Why deleting your Twitter account may be a very bad idea, how the police unravelled the iSpoof fraud gang, and a trip into outer space (or at least interplanetary file systems).
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by original show co-host Vanja Švajcer.
What an amazing 6 years of bickering it has been… thanks to all of you who have tuned in, appeared on the show, or supported us! 🙏
Warning: This podcast may contain nuts, adult themes, and rude language.
Episode links:
- Smashing Security #001: “One cup, two hotel guests” - YouTube.
- Whoopi Goldberg Quitting Twitter: “As Of Tonight I’m Done” - Deadline.
- Stephen Fry Joins Celebrity Twitter Exodus, Says “Goodbye” With Scrabble Message - Deadline.
- Twitter Users Warned Not To Delete Their Accounts - Here’s Why - Forbes.
- How to deactivate your account - Twitter.
- InterPlanetary File System - Wikipedia.
- Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns - Cisco Talos.
- Decentralized IPFS networks forming the 'hotbed of phishing' - The Register.
- UK police arrest 120 in largest-ever cyber fraud crackdown - Computer Weekly.
- Grote spoofingdienst uit de lucht gehaald door internationale samenwerking - Politie.nl.
- Received a text from the Metropolitan Police about iSpoof? - CEL Solicitors.
- 'iSpoof' service dismantled, main operator and 145 users arrested - Bleeping Computer.
- iSpoof: What is iSpoof and how did police take down scam call site linked to 200,000 victims? - The Scotsman.
- Listen to the message the Met Police left on the iSpoof gang’s Telegram channel - Twitter.
- Scrotum Concealment - Spy Museum.
- The CIA's Fake Scrotum That Hid a Radio - YouTube.
- Blitzed! (2020) - IMDB.
- Watch Blitzed: The 80s Blitz Kids Story - NOW TV.
- Bob Dylan on the Songs That Captivate and Define Us - New York Times.
- Bob Dylan Gets Tangled Up in Book Autograph Controversy - New York Times.
- Bob Dylan apologises for machine-printed 'signatures' - BBC News.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Drata – Put Security and Compliance on Autopilot. Build trust with your customers and scale securely with Drata, the smartest way to achieve continuous SOC 2, ISO 27001 & HIPAA compliance.
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
- Kolide – the SaaS app that sends employees important, timely, and relevant security recommendations concerning their Mac, Windows, and Linux devices, right inside Slack.
Thanks:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
UNKNOWN GUEST. Thanks man! To the United and the brave 300 to victory! Smashing Security, episode 300, Interplanetary File Systems. iSpoof and don't delete Twitter with Carole Theriault and Graham Cluley.
GRAHAM CLULEY. Hello, hello and welcome to Smashing Security, episode 300. My name is Graham Cluley. And I'm Carole Theriault. And Carole, what a long journey it's been. 300 episodes. This podcast, which we, on our own with no one's help launched without anyone's assistance. It was just the two of us. Just the two of us. Wait a second. Wait a second.
CAROLE THERIAULT. What about me? That is the sweet, sweet voice of Vanja Švajcer. Our very first trio. Or what is it? An original founder. An original founder.
GRAHAM. He was there at the beginning of the threesome, but he couldn't last. He had no stamina. There's probably a lot of listeners who aren't aware that it wasn't just Carole and me way back when. There was this other chap, this man with the voice, the voice of the count. The person number three in the corner. The goatee beard. Oh, yes. Yeah, the gravitas.
CAROLE. Welcome to the show, Vanja. We're very happy to have you.
VANJA ŠVAJCER. I'm so very happy to be here once again. And for this special occasion, of course, I mean, 300 episodes. I can't believe you made it so far. It's been what, six years?
CAROLE. Oh, my gosh. That's right. Yeah.
VANJA. I know because I watched the first episode yesterday. Well, not completely. When we were doing it all completely live from Google Hangouts to YouTube, insane.
UNKNOWN GUEST. Smashing Security 001: One cup, two hotel guests. And here are your hosts, Carole Theriault, Vanja Švajcer and Graham Cluley. And... Well, exciting time.
CAROLE. You're doing great, you're doing great, carry on. It's really riveting. It's riveting.
VANJA. You were so young, Carole.
CAROLE. I have never done it. I have never been able to watch that or listen to it. I'll never be able to do that ever.
GRAHAM. It's quite an experience. Well, Vanja, good of you to show up, because let's be honest. It's been a while. There's a lot you haven't shown up to. A lot of episodes.
VANJA. Yeah, I've been closely following your work, and you've done a really good job. You made me proud. If it wasn't for this disappearance of mine, that was a serendipity, right? You know, because if I stayed, we would never be as successful as you are now.
CAROLE. Well, we are thrilled that you are here. But before we kick off, we must thank this week's sponsors, Bitwarden, Drata and Kolide. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
GRAHAM. Well, I'm going to be telling everybody why they shouldn't give up on Twitter.
CAROLE. God. Vanja, thank God you're here? What about you?
VANJA. Well, mine's not going to be on Twitter. Mine's going to be on some Web3 technologies that's called Interplanetary File System. And its abuse.
CAROLE. I think we're going to learn something there. And I'm going to talk about how iSpoof went poof. All this and much more coming up on this very special episode of Smashing Security.
GRAHAM. Well chums, chums celebratory chums everybody isn't this a lovely little party what we're having episode 300. I don't know if it's as big a feel as 250 or not 250 in some ways feels I don't know 250 a bit more special a golden anniversary or whatever I don't know. I think we can make more of a fuss until maybe episode 500. 500 feels the next big one. How does it feel? Do you feel you're going to make it until 500?
CAROLE. No, I'm not sure at all. I think we should celebrate the bejesus out of this little baby.
GRAHAM. Okay, all right, okay. Well, I mean, we could just check with Vanja's diary if he's free for episode 500 now.
VANJA. Let me check. So that's going to be in about four years' time. So far, so good. Excellent.
GRAHAM. And anyway, sorry, let's get back on the topic. Chums, chums. I haven't been talking about Twitter very much. I mean, last week I barely mentioned it at all. The previous three weeks, yes, I did mention it a fair amount. There's been a lot of drama on Twitter. And Vanja, I saw that you've joined Mastodon.
VANJA. Yes, I joined Mastodon. And in fact, I'm not a super early adopter and I don't want to kind of just discard the old stuff as well.
GRAHAM. You're conservative. You're careful, aren't you? You don't to leap in. Yeah, exactly. You to be cautious. And there's still quite a lot of information on Twitter going on, but I certainly am not super happy with the way it's going so far.
