334: Acoustic attacks, and the tears of a crypto rapper

Razzlekhan, the self-proclaimed Crocodile of Wall Street, pleads guilty to the biggest crypto laundering scheme in history, and just how safe are you typing while on a Zoom call?

Meanwhile, Graham rants about public EV chargers.

All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:

Sponsored by:

  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
  • ClearVPN – Hide your IP address, browse without geo-restrictions, and stay private online with a 30 day free trial of its premium plan.

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Privacy & Opt-Out: https://redcircle.com/privacy

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


CAROLE THERIAULT. Why didn't you just go up to the main floor and do your business and then come back down?


GRAHAM CLULEY. Oh, well, Carole, you weren't there, right? If you're going to jump in with sensible suggestions at this point, it's too late.


CAROLE THERIAULT. I can't believe I've ever taken any advice from you in my life.


UNKNOWN. Smashing Security, Episode 334: Acoustic Attacks and the Tears of a Crypto Rapper with Carole Theriault and Graham Cluley.


GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security, Episode 334. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. Carole, great to have you with us once again, despite being on pastures far away. Still on your secret assignment?


CAROLE THERIAULT. Yes, I am still on my secret mission.


GRAHAM CLULEY. But the podcast stops for nothing.


CAROLE THERIAULT. Well, that was a bad decision, I think. But how about we get this show on the road and get back to our summer lifestyle?

Before we kick off, let's thank this week's wonderful sponsors, Kolide and ClearVPN. It's their support that helps us give you this show for free.

Now, coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. TikTok tap tap tap.


CAROLE THERIAULT. Okay, that reveals nothing. And I'm going to tell you a tale about the tears of a rapper.

All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Tears of a rapper. Now, Chum Chum.


CAROLE THERIAULT. Yes, yes.


GRAHAM CLULEY. Have you ever been on a really boring work conference call? I wonder.


CAROLE THERIAULT. Oh no, no, no, no, no.


GRAHAM CLULEY. Never?


CAROLE THERIAULT. They are riveting.


GRAHAM CLULEY. All of them wonderful.


CAROLE THERIAULT. I look forward to them so much. Most people now whose life has moved to online Zooming and all this, it is a joy, don't you think?


GRAHAM CLULEY. Absolute joy. I love nothing more than the feeling of having my eyelids propped open on matchsticks and pretending to pay attention.

Because you sometimes get on these calls, but I remember being on calls in the past, which were literally all day with a great big team, and you'd be there and you just had to listen, waiting for your name to be mentioned and then, oh God, oh God, oh no. And it'd be terrible if they mentioned your name at the end of the question rather than, Graham, I wonder if I could ask you, if they say blah, blah, blah, blah, blah, blah, is that right, Graham?

And it's, what? I don't know.


CAROLE THERIAULT. This is why that invention, the Suitsy, was so glorious because it gave you the appearance of wearing a suit when that was something pre-COVID, but it was actually a baby's, you know, whatever, baby's little thing.


GRAHAM CLULEY. So it's pretty bad, isn't it? And it is worse when it's on video because you have to appear as though you're listening rather than simply keeping an ear open for your name.

I don't know if you've heard about this. There's this new technology Nvidia Eye Contact.

So the guys at Nvidia have, they can now give you AI-powered eyeballs to ensure that you're always looking at the screen. So rather than, you know.


CAROLE THERIAULT. What do you mean AI-powered eyeballs?


GRAHAM CLULEY. So they change the video stream so that you appear to be looking down the webcam all the time rather than, you know, scratching your crotch or looking under the table or, you know, looking at your other screen where maybe you're playing Patience.


CAROLE THERIAULT. What, just the eyes stay there floating? As your head kind of bobs down to tie up your shoe.


GRAHAM CLULEY. Well, no, maybe not quite that. Maybe not quite that. But they certainly give the appearance that you have perfect Zoom etiquette because you are looking down the camera all the time. It's all being done by technology.

Inevitably, if you are on a dull conference call and your colleagues are on it too, if your boss— it's normally the bosses who love to talk, isn't it? It's normally them who just go on and on and on and on. Talking about something extremely tedious or making a sexist comment. And, you know, they're just— suddenly you wake up from your slumber and you IM your other pals on the call saying, "Did you hear what that idiot just said?" So you make it— this is what I do.


CAROLE THERIAULT. You were silly to do that because of course you were doing that on the company's systems. You're a lame-o.


GRAHAM CLULEY. But people do it, don't they? People might— or people might have a, you know, have their AOL chat or whatever, ICQ. They may have their own little private channel. They may even be using Signal, who knows, where they're just chatting to their buddies saying, oh my God, can you believe that? Or, you know, your bit's coming up or whatever it is.


CAROLE THERIAULT. Yeah, like having a little private— I did this all the time. I once, my job was to try and make my favorite colleagues spew as they drank their tea. So trying to time, because I could see them on the video about to take a sip of hot tea. And then I would send them an outrageous text message or IM that would pop up on their screen. And then I would watch them almost turn and spill. And that was my fun during those boring, boring conferences.


