIAULT. That's exactly what people like BBC's Radio 4, you know, said to them. How do I know the text message is from the police? It's real. And the answer I saw on a law firm website said, okay, text message will only be sent on Thursday, the 24th of November and Friday, 25th of November. This is to raise awareness amongst those believed to be affected. Anyone who receives a text message after this date should disregard it in the event the campaign has been hijacked by scammers.


VANJA ŠVAJCER. Yeah, I guess the good way is to verify on the police website or give it as a news, send it as a news or whatever.


GRAHAM CLULEY. They've told people that they're only going to give them one link. So the link which they're going to tell people to click on is met.police.uk/elaborate. Is that right?


CAROLE THERIAULT. If you receive a text message from the Met Police, you will be invited to get in touch.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. The text message will ask victims to visit the Met's website. So is that the website you were just giving?


GRAHAM CLULEY. Yeah, metpolice.uk.


CAROLE THERIAULT. Yeah, yeah. To provide more details about their experience, the text message will not include a clickable link. Okay.

So on BBC Radio 4, the Met Police Commissioner Sir Mark Rowley acknowledged that it was slightly bizarre that potential fraud victims will now be contacted about the crime by text, but he encouraged people to go through the official police website if contacted. So he says, quote, "So don't respond to any texts with sort of dodgy shortcuts and things. Come through official websites is the best way of doing this."

And because they really want to hear from people, right? Because the people that they message for the next 24 hours have been victims of fraud or attempted fraud, and we can still stack all these offences against the people that they've been arresting. So it's really important they get in touch.


GRAHAM CLULEY. Yeah. Yeah, so they need victims to put a case together to properly clobber the people that they've arrested.

I mean, the police are stuck between a rock and a hard place here, aren't they? Because they've got the phone numbers of victims, they don't necessarily know their names and they need them to come forward. And it's, well, we could either phone them up or we could send text messages, but it sounds like they're trying to be careful to warn people about the danger of other cybercriminals exploiting this opportunity. The fact that they gave specific days, which are now in the past, because this was the end of last week.


CAROLE THERIAULT. So we'll see what happens because we're recording this a little bit earlier this week. So we'll see.

But I'm saving the best to last, okay? Because the Met Police have basically created a spoofed kind of fake ad mocking iSpoof's kind of privacy and services, and they've pushed this out on Telegram. Take a listen to this.


UNKNOWN. Welcome to iSpoof, the former number one spoofing service now controlled by international law enforcement. Use our service to tell worldwide police that you are a criminal.

If you want to spoof your caller ID to make spoof calls, the police are here to listen. All the evidence the police would ever need.

iSpoof was made by criminals for criminals. Watch all your personal details be stored on iSpoof server, ready for the police to find. Your email address, location, and you need to see it.


CAROLE THERIAULT. We'll put a link in the show notes.


GRAHAM CLULEY. It's hilarious, isn't it?


CAROLE THERIAULT. It's so good. It's so good.

So I think they're also enjoying this win that they've had because it seems that cooperation is the answer. Harmonious cooperation of talent and resources and not division is the answer. Who would have thought? Who would have thought?


GRAHAM CLULEY. Together we're stronger, aren't we? Just the three of us. Like the Three Musketeers. Let's hope no one ever leaves.


CAROLE THERIAULT. Together forever and never to part. Together forever with you.

Is your organisation finding it difficult to achieve compliance and scale its security posture? As G2's highest-rated cloud compliance software, Drata streamlines your SOC 2, your ISO 27001, your PCI DSS, your GDPR, and your HIPAA compliance. Plus, it provides 24-hour continuous control monitoring so you can focus on scaling securely.

Drata is the only compliance automation platform with a private tenant database. They say it's like having your cake and securing it too. Countless security professionals from companies including Notion, FullStory, and BambooHR have shared how crucial it is to have Drata as a trusted partner in their compliance process.

Listeners, you can get 10% off Drata and waived implementation fees by visiting smashingsecurity.com/drata. That's D-R-A-T-A. And thanks to Drata for sponsoring the show.