GRAHAM. Really? There's a lot of people who aren't happy. And some people are saying, you know, hashtag delete Twitter, a bit hashtag delete Facebook. And my message to all the listeners today is don't do that. Don't delete your Twitter account. And I can think of two good reasons why you want to keep your Twitter account rather than zap it.
CAROLE. For posterity, if someone good comes along.
GRAHAM. I mean, it's always possible that things will turn around. You know, maybe someone else will become the CEO of Twitter and fix all the problems which are being caused at the moment.
CAROLE. Mark Zuckerberg will come in on a white stallion.
VANJA. Big return of Jack Dorsey. Yeah.
GRAHAM. Yeah, Jack Dorsey comes back. I heard a story the other day that maybe Elon Musk is planning to emulate OnlyFans. Maybe he's going to think, well, what we really need on Twitter is more pornography and adult content. And that's how I'm going to make money. I don't know
VANJA. If that's… I have to say that I don't get this verified account thing, like eight euros a month or eight dollars or something. Yeah. I would never pay for it.
GRAHAM. No, no, no. But anyway, so why should you remain on Twitter? Well, one obvious reason is when else and where else do you get the opportunities to see the richest man in the world burn his way through $44 billion in front of your eyes? There's a wonderful sense of schadenfreude. And isn't this terrific? Because when he initially made the offer for Twitter, you think he was just doing it on a whim. He didn't really want Twitter. Then he's committed to giving $44 billion for it. He tried to back out of it.
CAROLE. Okay. So I just looked up how much he's worth. And currently it says $191.4 billion.
VANJA. So $44 billion is quite significant. Yeah.
GRAHAM. It's not that bad. He's not going to be destitute if it all goes to that. I'm not destitute. He is destitute. But I think Elon Musk is a narcissist. Elon Musk loves to be adored. You might know that. He's got all these. He's. What? He's someone who loves. Graham does not know that. He's someone who loves the adoration. Everyone thinks he's fantastic. And of course, he's had some successful companies. He's revolutionized electric vehicles. He's putting space rockets up in the air. You know he's going to be helping NASA land on the moon and maybe going to Mars. You know people think that he's incredible.
VANJA. It's quite an interesting management style that he adopted. Yeah Twitter, but
CAROLE. You think he's done more for mankind than you have?
VANJA. But are we going back to the space elevator theme?
CAROLE. I'm not, I'm just checking. I'm just wanting to know.
GRAHAM. Why does it always have to be about me Carole? Well because you're the one who keeps bringing it up every single week. I'm not bringing up me, I'm not saying that I've done more or less than Elon Musk. But surely Graham
VANJA. Starting Smashing Security is almost as big as
GRAHAM. Starting it with Carole and you. Don't say that I started it, please let's not get that argument going again. Anyway, sorry, I couldn't resist. There is something fantastic going on in terms of here is someone who seems to have bought something on a whim and then once he's got it thinks, well, what the hell am I going to do with this? And he's making mistakes left, right and centre. People are leaving. People are quitting. He's made some really bad business decisions and he begins to think, oh, this man is not invulnerable. This man is not necessarily a genius.
CAROLE. Or maybe he is and you just can't understand because you're not as clever as him. Oh,
GRAHAM. Because it's four-dimensional chess. That's what you're saying.
CAROLE. That's right. It could be.
GRAHAM. Anyway, so that's one reason to stay on Twitter. It's a bit like rubbernecking when you see a car accident. But one
VANJA. Of the things is, if you consider yourself leaving Twitter, isn't it also a little bit of a narcissistic move, thinking, oh, I'm so important. Screw you, Elon Musk.
GRAHAM. Well, no, no. I don't imagine that Elon Musk is going to be personally hurt if one of us deletes our Twitter account. I don't think he'd care about that.
VANJA. It's your own feeling. It's basically like doing your recycling every day, even if maybe the garbage is not recycled, but at least you feel good.
GRAHAM. So you might want to stay on Twitter in order to watch the last days of Rome. You may just be amused by that and think, I want to be here because it's interesting. But there's another reason why you shouldn't delete your Twitter account, and that is because someone could hijack your account, not because of some security flaw. We talked about the risks maybe of having a privacy or security breach on Twitter because of all the security people that they've let go. I'm not thinking so much of that. But what I'm thinking is that if you just rashly think, well, I'm just going to delete my account and go to Mastodon, and that's where I'm going to do my tooting from now on, then there is an issue. Because what happens is if your account gets deleted on Twitter, one of the things that Twitter does is it releases your account username, which means Vanja Švajcer, if you were to delete your account. At Vanja Švajcer, yeah. There you go. You're still desperate for followers. It means that at that point, once you've deleted it, someone else could come along and create another account in your precise name using your user ID.
CAROLE. That is the problem with Twitter, isn't it? The problem with Twitter is that everyone named their accounts after their names. Like on Reddit, you just call yourself bumhead268 or something.
VANJA. But I would say Twitter is like that as well. There are plenty of people with usernames and accounts, which doesn't tell anything about who they really are.
CAROLE. Yeah, totally. But there are also people like Graham and I and many, many of us have our names.
VANJA. I think we kind of went for it and I always do it, you know, whatever, you know, what could possibly go wrong? Yeah.
GRAHAM. Yeah, especially if you're trying to communicate something or you're trying to spread news, it gives it a little bit more veracity, maybe, authenticity, if you put your name up there. I mean, what would you suggest then, Carole? You think everyone should be bumhead 565 or just a number?
CAROLE. I'm just thinking based on your story, saying, oh, better hold on to it. Someone could grab your name. It's kind of a shame that that's even part of it, right? Because your username shouldn't be the verification of the person. On
VANJA. Twitter, it's very easy to impersonate anybody, right? Because, you know, Vanja Schweitzer underscore B. Exactly.
GRAHAM. But Carole, if you had a big following, if you had not created Carole Theriault on Twitter, instead if you'd been Kanak artist or something, and you'd created a following, and people followed you and trusted you or whatever. And then someone in the future stole that username because you deleted your account. And those people would still think it was you tweeting. It doesn't matter if it's your actual name because they would associate your postings with your username. So it doesn't matter if you're bumhead565.
CAROLE. What happens to my followers when I delete my account?
They die. Well, presumably, they no longer follow a deactivated or a deleted account. So you'd have to start up from zero again.
That's a good question.
GRAHAM. So you'd look like a fake Elon Musk account. I don't know. What I do know is that anyone who's added you in a previous message, when your account is deleted, those are no longer clickable. Presumably, when that account becomes active again, they do become clickable again. And so people might see a message where you're being mentioned or retweeted or whatever, and it could link back to your account. So it's an easy takeover of somebody's account.