GRAHAM CLULEY. Or put them off while they're actually talking by sending them something highly inappropriate. So, well, Carole, take heed, beware, because some boffins at British universities have revealed that they have had success in stealing data from the sound of keyboard keystrokes. In other words, if you are on a conference call and you are typing to your buddies, it is feasible that people could actually find out what you are typing, whether you're using Signal or IM or ICQ or Telegram or whatever it may be.


CAROLE THERIAULT. Okay. I feel like we've flirted around, researchers have flirted around this area before.


GRAHAM CLULEY. They've done other things.


CAROLE THERIAULT. A number of years.


GRAHAM CLULEY. Yeah. There've been other things which have been done, astonishing number of different ways of stealing information. We did speak, for instance, about the reflection of your screen in your eyeball as you appear on video conferencing and how researchers were able to steal information if you had a good enough quality webcam from the reflection in your screen. There have been plenty of other ones as well. There have been ones where people have actually been able to gather data by watching the vibrations on the window. So they might be able to hear the conversations which are going on. Oh, all kinds of things.

But this, of course, is something that we all do all the time. We're all using Zoom, we're all using Skype, we're all speaking to each other. And these boffins at British universities, they're not just having some success in stealing data from the sound of keyboard keystrokes. They reckon that with their deep learning model, which can steal data from these keystrokes recorded with a microphone, they have an accuracy rate of 95%. And is this any keyboard, or is this you have to use the proprietary keyboard as designed by the researchers? Any keyboard, including touch keyboards, not just the clackety-clack keyboards, other keyboards as well.


CAROLE THERIAULT. Shut up.


GRAHAM CLULEY. For real. This means 95%.


CAROLE THERIAULT. I can't even have a chat affair anymore.


GRAHAM CLULEY. This means 95% accuracy, so 1 in every 20 characters will be incorrect. Only one in twenty. So your passwords, your private discussions, your messages, other sensitive information can all be leaked to a malicious third party using this method. And they say that it's likely to be even simpler now because of just how many devices have microphones in them capable of high-quality audio capture, because everyone's computer's got a microphone, everyone's phone has got a microphone.

People have got smart devices left, right, and centre. It's possible you've got a watch which has a microphone in it as well. All kinds of devices now have this.


CAROLE THERIAULT. Home assistants, all that.


GRAHAM CLULEY. Yeah, exactly. So let me tell you how it works. The first step of the attack is to record keystrokes on the target's keyboard, as that data is then used to train the prediction algorithm.


CAROLE THERIAULT. So why not just install a keylogger at this point now?


GRAHAM CLULEY. Well, you need the sound as well.


CAROLE THERIAULT. When you say record, you mean audio record, have a microphone near the person who's typing away? Yeah. Yeah. Okay. Okay. Sorry.


GRAHAM CLULEY. Sorry. Sorry. Was that not clear? Yes, of course. So it's not normal sort of keyboard logging. This is keyboard recording. It's the audio recording.

So it could be on a Zoom call. It could be on Google Chat or whatever they call it and all those other things. So it can all be grabbed via a nearby microphone, which could be the microphone on the user's phone.

It could be the microphone on the desktop computer, and that might have been infected by malware that has access to microphone. Or as I just said, it can be recorded through a Zoom call. So you could have someone who really wants to know what you're writing during meetings, Carole.

They have a Zoom call with you and they can then record you as you type. It may be someone from HR wanting to know what you've been messaging someone else in the company during these very important company meetings. And so HR say, "Hey, we've just got a little Zoom call with you, la la la la. We'd like you to fill in an online form. Here's the link."

And it asks you to type in various things, name, et cetera, et cetera. It's not asking for passwords necessarily. They're asking you to complete a survey while they have the Zoom call. And that way they learn what your keyboard sounds like, and they then put that into the deep learning model to train up their algorithm.

So it's like, this is how Carole's keyboard sounds.


CAROLE THERIAULT. When she's typing at it.


GRAHAM CLULEY. Yeah. And from that, because the recordings produce audio waveforms and spectrograms, I love that word, to train their system. And like I said, 95% accuracy.

That's 95% accuracy if it's done via smartphone, 93% from Zoom. Skype is a bit lousier at audio capture than Zoom, a feeble 91.7% accuracy, but still, let's face it, still pretty good via Skype as well.


CAROLE THERIAULT. I've just thought of a way to try and get around this.


GRAHAM CLULEY. Brilliant. Let's hear it.


CAROLE THERIAULT. Just play loads of audio of keyboard clacking of previous, of other people keyboard clacking all around to try and obfuscate, you know, needle in the haystack type thing.


GRAHAM CLULEY. Oh, Carole.


CAROLE THERIAULT. But if it's AI empowered, I'm sure they'll be able to figure out that pattern in no time flat. We're doomed.


GRAHAM CLULEY. Carole, you're a genius. You're a genius because the researchers who came from Durham University, University of Surrey and Royal Holloway, one of the techniques, one of the mitigations they came up with was exactly what you suggested.


CAROLE THERIAULT. Well, there you go. Give me a degree.