GRAHAM CLULEY. The challenge with endpoint security has always been that it's difficult to scale. And when remote work took over, that challenge got exponentially harder. You need visibility into your fleet of devices in order to meet security goals and reduce service desk tickets. But how do you get that visibility when different parts of your company run on Mac, Windows, and Linux?

Well, you get Kolide. Kolide is an endpoint security solution that gives IT teams a single dashboard for all devices, regardless of operating system. Kolide gives you real-time access to your fleet's data and can do things that traditional MDMs can't. And instead of installing intrusive agents or locking down devices, Kolide takes a user-focused approach that communicates security recommendations to your workers directly on Slack. You can answer every question you have about your fleet without intruding on your workforce. Visit kolide.com/smashing to find out how. If you follow that link, they'll hook you up with a goodie bag just for activating a free trial. That's k-o-l-i-d-e dot com slash smashing. And thanks to Kolide for supporting the show.


CAROLE THERIAULT. Bitwarden is an open-source, cross-platform password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing. Bitwarden offers enterprise-grade security, conducts regular third-party security audits, and is compliant with Privacy Shield, HIPAA, GDPR, CCPA, SOC 2 and SOC 3 security standards.

This is pretty slick stuff. You can get started with a free trial of a Teams or Enterprise plan at bitwarden.com/smashing. That's bitwarden.com/smashing. Or you can try it for free across devices as an individual user. That's bitwarden.com/smashing. And massive thank you to Bitwarden for sponsoring the show.


GRAHAM CLULEY. And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. For the 300th time, Pick of the Week.


VANJA ŠVAJCER. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, my pick of the week this week is a bit security related. Not computer security related.


VANJA ŠVAJCER. Oh, I'm looking forward to that.


GRAHAM CLULEY. It's more sort of espionage, that sort of thing. So I have stumbled—


VANJA ŠVAJCER. Threat intelligence.


GRAHAM CLULEY. Well, no, not really. Well, anyway, I have stumbled across a web page and a video which has been put together by the International Spy Museum, which is very interesting. They've got a number of exhibits. You can go and visit the museum in real life and check it out. And this particular exhibit is completely nuts.

Nuts. It is what we— Oh, I've just clicked on your link.


CAROLE THERIAULT. Yeah. Do you want me to say what I— what just— what the first thing that's come up?


VANJA ŠVAJCER. I think I've seen it as well.


GRAHAM CLULEY. Say what you see. Say what you see, Carole.


CAROLE THERIAULT. It says scrotum concealment, 1960s to 1970s.


VANJA ŠVAJCER. So nuts, nuts.


CAROLE THERIAULT. Yeah, there's a large picture here of what looks—


VANJA ŠVAJCER. Suspiciously like?


CAROLE THERIAULT. Suspiciously like a plasticated version of a very realistic sack.


GRAHAM CLULEY. Yes, it doesn't have the other bit, does it? It's only got the Brussels sprout.


CAROLE THERIAULT. It has a lot of poops. It has little poops coming out of it.


GRAHAM CLULEY. Yes, it does. So this is a device which was put together by spies at the CIA because they thought, what we need to do is if we've got an agent who gets captured, we might want them to conceal about their person a tiny little radio to help with their escape so they can communicate with us. But where can we put it? Because if someone is captured, they might have all their clothes taken off, they'll be searched to find something.

And what they've done is they've created this little pouch which looks like a couple of, well, looks like your scrotum. Scrotum, which you could wear over your real scrotum, and there is room inside it to hide a miniaturised radio. Now, where the aerial goes, I've got no idea.


CAROLE THERIAULT. What about your real ones? Where are your real— Well, you just—


GRAHAM CLULEY. Carole, testicles come in different shapes and sizes, right? So if you had particularly dangly ones, or if this was dangly, then maybe they'd just think, well, he's got rather large balls, hasn't he?


CAROLE THERIAULT. He's walking with a particularly— Are we going back to sitting on Yes, it's an invitingly large, wide stance, isn't it?


GRAHAM CLULEY. Well, anyway, I think this is roving gene. So apparently it's never been used in the field.


VANJA ŠVAJCER. I wonder why.