It is.
CAROLE. Can you walk me through the takeover bit, just so I understand?
GRAHAM. So let me explain exactly what happens. When you delete your Twitter account, it actually puts it into limbo for a while. It deactivates it first. Facebook does something similar.
CAROLE. I don't mean it. Obviously, I don't mean it. And I'm going to wake up from my mild insanity and reactivate it the next day.
GRAHAM. You must have been drunk. You must have been on drugs. So they say, look, we'll put it into limbo for 30 days. And if you log in during those 30 days thinking, oh, I wonder if anyone's tweeted me, I wonder if I got a message, it will reactivate your account. Facebook does the same kind of thing. But if you leave it longer than 30 days untouched, then your account is properly deleted and your username is up for grabs. So anyone could grab it. And under Elon Musk's new world order, they could give themselves a verified checkmark, which isn't, of course, these days properly verified at all.
CAROLE. But they're not grabbing the history of that account as well. They're just grabbing the username, correct?
GRAHAM. They're just grabbing the username. Exactly. But it has a certain cachet and it has... No followers.
Well...
VANJA. Yeah, it may not have followers, but of course... To give them a little bit of credit, I think they're making a change now to verifying the accounts. And they're saying they will do more to try to verify that the account is really owned by somebody.
GRAHAM. Yeah, I wonder how much effort they're putting into that and how many resources. I know he's now saying that they're going to have different coloured checkmarks for organisations and for government accounts. And, you know, I mean, it's all been all over the place, hasn't it?
Yep. 4D chess.
But some celebrities have been deleting their accounts, of course. Whoopi Goldberg. Whoopi. Yeah, Whoopi. Nuns on the Run. You know, Ghost, all those. Or Go-host, if you prefer.
So, Whoopi, she deleted her...
CAROLE. Why are you doing that to her name?
GRAHAM. Why am I doing what?
CAROLE. You don't know that her name is Whoopi Goldberg.
GRAHAM. That's what I said, didn't I? Whoopi Goldberg.
VANJA. And, of course, Whoopi is Guinan on Star Trek The Next Generation.
GRAHAM. Yes. Great show. Good call.
She left Twitter on November 7th. She deleted her account. Two days later, Stephen Fry. Right? Stephen Fry, famous actor, national treasure in the UK, author, comedian, etc., etc., etc. Everyone knows who Stephen Fry is. He deleted his account on November 9th. If you try and go to their account, he switched over to Mastodon. If you go to his account now, you'll just see this profile does not exist, which means it seems to me that after 30 days, someone could probably create accounts in the names of these people using their actual account name.
CAROLE. And all this is going to make Twitter more of a cesspit that people want to leave. Right. So isn't that good?
GRAHAM. Well, it's good as long as those people don't then use those accounts to cast aspersions or spread phishing attacks or something malicious or cryptocurrency scams or, you know, say something about how they love the Nazis.
CAROLE. I'm sure they will.
GRAHAM. I'm sure they will. Which is pretty common on Twitter.
CAROLE. Yes. At least it used to be.
GRAHAM. Plus, that means we'll get loads and loads of content for stories in the future.
CAROLE. Well, Carole, you're just very selfish, aren't you?
GRAHAM. Yes, I've been called that by you a lot, actually.
CAROLE. So if you want to leave Twitter, if you want to shut down your account, but don't want someone else taking it over and using your name, I have a suggestion. I read an article on Forbes by Davey Winder all about what you should do rather than deleting your account. And what he says is you should, well, there's a few stages to this. What you should do is you should lock down your account instead. That way you keep the username so no one else can grab it, but you can also protect your tweets, you can delete your tweets, you can delete your direct messages, you can do all the rest of that.
Manually. Well, there are some third-party tools as well if you want to help you do some of those things.
VANJA. So when you lock it down, you can't post or anything, you can just do some management of your... account?
GRAHAM. Well, you can choose not to post any longer. But also, if you lock it down... So let me explain how to do it and what that actually means. So you go to your Twitter account settings, you look for the settings and privacy option, you select privacy and safety and then audience and tagging. And you will see a toggle which says protect your tweets. So you switch that over to protect your tweets.
That means your tweets are only now visible to people who follow you. And you will have to manually approve any new followers. So no one else new can go there. And once you've done that, you could, if you wanted, block all existing followers and delete all your tweets and your direct messages if you so chose.
CAROLE. Sounds like a lot more work than just deleting it.
GRAHAM. Well, it's a lot better than someone taking over your account. Or imagine if you're a company brand and you think, oh, we'll just delete our account on Twitter because we don't want to be associated with all this unpleasantness that's going on. And someone else comes along and damages your brand by grabbing your username. You don't want them to grab your username.
I mean, I think in some ways it makes sense that Twitter frees up usernames when people delete accounts, because otherwise you could create a bot which just registered millions of accounts.
CAROLE. I'm sure that exists all the time.
GRAHAM. And they'd exist forever and ever, wouldn't they? So I mean, in some ways it makes sense that they do get deleted after a certain time period. But you know, I think for those people who are choosing to move on or don't Twitter anymore, don't just delete your account. Lock it down instead. Delete your messages if you want. Turn on protectors if you're worried about your username.
CAROLE. You know, some people don't use their name as their username.
VANJA. Or you can just want to communicate with your friends or a smaller group of people.
GRAHAM. I mean, you could create another account or something if you wanted. But Carole, you represent Smashing Security. Vanja doesn't. Vanja used to.
VANJA. Not me.
GRAHAM. He deserted us.
VANJA. Well, you should be nicer to me then.
GRAHAM. Well, I'm just saying maybe you need to think a little bit about your brand online.
VANJA. I'm not worried about my brand online. Oh, okay.
GRAHAM. Thanks, though. Your brand is very strong, Carole.
CAROLE. Thanks.
GRAHAM. Vanja, what have you got for us?
VANJA. So what I've got is a part of the Web 3.0. I'm sure you're aware this is the third iteration of the web technology.
GRAHAM. Yes, super exciting, right?
VANJA. Very exciting, very exciting. NFTs, blockchain, all that great stuff. It's you know, the second iteration was put yourself onto the web, make your blog, you have your own content, create a Tumblr account.
Yes, but it seems the old idea of the web is that now all the content is concentrated and controlled by a small number of very powerful companies. So the whole move is towards making everything more distributed, which includes distributing the content, distributing money through blockchain. So the blockchain is a technology. And one of the fundamental technologies of Web 3.0 is the IPFS, which stands for Interplanetary File System.
GRAHAM. Right. Now, Vanja, why is it called the Interplanetary File System? Is it really interplanetary?