GRAHAM CLULEY. Play random keyboard noises. The only problem was that they thought that random keyboard noises may be a little bit annoying, maybe somewhat distracting. So they said that it could be a little bit annoying if you have to have click. And of course, it may raise suspicions as to what's going on at your end if you would hear clack, clack, clack, clack, click, click, clack, click, click, clack while you're on your Zoom call.

So they had some other ideas. One was to mix the sound in. One was to play fake white noise, but apparently that's easier to remove than the fake keystroke noise. Another idea they had as a defense was that they could warp the audio whenever it detected a key press. So the audio could go, "You could be talking like this." What? Every time you do a keystroke to hide the keystroke.

So, other tips which they gave. One is check a room for microphones, they said. They suggest removing all smartphones, smartwatches, laptops, webcams, smart speakers from the room. I don't know why they didn't mention computers. I don't think that's very practical. If you're going to be on a Zoom call, you're going to have some kind of device there, aren't you, with a microphone? Otherwise you can't take part in the bloody— bloody students! These researchers who've come up with this research, it's a pathetic idea.

Another idea they had was mute your microphone every time you type something. Like, that won't be suspicious.


CAROLE THERIAULT. Or— It's not about suspicion. You'd be saying, I'm being extra vigilant.


GRAHAM CLULEY. Well, yeah, but sometimes it might be people in the workplace who are wondering what you're typing to each other. They also say, why not not type during the call? Well, that's bloody genius, isn't it? Don't type anything. But sometimes you need to type something. You need to log into something to check something out.


CAROLE THERIAULT. Well, no, no, it doesn't matter really, if you're typing. I guess it becomes interesting when it becomes sensitive information.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. As opposed to rando, you know.


GRAHAM CLULEY. But sometimes it is. I mean, sometimes I've been on calls and people say, oh, could you just give me details that. And I'm thinking, well I'll have to log in to my blah blah blah to look that up. And so I just say hang on a moment. Tick tock. And that isn't my actual password. And I mean, and you know, and it may have been revealed.


CAROLE THERIAULT. Okay. We just have to start talking every time we're typing, humming. Or scatting. Let's scat. Scat to obfuscate. That would be fun.


GRAHAM CLULEY. Ah, the scatological defense. Brilliant.


CAROLE THERIAULT. Irritating to your coworkers.


GRAHAM CLULEY. Why not? Trust you to come up with that solution.


CAROLE THERIAULT. It's brilliant.


GRAHAM CLULEY. Carole, what's your topic for us this week?


CAROLE THERIAULT. Okay, this is a bit of a big story because it spans a whole 7 years.


GRAHAM CLULEY. Oh, okay.


CAROLE THERIAULT. And we're going to start at the beginning.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. So we are in August 2016, and in 2016, in hot August, a Hong Kong-based bitcoin outfit called Bitfinex— this is where customers store their virtual currency, their bitcoins— and Bitfinex suffered massive hack. Okay, so massive losses as a result of this. No way. They said they had a total of 120,000 bitcoin taken by a hacker.


GRAHAM CLULEY. Wow, that's quite a lot of cash.


CAROLE THERIAULT. It's huge. Yeah, that's quite a lot of cash. When I started writing this story, I was doing all the, you know, the conversions, but of course conversions over a period of 7 years is ridiculous. So we're going to try and talk in bitcoin.


GRAHAM CLULEY. Okay, okay.


CAROLE THERIAULT. So 120,000 bitcoin, we know that's a lot of wonga. Yes.


GRAHAM CLULEY. And they did this by initiating more 2,000 unauthorized transactions.


CAROLE THERIAULT. And what was— I mean, that's big in itself. That's huge. But what would Bitfinex do, right? So they in August made another announcement in August 2016. They said that the impact of this hack, this huge loss, was going to be shared across the site's customers.


GRAHAM CLULEY. Oh, that seems very reasonable, very democratic of them.


CAROLE THERIAULT. It's very interesting though. So effectively, it was a way to socialize the losses. So in a statement on its website, Bitfinex said, we have decided to generalize losses across all accounts. So at the time, they reported in a statement, upon logging into the platform, customers will see that they have experienced a generalized loss percentage of 36%.


GRAHAM CLULEY. Wow.


CAROLE THERIAULT. That's huge, right?


GRAHAM CLULEY. That feels like—


CAROLE THERIAULT. Imagine that. I know it's a first-world problem for most, but still.


GRAHAM CLULEY. It feels quite tough, doesn't it? Whereas you would normally expect the organization which had actually suffered the security breach maybe to say, OK, well, we're going to have to cover that ourselves, seeing as we appear to have lost all of this digital cash.


CAROLE THERIAULT. You know, I think the customer was in a rock and a hard place because they probably wouldn't have got the money back anyway.


GRAHAM CLULEY. No.


CAROLE THERIAULT. Right. And or they would have defaulted and gone bust and there'd be no recourse.


GRAHAM CLULEY. So not everyone's account got plundered.