CAROLE THERIAULT. Can I say this item, this item in this picture?


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Okay. I don't know if it's to scale, but it looks as though it's about an inch and a quarter across and about 2.5 inches long. Right. And I don't know.


GRAHAM CLULEY. What, the radio or the—


CAROLE THERIAULT. Yeah. And that radio goes into these fake testicles, which then are mounted upon or on top of your real ones.


GRAHAM CLULEY. There's a video as well, Carole, if you want to check out the video.


CAROLE THERIAULT. Oh, great.


GRAHAM CLULEY. Yes. And you can see the, you can see one of the custodians of the museum describing the item.


VANJA ŠVAJCER. The object of intrigue.


GRAHAM CLULEY. Anyway, so I think this is rather interesting. I think it's quite ingenious. I love when people think outside of the box, as it were. As it were.

And that is why the CIA's scrotum concealment device and miniature radio is my pick of the week.


VANJA ŠVAJCER. This is a perfect pick of the week for 300 episodes.


GRAHAM CLULEY. Thank you very much, Vanja.


CAROLE THERIAULT. Do you know that I just tried to watch the video while you were talking, and it says this video is age-restricted and will only be available on YouTube.


VANJA ŠVAJCER. Ah, there you are.


CAROLE THERIAULT. Funny.


GRAHAM CLULEY. Vanja, what's your pick of the week?


VANJA ŠVAJCER. Not nearly as good as yours. I actually had quite a few pick of the weeks, but then decided to go for a standard documentary that I watched the other week, actually the week before.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. Ooh, we like documentaries.


VANJA ŠVAJCER. And the documentary, it's streaming on Netflix and it's called Blitzed. I don't know if you guys saw that.


GRAHAM CLULEY. No, I haven't seen it. What's it about?


VANJA ŠVAJCER. It's a documentary about a group of people, in fact, musicians and DJs and people who were very, very fashion aware, let's say. At the end of the '70s, you know, when punk stopped and there was a bit of a question, what's gonna be next? What's the next big thing?

So there are a few people and two of them, Steve Strange and Rusty Egan, who had punk bands before, decided they wanted to have a club for people just to feel themselves, you know.


GRAHAM CLULEY. Just a club for people to feel themselves.


VANJA ŠVAJCER. Exactly, to feel being themselves.


GRAHAM CLULEY. Do you need to go to a club to do that or could you just stay in the privacy of your bedroom?


VANJA ŠVAJCER. These days, you know, when that happened, you know, that's 1979 or something.


GRAHAM CLULEY. Okay.


VANJA ŠVAJCER. It was after the—you know, I think Margaret Thatcher, has she already been?


GRAHAM CLULEY. Yeah, she became Prime Minister in '79, yes.


VANJA ŠVAJCER. But exactly, so you know, it's pretty bad time for London. So the club is in London.

So the people Boy George, Marilyn, Gary Kemp, they were all part of the scene. And that scene basically originated from one of our famous artists, David Bowie.

They really loved him because when he first appeared on the show, on the Top of the Pops or something. He was one of the first artists to look different.

And so, you know, all these glam dresses, looking different. And so it kickstarted this move, which they traced to punk.

But then from punk, there was something, you know, what's going to be next? And so when I was a kid, the big thing was this New Romantic movement.

So these guys are actually all from working-class backgrounds, very low-key, low-budget, because there's a very difficult economic situation in London at the time. So they found this club called Blitz and it becomes one of the centers of the social scene, the fashion scene, the gay, you know, LGBT scene, all this stuff happens and it kickstarts the New Romantic movement essentially.

And this is where Spandau Ballet started and played their first gig. So it follows all these protagonists, Steve Strange, Rusty Egan, and Boy George.

So they're basically talking about what happened and how the club, which only lasted for two years, became super popular and famous so that eventually even David Bowie came to visit the club. And they were all crazy for him.

And it was very famous because it rejected people if they haven't dressed properly. You need to be really flamboyantly dressed to get in, right?

That'd be perfect for me. Exactly, that would be your Cruella de Vil.


CAROLE THERIAULT. Exactly.