VANJA. That's an interesting question, of course. And I actually tried to find out why it was called Interplanetary File System. And the only explanation I can find that if you had, let's say, your colonies on Mars or Saturn, for example, and you had some content on Earth, sometimes in the future, then it would actually take quite a long time. You know, the kind of trip for the radio waves to come from Earth to Mars takes about eight minutes or so. So you know, if you requested a web page, it would take at least, at best time, up to 16 minutes until the web page responds in Web 2.0 technology.
CAROLE. Should we demonstrate it for our listeners? Let's do that. Hello.
VANJA. And wait. Hi, Carole. How are you doing? Are we all right? If you had other colonists of Mars, of course, then they may already have requested for that popular page to be loaded. And they may store it on their own machines. And as a part of the interplanetary file system, the way you access content is not by entering a URL, for example, to go to smashingsecurity.com. But you go, I'm searching for the first episode of smashingsecurity.com and it magically appears. You don't really know where it's coming from. You just have a unique idea of that episode and you're going to say, I want that.
GRAHAM. Right. There is nothing magical about the first episode of Smashing Security.
CAROLE. Other than we started the show there.
VANJA. I'm sure many people will have it. I'm sure many people will have it in the interplanetary file system in 300 million years from now. Hi, guys, the future. So there's an obvious advantage of having this sort of ability to have decentralized content where you can have your file or your content, in fact, because you don't look at the file, you look at the content, your unique content, content ID, stored in many different systems. It's kind of a peer-to-peer network when you have a torrent and you try to download some movie for example and then pieces of torrent will come from different peers within the network so that's kind of the ideal interplanetary file system. But it's commonly used to store NFTs and I have noticed that you guys also have an NFT.
GRAHAM. We have, yeah. Mark Stockley created it.
VANJA. Yeah, yeah. And now it's the price is pretty high. They did something about one million Ethereum.
GRAHAM. Yeah, it's about trillion dollars or something.
VANJA. Not too bad. Well, now it's about $100 million from the beginning of the year. So the price went down a bit. It's not too bad.
So of course, it's one of the fundamental technologies of Web 3.0, and sooner or later you will have some bad people using it. And why do they use it? Well, they use it because it's actually very difficult to remove content from the interplanetary file system. So once it's there, it's there.
If you want to upload a new version of the file, the content ID changes, but the old one still stays. And the version control or the version objects knows that this is an old version or a new version of the same thing.
So you can imagine that you can put phishing toolkits, you can put malware on an interplanetary file system, and it would actually be quite difficult to remove it. So it's kind of bulletproof hosting idea where you had hosts hosted in the various countries where you can store your malicious content and it would be very difficult to remove it.
GRAHAM. This sounds like a problem because if I were a cyber criminal or if I was a paedophile ring or something like that, I could put up some very nasty stuff on the internet or at least on the interplanetary file system. And how are the authorities going to ensure that it's all removed?
VANJA. Yeah, you have to basically issue some command to remove the file, but that means that it has to be removed from every server that contains it. And that means that every owner of a server or the peer in the network needs to be able to allow that to happen.
So you also have this concept of so-called pinning where you can pin content. And so in a way, you tell your IPFS system or the network not to delete that content.
CAROLE. So can I make sure I understand just by giving an analogy? So say I packed fruit for living and I used to pack these fruit salads for people, right? I get apples from everywhere around the world. I cut up those apples and then I just take those cut apples and throw them into these dishes and distribute those.
And say one of them was poisonous and people started getting sick and I need to find where that apple bunch came from, bushel, whatever it's called—
GRAHAM. A tree, a tree. I think apples come from a tree. Well done, keep going. You're doing the cooking, yeah.
CAROLE. Yeah, so how would I find that? It would be very difficult to find the source, because I've got so much distribution on both sides. Is it kind of like that?
VANJA. Yeah, I think it's very similar to that, because it's difficult to find source. But you probably know who actually checked in the file, so perhaps they will be able to track that you checked in the file. But of course, your ID can be fake because when you install interplanetary file system, you need to install specific software on your system. So you can use any username, really.
CAROLE. Oh, you don't have to use your Twitter handle with your actual name? For example, no. Oh, right, interesting.
VANJA. No, but it's kind of like, you need to know the content, right? The content ID is the most important thing, not the address of somebody.
There's also another concept here, which is if you have a standard browser or you have a standard machine, that standard machine usually accesses content using HTTP, the standard web protocol. And so your machine needs to be able to talk interplanetary file system. And so most of the machines don't do that.
And in a similar way, you have gateways to Tor network, you also have standard web gateways to interplanetary file system, which is in a way a kind of vulnerability for the bad guys, because the owners of those gateways can actually remove the listing for a particular file very easily. So even if that file, a malicious file is on interplanetary file system, the way some other components access it is through the gateways. So it's very easy to break that chain.
But, you know, can I say, I work for Cisco Talos. It's a pretty nice group of people. And my colleague Edmund Brumaghin, he did this research on IPFS and he realized that actually there is quite a big increase in submissions of the samples that are using IPFS for malicious purposes, 300% over a period of last six months or so.
GRAHAM. Oh, really? So this is cybercriminals doing phishing and malware. You've seen phishing campaigns—
VANJA. You have campaigns using standard email, social engineering techniques, and instead of having a link pointing to some standard content, they point towards the IPFS gateways.
CAROLE. Just a huge, an extra layer of complication for catch me if you can.
VANJA. Exactly. And it's difficult to remove something from IPFS. So the malicious content phishing toolkits usually remain on it.
So it's one of the things that we will learn and we need to start addressing because now even some browsers like Brave is able to access interplanetary file system using its own protocol. So not through gateways using it directly. So we may see even increase in bad guys trying to abuse IPFS.
GRAHAM. Is there any challenge for web filtering security solutions when it comes to IPFS addresses? Or will they just treat it as anything else?
VANJA. They can treat it like URL shorteners, for example. So you have a unique content ID, unique URL.
Actually, you can also have multiple gateways and every gateway has a slightly different addressing scheme for the IPFS. So perhaps for bad guys, if they can start using many of those gateways, it would be more difficult to block just simply using a standard URL blocking technique.
GRAHAM. But I'd imagine these URLs, if you do see one in your browser bar, it's going to look weird, isn't it? It's going to be like, where the hell is this going? It's not going to look like you're going to barclays.co.uk, please bank. Not at all.
VANJA. It's going to look like IPFS.io and then a really long content identifier, which is like a cryptographic checksum of the content that you want to download, really. So yeah, it's immediately suspicious. But again, you can have a URL shortener, which will redirect to your IPFS.io. There are ways around it, so it appears more legitimate.