CAROLE THERIAULT. Well, they did have an interesting plan, though. So they said there's going to be a generalized loss of 36% across all accounts. But it said, worry not, they were going to receive a BFX token equal to their personal losses. So these tokens, the idea was they would eventually be exchanged either for repayment by Bitfinex or for shares in its parent company, iFinex Inc. So it's an interesting way of trying to handle the situation.


GRAHAM CLULEY. So you've lost 36% of your cryptocurrency investment, but what we have here is a magic bean, and you're going to carry this bean around with you.


CAROLE THERIAULT. Exactly.


GRAHAM CLULEY. And one day it might become a wonderful beanstalk.


CAROLE THERIAULT. And you'll be able to climb it to the world's riches.


GRAHAM CLULEY. All the way to the moon.


CAROLE THERIAULT. Yeah, I don't think I'd be very happy with that solution at the time, really.


GRAHAM CLULEY. No, not that happy, no.


CAROLE THERIAULT. So, okay, so let's park that and let's now fast forward from 2016 to February 2022. So this is 18 months ago.


GRAHAM CLULEY. Oh yeah.


CAROLE THERIAULT. And there was a huge Bitcoin story that hit the press that 94,000 Bitcoin, that's $4 billion. See, I didn't take it out of my story everywhere. Was seized by the U.S. Department of Justice, the DOJ.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. This was the largest confiscation of its kind. And at the time, it's huge, isn't it? It's massive.


GRAHAM CLULEY. Yeah, yeah.


CAROLE THERIAULT. And at the time, officials also announced that they charged two people with attempting to launder these stolen bitcoins.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. The same, the very same bitcoins that had been stolen from Bitfinex back in 2016. So you might remember I said earlier it was 120,000 bitcoins that were stolen in the hack, and the DOJ seizure accounted for 94,000. So that's quite close, you know, they've recovered quite a huge—


GRAHAM CLULEY. Quite a big chunk of what was stolen. Yeah.


CAROLE THERIAULT. So the thing— the next question is, who are these people that they arrested?


GRAHAM CLULEY. They must be geniuses, right? They must be really nerdy genius crypto bros.


CAROLE THERIAULT. Yeah, really bright.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Yeah. Well turned out.


GRAHAM CLULEY. Yeah. Yeah.


CAROLE THERIAULT. Well, they are a husband and wife team. And 18 months ago, back in 2022, the papers went wild when they learned the identity of this duo. And I'm going to talk to you and introduce you to the missus here.

This is Heather Morgan, born in Oregon, grew up in Tehama, California. And according to Wikipedia, Morgan, who's now 31, was a columnist for Inc. and a Forbes contributor from 2017 to 2021. In fact, in a June 2020 article she wrote for Forbes, it was titled "Experts Share Tips to Protect Your Business from Cybercriminals."


GRAHAM CLULEY. So she's an author writing for Forbes about how people can keep close track on their cryptocurrency investments to keep them out of the hands of hackers. And she's been accused of—


CAROLE THERIAULT. Well, she's been arrested.


GRAHAM CLULEY. She's been arrested. She's been arrested in connection with one of the biggest heists of bitcoin ever.


CAROLE THERIAULT. That's right. And so in articles published by Forbes, in these articles, she claims to be a successful tech businesswoman, calling herself— she lists herself out here. She says economist, serial entrepreneur, software investor, and rapper.

A rapper. And not just any old rapper, one that likes to use quite a lot of saucy expletives.


GRAHAM CLULEY. Ooh.


CAROLE THERIAULT. "I'm a motherfucking bad bitch. Go on, make me a sandwich. You annoying like vag itch. So lame, it's fucking tragic." Morgan produces rap videos under the stage name of, get this, Razzle Khan, apparently inspired by Genghis Khan. And according to the BBC's Joe Tidy, friend of the show, she masqueraded as a rapper in order to evade police.


GRAHAM CLULEY. Because that's what you do, isn't it, if police are on your trail? You pretend to be a rapper because that foxes them every time.

Now, I think I've seen a video by Ms. Razzlekhan. She obviously must have spent some of her money on the production of these videos.


CAROLE THERIAULT. High-value production.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. And what I find, this is a little slice of irony pie here. And whilst trying to go undetected by the cops, some of her lyrics are a bit telltale. One of them is, quote, "I'm a real risk taker, pirate riding the flood. I'm a badass moneymaker."


GRAHAM CLULEY. I'm a Forbes contributor. Oh, hang on, that doesn't sound quite so cool, does it?


CAROLE THERIAULT. On her website, Morgan calls herself Razzle Khan, the Versace Bedouin, the raunchy rapper with more pizzazz than Genghis Khan. You can see how talented she is there with the rhymes. And she writes, "Her art often resembles something in between an acid trip and a delightful nightmare."

This is on her website. "Raz likes to push the limits of what people are comfortable with. Her style has often been described as sexy horror comedy."


GRAHAM CLULEY. Yeah, she sounds like Doris Day to me. Something like that. Yeah, I can picture it.


CAROLE THERIAULT. I was reading this article at the BBC, and I love this line from Joe Tidy. He quotes her and he's like, "Come real far but don't know where I'm headed. Blindly following rules is for fools," she says, gyrating on Wall Street wearing sunglasses and wearing a leopard print scarf and shiny gold jacket. So you can just picture it.