VANJA ŠVAJCER. And famously, they rejected Mick Jagger when he came to get into the club because he wasn't properly dressed, I'm afraid.


GRAHAM CLULEY. Quite right too.


CAROLE THERIAULT. Yeah, no, it looks fascinating. I was just looking and it doesn't seem to be on Netflix in the UK.


VANJA ŠVAJCER. Interesting.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. It's not. I've just looked as well.

So you can't stream it for free in the UK. But I think you could—there are other subscription services where you might be able to get hold of it.

But we're putting some links to more information about the movie for people who can't watch it.


CAROLE THERIAULT. Fantastic pick of the week, Graham. Vanja.


GRAHAM CLULEY. Yes. Well done, Graham.

No, you just want to say mine again. Yeah, I understand.


VANJA ŠVAJCER. Yes. You, whatever, whatever your name is.


CAROLE THERIAULT. I don't know why I get you. I think I've known you both about the same length of time.

So as soon as you guys are together, I just want to call you Van Ham or something.


GRAHAM CLULEY. Carole, what's your pick of the week?


CAROLE THERIAULT. I have a great pick of the week too, I think, because I know you're both fans of Bob Dylan. Have you got a favorite tune?


VANJA ŠVAJCER. Yes.


GRAHAM CLULEY. Well, Temporary Like Achilles. I love the Blood on the Tracks album.

I think that's—but I mean, there's different eras of Bob Dylan. That's the interesting thing.


VANJA ŠVAJCER. My favorite is Blonde on Blonde.


CAROLE THERIAULT. Yeah. Interesting.

Well, he's still going strong, right? 79 years old, still going strong in the music industry.

And even in the book industry, because last month, Simon & Schuster, Dylan's publishers, advertised a limited edition, hand-signed copy of the musician's new collection of essays for $600 each.


VANJA ŠVAJCER. Wow.


GRAHAM CLULEY. So you're paying for the autograph. That's it.

I mean, presumably the book is available cheaper.


CAROLE THERIAULT. Well, apparently his autograph normally goes— so if he's signed something, those kind of items can go for $1,500 to $2,000. So this is a real deal.


VANJA ŠVAJCER. Decent investment.


CAROLE THERIAULT. So last week, people started to receive The Philosophy of Modern Song, Dylan's first collection of writings since he won the Nobel Prize in Literature in 2016.


GRAHAM CLULEY. Philosophy of Modern Song.


CAROLE THERIAULT. Why were you laughing? What? Again, probably a bit Radio 4-ish for you. And this is said to be a series of rhapsodic observations on what gives great songs their power to fascinate us. I think it sounds fascinating.


GRAHAM CLULEY. Okay, okay.


CAROLE THERIAULT. And the signed copy came with a letter of authenticity signed by Jonathan Karp, Simon & Schuster's chief exec. And 900 of these signed puppies went out.


GRAHAM CLULEY. They weren't actually puppies, were they? They didn't sign— Bob Dylan hasn't been signing puppies. Just for clarity and for legal reasons, we should stress that isn't actually true.


CAROLE THERIAULT. No, but that was exactly the problem. It seems that maybe Bob Dylan didn't sign any of them. Karp's signature looked more legit than Bob's, and it took hundreds of fans to sleuth out the book had not in actual fact been signed by Dylan at all.

So Justin Steffman, he's a professional authenticator. He runs a Facebook group for collectors, he said the autograph was most likely created by an auto pen. And he said this in the New York Times, which is the New York Times article that is my pick of the week.


VANJA ŠVAJCER. Is it because all of them are completely the same?


CAROLE THERIAULT. Well, he says handwritten penmanship normally has a flow, but with a pen machine, it goes from point to point, adding that the beginning and the end points of each stroke apply more pressure to the page. And Dylan's autograph in the new book also appears to have a slight shakiness throughout the signature.

They started popping up. Everyone received the book on the same day, and it was instant. They all realized it was an auto pen. More and more people shared their copies, and they put it all together.

Last Sunday, Simon & Schuster issued a public statement that offered few details but acknowledged that Dylan's signature had been rendered in a pen replica form, they called it— in a pen replica form. And the publisher said it would give buyers an immediate refund. So embarrassing, right?