CAROLE. So you have to get back to that hover over the link and look and see if you have a link shortener like we did 10 years ago.
VANJA. Yeah, exactly. All good fun. Anyway, it's quite possible we'll see more of this coming on. So people should be aware of the interplanetary file system. I mean, it's very useful on the one hand, but like anything, it can also be misused.
GRAHAM. Well, Vanja, it's been six years, but you've come back with an interesting story. So well done.
CAROLE. And cheered us up tremendously. Thank you very much. Great for bringing this joyful story to us.
GRAHAM. Yeah, yeah, yeah. Jolly. Very jolly. Always positive. Carole, what have you got for us this week?
CAROLE. Okay. So how hard, this is interesting after following Vanja's story, but how hard would you say it is for the average computer user to completely hide their tracks online?
GRAHAM. It's very difficult. It's quite difficult. There are tools which can make it more difficult to track you, but yeah.
CAROLE. But the average user, right? Like a hardened cyber expert like the two of you might have an easier chance of doing it than your average user.
VANJA. I do have to admit that I'm not very good in my operational security.
CAROLE. Oh, great. Yes. Tell all our listeners that. Because I remember this story of, I think it was the whole Silk Road thing, but he was caught because on one occasion he forgot to turn on his VPN and they were able then to tie it on Tor and went on real life web.
GRAHAM. Something like that. Yeah, and they can associate the different accounts. Yeah, that does seem to happen sometimes with cyber criminals is they simply forget to turn on the protection. And even if you're using a VPN, obviously, there's a possibility you're using a VPN, which is logging some information about it.
VANJA. Exactly. I think most of those VPNs need to adhere to local laws, and therefore the VPN is not really that private.
GRAHAM. That's why I'm now using a VPN via the interplanetary file system. My VPN is based on Mars. Legislation doesn't reach there.
CAROLE. Thanks, Elon. So if you were a would-be criminal, you would want an approach that guarantees your anonymity, right? Ensuring that if the authorities got wind of the heist, they would not be able to finger you. You know what I mean? And basically, this comes back to what Vanja was talking about. And this is how sites like iSpoof.cc have come to be. Now, with a name like that, iSpoof, what do you think they could be up to? Oh, it's an Apple product, of course.
GRAHAM. Yeah, an Apple product. It has an i at the beginning, yes. Legit. Maybe it's a special cover for an iPhone, which makes it look like an Android device or a Microsoft Zune. That's your spoofing another device. That'd be kind of... That's a good one. So if you want to look cool, if you don't want people to think that, oh, you're simply following Apple all the time. It's like, oh, well, actually, I've got the Galaxy S9 or something like that.
CAROLE. I've got a Microsoft phone. Yeah, exactly. I get a Huawei. So getting miscreants interested in masking their phone number in order to hide their identity and protect their anonymity is iSpoof's game.
GRAHAM. This is when you get a phone call from someone claiming to be an organisation, but they're not. So it's the caller ID that you're talking about that they're spoofing.
CAROLE. Right. And you, as a would-be criminal, would have perhaps learned about this type of service if you had taken to Telegram, the encrypted messaging service. And if you'd been flirting around ne'er-do-well channels, you might have seen adverts for iSpoof. iSpoof, until recently, was an underground website that sold these so-called spoofing services. So fraudsters would use these services to contact targets pretending to be trusted organizations like banks or tax offices or other official organizations. And the game is to trick the unsuspecting target victim into handing over sensitive information, including account credentials and ultimately moolah.
VANJA. You'd be surprised this approach is very successful.
CAROLE. Yes, I've got some numbers which are staggering. So, you know, they would ring up an innocent punter and pretend to be a bank and say something like, hello, hello, hello, this is your friendly bank manager. I think we've got a problem here, Gov.
GRAHAM. I'd be suspicious at the friendly bank manager bit. That's the thing which would have my alarm bell ringing.
VANJA. I'm sure we all receive calls that are coming from our own country, and it seems like, you know, the caller is who knows where, actually.
CAROLE. Yeah, I'm always like, describe what's outside your window right now. That's my line. Describe if you're in Manchester. Tell me what you see. What's the weather like? Yeah, what's the weather like? Exactly.
But the scam is not just a UK scam. It didn't just target UK victims. This was global. Check out these numbers.
iSpoof was created in December 2020 and at its peak had 59,000 users. Okay, these are the would-be criminals who paid up to five grand per month in Bitcoin to access iSpoof software.
5,000 a month. Pretty decent revenue.
Yes, pretty decent revenue. Wow.
According to the Met Police, between June 21 and 22, iSpoof was used to make 10 million fraudulent calls worldwide. Wow.
Of these 10 million fraudulent calls made, 40 were in the US, 35 were in the UK, and the rest was spread across a number of countries.
GRAHAM. Hang on. Well, only 45 calls were made in the US.
CAROLE. I'm sorry. I forgot the key word of percent. Let me try that one more time. Of the 10 million calls, 40% were in the United States, 35% were in the UK and the rest were spread across a number of countries.
Sorry to be pedantic.
No, no, that's an important point. Thank you very much.
GRAHAM. I understood it immediately. I thought maybe all the rest of them were happening in Belgium or something like that.
CAROLE. Europol reports that iSpoof caused approximately 120 million in losses, with the service operators raking in an estimated almost $4 million in just over a year. A lot of people say this number is very low.
At one point as many as 20 people every minute were being targeted by callers using technology bought from the site. Okay, so this is not a small operation, right, and they were making some serious wonga here.
VANJA. So do they know what kind of scheme it was or is just anybody was just using it and they had various types of you know do you want to buy some shares great investment that kind of thing?
CAROLE. I don't know that but I do know how the authorities uncovered it because how do we know all this. According to Bleeping Computer, the cybercrime department of the Dutch police found the servers hosting iSpoof in a small town near Amsterdam during a bank help desk fraud investigation.
So they were like, oh, what is this? This led to a new investigation focusing on the service, which led to the discovery of the iSpoof operator location or the main iSpoof operator's location in London.
So they inform Scotland Yard, which start their own in-depth investigation into the suspect. Dutch cops place a tap on the servers to eavesdrop on the activities to get an idea of the scale of this whole scheme.
And soon the UK police and Europol get involved with the Dutch police to map the whole criminal network, to basically make an obsession wall, which would be my dream.
VANJA. How dare they? Have you noticed how Dutch police are I really have a lot of ability to kind of spoof or kind of eavesdrop on some of those servers.
CAROLE. Yes, they do. It's incredible.
VANJA. It's often the case when you read some of the news stories. Yeah.