And according to The Guardian, on top of doing these rap videos, she also offers DIY techniques and yaks lifestyle issues on Instagram and TikTok.


GRAHAM CLULEY. So despite— other than being this urban rapper, she's a serial entrepreneur, remember that. She's also giving out DIY tips.


CAROLE THERIAULT. She calls herself the Turkish Martha Stewart or the Waffle Queen of Korea.


GRAHAM CLULEY. So busy girl, she sounds nationality challenged if she's Turkish and Bedouin and, you know, the world citizen of the world.


CAROLE THERIAULT. Anywho, rapper Razzle Khan, okay, and her hubby Ilya Lichtenstein were arrested last year in New York after police traced their riches back to their crypto heist.


GRAHAM CLULEY. But it's very confusing, Carole. When I heard about this arrest and I checked out the video I thought, these people are morons. I thought the police have made a mistake. There's no way this idiotic person can possibly be involved in this huge heist. It just seemed implausible to me. So maybe this actually is a brilliant cover story to pretend to be a really bloody awful rapper.


CAROLE THERIAULT. Yeah, totally. Well, she really pulled it off with aplomb, if you ask me. Prosecutors claimed the pair split up the bitcoin into tiny amounts and transferred it to thousands of different crypto wallets and fake identities, right? So they mixed their stolen funds with other criminal cryptocurrency on the darknet marketplace AlphaBay.

They purchased gold coins. They set up shell companies to make the bitcoin funds look legitimate. And prosecutors say that the stolen money was also spent on, quote, absolutely mundane things such as purchasing a Walmart gift card for $500.

And I don't know if this is irony. Can you tell me if I'm making this up? This is irony. The gift card that they bought, the Walmart gift card, the stupid little thing, is what led to their downfall because cops were able to link the Walmart gift card back to some of the proceeds from the Bitfinex hack, which then opened up investigation further.

And by buying these gift cards and moving between different exchanges and different cryptocurrency, they were able to trace it all back.


GRAHAM CLULEY. Provenance once again.


CAROLE THERIAULT. Provenance once again.


GRAHAM CLULEY. It comes down to that.


CAROLE THERIAULT. Always down to provenance. The BBC report that police successfully decrypted a spreadsheet meticulously detailing the couple's intricate methods for laundering the stash, allowing them to recover nearly the full amount, or 91,000 bitcoin if I remember correctly.


GRAHAM CLULEY. It's just such a huge amount of money.


CAROLE THERIAULT. It's so huge. And now the story's not even over.

So fast forward to last week. Oh yes, we hear that the couple have now pleaded guilty to money laundering, with Morgan pleading guilty to an additional count of conspiracy to defraud the US and crimes against music. The couple now face a prison sentence.

She herself faces a possible 10 years.


GRAHAM CLULEY. Wow.


CAROLE THERIAULT. And you remember those bitcoin losers, the Bitfinex customers?


GRAHAM CLULEY. Yeah, yeah.


CAROLE THERIAULT. According BBC, by 2019, the company had reimbursed the victims. So now the Hong Kong-based firm and some customers who exchanged their losses for shares are in line for a windfall once the recovered bitcoins are returned.


GRAHAM CLULEY. Oh, so if you've hung on to your magic bean.


CAROLE THERIAULT. Yes. So they're actually going to cash out by doing the social experiment of everyone taking a little haircut. So happy days for the Bitfinex and its customers, albeit 7 years on, and sad days for Razzle Khan, the rapper, or wannabe rapper.


GRAHAM CLULEY. I think we should listen to a bit of Razzle Khan music.


CAROLE THERIAULT. Oh dear God. Okay, let's just sign out with about 10 seconds. I'm heading. Motherfucking crocodile of Wall Street. Silver on my fingers and boots on my feet. Always be a goat, not a goddamn sheep. Email me. Fuck your message at the beep. Beep. Beep. Beep.


GRAHAM CLULEY. Link's in the show notes.


CAROLE THERIAULT. If you work in security or IT and your company has Okta, this message is for you. For the past few years, the majority of data breaches and hacks you read about have something in common. It's employees.

Hackers absolutely love exploiting vulnerable employee devices and credentials. But imagine a world where only secure devices can access your cloud apps. Here, credentials are useless to hackers, and you can manage every OS, even Linux, from a single dashboard.

Best of all, you can get employees to fix their own device security issues without creating more work for IT. The good news is you don't have to imagine this world.

You can just start using Kolide. Kolide is a device trust solution for companies with Okta, and it makes sure that if a device is not trusted or secure, it can't log in to your cloud apps.

Visit kolide.com/smashing to watch a demo and see how it works. That's k-o-l-i-d-e.com/smashing.


GRAHAM CLULEY. This week we're sponsored by ClearVPN, developed by MacPaw, a software company from Ukraine with more than 30 million users worldwide. ClearVPN is incredibly user-friendly, ensuring that even non-tech-savvy users can easily protect their online privacy without any extra technical skills required.