VANJA ŠVAJCER. PR disaster.


GRAHAM CLULEY. But you know what? They might now be even more collectible because they won't produce any more of these, presumably.


CAROLE THERIAULT. I have the fake autograph.


VANJA ŠVAJCER. That's a good thing in that they're going to be quite cheap at the beginning, but later, you know, 100 years from now, yeah.


GRAHAM CLULEY. Yeah. Didn't Donald Rumsfeld get in trouble with one of these autographing machines once? Wasn't he caught out because he was writing letters to relatives of military personnel who died in conflict? And obviously he had to sign quite a few of them at certain points in his tenure. And someone said, hang on, you're using a machine. You're trying to make this all personal. But I think he was doing that.


VANJA ŠVAJCER. I was saying that's what happens when you get your letter or something signed by the CEO of a company.


GRAHAM CLULEY. Oh well, probably happens too, doesn't it? But if you're Bob Dylan, you certainly don't want to sign hundreds of books, do you? What the hell, right?


CAROLE THERIAULT. Just don't say it's a signature then.


GRAHAM CLULEY. Well, I agree.


CAROLE THERIAULT. I think I can paraphrase one of his songs. It's all right, Ma, I'm only stealing. That's what I think. Bring it all back home.


GRAHAM CLULEY. That's very good.


VANJA ŠVAJCER. Poor Bob Dylan.


CAROLE THERIAULT. My pick of the week, a New York Times article called Bob Dylan Gets All Tangled Up in Book Autograph Controversy by Remy Turiello.


GRAHAM CLULEY. That just about wraps it up for 300 episodes of Smashing Security.


CAROLE THERIAULT. Woo! We made it.


VANJA ŠVAJCER. And we agreed that in 200 episodes we—


GRAHAM CLULEY. You're going to be back again.


CAROLE THERIAULT. Maybe earlier if I have my way about it.


GRAHAM CLULEY. Vanja, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to find out what you're doing? Is it on the interplanetary file system?


VANJA ŠVAJCER. I can't say now that it's Twitter, although you can still follow me on Twitter, but on the Mastodon @vanjaš.


GRAHAM CLULEY. And you can find Smashing Security's Mastodon account at smashingsecurity.com/mastodon, or you can still follow us at the moment on Twitter @smashinsecurity, no G, Twitter won't allow us to have a G. And you can look up the Smashing Security subreddit on Reddit. And finally, you can ensure you never miss another episode by following Smashing Security in your favorite podcast app.


CAROLE THERIAULT. It's certainly not finally, because we have to thank this episode's sponsors, Kolide, Bitwarden, and Drata. And of course, to our wonderful Patreon community. You got us here to 300. Thanks to all of you. This show is free for everyone. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 299 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time in episode 301. Cheerio. Bye-bye.


CAROLE THERIAULT. Bye.


GRAHAM CLULEY. Woo.


VANJA ŠVAJCER. Bye.


GRAHAM CLULEY. The old days, but without the video.


CAROLE THERIAULT. Yes, thank God, that was so dumb.


VANJA ŠVAJCER. The video was also good. The video was unnerving. And also that you have to go almost live.


GRAHAM CLULEY. Yeah, no editing. Not that we ever edit the show at all, of course.


VANJA ŠVAJCER. Of course, of course.


CAROLE THERIAULT. Listeners, Carole here on behalf of Graham and me. I've just finished editing the second half of our 300th show. And you know, I'm kind of proud. I just want to say a huge, massive thank you for listening to us, especially those of you that have been with us from the beginning. And those of you that joined us midway through but went back to the start to listen. And let's not forget our incredible Patreon community and sponsors that help make this show possible. And as Graham said, if you like the show, please let us know. A review is fantastic. Not only does it help other people find us, it even makes Graham grumble a little less, which I am incredibly grateful for. We love you. We thank you.


GRAHAM CLULEY. And—


CAROLE THERIAULT. And here's to 300 more.


GRAHAM CLULEY. I can't believe, Carole, you'd add a bit at the end without telling me.