CAROLE. And this partnership, global partnership, allowed for the identification of many more criminals, some already known to one of the parties. So you'd be going, hey, I know that's bad Steve, right? That's bad Steve. He's been operating in my neck of the woods.
GRAHAM. Hey, that's Mickey Blue Eyes. He has Johnny Fingers. We know him. Vinnie
CAROLE. Slicer. Yeah, Vinnie Slicer.
Anyway, so earlier this month, the owner and mastermind of iSpoof was arrested on November 6th. And he was in East London.
And the websites, iSpoof.cc and iSpoof.me were seized. So if you go there now, there's this big FBI notice on them.
Two men aged 19 and 22, believed to be the admins of the servers in the small town near Amsterdam, were also arrested. And the Dutch police underline they're now de-anonymizing more service users based on the evidence collected from the seized servers.
So it's a growing investigation. Last week, we hear this investigation has led to the arrest of 146 people. That's huge.
Over 100 of these were in the UK and arrested by the Met Police. So what's interesting here is they're not just going after the service provider iSpoof, the guys behind it. They're also going after users of iSpoof who are using it for criminal gain.
GRAHAM. Yeah. So this is going to cause chaos for lots of cybercriminal gangs who've been spoofing their phone numbers.
CAROLE. Exactly. And bringing up the fraud, isn't it? I mean, this is marvellous.
And it comes at a very good time of year, because if you just go type in scam now in any search engine and go to news, every single town in the entire Western world, it seems, is talking about watch out for scams on Black Friday. And this is going to carry on till Christmas now. Yeah.
Two tiny last points. The Met Police, once they've done this arrest, reached out to the 70,000 people they believed to have been potential targets in this scam. And they did this via text late last week.
VANJA. Is it a special services text, not the standard SMS, but the one that can alert people? You know, how do you otherwise can verify that this is police, right?
GRAHAM. Well, that's interesting. I think that that is the challenge, of course, because criminals could send a message, couldn't they, claiming, hello, we're the Met Police, can you please log into this account and enter your bank details because we think you might have been defrauded. That's the fear.
CAROLE. That's exactly what people like BBC's Radio 4 said to them, how do I know the text message is from the police? It's real and the answer I saw on a law firm website said, okay, text message will only be sent on Thursday the 24th of November and Friday 25th of November. This is to raise awareness amongst those believed to be affected. Anyone who receives a text message after this date should disregard it in the event the campaign has been hijacked by scammers. Yeah, I guess.
VANJA. The good way is to verify on the police website or give it as a news, send it as a news or whatever.
GRAHAM. They've told people that they're only going to give them one link. So the link which they're going to tell people to click on is met.police.uk slash elaborate. Is that right?
CAROLE. If you receive a text message from the Met Police, you will be invited to get in touch. The text message will ask victims to visit the Met's website.
So is that the website you were just giving? Yeah, metpolice.uk, yeah. Yeah, to provide more details about their experience. The text message will not include a clickable link. Ah. Okay.
So on the BBC Radio 4, the Met Police Commissioner, Sir Mark Rowley, acknowledged that it was slightly bizarre that potential fraud victims will now be contacted about the crime by text. But it encouraged people to go through the official police website if contacted.
So it says, he says, quote, so don't respond to any text with sort of dodgy shortcuts and things. Come through official websites is the best way of doing this. And because they really want to hear from people, right? Because the people that they message for the next 24 hours have been victims of fraud or attempted fraud. And we can still stack all these offenses against the people that they've been arresting. So it's really important they get in touch.
GRAHAM. Yeah, so they need victims to put a case together to properly clobber the people that they've arrested. I mean, the police are stuck between a rock and a hard place here, aren't they? Because they've got the phone numbers of victims. They don't necessarily know their names and they need them to come forward.
And it's like, well, we could either phone them up or we could send text messages. But it sounds like they're trying to be careful to warn people about the danger of other cybercriminals exploiting this opportunity. The fact that they gave specific days, which are now in the past, because this was the end of last week. That's right. So we'll see what happens in the watch, because we're recording.
CAROLE. This a little bit earlier this week, so we'll see. But I'm saving the best to last, okay? Okay, because the Met Police have basically created a spoofed kind of fake ad mocking iSpoof's kind of privacy and services. And they've pushed this out on Telegram. Take a listen to this.
ROBOT. Welcome to iSpoof, the former number one spoofing service, now controlled by international law enforcement. Use our service to tell worldwide police that you are a criminal. If you want to spoof your caller ID to make spoof calls, the police are here to listen. All the evidence the police would ever need. iSpoof was made by criminals for criminals. Watch all your personal details be stored on iSpoof server, ready for the police to find. Your email address, location data.
CAROLE. And you need to see it. We'll put a link in the show notes. It's hilarious, isn't it? It's so good. It's so good.
So I think they're also enjoying this win that they've had because it seems that cooperation is the answer. Harmonious cooperation of talent and resources and not division is the answer. Who would have thought?
GRAHAM. Who would have thought? Together we're stronger, aren't we? Just the three of us. Not the three musketeers. Let's hope no one ever leaves.
CAROLE. Together forever and never to part. Together forever with you.
Is your organization finding it difficult to achieve compliance and scale its security posture? As G2's highest rated cloud compliance software, Drata streamlines your SOC 2, your ISO 27001, your PCI DSS, your GDPR, and your HIPAA compliance. Plus, it provides 24-hour continuous control monitoring so you can focus on scaling securely.
Drata is the only compliance automation platform with a private tenant database. They say it's like having your cake and securing it too. Countless security professionals from companies including Notion, FullStory, and BambooHR have shared how crucial it is to have Drata as a trusted partner in their compliance process.
Listeners, you can get 10% off Drata and waived implementation fees by visiting smashingsecurity.com/drata. That's D-R-A-T-A and thanks to Drata for sponsoring the show.
GRAHAM. The challenge with endpoint security has always been that it's difficult to scale and when remote work took over, that challenge got exponentially harder. You need visibility into your fleet of devices in order to meet security goals and reduce service desk tickets.
But how do you get that visibility when different parts of your company run on Mac, Windows and Linux? Well, you get Kolide.
Kolide is an endpoint security solution that gives IT teams a single dashboard for all devices, regardless of operating system. Kolide gives you real-time access to your fleet's data and can do things that traditional MDMs can't.
And instead of installing intrusive agents or locking down devices, Kolide takes a user-focused approach that communicates security recommendations to your workers directly on Slack. You can answer every question you have about your fleet without intruding on your workforce.
Visit kolide.com slash smashing to find out how. If you follow that link, they'll hook you up with a goodie bag just for activating a free trial.