ClearVPN has a free plan for all users worldwide. It can hide your IP address and browse without geo-restrictions.

And the best part is, you don't even need an account to start using ClearVPN's free plan. It's entirely anonymous.

ClearVPN works on Mac, Windows, Android, and iOS. And with its premium plan, you can be teleported to 40 other countries to unlock content on the top streaming services such as Netflix USA, Hulu, HBO Max, BBC iPlayer, and more.

To make your life online more safe and private with ClearVPN right now, you can try out 30 days of free trial premium. Head over to smashingsecurity.com/clearvpn, click Start 30 Days, go through the registration, and then download ClearVPN to your device.

That's smashingsecurity.com/clearvpn. And welcome back.

Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they read, a TV show, a movie, a record, a podcast, a website, or an app.

Whatever they wish. It doesn't have to be security related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Now, Carole, after 334 episodes of Smashing Security, we've given a lot of picks of the week. And every now and then we've subverted the format and not given a pick of the week.

Instead, we've done a nitpick of the week. And I would like to take this opportunity to give my nitpick of the week.


CAROLE THERIAULT. Please shoot. I want to hear it.


GRAHAM CLULEY. Two weeks ago, you were away on a secret mission and I edited the podcast. And I managed to edit the podcast successfully, but the day after editing, my laptop went kaput and I was actually away as well.

And so it was rather difficult, right? So my laptop went kaput and I thought, I need to go and take it into the nearest Apple Store to get it fixed, to get them to look at it.

One of the geniuses at the bar. My nearest Apple Store is in Oxford.

That's no problem, I thought. I'll drive into Oxford.

I'll park my car. I have an electric vehicle, as you know.

I will park it at the Oxford Westgate Shopping Centre.


CAROLE THERIAULT. What day of the week is this?


GRAHAM CLULEY. This was Monday. Monday it was.


CAROLE THERIAULT. Okay. Yeah.


GRAHAM CLULEY. Okay. So, I went into the Oxford Westgate Shopping Centre and plugged my car in. Now, the exciting thing about going to Oxford is that the EV chargers at the Westgate Shopping Centre are free. You can plug your car in and it'll charge it for free.

Fantastic, I think. I love a freebie. But oh no, no, they don't do that anymore. They've obviously cottoned on that people like me were going there and getting a free charge because they're no longer free.

They now say you have to download an app called Sparco. And they won't let you use your debit card or something at the machine, right?

Instead, you have to download the app. It says you have to download the app. You can't do anything unless you download the app.

So you think, I'll just download the app, don't you? Wrong.


CAROLE THERIAULT. Well, I would of course read the privacy terms and agreements.


GRAHAM CLULEY. Well, you would have done. Yeah, but okay. I can't just download the app because the Oxford Westgate Shopping Centre car park is underground and there's no data.


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. And so I can't get on the internet with my little mobile phone to download the sodding app. Right? And there's also no Wi-Fi.

And I'm thinking, well, how do I connect? Do I have to walk out of the car park in order to get a connection and then walk all the way back in?

You know, down all the slopes and everything. Anyway, I think, ah, the shopping centre has free Wi-Fi. Maybe there's a little trace of it reaching down into the underground car park.


CAROLE THERIAULT. Why didn't you just go up to the main floor and do your business and then come back down?


GRAHAM CLULEY. Oh, well, Carole, you weren't there. Right, if you're going to jump in with sensible suggestions at this point, it's too late because it's now no longer Monday when this happened.


CAROLE THERIAULT. Yeah, okay.


GRAHAM CLULEY. So I hop onto the shopping centre Wi-Fi and it tells you to register if you want to use their free Wi-Fi. You've got to enter your name, you've got to enter your email address, you have to agree to the terms and conditions, you have to tell it the reason for coming to the shopping centre. The reason for me coming to the shopping centre is to go to your sodding shops, I'm thinking.

So I'm answering all these questions and it says, "Now we're going to email you a confirmation link. You have 10 minutes to click on the link in order to get free Wi-Fi," right? And then it'll unlock it.

So I go to my email app, but there's no email from them. They haven't sent me the email. No matter, I think, it'll be along in a minute.

Sometimes these things take a while. So while I have my 10 minutes of Wi-Fi, I download the Sparco app. Right, so I download it.


CAROLE THERIAULT. I can't believe I've ever taken any advice from you in my life. Okay, right, okay. So now you download it. How are you downloading the app?


GRAHAM CLULEY. Because I've got 10 minutes worth of Wi-Fi from the shopping centre during which I'm supposed to click on the confirmation link, but it's letting me—


CAROLE THERIAULT. Oh, right. And you're trying to work it really quickly to download an app.


GRAHAM CLULEY. You've got my dilemma already. So I'm starting up the Sparco app and it says, "Would you like to register an account?" I know I bloody wouldn't. I want— I just want to pay and go, right?

So I will click on the button which says, "Carry on without registering an account." And I click that button and it takes me to a random screen in the app. And I click it again, click it again, click it again. All the time I'm just saying, "Carry on." It doesn't work.