That's K-O-L-I-D-E dot com slash smashing. And thanks to Kolide for supporting the show.
CAROLE. And is compliant with Privacy Shield, HIPAA, GDPR, CCPA, SOC 2, and SOC 3 security standards. This is pretty slick stuff.
You can get started with a free trial of a Teams or Enterprise plan at bitwarden.com forward slash smashing. That's bitwarden.com forward slash smashing.
Or you can try it for free across devices as an individual user. That's bitwarden.com forward slash smashing.
And massive thank you to Bitwarden for sponsoring the show.
GRAHAM. And welcome back. And you join us at our favorite part of the show, the part of the show that we call Pick of the Week.
CAROLE. For the 300th time, Pick of the Week.
GRAHAM. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something.
It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
Doesn't have to be security-related, necessarily. Better not be.
Well, my pick of the week this week is a bit security related, not computer security related.
CAROLE. Oh, I'm looking forward to that.
GRAHAM. It's more sort of, I don't know, it's more sort of espionage, that sort of thing.
CAROLE. Threat intelligence.
GRAHAM. Well, not really. Well, anyway, I have stumbled across a web page and a video which has been put together by the International Spy Museum, which is very interesting.
And they've got a number of exhibits. You can go and visit the museum in real life and check it out.
And this particular exhibit is completely nuts. It is what we—
CAROLE. Oh, I've just clicked on your link. Yeah.
Right. Do you want me to say what the first thing that's come up?
GRAHAM. I think I've seen it as well. Say what you see.
Say what you see, Carole.
CAROLE. It says scrotum concealment, 1960s, 1970s. So nuts, nuts.
Yeah, there's a large picture here of what looks suspiciously like a plasticated version of a very realistic sack.
GRAHAM. Yes, it doesn't have the other bit, does it? It's only got the Brussels sprouts.
CAROLE. It has a lot of poops. It has a lot of poops coming out.
GRAHAM. Yes, it does. So this is a device which was put together by spies at the CIA because they thought what we need to do is if we've got an agent who gets captured, we might want them to conceal about their person a tiny little radio to help with their escape so they can communicate with us.
But where can we put it? Because if someone is captured, they might have all their clothes taken off.
They'll be searched to find something. And what they've done is they've created this little pouch, which looks like a couple of, well, looks like your scrotum, which you could wear over your real scrotum.
And there is room inside it to hide a miniaturized radio. Now, where the aerial goes, I've got no idea.
CAROLE. What about your real ones? Where are your real?
GRAHAM. Well, you just, if, Carole, testicles come in different shapes and sizes, right? So if you had particularly dangly ones, or if this was dangly, then maybe they'd just think, well, he's got rather large balls, hasn't he?
He's walking with a particular—
CAROLE. Are we going back to sitting on a little—
GRAHAM. Yes, it's an invitingly large, wide stance, isn't it?
CAROLE. Well, anyway, I think this is rather ingenious. So apparently it's never been used in the field.
I wonder why.
GRAHAM. Can I say this item, this item in this picture? Yes.
Okay, I don't know if it's to scale, but it looks as though it's about an inch and a quarter across and about two and a half inches long. Right?
And I don't know.
CAROLE. What, the radio or the?
GRAHAM. Yeah. And that radio goes into these fake testicles, which then are mounted upon or on top of your real ones.
CAROLE. There's a video as well, Carole, if you want to check out the video.
GRAHAM. Oh, great. Yes.
And you can see one of the custodians of the museum describing the item. The object of intrigue.
Anyway, so I think this is rather interesting. I think it's quite ingenious.
I love when people think outside of the box, as it were. And that is why the CIA's scrotum concealment device and miniature radio is my pick of the week.
This is a perfect pick of the week for 300 episodes. Thank you very much, Vanja.
CAROLE. Do you know that I just tried to watch the video while you were talking, and it says this video is age restricted and will only be available on YouTube. There you are.
Funny.
VANJA. Not nearly as good as yours. I actually had quite a few pick of the weeks but then decided to go for a standard documentary that I watched the other week, actually, the week before.
We like documentaries. And the documentary is streaming on Netflix and it's called Blitzed. I don't know if you guys saw that.
GRAHAM. No, I haven't seen it. What's it about?
VANJA. It's a documentary about a group of people, in fact, musicians and DJs and people who were very fashion aware, let's say. At the end of the 70s, you know, when punk stopped and there was a bit of a question, what's going to be next?
What's the next big thing? So there are a few people and two of them, Steve Strange and Rusty Egan, who had punk bands before, decided they wanted to have a club for people just to feel themselves, you know.
Just a club for people to feel themselves. Exactly, to feel being themselves.
GRAHAM. Do you need to go to a club to do that or could you just stay in the privacy of your bedroom?
VANJA. These days you know when that happens, you know that's 1979 or something. Okay, it was after the, you know, I think Margaret Thatcher has, she already been? Yeah, yeah, she became prime minister in 79.
But exactly so, you know, it's pretty bad time for London. So the club is in London so the people like Boy George, Marilyn, Gary Kemp, they were all part of the scene and the scene basically originated from one of our famous artists David Bowie.
Yes they really loved him because when he first appeared on the show on the Top of the Pops or something he was one of the first artists to look different. And so, you know, all these glam dresses looking different and so it kind of kick-started this move which they kind of traced to punk but then from punk there was something, you know, what's going to be next.
And so when I was a kid the big thing was this New Romantic movement. Yes so these guys are actually all from the kind of working class backgrounds, very low-key, low-budget because there's a very difficult economic situation in London at the time.
So they do this, they find this club called Blitz and it becomes one of the centers of the social scene. The fashion scene, the social scene, the gay, you know, LGBT, all this stuff happens and it's kind of kickstarts the New Romantic movement essentially.
And this is where Spandau Ballet started and played their first gig. So it kind of follows all these protagonists Steve Strange, Rusty Egan and Boy George.
So they're basically talking about what happened and how the club which only lasted for two years became super popular and famous. So that eventually even David Bowie came to visit the club and they were all crazy for him and it was very famous because it rejected people if they haven't dressed properly.
You need to be really flamboyantly dressed to get in right.
CAROLE. That'd be perfect for me.
VANJA. Exactly, that would be your Cruella de Vil. Exactly and famously they rejected Mick Jagger when he came to get into the club because he wasn't properly dressed, I'm afraid.
CAROLE. Quite right, too. Yeah, no, it looks fascinating.
I was just looking, and it doesn't seem to be on Netflix in the UK. Interesting.
GRAHAM. It's not. I've just looked as well.
So you can't stream it for free in the UK, but I think there are other subscription services where you might be able to get a hold of it. But we're putting some links to more information about the movie for people who can't watch it.
Fantastic pick of the week, Greg. Vanja.
VANJA. Yes, well done, Greg. No, you just want to say mine again.
Yeah, I understand. Yes, you, whatever, whatever your name is.
CAROLE. I don't know why. I think I've known you both about the same length of time.
So as soon as you guys are together, I just want to call you Van Ham or something.
GRAHAM. Carole, what's your pick of the week?
CAROLE. I have a great pick of the week to you, I think, because I know you're both fans of Bob Dylan. Have you got a favourite tune?
GRAHAM. Yes. Temporary Like Achilles.
I love the Blood on the Tracks album I think that's, but I mean there's a few, there's different eras of Bob Dylan that's the interesting thing. My favourite is Blonde on Blonde.
CAROLE. Yeah. Interesting.
Well he's still going strong right? 79 years old still going strong in the music industry and even in the book industry because last month Simon & Schuster's Dylan's publishers advertised a limited edition hand signed copy of the musician's new collection of essays for 600 bucks each.
GRAHAM. Wow. So you're paying for the autograph.
I mean, presumably the book is available cheaper.
CAROLE. Well, apparently his autograph normally goes, so if he's signed something, those kind of items can go for 1500 bucks to 2000. So this is a real deal.
Decent investment. So last week, people started to receive the Philosophy of Modern Song, Dylan's first collection of writings since he won the Nobel Prize in Literature in 2016.
Philosophy of Modern Song. Why were you laughing?
What? Again, probably a bit forward, 4D chess for you.
Yes, yes. And this is a collection, it's said to be a series of rhapsodic observations on what gives great songs their power to fascinate us.
I think it sounds fascinating. Okay.
Okay. And the signed copy came with a letter of authenticity signed by Jonathan Karp, Simon & Schuster's chief exec, and 900 of these signed puppies are sent out.
GRAHAM. They weren't actually puppies, were they? They didn't sign.
Bob Dylan hasn't been signing puppies. I think just for clarity and for legal reasons, we should stress that isn't actually true.
CAROLE. No, but that was exactly the problem. It seems that maybe Bob Dylan didn't sign any of them.
Karp's signature looked more legit than Bob's, and it took hundreds of fans to sleuth out the book had not in actual fact been signed by Dylan at all. So Justin Steffman, he's a professional authenticator, he runs a Facebook group for collectors, he said the autograph was most likely created by an autopen and he said this to the New York Times, which is the New York Times article that is my pick of the week.
VANJA. Is it because all of them are completely the same?
CAROLE. Well he says handwritten penmanship normally has a flow, but with a pen machine, it goes from point to point, adding that the beginning and the end points of each stroke apply more pressure to the page. And Dylan's autograph in the new book also appears to have a slight shakiness throughout the signature.
They started popping up. Everyone received the book on the same day, and it was instant. They all realized it was an autopen. More and more people shared their copies, and they put it all together.
Last Sunday, Simon & Schuster issued a public statement that offered few details, but acknowledged that Dylan's signature had been rendered in a penned replica form. They called it in a penned replica form. And the publisher said it would give buyers an immediate refund. So, you know, embarrassing, right?
GRAHAM. PR disaster. But you know what? They might now be even more collectible because they won't produce any more of these, presumably.
CAROLE. I have the fake autograph.
VANJA. That's good thinking that they're going to be quite cheap at the beginning, but later, you know, 100 years from now.
GRAHAM. Yeah. Didn't Donald Rumsfeld get in trouble with one of these autographing machines once? Wasn't he caught out because he was writing letters to relatives of military personnel who died in conflict? And obviously he had to sign quite a few of them at certain points in his tenure. And someone said, hang on, you're using a machine. You're trying to make this all personal. I think he was doing that.
VANJA. I was saying that's what happens when you get signed your letter or something by a CEO of a company.
GRAHAM. Oh, well, that probably happens too, doesn't it? But if you're Bob Dylan, you certainly don't want to sign hundreds of books, do you?
CAROLE. Well, what the hell, right? It's like, don't say it's a signature then. Well, I agree. I think I can paraphrase one of his songs. It's all right, Ma. I'm only stealing. That's what I think. Bring it all back home.
GRAHAM. That's very good. Poor Bob Dylan. My pick of the week, a New York Times article called Bob Dylan Gets All Tangled Up in Book Autograph Controversy by Remy Tumin.
Brilliant. That just about wraps it up for 300 episodes of Smashing Security. Woo! We made it.
VANJA. And we agreed that in 200 episodes we... You're going to be back. I'm going to meet again.
CAROLE. Maybe earlier if I have my way about it.
GRAHAM. Vanja, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to find out what you're doing? Is it on the interplanetary file system?
VANJA. I can't say now that it's Twitter, although you can still follow me on Twitter. But on the Mastodon at Vanja Švajcer at infosec.exchange.
GRAHAM. And you can find Smashing Security's Mastodon account at smashingsecurity.com slash Mastodon. Or you can still follow us at the moment on Twitter at SmashinSecurity. No G, Twitter wouldn't allow us to have a G. And you can look up the Smashing Security subreddit on Reddit. And finally, you can ensure you never miss another episode by following Smashing Security in your favourite podcast app.
CAROLE. It's certainly not finally because we have to thank this episode's sponsors Kolide, Bitwarden, and Drata, and of course to our wonderful Patreon community. You got us here at a 300. Thanks to all of you. This show is free for everyone. For episode show notes, sponsorship info, guests, listen to the entire back catalogue of more than 299 episodes. Check out smashingsecurity.com.
GRAHAM. Until next time in episode 301. Cheerio. Bye bye. Bye. Woo. Bye. Just like the old days. But without the video. Yes.
CAROLE. Thank God, that was so dumb.
VANJA. The video was also good. The video was unnerving. And also that you have to go almost live.
GRAHAM. Yeah, no editing. Not that we ever edit the show at all, of course. Of course, of course.
CAROLE. Listeners, Carole here. On behalf of Graham and I, I've just finished editing the second half of our 300th show. And, you know, I'm kind of proud. I just want to say a huge, massive, massive thank you for listening to us, especially those of you that have been with us from the beginning and those of you that joined us midway through but went back to the start to listen. And let's not forget our incredible Patreon community and sponsors that help make this show possible. And like Graham said, if you like the show, please let us know. A review is fantastic. Not only does it help other people find us, it even makes Graham grumble a little less, which I'm incredibly grateful for. We love you. We thank you. And here's to 300 more.
GRAHAM. I can't believe, Carole, you'd add a bit at the end without telling me.
-- TRANSCRIPT ENDS --