So I think, "Okay, I'm going to have to register an account with Sparco." Did I mention, by the way, I'm in a hurry? I'm in a hurry. There's places I have to be. I've got an appointment at the Apple Store. I need to get there.

Sparco wants my name, my email address, my postcode. It then searches my mailing address from my postcode. I select it. Then it asks me to choose a password, minimum 12 characters, it says, uppercase, lowercase, and a symbol.

So I create a password. I re-enter the password. The password matches, it says. Then it asks me to complete a CAPTCHA. I find—


CAROLE THERIAULT. Can I interrupt one more time?


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Sorry. As I listen to your story.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Your car, is it a hybrid car or fully electric?


GRAHAM CLULEY. No, it's fully electric. Fully electric.


CAROLE THERIAULT. Right. So it's not like you could have just parked in a normal car spot, go do your hurry, hurry thing and dealt with this afterwards.


GRAHAM CLULEY. I could have done. But I was quite low on juice and I wanted to charge my car.


CAROLE THERIAULT. Right, so you were basically trying— Yeah, yeah. You did not prioritise what was most important, car or Apple.


GRAHAM CLULEY. Again, you're offering advice, which is very gratefully received, but you weren't there at the time.


CAROLE THERIAULT. I'm sorry, okay, sorry. Get back in your soapbox.


GRAHAM CLULEY. You could possibly have called me with this advice if I'd had any data to reach me in my underground car park. So I'm taking the CAPTCHA and I find three buses and then asks me for another CAPTCHA. I find four bicycles. Ask me for another CAPTCHA. I find three fire hydrants. Ask me for another CAPTCHA. I find four—


CAROLE THERIAULT. Bzzz.


GRAHAM CLULEY. It says—


CAROLE THERIAULT. Out of time.


GRAHAM CLULEY. Cannot complete CAPTCHA, it says. Do you have internet access? Because at this point—


CAROLE THERIAULT. This does sound like a nightmare situation. I'm so sorry.


GRAHAM CLULEY. At this point, I've lost my internet access.


CAROLE THERIAULT. Oh dear.


GRAHAM CLULEY. I haven't received the email from the shopping centre. I'm walking around the car park trying to find better— No internet access.


CAROLE THERIAULT. Dare not go up those stairs though.


GRAHAM CLULEY. I fill in the shopping centre Wi-Fi form again and again and it keeps not working. I turn off my Wi-Fi, turn it on again. I managed to re-register for the Wi-Fi for another 10 minutes. I try and register on Sparco again.

I enter all my details again. I tick the I am human box. No internet access, says the CAPTCHA.


CAROLE THERIAULT. You're ridiculous.


GRAHAM CLULEY. 15 minutes have now passed. I finally managed to create a Sparco account. And I think, right, we're almost there. And it says it wants payment information. Easy, I think. I'll just enter my payment card details.

Oh no, no, no. It wants to set up a fricking direct debit with my bank at this point. So I have to dig out my—


CAROLE THERIAULT. That's the only option?


GRAHAM CLULEY. Yes. They only accept payment via direct debit.


CAROLE THERIAULT. And again, at this point you still don't go, okay, I'm just going to park in a normal car spot, go to the Apple thing.


GRAHAM CLULEY. Again, Carole. Again, Carole, you weren't there to offer this advice.


CAROLE THERIAULT. No, I know, but I'm here right now and this is taking a long time.


GRAHAM CLULEY. I enter my direct— I find my information for my bank, even though I don't have internet access. I find it, I enter it, and I think, right, now I can choose my charging point and tell it to start charging.

And I find my charging point in their app, and it has a button, it's marked Start Charge, and I think, this is it, but it's now going to work out. And then I notice it's greyed out and it tells me your charging point is already occupied.

It's well, yeah, it's occupied by me. This is where my car is.

And so it won't let me start the charge. I don't understand why.

I then have to move my car from that point, charging point, to find another one. I've been there 30 minutes by now.

I eventually start to charge my car. Fantastic.

Go to the Apple Store. They take my laptop away.

They're going to fix it. Lovely, lovely.

Now I come back to the car park and I think this would be easy. I'd just sleep in my car.

No, no, no. That'd be too easy because I now have to log into the fucking app to tell it to stop charging my car.

I can't disconnect the cable unless I can get into the app to tell it to stop charging because there's no stop button on the charging point. And I can't get into the app unless I have data to get onto the internet and I'm underground.


CAROLE THERIAULT. Okay, deep breath.


GRAHAM CLULEY. So, in summary—


CAROLE THERIAULT. You had a bad, bad Monday afternoon.


GRAHAM CLULEY. No electrical vehicle chargers should require you to install an app to charge your bloody car. They should all—


CAROLE THERIAULT. Especially if it's underground.


GRAHAM CLULEY. Yes, with no data. They should all have the ability for people to pay contactless with their payment cards.

Welcome to my TED Talk. Thank you very much.

Good night. That is my nitpick of the week.


CAROLE THERIAULT. Listeners, let us know if you want more disaster stories from Graham's life.


GRAHAM CLULEY. We've got a lot of material.


CAROLE THERIAULT. Yes, nothing to do with how he uses the world. It's all to do with the world.


GRAHAM CLULEY. Carole, what's your pick of the week or nitpick of the week?


CAROLE THERIAULT. Well, it is, as you know, you opened saying we've done a lot of picks of the week. We have done a lot of picks of the week.

I am a little nervous. We may have touched on this subject before in one of the 333 previous episodes.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. But as we were talking about, I'm on a mission far, far away in a place where using data on my phone would cost a veritable fortune.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. So as I'm having to work while I'm away, what do I do? 'Cause I'm not always near a Wi-Fi point.

Well, I got myself a virtual SIM card, an eSIM, because my phone is eSIM compatible, as are most modern phones. So an eSIM is an industry standard digital SIM.

This is according to Apple, okay? But it does work on other devices that allows you to activate a cellular plan from your carrier without having to use a physical SIM.

So basically I can get SIM access without getting off my ass. And that's a—


GRAHAM CLULEY. I mean, this is a brilliant invention because the pain with SIMs is you have to have that little— this potentially is a nitpick of the week. Again, that funny little pin thing.


CAROLE THERIAULT. You sure you want to keep it for next week?


GRAHAM CLULEY. You have to have one of them to get in the car. Nothing else fits.

Nothing else fits. I used to have one of them on my keychain because I occasionally needed one, and it kept on stabbing me in the thigh.

You know, potentially.


CAROLE THERIAULT. Only you would call it stabbing.


GRAHAM CLULEY. But no, it could cut.


CAROLE THERIAULT. It's a paperclip.


GRAHAM CLULEY. It could be. It's probably a very important vein in my thigh.

It could kill me.


CAROLE THERIAULT. Well, I'll carry on with my story. I'm glad you lived through that horror. Now, I got one from a company called HolaFly. H-O-L-A Fly.


GRAHAM CLULEY. Hola.


CAROLE THERIAULT. Yeah, hola, like hello fly.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. And yeah, hello, fly. And basically you go to their website and they say, hey, where you heading? Where are you going? Right. And you say, oh, I'm going to, you know, Mexico, or I'm going to, you know, Japan or the US or wherever. And they say, well, how long you plan to go for?


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. And you tell them, and bish bash bosh, you can have unlimited data for that length of time. Oh yes. Do you—


GRAHAM CLULEY. So you don't have to put anything into your phone? Your phone already comes equipped with this eSIM technology?


CAROLE THERIAULT. Yeah. If you go right now, go to esim.holafly.com.


GRAHAM CLULEY. Are you being sponsored by them?


CAROLE THERIAULT. No, I know. I think I sound like an ad. I'm not getting a fucking penny. I was just really impressed. It installs in a few clicks. It's really simple to use. There's no trickery. You just choose your travel mobile plan or your local travel plan.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. And that's it. For unlimited data, it's pretty affordable. So for 7 days, I'm just looking now. So let's say I was going to the States, right? And I was going there for 7 days.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. For unlimited data, $27. So you can download on your phone, keep it there silent. And when you go away, you kick it off and then you've got 7 days of unlimited time, unlimited juice.


GRAHAM CLULEY. Well, that's a very helpful pick of the week.


CAROLE THERIAULT. Yes, it is. It's fabulous and it's easy and it doesn't need an IT technician to do it for you. So that's why I am choosing eSIMs and my only experiences with HolaFly so far, but that's why eSIMs are my pick of the week.


GRAHAM CLULEY. Very nice too. Well, that just about wraps up the show for this week, Carole.


CAROLE THERIAULT. It does.


GRAHAM CLULEY. Listeners can follow us on Twitter @SmashingSecurity, no G, Twitter doesn't allow us to have a G. And we also have a Mastodon account if you're one of those people who've made the exodus already. And look us up on the Smashing Security subreddit. Don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Overcast.


CAROLE THERIAULT. And huge, huge thank you to this episode's sponsors, Kolide and ClearVPN. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 333 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio, bye-bye.


CAROLE THERIAULT. Bye-bye. Hey, I didn't tell you. I was accused by someone who's known me for quite a long time that I don't say my name properly on this show.


GRAHAM CLULEY. You don't? You've always said I'm the one who says it correctly.


CAROLE THERIAULT. Oh, no, no. They definitely think you do not say it correctly, and I have to agree with them under duress.


GRAHAM CLULEY. Oh, okay. So what is, how do you say your name?


CAROLE THERIAULT. Well, I think I don't know.


GRAHAM CLULEY. You don't know how to say your name?


CAROLE THERIAULT. I think I've lost the, moving to England, I mean, so in French it would be Carole Theriault.


GRAHAM CLULEY. Carole Theriault.


CAROLE THERIAULT. Right, but that's really hard for Brits to say and I don't want them horking on my R. What?


GRAHAM CLULEY. You don't want anyone horking on your Rs.


CAROLE THERIAULT. Exactly. Anyway.


GRAHAM CLULEY. Ah, dear.

-- TRANSCRIPT ENDS --